
[Resolved] help with malware infection


  • This topic is locked
18 replies to this topic

#1 NoodleTech

NoodleTech

    Malware Eradicator

  • Visiting Fellow
  • 2,380 posts

Posted 16 May 2008 - 05:06 PM

Hi, my computer recently got infected with malware after a friend visited some malicious sites on it. My computer has suspicious things loading at startup, and when I try to go to a URL in Internet Explorer, it redirects to porno sites and I also get ad popups.

Explorer crashes for no reason as well. Here is a screenshot of that happening:
Screenshot

I have not scanned with antivirus or antispyware yet, but I plan to.

Here is my HijackThis log:


Logfile of HijackThis v1.99.1
Scan saved at 3:44:16 PM, on 5/16/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Hijackthis\HijackThis.exe

O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [34eb1b4b] rundll32.exe "C:\WINDOWS\system32\bpficqgg.dll",b
O4 - HKLM\..\Run: [BM37d828d7] Rundll32.exe "C:\WINDOWS\system32\thhcvhpv.dll",s
O4 - HKCU\..\Run: [kava] C:\WINDOWS\system32\kavo.exe
O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

Please help me clean this infection.

Thanks!

Edited by HumpATree123, 17 May 2008 - 10:49 AM.

Proud Graduate of the WTT Malware Classroom.
If you feel I have helped you, please consider a donation.
Topics will be closed after three days if there is no response.
Please do not PM me for malware removal assistance.


#2 NoodleTech

Posted 16 May 2008 - 06:41 PM

I just scanned with AVG Free 8.0 and it detected these viruses.

Here's the screenshot:
Screenshot

Here's the screenshot of what pops up when I start up my computer after scanning and removing the detected viruses:
Startup

I'm going to run ComboFix and scan with the Malwarebytes' Anti-Malware scanner, then post a new HijackThis log.

#3 NoodleTech

Posted 16 May 2008 - 06:59 PM

I scanned with ComboFix, did a quick scan with Malwarebytes' Anti-Malware, and scanned again with HijackThis after disinfecting the files discovered by MBAM and CF.

Here are the logs:

ComboFix log:


ComboFix 08-05-15.3 - James 2008-05-16 17:43:33.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1671 [GMT -7:00]
Running from: C:\Documents and Settings\James\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Autorun.inf
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\Cache
C:\WINDOWS\system32\ggqcifpb.ini
C:\WINDOWS\system32\jxtonxat.ini
C:\WINDOWS\system32\UxGgNXyb.ini
C:\WINDOWS\system32\UxGgNXyb.ini2

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_IPRIP
-------\Service_Iprip


((((((((((((((((((((((((( Files Created from 2008-04-17 to 2008-05-17 )))))))))))))))))))))))))))))))
.

2008-05-16 17:43 . 2008-05-16 17:43 1,024 --ah----- C:\WINDOWS\system32\config\systemprofile\ntuser.dat.LOG
2008-05-16 16:28 . 2008-05-16 16:33 <DIR> d--h----- C:\$AVG8.VAULT$
2008-05-16 16:27 . 2008-05-16 16:29 <DIR> d-------- C:\WINDOWS\system32\drivers\Avg
2008-05-16 16:27 . 2008-05-16 16:27 <DIR> d-------- C:\Program Files\AVG
2008-05-16 16:27 . 2008-05-16 16:27 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-05-16 16:27 . 2008-05-16 16:27 96,520 --a------ C:\WINDOWS\system32\drivers\avgldx86.sys
2008-05-16 16:27 . 2008-05-16 16:27 75,272 --a------ C:\WINDOWS\system32\drivers\avgtdix.sys
2008-05-16 16:27 . 2008-05-16 16:27 10,520 --a------ C:\WINDOWS\system32\avgrsstx.dll
2008-05-13 19:18 . 2008-05-15 19:33 109,826 --a------ C:\WINDOWS\BM37d828d7.xml
2008-05-11 15:11 . 2008-05-11 15:11 <DIR> d-------- C:\Program Files\ReflexiveArcade
2008-05-11 15:11 . 2008-05-14 16:45 <DIR> d-------- C:\Program Files\Crimsonland
2008-05-11 14:56 . 2008-05-11 14:56 <DIR> d-------- C:\Program Files\VstPlugins
2008-05-11 14:56 . 2008-05-11 14:56 <DIR> d-------- C:\Program Files\ASIO4ALL v2
2008-05-11 14:56 . 2002-07-07 15:14 1,294,336 --a------ C:\WINDOWS\system32\vorbis.acm
2008-05-11 14:56 . 2006-06-20 01:56 225,280 --a------ C:\WINDOWS\system32\rewire.dll
2008-05-11 14:55 . 2008-05-11 14:55 <DIR> d-------- C:\Program Files\Outsim
2008-05-11 14:54 . 2008-05-11 14:56 <DIR> d-------- C:\Program Files\Image-Line
2008-05-11 12:06 . 2008-05-11 12:06 <DIR> d-------- C:\Program Files\uTorrent
2008-05-11 12:06 . 2008-05-14 16:55 <DIR> d-------- C:\Documents and Settings\James\Application Data\uTorrent
2008-05-09 21:49 . 2008-05-09 21:49 <DIR> d-------- C:\WINDOWS\vocoder
2008-05-09 18:20 . 2008-05-09 20:43 <DIR> d-------- C:\UT2004
2008-05-02 22:21 . 2001-08-17 13:56 7,552 --a------ C:\WINDOWS\system32\drivers\SONYPVU1.SYS
2008-05-02 22:21 . 2001-08-17 13:56 7,552 --a--c--- C:\WINDOWS\system32\dllcache\sonypvu1.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-17 00:47 --------- d-----w C:\Program Files\Steam
2008-05-16 22:53 --------- d-----w C:\Documents and Settings\James\Application Data\foobar2000
2008-05-11 04:26 22,328 ----a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys
2008-04-14 00:20 --------- d-----w C:\Program Files\Real Alternative
2008-04-13 20:31 --------- d-----w C:\Program Files\D-Tools
2008-04-13 20:29 717,296 ----a-w C:\WINDOWS\system32\drivers\sptd.sys
2008-04-13 20:17 --------- d-----w C:\Documents and Settings\James\Application Data\dvdcss
2008-04-13 20:16 --------- d-----w C:\Program Files\Handbrake
2008-04-13 19:52 --------- d-----w C:\Program Files\Paint.NET
2008-04-13 19:52 --------- d-----w C:\Program Files\GIMP-2.0
2008-04-13 09:30 --------- d-----w C:\Program Files\hp deskjet 5550 series
2008-04-13 09:30 --------- d-----w C:\Program Files\Hewlett-Packard
2008-04-13 04:26 --------- d-----w C:\Program Files\Unlocker
2008-04-13 03:45 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-13 03:45 --------- d-----w C:\Program Files\EA GAMES
2008-04-13 03:19 --------- d-----w C:\Program Files\Microsoft ActiveSync
2008-04-13 03:16 --------- d-----w C:\Program Files\CCleaner
2008-04-13 03:03 --------- d-----w C:\Program Files\foobar2000
2008-04-13 02:52 --------- d-----w C:\Program Files\Gabest
2008-04-13 02:49 --------- d-----w C:\Program Files\Auto Shutdown
2008-04-13 02:44 --------- d-----w C:\Documents and Settings\James\Application Data\vlc
2008-04-13 02:43 --------- d-----w C:\Program Files\VideoLAN
2008-04-13 02:40 --------- d-----w C:\Documents and Settings\James\Application Data\Media Player Classic
2008-04-13 02:38 --------- d-----w C:\Program Files\ffdshow
2008-04-12 23:19 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-04-12 23:11 --------- d-----w C:\Program Files\Intel
2008-04-12 23:10 --------- d-----w C:\Program Files\Realtek Sound Manager
2008-04-12 23:10 --------- d-----w C:\Program Files\Realtek AC97
2008-04-12 23:10 --------- d-----w C:\Program Files\AvRack
2008-04-12 23:01 --------- d-----w C:\Program Files\microsoft frontpage
2007-09-30 05:55 5,717,248 ----a-w C:\Program Files\Foxit Reader.exe
2006-03-20 22:37 5,689,344 ----a-w C:\Program Files\mplayerc.exe
.
<pre>
----a-w			57,191 2006-07-04 04:09:08  C:\Documents and Settings\James\Desktop\Pictures\tempoary files\New installs\autoshutdownnew .exe
</pre>


