Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Vurtumonde & Smitfruad [RESOLVED]


  • This topic is locked This topic is locked

#1
NervousXians

NervousXians

    Member

  • Member
  • PipPip
  • 17 posts
Haven't been able to get rid of these with Spybot or Pc Tools AntiVirus.

AntiVirus seemed to catch the problems at first, now when i scan my computer it doesn't find a thing. Spybot finds them, says it corrects the problems then they are back at reboot.





Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:59:08 PM, on 8/11/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\PC Tools AntiVirus\PCTAVSvc.exe
C:\WINDOWS\system32\PhnxCDSvr.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\VTTimer.exe
C:\Program Files\Phoenix Technologies\cME\RPro\ XP\VBPTASK.EXE
C:\Program Files\Phoenix Technologies\cME\Guard\Guard.exe
C:\Program Files\PC Tools AntiVirus\PCTAV.exe
C:\Documents and Settings\Christen\winlogon.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\QuickTime\QTTask.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\LimeWire\LimeWire.exe
C:\WINDOWS\system32\slrundll.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Christen\Desktop\HiJackThis.exe

O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RestoreIT!] "C:\Program Files\Phoenix Technologies\cME\RPro\ XP\VBPTASK.EXE" VBStart
O4 - HKLM\..\Run: [Guard] "C:\Program Files\Phoenix Technologies\cME\Guard\Guard.exe" /background
O4 - HKLM\..\Run: [PCTAVApp] "C:\Program Files\PC Tools AntiVirus\PCTAV.exe" /MONITORSCAN
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Windows Logon Applicationedc] C:\Documents and Settings\Christen\winlogon.exe
O4 - HKLM\..\Run: [3cb538a7] rundll32.exe "C:\WINDOWS\system32\mxqsjasi.dll",b
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\RunOnce: [SpybotDeletingC6445] cmd /c del "C:\WINDOWS\system32\drivers\core.cache.dsk"
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{80C15E45-ABE7-40D5-9998-274FAF1145A8}: NameServer = 66.19.192.200 216.126.128.40
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: PC Tools AntiVirus Engine (PCTAVSvc) - PC Tools Research Pty Ltd - C:\Program Files\PC Tools AntiVirus\PCTAVSvc.exe
O23 - Service: Phoenix VCD Service (PhnxVCDService) - Phoenix Technologies Ltd. - C:\WINDOWS\system32\PhnxCDSvr.exe
O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe

--
End of file - 4276 bytes
  • 0

Advertisements


#2
kahdah

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
Hello NervousXians

Welcome to G2Go. :)
=====================
Please visit this web page for instructions for downloading and running Combofix >ComboFix Instructions
This includes installing the Windows Recovery Console. Vista users do not need to do this
The Windows recovery console will allow you to boot up into a special recovery mode that allows us to help you in the case that your computer has a problem after an attempted removal of malware.

Post the log from ComboFix when you've accomplished all of that, along with a new HijackThis log.
  • 0

#3
NervousXians

NervousXians

    Member

  • Topic Starter
  • Member
  • PipPip
  • 17 posts
Thanks so much for your quick response!
Here is the ComboFix log



