
Need Help with Vundo [RESOLVED]



#1 Henny123 (Member, 12 posts)

Hello,

I got what I suspect is the Vundo virus a few days ago.

I've tried:

Spybot (didn't detect it at all)

Adaware (also didn't detect)

AVG -This detected and removed it, but the files all keep coming back.

Vundofix -This detected and removed stuff the first time I ran it, but now nothing shows up even though the pop-ups are still happening.

Virtumundobegone -Didn't seem to do anything.

Usually if I run an anti-virus program it'll detect and remove a bunch of stuff, but it all ends up coming back eventually.

Also, every time I start Windows I get missing "mmmbjxmy.dll", "pmnnk.dll" and "pmn1k.exe" error messages (these started occurring after I ran "Vundofix" the first time).

I no longer get the "pmnk" error messages, but I still get the "mmmbjxmy.dll" one every time I reboot.

A further problem: whatever I have also seems to be infecting any processes I have running when Windows starts, as QuickTime, my audio program and several other things all got detected as viruses in AVG and removed from my system. It also keeps messing with my AVG shortcuts in my Programs task bar, so I have to run it directly from the executables to get it to work.

Thanks for your time in advance!

Edited by Henny123, 15 January 2008 - 02:19 AM.



#2 Henny123 (Topic Starter, Member, 12 posts)

Here's my hijackthis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:39:34 PM, on 1/13/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Kaspersky Lab\Kaspersky Security Suite\Kaspersky Anti-Spam Personal\KAV\KAVSVC.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
O2 - BHO: (no name) - {568F616F-FEB0-48B6-9029-E6F527D4F159} - C:\WINDOWS\system32\pmnnk.dll (file missing)
O2 - BHO: NetXfer - {83B80A9C-D91A-4F22-8DCF-EA7204039F79} - C:\Program Files\Xi\NetXfer\NXIEHelper.dll
O3 - Toolbar: NetXfer - {C16CBAAC-A75C-4DB5-A0DD-CDF5CAFCDD3A} - C:\Program Files\Xi\NetXfer\NXToolBar.dll
O4 - HKLM\..\Run: [ManualRun] "D:\AUTORUN\AutoRun.exe"
O4 - HKLM\..\Run: [sys013466652071] C:\WINDOWS\sys013466652071.exe
O4 - HKLM\..\Run: [OESpamTest] C:\PROGRA~1\KASPER~1\KASPER~1\KASPER~3\OESpamTest.ExE
O4 - HKLM\..\Run: [50447a58] rundll32.exe "C:\WINDOWS\system32\mmmbjxmy.dll",b
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [krfm] C:\PROGRA~1\COMMON~1\krfm\krfmm.exe
O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
O4 - HKCU\..\Run: [CTSyncU.exe] "C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe"
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: GameSpot Download Manager.lnk = C:\Program Files\GameSpot\GameSpotDownloadManager_Win32.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Download all by NetXfer - C:\Program Files\Xi\NetXfer\NXAddList.html
O8 - Extra context menu item: Download All Files by HiDownload - C:\Program Files\HiDownload\HDGetAll.htm
O8 - Extra context menu item: Download by HiDownload - C:\Program Files\HiDownload\HDGet.htm
O8 - Extra context menu item: Download by NetXfer - C:\Program Files\Xi\NetXfer\NXAddLink.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: HiDownload - {F4FBA929-A891-492C-A0F6-5C79CC4F1742} - C:\Program Files\HiDownload\hidownload.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: kavsvc - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Security Suite\Kaspersky Anti-Spam Personal\KAV\KAVSVC.exe
O24 - Desktop Component 0: (no name) - C:\WINDOWS\system32\ad.html

--
End of file - 5243 bytes
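The following Python snippet is an added illustration and not something from the thread or from HijackThis itself: it turns into mechanical rules the properties that make several of the entries in this log stand out (the ones sage5 asks to have fixed in post #6): a BHO whose DLL is missing from disk, Run values named with eight hex digits or a long digit string, rundll32 loading a system32 DLL through a one-letter export, an Active Desktop component backed by a local HTML file, and a search page reset to about:blank. The sample input is copied from the log above; the rule set, regular expressions and function names are mine.

```python
import re

# Constructed sample: entries copied from the HijackThis log posted above,
# mixing the lines sage5 later asks to fix with known-good ones.
SAMPLE_HJT = r'''R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
O2 - BHO: (no name) - {568F616F-FEB0-48B6-9029-E6F527D4F159} - C:\WINDOWS\system32\pmnnk.dll (file missing)
O2 - BHO: NetXfer - {83B80A9C-D91A-4F22-8DCF-EA7204039F79} - C:\Program Files\Xi\NetXfer\NXIEHelper.dll
O4 - HKLM\..\Run: [sys013466652071] C:\WINDOWS\sys013466652071.exe
O4 - HKLM\..\Run: [50447a58] rundll32.exe "C:\WINDOWS\system32\mmmbjxmy.dll",b
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
O24 - Desktop Component 0: (no name) - C:\WINDOWS\system32\ad.html
'''

# O4 lines look like:  O4 - HKLM\..\Run: [value name] command line
O4_RE = re.compile(r'^O4 - (?P<hive>\S+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
# rundll32 loading a DLL out of system32 through a single-letter export (",b")
RUNDLL_RE = re.compile(r'^rundll32(\.exe)?\s+"?[^"]*system32\\[^"\\]+\.dll"?,\w$', re.I)


def triage_line(line):
    """Return the reasons this HijackThis entry deserves a closer look
    (an empty list means none of these rules fired)."""
    reasons = []
    if line.startswith("R1 ") and line.rstrip().endswith("= about:blank"):
        reasons.append("IE search page reset to about:blank")
    if line.startswith("O2 ") and "(file missing)" in line:
        reasons.append("BHO registered for a DLL that is no longer on disk")
    if line.startswith("O24 ") and line.lower().endswith(".html"):
        reasons.append("Active Desktop component backed by a local HTML file")
    m = O4_RE.match(line)
    if m:
        name, cmd = m.group("name"), m.group("cmd")
        if re.fullmatch(r"[0-9a-f]{8}", name):
            reasons.append("Run value name is eight hex digits")
        elif re.search(r"\d{8,}", name):
            reasons.append("Run value name carries a long digit string")
        if RUNDLL_RE.match(cmd):
            reasons.append("rundll32 loads a system32 DLL via a one-letter export")
    return reasons


def triage_log(text):
    """Map each flagged log line to its reasons; clean lines are left out."""
    flagged = {}
    for line in text.splitlines():
        reasons = triage_line(line)
        if reasons:
            flagged[line] = reasons
    return flagged


if __name__ == "__main__":
    for line, reasons in triage_log(SAMPLE_HJT).items():
        print(line)
        for r in reasons:
            print("   ->", r)
```

The rules are a triage aid rather than a verdict: `[krfm]`, which sage5 also removes, passes all of them because its name is short and plain, and the NetXfer and HiDownload entries are left alone because nothing about their shape is odd, so a reviewer still reads the whole log.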

#3 Henny123 (Topic Starter, Member, 12 posts)

Here's Panda Active Scan:


Incident Status Location

Adware:adware/dyfuca Not disinfected Windows Registry
Adware:adware/sqwire Not disinfected Windows Registry
Adware:adware/searchexe Not disinfected Windows Registry

Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\Documents and Settings\Juan carlo\Desktop\ComboFix.exe[nircmd.com]
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\Documents and Settings\Juan carlo\Desktop\ComboFix.exe[nircmd.cfexe]
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Juan carlo\Desktop\VirtumundoBeGone.exe
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\Documents and Settings\Juan carlo\Local Settings\Application Data\Mozilla\Firefox\Profiles\wosoj4jp.default\Cache\C2152591d01[nircmd.com]
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\Documents and Settings\Juan carlo\Local Settings\Application Data\Mozilla\Firefox\Profiles\wosoj4jp.default\Cache\C2152591d01[nircmd.cfexe]
Virus:Generic Malware Disinfected C:\Program Files\Accessdiver\ad4.401.exe
Adware:Adware/Yazzle Not disinfected C:\QooBox\Quarantine\C\Program Files\Common Files\Yazzle1552OinUninstaller.exe.vir
Adware:Adware/Adband Not disinfected C:\QooBox\Quarantine\C\Program Files\ISM\ism.exe.vir
Adware:Adware/InternetSpeedMonitor Not disinfected C:\QooBox\Quarantine\C\Program Files\ISM\Uninstall.exe.vir
Adware:Adware/InternetSpeedMonitor Not disinfected C:\QooBox\Quarantine\C\Program Files\QdrDrive\QdrDrive9.dll.vir
Possible Virus. Not disinfected C:\QooBox\Quarantine\C\Program Files\QdrDrive\qdrloader.exe.vir
Adware:Adware/InternetSpeedMonitor Not disinfected C:\QooBox\Quarantine\C\Program Files\QdrModule\QdrModule11.exe.vir
Adware:Adware/InternetSpeedMonitor Not disinfected C:\QooBox\Quarantine\C\Program Files\QdrPack\QdrPack11.exe.vir
Adware:Adware/Adband Not disinfected C:\QooBox\Quarantine\C\WINDOWS\system32\000080.exe.vir
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\WINDOWS\NirCmd.exe
Adware:Adware/CommAd Not disinfected C:\WINDOWS\SnVhbiBDYXJsbw\mBp1v21GsrLPvT.vbs
Adware:Adware/Yazzle Not disinfected C:\WINDOWS\system32\000050.exe

#4 Henny123 (Topic Starter, Member, 12 posts)

My last AVG scan came out clean, but here's my combofix results:

ComboFix 08-01-14.2 - Juan carlo 2008-01-13 22:55:11.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.676 [GMT -6:00]
Running from: C:\Documents and Settings\Juan carlo\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2007-12-14 to 2008-01-14 )))))))))))))))))))))))))))))))
.

2008-01-13 21:38 . 2008-01-13 21:38 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-13 20:48 . 2007-06-05 10:56 44,928 --a------ C:\WINDOWS\system32\drivers\SDTHOOK.SYS
2008-01-13 20:34 . 2008-01-13 21:23 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2008-01-13 20:34 . 2008-01-13 20:34 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2008-01-13 20:34 . 2008-01-13 20:34 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2008-01-13 20:34 . 2008-01-13 20:34 1,406 --a------ C:\WINDOWS\system32\Help.ico
2008-01-13 20:22 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-12 20:01 . 2008-01-12 20:23 <DIR> d-------- C:\VundoFix Backups
2008-01-10 23:53 . 2008-01-10 23:53 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2008-01-10 23:53 . 2008-01-13 22:15 <DIR> d-------- C:\Documents and Settings\Juan carlo\Application Data\AVG7
2008-01-10 23:52 . 2008-01-10 23:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-01-10 23:52 . 2008-01-12 19:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7
2008-01-08 10:03 . 2008-01-08 10:03 <DIR> d-------- C:\Documents and Settings\Juan carlo\Application Data\vlc
2008-01-08 09:11 . 2008-01-08 09:11 <DIR> d-------- C:\Program Files\VideoLAN
2008-01-08 07:49 . 2008-01-08 07:49 <DIR> d-------- C:\Program Files\Lavasoft
2008-01-08 07:49 . 2008-01-08 07:49 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-01-08 07:49 . 2008-01-10 21:25 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-01-08 06:18 . 2008-01-10 21:22 <DIR> d-------- C:\Program Files\AllToAVI
2008-01-08 06:13 . 2008-01-08 06:16 <DIR> d-------- C:\Program Files\MKVTOAVI
2008-01-07 09:29 . 2008-01-10 23:50 155,648 --a------ C:\WINDOWS\system32\NeroCheck .exe
2008-01-07 09:29 . 2008-01-10 23:50 32,768 --a------ C:\WINDOWS\system32\rmctrl .exe
2007-12-29 00:31 . 2007-12-29 00:31 <DIR> d-------- C:\Program Files\OpenSource Flash Video Splitter
2007-12-29 00:27 . 2006-10-02 13:43 6,144 --a------ C:\WINDOWS\system32\ff_acm.acm
2007-12-29 00:27 . 2006-10-02 13:44 5,120 --a------ C:\WINDOWS\system32\ff_vfw.dll
2007-12-29 00:27 . 2006-08-05 12:06 547 --a------ C:\WINDOWS\system32\ff_vfw.dll.manifest
2007-12-27 02:23 . 2007-12-27 02:23 268 --ah----- C:\sqmdata02.sqm
2007-12-27 02:23 . 2007-12-27 02:23 244 --ah----- C:\sqmnoopt02.sqm
2007-12-14 00:26 . 2008-01-13 19:59 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2007-12-14 00:26 . 2007-12-14 00:26 1,409 --a------ C:\WINDOWS\QTFont.for

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-14 03:12 --------- d-----w C:\Program Files\SmartFTP Client 2.0
2008-01-13 02:03 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-11 06:42 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-01-11 06:37 --------- d-----w C:\Program Files\QuickTime
2008-01-11 06:37 --------- d-----w C:\Program Files\iTunes
2008-01-11 05:50 --------- d-----w C:\Program Files\MSN Messenger
2008-01-11 03:22 --------- d-----w C:\Program Files\Solveig Multimedia
2008-01-11 03:22 --------- d-----w C:\Program Files\Common Files\Elecard
2008-01-11 02:26 --------- d-----w C:\Documents and Settings\Juan carlo\Application Data\uTorrent
2007-12-29 06:27 --------- d-----w C:\Program Files\ffdshow
2007-12-28 03:43 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2007-12-04 07:11 --------- d-----w C:\Documents and Settings\Juan carlo\Application Data\InstallShield
2006-11-14 22:56 16,752 ----a-w C:\Documents and Settings\Juan carlo\Application Data\GDIPFONTCACHEV1.DAT
2006-02-28 10:58 284 ----a-w C:\Documents and Settings\Juan carlo\g.bat
2005-07-29 22:24 472 --sha-r C:\WINDOWS\SnVhbiBDYXJsbw\mBp1v21GsrLPvT.vbs
.
----a-w        90,112 2008-01-11 05:50:41  C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart .exe
----a-w       149,024 2008-01-11 05:50:53  C:\Program Files\Common Files\Seagate\Schedule2\schedhlp .exe
----a-w       102,400 2008-01-08 06:37:33  C:\Program Files\Creative\MediaSource\Detector\CTDetect .exe
----a-w       278,528 2008-01-11 05:50:42  C:\Program Files\Creative\MediaSource5\MtdAcqu .exe
----a-w       700,416 2008-01-11 02:21:02  C:\Program Files\Creative\Sync Manager Unicode\CTSyncU .exe
----a-w        45,056 2008-01-11 05:50:36  C:\Program Files\Elaborate Bytes\DVD Region Killer\ElbyCheck .exe
----a-w       278,528 2008-01-11 05:50:36  C:\Program Files\iTunes\iTunesHelper .exe
----a-w     5,674,352 2008-01-11 05:50:51  C:\Program Files\MSN Messenger\MsnMsgr .Exe
----a-w       532,480 2008-01-11 05:50:33  C:\Program Files\NVIDIA Corporation\nTune\nTune .exe
----a-w     1,169,744 2008-01-11 05:50:39  C:\Program Files\Seagate\DiscWizard\DiscWizardMonitor .exe
----a-w     1,945,688 2008-01-11 05:50:40  C:\Program Files\Seagate\DiscWizard\TimounterMonitor .exe
----a-w     1,460,560 2008-01-11 05:50:43  C:\Program Files\Spybot - Search & Destroy\TeaTimer .exe
----a-w       155,648 2008-01-11 05:50:36  C:\WINDOWS\system32\NeroCheck .exe
----a-w        32,768 2008-01-11 05:50:36  C:\WINDOWS\system32\rmctrl .exe


((((((((((((((((((((((((((((( snapshot@2008-01-13_20.29.03.32 )))))))))))))))))))))))))))))))))))))))))
.
+ 2006-08-24 14:28:54 141,424 ----a-w C:\WINDOWS\Downloaded Program Files\asinst.dll
+ 2007-03-29 15:20:50 110,592 ----a-w C:\WINDOWS\system32\ActiveScan\as.dll
+ 2006-10-05 22:15:26 233,472 ----a-w C:\WINDOWS\system32\ActiveScan\ascontrol.dll
+ 2005-06-03 20:03:18 96,256 ----a-w C:\WINDOWS\system32\ActiveScan\asmdat.dll
+ 2003-08-01 17:00:16 36,864 ----a-w C:\WINDOWS\system32\ActiveScan\certdll.dll
+ 2005-05-20 19:42:44 86,016 ----a-w C:\WINDOWS\system32\ActiveScan\instlsp.dll
+ 2007-11-12 15:46:18 26,112 ----a-w C:\WINDOWS\system32\ActiveScan\JID.dll
+ 2006-02-17 00:20:20 4,608 ----a-w C:\WINDOWS\system32\ActiveScan\memvfile.dll
+ 2005-10-26 00:08:32 348,160 ----a-w C:\WINDOWS\system32\ActiveScan\msvcr71.dll
+ 2007-11-26 17:10:36 61,440 ----a-w C:\WINDOWS\system32\ActiveScan\NanoWrapper.dll
+ 2004-05-04 21:01:02 139,264 ----a-w C:\WINDOWS\system32\ActiveScan\pavaleas.dll
+ 2006-07-14 19:04:10 45,056 ----a-w C:\WINDOWS\system32\ActiveScan\pavdr.exe
+ 2006-04-10 16:50:02 159,832 ----a-w C:\WINDOWS\system32\ActiveScan\pavexcom.dll
+ 2006-02-14 19:05:38 94,208 ----a-w C:\WINDOWS\system32\ActiveScan\pavinas.dll
+ 2006-02-17 00:35:38 180,224 ----a-w C:\WINDOWS\system32\ActiveScan\pavoe.dll
+ 2006-10-05 22:15:38 122,880 ----a-w C:\WINDOWS\system32\ActiveScan\pavpz.dll
+ 2007-06-04 17:31:52 57,344 ----a-w C:\WINDOWS\system32\ActiveScan\pavsddl.dll
+ 2006-06-30 20:13:38 8,704 ----a-w C:\WINDOWS\system32\ActiveScan\pfdnnt.exe
+ 2004-02-04 20:08:42 49,152 ----a-w C:\WINDOWS\system32\ActiveScan\port32.dll
+ 2007-10-30 16:04:14 36,864 ----a-w C:\WINDOWS\system32\ActiveScan\Prescan.dll
+ 2006-08-01 19:23:10 69,632 ----a-w C:\WINDOWS\system32\ActiveScan\pscpu.dll
+ 2007-11-21 16:00:06 376,832 ----a-w C:\WINDOWS\system32\ActiveScan\pskahk.dll
+ 2007-10-31 19:05:06 32,768 ----a-w C:\WINDOWS\system32\ActiveScan\PSKAHKPRESCAN.dll
+ 2006-08-17 17:38:14 10,752 ----a-w C:\WINDOWS\system32\ActiveScan\pskalloc.dll
+ 2006-09-04 17:49:54 61,440 ----a-w C:\WINDOWS\system32\ActiveScan\pskas.dll
+ 2006-08-18 14:46:18 779,264 ----a-w C:\WINDOWS\system32\ActiveScan\pskavs.dll
+ 2007-03-26 20:25:34 417,792 ----a-w C:\WINDOWS\system32\ActiveScan\pskcmp.dll
+ 2006-08-09 16:42:24 90,112 ----a-w C:\WINDOWS\system32\ActiveScan\pskfss.dll
+ 2006-07-19 16:55:58 208,896 ----a-w C:\WINDOWS\system32\ActiveScan\pskhtml.dll
+ 2006-01-20 22:57:00 9,728 ----a-w C:\WINDOWS\system32\ActiveScan\pskmas.dll
+ 2006-05-17 15:50:12 14,336 ----a-w C:\WINDOWS\system32\ActiveScan\pskmdfs.dll
+ 2006-08-16 16:58:12 33,280 ----a-w C:\WINDOWS\system32\ActiveScan\pskpack.dll
+ 2006-06-30 20:42:36 266,240 ----a-w C:\WINDOWS\system32\ActiveScan\pskscs.dll
+ 2006-08-17 20:33:14 62,976 ----a-w C:\WINDOWS\system32\ActiveScan\pskutil.dll
+ 2006-08-08 19:13:10 13,312 ----a-w C:\WINDOWS\system32\ActiveScan\pskvfile.dll
+ 2006-08-18 14:53:08 69,632 ----a-w C:\WINDOWS\system32\ActiveScan\pskvfs.dll
+ 2006-08-18 14:49:50 167,936 ----a-w C:\WINDOWS\system32\ActiveScan\pskvm.dll
+ 2007-10-18 15:30:16 105,472 ----a-w C:\WINDOWS\system32\ActiveScan\psnahk.dll
+ 2007-11-23 20:29:08 10,752 ----a-w C:\WINDOWS\system32\ActiveScan\psndsk.dll
+ 2007-10-18 15:30:38 42,496 ----a-w C:\WINDOWS\system32\ActiveScan\psnflg.dll
+ 2007-10-30 17:19:22 98,304 ----a-w C:\WINDOWS\system32\ActiveScan\psnglknt.dll
+ 2007-08-22 14:52:00 20,272 ----a-w C:\WINDOWS\system32\ActiveScan\psnhsh.dll
+ 2007-11-12 21:49:34 11,776 ----a-w C:\WINDOWS\system32\ActiveScan\psnjidsign.dll
+ 2007-08-22 14:52:04 76,080 ----a-w C:\WINDOWS\system32\ActiveScan\psnkrnl.dll
+ 2007-08-22 14:52:06 21,296 ----a-w C:\WINDOWS\system32\ActiveScan\psnmem.dll
+ 2007-10-04 21:26:28 28,672 ----a-w C:\WINDOWS\system32\ActiveScan\PsnPen.dll
+ 2007-10-23 17:40:10 86,016 ----a-w C:\WINDOWS\system32\ActiveScan\psntuc.dll
+ 2007-05-24 17:27:36 27,136 ----a-w C:\WINDOWS\system32\ActiveScan\PSNXprs.dll
+ 2007-04-18 23:16:04 353,840 ----a-w C:\WINDOWS\system32\ActiveScan\psscan.dll
+ 2007-01-22 20:42:48 35,328 ----a-w C:\WINDOWS\system32\ActiveScan\rawvfile.dll
+ 2007-06-08 15:44:36 8,576 ----a-w C:\WINDOWS\system32\ActiveScan\RKPavProc.sys
+ 2007-06-05 16:56:40 44,928 ----a-w C:\WINDOWS\system32\ActiveScan\sdthook.sys
+ 1997-09-18 12:12:32 9,488 ----a-w C:\WINDOWS\system32\ActiveScan\sporder.dll
+ 2006-02-28 23:23:40 69,632 ----a-w C:\WINDOWS\system32\ActiveScan\tcpvfile.dll
+ 2007-09-17 15:14:08 126,976 ----a-w C:\WINDOWS\system32\ActiveScan\Tucan.dll
+ 2006-08-02 18:39:06 73,728 ----a-w C:\WINDOWS\system32\asuninst.exe
+ 2003-03-26 00:53:50 11,776 ----a-w C:\WINDOWS\system32\ZPORT4AS.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{568F616F-FEB0-48B6-9029-E6F527D4F159}]
C:\WINDOWS\system32\pmnnk.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Steam"="" []
"krfm"="C:\PROGRA~1\COMMON~1\krfm\krfmm.exe" [ ]
"Creative Detector"="C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" [ ]
"CTSyncU.exe"="C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ManualRun"="D:\AUTORUN\AutoRun.exe" [ ]
"sys013466652071"="C:\WINDOWS\sys013466652071.exe" [ ]
"OESpamTest"="C:\PROGRA~1\KASPER~1\KASPER~1\KASPER~3\OESpamTest.ExE" [ ]
"50447a58"="C:\WINDOWS\system32\mmmbjxmy.dll" [ ]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-01-12 19:39 579072]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-01-12 19:38 219136]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04]

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source= C:\WINDOWS\system32\ad.html
FriendlyName=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 relog_ap

R1 atitray;atitray;C:\Program Files\Ray Adams\ATI Tray Tools\atitray.sys [2007-05-22 03:04]
R2 ithsgt;ithsgt;C:\WINDOWS\system32\DRIVERS\ithsgt.sys [2006-03-20 01:08]
R2 lilsgt;lilsgt;C:\WINDOWS\system32\DRIVERS\lilsgt.sys [2006-03-20 01:08]
R3 RegKill;RegKill;C:\WINDOWS\system32\Drivers\RegKill.sys [2002-11-27 15:46]
R3 Tetri5;Tetri5 driver;C:\WINDOWS\system32\Drivers\Tetri5.sys [2006-03-20 01:38]
S0 Klpf;Klpf;C:\WINDOWS\system32\drivers\Klpf.sys []
S0 Klpid;Klpid;C:\WINDOWS\system32\drivers\Klpid.sys []
S1 Klmc;Klmc;C:\WINDOWS\system32\drivers\klmc.sys []

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-13 22:58:42
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-13 23:01:28 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-14 05:01:08
ComboFix2.txt 2008-01-14 02:29:26
.
2007-11-12 09:44:41 --- E O F ---

#5 Henny123 (Topic Starter, Member, 12 posts)

And finally, here's my vundofix log. It includes the files it originally found when I first ran it, although when I run it now it doesn't detect anything:

VundoFix V6.7.7

Checking Java version...

Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.

Scan started at 8:01:00 PM 1/12/2008

Listing files found while scanning....

C:\WINDOWS\system32\knnmp.ini
C:\WINDOWS\system32\knnmp.ini2
C:\WINDOWS\system32\pmnnk.dll

Beginning removal...

Attempting to delete C:\WINDOWS\system32\knnmp.ini
C:\WINDOWS\system32\knnmp.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\knnmp.ini2
C:\WINDOWS\system32\knnmp.ini2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\pmnnk.dll
C:\WINDOWS\system32\pmnnk.dll Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.7.7

Checking Java version...

Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.

Scan started at 8:23:30 PM 1/12/2008

Listing files found while scanning....

No infected files were found.


VundoFix V6.7.7

Checking Java version...

Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.

Scan started at 8:02:46 PM 1/13/2008

Listing files found while scanning....

No infected files were found.

#6 sage5 (Retired Staff, RIP 10/2009, 2,646 posts)

Hi Henny123,

Welcome to Geeks to Go!
My name is sage5, and I will be helping you with this problem.


Run HijackThis.
  • Click the Do a system scan only button.
  • Check the boxes for the all the entries listed below:
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
O2 - BHO: (no name) - {568F616F-FEB0-48B6-9029-E6F527D4F159} - C:\WINDOWS\system32\pmnnk.dll (file missing)
O4 - HKLM\..\Run: [ManualRun] "D:\AUTORUN\AutoRun.exe"
O4 - HKLM\..\Run: [sys013466652071] C:\WINDOWS\sys013466652071.exe
O4 - HKLM\..\Run: [50447a58] rundll32.exe "C:\WINDOWS\system32\mmmbjxmy.dll",b
O4 - HKCU\..\Run: [krfm] C:\PROGRA~1\COMMON~1\krfm\krfmm.exe
O4 - Startup: GameSpot Download Manager.lnk = C:\Program Files\GameSpot\GameSpotDownloadManager_Win32.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O24 - Desktop Component 0: (no name) - C:\WINDOWS\system32\ad.html

  • Now close all windows other than HijackThis and click Fix Checked.
  • Close HijackThis.


Remove folders & files:
  • Please go to Start > Control Panel > Add/Remove Programs and remove the following, (if present):
    GameSpot
    Please take note of any other programs that you don't recognise in that list, and include them in your next response


Create a ComboFix Script:
  • Please open Notepad
    • Click Start, then Run
    • Type notepad.exe in the Run box.
  • Now copy/paste the entire content of the codebox below into the Notepad window:
File::
C:\WINDOWS\sys013466652071.exe
C:\WINDOWS\system32\mmmbjxmy.dll
C:\WINDOWS\SnVhbiBDYXJsbw\mBp1v21GsrLPvT.vbs
C:\WINDOWS\system32\000050.exe
C:\sqmdata02.sqm
C:\sqmnoopt02.sqm
C:\Documents and Settings\Juan carlo\g.bat

Folder::
C:\Program Files\GameSpot

RENV::
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart .exe
C:\Program Files\Common Files\Seagate\Schedule2\schedhlp .exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect .exe
C:\Program Files\Creative\MediaSource5\MtdAcqu .exe
C:\Program Files\Creative\Sync Manager Unicode\CTSyncU .exe
C:\Program Files\Elaborate Bytes\DVD Region Killer\ElbyCheck .exe
C:\Program Files\iTunes\iTunesHelper .exe
C:\Program Files\MSN Messenger\MsnMsgr .Exe
C:\Program Files\NVIDIA Corporation\nTune\nTune .exe
C:\Program Files\Seagate\DiscWizard\DiscWizardMonitor .exe
C:\Program Files\Seagate\DiscWizard\TimounterMonitor .exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer .exe
C:\WINDOWS\system32\NeroCheck .exe
C:\WINDOWS\system32\rmctrl .exe

Registry::
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00

  • Save the above as CFScript.txt
  • Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.
    [animation: drag CFScript.txt onto ComboFix.exe]
  • After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.


Cheers,

sage5
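As an added example (my code, not sage5's and not part of ComboFix), here is a small Python reader for the CFScript above. It splits the File::, Folder::, RENV:: and Registry:: sections, decodes the hex(7) REG_MULTI_SZ so you can see that the Registry:: block writes `msv1_0` alone into LSA's Authentication Packages (the ComboFix report in post #4 listed `msv1_0 relog_ap`, so the script drops `relog_ap`), and shows that RENV:: merely restores the `name .exe` files to `name.exe`. The sample script is copied from the post, `COMBOFIX_LSA_LINE` is the line from post #4, `DEFAULT_AUTH_PACKAGES = ("msv1_0",)` is my assumption about a stock Windows XP install, and the function names are mine.

```python
import re

# Constructed sample: the CFScript from the post above, abridged to a couple of
# entries per section plus the full Registry:: block.
SAMPLE_CFSCRIPT = r'''File::
C:\WINDOWS\sys013466652071.exe
C:\WINDOWS\system32\mmmbjxmy.dll

Folder::
C:\Program Files\GameSpot

RENV::
C:\WINDOWS\system32\NeroCheck .exe
C:\WINDOWS\system32\rmctrl .exe

Registry::
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00
'''

# The matching line from the ComboFix "Reg Loading Points" report in post #4.
COMBOFIX_LSA_LINE = "Authentication Packages REG_MULTI_SZ msv1_0 relog_ap"

# Assumption: a stock Windows XP install registers only the NTLM package here.
DEFAULT_AUTH_PACKAGES = ("msv1_0",)


def parse_cfscript(text):
    """Split a CFScript into its sections; a header is a line ending in '::'."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("::"):
            current = line[:-2]
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def decode_multi_sz(hex7):
    """Decode a REGEDIT4-style hex(7) value (ANSI bytes, NUL-separated,
    double-NUL terminated) into the list of strings it holds."""
    data = bytes.fromhex(hex7.replace(",", ""))
    return [s.decode("cp1252") for s in data.split(b"\x00") if s]


REG_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=hex\(7\):(?P<data>[0-9a-fA-F,]+)$')


def parse_registry_section(lines):
    """Return {key: {value name: decoded REG_MULTI_SZ list}} for Registry::."""
    result, key = {}, None
    for line in lines:
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            result.setdefault(key, {})
        else:
            m = REG_VALUE_RE.match(line)
            if m and key is not None:
                result[key][m.group("name")] = decode_multi_sz(m.group("data"))
    return result


def restore_renv_name(path):
    """What RENV:: reverts: drop the whitespace inserted before the extension."""
    return re.sub(r"\s+(\.[A-Za-z0-9]+)$", r"\1", path)


def unexpected_auth_packages(combofix_line):
    """From ComboFix's 'Authentication Packages REG_MULTI_SZ ...' line, return
    the packages that are not part of the default set."""
    tokens = combofix_line.split()
    packages = tokens[tokens.index("REG_MULTI_SZ") + 1:]
    return [p for p in packages if p not in DEFAULT_AUTH_PACKAGES]


def plan(text):
    """Summarise what the script will do, so it can be reviewed before running."""
    sections = parse_cfscript(text)
    return {
        "delete": sections.get("File", []) + sections.get("Folder", []),
        "rename": {p: restore_renv_name(p) for p in sections.get("RENV", [])},
        "registry": parse_registry_section(sections.get("Registry", [])),
    }


if __name__ == "__main__":
    for action, detail in plan(SAMPLE_CFSCRIPT).items():
        print(action, detail)
    print("extra LSA packages:", unexpected_auth_packages(COMBOFIX_LSA_LINE))
```

The hex(7) decoder assumes the REGEDIT4 (ANSI) layout ComboFix emits, which is why `6d,73,76,31,5f,30,00,00` comes out as the single string `msv1_0`; a Unicode `.reg` file would carry the same value as UTF-16LE bytes. Any Authentication Packages entry beyond `msv1_0` is worth checking, since every DLL listed there is loaded into LSASS at boot.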

#7 Henny123 (Topic Starter, Member, 12 posts)

Thanks for your time Sage5.

I didn't see an uninstall for the GameSpot app. I also didn't see a folder for it, so I assume it's no longer there.

Everything worked fine though.

Here's my new Hijackthis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:59:01 AM, on 1/17/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Kaspersky Lab\Kaspersky Security Suite\Kaspersky Anti-Spam Personal\KAV\KAVSVC.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
O2 - BHO: NetXfer - {83B80A9C-D91A-4F22-8DCF-EA7204039F79} - C:\Program Files\Xi\NetXfer\NXIEHelper.dll
O3 - Toolbar: NetXfer - {C16CBAAC-A75C-4DB5-A0DD-CDF5CAFCDD3A} - C:\Program Files\Xi\NetXfer\NXToolBar.dll
O4 - HKLM\..\Run: [OESpamTest] C:\PROGRA~1\KASPER~1\KASPER~1\KASPER~3\OESpamTest.ExE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
O4 - HKCU\..\Run: [CTSyncU.exe] "C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe"
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Download all by NetXfer - C:\Program Files\Xi\NetXfer\NXAddList.html
O8 - Extra context menu item: Download All Files by HiDownload - C:\Program Files\HiDownload\HDGetAll.htm
O8 - Extra context menu item: Download by HiDownload - C:\Program Files\HiDownload\HDGet.htm
O8 - Extra context menu item: Download by NetXfer - C:\Program Files\Xi\NetXfer\NXAddLink.html
O9 - Extra button: HiDownload - {F4FBA929-A891-492C-A0F6-5C79CC4F1742} - C:\Program Files\HiDownload\hidownload.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: kavsvc - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Security Suite\Kaspersky Anti-Spam Personal\KAV\KAVSVC.exe

--
End of file - 4362 bytes

#8 Henny123 (Topic Starter, Member, 12 posts)

And here's combofix:

ComboFix 08-01-14.2 - Juan carlo 2008-01-17 6:46:50.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.686 [GMT -6:00]
Running from: C:\Documents and Settings\Juan carlo\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Juan carlo\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE
C:\Documents and Settings\Juan carlo\g.bat
C:\sqmdata02.sqm
C:\sqmnoopt02.sqm
C:\WINDOWS\SnVhbiBDYXJsbw\mBp1v21GsrLPvT.vbs
C:\WINDOWS\sys013466652071.exe
C:\WINDOWS\system32\000050.exe
C:\WINDOWS\system32\mmmbjxmy.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Juan carlo\g.bat
C:\sqmdata02.sqm
C:\sqmnoopt02.sqm
C:\WINDOWS\SnVhbiBDYXJsbw\mBp1v21GsrLPvT.vbs
C:\WINDOWS\system32\000050.exe

.
((((((((((((((((((((((((( Files Created from 2007-12-17 to 2008-01-17 )))))))))))))))))))))))))))))))
.

2008-01-14 00:00 . 2008-01-14 00:00 <DIR> d-------- C:\Program Files\SystemRequirementsLab
2008-01-14 00:00 . 2008-01-14 00:00 <DIR> d-------- C:\Documents and Settings\Juan carlo\Application Data\SystemRequirementsLab
2008-01-13 21:38 . 2008-01-13 21:38 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-13 20:48 . 2007-06-05 10:56 44,928 --a------ C:\WINDOWS\system32\drivers\SDTHOOK.SYS
2008-01-13 20:34 . 2008-01-13 21:23 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2008-01-13 20:34 . 2008-01-13 20:34 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2008-01-13 20:34 . 2008-01-13 20:34 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2008-01-13 20:34 . 2008-01-13 20:34 1,406 --a------ C:\WINDOWS\system32\Help.ico
2008-01-13 20:22 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-12 20:01 . 2008-01-12 20:23 <DIR> d-------- C:\VundoFix Backups
2008-01-10 23:53 . 2008-01-10 23:53 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2008-01-10 23:53 . 2008-01-13 22:15 <DIR> d-------- C:\Documents and Settings\Juan carlo\Application Data\AVG7
2008-01-10 23:52 . 2008-01-10 23:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-01-10 23:52 . 2008-01-12 19:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7
2008-01-08 10:03 . 2008-01-08 10:03 <DIR> d-------- C:\Documents and Settings\Juan carlo\Application Data\vlc
2008-01-08 09:11 . 2008-01-08 09:11 <DIR> d-------- C:\Program Files\VideoLAN
2008-01-08 07:49 . 2008-01-08 07:49 <DIR> d-------- C:\Program Files\Lavasoft
2008-01-08 07:49 . 2008-01-10 21:25 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-01-08 06:18 . 2008-01-10 21:22 <DIR> d-------- C:\Program Files\AllToAVI
2008-01-08 06:13 . 2008-01-08 06:16 <DIR> d-------- C:\Program Files\MKVTOAVI
2008-01-07 09:29 . 2008-01-10 23:50 155,648 --a------ C:\WINDOWS\system32\NeroCheck.exe
2008-01-07 09:29 . 2008-01-10 23:50 32,768 --a------ C:\WINDOWS\system32\rmctrl.exe
2007-12-29 00:31 . 2007-12-29 00:31 <DIR> d-------- C:\Program Files\OpenSource Flash Video Splitter
2007-12-29 00:27 . 2006-10-02 13:43 6,144 --a------ C:\WINDOWS\system32\ff_acm.acm
2007-12-29 00:27 . 2006-10-02 13:44 5,120 --a------ C:\WINDOWS\system32\ff_vfw.dll
2007-12-29 00:27 . 2006-08-05 12:06 547 --a------ C:\WINDOWS\system32\ff_vfw.dll.manifest


.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-17 12:46 --------- d-----w C:\Program Files\MSN Messenger
2008-01-17 12:46 --------- d-----w C:\Program Files\iTunes
2008-01-17 12:46 --------- d-----w C:\Documents and Settings\Juan carlo\Application Data\uTorrent
2008-01-17 12:39 --------- d-----w C:\Program Files\Matroska Pack
2008-01-14 03:12 --------- d-----w C:\Program Files\SmartFTP Client 2.0
2008-01-13 02:03 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-11 06:42 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-01-11 06:37 --------- d-----w C:\Program Files\QuickTime
2008-01-11 03:22 --------- d-----w C:\Program Files\Solveig Multimedia
2008-01-11 03:22 --------- d-----w C:\Program Files\Common Files\Elecard
2007-12-29 06:27 --------- d-----w C:\Program Files\ffdshow
2007-12-28 03:43 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2007-12-04 07:11 --------- d-----w C:\Documents and Settings\Juan carlo\Application Data\InstallShield
2006-11-14 22:56 16,752 ----a-w C:\Documents and Settings\Juan carlo\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((( snapshot_2008-01-13_23.01.00.17 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-01-14 02:22:32 479,232 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
+ 2008-01-17 12:46:41 479,232 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
- 2008-01-14 02:22:32 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
+ 2008-01-17 12:46:41 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
- 2008-01-14 02:22:32 479,232 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
+ 2008-01-17 12:46:41 479,232 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
- 2008-01-14 02:22:32 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
+ 2008-01-17 12:46:41 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
- 2008-01-14 02:22:32 8,896,512 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\NTUSER.DAT
+ 2008-01-17 12:46:41 8,896,512 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\NTUSER.DAT
- 2008-01-14 02:22:32 118,784 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
+ 2008-01-17 12:46:41 118,784 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Steam"="" []
"Creative Detector"="C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" [2008-01-08 00:37 102400]
"CTSyncU.exe"="C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe" [2008-01-10 20:21 700416]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OESpamTest"="C:\PROGRA~1\KASPER~1\KASPER~1\KASPER~3\OESpamTest.ExE" [ ]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-01-12 19:39 579072]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-01-12 19:38 219136]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04]

R1 atitray;atitray;C:\Program Files\Ray Adams\ATI Tray Tools\atitray.sys [2007-05-22 03:04]
R2 ithsgt;ithsgt;C:\WINDOWS\system32\DRIVERS\ithsgt.sys [2006-03-20 01:08]
R2 lilsgt;lilsgt;C:\WINDOWS\system32\DRIVERS\lilsgt.sys [2006-03-20 01:08]
R3 RegKill;RegKill;C:\WINDOWS\system32\Drivers\RegKill.sys [2002-11-27 15:46]
R3 Tetri5;Tetri5 driver;C:\WINDOWS\system32\Drivers\Tetri5.sys [2006-03-20 01:38]
S0 Klpf;Klpf;C:\WINDOWS\system32\drivers\Klpf.sys []
S0 Klpid;Klpid;C:\WINDOWS\system32\drivers\Klpid.sys []
S1 Klmc;Klmc;C:\WINDOWS\system32\drivers\klmc.sys []

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-17 06:51:20
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-17 6:54:06 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-17 12:53:47
ComboFix2.txt 2008-01-14 05:01:28
ComboFix3.txt 2008-01-14 02:29:26
.
2007-11-12 09:44:41 --- E O F ---
  • 0

#9
sage5

sage5

    RIP 10/2009

  • Retired Staff
  • 2,646 posts
Hi Henny123,

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older versions of Java components and upgrade the application. Beware: it is NOT supported for use in 9x or ME and probably will not install on those systems.

Upgrading Java:
  • Download the latest version of Java Runtime Environment (JRE) 6 Update 4.
  • Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Check the box that says: "Accept License Agreement".
  • The page will refresh.
  • Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on the download to install the newest version.



Clean up Registry with a Reg file:
  • Please open a new Notepad file by clicking Start\All Programs\Accessories\Notepad
  • Copy the text from the following Code box, by highlighting all the text and right click, Select Copy. (or use the Ctrl+C keyboard shortcut)
Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Steam"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OESpamTest"=-
  • Paste it into Notepad. Right click in the window and select Paste. (or use Ctrl+V)
  • Save the file to the Desktop, make sure Type is All Files, and name it Fixreg.reg
  • Double click on the file created and click Yes when asked to merge the information into the Registry


Please run the F-Secure Online Scanner

Note: This Scanner is for Internet Explorer Only!
  • Read the FAQ and information about Supported Browsers
  • Click the Start Scanning button
  • If you get a Security warning, or the Information Bar at the top of the IE7 page flashes, Allow permission for the ActiveX to run
  • click the Accept button
  • Once the ActiveX installs, click Full System Scan
  • Once the download completes, the scan will begin automatically.
  • The scan will take some time to finish, so please be patient.
  • When the scan completes, click the Automatic cleaning (recommended) button.
  • Click the Show Report button and Copy & Paste the entire report into a new Notepad file, saved as C:\ f_secure.txt



It looks as if the Kaspersky Suite will need reloading, because bits of it have been corrupted/deleted by the infection.
Does the Kaspersky Suite you are using have a firewall component?
If not you should consider using one of the freeware 3rd party firewalls below.

You should check out:- Comodo Firewall Pro or Sunbelt Personal Firewall

User manuals are available for both:
Comodo's manual is built in and accessible from the Help Menu.

Sunbelt Manual Here

Both are simple to install & free to use.
Please install only 1


I need you to post me a fresh HijackThis log to confirm correct installation of the Anti-virus and Firewall programs.

Run HijackThis:
  • Select the Run a system scan and save a logfile option. The logfile opens in Notepad.
  • Start your Web Browser and navigate back to this thread.
  • Click the Add Reply button
  • Copy and Paste the text into the Reply window.
  • Also paste me the text from C:\avscan.txt

Cheers,

sage5
  • 0
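The registry fix in the post above deletes the two Run values that ComboFix listed with an empty target (`"Steam"="" []`) or with no file information (`"OESpamTest"=... [ ]`). As an added example, not code from this thread or from ComboFix, the Python script below parses ComboFix's "Reg Loading Points" block, flags such dangling autostart values, and renders the same kind of `"name"=-` deletion file; the sample input is constructed from the log posted earlier in this thread.

```python
"""Spot orphaned autostart entries in a ComboFix 'Reg Loading Points' dump.

Added example, not code from the thread or from ComboFix. It parses the
REGEDIT4-style block that ComboFix prints and emits a Windows Registry
Editor 5.00 file that deletes Run values whose target is empty or whose
file could not be found (shown by ComboFix as `[]` or `[ ]`).
"""
import re

# Constructed sample: the Run keys as ComboFix printed them in this thread.
SAMPLE = """REGEDIT4

[HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run]
"Steam"="" []
"Creative Detector"="C:\\Program Files\\Creative\\MediaSource\\Detector\\CTDetect.exe" [2008-01-08 00:37 102400]
"CTSyncU.exe"="C:\\Program Files\\Creative\\Sync Manager Unicode\\CTSyncU.exe" [2008-01-10 20:21 700416]

[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run]
"OESpamTest"="C:\\PROGRA~1\\KASPER~1\\KASPER~1\\KASPER~3\\OESpamTest.ExE" [ ]
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgcc.exe" [2008-01-12 19:39 579072]
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
# value name, target path, and the bracketed file info ComboFix appends
# (timestamp and size for a file it found, blank otherwise)
VALUE_RE = re.compile(r'^"(?P<name>[^"]*)"="(?P<path>[^"]*)"\s*\[(?P<info>[^\]]*)\]$')


def parse_loading_points(text):
    """Yield (key, name, path, info) for every value under each [key] header."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if m and key:
            yield key, m.group("name"), m.group("path"), m.group("info").strip()


def find_orphans(text):
    """Return (key, name) pairs whose target path is empty or whose file is missing.

    An empty path means the Run value launches nothing; empty file info means
    ComboFix could not find the executable. Either way the value is a dangling
    autostart that a helper would normally remove.
    """
    return [(key, name) for key, name, path, info in parse_loading_points(text)
            if not path or not info]


def build_reg_fix(orphans):
    """Render a .reg file that deletes each orphaned value using the "name"=- syntax."""
    by_key = {}
    for key, name in orphans:
        by_key.setdefault(key, []).append(name)
    lines = ["Windows Registry Editor Version 5.00", ""]
    for key, names in by_key.items():
        lines.append(f"[{key}]")
        lines.extend(f'"{name}"=-' for name in names)
        lines.append("")
    return "\n".join(lines)


if __name__ == "__main__":
    print(build_reg_fix(find_orphans(SAMPLE)))
```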

#10
Henny123

Henny123

    Member

  • Topic Starter
  • Member
  • PipPip
  • 12 posts
Here's the new HijackThis:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:08:07 PM, on 1/17/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\COMODO\Firewall\cmdagent.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Kaspersky Lab\Kaspersky Security Suite\Kaspersky Anti-Spam Personal\KAV\KAVSVC.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe
C:\Program Files\COMODO\Firewall\cfp.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O2 - BHO: NetXfer - {83B80A9C-D91A-4F22-8DCF-EA7204039F79} - C:\Program Files\Xi\NetXfer\NXIEHelper.dll
O3 - Toolbar: NetXfer - {C16CBAAC-A75C-4DB5-A0DD-CDF5CAFCDD3A} - C:\Program Files\Xi\NetXfer\NXToolBar.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\COMODO\Firewall\cfp.exe" -s
O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
O4 - HKCU\..\Run: [CTSyncU.exe] "C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe"
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Download all by NetXfer - C:\Program Files\Xi\NetXfer\NXAddList.html
O8 - Extra context menu item: Download All Files by HiDownload - C:\Program Files\HiDownload\HDGetAll.htm
O8 - Extra context menu item: Download by HiDownload - C:\Program Files\HiDownload\HDGet.htm
O8 - Extra context menu item: Download by NetXfer - C:\Program Files\Xi\NetXfer\NXAddLink.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra button: HiDownload - {F4FBA929-A891-492C-A0F6-5C79CC4F1742} - C:\Program Files\HiDownload\hidownload.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-sec...m/ols/fscax.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: COMODO Firewall Pro Helper Service (cmdAgent) - COMODO - C:\Program Files\COMODO\Firewall\cmdagent.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: kavsvc - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Security Suite\Kaspersky Anti-Spam Personal\KAV\KAVSVC.exe

--
End of file - 5297 bytes
  • 0

#11
Henny123

Henny123

    Member

  • Topic Starter
  • Member
  • PipPip
  • 12 posts
Here's f_secure scan:

Scanning Report
Thursday, January 17, 2008 16:12:08 - 16:58:01

Computer name: JCARLO
Scanning type: Scan system for viruses, rootkits, spyware
Target: C:\ F:\
Result: 2 malware found
Tracking Cookie (spyware)

* System (Disinfected)
* System

Statistics
Scanned:

* Files: 48477
* System: 4402
* Not scanned: 3

Actions:

* Disinfected: 1
* Renamed: 0
* Deleted: 0
* None: 1
* Submitted: 0

Files not scanned:

* C:\PAGEFILE.SYS
* C:\WINDOWS\SYSTEM32\DRIVERS\SPTD.SYS
* C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT

Options
Scanning engines:

* F-Secure Libra: 2.4.2, 2008-01-17
* F-Secure AVP: 7.0.171, 2008-01-17
* F-Secure Orion: 1.2.37, 2008-01-17
* F-Secure Blacklight: 1.0.64
* F-Secure Draco: 1.0.35, 0597-150-72
* F-Secure Pegasus: 1.19.0, 2008-00-16

Scanning options:

* Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB BAT LNK ANI AVB CEO CMD LSP MAP MHT MIF PDF PHP POT WMF NWS TAR TGZ WSF ZL? {* ZIP JAR ARJ LZH TAR TGZ GZ CAB RAR BZ2 HQXSWF
* Use Advanced heuristics
  • 0

#12
sage5

sage5

    RIP 10/2009

  • Retired Staff
  • 2,646 posts
Hi Henny123

Congratulations, your new log looks clear, so we can now deal with some final clean up jobs.


You will probably need to uninstall & reinstall your Kaspersky email scanner, some parts of it may have been corrupted during the infection & fix.


Clean out cookies, temp files etc:
Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.

    If you use Firefox browser
    • Click Firefox at the top and choose: Select All
    • Click the Empty Selected button.

      NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    If you use Opera browser
    • Click Opera at the top and choose: Select All
    • Click the Empty Selected button.

      NOTE: If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.



Time for some housekeeping:
  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK

  • When shown the disclaimer, Select "2"

The above procedure will:
  • Delete the following:
    • ComboFix and its associated files and folders.
    • VundoFix backups, if present
    • The C:\Deckard folder, if present
    • The C:\_OtMoveIt folder, if present
  • Reset the clock settings.
  • Hide file extensions, if required.
  • Hide System/Hidden files, if required.
  • Reset System Restore.


Lastly, some extra or better security for your PC:

The programs recommended below are freeware alternatives to some of your security software & might reduce the potential for spyware infection in the future:-

Spyware Prevention:
Spyware Blaster by JavaCool Software, prevents spyware installing and consumes no system resources.
IE/SpyAd, stops suspect sites loading ActiveX, popups etc onto your PC. An excellent tutorial is Here

Spyware Detection:
AVG Anti-Spyware is my favourite here.

Anti-Virus:
The first line of defence, especially since some will now detect trojans as well.
Avira's Antivir PersonalEdition Classic and Grisoft's Avast! Free Edition are among the best freebies.
*Please note* You should never install more than one anti-virus program on a PC, as it will cause conflicts.

Firewall:
A Firewall is an essential tool in the security of any PC connected to the Internet.
Sunbelt Personal Firewall and Comodo are both excellent freeware.

Alternate Browsers:
Thankfully, there are now some excellent alternatives to MS Internet Explorer. They offer better security, more stability, and better speed.
A couple of good examples are: Firefox and Opera

Other Updates:
Vital security patches and updates are available for Microsoft Windows and Internet Explorer at the Windows Update Site
It is equally important to update the other security software you use, like your AVG Anti-virus, on a regular basis.

Further reading about these issues is available in a very good article: How did I get infected in the first place ? (by Tony Klein and dvk01)

All the best & safe surfing in the future,

sage5
  • 0

#13
Henny123

Henny123

    Member

  • Topic Starter
  • Member
  • PipPip
  • 12 posts
Done.

Thanks for your time and help sage5!

I'm recommending this site to everyone I know.
  • 0

#14
sage5

sage5

    RIP 10/2009

  • Retired Staff
  • 2,646 posts
You are very welcome Henny123 :)
  • 0

#15
sage5

sage5

    RIP 10/2009

  • Retired Staff
  • 2,646 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0