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{477E96FD-D287-435B-82BE-26D75FDB8C40}]
C:\WINDOWS\system32\byXNgGxU.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B3102264-D09D-4322-B625-503FBF18DD7E}]
C:\WINDOWS\system32\wvUoNHwV.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{cdb0dad8-691e-434d-86cb-aae059f205d2}]
C:\WINDOWS\system32\jyhnmjux.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Steam"="c:\program files\steam\steam.exe" [2008-04-12 20:17 1271032]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-03 22:32 208952]
"PHIME2002ASync"="C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.exe" [2004-08-03 22:32 455168]
"PHIME2002A"="C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.exe" [2004-08-03 22:32 455168]
"SoundMan"="SOUNDMAN.EXE" [2005-08-17 18:39 90112 C:\WINDOWS\soundman.exe]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-12-05 01:41 8523776]
"nwiz"="nwiz.exe" [2007-12-05 01:41 1626112 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-12-05 01:41 81920]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe" [2002-03-18 04:00 188416]
"DAEMON Tools-1033"="C:\Program Files\D-Tools\daemon.exe" [2004-03-12 22:43 81920]
"34eb1b4b"="C:\WINDOWS\system32\bpficqgg.dll" [ ]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-05-16 16:27 1177368]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04 83360]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{B3102264-D09D-4322-B625-503FBF18DD7E}"= C:\WINDOWS\system32\wvUoNHwV.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wvUoNHwV]
wvUoNHwV.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\EA GAMES\\Battlefield 2\\BF2.exe"=
"C:\\Program Files\\Steam\\steamapps\\yaostao2\\counter-strike source\\hl2.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"C:\\Program Files\\Steam\\steamapps\\yaostao2\\counter-strike\\hl.exe"=
"C:\\UT2004\\System\\UT2004.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"=

R0 d346bus;d346bus;C:\WINDOWS\system32\DRIVERS\d346bus.sys [2004-03-12 22:41]
R0 d346prt;d346prt;C:\WINDOWS\system32\Drivers\d346prt.sys [2004-03-12 22:41]
R1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-05-16 16:27]
R2 avg8emc;AVG8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-05-16 16:27]
R2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-05-16 16:27]
R2 AvgTdiX;AVG8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-05-16 16:27]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{75c37ece-180a-11dd-aee2-00508df7329e}]
\Shell\AutoRun\command - F:\imt8.cmd
\Shell\explore\Command - F:\imt8.cmd
\Shell\open\Command - F:\imt8.cmd

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a22cb481-0902-11dd-bac0-00508df7329e}]
\Shell\AutoRun\command - F:\vt6e.cmd
\Shell\explore\Command - F:\vt6e.cmd
\Shell\open\Command - F:\vt6e.cmd

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{abafae33-098e-11dd-bac6-00508df7329e}]
\Shell\AutoRun\command - F:\vt6e.cmd
\Shell\explore\Command - F:\vt6e.cmd
\Shell\open\Command - F:\vt6e.cmd

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f0c8c2c1-08e4-11dd-babd-00508df7329e}]
\Shell\AutoRun\command - G:\vt6e.cmd
\Shell\explore\Command - G:\vt6e.cmd
\Shell\open\Command - G:\vt6e.cmd

.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-16 17:46:46
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\system32\snmp.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
.
**************************************************************************
.
Completion time: 2008-05-16 17:48:51 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-17 00:48:48

Pre-Run: 47,368,167,424 bytes free
Post-Run: 47,536,410,624 bytes free

181 --- E O F --- 2008-04-14 01:56:18

Malwarebytes log:


Malwarebytes' Anti-Malware 1.12
Database version: 755

Scan type: Quick Scan
Objects scanned: 32648
Time elapsed: 3 minute(s), 16 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 5
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{b3102264-d09d-4322-b625-503fbf18dd7e} (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{b3102264-d09d-4322-b625-503fbf18dd7e} (Trojan.Vundo) -> No action taken.
HKEY_CURRENT_USER\Software\Microsoft\affri (Malware.Trace) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> No action taken.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{b3102264-d09d-4322-b625-503fbf18dd7e} (Trojan.Vundo) -> No action taken.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 5:57:37 PM, on 5/16/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\explorer.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: (no name) - {477E96FD-D287-435B-82BE-26D75FDB8C40} - C:\WINDOWS\system32\byXNgGxU.dll (file missing)
O2 - BHO: {2d502f95-0eaa-bc68-d434-e1968dad0bdc} - {cdb0dad8-691e-434d-86cb-aae059f205d2} - C:\WINDOWS\system32\jyhnmjux.dll (file missing)
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [34eb1b4b] rundll32.exe "C:\WINDOWS\system32\bpficqgg.dll",b
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: wvUoNHwV - wvUoNHwV.dll (file missing)
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

Edited by HumpATree123, 17 May 2008 - 10:54 AM.