ComboFix 08-08-11.01 - Christen 2008-08-12 8:46:54.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.133 [GMT -4:00]
Running from: C:\Documents and Settings\Christen\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Christen\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Christen\Application Data\macromedia\Flash Player\#SharedObjects\3Z5XWYDM\interclick.com
C:\Documents and Settings\Christen\Application Data\macromedia\Flash Player\#SharedObjects\3Z5XWYDM\interclick.com\ud.sol
C:\Documents and Settings\Christen\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
C:\Documents and Settings\Christen\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol
C:\Documents and Settings\Christen\services.exe
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\temp\tn3
C:\WINDOWS\BM3f860b3b.txt
C:\WINDOWS\mrofinu1000106.exe
C:\WINDOWS\mrofinu1188.exe
C:\WINDOWS\system32\blskdqqb.ini
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\drivers\mssmbioss.sys
C:\WINDOWS\system32\fivfqj.dll
C:\WINDOWS\system32\fvjwgc.dll
C:\WINDOWS\system32\gryavsij.dll
C:\WINDOWS\system32\isajsqxm.ini
C:\WINDOWS\system32\izmuyt.dll
C:\WINDOWS\system32\jkkjGwVP.dll
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\mknejybv.dll
C:\WINDOWS\system32\mrgxfwyu.dll
C:\WINDOWS\system32\MSINET.oca
C:\WINDOWS\system32\mxqsjasi.dll
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\PVwGjkkj.ini
C:\WINDOWS\system32\PVwGjkkj.ini2
C:\WINDOWS\system32\remtpgkg.dll
C:\WINDOWS\system32\seikry.dll
C:\WINDOWS\system32\svbvkpkk.dll
C:\WINDOWS\system32\wfxmvmjw.ini
C:\WINDOWS\system32\xthoyyfy.dll
C:\WINDOWS\system32\yfyyohtx.ini

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_MSSMBIOSS
-------\Service_mssmbioss


((((((((((((((((((((((((( Files Created from 2008-07-12 to 2008-08-12 )))))))))))))))))))))))))))))))
.

2008-08-11 19:15 . 2008-08-11 19:15 <DIR> d-------- C:\Program Files\TeaTimer (Spybot - Search & Destroy)
2008-08-11 19:06 . 2008-08-11 19:06 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-08-11 19:06 . 2005-08-25 19:18 118,784 --a------ C:\WINDOWS\system32\MSSTDFMT.DLL
2008-08-10 13:28 . 2008-08-10 13:28 2,048 --a------ C:\WINDOWS\system32\ecfovwee.exe
2008-08-10 12:34 . 2008-08-10 12:34 2,048 --a------ C:\WINDOWS\system32\ckglwbna.exe
2008-08-09 13:31 . 2008-08-11 17:34 722 --a------ C:\WINDOWS\wininit.ini
2008-08-09 12:28 . 2008-08-09 12:28 2,048 --a------ C:\WINDOWS\system32\nywukcwu.exe
2008-08-09 12:23 . 2008-08-09 12:23 0 --a------ C:\WINDOWS\BM3f860b3b.xml
2008-08-09 09:05 . 2008-08-09 09:05 <DIR> d-------- C:\WINDOWS\system32\gps
2008-08-09 09:05 . 2008-08-09 09:06 <DIR> d-------- C:\WINDOWS\system32\fx
2008-08-09 09:04 . 2008-08-09 09:04 <DIR> d-------- C:\WINDOWS\system32\kBin02
2008-08-09 09:04 . 2008-08-09 09:05 <DIR> d-------- C:\Temp\epr1
2008-08-09 09:03 . 2008-08-09 09:03 77 --a------ C:\Documents and Settings\Christen\7870.bat
2008-08-01 22:35 . 2008-08-01 22:35 <DIR> d-------- C:\Documents and Settings\Christen\dwhelper

