Virtumonde Virus [CLOSED]

#1 FD_IT_Student (New Member, 9 posts)
Hi all - I'm looking for some help with my home PC. I am 100% sure that I have the Virtumonde virus and I really don't want to format my hard drive, so I have come on here looking for some help :) :)

I have done the following:
- Downloaded Kaspersky Anti-Virus (trial edition), ran through and did a system scan... it found a few trojans that were due to my younger brother downloading music files from LimeWire :)
- Downloaded "Virtumondobegone", ran through this and I shall copy the log below
- Downloaded "Vundo Fix", ran through this earlier with no luck :(
- Updated Java

I have also scanned the PC with the following programs
- Spybot S&D
- Ad-awareSE
- AVG

The problem is still here :) I have gone into the registry myself a few times and manually removed some of the registry keys and values, which are just rebuilt as soon as I restart the PC/internet.

The symptoms are as follows...
- Annoying pop-ups every now and again
- Windows Updates are turned off
- Cookies are set to the lowest settings
- Browser helper objects are also added

I did also try to update Windows (using windowsupdate.com), but because my updates are turned off the website can't connect to them!

Please Help me!!! :)

Here is the log from VirtumondoBeGone

[06/30/2008, 13:49:43] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\Ash\Desktop\VirtumundoBeGone.exe" )
[06/30/2008, 13:49:51] - Detected System Information:
[06/30/2008, 13:49:51] - Windows Version: 5.1.2600, Service Pack 2
[06/30/2008, 13:49:51] - Current Username: Ash (Admin)
[06/30/2008, 13:49:51] - Windows is in NORMAL mode.
[06/30/2008, 13:49:51] - Searching for Browser Helper Objects:
[06/30/2008, 13:49:51] - BHO 1: {3049C3E9-B461-4BC5-8870-4C09146192CA} (RealPlayer Download and Record Plugin for Internet Explorer)
[06/30/2008, 13:49:51] - BHO 2: {4c2a6f8a-bc55-4d24-bf7d-467e66f09bd8} ()
[06/30/2008, 13:49:51] - WARNING: BHO has no default name. Checking for Winlogon reference.
[06/30/2008, 13:49:51] - Checking for HKLM\...\Winlogon\Notify\acdubu
[06/30/2008, 13:49:51] - Key not found: HKLM\...\Winlogon\Notify\acdubu, continuing.
[06/30/2008, 13:49:51] - BHO 3: {53707962-6F74-2D53-2644-206D7942484F} (Spybot-S&D IE Protection)
[06/30/2008, 13:49:51] - BHO 4: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[06/30/2008, 13:49:51] - BHO 5: {9030D464-4C02-4ABF-8ECC-5164760863C6} (Windows Live Sign-in Helper)
[06/30/2008, 13:49:51] - BHO 6: {9358CB63-6746-4EF2-BDA5-1165FC152D1D} ()
[06/30/2008, 13:49:51] - WARNING: BHO has no default name. Checking for Winlogon reference.
[06/30/2008, 13:49:51] - Checking for HKLM\...\Winlogon\Notify\urqOecCS
[06/30/2008, 13:49:51] - Key not found: HKLM\...\Winlogon\Notify\urqOecCS, continuing.
[06/30/2008, 13:49:51] - BHO 7: {944FA61B-91B2-4A08-A465-F248B1781E2B} ()
[06/30/2008, 13:49:51] - WARNING: BHO has no default name. Checking for Winlogon reference.
[06/30/2008, 13:49:51] - Checking for HKLM\...\Winlogon\Notify\hgGWPJBs
[06/30/2008, 13:49:51] - Key not found: HKLM\...\Winlogon\Notify\hgGWPJBs, continuing.
[06/30/2008, 13:49:51] - BHO 8: {AA58ED58-01DD-4d91-8333-CF10577473F7} (Google Toolbar Helper)
[06/30/2008, 13:49:51] - BHO 9: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} (Google Toolbar Notifier BHO)
[06/30/2008, 13:49:51] - BHO 10: {BAFFE38C-C38F-421D-A619-854106535705} ()
[06/30/2008, 13:49:51] - WARNING: BHO has no default name. Checking for Winlogon reference.
[06/30/2008, 13:49:51] - Checking for HKLM\...\Winlogon\Notify\geBrqrrQ
[06/30/2008, 13:49:51] - Found: HKLM\...\Winlogon\Notify\geBrqrrQ - This is probably Virtumundo.
[06/30/2008, 13:49:51] - Assigning {BAFFE38C-C38F-421D-A619-854106535705} MSEvents Object
[06/30/2008, 13:49:51] - BHO list has been changed! Starting over...
[06/30/2008, 13:49:51] - BHO 1: {3049C3E9-B461-4BC5-8870-4C09146192CA} (RealPlayer Download and Record Plugin for Internet Explorer)
[06/30/2008, 13:49:51] - BHO 2: {4c2a6f8a-bc55-4d24-bf7d-467e66f09bd8} ()
[06/30/2008, 13:49:51] - WARNING: BHO has no default name. Checking for Winlogon reference.
[06/30/2008, 13:49:51] - Checking for HKLM\...\Winlogon\Notify\acdubu
[06/30/2008, 13:49:51] - Key not found: HKLM\...\Winlogon\Notify\acdubu, continuing.
[06/30/2008, 13:49:51] - BHO 3: {53707962-6F74-2D53-2644-206D7942484F} (Spybot-S&D IE Protection)
[06/30/2008, 13:49:51] - BHO 4: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[06/30/2008, 13:49:51] - BHO 5: {9030D464-4C02-4ABF-8ECC-5164760863C6} (Windows Live Sign-in Helper)
[06/30/2008, 13:49:51] - BHO 6: {9358CB63-6746-4EF2-BDA5-1165FC152D1D} ()
[06/30/2008, 13:49:51] - WARNING: BHO has no default name. Checking for Winlogon reference.
[06/30/2008, 13:49:51] - Checking for HKLM\...\Winlogon\Notify\urqOecCS
[06/30/2008, 13:49:51] - Key not found: HKLM\...\Winlogon\Notify\urqOecCS, continuing.
[06/30/2008, 13:49:51] - BHO 7: {944FA61B-91B2-4A08-A465-F248B1781E2B} ()
[06/30/2008, 13:49:51] - WARNING: BHO has no default name. Checking for Winlogon reference.
[06/30/2008, 13:49:51] - Checking for HKLM\...\Winlogon\Notify\hgGWPJBs
[06/30/2008, 13:49:51] - Key not found: HKLM\...\Winlogon\Notify\hgGWPJBs, continuing.
[06/30/2008, 13:49:51] - BHO 8: {AA58ED58-01DD-4d91-8333-CF10577473F7} (Google Toolbar Helper)
[06/30/2008, 13:49:51] - BHO 9: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} (Google Toolbar Notifier BHO)
[06/30/2008, 13:49:51] - BHO 10: {BAFFE38C-C38F-421D-A619-854106535705} (MSEvents Object)
[06/30/2008, 13:49:51] - ALERT: Found MSEvents Object!
[06/30/2008, 13:49:51] - BHO 11: {C4DBDFC8-DCE8-403E-A2BA-21FBB5A033C9} ()
[06/30/2008, 13:49:51] - WARNING: BHO has no default name. Checking for Winlogon reference.
[06/30/2008, 13:49:51] - Checking for HKLM\...\Winlogon\Notify\yayxwTJB
[06/30/2008, 13:49:51] - Key not found: HKLM\...\Winlogon\Notify\yayxwTJB, continuing.
[06/30/2008, 13:49:51] - Finished Searching Browser Helper Objects
[06/30/2008, 13:49:51] - *** Detected MSEvents Object
[06/30/2008, 13:49:51] - Trying to remove MSEvents Object...
[06/30/2008, 13:49:52] - Terminating Process: IEXPLORE.EXE
[06/30/2008, 13:49:52] - Terminating Process: RUNDLL32.EXE
[06/30/2008, 13:49:53] - Disabling Automatic Shell Restart
[06/30/2008, 13:49:53] - Terminating Process: EXPLORER.EXE
[06/30/2008, 13:49:53] - Suspending the NT Session Manager System Service
[06/30/2008, 13:49:53] - Terminating Windows NT Logon/Logoff Manager
[06/30/2008, 13:49:53] - Re-enabling Automatic Shell Restart
[06/30/2008, 13:49:53] - File to disable: C:\WINDOWS\system32\geBrqrrQ.dll
[06/30/2008, 13:49:53] - Renaming C:\WINDOWS\system32\geBrqrrQ.dll -> C:\WINDOWS\system32\geBrqrrQ.dll.vir
[06/30/2008, 13:49:53] - File successfully renamed!
[06/30/2008, 13:49:53] - Removing HKLM\...\Browser Helper Objects\{BAFFE38C-C38F-421D-A619-854106535705}
[06/30/2008, 13:49:53] - Removing HKCR\CLSID\{BAFFE38C-C38F-421D-A619-854106535705}
[06/30/2008, 13:49:53] - Adding Kill Bit for ActiveX for GUID: {BAFFE38C-C38F-421D-A619-854106535705}
[06/30/2008, 13:49:53] - Deleting ATLEvents/MSEvents Registry entries
[06/30/2008, 13:49:53] - Removing HKLM\...\Winlogon\Notify\geBrqrrQ
[06/30/2008, 13:49:53] - Searching for Browser Helper Objects:
[06/30/2008, 13:49:53] - BHO 1: {3049C3E9-B461-4BC5-8870-4C09146192CA} (RealPlayer Download and Record Plugin for Internet Explorer)
[06/30/2008, 13:49:53] - BHO 2: {4c2a6f8a-bc55-4d24-bf7d-467e66f09bd8} ()
[06/30/2008, 13:49:53] - WARNING: BHO has no default name. Checking for Winlogon reference.
[06/30/2008, 13:49:53] - Checking for HKLM\...\Winlogon\Notify\acdubu
[06/30/2008, 13:49:53] - Key not found: HKLM\...\Winlogon\Notify\acdubu, continuing.
[06/30/2008, 13:49:53] - BHO 3: {53707962-6F74-2D53-2644-206D7942484F} (Spybot-S&D IE Protection)
[06/30/2008, 13:49:53] - BHO 4: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[06/30/2008, 13:49:53] - BHO 5: {9030D464-4C02-4ABF-8ECC-5164760863C6} (Windows Live Sign-in Helper)
[06/30/2008, 13:49:53] - BHO 6: {9358CB63-6746-4EF2-BDA5-1165FC152D1D} ()
[06/30/2008, 13:49:53] - WARNING: BHO has no default name. Checking for Winlogon reference.
[06/30/2008, 13:49:53] - Checking for HKLM\...\Winlogon\Notify\urqOecCS
[06/30/2008, 13:49:53] - Key not found: HKLM\...\Winlogon\Notify\urqOecCS, continuing.
[06/30/2008, 13:49:53] - BHO 7: {944FA61B-91B2-4A08-A465-F248B1781E2B} ()
[06/30/2008, 13:49:53] - WARNING: BHO has no default name. Checking for Winlogon reference.
[06/30/2008, 13:49:53] - Checking for HKLM\...\Winlogon\Notify\hgGWPJBs
[06/30/2008, 13:49:53] - Key not found: HKLM\...\Winlogon\Notify\hgGWPJBs, continuing.
[06/30/2008, 13:49:53] - BHO 8: {AA58ED58-01DD-4d91-8333-CF10577473F7} (Google Toolbar Helper)
[06/30/2008, 13:49:53] - BHO 9: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} (Google Toolbar Notifier BHO)
[06/30/2008, 13:49:53] - BHO 10: {C4DBDFC8-DCE8-403E-A2BA-21FBB5A033C9} ()
[06/30/2008, 13:49:53] - WARNING: BHO has no default name. Checking for Winlogon reference.
[06/30/2008, 13:49:53] - Checking for HKLM\...\Winlogon\Notify\yayxwTJB
[06/30/2008, 13:49:53] - Key not found: HKLM\...\Winlogon\Notify\yayxwTJB, continuing.
[06/30/2008, 13:49:53] - Finished Searching Browser Helper Objects
[06/30/2008, 13:49:53] - Finishing up...
[06/30/2008, 13:49:53] - A restart is needed.
[06/30/2008, 13:49:53] - Automatic Reboot on STOP Error is not set. User will have to manually restart.
[06/30/2008, 13:50:11] - Attempting to Restart via STOP error (Blue Screen!)

[06/30/2008, 19:44:59] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\Ash\Desktop\VirtumundoBeGone.exe" )
[06/30/2008, 19:45:02] - Detected System Information:
[06/30/2008, 19:45:02] - Windows Version: 5.1.2600, Service Pack 2
[06/30/2008, 19:45:02] - Current Username: Ash (Admin)
[06/30/2008, 19:45:02] - Windows is in NORMAL mode.
[06/30/2008, 19:45:03] - Searching for Browser Helper Objects:
[06/30/2008, 19:45:03] - BHO 1: {3049C3E9-B461-4BC5-8870-4C09146192CA} (RealPlayer Download and Record Plugin for Internet Explorer)
[06/30/2008, 19:45:03] - BHO 2: {4c2a6f8a-bc55-4d24-bf7d-467e66f09bd8} ()
[06/30/2008, 19:45:03] - WARNING: BHO has no default name. Checking for Winlogon reference.
[06/30/2008, 19:45:03] - Checking for HKLM\...\Winlogon\Notify\acdubu
[06/30/2008, 19:45:03] - Key not found: HKLM\...\Winlogon\Notify\acdubu, continuing.
[06/30/2008, 19:45:03] - BHO 3: {53707962-6F74-2D53-2644-206D7942484F} (Spybot-S&D IE Protection)
[06/30/2008, 19:45:03] - BHO 4: {5B00702D-9C04-4DCC-8825-87FA2905F1E6} ()
[06/30/2008, 19:45:03] - WARNING: BHO has no default name. Checking for Winlogon reference.
[06/30/2008, 19:45:03] - Checking for HKLM\...\Winlogon\Notify\urqOecCS
[06/30/2008, 19:45:03] - Key not found: HKLM\...\Winlogon\Notify\urqOecCS, continuing.
[06/30/2008, 19:45:03] - BHO 5: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[06/30/2008, 19:45:03] - BHO 6: {9030D464-4C02-4ABF-8ECC-5164760863C6} (Windows Live Sign-in Helper)
[06/30/2008, 19:45:03] - BHO 7: {9358CB63-6746-4EF2-BDA5-1165FC152D1D} ()
[06/30/2008, 19:45:03] - WARNING: BHO has no default name. Checking for Winlogon reference.
[06/30/2008, 19:45:03] - No filename found. Continuing.
[06/30/2008, 19:45:03] - BHO 8: {944FA61B-91B2-4A08-A465-F248B1781E2B} ()
[06/30/2008, 19:45:03] - WARNING: BHO has no default name. Checking for Winlogon reference.
[06/30/2008, 19:45:03] - Checking for HKLM\...\Winlogon\Notify\hgGWPJBs
[06/30/2008, 19:45:03] - Key not found: HKLM\...\Winlogon\Notify\hgGWPJBs, continuing.
[06/30/2008, 19:45:03] - BHO 9: {AA58ED58-01DD-4d91-8333-CF10577473F7} (Google Toolbar Helper)
[06/30/2008, 19:45:03] - BHO 10: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} (Google Toolbar Notifier BHO)
[06/30/2008, 19:45:03] - BHO 11: {C4DBDFC8-DCE8-403E-A2BA-21FBB5A033C9} ()
[06/30/2008, 19:45:03] - WARNING: BHO has no default name. Checking for Winlogon reference.
[06/30/2008, 19:45:03] - Checking for HKLM\...\Winlogon\Notify\yayxwTJB
[06/30/2008, 19:45:03] - Key not found: HKLM\...\Winlogon\Notify\yayxwTJB, continuing.
[06/30/2008, 19:45:03] - Finished Searching Browser Helper Objects
[06/30/2008, 19:45:03] - Finishing up...
[06/30/2008, 19:45:03] - Nothing found! Exiting...


Thanks for your time - it's very much appreciated :wacko: :)

Edited by greyknight17, 17 July 2008 - 09:42 AM.
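The VirtumundoBeGone log above shows the heuristic the tool applies: enumerate the registered Browser Helper Objects, treat any CLSID that has no default name as a candidate, and then probe HKLM\...\Winlogon\Notify for a subkey named after the candidate DLL, because Vundo registers the same DLL both as a BHO and as a Winlogon notification package so it is loaded before the user's shell. The following is an added example, not code from the original post or from VirtumundoBeGone itself: a small offline parser for a saved log that pulls out the unnamed BHOs and whether the Notify probe hit, which is the triage list a practitioner wants before touching the registry. The embedded log excerpt is constructed from lines of the log above (shortened; CLSIDs and Notify names are the ones that appear there); the regular expressions, the `Bho` class and the function names are assumptions of this example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed excerpt of a VirtumundoBeGone log, modelled on the one posted above
# (CLSIDs and Notify names copied from that log; the excerpt is shortened).
SAMPLE_LOG = """\
[06/30/2008, 13:49:51] - Searching for Browser Helper Objects:
[06/30/2008, 13:49:51] - BHO 1: {3049C3E9-B461-4BC5-8870-4C09146192CA} (RealPlayer Download and Record Plugin for Internet Explorer)
[06/30/2008, 13:49:51] - BHO 2: {4c2a6f8a-bc55-4d24-bf7d-467e66f09bd8} ()
[06/30/2008, 13:49:51] - WARNING: BHO has no default name. Checking for Winlogon reference.
[06/30/2008, 13:49:51] - Checking for HKLM\\...\\Winlogon\\Notify\\acdubu
[06/30/2008, 13:49:51] - Key not found: HKLM\\...\\Winlogon\\Notify\\acdubu, continuing.
[06/30/2008, 13:49:51] - BHO 10: {BAFFE38C-C38F-421D-A619-854106535705} ()
[06/30/2008, 13:49:51] - WARNING: BHO has no default name. Checking for Winlogon reference.
[06/30/2008, 13:49:51] - Checking for HKLM\\...\\Winlogon\\Notify\\geBrqrrQ
[06/30/2008, 13:49:51] - Found: HKLM\\...\\Winlogon\\Notify\\geBrqrrQ - This is probably Virtumundo.
[06/30/2008, 13:49:51] - Finished Searching Browser Helper Objects
"""

# Line shapes taken from the log format above (assumed stable across the tool's output).
BHO_RE = re.compile(r"- BHO \d+: (\{[0-9A-Fa-f-]{36}\}) \((.*)\)$")
CHECK_RE = re.compile(r"- Checking for HKLM\\\.\.\.\\Winlogon\\Notify\\(\S+)$")
FOUND_RE = re.compile(r"- Found: HKLM\\\.\.\.\\Winlogon\\Notify\\(\S+) ")


@dataclass
class Bho:
    clsid: str
    name: str                         # "" when the CLSID key has no default value
    notify_key: Optional[str] = None  # Winlogon\Notify subkey the tool probed
    notify_found: bool = False        # True when that subkey exists (the logon hook)


def parse_vbg_log(text: str) -> List[Bho]:
    """Walk the log top to bottom; Notify probes always follow the unnamed BHO they belong to."""
    bhos: List[Bho] = []
    current: Optional[Bho] = None
    for line in text.splitlines():
        m = BHO_RE.search(line)
        if m:
            current = Bho(clsid=m.group(1).upper(), name=m.group(2))
            bhos.append(current)
            continue
        if current is None or current.name:
            continue  # probes are only logged for unnamed BHOs
        m = CHECK_RE.search(line)
        if m:
            current.notify_key = m.group(1)
        elif FOUND_RE.search(line):
            current.notify_found = True
    return bhos


def suspicious(bhos: List[Bho]) -> List[Bho]:
    """Unnamed BHOs are the triage set; those with a matching Winlogon\\Notify key come first."""
    return sorted((b for b in bhos if not b.name),
                  key=lambda b: (not b.notify_found, b.clsid))


if __name__ == "__main__":
    for b in suspicious(parse_vbg_log(SAMPLE_LOG)):
        verdict = "Winlogon\\Notify hook present" if b.notify_found else "no Notify key (inspect the DLL anyway)"
        print(f"{b.clsid}  probed={b.notify_key}  {verdict}")
```

The ordering matters for the practitioner: an unnamed BHO whose Notify key is missing (the `acdubu` case here) is not cleared by this heuristic, it has simply not been registered as a logon hook yet; the second run of the tool in the post above, where `acdubu` is still present, shows why the unnamed set should be kept on the list even after the first hit is removed.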


#2 greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)
1. Download combofix at http://download.blee...Bs/ComboFix.exe Save it to your Desktop before you run it.
2. Double-click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply.

Note:
Do not click on combofix's window while it's running. That may cause it to stall.

#3 FD_IT_Student (Topic Starter, 9 posts)
Here is the log

ComboFix 08-06-30.2 - Ash 2008-07-01 18:32:45.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.442 [GMT 1:00]
Running from: C:\Documents and Settings\Ash\Desktop\Un-used Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\ContextTool
C:\Program Files\ContextTool\pcre3.dll
C:\Program Files\ContextTool\uninstall.exe
C:\WINDOWS\cookies.ini
C:\WINDOWS\Downloaded Program Files\setup.inf
C:\WINDOWS\system32\BJTwxyay.ini
C:\WINDOWS\system32\BJTwxyay.ini2
C:\WINDOWS\system32\ckrnhrpm.dll
C:\WINDOWS\system32\dgvwvwyg.dll
C:\WINDOWS\system32\gnnthndw.ini
C:\WINDOWS\system32\gywvwvgd.ini
C:\WINDOWS\system32\kyfakckv.dll
C:\WINDOWS\system32\ovpbdikp.dll
C:\WINDOWS\system32\sBJPWGgh.ini
C:\WINDOWS\system32\sBJPWGgh.ini2
C:\WINDOWS\system32\SCceOqru.ini
C:\WINDOWS\system32\SCceOqru.ini2
C:\WINDOWS\system32\Show Pink Zone.ico
C:\WINDOWS\system32\spzax.ocx
C:\WINDOWS\system32\xqfwkvwh.ini
C:\WINDOWS\system32\Xwxadfii.ini2

.
((((((((((((((((((((((((( Files Created from 2008-06-01 to 2008-07-01 )))))))))))))))))))))))))))))))
.

2008-06-30 23:35 . 2008-06-30 23:47 <DIR> d-------- C:\Program Files\Enigma Software Group
2008-06-30 22:06 . 2008-06-30 22:07 <DIR> d--h----- C:\WINDOWS\msdownld.tmp
2008-06-30 22:00 . 2008-06-30 22:06 1,374 --a------ C:\WINDOWS\imsins.BAK
2008-06-30 21:59 . 2008-04-23 05:16 6,066,176 --------- C:\WINDOWS\system32\dllcache\ieframe.dll
2008-06-30 21:59 . 2007-04-17 10:32 2,455,488 --------- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2008-06-30 21:59 . 2007-03-08 06:10 991,232 --------- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2008-06-30 21:59 . 2008-04-23 05:16 459,264 --------- C:\WINDOWS\system32\dllcache\msfeeds.dll
2008-06-30 21:59 . 2008-04-23 05:16 383,488 --------- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2008-06-30 21:59 . 2008-04-23 05:16 267,776 --------- C:\WINDOWS\system32\dllcache\iertutil.dll
2008-06-30 21:59 . 2008-04-23 05:16 63,488 --------- C:\WINDOWS\system32\dllcache\icardie.dll
2008-06-30 21:59 . 2008-04-23 05:16 52,224 --------- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2008-06-30 21:59 . 2008-04-22 08:39 13,824 --------- C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-06-30 21:56 . 2008-06-30 21:56 <DIR> d-------- C:\b30ad7822cbfca4503e5df91
2008-06-30 21:38 . 2008-06-30 21:46 <DIR> d-------- C:\WINDOWS\system32\CatRoot_bak
2008-06-30 17:45 . 2008-06-30 17:54 96,966 --a------ C:\WINDOWS\system32\drivers\klin.dat
2008-06-30 17:45 . 2008-06-30 17:54 88,774 --a------ C:\WINDOWS\system32\drivers\klick.dat
2008-06-30 17:44 . 2008-06-30 17:44 <DIR> d-------- C:\Program Files\Kaspersky Lab
2008-06-30 17:44 . 2008-07-01 18:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-06-30 17:44 . 2008-07-01 18:49 3,076,896 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-06-30 17:44 . 2008-07-01 18:49 67,872 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2008-06-30 17:44 . 2008-07-01 18:47 43,088 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-06-30 17:44 . 2008-07-01 18:47 7,340 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx
2008-06-30 17:35 . 2008-06-30 17:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab Setup Files
2008-06-30 13:35 . 2008-06-30 13:35 <DIR> d-------- C:\VundoFix Backups
2008-06-29 22:08 . 2008-06-29 22:08 105,856 --a------ C:\WINDOWS\system32\qqdvfbbn.dll
2008-06-29 22:08 . 2008-06-29 22:08 105,856 --a------ C:\WINDOWS\system32\acdubu.dll
2008-06-29 22:05 . 2008-06-29 22:05 314,784 --a------ C:\WINDOWS\system32\fgfcCS.dll
2008-06-29 14:32 . 2008-06-29 14:32 105,856 --a------ C:\WINDOWS\system32\mhmecbfy.dll
2008-06-29 14:32 . 2008-06-29 14:32 105,856 --a------ C:\WINDOWS\system32\ibjqub.dll
2008-06-29 13:38 . 2008-06-29 13:38 314,784 --a------ C:\WINDOWS\system32\sadasdasdadsad.dll
2008-06-29 12:47 . 2008-06-29 12:45 691,545 --a------ C:\WINDOWS\unins000.exe
2008-06-29 12:47 . 2008-06-29 12:47 2,538 --a------ C:\WINDOWS\unins000.dat
2008-06-29 10:28 . 2008-06-29 10:28 105,856 --a------ C:\WINDOWS\system32\mpomnevd.dll
2008-06-29 10:28 . 2008-06-29 10:28 105,856 --a------ C:\WINDOWS\system32\kmapug.dll
2008-06-29 10:10 . 2008-06-29 10:10 <DIR> d-------- C:\Program Files\Microsoft Games
2008-06-29 10:09 . 2008-06-29 10:10 <DIR> d-------- C:\Program Files\Vietcong MP demo
2008-06-29 10:09 . 2008-06-29 10:09 <DIR> d-------- C:\Program Files\Symantec
2008-06-29 10:09 . 2008-06-29 10:09 <DIR> d-------- C:\Program Files\Channel4
2008-06-28 22:41 . 2008-06-28 22:41 <DIR> d-------- C:\Program Files\Trend Micro
2008-06-24 09:01 . 2008-06-24 09:01 25,488 --a------ C:\WINDOWS\system32\geBrqrrQ.dll.vir
2008-06-23 23:20 . 2008-06-23 23:20 <DIR> d-------- C:\Documents and Settings\Ash\Application Data\PC Suite
2008-06-23 18:37 . 2007-11-22 15:00 483,328 --a------ C:\WINDOWS\system32\actskn45.ocx
2008-06-11 14:31 . 2008-06-13 14:10 272,128 --------- C:\WINDOWS\system32\drivers\bthport.sys
2008-06-11 14:31 . 2008-06-13 14:10 272,128 --------- C:\WINDOWS\system32\dllcache\bthport.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-01 17:50 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kontiki
2008-06-30 21:56 --------- d-----w C:\Program Files\Google
2008-06-30 17:32 --------- d-----w C:\Program Files\Common Files\Carlson
2008-06-30 16:54 112,144 ----a-w C:\WINDOWS\system32\drivers\kl1.sys
2008-06-30 16:38 --------- d-----w C:\Documents and Settings\Laurie.DG0NJN2J\Application Data\AVG7
2008-06-30 16:38 --------- d-----w C:\Documents and Settings\Ash\Application Data\AVG7
2008-06-30 16:38 --------- d-----w C:\Documents and Settings\All Users\Application Data\Avg7
2008-06-29 11:55 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-06-29 11:49 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-06-29 09:12 --------- d-----w C:\Program Files\Kontiki
2008-06-29 09:09 --------- d-----w C:\Program Files\Call of Duty
2008-06-29 06:20 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-06-28 07:24 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-06-22 23:12 --------- d-----w C:\Documents and Settings\Laurie.DG0NJN2J\Application Data\LimeWire
2008-06-10 09:14 22,328 ----a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys
2008-05-28 20:10 --------- d-----w C:\Documents and Settings\Laurie.DG0NJN2J\Application Data\PC Suite
2008-05-19 23:12 --------- d-----w C:\Program Files\Microsoft Silverlight
2008-05-11 20:17 0 ---ha-w C:\WINDOWS\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2008-05-11 20:17 0 ---ha-w C:\WINDOWS\system32\drivers\Msft_Kernel_ccdcmb_01005.Wdf
2008-05-11 20:15 --------- d-----w C:\Documents and Settings\All Users\Application Data\PC Suite
2008-05-11 20:14 --------- d-----w C:\Program Files\PC Connectivity Solution
2008-05-11 20:14 --------- d-----w C:\Program Files\Nokia
2008-05-11 20:14 --------- d-----w C:\Program Files\DIFX
2008-05-11 20:14 --------- d-----w C:\Program Files\Common Files\PCSuite
2008-05-11 20:14 --------- d-----w C:\Program Files\Common Files\Nokia
2008-05-11 20:13 --------- d-----w C:\Documents and Settings\All Users\Application Data\Installations
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-01-20 23:20 1,352 ----a-w C:\Documents and Settings\Laurie.DG0NJN2J\Application Data\filterclsid.dat
2007-12-05 19:07 555 ----a-w C:\Documents and Settings\Laurie.DG0NJN2J\Application Data\internaldb8467.dat
2007-12-05 19:07 374 ----a-w C:\Documents and Settings\Laurie.DG0NJN2J\Application Data\internaldb6334.dat
2007-12-05 19:07 18,432 ----a-w C:\Documents and Settings\Laurie.DG0NJN2J\Application Data\internaldb41.dat
2002-07-10 20:32 327,680 ----a-w C:\Documents and Settings\Ash\ArcadeRes.dll
2002-07-10 20:32 2,916,407 -c--a-w C:\Documents and Settings\Ash\Aphex.exe
2002-07-10 20:32 163,840 -c--a-w C:\Documents and Settings\Ash\rwvoice.dll
2002-07-10 20:32 106,496 -c--a-w C:\Documents and Settings\Ash\rwnet.dll
2002-07-10 14:59 94,208 ----a-w C:\Documents and Settings\Ash\gsws.dll
2002-07-10 14:59 81,920 ----a-w C:\Documents and Settings\Ash\gslan.dll
2002-05-27 22:05 77,824 ----a-w C:\Documents and Settings\Ash\GSAPak.exe
2001-12-20 10:46 4,396 -c--a-w C:\Documents and Settings\Ash\4dca9208.dat
2001-12-20 10:46 118,784 -c--a-w C:\Documents and Settings\Ash\pw32.dll
1999-11-12 18:16 224,768 ----a-w C:\Documents and Settings\Ash\fpupdate.exe
1999-06-25 10:55 149,504 -c--a-w C:\Documents and Settings\Ash\UNWISE.EXE
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4c2a6f8a-bc55-4d24-bf7d-467e66f09bd8}]
2008-06-29 22:08 105856 --a------ C:\WINDOWS\system32\acdubu.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 06:00 15360]
"kdx"="C:\Program Files\Kontiki\KHost.exe" [2007-04-23 11:23 1032640]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-28 20:49 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-09-29 15:01 67584]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-12-05 02:41 8523776]
"IAAnotif"="C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-07-06 08:15 151552]
"DMXLauncher"="C:\Program Files\Dell\Media Experience\DMXLauncher.exe" [2005-10-05 04:12 94208]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-12-17 14:05 98304]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2004-12-13 16:30 58992]
"DLA"="C:\WINDOWS\System32\DLA\DLACTRLW.EXE" [2005-09-08 06:20 122940]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 17:50 221184]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 17:50 81920]
"BuildBU"="c:\dell\bldbubg.exe" [2006-12-17 13:42 61440]
"SpeedTouch USB Diagnostics"="C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" [2004-01-26 12:38 866816]
"tsnp2std"="C:\WINDOWS\tsnp2std.exe" [2006-11-02 14:04 258048]
"snp2std"="C:\WINDOWS\vsnp2std.exe" [2006-09-15 13:21 675840]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-02-03 22:52 185896]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-12-05 02:41 81920]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"4oD"="C:\Program Files\Kontiki\KHost.exe" [2007-04-23 11:23 1032640]
"SigmatelSysTrayApp"="stsystra.exe" [2006-07-24 18:20 282624 C:\WINDOWS\stsystra.exe]
"nwiz"="nwiz.exe" [2007-12-05 02:41 1626112 C:\WINDOWS\system32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-10 06:00 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2004-10-13 17:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Norton Ghost 10.0]
--a------ 2005-12-07 17:05 1537696 C:\Program Files\Norton Ghost\Agent\GhostTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OrderReminder]
-ra------ 2006-01-30 17:00 98304 C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Dell Network Assistant\\ezi_hnm2.exe"=
"C:\\Program Files\\Valve\\Steam\\Steam.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\SpeedTouch\\Dr SpeedTouch\\drst.exe"=
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"=
"C:\\Program Files\\Valve\\Steam\\SteamApps\\laurie101\\counter-strike source\\hl2.exe"=
"C:\\Program Files\\Call of Duty\\CoDMP.exe"=
"C:\\Program Files\\Valve\\Steam\\SteamApps\\ashymartin\\counter-strike source\\hl2.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\Kontiki\\KService.exe"=
"C:\\Documents and Settings\\All Users\\Application Data\\Kaspersky Lab Setup Files\\Kaspersky Anti-Virus 7.0.1.325\\English\\setup.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"10421:UDP"= 10421:UDP:SingleClick Discovery Protocol
"10426:UDP"= 10426:UDP:SingleClick ICC
"3721:TCP"= 3721:TCP:LimeWire

R2 hnmwrlspkt;HomeNet Manager Wireless Protocol;C:\WINDOWS\system32\DRIVERS\hnm_wrls_pkt.sys [2006-07-14 02:01]
R2 wsppkt;Wireless Security Protocol;C:\WINDOWS\system32\DRIVERS\wsp_pkt.sys [2006-07-14 02:02]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;C:\WINDOWS\system32\DRIVERS\klim5.sys [2007-12-13 13:28]
S3 NAL;Nal Service ;C:\WINDOWS\system32\Drivers\iqvw32.sys [2006-06-05 04:39]
S3 SNP2STD;USB2.0 PC Camera (SNP2STD);C:\WINDOWS\system32\DRIVERS\snp2sxp.sys [2006-11-08 14:57]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
\Shell\AutoRun\command - E:\setup.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-06-13 17:30:00 C:\WINDOWS\Tasks\McAfee.com Scan for Viruses - My Computer (DG0NJN2J-Kelsa).job"
- c:\program files\mcafee.com\vso\mcmnhdlr.exe
.
- - - - ORPHANS REMOVED - - - -

BHO-{9358CB63-6746-4EF2-BDA5-1165FC152D1D} - (no file)
BHO-{944FA61B-91B2-4A08-A465-F248B1781E2B} - C:\WINDOWS\system32\hgGWPJBs.dll
BHO-{C4DBDFC8-DCE8-403E-A2BA-21FBB5A033C9} - C:\WINDOWS\system32\yayxwTJB.dll
HKCU-Run-Steam - (no file)
HKLM-Run-d462aa0a - C:\WINDOWS\system32\hwvkwfqx.dll
HKLM-RunOnce-SpybotDeletingA5693 - command
HKLM-RunOnce-SpybotDeletingC4855 - del
HKLM-RunOnce-SpybotDeletingA3708 - command
HKLM-RunOnce-SpybotDeletingC1756 - del
HKLM-RunOnce-SpybotDeletingA7162 - command
HKLM-RunOnce-SpybotDeletingC1472 - del
HKLM-RunOnce-SpybotDeletingC8701 - del
HKLM-RunOnce-SpybotDeletingA3029 - command
HKLM-RunOnce-SpybotDeletingC7641 - del
HKLM-RunOnce-SpybotDeletingA6471 - command
ShellExecuteHooks-{BAFFE38C-C38F-421D-A619-854106535705} - (no file)
MSConfigStartUp-swg - C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-01 18:49:19
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\WINDOWS\ehome\ehrecvr.exe
C:\WINDOWS\ehome\ehSched.exe
C:\WINDOWS\system32\gearsec.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe
C:\Program Files\Kontiki\KService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton Ghost\Agent\VProSvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\ehome\ehmsas.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
.
**************************************************************************
.
Completion time: 2008-07-01 18:52:59 - machine was rebooted
ComboFix-quarantined-files.txt 2008-07-01 17:52:52

Pre-Run: 151,613,370,368 bytes free
Post-Run: 152,485,531,648 bytes free

254 --- E O F --- 2008-06-19 19:48:53


After the program had finished, Kaspersky picked up on a Trojan.Generic; it was called something like CF10224.txt. I believed it was something to do with the ComboFix program, so I allowed it...

Spybot also had messages popping up about new browser helper objects (which didn't give me the option to deny)

As soon as I logged onto here another pop up came up :)

#4 greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)
Yes, that belongs to Combofix :)

Did you install Kontiki? If not, uninstall it. I see you have GameSpyArcade there also. It's a known adware program. You may uninstall it also unless you don't mind the adware...

Open up your Notepad editor (Start->Run, type in notepad and click OK). Copy the text from the quotebox below into Notepad:

File::
C:\WINDOWS\imsins.BAK
C:\WINDOWS\system32\qqdvfbbn.dll
C:\WINDOWS\system32\acdubu.dll
C:\WINDOWS\system32\fgfcCS.dll
C:\WINDOWS\system32\mhmecbfy.dll
C:\WINDOWS\system32\ibjqub.dll
C:\WINDOWS\system32\sadasdasdadsad.dll
C:\WINDOWS\system32\mpomnevd.dll
C:\WINDOWS\system32\kmapug.dll
C:\WINDOWS\system32\geBrqrrQ.dll.vir
C:\WINDOWS\system32\actskn45.ocx
C:\Documents and Settings\Laurie.DG0NJN2J\Application Data\filterclsid.dat
C:\Documents and Settings\Laurie.DG0NJN2J\Application Data\internaldb8467.dat
C:\Documents and Settings\Laurie.DG0NJN2J\Application Data\internaldb6334.dat
C:\Documents and Settings\Laurie.DG0NJN2J\Application Data\internaldb41.dat
C:\WINDOWS\system32\acdubu.dll
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4c2a6f8a-bc55-4d24-bf7d-467e66f09bd8}]

Save this as CFScript.txt in the same location as the ComboFix.exe tool.
Drag the CFScript.txt into ComboFix.exe
Follow the prompts. When finished, it shall produce a log for you. Post that log in your next reply.

Note: Do not click on combofix's window while it's running. That may cause it to stall.

#5 FD_IT_Student (New Member, Topic Starter, 9 posts)
ComboFix 08-06-30.2 - Ash 2008-07-02 13:38:30.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.588 [GMT 1:00]
Running from: C:\Documents and Settings\Ash\Desktop\Combo Folder\ComboFix.exe
Command switches used :: C:\Documents and Settings\Ash\Desktop\Combo Folder\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\Documents and Settings\Laurie.DG0NJN2J\Application Data\filterclsid.dat
C:\Documents and Settings\Laurie.DG0NJN2J\Application Data\internaldb41.dat
C:\Documents and Settings\Laurie.DG0NJN2J\Application Data\internaldb6334.dat
C:\Documents and Settings\Laurie.DG0NJN2J\Application Data\internaldb8467.dat
C:\WINDOWS\imsins.BAK
C:\WINDOWS\system32\acdubu.dll
C:\WINDOWS\system32\actskn45.ocx
C:\WINDOWS\system32\fgfcCS.dll
C:\WINDOWS\system32\geBrqrrQ.dll.vir
C:\WINDOWS\system32\ibjqub.dll
C:\WINDOWS\system32\kmapug.dll
C:\WINDOWS\system32\mhmecbfy.dll
C:\WINDOWS\system32\mpomnevd.dll
C:\WINDOWS\system32\qqdvfbbn.dll
C:\WINDOWS\system32\sadasdasdadsad.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Laurie.DG0NJN2J\Application Data\filterclsid.dat
C:\Documents and Settings\Laurie.DG0NJN2J\Application Data\internaldb41.dat
C:\Documents and Settings\Laurie.DG0NJN2J\Application Data\internaldb6334.dat
C:\Documents and Settings\Laurie.DG0NJN2J\Application Data\internaldb8467.dat
C:\WINDOWS\imsins.BAK
C:\WINDOWS\system32\acdubu.dll
C:\WINDOWS\system32\actskn45.ocx
C:\WINDOWS\system32\fgfcCS.dll
C:\WINDOWS\system32\geBrqrrQ.dll.vir
C:\WINDOWS\system32\ibjqub.dll
C:\WINDOWS\system32\kmapug.dll
C:\WINDOWS\system32\mhmecbfy.dll
C:\WINDOWS\system32\mpomnevd.dll
C:\WINDOWS\system32\qqdvfbbn.dll
C:\WINDOWS\system32\sadasdasdadsad.dll

.
((((((((((((((((((((((((( Files Created from 2008-06-02 to 2008-07-02 )))))))))))))))))))))))))))))))
.

2008-06-30 22:06 . 2008-06-30 22:07 <DIR> d--h----- C:\WINDOWS\msdownld.tmp
2008-06-30 21:59 . 2008-04-23 05:16 6,066,176 --------- C:\WINDOWS\system32\dllcache\ieframe.dll
2008-06-30 21:59 . 2007-04-17 10:32 2,455,488 --------- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2008-06-30 21:59 . 2007-03-08 06:10 991,232 --------- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2008-06-30 21:59 . 2008-04-23 05:16 459,264 --------- C:\WINDOWS\system32\dllcache\msfeeds.dll
2008-06-30 21:59 . 2008-04-23 05:16 383,488 --------- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2008-06-30 21:59 . 2008-04-23 05:16 267,776 --------- C:\WINDOWS\system32\dllcache\iertutil.dll
2008-06-30 21:59 . 2008-04-23 05:16 63,488 --------- C:\WINDOWS\system32\dllcache\icardie.dll
2008-06-30 21:59 . 2008-04-23 05:16 52,224 --------- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2008-06-30 21:59 . 2008-04-22 08:39 13,824 --------- C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-06-30 21:56 . 2008-07-01 21:38 <DIR> d-------- C:\b30ad7822cbfca4503e5df91
2008-06-30 21:38 . 2008-06-30 21:46 <DIR> d-------- C:\WINDOWS\system32\CatRoot_bak
2008-06-30 17:45 . 2008-06-30 17:54 96,966 --a------ C:\WINDOWS\system32\drivers\klin.dat
2008-06-30 17:45 . 2008-06-30 17:54 88,774 --a------ C:\WINDOWS\system32\drivers\klick.dat
2008-06-30 17:44 . 2008-06-30 17:44 <DIR> d-------- C:\Program Files\Kaspersky Lab
2008-06-30 17:44 . 2008-07-02 13:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-06-30 17:44 . 2008-07-02 13:49 3,933,472 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-06-30 17:44 . 2008-07-02 13:49 85,536 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2008-06-30 17:44 . 2008-07-02 09:52 53,720 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-06-30 17:44 . 2008-07-02 09:52 8,756 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx
2008-06-30 17:35 . 2008-06-30 17:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab Setup Files
2008-06-29 12:47 . 2008-06-29 12:45 691,545 --a------ C:\WINDOWS\unins000.exe
2008-06-29 12:47 . 2008-06-29 12:47 2,538 --a------ C:\WINDOWS\unins000.dat
2008-06-29 10:10 . 2008-06-29 10:10 <DIR> d-------- C:\Program Files\Microsoft Games
2008-06-29 10:09 . 2008-06-29 10:10 <DIR> d-------- C:\Program Files\Vietcong MP demo
2008-06-29 10:09 . 2008-06-29 10:09 <DIR> d-------- C:\Program Files\Symantec
2008-06-28 22:41 . 2008-06-28 22:41 <DIR> d-------- C:\Program Files\Trend Micro
2008-06-23 23:20 . 2008-06-23 23:20 <DIR> d-------- C:\Documents and Settings\Ash\Application Data\PC Suite
2008-06-11 14:31 . 2008-06-13 14:10 272,128 --------- C:\WINDOWS\system32\drivers\bthport.sys
2008-06-11 14:31 . 2008-06-13 14:10 272,128 --------- C:\WINDOWS\system32\dllcache\bthport.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-02 12:48 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kontiki
2008-07-01 20:54 --------- d-----w C:\Program Files\Kontiki
2008-06-30 21:56 --------- d-----w C:\Program Files\Google
2008-06-30 17:32 --------- d-----w C:\Program Files\Common Files\Carlson
2008-06-30 16:54 112,144 ----a-w C:\WINDOWS\system32\drivers\kl1.sys
2008-06-30 16:38 --------- d-----w C:\Documents and Settings\Laurie.DG0NJN2J\Application Data\AVG7
2008-06-30 16:38 --------- d-----w C:\Documents and Settings\Ash\Application Data\AVG7
2008-06-30 16:38 --------- d-----w C:\Documents and Settings\All Users\Application Data\Avg7
2008-06-29 11:55 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-06-29 11:49 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-06-29 09:09 --------- d-----w C:\Program Files\Call of Duty
2008-06-29 06:20 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-06-28 07:24 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-06-22 23:12 --------- d-----w C:\Documents and Settings\Laurie.DG0NJN2J\Application Data\LimeWire
2008-06-10 09:14 22,328 ----a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys
2008-05-28 20:10 --------- d-----w C:\Documents and Settings\Laurie.DG0NJN2J\Application Data\PC Suite
2008-05-19 23:12 --------- d-----w C:\Program Files\Microsoft Silverlight
2008-05-11 20:17 0 ---ha-w C:\WINDOWS\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2008-05-11 20:17 0 ---ha-w C:\WINDOWS\system32\drivers\Msft_Kernel_ccdcmb_01005.Wdf
2008-05-11 20:15 --------- d-----w C:\Documents and Settings\All Users\Application Data\PC Suite
2008-05-11 20:14 --------- d-----w C:\Program Files\PC Connectivity Solution
2008-05-11 20:14 --------- d-----w C:\Program Files\Nokia
2008-05-11 20:14 --------- d-----w C:\Program Files\DIFX
2008-05-11 20:14 --------- d-----w C:\Program Files\Common Files\PCSuite
2008-05-11 20:14 --------- d-----w C:\Program Files\Common Files\Nokia
2008-05-11 20:13 --------- d-----w C:\Documents and Settings\All Users\Application Data\Installations
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2002-07-10 20:32 327,680 ----a-w C:\Documents and Settings\Ash\ArcadeRes.dll
2002-07-10 20:32 2,916,407 -c--a-w C:\Documents and Settings\Ash\Aphex.exe
2002-07-10 20:32 163,840 -c--a-w C:\Documents and Settings\Ash\rwvoice.dll
2002-07-10 20:32 106,496 -c--a-w C:\Documents and Settings\Ash\rwnet.dll
2002-07-10 14:59 94,208 ----a-w C:\Documents and Settings\Ash\gsws.dll
2002-07-10 14:59 81,920 ----a-w C:\Documents and Settings\Ash\gslan.dll
2002-05-27 22:05 77,824 ----a-w C:\Documents and Settings\Ash\GSAPak.exe
2001-12-20 10:46 4,396 -c--a-w C:\Documents and Settings\Ash\4dca9208.dat
2001-12-20 10:46 118,784 -c--a-w C:\Documents and Settings\Ash\pw32.dll
1999-11-12 18:16 224,768 ----a-w C:\Documents and Settings\Ash\fpupdate.exe
1999-06-25 10:55 149,504 -c--a-w C:\Documents and Settings\Ash\UNWISE.EXE
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 06:00 15360]
"kdx"="C:\Program Files\Kontiki\KHost.exe" [2007-04-23 11:23 1032640]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-28 20:49 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-09-29 15:01 67584]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-12-05 02:41 8523776]
"IAAnotif"="C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-07-06 08:15 151552]
"DMXLauncher"="C:\Program Files\Dell\Media Experience\DMXLauncher.exe" [2005-10-05 04:12 94208]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-12-17 14:05 98304]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2004-12-13 16:30 58992]
"DLA"="C:\WINDOWS\System32\DLA\DLACTRLW.EXE" [2005-09-08 06:20 122940]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 17:50 221184]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 17:50 81920]
"BuildBU"="c:\dell\bldbubg.exe" [2006-12-17 13:42 61440]
"SpeedTouch USB Diagnostics"="C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" [2004-01-26 12:38 866816]
"tsnp2std"="C:\WINDOWS\tsnp2std.exe" [2006-11-02 14:04 258048]
"snp2std"="C:\WINDOWS\vsnp2std.exe" [2006-09-15 13:21 675840]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-02-03 22:52 185896]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-12-05 02:41 81920]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"SigmatelSysTrayApp"="stsystra.exe" [2006-07-24 18:20 282624 C:\WINDOWS\stsystra.exe]
"nwiz"="nwiz.exe" [2007-12-05 02:41 1626112 C:\WINDOWS\system32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-10 06:00 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2004-10-13 17:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Norton Ghost 10.0]
--a------ 2005-12-07 17:05 1537696 C:\Program Files\Norton Ghost\Agent\GhostTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OrderReminder]
-ra------ 2006-01-30 17:00 98304 C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Dell Network Assistant\\ezi_hnm2.exe"=
"C:\\Program Files\\Valve\\Steam\\Steam.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\SpeedTouch\\Dr SpeedTouch\\drst.exe"=
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"=
"C:\\Program Files\\Valve\\Steam\\SteamApps\\laurie101\\counter-strike source\\hl2.exe"=
"C:\\Program Files\\Call of Duty\\CoDMP.exe"=
"C:\\Program Files\\Valve\\Steam\\SteamApps\\ashymartin\\counter-strike source\\hl2.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\Kontiki\\KService.exe"=
"C:\\Documents and Settings\\All Users\\Application Data\\Kaspersky Lab Setup Files\\Kaspersky Anti-Virus 7.0.1.325\\English\\setup.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"10421:UDP"= 10421:UDP:SingleClick Discovery Protocol
"10426:UDP"= 10426:UDP:SingleClick ICC
"3721:TCP"= 3721:TCP:LimeWire

R2 hnmwrlspkt;HomeNet Manager Wireless Protocol;C:\WINDOWS\system32\DRIVERS\hnm_wrls_pkt.sys [2006-07-14 02:01]
R2 wsppkt;Wireless Security Protocol;C:\WINDOWS\system32\DRIVERS\wsp_pkt.sys [2006-07-14 02:02]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;C:\WINDOWS\system32\DRIVERS\klim5.sys [2007-12-13 13:28]
S3 NAL;Nal Service ;C:\WINDOWS\system32\Drivers\iqvw32.sys [2006-06-05 04:39]
S3 SNP2STD;USB2.0 PC Camera (SNP2STD);C:\WINDOWS\system32\DRIVERS\snp2sxp.sys [2006-11-08 14:57]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
\Shell\AutoRun\command - E:\setup.exe

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2008-06-13 17:30:00 C:\WINDOWS\Tasks\McAfee.com Scan for Viruses - My Computer (DG0NJN2J-Kelsa).job"
- c:\program files\mcafee.com\vso\mcmnhdlr.exe
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-d462aa0a - C:\WINDOWS\system32\hwvkwfqx.dll
HKLM-RunOnce-SpybotDeletingA5693 - command
HKLM-RunOnce-SpybotDeletingC4855 - del
HKLM-RunOnce-SpybotDeletingA3708 - command
HKLM-RunOnce-SpybotDeletingC1756 - del
HKLM-RunOnce-SpybotDeletingA7162 - command
HKLM-RunOnce-SpybotDeletingC1472 - del
HKLM-RunOnce-SpybotDeletingC8701 - del
HKLM-RunOnce-SpybotDeletingA3029 - command
HKLM-RunOnce-SpybotDeletingC7641 - del
HKLM-RunOnce-SpybotDeletingA6471 - command


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-02 13:49:05
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-07-02 13:51:09
ComboFix-quarantined-files.txt 2008-07-02 12:51:04
ComboFix2.txt 2008-07-01 17:53:04

Pre-Run: 152,760,053,760 bytes free
Post-Run: 152,801,968,128 bytes free

218 --- E O F --- 2008-07-01 18:01:20


Seems OK so far (in terms of pop-ups etc.). Thanks for your time and help, greyknight :)

#6 greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)
Good job. Your log is clean.

To help prevent future spyware infections, read the Anti-Spyware Tutorial and use the tools provided.

Are there any problems now? If none, go to Start->Run, copy/paste in combofix /u and hit OK to remove it. You should be set to go.

#7 FD_IT_Student (New Member, Topic Starter, 9 posts)
The only problem now is that I may have accidentally deleted a .dll file which may be needed by the system, and when I boot the machine up an error message pops up straight away: "cannot find file xxxxx.dll" :)

I also notice that Spybot-S&D deletes either one file many times or lots of files (the Spybot message box in the bottom right-hand corner appears about 10 times).

Kaspersky also says that there are immediate threats, but I think that's just it getting scared of ComboFix!

Anyway thank you very much Grey Knight :)

#8 greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)
What is the name of that dll?

Download HijackThis at http://www.greyknigh.../HijackThis.exe Create a folder at C:\HJT and move HijackThis.exe there. Double-click on the program to run it.

1. If it gives you an intro screen, just choose Do a system scan and save a logfile.
2. If you don't get the intro screen, just hit Scan and then click on Save log.
3. Post the hijackthis.log file here. Do not fix anything in HijackThis since they may be harmless.

#9 greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.

#10 greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)
Topic re-opened per user's request.


#11 FD_IT_Student (New Member, Topic Starter, 9 posts)
Hi Kevin,

Here is the log from HJT

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:17:46, on 17/07/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\System32\GEARSec.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Kontiki\KService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton Ghost\Agent\VProSvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\WINDOWS\tsnp2std.exe
C:\WINDOWS\vsnp2std.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Kontiki\KHost.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Documents and Settings\Ash\Desktop\Un-used Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.co.uk/ig/dell?hl=en&client=dell-usuk&channel=uk&ibd=2061217
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.google.co...amp;ibd=2061217
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: (no name) - {4c2a6f8a-bc55-4d24-bf7d-467e66f09bd8} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [BuildBU] c:\dell\bldbubg.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [tsnp2std] C:\WINDOWS\tsnp2std.exe
O4 - HKLM\..\Run: [snp2std] C:\WINDOWS\vsnp2std.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [d462aa0a] rundll32.exe "C:\WINDOWS\system32\hwvkwfqx.dll",b
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\RunOnce: [SpybotDeletingA5693] command /c del "C:\Documents and Settings\Laurie.DG0NJN2J\Application Data\ErrorSmart\Log\2007 Dec 05 - 06_49_39 PM_109.log"
O4 - HKLM\..\RunOnce: [SpybotDeletingC4855] cmd /c del "C:\Documents and Settings\Laurie.DG0NJN2J\Application Data\ErrorSmart\Log\2007 Dec 05 - 06_49_39 PM_109.log"
O4 - HKLM\..\RunOnce: [SpybotDeletingA3708] command /c del "C:\Documents and Settings\Laurie.DG0NJN2J\Application Data\ErrorSmart\Log\2007 Dec 05 - 06_49_45 PM_046.log"
O4 - HKLM\..\RunOnce: [SpybotDeletingC1756] cmd /c del "C:\WINDOWS\PROGRAM.exe"
O4 - HKLM\..\RunOnce: [SpybotDeletingA7162] command /c del "C:\WINDOWS\system32\hgGWPJBs.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC1472] cmd /c del "C:\WINDOWS\system32\hgGWPJBs.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC8701] cmd /c del "C:\Documents and Settings\Laurie.DG0NJN2J\Application Data\ErrorSmart\Log\2007 Dec 05 - 06_49_45 PM_046.log"
O4 - HKLM\..\RunOnce: [SpybotDeletingA3029] command /c del "C:\Documents and Settings\Laurie.DG0NJN2J\Local Settings\Temp\removalfile.bat"
O4 - HKLM\..\RunOnce: [SpybotDeletingC7641] cmd /c del "C:\Documents and Settings\Laurie.DG0NJN2J\Local Settings\Temp\removalfile.bat"
O4 - HKLM\..\RunOnce: [SpybotDeletingA6471] command /c del "C:\WINDOWS\PROGRAM.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [kdx] C:\Program Files\Kontiki\KHost.exe -all
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.liv...m/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file://C:\Program Files\Monopoly\Images\stg_drm.ocx
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zon...1/GAME_UNO1.cab
O16 - DPF: {AF2E62B6-F9E1-4D4F-A10A-9DC8E6DCBCC0} (VideoEgg ActiveX Loader) - http://update.videoe...ggPublisher.exe
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zon...nt.cab56907.cab
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file://C:\Program Files\Monopoly\Images\armhelper.ocx
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zon...er.cab56986.cab
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Norton Ghost\Agent\VProSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 11479 bytes


I've noticed that it still has that ErrorSmart problem, which is constantly being deleted by Spybot S&D... is there any way of permanently getting rid of this?

My brother has installed god knows what since a few weeks back when we had the other problem, but the machine seems to be running OK :)

The missing dll file is called "hwvkwfqx.dll" (system32) hope this helps

Thanks

Ash

#12 greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)
Please print the below instructions or copy them to Notepad. Make sure to work through the fixes in the order mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.

Uninstall Kontiki via the Add/Remove Programs panel unless you installed it and want to keep it.

Run a scan in HijackThis. Check each of the following if they still exist and hit 'Fix Checked' after you checked the last one:

O2 - BHO: (no name) - {4c2a6f8a-bc55-4d24-bf7d-467e66f09bd8} - (no file)
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O4 - HKLM\..\Run: [tsnp2std] C:\WINDOWS\tsnp2std.exe
O4 - HKLM\..\Run: [snp2std] C:\WINDOWS\vsnp2std.exe
O4 - HKLM\..\Run: [d462aa0a] rundll32.exe "C:\WINDOWS\system32\hwvkwfqx.dll",b
O4 - HKLM\..\RunOnce: [SpybotDeletingA5693] command /c del "C:\Documents and Settings\Laurie.DG0NJN2J\Application Data\ErrorSmart\Log\2007 Dec 05 - 06_49_39 PM_109.log"
O4 - HKLM\..\RunOnce: [SpybotDeletingC4855] cmd /c del "C:\Documents and Settings\Laurie.DG0NJN2J\Application Data\ErrorSmart\Log\2007 Dec 05 - 06_49_39 PM_109.log"
O4 - HKLM\..\RunOnce: [SpybotDeletingA3708] command /c del "C:\Documents and Settings\Laurie.DG0NJN2J\Application Data\ErrorSmart\Log\2007 Dec 05 - 06_49_45 PM_046.log"
O4 - HKLM\..\RunOnce: [SpybotDeletingC1756] cmd /c del "C:\WINDOWS\PROGRAM.exe"
O4 - HKLM\..\RunOnce: [SpybotDeletingA7162] command /c del "C:\WINDOWS\system32\hgGWPJBs.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC1472] cmd /c del "C:\WINDOWS\system32\hgGWPJBs.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC8701] cmd /c del "C:\Documents and Settings\Laurie.DG0NJN2J\Application Data\ErrorSmart\Log\2007 Dec 05 - 06_49_45 PM_046.log"
O4 - HKLM\..\RunOnce: [SpybotDeletingA3029] command /c del "C:\Documents and Settings\Laurie.DG0NJN2J\Local Settings\Temp\removalfile.bat"
O4 - HKLM\..\RunOnce: [SpybotDeletingC7641] cmd /c del "C:\Documents and Settings\Laurie.DG0NJN2J\Local Settings\Temp\removalfile.bat"
O4 - HKLM\..\RunOnce: [SpybotDeletingA6471] command /c del "C:\WINDOWS\PROGRAM.exe"
O4 - HKCU\..\Run: [kdx] C:\Program Files\Kontiki\KHost.exe -all
O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe


Run Combofix again by double clicking on it. Post the log here when it's ready.
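The fix list above, like the CFScript in post #4, comes from reading the log for a few recurring patterns: COM registrations (O2 BHOs, O3 toolbars) whose DLL is gone, a Run value that loads an oddly named system32 DLL through rundll32 with a one-letter export, and RunOnce values Spybot left behind. The Python below is an added example written for this page; it is not the thread's own code and nothing in it comes from HijackThis or ComboFix. It encodes those patterns as this editor's own heuristics, runs them over a constructed subset of the HijackThis log posted above, and writes out a CFScript in the File::/Registry:: form used in post #4. The [-KEY] deletion syntax is the one the thread's script used; deleting a single value with "name"=- is REGEDIT4 syntax, and that ComboFix honours it in a CFScript is an assumption. The registry paths for BHOs, toolbars and Run/RunOnce are the standard Windows locations, not taken from the thread.

```python
"""Added example for this page: it is not code from the thread, HijackThis or ComboFix.

Encodes, as this editor's own heuristics, the patterns greyknight17 pulled out of
the HijackThis log in posts #4 and #12, then emits a ComboFix CFScript:
  - O2 (BHO) / O3 (toolbar) entries whose target is "(no file)": dangling COM
    registrations, removed in the Registry:: section;
  - O4 Run entries loading a system32 DLL through rundll32 with a one-letter
    export (the "hwvkwfqx.dll",b line above): DLL goes into File::, the Run
    value into Registry::;
  - O4 RunOnce values named SpybotDeleting*: Spybot leftovers.
"""
import re

# Constructed sample: a subset of the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: (no name) - {4c2a6f8a-bc55-4d24-bf7d-467e66f09bd8} - (no file)
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [d462aa0a] rundll32.exe "C:\WINDOWS\system32\hwvkwfqx.dll",b
O4 - HKLM\..\RunOnce: [SpybotDeletingC1756] cmd /c del "C:\WINDOWS\PROGRAM.exe"
O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
"""

# Standard Windows registry locations (assumed, not taken from the thread).
HIVES = {"HKLM": "HKEY_LOCAL_MACHINE", "HKCU": "HKEY_CURRENT_USER"}
RUN_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
BHO_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"
TOOLBAR_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar"

# HijackThis line shapes; a CLSID is 32 hex digits plus 4 hyphens inside braces.
NO_FILE = re.compile(r"^(O[23]) - \w+: .* - (\{[0-9A-Fa-f-]{36}\}) - \(no file\)$")
RUNDLL = re.compile(
    r'^O4 - (HK\w+)\\\.\.\\Run: \[(\w+)\] rundll32(?:\.exe)? '
    r'"([^"]*\\system32\\[^"\\]+\.dll)",(\w)$', re.IGNORECASE)
SPYBOT = re.compile(r"^O4 - (HK\w+)\\\.\.\\RunOnce: \[(SpybotDeleting\w+)\] ")


def triage(log_text):
    """Return one finding dict per suspicious HijackThis line, in log order."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if m := NO_FILE.match(line):
            findings.append({"kind": "dangling_com", "section": m.group(1),
                             "clsid": m.group(2), "line": line})
        elif m := RUNDLL.match(line):
            findings.append({"kind": "rundll32_loader", "hive": m.group(1),
                             "value": m.group(2), "dll": m.group(3),
                             "export": m.group(4), "line": line})
        elif m := SPYBOT.match(line):
            findings.append({"kind": "spybot_leftover", "hive": m.group(1),
                             "value": m.group(2), "line": line})
    return findings


def build_cfscript(findings):
    """Turn findings into CFScript text: File:: paths, then Registry:: in REGEDIT4 form.

    [-KEY] deletes a key (the form the thread's own script used); "name"=-
    deletes a value, which is assumed here to be honoured by ComboFix.
    """
    files, reg = [], []
    for f in findings:
        if f["kind"] == "rundll32_loader":
            files.append(f["dll"])
            reg.append(f'[{HIVES[f["hive"]]}\\{RUN_KEY}]\n"{f["value"]}"=-')
        elif f["kind"] == "spybot_leftover":
            reg.append(f'[{HIVES[f["hive"]]}\\{RUN_KEY}Once]\n"{f["value"]}"=-')
        elif f["kind"] == "dangling_com" and f["section"] == "O2":
            reg.append(f"[-{BHO_KEY}\\{f['clsid']}]")        # BHOs are keyed by CLSID
        elif f["kind"] == "dangling_com":
            reg.append(f'[{TOOLBAR_KEY}]\n"{f["clsid"]}"=-')  # toolbars are values
    out = []
    if files:
        out += ["File::"] + files
    if reg:
        out += ["Registry::"] + reg
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f'{f["kind"]:16} {f["line"]}')
    print(build_cfscript(found))
```

Everything the triage flags is still only a candidate. A "(no file)" BHO is harmless on its own, and a rundll32 loader is worth checking against the ComboFix "Other Deletions" list first: in this thread the hwvkwfqx.dll file was already gone while its Run value survived, which is exactly what produces a "cannot find file" message at logon.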

#13 FD_IT_Student (New Member, Topic Starter, 9 posts)
OK, will check this later; I'm at work at the moment...

I will try and fix the above-mentioned and get back to you today.

Just to add as well, Spybot notified me that "bravia.exe" had been added; however, I denied the change.

Thanks

Ash

Edited by FD_IT_Student, 18 July 2008 - 04:34 AM.


#14 greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)
Hi Ash, try to disable TeaTimer during the fixing phase here. Let whatever changes go through (good or bad) so we know if it's clean or not.

#15 FD_IT_Student (New Member, Topic Starter, 9 posts)
Hi Kev,

I disabled Spybot and then removed what you told me to above ^^

Here is the new log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 01:58:26, on 19/07/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\System32\GEARSec.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Norton Ghost\Agent\VProSvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Documents and Settings\Ash\Desktop\Un-used Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.co.uk/ig/dell?hl=en&client=dell-usuk&channel=uk&ibd=2061217
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.google.co...amp;ibd=2061217
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [BuildBU] c:\dell\bldbubg.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.liv...m/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file://C:\Program Files\Monopoly\Images\stg_drm.ocx
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zon...1/GAME_UNO1.cab
O16 - DPF: {AF2E62B6-F9E1-4D4F-A10A-9DC8E6DCBCC0} (VideoEgg ActiveX Loader) - http://update.videoe...ggPublisher.exe
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zon...nt.cab56907.cab
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file://C:\Program Files\Monopoly\Images\armhelper.ocx
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zon...er.cab56986.cab
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Norton Ghost\Agent\VProSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 9251 bytes


I am going to restart and then check again to make sure it's all ok!!!

Here is the newer log (the one after the restart):

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 02:04:55, on 19/07/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\System32\GEARSec.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Norton Ghost\Agent\VProSvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Ash\Desktop\Un-used Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.co.uk/ig/dell?hl=en&client=dell-usuk&channel=uk&ibd=2061217
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.google.co...amp;ibd=2061217
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [BuildBU] c:\dell\bldbubg.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.liv...m/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file://C:\Program Files\Monopoly\Images\stg_drm.ocx
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zon...1/GAME_UNO1.cab
O16 - DPF: {AF2E62B6-F9E1-4D4F-A10A-9DC8E6DCBCC0} (VideoEgg ActiveX Loader) - http://update.videoe...ggPublisher.exe
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zon...nt.cab56907.cab
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file://C:\Program Files\Monopoly\Images\armhelper.ocx
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zon...er.cab56986.cab
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Norton Ghost\Agent\VProSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 9304 bytes

Spybot popped up saying that the old "runonce" files had been deleted and this time I told it to allow this... I think it looks clean :)

Edited by FD_IT_Student, 18 July 2008 - 07:07 PM.