#4 LDTate

LDTate

    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 22 May 2008 - 06:59 AM

Guess you didn't read this.
http://forums.whatth...ING_t86364.html

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

 

 

Proud graduate of TC/WTT Classroom

 


#5 NoodleTech

Posted 22 May 2008 - 08:54 PM

Sorry for not reading the rules. I just went through them now.

#6 LDTate

Posted 23 May 2008 - 07:33 AM

Download ComboFix from Here or Here to your Desktop.
**Note: In the event you already have ComboFix, please delete it from your desktop and download this new version. It is important that it is saved directly to your desktop.**
--------------------------------------------------------------------
  • Close any open browsers and make sure you are disconnected from the net. Unplug the cable if need be before running ComboFix.
  • WARNING: If you have not already done so, ComboFix will disconnect your machine from the Internet when it starts.
  • Please do not reconnect your machine to the Internet until ComboFix has completely finished.
--------------------------------------------------------------------

Double-click on combofix.exe and follow the prompts.
When finished, it will produce a report for you.
Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.

****Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall or freeze.****

*If there is no internet connection when ComboFix has completely finished, then restart your computer to restore the connections.

Give it at least 20-30 minutes to finish.


 


#7 LDTate

Posted 28 May 2008 - 04:28 PM

Do you still need help with this?


 


#8 NoodleTech

Posted 28 May 2008 - 11:03 PM

ComboFix 08-05-28.4 - James 2008-05-28 21:57:52.7 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1677 [GMT -7:00]
Running from: C:\Documents and Settings\James\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\autorun.inf
C:\WINDOWS\BM37d828d7.xml
C:\WINDOWS\system32\kavo.exe
C:\WINDOWS\system32\kavo0.dll
C:\WINDOWS\system32\kavo1.dll

.
((((((((((((((((((((((((( Files Created from 2008-04-28 to 2008-05-29 )))))))))))))))))))))))))))))))
.

2008-05-28 16:10 . 2008-05-28 16:10 122,238 -r-hs---- C:\yp.bat
2008-05-27 17:57 . 2008-05-27 17:57 119,463 -r-hs---- C:\sdc.bat
2008-05-26 10:51 . 2008-05-25 17:55 121,998 -r-hs---- C:\2.cmd
2008-05-25 17:56 . 2008-05-25 17:55 121,998 -r-hs---- C:\9mf.exe
2008-05-25 00:01 . 2008-05-25 00:01 <DIR> d-------- C:\Program Files\dayam NFO Viewer
2008-05-24 23:26 . 2008-05-24 23:26 <DIR> d-------- C:\Program Files\Rockstar Games
2008-05-24 23:26 . 2003-05-23 13:28 1,060,864 --a------ C:\WINDOWS\system32\mfc71.dll
2008-05-24 14:00 . 2008-05-11 20:26 119,106 -r-hs---- C:\uqb0julr.bat
2008-05-23 22:45 . 2008-05-25 00:48 118,852 -r-hs---- C:\ocbqsqj.bat
2008-05-22 19:44 . 2008-05-23 00:26 118,580 -r-hs---- C:\m.exe
2008-05-17 21:41 . 2008-05-17 21:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avg8
2008-05-17 21:33 . 2008-05-17 21:33 <DIR> d-------- C:\Documents and Settings\James\Application Data\Talkback
2008-05-16 17:50 . 2008-05-16 17:50 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-05-16 17:50 . 2008-05-16 17:50 <DIR> d-------- C:\Documents and Settings\James\Application Data\Malwarebytes
2008-05-16 17:50 . 2008-05-16 17:50 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-05-16 17:50 . 2008-05-05 20:46 27,048 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-05-16 17:50 . 2008-05-05 20:46 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-05-16 16:27 . 2008-05-16 16:27 <DIR> d-------- C:\Program Files\AVG
2008-05-11 15:11 . 2008-05-11 15:11 <DIR> d-------- C:\Program Files\ReflexiveArcade
2008-05-11 15:11 . 2008-05-14 16:45 <DIR> d-------- C:\Program Files\Crimsonland
2008-05-11 14:56 . 2008-05-11 14:56 <DIR> d-------- C:\Program Files\VstPlugins
2008-05-11 14:56 . 2008-05-11 14:56 <DIR> d-------- C:\Program Files\ASIO4ALL v2
2008-05-11 14:56 . 2002-07-07 15:14 1,294,336 --a------ C:\WINDOWS\system32\vorbis.acm
2008-05-11 14:56 . 2006-06-20 01:56 225,280 --a------ C:\WINDOWS\system32\rewire.dll
2008-05-11 14:55 . 2008-05-11 14:55 <DIR> d-------- C:\Program Files\Outsim
2008-05-11 14:54 . 2008-05-11 14:56 <DIR> d-------- C:\Program Files\Image-Line
2008-05-11 12:06 . 2008-05-11 12:06 <DIR> d-------- C:\Program Files\uTorrent
2008-05-11 12:06 . 2008-05-14 16:55 <DIR> d-------- C:\Documents and Settings\James\Application Data\uTorrent
2008-05-09 21:49 . 2008-05-09 21:49 <DIR> d-------- C:\WINDOWS\vocoder
2008-05-02 22:21 . 2001-08-17 13:56 7,552 --a------ C:\WINDOWS\system32\drivers\SONYPVU1.SYS
2008-05-02 22:21 . 2001-08-17 13:56 7,552 --a--c--- C:\WINDOWS\system32\dllcache\sonypvu1.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-29 04:34 --------- d-----w C:\Program Files\Steam
2008-05-25 06:26 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-16 22:53 --------- d-----w C:\Documents and Settings\James\Application Data\foobar2000
2008-05-11 04:26 22,328 ----a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys
2008-05-11 04:24 107,832 ----a-w C:\WINDOWS\system32\PnkBstrB.exe
2008-04-14 00:20 --------- d-----w C:\Program Files\Real Alternative
2008-04-13 20:31 --------- d-----w C:\Program Files\D-Tools
2008-04-13 20:29 717,296 ----a-w C:\WINDOWS\system32\drivers\sptd.sys
2008-04-13 20:17 --------- d-----w C:\Documents and Settings\James\Application Data\dvdcss
2008-04-13 20:16 --------- d-----w C:\Program Files\Handbrake
2008-04-13 19:52 --------- d-----w C:\Program Files\Paint.NET
2008-04-13 19:52 --------- d-----w C:\Program Files\GIMP-2.0
2008-04-13 14:12 66,872 ----a-w C:\WINDOWS\system32\PnkBstrA.exe
2008-04-13 09:30 --------- d-----w C:\Program Files\hp deskjet 5550 series
2008-04-13 09:30 --------- d-----w C:\Program Files\Hewlett-Packard
2008-04-13 04:26 --------- d-----w C:\Program Files\Unlocker
2008-04-13 03:45 --------- d-----w C:\Program Files\EA GAMES
2008-04-13 03:19 --------- d-----w C:\Program Files\Microsoft ActiveSync
2008-04-13 03:16 --------- d-----w C:\Program Files\CCleaner
2008-04-13 03:03 --------- d-----w C:\Program Files\foobar2000
2008-04-13 02:52 --------- d-----w C:\Program Files\Gabest
2008-04-13 02:49 --------- d-----w C:\Program Files\Auto Shutdown
2008-04-13 02:44 --------- d-----w C:\Documents and Settings\James\Application Data\vlc
2008-04-13 02:43 --------- d-----w C:\Program Files\VideoLAN
2008-04-13 02:40 --------- d-----w C:\Documents and Settings\James\Application Data\Media Player Classic
2008-04-13 02:38 --------- d-----w C:\Program Files\ffdshow
2008-04-12 23:19 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-04-12 23:11 --------- d-----w C:\Program Files\Intel
2008-04-12 23:10 --------- d-----w C:\Program Files\Realtek Sound Manager
2008-04-12 23:10 --------- d-----w C:\Program Files\Realtek AC97
2008-04-12 23:10 --------- d-----w C:\Program Files\AvRack
2008-04-12 23:01 --------- d-----w C:\Program Files\microsoft frontpage
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-05 23:03 479,752 ----a-w C:\WINDOWS\system32\XAudio2_0.dll
2008-03-05 23:03 238,088 ----a-w C:\WINDOWS\system32\xactengine3_0.dll
2008-03-05 23:00 25,608 ----a-w C:\WINDOWS\system32\X3DAudio1_3.dll
2008-03-05 22:56 3,786,760 ----a-w C:\WINDOWS\system32\D3DX9_37.dll
2008-03-05 22:56 1,420,824 ----a-w C:\WINDOWS\system32\D3DCompiler_37.dll
2007-09-30 05:55 5,717,248 ----a-w C:\Program Files\Foxit Reader.exe
2006-03-20 22:37 5,689,344 ----a-w C:\Program Files\mplayerc.exe
.
<pre>
----a-w			57,191 2006-07-04 04:09:08  C:\Documents and Settings\James\Desktop\Pictures\tempoary files\New installs\autoshutdownnew .exe
</pre>