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-12 12:52 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-08-12 12:52 --------- d-----w C:\Program Files\PC Tools AntiVirus
2008-08-11 14:59 --------- d-----w C:\Program Files\Common Files\Intuit
2008-07-12 00:54 --------- d--h--r C:\Documents and Settings\Christen\Application Data\yahoo!
2008-07-12 00:54 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo!
2008-07-08 17:48 --------- d-----w C:\Program Files\Common Files\Adobe
2008-07-07 23:56 --------- d-----w C:\Program Files\Java
2008-06-27 22:38 53,248 --sh--w C:\Documents and Settings\Christen\winlogon.exe
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-13 13:10 272,128 ----a-w C:\WINDOWS\system32\drivers\bthport.sys
2007-08-13 11:50 774,144 -c--a-w C:\Program Files\RngInterstitial.dll
2006-05-28 13:11 0 -c--a-w C:\Documents and Settings\Christen\Application Data\wklnhst.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NBJ"="C:\Program Files\Ahead\Nero BackItUp\NBJ.exe" [2004-09-22 17:10 1871872]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 12:43 2097488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Logon Applicationedc"="C:\Documents and Settings\Christen\winlogon.exe" [2008-06-27 18:38 53248]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 12:50 155648]
"RestoreIT!"="C:\Program Files\Phoenix Technologies\cME\RPro\ XP\VBPTASK.EXE" [2005-05-02 20:32 118784]
"Guard"="C:\Program Files\Phoenix Technologies\cME\Guard\Guard.exe" [2005-05-02 20:31 573440]
"PCTAVApp"="C:\Program Files\PC Tools AntiVirus\PCTAV.exe" [2008-03-05 09:37 1238928]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-01-31 23:13 385024]
"SoundMan"="SOUNDMAN.EXE" [2004-02-08 22:54 65024 C:\WINDOWS\SOUNDMAN.EXE]
"VTTimer"="VTTimer.exe" [2003-08-19 17:56 45056 C:\WINDOWS\system32\VTTimer.exe]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"SpybotDeletingC6445"="del" [X]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2007-12-18 21:47 8720384]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2004-08-04 03:00 53760 C:\WINDOWS\system32\narrator.exe]

C:\Documents and Settings\Christen\Start Menu\Programs\Startup\
LimeWire On Startup.lnk - C:\Program Files\LimeWire\LimeWire.exe [2008-02-08 17:32:57 147456]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.iv41"= ir41_32.dll
"VIDC.SP55"= SP5X_32.DLL
"VIDC.SP56"= SP5X_32.DLL
"VIDC.SP57"= SP5X_32.DLL
"VIDC.SP58"= SP5X_32.DLL

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"=

R0 ptpd;Disk Filter Driver;C:\WINDOWS\system32\drivers\ptpd.sys [2005-05-02 20:32]
R0 RITCPT;RITCPT;C:\WINDOWS\system32\drivers\RITCPT.sys [2005-05-02 20:32]
R0 viasraid;viasraid;C:\WINDOWS\system32\DRIVERS\viasraid.sys [2003-10-30 17:22]
R0 VVBackd5;VVBackd5;C:\WINDOWS\system32\drivers\VVBackd5.sys [2005-05-02 20:32]
R2 FBAPI;FBAPI;C:\WINDOWS\system32\drivers\FBAPI.sys [2005-05-02 20:32]
R2 Machnm32;Machnm32 Driver;C:\WINDOWS\system32\Machnm32.sys [2005-05-02 20:32]
R3 PhnxVcd;PhnxVcd;C:\WINDOWS\system32\Drivers\PhnxVcd.sys [2005-05-02 20:31]
S2 Ca533av;Icatch(IV) Video Camera Device;C:\WINDOWS\system32\Drivers\Ca533av.sys []
S3 USBCamera;Icatch(IV) Still Camera Device;C:\WINDOWS\system32\Drivers\Bulk533.sys []
.
Contents of the 'Scheduled Tasks' folder

2008-08-02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 15:57]
.
- - - - ORPHANS REMOVED - - - -

BHO-{10990D5B-D686-4CD2-81EB-C7540450A1BA} - C:\WINDOWS\system32\pmnmllMD.dll
BHO-{13FC51EB-A186-47D8-8880-658D7B59687F} - (no file)
BHO-{6207304C-B9D5-42D6-B02F-517BBCD72783} - (no file)
BHO-{97D4C613-319E-451D-9CA7-FBD43314562F} - (no file)
BHO-{BB51B425-7B83-4B6E-8EC5-63DAF474A622} - (no file)
BHO-{CE549E4D-562F-49F7-B980-D2C3EEF476A4} - (no file)
BHO-{D6F134C7-25D9-4099-9BF1-3D5DB0ABCA2D} - (no file)
BHO-{eda91881-06a7-41bd-a5c9-6cdff0b15136} - (no file)
BHO-{F351E6DC-5719-4B13-B5A6-0B94FFBBCFD5} - (no file)
BHO-{F7B3D965-EA04-4534-9C7E-3BCC1E13F0F7} - (no file)
HKLM-Run-3cb538a7 - C:\WINDOWS\system32\mxqsjasi.dll
HKLM-Run-farstone - (no file)
ShellExecuteHooks-{10990D5B-D686-4CD2-81EB-C7540450A1BA} - C:\WINDOWS\system32\pmnmllMD.dll
Notify-pmnmllMD - pmnmllMD.dll


.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Christen\Application Data\Mozilla\Firefox\Profiles\nfe0nwuu.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://en-US.start2.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\npgcplug.dll
FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\npracplug.dll
FF -: plugin - C:\Program Files\Real\RealArcade\Plugins\Mozilla\npracplug.dll


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-12 08:52:31
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

C:\WINDOWS\explorer.exe [1392] 0x81AE2608

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\Documents and Settings\Christen\winlogon.exe
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\PC Tools AntiVirus\PCTAVSvc.exe
C:\WINDOWS\system32\PhnxCDSvr.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-08-12 8:58:38 - machine was rebooted
ComboFix-quarantined-files.txt 2008-08-12 12:58:31

Pre-Run: 125,069,672,448 bytes free
Post-Run: 127,365,955,584 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

194 --- E O F --- 2008-07-08 19:26:27





NEW HIJACKTHIS LOG






Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:00:29 AM, on 8/12/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\PC Tools AntiVirus\PCTAVSvc.exe
C:\WINDOWS\system32\PhnxCDSvr.exe
C:\WINDOWS\system32\svchost.exe
C:\Documents and Settings\Christen\winlogon.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\VTTimer.exe
C:\Program Files\Phoenix Technologies\cME\RPro\ XP\VBPTASK.EXE
C:\Program Files\Phoenix Technologies\cME\Guard\Guard.exe
C:\Program Files\PC Tools AntiVirus\PCTAV.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\LimeWire\LimeWire.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Christen\Desktop\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [Windows Logon Applicationedc] C:\Documents and Settings\Christen\winlogon.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RestoreIT!] "C:\Program Files\Phoenix Technologies\cME\RPro\ XP\VBPTASK.EXE" VBStart
O4 - HKLM\..\Run: [Guard] "C:\Program Files\Phoenix Technologies\cME\Guard\Guard.exe" /background
O4 - HKLM\..\Run: [PCTAVApp] "C:\Program Files\PC Tools AntiVirus\PCTAV.exe" /MONITORSCAN
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\RunOnce: [SpybotDeletingC6445] cmd /c del "C:\WINDOWS\system32\drivers\core.cache.dsk"
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: PC Tools AntiVirus Engine (PCTAVSvc) - PC Tools Research Pty Ltd - C:\Program Files\PC Tools AntiVirus\PCTAVSvc.exe
O23 - Service: Phoenix VCD Service (PhnxVCDService) - Phoenix Technologies Ltd. - C:\WINDOWS\system32\PhnxCDSvr.exe
O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe

--
End of file - 4436 bytes
  • 0

#4
NervousXians

NervousXians

    Member

  • Topic Starter
  • Member
  • PipPip
  • 17 posts
I should also mention that when i restart my computer a run DLL error message pops up...Also Sypbot tries to get me to change registry keys...Not sure if i should be doing that, so i've just been ignoring them.

Other than that i haven't really noticed anything major happening, not getting any tabs popping up in Firefox since i made the Combofix log either.
  • 0

#5
kahdah

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
Please download DirLook by jpshortstuff from here.
  • Double-click DirLook.exe to run it.
  • Ensure that Show Hidden Files/Folders and BBCode Ouput are both checked.
  • Copy the content of the following codebox into the main textfield:

    C:\WINDOWS\system32\gps
    C:\WINDOWS\system32\fx
    C:\WINDOWS\system32\kBin02
    C:\Temp\epr1
  • Click the DirLook button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply. (Note: The log can also be found at C:\dl_log.txt)
Note: Scanning may take longer for large folders.
  • 0