((((((((((((((((((((((((((((( snapshot_2008-05-18_15.59.09.75 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-18 22:29:40 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-29 04:34:18 2,048 --s-a-w C:\WINDOWS\bootstat.dat
- 2000-08-31 15:00:00 73,728 ----a-w C:\WINDOWS\fdsv.exe
+ 2000-08-31 15:00:00 89,504 ----a-w C:\WINDOWS\fdsv.exe
- 2008-05-18 22:30:03 227,959 ----a-w C:\WINDOWS\system32\inetsrv\MetaBase.bin
+ 2008-05-29 04:34:32 227,959 ----a-w C:\WINDOWS\system32\inetsrv\MetaBase.bin
+ 2008-05-29 04:34:41 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_22c.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{477E96FD-D287-435B-82BE-26D75FDB8C40}]
C:\WINDOWS\system32\byXNgGxU.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{cdb0dad8-691e-434d-86cb-aae059f205d2}]
C:\WINDOWS\system32\jyhnmjux.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Steam"="c:\program files\steam\steam.exe" [2008-04-12 20:17 1271032]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-03 22:32 208952]
"PHIME2002ASync"="C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.exe" [2004-08-03 22:32 455168]
"PHIME2002A"="C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.exe" [2004-08-03 22:32 455168]
"SoundMan"="SOUNDMAN.EXE" [2005-08-17 18:39 90112 C:\WINDOWS\soundman.exe]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-12-05 01:41 8523776]
"nwiz"="nwiz.exe" [2007-12-05 01:41 1626112 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-12-05 01:41 81920]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe" [2002-03-18 04:00 188416]
"DAEMON Tools-1033"="C:\Program Files\D-Tools\daemon.exe" [2004-03-12 22:43 81920]
"34eb1b4b"="C:\WINDOWS\system32\bpficqgg.dll" [ ]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wvUoNHwV]
wvUoNHwV.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\EA GAMES\\Battlefield 2\\BF2.exe"=
"C:\\Program Files\\Steam\\steamapps\\yaostao2\\counter-strike source\\hl2.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"C:\\Program Files\\Steam\\steamapps\\yaostao2\\counter-strike\\hl.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=

R0 d346bus;d346bus;C:\WINDOWS\system32\DRIVERS\d346bus.sys [2004-03-12 22:41]
R0 d346prt;d346prt;C:\WINDOWS\system32\Drivers\d346prt.sys [2004-03-12 22:41]
S3 ewdmaudn;ewdmaudn;C:\DOCUME~1\James\LOCALS~1\Temp\ewdmaudn.sys []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - F:\LaunchU3.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{75c37ece-180a-11dd-aee2-00508df7329e}]
\Shell\AutoRun\command - F:\imt8.cmd
\Shell\explore\Command - F:\imt8.cmd
\Shell\open\Command - F:\imt8.cmd