#6
NervousXians

NervousXians

    Member

  • Topic Starter
  • Member
  • PipPip
  • 17 posts
DirLook.exe by jpshortstuff
Log created at 1:27:29 on Wed 08/13/2008

==============================

Contents of "C:\WINDOWS\system32\gps" (inc. hidden/system files/folders)

---FOLDERS---


---FILES---

LOTv33781.exe (127488 bytes, created: 05/05/2008 12:16 PM) --a------

==============================

Contents of "C:\WINDOWS\system32\fx" (inc. hidden/system files/folders)

---FOLDERS---


---FILES---


==============================

Contents of "C:\WINDOWS\system32\kBin02" (inc. hidden/system files/folders)

---FOLDERS---


---FILES---

kBin022328.exe (32768 bytes, created: 07/21/2008 09:25 AM) --a------

==============================

Contents of "C:\Temp\epr1" (inc. hidden/system files/folders)

---FOLDERS---


---FILES---

K19i.log (1858 bytes, created: 08/09/2008 09:05 AM) --a------

==============================

=EOF=
  • 0

#7
kahdah

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
While TeaTimer is an excellent tool for the prevention of spyware, it can sometimes prevent HijackThis from fixing certain things.
Please disable TeaTimer for now until you are clean. TeaTimer can be re-activated once your HijackThis log is clean.
  • Open Spybot Search & Destroy.
  • In the Mode menu click "Advanced mode" if not already selected.
  • Choose "Yes" at the Warning prompt.
  • Expand the "Tools" menu.
  • Click "Resident".
  • Uncheck the "Resident "TeaTimer" (Protection of overall system settings) active." box.
  • In the File menu click "Exit" to exit Spybot Search & Destroy.

================
1. Please open Notepad
  • Click Start , then Run
  • type in notepad in the Run Box then hit ok.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
C:\WINDOWS\system32\ecfovwee.exe
C:\WINDOWS\system32\ckglwbna.exe
C:\WINDOWS\system32\nywukcwu.exe
C:\Documents and Settings\Christen\7870.bat
C:\Documents and Settings\Christen\winlogon.exe
C:\WINDOWS\BM3f860b3b.xml
Folder::
C:\WINDOWS\system32\gps
C:\WINDOWS\system32\fx
C:\WINDOWS\system32\kBin02
C:\Temp\epr1


3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image


5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.

  • 0

#8
NervousXians

NervousXians

    Member

  • Topic Starter
  • Member
  • PipPip
  • 17 posts
ComboFix 08-08-11.01 - Christen 2008-08-13 10:17:15.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.204 [GMT -4:00]
Running from: C:\Documents and Settings\Christen\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Christen\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\Documents and Settings\Christen\7870.bat
C:\Documents and Settings\Christen\winlogon.exe
C:\WINDOWS\BM3f860b3b.xml
C:\WINDOWS\system32\ckglwbna.exe
C:\WINDOWS\system32\ecfovwee.exe
C:\WINDOWS\system32\nywukcwu.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Christen\7870.bat
C:\Documents and Settings\Christen\winlogon.exe
C:\Temp\epr1
C:\Temp\epr1\K19i.log
C:\WINDOWS\BM3f860b3b.xml
C:\WINDOWS\system32\ckglwbna.exe
C:\WINDOWS\system32\ecfovwee.exe
C:\WINDOWS\system32\fx
C:\WINDOWS\system32\gps
C:\WINDOWS\system32\gps\LOTv33781.exe
C:\WINDOWS\system32\kBin02
C:\WINDOWS\system32\kBin02\kBin022328.exe
C:\WINDOWS\system32\nywukcwu.exe

.
((((((((((((((((((((((((( Files Created from 2008-07-13 to 2008-08-13 )))))))))))))))))))))))))))))))
.

2008-08-13 10:04 . 2008-08-13 10:04 <DIR> d-------- C:\WINDOWS\LastGood
2008-08-11 19:15 . 2008-08-11 19:15 <DIR> d-------- C:\Program Files\TeaTimer (Spybot - Search & Destroy)
2008-08-11 19:06 . 2008-08-11 19:06 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-08-11 19:06 . 2005-08-25 19:18 118,784 --a------ C:\WINDOWS\system32\MSSTDFMT.DLL
2008-08-09 13:31 . 2008-08-11 17:34 722 --a------ C:\WINDOWS\wininit.ini
2008-08-01 22:35 . 2008-08-01 22:35 <DIR> d-------- C:\Documents and Settings\Christen\dwhelper

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-13 14:07 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-08-13 13:54 --------- d-----w C:\Program Files\PC Tools AntiVirus
2008-08-11 14:59 --------- d-----w C:\Program Files\Common Files\Intuit
2008-07-12 00:54 --------- d--h--r C:\Documents and Settings\Christen\Application Data\yahoo!
2008-07-12 00:54 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo!
2008-07-08 17:48 --------- d-----w C:\Program Files\Common Files\Adobe
2008-07-07 23:56 --------- d-----w C:\Program Files\Java
2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-13 13:10 272,128 ----a-w C:\WINDOWS\system32\drivers\bthport.sys
2007-08-13 11:50 774,144 -c--a-w C:\Program Files\RngInterstitial.dll
2006-05-28 13:11 0 -c--a-w C:\Documents and Settings\Christen\Application Data\wklnhst.dat
.

((((((((((((((((((((((((((((( [email protected]_ 8.58.06.07 )))))))))))))))))))))))))))))))))))))))))
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NBJ"="C:\Program Files\Ahead\Nero BackItUp\NBJ.exe" [2004-09-22 17:10 1871872]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 12:43 2097488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 12:50 155648]
"RestoreIT!"="C:\Program Files\Phoenix Technologies\cME\RPro\ XP\VBPTASK.EXE" [2005-05-02 20:32 118784]
"Guard"="C:\Program Files\Phoenix Technologies\cME\Guard\Guard.exe" [2005-05-02 20:31 573440]
"PCTAVApp"="C:\Program Files\PC Tools AntiVirus\PCTAV.exe" [2008-03-05 09:37 1238928]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-01-31 23:13 385024]
"SoundMan"="SOUNDMAN.EXE" [2004-02-08 22:54 65024 C:\WINDOWS\SOUNDMAN.EXE]
"VTTimer"="VTTimer.exe" [2003-08-19 17:56 45056 C:\WINDOWS\system32\VTTimer.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2007-12-18 21:47 8720384]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2004-08-04 03:00 53760 C:\WINDOWS\system32\narrator.exe]

C:\Documents and Settings\Christen\Start Menu\Programs\Startup\
LimeWire On Startup.lnk - C:\Program Files\LimeWire\LimeWire.exe [2008-02-08 17:32:57 147456]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.iv41"= ir41_32.dll
"VIDC.SP55"= SP5X_32.DLL
"VIDC.SP56"= SP5X_32.DLL
"VIDC.SP57"= SP5X_32.DLL
"VIDC.SP58"= SP5X_32.DLL

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"=

R0 ptpd;Disk Filter Driver;C:\WINDOWS\system32\drivers\ptpd.sys [2005-05-02 20:32]
R0 RITCPT;RITCPT;C:\WINDOWS\system32\drivers\RITCPT.sys [2005-05-02 20:32]
R0 viasraid;viasraid;C:\WINDOWS\system32\DRIVERS\viasraid.sys [2003-10-30 17:22]
R0 VVBackd5;VVBackd5;C:\WINDOWS\system32\drivers\VVBackd5.sys [2005-05-02 20:32]
R2 FBAPI;FBAPI;C:\WINDOWS\system32\drivers\FBAPI.sys [2005-05-02 20:32]
R2 Machnm32;Machnm32 Driver;C:\WINDOWS\system32\Machnm32.sys [2005-05-02 20:32]
R3 PhnxVcd;PhnxVcd;C:\WINDOWS\system32\Drivers\PhnxVcd.sys [2005-05-02 20:31]
S2 Ca533av;Icatch(IV) Video Camera Device;C:\WINDOWS\system32\Drivers\Ca533av.sys []
S3 USBCamera;Icatch(IV) Still Camera Device;C:\WINDOWS\system32\Drivers\Bulk533.sys []