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a22cb481-0902-11dd-bac0-00508df7329e}]
\Shell\AutoRun\command - F:\ocbqsqj.bat
\Shell\explore\Command - F:\ocbqsqj.bat
\Shell\open\Command - F:\ocbqsqj.bat

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{abafae33-098e-11dd-bac6-00508df7329e}]
\Shell\AutoRun\command - F:\vt6e.cmd
\Shell\explore\Command - F:\vt6e.cmd
\Shell\open\Command - F:\vt6e.cmd

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f0c8c2c1-08e4-11dd-babd-00508df7329e}]
\Shell\AutoRun\command - G:\vt6e.cmd
\Shell\explore\Command - G:\vt6e.cmd
\Shell\open\Command - G:\vt6e.cmd

.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-28 21:58:39
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-05-28 21:59:11
ComboFix-quarantined-files.txt 2008-05-29 04:59:09
ComboFix2.txt 2008-05-25 06:01:11
ComboFix3.txt 2008-05-24 21:30:35
ComboFix4.txt 2008-05-24 20:59:15
ComboFix5.txt 2008-05-23 03:36:26

Pre-Run: 44,872,134,656 bytes free
Post-Run: 44,862,369,792 bytes free

182 --- E O F --- 2008-05-17 02:15:57






HIJACK THIS:


Logfile of HijackThis v1.99.1
Scan saved at 10:04:22 PM, on 5/28/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\James\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: (no name) - {477E96FD-D287-435B-82BE-26D75FDB8C40} - C:\WINDOWS\system32\byXNgGxU.dll (file missing)
O2 - BHO: {2d502f95-0eaa-bc68-d434-e1968dad0bdc} - {cdb0dad8-691e-434d-86cb-aae059f205d2} - C:\WINDOWS\system32\jyhnmjux.dll (file missing)
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [34eb1b4b] rundll32.exe "C:\WINDOWS\system32\bpficqgg.dll",b
O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: wvUoNHwV - wvUoNHwV.dll (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

Edited by HumpATree123, 28 May 2008 - 11:04 PM.

Proud Graduate of the WTT Malware Classroom.
If you feel I have helped you, please consider a donation.
Topics will be closed after three days if there is no response.
Please do not PM me for malware removal assistance.

#9 LDTate

LDTate

    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 29 May 2008 - 06:02 AM

Open notepad and copy/paste the text in the Codebox below into it:

File::
C:\yp.bat
C:\sdc.bat
C:\2.cmd
C:\9mf.exe
C:\uqb0julr.bat
C:\ocbqsqj.bat
C:\m.exe
C:\WINDOWS\system32\byXNgGxU.dll
C:\WINDOWS\system32\jyhnmjux.dll
C:\DOCUME~1\James\LOCALS~1\Temp\ewdmaudn.sys
C:\WINDOWS\system32\bpficqgg.dll


RenV::
C:\Documents and Settings\James\Desktop\Pictures\tempoary files\New installs\autoshutdownnew .exe

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{477E96FD-D287-435B-82BE-26D75FDB8C40}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{cdb0dad8-691e-434d-86cb-aae059f205d2}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"34eb1b4b"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wvUoNHwV]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{75c37ece-180a-11dd-aee2-00508df7329e}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a22cb481-0902-11dd-bac0-00508df7329e}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{abafae33-098e-11dd-bac6-00508df7329e}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f0c8c2c1-08e4-11dd-babd-00508df7329e}]

Save this as "CFScript"



Drag CFScript.txt into ComboFix.exe

Then post the results log and a new HijackThis log.


Also please describe how your computer behaves at the moment.

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

 

 

Proud graduate of TC/WTT Classroom

 


#10 NoodleTech

NoodleTech

    Malware Eradicator

  • Visiting Fellow
  • 2,380 posts

Posted 01 June 2008 - 02:12 PM

ComboFix 08-05-28.4 - James 2008-06-01 13:05:23.9 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1722 [GMT -7:00]
Running from: C:\Documents and Settings\James\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\James\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\2.cmd
C:\9mf.exe
C:\DOCUME~1\James\LOCALS~1\Temp\ewdmaudn.sys
C:\m.exe
C:\ocbqsqj.bat
C:\sdc.bat
C:\uqb0julr.bat
C:\WINDOWS\system32\bpficqgg.dll
C:\WINDOWS\system32\byXNgGxU.dll
C:\WINDOWS\system32\jyhnmjux.dll
C:\yp.bat
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\2.cmd
C:\9mf.exe
C:\ocbqsqj.bat
C:\sdc.bat
C:\uqb0julr.bat
C:\yp.bat

.
((((((((((((((((((((((((( Files Created from 2008-05-01 to 2008-06-01 )))))))))))))))))))))))))))))))
.