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder

2008-08-02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 15:57]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-Windows Logon Applicationedc - C:\Documents and Settings\Christen\winlogon.exe


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-13 10:19:10
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-08-13 10:21:12
ComboFix-quarantined-files.txt 2008-08-13 14:20:53
ComboFix2.txt 2008-08-12 12:58:39

Pre-Run: 127,345,061,888 bytes free
Post-Run: 127,335,284,736 bytes free

125 --- E O F --- 2008-07-08 19:26:27





































































Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:31:10 AM, on 8/13/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\PC Tools AntiVirus\PCTAVSvc.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\VTTimer.exe
C:\Program Files\Phoenix Technologies\cME\RPro\ XP\VBPTASK.EXE
C:\Program Files\Phoenix Technologies\cME\Guard\Guard.exe
C:\WINDOWS\system32\PhnxCDSvr.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Christen\Desktop\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RestoreIT!] "C:\Program Files\Phoenix Technologies\cME\RPro\ XP\VBPTASK.EXE" VBStart
O4 - HKLM\..\Run: [Guard] "C:\Program Files\Phoenix Technologies\cME\Guard\Guard.exe" /background
O4 - HKLM\..\Run: [PCTAVApp] "C:\Program Files\PC Tools AntiVirus\PCTAV.exe" /MONITORSCAN
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Windows Logon Applicationedc] C:\Documents and Settings\Christen\winlogon.exe
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{80C15E45-ABE7-40D5-9998-274FAF1145A8}: NameServer = 66.19.192.200 216.126.128.40
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: PC Tools AntiVirus Engine (PCTAVSvc) - PC Tools Research Pty Ltd - C:\Program Files\PC Tools AntiVirus\PCTAVSvc.exe
O23 - Service: Phoenix VCD Service (PhnxVCDService) - Phoenix Technologies Ltd. - C:\WINDOWS\system32\PhnxCDSvr.exe
O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe

--
End of file - 4273 bytes
  • 0

#9
kahdah

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
Please re-open Hijackthis and click on "Do a system scan only"
Then place a check mark next to these entries below:

O4 - HKLM\..\Run: [Windows Logon Applicationedc] C:\Documents and Settings\Christen\winlogon.exe


Now click on Fix Checked and then close Hijackthis.
===================================
Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatley.
  • 0

#10
NervousXians

NervousXians

    Member

  • Topic Starter
  • Member
  • PipPip
  • 17 posts
Downloaded Malwarebytes a few minutes ago & now it's saying it's Looking for It-Mate...It's been doing that for a while now...doesn't seem like anythings happening. I'm on dial up, so there's no telling how long this might take.
I'll send a scan as soon as it's done.
  • 0

Advertisements


#11
NervousXians

NervousXians

    Member

  • Topic Starter
  • Member
  • PipPip
  • 17 posts
Malwarebytes' Anti-Malware 1.24
Database version: 1012
Windows 5.1.2600 Service Pack 2

12:52:07 PM 8/13/2008
mbam-log-8-13-2008 (12-52-07).txt

Scan type: Quick Scan
Objects scanned: 39181
Time elapsed: 4 minute(s), 16 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\WhoisCL.exe (Adware.BHO) -> Quarantined and deleted successfully.