2008-05-28 22:51 . 2008-04-13 20:31 116,759 -r-hs---- C:\vt6e.cmd
2008-05-25 00:01 . 2008-05-25 00:01 <DIR> d-------- C:\Program Files\dayam NFO Viewer
2008-05-24 23:26 . 2008-05-24 23:26 <DIR> d-------- C:\Program Files\Rockstar Games
2008-05-24 23:26 . 2003-05-23 13:28 1,060,864 --a------ C:\WINDOWS\system32\mfc71.dll
2008-05-17 21:41 . 2008-05-17 21:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avg8
2008-05-17 21:33 . 2008-05-17 21:33 <DIR> d-------- C:\Documents and Settings\James\Application Data\Talkback
2008-05-16 17:50 . 2008-05-16 17:50 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-05-16 17:50 . 2008-05-16 17:50 <DIR> d-------- C:\Documents and Settings\James\Application Data\Malwarebytes
2008-05-16 17:50 . 2008-05-16 17:50 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-05-16 17:50 . 2008-05-05 20:46 27,048 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-05-16 17:50 . 2008-05-05 20:46 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-05-16 16:27 . 2008-05-16 16:27 <DIR> d-------- C:\Program Files\AVG
2008-05-11 15:11 . 2008-05-11 15:11 <DIR> d-------- C:\Program Files\ReflexiveArcade
2008-05-11 15:11 . 2008-05-14 16:45 <DIR> d-------- C:\Program Files\Crimsonland
2008-05-11 14:56 . 2008-05-11 14:56 <DIR> d-------- C:\Program Files\VstPlugins
2008-05-11 14:56 . 2008-05-11 14:56 <DIR> d-------- C:\Program Files\ASIO4ALL v2
2008-05-11 14:56 . 2002-07-07 15:14 1,294,336 --a------ C:\WINDOWS\system32\vorbis.acm
2008-05-11 14:56 . 2006-06-20 01:56 225,280 --a------ C:\WINDOWS\system32\rewire.dll
2008-05-11 14:55 . 2008-05-11 14:55 <DIR> d-------- C:\Program Files\Outsim
2008-05-11 14:54 . 2008-05-11 14:56 <DIR> d-------- C:\Program Files\Image-Line
2008-05-11 12:06 . 2008-05-11 12:06 <DIR> d-------- C:\Program Files\uTorrent
2008-05-11 12:06 . 2008-05-14 16:55 <DIR> d-------- C:\Documents and Settings\James\Application Data\uTorrent
2008-05-09 21:49 . 2008-05-09 21:49 <DIR> d-------- C:\WINDOWS\vocoder
2008-05-02 22:21 . 2001-08-17 13:56 7,552 --a------ C:\WINDOWS\system32\drivers\SONYPVU1.SYS
2008-05-02 22:21 . 2001-08-17 13:56 7,552 --a--c--- C:\WINDOWS\system32\dllcache\sonypvu1.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-01 18:46 --------- d-----w C:\Program Files\Steam
2008-05-25 06:26 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-16 22:53 --------- d-----w C:\Documents and Settings\James\Application Data\foobar2000
2008-05-11 04:26 22,328 ----a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys
2008-05-11 04:24 107,832 ----a-w C:\WINDOWS\system32\PnkBstrB.exe
2008-04-14 00:20 --------- d-----w C:\Program Files\Real Alternative
2008-04-13 20:31 --------- d-----w C:\Program Files\D-Tools
2008-04-13 20:29 717,296 ----a-w C:\WINDOWS\system32\drivers\sptd.sys
2008-04-13 20:17 --------- d-----w C:\Documents and Settings\James\Application Data\dvdcss
2008-04-13 20:16 --------- d-----w C:\Program Files\Handbrake
2008-04-13 19:52 --------- d-----w C:\Program Files\Paint.NET
2008-04-13 19:52 --------- d-----w C:\Program Files\GIMP-2.0
2008-04-13 14:12 66,872 ----a-w C:\WINDOWS\system32\PnkBstrA.exe
2008-04-13 09:30 --------- d-----w C:\Program Files\hp deskjet 5550 series
2008-04-13 09:30 --------- d-----w C:\Program Files\Hewlett-Packard
2008-04-13 04:26 --------- d-----w C:\Program Files\Unlocker
2008-04-13 03:45 --------- d-----w C:\Program Files\EA GAMES
2008-04-13 03:19 --------- d-----w C:\Program Files\Microsoft ActiveSync
2008-04-13 03:16 --------- d-----w C:\Program Files\CCleaner
2008-04-13 03:03 --------- d-----w C:\Program Files\foobar2000
2008-04-13 02:52 --------- d-----w C:\Program Files\Gabest
2008-04-13 02:49 --------- d-----w C:\Program Files\Auto Shutdown
2008-04-13 02:44 --------- d-----w C:\Documents and Settings\James\Application Data\vlc
2008-04-13 02:43 --------- d-----w C:\Program Files\VideoLAN
2008-04-13 02:40 --------- d-----w C:\Documents and Settings\James\Application Data\Media Player Classic
2008-04-13 02:38 --------- d-----w C:\Program Files\ffdshow
2008-04-12 23:19 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-04-12 23:11 --------- d-----w C:\Program Files\Intel
2008-04-12 23:10 --------- d-----w C:\Program Files\Realtek Sound Manager
2008-04-12 23:10 --------- d-----w C:\Program Files\Realtek AC97
2008-04-12 23:10 --------- d-----w C:\Program Files\AvRack
2008-04-12 23:01 --------- d-----w C:\Program Files\microsoft frontpage
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-05 23:03 479,752 ----a-w C:\WINDOWS\system32\XAudio2_0.dll
2008-03-05 23:03 238,088 ----a-w C:\WINDOWS\system32\xactengine3_0.dll
2008-03-05 23:00 25,608 ----a-w C:\WINDOWS\system32\X3DAudio1_3.dll
2008-03-05 22:56 3,786,760 ----a-w C:\WINDOWS\system32\D3DX9_37.dll
2008-03-05 22:56 1,420,824 ----a-w C:\WINDOWS\system32\D3DCompiler_37.dll
2007-09-30 05:55 5,717,248 ----a-w C:\Program Files\Foxit Reader.exe
2006-03-20 22:37 5,689,344 ----a-w C:\Program Files\mplayerc.exe
.

((((((((((((((((((((((((((((( snapshot_2008-05-18_15.59.09.75 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-18 22:29:40 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-01 18:46:37 2,048 --s-a-w C:\WINDOWS\bootstat.dat
- 2000-08-31 15:00:00 73,728 ----a-w C:\WINDOWS\fdsv.exe
+ 2000-08-31 15:00:00 89,504 ----a-w C:\WINDOWS\fdsv.exe
- 2008-05-18 22:30:03 227,959 ----a-w C:\WINDOWS\system32\inetsrv\MetaBase.bin
+ 2008-06-01 18:46:51 227,964 ----a-w C:\WINDOWS\system32\inetsrv\MetaBase.bin
+ 2008-06-01 18:47:00 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_1f8.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Steam"="c:\program files\steam\steam.exe" [2008-04-12 20:17 1271032]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-03 22:32 208952]
"PHIME2002ASync"="C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.exe" [2004-08-03 22:32 455168]
"PHIME2002A"="C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.exe" [2004-08-03 22:32 455168]
"SoundMan"="SOUNDMAN.EXE" [2005-08-17 18:39 90112 C:\WINDOWS\soundman.exe]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-12-05 01:41 8523776]
"nwiz"="nwiz.exe" [2007-12-05 01:41 1626112 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-12-05 01:41 81920]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe" [2002-03-18 04:00 188416]
"DAEMON Tools-1033"="C:\Program Files\D-Tools\daemon.exe" [2004-03-12 22:43 81920]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\EA GAMES\\Battlefield 2\\BF2.exe"=
"C:\\Program Files\\Steam\\steamapps\\yaostao2\\counter-strike source\\hl2.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"C:\\Program Files\\Steam\\steamapps\\yaostao2\\counter-strike\\hl.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=

R0 d346bus;d346bus;C:\WINDOWS\system32\DRIVERS\d346bus.sys [2004-03-12 22:41]
R0 d346prt;d346prt;C:\WINDOWS\system32\Drivers\d346prt.sys [2004-03-12 22:41]
S3 ewdmaudn;ewdmaudn;C:\DOCUME~1\James\LOCALS~1\Temp\ewdmaudn.sys []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - F:\LaunchU3.exe

.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-01 13:06:34
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-06-01 13:07:11
ComboFix-quarantined-files.txt 2008-06-01 20:07:09
ComboFix2.txt 2008-05-30 02:41:16
ComboFix3.txt 2008-05-29 04:59:12
ComboFix4.txt 2008-05-25 06:01:11
ComboFix5.txt 2008-05-24 21:30:35

Pre-Run: 44,711,735,296 bytes free
Post-Run: 44,822,859,776 bytes free

164 --- E O F --- 2008-05-17 02:15:57


Hijack this log:



Logfile of HijackThis v1.99.1
Scan saved at 1:09:12 PM, on 6/1/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe
C:\program files\steam\steam.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\James\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

Ad popups and browser redirects are gone. The computer doesn't lag as much now.

Edited by HumpATree123, 01 June 2008 - 02:14 PM.



#11 LDTate

LDTate

    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 01 June 2008 - 02:20 PM

Open notepad and copy/paste the text in the Codebox below into it:

File::
C:\vt6e.cmd

Save this as "CFScript"



Drag CFScript.txt into ComboFix.exe

Then post a new HijackThis log.


Also please describe how your computer behaves at the moment.


 


#12 NoodleTech

NoodleTech

    Malware Eradicator

  • Visiting Fellow
  • 2,380 posts

Posted 01 June 2008 - 10:22 PM

ComboFix 08-05-28.4 - James 2008-06-01 21:19:16.10 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1720 [GMT -7:00]
Running from: C:\Documents and Settings\James\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\James\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\vt6e.cmd
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\vt6e.cmd

.
((((((((((((((((((((((((( Files Created from 2008-05-02 to 2008-06-02 )))))))))))))))))))))))))))))))
.

2008-05-25 00:01 . 2008-05-25 00:01 <DIR> d-------- C:\Program Files\dayam NFO Viewer
2008-05-24 23:26 . 2008-05-24 23:26 <DIR> d-------- C:\Program Files\Rockstar Games
2008-05-24 23:26 . 2003-05-23 13:28 1,060,864 --a------ C:\WINDOWS\system32\mfc71.dll
2008-05-17 21:41 . 2008-05-17 21:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avg8
2008-05-17 21:33 . 2008-05-17 21:33 <DIR> d-------- C:\Documents and Settings\James\Application Data\Talkback
2008-05-16 17:50 . 2008-05-16 17:50 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-05-16 17:50 . 2008-05-16 17:50 <DIR> d-------- C:\Documents and Settings\James\Application Data\Malwarebytes
2008-05-16 17:50 . 2008-05-16 17:50 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-05-16 17:50 . 2008-05-05 20:46 27,048 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-05-16 17:50 . 2008-05-05 20:46 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-05-16 16:27 . 2008-05-16 16:27 <DIR> d-------- C:\Program Files\AVG
2008-05-11 15:11 . 2008-05-11 15:11 <DIR> d-------- C:\Program Files\ReflexiveArcade
2008-05-11 15:11 . 2008-05-14 16:45 <DIR> d-------- C:\Program Files\Crimsonland
2008-05-11 14:56 . 2008-05-11 14:56 <DIR> d-------- C:\Program Files\VstPlugins
2008-05-11 14:56 . 2008-05-11 14:56 <DIR> d-------- C:\Program Files\ASIO4ALL v2
2008-05-11 14:56 . 2002-07-07 15:14 1,294,336 --a------ C:\WINDOWS\system32\vorbis.acm
2008-05-11 14:56 . 2006-06-20 01:56 225,280 --a------ C:\WINDOWS\system32\rewire.dll
2008-05-11 14:55 . 2008-05-11 14:55 <DIR> d-------- C:\Program Files\Outsim
2008-05-11 14:54 . 2008-05-11 14:56 <DIR> d-------- C:\Program Files\Image-Line
2008-05-11 12:06 . 2008-05-11 12:06 <DIR> d-------- C:\Program Files\uTorrent
2008-05-11 12:06 . 2008-05-14 16:55 <DIR> d-------- C:\Documents and Settings\James\Application Data\uTorrent
2008-05-09 21:49 . 2008-05-09 21:49 <DIR> d-------- C:\WINDOWS\vocoder
2008-05-02 22:21 . 2001-08-17 13:56 7,552 --a------ C:\WINDOWS\system32\drivers\SONYPVU1.SYS
2008-05-02 22:21 . 2001-08-17 13:56 7,552 --a--c--- C:\WINDOWS\system32\dllcache\sonypvu1.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-02 03:43 --------- d-----w C:\Program Files\Steam
2008-05-25 06:26 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-16 22:53 --------- d-----w C:\Documents and Settings\James\Application Data\foobar2000
2008-05-11 04:26 22,328 ----a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys
2008-05-11 04:24 107,832 ----a-w C:\WINDOWS\system32\PnkBstrB.exe
2008-04-14 00:20 --------- d-----w C:\Program Files\Real Alternative
2008-04-13 20:31 --------- d-----w C:\Program Files\D-Tools
2008-04-13 20:29 717,296 ----a-w C:\WINDOWS\system32\drivers\sptd.sys
2008-04-13 20:17 --------- d-----w C:\Documents and Settings\James\Application Data\dvdcss
2008-04-13 20:16 --------- d-----w C:\Program Files\Handbrake
2008-04-13 19:52 --------- d-----w C:\Program Files\Paint.NET
2008-04-13 19:52 --------- d-----w C:\Program Files\GIMP-2.0
2008-04-13 14:12 66,872 ----a-w C:\WINDOWS\system32\PnkBstrA.exe
2008-04-13 09:30 --------- d-----w C:\Program Files\hp deskjet 5550 series
2008-04-13 09:30 --------- d-----w C:\Program Files\Hewlett-Packard
2008-04-13 04:26 --------- d-----w C:\Program Files\Unlocker
2008-04-13 03:45 --------- d-----w C:\Program Files\EA GAMES
2008-04-13 03:19 --------- d-----w C:\Program Files\Microsoft ActiveSync
2008-04-13 03:16 --------- d-----w C:\Program Files\CCleaner
2008-04-13 03:03 --------- d-----w C:\Program Files\foobar2000
2008-04-13 02:52 --------- d-----w C:\Program Files\Gabest
2008-04-13 02:49 --------- d-----w C:\Program Files\Auto Shutdown
2008-04-13 02:44 --------- d-----w C:\Documents and Settings\James\Application Data\vlc
2008-04-13 02:43 --------- d-----w C:\Program Files\VideoLAN
2008-04-13 02:40 --------- d-----w C:\Documents and Settings\James\Application Data\Media Player Classic
2008-04-13 02:38 --------- d-----w C:\Program Files\ffdshow
2008-04-12 23:19 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-04-12 23:11 --------- d-----w C:\Program Files\Intel
2008-04-12 23:10 --------- d-----w C:\Program Files\Realtek Sound Manager
2008-04-12 23:10 --------- d-----w C:\Program Files\Realtek AC97
2008-04-12 23:10 --------- d-----w C:\Program Files\AvRack
2008-04-12 23:01 --------- d-----w C:\Program Files\microsoft frontpage
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-05 23:03 479,752 ----a-w C:\WINDOWS\system32\XAudio2_0.dll
2008-03-05 23:03 238,088 ----a-w C:\WINDOWS\system32\xactengine3_0.dll
2008-03-05 23:00 25,608 ----a-w C:\WINDOWS\system32\X3DAudio1_3.dll
2008-03-05 22:56 3,786,760 ----a-w C:\WINDOWS\system32\D3DX9_37.dll
2008-03-05 22:56 1,420,824 ----a-w C:\WINDOWS\system32\D3DCompiler_37.dll
2007-09-30 05:55 5,717,248 ----a-w C:\Program Files\Foxit Reader.exe
2006-03-20 22:37 5,689,344 ----a-w C:\Program Files\mplayerc.exe
.

((((((((((((((((((((((((((((( snapshot_2008-05-18_15.59.09.75 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-18 22:29:40 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-02 03:43:45 2,048 --s-a-w C:\WINDOWS\bootstat.dat
- 2000-08-31 15:00:00 73,728 ----a-w C:\WINDOWS\fdsv.exe
+ 2000-08-31 15:00:00 89,504 ----a-w C:\WINDOWS\fdsv.exe
- 2008-05-18 22:30:03 227,959 ----a-w C:\WINDOWS\system32\inetsrv\MetaBase.bin
+ 2008-06-02 03:44:00 227,962 ----a-w C:\WINDOWS\system32\inetsrv\MetaBase.bin
+ 2008-06-02 03:44:09 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_19c.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Steam"="c:\program files\steam\steam.exe" [2008-04-12 20:17 1271032]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-03 22:32 208952]
"PHIME2002ASync"="C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.exe" [2004-08-03 22:32 455168]
"PHIME2002A"="C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.exe" [2004-08-03 22:32 455168]
"SoundMan"="SOUNDMAN.EXE" [2005-08-17 18:39 90112 C:\WINDOWS\soundman.exe]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-12-05 01:41 8523776]
"nwiz"="nwiz.exe" [2007-12-05 01:41 1626112 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-12-05 01:41 81920]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe" [2002-03-18 04:00 188416]
"DAEMON Tools-1033"="C:\Program Files\D-Tools\daemon.exe" [2004-03-12 22:43 81920]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\EA GAMES\\Battlefield 2\\BF2.exe"=
"C:\\Program Files\\Steam\\steamapps\\yaostao2\\counter-strike source\\hl2.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"C:\\Program Files\\Steam\\steamapps\\yaostao2\\counter-strike\\hl.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=

R0 d346bus;d346bus;C:\WINDOWS\system32\DRIVERS\d346bus.sys [2004-03-12 22:41]
R0 d346prt;d346prt;C:\WINDOWS\system32\Drivers\d346prt.sys [2004-03-12 22:41]
S3 ewdmaudn;ewdmaudn;C:\DOCUME~1\James\LOCALS~1\Temp\ewdmaudn.sys []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - F:\LaunchU3.exe

.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-01 21:20:23
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-06-01 21:20:57
ComboFix-quarantined-files.txt 2008-06-02 04:20:55
ComboFix2.txt 2008-06-01 20:07:12
ComboFix3.txt 2008-05-30 02:41:16
ComboFix4.txt 2008-05-29 04:59:12
ComboFix5.txt 2008-05-25 06:01:11

Pre-Run: 44,833,751,040 bytes free
Post-Run: 44,821,901,312 bytes free

148 --- E O F --- 2008-05-17 02:15:57


Hijack this:


Logfile of HijackThis v1.99.1
Scan saved at 9:22:58 PM, on 6/1/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SOUNDMAN.EXE

C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe
C:\program files\steam\steam.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe

C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\James\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
Proud Graduate of the WTT Malware Classroom.
If you feel I have helped you, please consider a donation.
Topics will be closed after three days if there is no response.
Please do not PM me for malware removal assistance.

#13 LDTate

LDTate

    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 02 June 2008 - 06:02 AM

Did you disable your anti-virus program?

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

 

 

Proud graduate of TC/WTT Classroom

 


#14 NoodleTech

NoodleTech

    Malware Eradicator

  • Visiting Fellow
  • 2,380 posts

Posted 03 June 2008 - 07:53 PM

I uninstalled it.

#15 LDTate

LDTate

    Grand Poobah

  • Root Admin
  • 57,211 posts

Posted 04 June 2008 - 02:05 PM

You have to have an anti-virus program running.

Click the link, Download Now and Save, Install, Update and run a full scan.

Avira AntiVir Personal - FREE Antivirus
http://www.free-av.c..._antivirus.html