This place is GREAT! And so are you! :)
  • 0

#12
kahdah

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
Thanks you are very kind. :)

Please post one more Hijackthis log and let me know if things are back to normal and wewill wrap it up.
  • 0

#13
NervousXians

NervousXians

    Member

  • Topic Starter
  • Member
  • PipPip
  • 17 posts
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:58:17 PM, on 8/13/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\PC Tools AntiVirus\PCTAVSvc.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\VTTimer.exe
C:\Program Files\Phoenix Technologies\cME\RPro\ XP\VBPTASK.EXE
C:\Program Files\Phoenix Technologies\cME\Guard\Guard.exe
C:\WINDOWS\system32\PhnxCDSvr.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Christen\Desktop\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RestoreIT!] "C:\Program Files\Phoenix Technologies\cME\RPro\ XP\VBPTASK.EXE" VBStart
O4 - HKLM\..\Run: [Guard] "C:\Program Files\Phoenix Technologies\cME\Guard\Guard.exe" /background
O4 - HKLM\..\Run: [PCTAVApp] "C:\Program Files\PC Tools AntiVirus\PCTAV.exe" /MONITORSCAN
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{80C15E45-ABE7-40D5-9998-274FAF1145A8}: NameServer = 66.19.192.200 216.126.128.40
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: PC Tools AntiVirus Engine (PCTAVSvc) - PC Tools Research Pty Ltd - C:\Program Files\PC Tools AntiVirus\PCTAVSvc.exe
O23 - Service: Phoenix VCD Service (PhnxVCDService) - Phoenix Technologies Ltd. - C:\WINDOWS\system32\PhnxCDSvr.exe
O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe

--
End of file - 4142 bytes



















Everything seems to be back to normal. Do i need to delete any of the programs you had me install earlier?
  • 0

#14
kahdah

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
Doing the below will get rid of all of the programs except for Mbam you will need to manually uninstall it.
===================
Cleanup::
  • Make sure you have an Internet Connection.
  • Double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")
  • Click on the CleanUp! button
  • A list of tool components used in the Cleanup of malware will be downloaded.
  • If your Firewall or Real Time protection attempts to block OtMoveit2 to reach the Internet, please allow the application to do so.
  • Click Yes to begin the Cleanup process and remove these components, including this application.
  • You will be asked to reboot the machine to finish the Cleanup process. If you are asked to reboot the machine choose Yes.
===============
Upgrading Java:
  • Download the latest version of Java Runtime Environment (JRE) 6 Update 7.
  • Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Select your Platform and check the box that says: "I agree to the Java SE Runtime Environment 7 License Agreement.".
  • Click on Continue.
  • Click on the link to download Windows Offline Installation (jre-6u6-windows-i586-p.exe) and save it to your desktop. Do NOT use the Sun Download Manager..
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on the download to install the newest version.
======================
Use a Firewall:

Install and use a firewall with outbound protection
While the firewall built into Windows XP is adequate to protect you from incoming attacks, it will not be much help in alerting you to programs already on your PC attempting to connect to remote servers
I therefore strongly recommend that you install one of the following free firewalls: Sunbelt Free Firewall or Zonealarm
See Bleepingcomputer's excellent tutorial to help using and understanding a firewall here
Note: You should only have one firewall installed at a time. Having more than one antivirus program installed at once is likely to cause conflicts and may well decrease your overall protection as well as seriously impairing the performance of your PC.


=============================
Delete\uninstall anything else that we have used.

System Restore
Then I will need you to reset your System Restore points.
The link below shows how to create a clean restore point.
How to Turn On and Turn Off System Restore in Windows XP
http://support.micro...kb/310405/en-us

If you are using Vista then see this link > http://www.bleepingc...143.html#manual
=====================================
After that your log is clean. :)

The following is a list of tools and utilities that I like to suggest to people.
You do not have to have all or any of them they are only suggestions.
This list is full of great tools and utilities to help you understand how you got infected and how to keep from getting infected again.

Spybot Search & Destroy-Uber powerful tool which can search and annhilate nasties that make it onto your system. Now with an Immunize section that will help prevent future infections.

Spyware Blaster - Great prevention tool to keep nasties from installing on your system.

Spywareguard-Works as a Spyware "Shield" to protect your computer from getting malware in the first place.

IE-SPYAD- puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.

Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.

Tony Klein article To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Tony Klein.
  • 0

#15
NervousXians

NervousXians

    Member

  • Topic Starter
  • Member
  • PipPip
  • 17 posts
OTMoveit2? Not seeing it anywhere on my computer, is it something i need to d/l?
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP