[Resolved] need help with virtumonde.exe


13 replies to this topic

#1 crazywednesday

New Member, 7 posts

Posted 19 May 2008 - 10:09 PM

I am looking for assistance in getting rid of this nasty virus. Here is my hijackthis log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:02:02 PM, on 5/19/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Common Files\Logitech\Bluetooth\LBTSERV.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\IoctlSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\system32\HotfixQ0306270.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Logitech\SetPoint\LBTWiz.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\wscntfy.exe
C:\FredFlinstone.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {1DD2B793-883A-4637-9EAD-C4B049CF07AF} - C:\WINDOWS\system32\wvUkHAtu.dll (file missing)
O2 - BHO: (no name) - {3AC3DFDD-2CBD-47DC-8F1F-A8C89BA601B3} - C:\WINDOWS\system32\opnomllJ.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {A7E81B89-DF38-40C8-A767-6FBECB65B862} - C:\WINDOWS\system32\byXQHbAQ.dll
O2 - BHO: (no name) - {C55F2A52-31EC-49BB-8876-AA0D55F4D182} - C:\WINDOWS\system32\nnnoMDUm.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [PLFFAP] C:\WINDOWS\system32\HotfixQ0306270.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Bluetooth Connection Assistant] LBTWIZ.EXE -silent
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [BMcbba19da] Rundll32.exe "C:\WINDOWS\system32\gyoadpok.dll",s
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {02ECD07A-22D0-4AF0-BA0A-3F6B06086D08} (GamesCampus Control) - http://fishingchamp....GamesCampus.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplane...C_2.3.6.108.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail....es/MSNPUpld.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.r...ip/RdxIE601.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1170861176296
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1170861150437
O16 - DPF: {85D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin class) - http://secure2.comne...login-devel.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.h.../qdiagh.cab?326
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/...s/msnchat45.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{31A26BB4-45F3-4C91-969B-AE59E64BED47}: NameServer = 68.87.69.146,68.87.85.98
O20 - Winlogon Notify: byXQHbAQ - C:\WINDOWS\SYSTEM32\byXQHbAQ.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logitech\Bluetooth\LBTSERV.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\WINDOWS\system32\IoctlSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

--
End of file - 8061 bytes


Thank you for your reply
Justin
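As an added example (not code from the thread or from HijackThis), a small Python triage pass over a subset of the O2/O4/O20 lines from the log above. It flags unnamed BHOs, Run entries that load a DLL through rundll32, and Winlogon Notify entries whose DLL is a random eight-letter name under system32, which is the pattern the helper's fix list goes after later in this thread. The eight-letter heuristic and the finding labels are assumptions of this example.

```python
"""Triage a HijackThis v2 log for Vundo/Virtumonde-style persistence entries (added example)."""
import ntpath
import re
from dataclasses import dataclass

# Constructed sample: a subset of the O2/O4/O20 lines from the HijackThis log above.
SAMPLE_HJT = r"""
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {1DD2B793-883A-4637-9EAD-C4B049CF07AF} - C:\WINDOWS\system32\wvUkHAtu.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {A7E81B89-DF38-40C8-A767-6FBECB65B862} - C:\WINDOWS\system32\byXQHbAQ.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [BMcbba19da] Rundll32.exe "C:\WINDOWS\system32\gyoadpok.dll",s
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O20 - Winlogon Notify: byXQHbAQ - C:\WINDOWS\SYSTEM32\byXQHbAQ.dll
"""

BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")
RUN_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\Run: \[(?P<key>[^\]]*)\] (?P<cmd>.*)$")
NOTIFY_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.*)$")
# Heuristic (an assumption of this example): eight random letters, as in byXQHbAQ or gyoadpok.
RANDOM_STEM = re.compile(r"[A-Za-z]{8}")


@dataclass
class Finding:
    entry: str    # HijackThis section: O2, O4 or O20
    path: str
    reason: str


def random_system32_dll(path: str) -> bool:
    """True for <eight letters>.dll located under a system32 directory."""
    stem, ext = ntpath.splitext(ntpath.basename(path.strip('"')))
    return ext.lower() == ".dll" and "system32" in path.lower() and bool(RANDOM_STEM.fullmatch(stem))


def rundll32_target(cmd: str):
    """Return the DLL a rundll32 command line loads, or None if the command is not rundll32."""
    exe, _, rest = cmd.strip().partition(" ")
    if not exe.lower().endswith("rundll32.exe"):
        return None
    rest = rest.strip()
    if rest.startswith('"'):                       # quoted path: up to the closing quote
        return rest[1:rest.index('"', 1)]
    return rest.split(",", 1)[0].split(" ", 1)[0]  # unquoted: up to ",EntryPoint" or a space


def triage(log_text: str) -> list:
    """Walk the log once and collect the entries worth a human's attention."""
    findings = []
    for line in log_text.strip().splitlines():
        if m := BHO_RE.match(line):
            name, path = m["name"], m["path"].replace(" (file missing)", "")
            missing = m["path"].endswith("(file missing)")
            if name == "(no name)" and path == "(no file)":
                findings.append(Finding("O2", path, "stale BHO registration with no file"))
            elif name == "(no name)" and random_system32_dll(path):
                why = "unnamed BHO loading a random-named DLL" + (" (file missing)" if missing else "")
                findings.append(Finding("O2", path, why))
        elif m := RUN_RE.match(line):
            target = rundll32_target(m["cmd"])
            if target and random_system32_dll(target):
                findings.append(Finding("O4", target, f"Run key [{m['key']}] loads a random-named DLL via rundll32"))
        elif m := NOTIFY_RE.match(line):
            if random_system32_dll(m["path"]):
                findings.append(Finding("O20", m["path"], "random-named Winlogon Notify DLL (runs inside winlogon.exe)"))
    return findings


def live_dll_paths(findings) -> set:
    """Distinct DLLs still on disk, lower-cased because NTFS paths are case-insensitive."""
    return {f.path.lower() for f in findings
            if f.path.lower().endswith(".dll") and "(file missing)" not in f.reason}
```

The O20 hit matters most: a Winlogon Notify DLL is loaded by winlogon.exe itself, which is why the ComboFix log later in the thread lists byXQHbAQ.dll under that process and why a plain file delete will not remove it.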



#2 Rorschach112

Teacher Emeritus, Authentic Member, 3,651 posts

Posted 20 May 2008 - 09:17 AM

Hello

Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only.
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browser:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.




Please visit this web page for instructions for downloading and running ComboFix

http://www.bleepingc...to-use-combofix

This includes installing the Windows XP Recovery Console in case you have not installed it yet.

For more information on the Windows XP Recovery Console read http://support.microsoft.com/kb/314058.

Once you install the Recovery Console, when you reboot your computer, you'll see the option for the Recovery Console now as well. Don't select Recovery Console as we don't need it. By default, your main OS is selected there. The screen stays for 2 seconds and then it proceeds to load Windows. That is normal.

Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.

#3 crazywednesday

New Member, 7 posts

Posted 20 May 2008 - 10:09 PM

Followed all the instructions to the "T". Here are the log files.

ComboFix 08-05-20.1 - Justin 2008-05-20 21:01:20.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1591 [GMT -7:00]
Running from: C:\ComboFix.exe
Command switches used :: C:\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\cookies.ini
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\huihefnp.ini
C:\WINDOWS\system32\Jllmonpo.ini
C:\WINDOWS\system32\Jllmonpo.ini2
C:\WINDOWS\system32\launcher.exe
C:\WINDOWS\system32\lwrutimp.ini
C:\WINDOWS\system32\MSINET.oca
C:\WINDOWS\system32\mUDMonnn.ini
C:\WINDOWS\system32\mUDMonnn.ini2
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\pncmbkoi.ini
C:\WINDOWS\system32\ryafjbxl.ini
C:\WINDOWS\system32\SsBKlnpo.ini
C:\WINDOWS\system32\SsBKlnpo.ini2
C:\WINDOWS\system32\utAHkUvw.ini
C:\WINDOWS\system32\utAHkUvw.ini2
C:\WINDOWS\system32\xmqdpeoy.ini

.
((((((((((((((((((((((((( Files Created from 2008-04-21 to 2008-05-21 )))))))))))))))))))))))))))))))
.

2008-05-20 15:12 . 2008-05-20 15:12 1,819,563 --a------ C:\ComboFix.exe
2008-05-20 15:09 . 2008-05-20 15:14 4,614,888 --a------ C:\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
2008-05-20 15:03 . 2008-05-20 15:03 50,688 --a------ C:\ATF-Cleaner.exe
2008-05-19 21:00 . 2008-05-19 14:10 401,720 --a------ C:\FredFlinstone.exe
2008-05-11 21:01 . 2008-05-11 21:01 94,720 --a------ C:\WINDOWS\system32\yoepdqmx.dll
2008-05-11 20:59 . 2008-05-11 20:59 117,248 --a------ C:\WINDOWS\system32\nsxnaicr.dll
2008-05-11 20:59 . 2008-05-11 20:59 109,056 --a------ C:\WINDOWS\system32\gyoadpok.dll
2008-05-11 20:58 . 2008-05-11 20:58 371,200 --a------ C:\WINDOWS\system32\nnnoMDUm.dll
2008-05-11 13:27 . 2008-05-11 13:27 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\AVG7
2008-05-11 13:26 . 2008-05-11 13:26 <DIR> d-------- C:\Documents and Settings\Administrator
2008-05-10 17:51 . 2008-05-10 17:51 116,736 --a------ C:\WINDOWS\system32\cdwltyky.dll
2008-05-10 17:48 . 2008-05-10 17:48 94,720 --a------ C:\WINDOWS\system32\pmiturwl.dll
2008-05-10 17:43 . 2008-05-10 17:43 110,080 --a------ C:\WINDOWS\system32\dmpbahdy.dll
2008-05-10 15:28 . 2008-05-10 15:28 0 --a------ C:\WINDOWS\nsreg.dat
2008-05-10 14:30 . 2008-05-10 14:30 94,720 --a------ C:\WINDOWS\system32\pnfehiuh.dll
2008-05-10 14:27 . 2008-05-10 14:27 116,736 --a------ C:\WINDOWS\system32\admhiwml.dll
2008-05-10 14:22 . 2008-05-10 14:22 110,080 --a------ C:\WINDOWS\system32\mrvnucau.dll
2008-05-10 13:13 . 2008-05-11 15:22 326 --a------ C:\WINDOWS\wininit.ini
2008-05-10 11:43 . 2008-05-10 11:41 691,545 --a------ C:\WINDOWS\unins000.exe
2008-05-10 11:43 . 2008-05-10 11:43 2,542 --a------ C:\WINDOWS\unins000.dat
2008-05-10 11:39 . 2008-05-10 11:39 <DIR> d-------- C:\WINDOWS\SxsCaPendDel
2008-05-10 04:08 . 2008-05-10 04:08 94,720 --a------ C:\WINDOWS\system32\lxbjfayr.dll
2008-05-10 04:02 . 2008-05-10 04:02 116,736 --a------ C:\WINDOWS\system32\suosriju.dll
2008-05-10 03:59 . 2008-05-10 03:59 110,080 --a------ C:\WINDOWS\system32\xqyyyovk.dll
2008-05-09 21:00 . 2008-05-09 21:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-05-09 03:59 . 2008-05-09 03:59 116,736 --a------ C:\WINDOWS\system32\napwlwpj.dll
2008-05-09 03:58 . 2008-05-20 21:04 109,803 --a------ C:\WINDOWS\BMcbba19da.xml
2008-05-09 03:58 . 2008-05-09 03:58 109,056 --a------ C:\WINDOWS\system32\jvkpjdir.dll
2008-05-08 19:22 . 2008-05-08 19:22 <DIR> d-------- C:\Program Files\Western Digital Technologies
2008-05-08 15:50 . 2008-05-08 15:51 <DIR> d-------- C:\WINDOWS\system32\bkEur05
2008-05-08 15:50 . 2008-05-08 15:50 <DIR> d-------- C:\Temp\maxsv15
2008-05-08 15:50 . 2008-05-08 15:50 28,672 --a------ C:\WINDOWS\system32\byXQHbAQ.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-21 04:04 108,628,000 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat
2008-05-21 04:02 1,278,188 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
2008-05-11 21:58 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-11 20:22 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-05-11 20:22 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-05-11 15:00 --------- d-----w C:\Documents and Settings\LocalService\Application Data\AVG7
2008-05-10 04:00 --------- d-----w C:\Program Files\Lavasoft
2008-05-10 04:00 --------- d-----w C:\Documents and Settings\Justin\Application Data\Lavasoft
2008-05-10 03:51 --------- d-----w C:\Documents and Settings\Justin\Application Data\AVG7
2008-05-03 00:27 --------- d-----w C:\Documents and Settings\Justin\Application Data\uTorrent
2008-03-23 02:29 --------- d-----w C:\Documents and Settings\Justin\Application Data\Intuit
2008-03-23 02:23 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-23 02:21 --------- d-----w C:\Program Files\Common Files\Intuit
2008-03-23 02:16 --------- d-----w C:\Program Files\TurboTax
2008-02-27 14:05 6,725,516 ----a-w C:\WINDOWS\Internet Logs\tvDebug.zip
2007-12-31 04:27 87,608 ----a-w C:\Documents and Settings\Justin\Application Data\inst.exe
2007-12-31 04:27 47,360 ----a-w C:\Documents and Settings\Justin\Application Data\pcouffin.sys
2007-07-22 04:47 24,896 ----a-w C:\Documents and Settings\Justin\Application Data\GDIPFONTCACHEV1.DAT
2005-11-22 01:58 1,196,121 ----a-w C:\Documents and Settings\Justin\EverQuest.exe
2005-11-22 01:57 307,200 ----a-w C:\Documents and Settings\Justin\OptionsEditor.exe
2005-11-22 01:50 349,696 ----a-w C:\Documents and Settings\Justin\mss32.dll
2005-11-22 01:42 950,272 ----a-w C:\Documents and Settings\Justin\eqmain.dll
2005-11-22 01:42 3,969,024 ----a-w C:\Documents and Settings\Justin\eqgame.exe
2005-11-22 01:41 133,120 ----a-w C:\Documents and Settings\Justin\dpvs.dll
2005-11-22 01:40 60,416 ----a-w C:\Documents and Settings\Justin\DSETUP.dll
2005-11-22 01:40 2,310,144 ----a-w C:\Documents and Settings\Justin\EQGraphicsDX9.dll
2005-11-01 06:40 557,568 ----a-w C:\Documents and Settings\Justin\EscapeToNorrath.exe
2005-10-19 05:43 56 -csha-r C:\WINDOWS\system32\33BD705E36.sys
2005-10-19 05:43 3,350 -csha-w C:\WINDOWS\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{01F63716-4397-4159-B6E1-9713D9029C98}]
2008-05-11 20:58 371200 --a------ C:\WINDOWS\system32\nnnoMDUm.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1DD2B793-883A-4637-9EAD-C4B049CF07AF}]
C:\WINDOWS\system32\wvUkHAtu.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3AC3DFDD-2CBD-47DC-8F1F-A8C89BA601B3}]
C:\WINDOWS\system32\opnomllJ.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A7E81B89-DF38-40C8-A767-6FBECB65B862}]
2008-05-08 15:50 28672 --a------ C:\WINDOWS\system32\byXQHbAQ.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [2008-04-15 08:18 579584]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-09-21 04:10 55824 C:\WINDOWS\KHALMNPR.Exe]
"PLFFAP"="C:\WINDOWS\system32\HotfixQ0306270.exe" [2003-08-05 10:43 45056]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-11-14 17:05 919016]
"Bluetooth Connection Assistant"="LBTWIZ.exe" []
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-06-01 17:22 7618560]
"BMcbba19da"="C:\WINDOWS\system32\gyoadpok.dll" [2008-05-11 20:59 109056]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe" [2007-10-24 08:19 219136]

C:\Documents and Settings\Justin\Start Menu\Programs\Startup\
PowerReg Scheduler V3.exe [2008-03-11 00:00:26 225280]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [2008-04-23 20:26:56 784912]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{A7E81B89-DF38-40C8-A767-6FBECB65B862}"= C:\WINDOWS\system32\byXQHbAQ.dll [2008-05-08 15:50 28672]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\byXQHbAQ]
byXQHbAQ.dll 2008-05-08 15:50 28672 C:\WINDOWS\system32\byXQHbAQ.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
c:\program files\common files\logitech\bluetooth\LBTWlgn.dll 2007-11-15 10:10 72208 c:\Program Files\Common Files\Logitech\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"MSVideo"= ucdvfw.dll
"VIDC.YV12"= xl_yv12.dll
"VIDC.XJPG"= camfc.dll
"MSACM.CEGSM"= mobilev.acm

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2005-10-02 12:16 155648 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=

R3 PLFF;USB Flash Disk Driver;C:\WINDOWS\system32\Drivers\PLFF.sys [2003-10-06 11:29]
S3 FA312;NETGEAR FA330/FA312/FA311 Fast Ethernet Adapter Driver;C:\WINDOWS\system32\DRIVERS\FA312nd5.sys [2001-08-17 13:12]
S3 PacketNTx;Packet helper driver;C:\WINDOWS\system32\drivers\PacketNTx.sys [2002-01-22 15:13]
S3 Wdm1;PL-2303X OnlyUSB Driver;C:\WINDOWS\system32\Drivers\USBSERVH.sys [2004-04-29 19:12]
S3 XIRLINK;Veo Mobile/Advanced Web Camera;C:\WINDOWS\system32\DRIVERS\ucdnt.sys [2004-01-26 21:42]

.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-20 21:04:40
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\byXQHbAQ.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Common Files\Logitech\Bluetooth\LBTServ.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\IoctlSvc.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\wltrysvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\bcmwltry.exe
C:\Program Files\Logitech\SetPoint\LBTWiz.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.exe
C:\WINDOWS\system32\verclsid.exe
.
**************************************************************************
.
Completion time: 2008-05-20 21:05:48 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-21 04:05:43

Pre-Run: 41,130,049,536 bytes free
Post-Run: 41,006,387,200 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

203





Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:07:56 PM, on 5/20/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Common Files\Logitech\Bluetooth\LBTSERV.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\IoctlSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\system32\HotfixQ0306270.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Logitech\SetPoint\LBTWiz.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\rundll32.exe
C:\FredFlinstone.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {1DD2B793-883A-4637-9EAD-C4B049CF07AF} - C:\WINDOWS\system32\wvUkHAtu.dll (file missing)
O2 - BHO: (no name) - {24CD35D8-D9F5-4BE7-AF0D-7284D1B02952} - C:\WINDOWS\system32\nnnoMDUm.dll
O2 - BHO: (no name) - {3AC3DFDD-2CBD-47DC-8F1F-A8C89BA601B3} - C:\WINDOWS\system32\opnomllJ.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {A7E81B89-DF38-40C8-A767-6FBECB65B862} - C:\WINDOWS\system32\byXQHbAQ.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [PLFFAP] C:\WINDOWS\system32\HotfixQ0306270.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Bluetooth Connection Assistant] LBTWIZ.EXE -silent
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [BMcbba19da] Rundll32.exe "C:\WINDOWS\system32\gyoadpok.dll",s
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {02ECD07A-22D0-4AF0-BA0A-3F6B06086D08} (GamesCampus Control) - http://fishingchamp....GamesCampus.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplane...C_2.3.6.108.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail....es/MSNPUpld.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.r...ip/RdxIE601.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1170861176296
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1170861150437
O16 - DPF: {85D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin class) - http://secure2.comne...login-devel.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.h.../qdiagh.cab?326
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/...s/msnchat45.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{31A26BB4-45F3-4C91-969B-AE59E64BED47}: NameServer = 68.87.69.146,68.87.85.98
O20 - Winlogon Notify: byXQHbAQ - C:\WINDOWS\SYSTEM32\byXQHbAQ.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logitech\Bluetooth\LBTSERV.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\WINDOWS\system32\IoctlSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

--
End of file - 8509 bytes


Thanks

Justin

#4 Rorschach112

Teacher Emeritus, Authentic Member, 3,651 posts

Posted 21 May 2008 - 04:33 AM

Hello

1. Close any open browsers.

2. Open notepad and copy/paste the text in the quotebox below into it:

File::
C:\WINDOWS\system32\yoepdqmx.dll
C:\WINDOWS\system32\nsxnaicr.dll
C:\WINDOWS\system32\gyoadpok.dll
C:\WINDOWS\system32\nnnoMDUm.dll
C:\WINDOWS\system32\cdwltyky.dll
C:\WINDOWS\system32\pmiturwl.dll
C:\WINDOWS\system32\dmpbahdy.dll
C:\WINDOWS\system32\pnfehiuh.dll
C:\WINDOWS\system32\admhiwml.dll
C:\WINDOWS\system32\mrvnucau.dll
C:\WINDOWS\system32\lxbjfayr.dll
C:\WINDOWS\system32\suosriju.dll
C:\WINDOWS\system32\xqyyyovk.dll
C:\WINDOWS\system32\napwlwpj.dll
C:\WINDOWS\BMcbba19da.xml
C:\WINDOWS\system32\jvkpjdir.dll
C:\WINDOWS\system32\byXQHbAQ.dll

Folder::
C:\WINDOWS\system32\bkEur05
C:\Temp\maxsv15

Registry::
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{A7E81B89-DF38-40C8-A767-6FBECB65B862}"=-

Driver::


Save this as CFScript.txt, in the same location as ComboFix.exe



Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at "C:\ComboFix.txt"

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall



Also post a new HijackThis log

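The CFScript layout used in the post above (File::, Folder::, Registry:: and Driver:: headers, with a REGEDIT4 fragment under Registry:: in which a value line ending in =- deletes that value and a key written as [-HKEY...] deletes the key) is simple enough to check mechanically before it is dropped onto a cleanup tool. The following is an added example and not code from this thread or from ComboFix: a Python parser for that layout that also refuses relative paths and a handful of core Windows binaries, so a typo in a file list cannot take out winlogon.exe. The sample script is assembled from paths already posted in this thread; the PROTECTED set, the treatment of Driver:: lines as plain names and all function names are my own assumptions.

```python
import re
from dataclasses import dataclass, field

# Constructed sample in the CFScript layout from this thread (paths copied from
# the posted script; the Driver:: section is left empty as it was in the post).
SAMPLE_SCRIPT = r"""
File::
C:\WINDOWS\system32\yoepdqmx.dll
C:\WINDOWS\BMcbba19da.xml

Folder::
C:\WINDOWS\system32\bkEur05
C:\Temp\maxsv15

Registry::
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{A7E81B89-DF38-40C8-A767-6FBECB65B862}"=-

Driver::
"""

SECTIONS = {"File::": "files", "Folder::": "folders", "Registry::": "registry", "Driver::": "drivers"}
HIVES = {"hkey_local_machine", "hkey_current_user", "hkey_users", "hkey_classes_root",
         "hklm", "hkcu", "hku", "hkcr"}
# Assumed deny-list: deleting any of these leaves the machine unbootable or unusable.
PROTECTED = {
    r"c:\windows\explorer.exe",
    r"c:\windows\system32\winlogon.exe",
    r"c:\windows\system32\userinit.exe",
    r"c:\windows\system32\ntoskrnl.exe",
}
ABS_PATH_RE = re.compile(r'^[A-Za-z]:\\[^*?"<>|]+$')   # drive-rooted, no wildcards
VALUE_RE = re.compile(r'^"([^"]*)"=(.*)$')              # REGEDIT4 "name"=data line


@dataclass
class RegOp:
    key: str
    action: str          # "delete_key", "delete_value" or "set_value"
    name: str = ""
    data: str = ""


@dataclass
class Script:
    files: list = field(default_factory=list)
    folders: list = field(default_factory=list)
    registry: list = field(default_factory=list)
    drivers: list = field(default_factory=list)     # treated as plain names (assumption)
    problems: list = field(default_factory=list)


def parse_cfscript(text: str) -> Script:
    """Parse a CFScript; anything unsafe or malformed lands in script.problems."""
    script = Script()
    section = None
    key = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if line in SECTIONS:
            section, key = SECTIONS[line], None
            continue
        if section is None:
            script.problems.append(f"line {lineno}: text before any section header")
        elif section in ("files", "folders"):
            if not ABS_PATH_RE.match(line):
                script.problems.append(f"line {lineno}: not an absolute path: {line}")
            elif line.lower() in PROTECTED:
                script.problems.append(f"line {lineno}: refusing core Windows file: {line}")
            else:
                getattr(script, section).append(line)
        elif section == "drivers":
            script.drivers.append(line)
        elif line.startswith("[") and line.endswith("]"):
            # REGEDIT4 key header; a leading "-" inside the brackets deletes the key.
            key = line[1:-1]
            delete = key.startswith("-")
            hive = key.lstrip("-").split("\\", 1)[0].lower()
            if hive not in HIVES:
                script.problems.append(f"line {lineno}: unknown hive in {line}")
                key = None
            elif delete:
                script.registry.append(RegOp(key[1:], "delete_key"))
                key = None
        else:
            m = VALUE_RE.match(line)
            if key is None or not m:
                script.problems.append(f"line {lineno}: registry line outside a key or malformed: {line}")
                continue
            name, data = m.groups()
            if data == "-":                     # "name"=- removes the value
                script.registry.append(RegOp(key, "delete_value", name))
            else:
                script.registry.append(RegOp(key, "set_value", name, data))
    return script


if __name__ == "__main__":
    s = parse_cfscript(SAMPLE_SCRIPT)
    print(f"{len(s.files)} files, {len(s.folders)} folders, {len(s.registry)} registry ops")
    for p in s.problems:
        print("PROBLEM:", p)
```

Run it on a script before use and treat a non-empty problems list as a stop; the ShellExecuteHooks entry in the sample parses as a single delete_value operation, which is what the posted script intends.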
#5 crazywednesday (New Member, 7 posts)

Posted 21 May 2008 - 10:17 AM

Here is the new combofix and hijack log files

ComboFix 08-05-20.1 - Justin 2008-05-21 8:21:50.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1593 [GMT -7:00]
Running from: C:\ComboFix.exe
Command switches used :: F:\CFScript.txt
* Created a new restore point

FILE ::
C:\WINDOWS\BMcbba19da.xml
C:\WINDOWS\system32\admhiwml.dll
C:\WINDOWS\system32\byXQHbAQ.dll
C:\WINDOWS\system32\cdwltyky.dll
C:\WINDOWS\system32\dmpbahdy.dll
C:\WINDOWS\system32\gyoadpok.dll
C:\WINDOWS\system32\jvkpjdir.dll
C:\WINDOWS\system32\lxbjfayr.dll
C:\WINDOWS\system32\mrvnucau.dll
C:\WINDOWS\system32\napwlwpj.dll
C:\WINDOWS\system32\nnnoMDUm.dll
C:\WINDOWS\system32\nsxnaicr.dll
C:\WINDOWS\system32\pmiturwl.dll
C:\WINDOWS\system32\pnfehiuh.dll
C:\WINDOWS\system32\suosriju.dll
C:\WINDOWS\system32\xqyyyovk.dll
C:\WINDOWS\system32\yoepdqmx.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Justin\Application Data\inst.exe
C:\Temp\maxsv15
C:\WINDOWS\BMcbba19da.xml
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\admhiwml.dll
C:\WINDOWS\system32\bkEur05
C:\WINDOWS\system32\byXQHbAQ.dll
C:\WINDOWS\system32\cdwltyky.dll
C:\WINDOWS\system32\dmpbahdy.dll
C:\WINDOWS\system32\gyoadpok.dll
C:\WINDOWS\system32\jvkpjdir.dll
C:\WINDOWS\system32\lxbjfayr.dll
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\mrvnucau.dll
C:\WINDOWS\system32\mUDMonnn.ini
C:\WINDOWS\system32\mUDMonnn.ini2
C:\WINDOWS\system32\napwlwpj.dll
C:\WINDOWS\system32\nnnoMDUm.dll
C:\WINDOWS\system32\nsxnaicr.dll
C:\WINDOWS\system32\pmiturwl.dll
C:\WINDOWS\system32\pnfehiuh.dll
C:\WINDOWS\system32\suosriju.dll
C:\WINDOWS\system32\xqyyyovk.dll
C:\WINDOWS\system32\yoepdqmx.dll

.
((((((((((((((((((((((((( Files Created from 2008-04-21 to 2008-05-21 )))))))))))))))))))))))))))))))
.

2008-05-21 08:17 . 2008-05-21 08:17 109,056 --a------ C:\WINDOWS\system32\weunrlab.dll
2008-05-20 15:12 . 2008-05-20 15:12 1,819,563 --a------ C:\ComboFix.exe
2008-05-20 15:09 . 2008-05-20 15:14 4,614,888 --a------ C:\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
2008-05-20 15:03 . 2008-05-20 15:03 50,688 --a------ C:\ATF-Cleaner.exe
2008-05-19 21:00 . 2008-05-19 14:10 401,720 --a------ C:\FredFlinstone.exe
2008-05-11 13:27 . 2008-05-11 13:27 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\AVG7
2008-05-11 13:26 . 2008-05-11 13:26 <DIR> d-------- C:\Documents and Settings\Administrator
2008-05-10 15:28 . 2008-05-10 15:28 0 --a------ C:\WINDOWS\nsreg.dat
2008-05-10 13:13 . 2008-05-11 15:22 326 --a------ C:\WINDOWS\wininit.ini
2008-05-10 11:43 . 2008-05-10 11:41 691,545 --a------ C:\WINDOWS\unins000.exe
2008-05-10 11:43 . 2008-05-10 11:43 2,542 --a------ C:\WINDOWS\unins000.dat
2008-05-10 11:39 . 2008-05-10 11:39 <DIR> d-------- C:\WINDOWS\SxsCaPendDel
2008-05-09 21:00 . 2008-05-09 21:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-05-08 19:22 . 2008-05-08 19:22 <DIR> d-------- C:\Program Files\Western Digital Technologies

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-21 15:27 108,681,248 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat
2008-05-21 15:26 1,278,812 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
2008-05-21 04:09 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-05-21 04:09 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-11 20:22 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-05-11 15:00 --------- d-----w C:\Documents and Settings\LocalService\Application Data\AVG7
2008-05-10 04:00 --------- d-----w C:\Program Files\Lavasoft
2008-05-10 04:00 --------- d-----w C:\Documents and Settings\Justin\Application Data\Lavasoft
2008-05-10 03:51 --------- d-----w C:\Documents and Settings\Justin\Application Data\AVG7
2008-05-03 00:27 --------- d-----w C:\Documents and Settings\Justin\Application Data\uTorrent
2008-03-23 02:29 --------- d-----w C:\Documents and Settings\Justin\Application Data\Intuit
2008-03-23 02:23 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-23 02:21 --------- d-----w C:\Program Files\Common Files\Intuit
2008-03-23 02:16 --------- d-----w C:\Program Files\TurboTax
2008-02-27 14:05 6,725,516 ----a-w C:\WINDOWS\Internet Logs\tvDebug.zip
2007-12-31 04:27 47,360 ----a-w C:\Documents and Settings\Justin\Application Data\pcouffin.sys
2007-07-22 04:47 24,896 ----a-w C:\Documents and Settings\Justin\Application Data\GDIPFONTCACHEV1.DAT
2005-11-22 01:58 1,196,121 ----a-w C:\Documents and Settings\Justin\EverQuest.exe
2005-11-22 01:57 307,200 ----a-w C:\Documents and Settings\Justin\OptionsEditor.exe
2005-11-22 01:50 349,696 ----a-w C:\Documents and Settings\Justin\mss32.dll
2005-11-22 01:42 950,272 ----a-w C:\Documents and Settings\Justin\eqmain.dll
2005-11-22 01:42 3,969,024 ----a-w C:\Documents and Settings\Justin\eqgame.exe
2005-11-22 01:41 133,120 ----a-w C:\Documents and Settings\Justin\dpvs.dll
2005-11-22 01:40 60,416 ----a-w C:\Documents and Settings\Justin\DSETUP.dll
2005-11-22 01:40 2,310,144 ----a-w C:\Documents and Settings\Justin\EQGraphicsDX9.dll
2005-11-01 06:40 557,568 ----a-w C:\Documents and Settings\Justin\EscapeToNorrath.exe
2005-10-19 05:43 56 -csha-r C:\WINDOWS\system32\33BD705E36.sys
2005-10-19 05:43 3,350 -csha-w C:\WINDOWS\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((( snapshot@2008-05-20_21.05.25.17 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-21 04:03:57 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-21 15:27:09 2,048 --s-a-w C:\WINDOWS\bootstat.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1DD2B793-883A-4637-9EAD-C4B049CF07AF}]
C:\WINDOWS\system32\wvUkHAtu.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3AC3DFDD-2CBD-47DC-8F1F-A8C89BA601B3}]
C:\WINDOWS\system32\opnomllJ.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [2008-04-15 08:18 579584]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-09-21 04:10 55824 C:\WINDOWS\KHALMNPR.Exe]
"PLFFAP"="C:\WINDOWS\system32\HotfixQ0306270.exe" [2003-08-05 10:43 45056]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-11-14 17:05 919016]
"Bluetooth Connection Assistant"="LBTWIZ.exe" []
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-06-01 17:22 7618560]
"BMcbba19da"="C:\WINDOWS\system32\weunrlab.dll" [2008-05-21 08:17 109056]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe" [2007-10-24 08:19 219136]

C:\Documents and Settings\Justin\Start Menu\Programs\Startup\
PowerReg Scheduler V3.exe [2008-03-11 00:00:26 225280]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [2008-04-23 20:26:56 784912]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\byXQHbAQ]
byXQHbAQ.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
c:\program files\common files\logitech\bluetooth\LBTWlgn.dll 2007-11-15 10:10 72208 c:\Program Files\Common Files\Logitech\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"MSVideo"= ucdvfw.dll
"VIDC.YV12"= xl_yv12.dll
"VIDC.XJPG"= camfc.dll
"MSACM.CEGSM"= mobilev.acm

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2005-10-02 12:16 155648 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=

R3 PLFF;USB Flash Disk Driver;C:\WINDOWS\system32\Drivers\PLFF.sys [2003-10-06 11:29]
S3 FA312;NETGEAR FA330/FA312/FA311 Fast Ethernet Adapter Driver;C:\WINDOWS\system32\DRIVERS\FA312nd5.sys [2001-08-17 13:12]
S3 PacketNTx;Packet helper driver;C:\WINDOWS\system32\drivers\PacketNTx.sys [2002-01-22 15:13]
S3 Wdm1;PL-2303X OnlyUSB Driver;C:\WINDOWS\system32\Drivers\USBSERVH.sys [2004-04-29 19:12]
S3 XIRLINK;Veo Mobile/Advanced Web Camera;C:\WINDOWS\system32\DRIVERS\ucdnt.sys [2004-01-26 21:42]

.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-21 08:27:46
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Common Files\Logitech\Bluetooth\LBTServ.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\IoctlSvc.exe
C:\WINDOWS\system32\wltrysvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Logitech\SetPoint\LBTWiz.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\bcmwltry.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.exe
.
**************************************************************************
.
Completion time: 2008-05-21 8:28:46 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-21 15:28:42
ComboFix2.txt 2008-05-21 04:05:49

Pre-Run: 41,231,130,624 bytes free
Post-Run: 41,208,332,288 bytes free

193




Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:30:31 AM, on 5/21/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Common Files\Logitech\Bluetooth\LBTSERV.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\IoctlSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\HotfixQ0306270.exe
C:\Program Files\Logitech\SetPoint\LBTWiz.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\FredFlinstone.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {1DD2B793-883A-4637-9EAD-C4B049CF07AF} - C:\WINDOWS\system32\wvUkHAtu.dll (file missing)
O2 - BHO: (no name) - {3AC3DFDD-2CBD-47DC-8F1F-A8C89BA601B3} - C:\WINDOWS\system32\opnomllJ.dll (file missing)
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [PLFFAP] C:\WINDOWS\system32\HotfixQ0306270.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Bluetooth Connection Assistant] LBTWIZ.EXE -silent
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [BMcbba19da] Rundll32.exe "C:\WINDOWS\system32\weunrlab.dll",s
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {02ECD07A-22D0-4AF0-BA0A-3F6B06086D08} (GamesCampus Control) - http://fishingchamp....GamesCampus.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplane...C_2.3.6.108.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail....es/MSNPUpld.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.r...ip/RdxIE601.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1170861176296
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1170861150437
O16 - DPF: {85D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin class) - http://secure2.comne...login-devel.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.h.../qdiagh.cab?326
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/...s/msnchat45.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{31A26BB4-45F3-4C91-969B-AE59E64BED47}: NameServer = 68.87.69.146,68.87.85.98
O20 - Winlogon Notify: byXQHbAQ - byXQHbAQ.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logitech\Bluetooth\LBTSERV.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\WINDOWS\system32\IoctlSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

--
End of file - 7519 bytes


Thank you for your help

Justin

#6 Rorschach112 (Teacher Emeritus, Authentic Member, 3,651 posts)

Posted 21 May 2008 - 10:32 AM

Hello

1. Please re-open HiJackThis and choose do a system scan only. Check the boxes next to ONLY the entries listed below (if present):

O2 - BHO: (no name) - {1DD2B793-883A-4637-9EAD-C4B049CF07AF} - C:\WINDOWS\system32\wvUkHAtu.dll (file missing)
O2 - BHO: (no name) - {3AC3DFDD-2CBD-47DC-8F1F-A8C89BA601B3} - C:\WINDOWS\system32\opnomllJ.dll (file missing)
O4 - HKLM\..\Run: [BMcbba19da] Rundll32.exe "C:\WINDOWS\system32\weunrlab.dll",s
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.r...ip/RdxIE601.cab
O20 - Winlogon Notify: byXQHbAQ - byXQHbAQ.dll (file missing)


2. Now close all windows other than HiJackThis, including browsers, so that nothing other than HijackThis is open, then click Fix Checked. A box will pop up asking you if you wish to fix the selected items. Please choose YES. Once it has fixed them, please exit/close HijackThis.




1. Close any open browsers.

2. Open notepad and copy/paste the text in the quotebox below into it:

File::
C:\WINDOWS\system32\weunrlab.dll

Folder::

Registry::

Driver::


Save this as CFScript.txt, in the same location as ComboFix.exe



Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at "C:\ComboFix.txt"

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall





Please download Malwarebytes' Anti-Malware from Here or Here

Double-click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.



Also post a new HijackThis log

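Picking those five entries out of a HijackThis log by eye is the skill the post above demonstrates. As an added example that is not part of the original post or of HijackThis, here is a Python triage pass over the "O" lines of such a log that scores the same indicators: a loading point whose file is reported "(file missing)", an eight-letter random-looking module name in system32 (the Virtumonde naming pattern of wvUkHAtu.dll, byXQHbAQ.dll and weunrlab.dll), and, only in combination with one of those, a rundll32 launcher or a Winlogon Notify package. The sample log is constructed from lines in this thread; the regular expressions, the strong/weak split and the function names are my assumptions, and the weak signals are also used by legitimate vendors (NVIDIA's NvCpl.dll, Logitech's LBTWlgn.dll), which is why they never score on their own.

```python
import re
from dataclasses import dataclass, field

# Constructed sample in the HijackThis v2 format used in this thread: four clean
# entries and three that match the Virtumonde pattern discussed in the posts.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {1DD2B793-883A-4637-9EAD-C4B049CF07AF} - C:\WINDOWS\system32\wvUkHAtu.dll (file missing)
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [BMcbba19da] Rundll32.exe "C:\WINDOWS\system32\weunrlab.dll",s
O20 - Winlogon Notify: byXQHbAQ - byXQHbAQ.dll (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""

ENTRY_RE = re.compile(r"^(O\d+)\s+-\s+(.*)$")
# A drive-rooted path ending in a loadable module (quotes optional around it).
DRIVE_PATH_RE = re.compile(r'([A-Za-z]:\\[^"\n]*?\.(?:dll|exe|ocx))', re.IGNORECASE)
# A bare module name: HijackThis prints O20 targets without a directory.
BARE_MODULE_RE = re.compile(r"\b([A-Za-z0-9_~]+\.(?:dll|exe|ocx))\b", re.IGNORECASE)
# Assumed heuristic for Vundo/Virtumonde file names: exactly eight letters.
RANDOM_STEM_RE = re.compile(r"^[A-Za-z]{8}$")


@dataclass
class Finding:
    section: str        # HijackThis section code, e.g. "O4"
    module: str         # file name of the module the entry loads
    line: str
    reasons: list = field(default_factory=list)

    @property
    def score(self) -> int:
        return len(self.reasons)


def module_name(body: str):
    m = DRIVE_PATH_RE.search(body) or BARE_MODULE_RE.search(body)
    return m.group(1).rsplit("\\", 1)[-1] if m else None


def assess(section: str, body: str):
    """Return a Finding when the entry shows Virtumonde-style indicators, else None."""
    module = module_name(body)
    if module is None:
        return None
    stem = module.rsplit(".", 1)[0]
    lowered = body.lower()
    strong, weak = [], []

    if "(file missing)" in lowered:
        # The loading point survived but its DLL is gone. Windows still tries to
        # load it, which is what produces an "Error loading <dll>" box at logon.
        strong.append("orphaned loading point: referenced module no longer exists")
    in_system32 = "system32" in lowered or section == "O20"   # Notify DLLs resolve from system32
    if RANDOM_STEM_RE.match(stem) and in_system32:
        strong.append("eight-letter random-looking module name in system32")
    if section == "O4" and "rundll32" in lowered:
        weak.append("Run value launches a DLL through rundll32")
    if section == "O20":
        weak.append("Winlogon Notify package: loaded into winlogon.exe before the desktop")

    # Weak indicators only count alongside a strong one; on their own they match
    # legitimate vendor entries such as NvCpl.dll or LBTWlgn.dll.
    reasons = strong + weak if strong else []
    return Finding(section, module, body, reasons) if reasons else None


def triage(log_text: str):
    """Parse HijackThis 'O' entries and return suspicious ones, highest score first."""
    findings = []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue
        f = assess(m.group(1), m.group(2))
        if f:
            findings.append(f)
    return sorted(findings, key=lambda f: -f.score)


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section} {f.module} score={f.score}")
        for r in f.reasons:
            print("   -", r)
```

The "orphaned loading point" reason is worth acting on even after the DLL itself has been quarantined: a Run value such as BMcbba19da that still names a deleted weunrlab.dll does no harm by itself, but it will throw a load-error dialog at every logon until the value is removed as well.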
#7 crazywednesday (New Member, 7 posts)

Posted 21 May 2008 - 10:19 PM

Here is the malware and combofix log files. As a side note, when the computer restarted after running combofix I got a windows error message.

It read

"Error loading c:\windows\system32\weunrlab.dll
The specified module could not be found"



Malwarebytes' Anti-Malware 1.12
Database version: 722

Scan type: Quick Scan
Objects scanned: 34450
Time elapsed: 2 minute(s), 31 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 5
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{2b96d5cc-c5b5-49a5-a69d-cc0a30f9028c} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{1f63b171-e2f3-4362-a484-8563144d62e6} (Adware.WebDir) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BMcbba19da (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)



ComboFix 08-05-20.1 - Justin 2008-05-21 20:46:09.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1602 [GMT -7:00]
Running from: C:\ComboFix.exe
Command switches used :: F:\CFScript.txt
* Created a new restore point

FILE ::
C:\WINDOWS\system32\weunrlab.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\weunrlab.dll

.
((((((((((((((((((((((((( Files Created from 2008-04-22 to 2008-05-22 )))))))))))))))))))))))))))))))
.

2008-05-21 20:43 . 2008-05-21 20:43 <DIR> d-------- C:\backups
2008-05-21 15:37 . 2008-05-21 15:37 1,649,976 --a------ C:\mbam-setup.exe
2008-05-21 08:28 . 2008-05-21 08:28 0 --a------ C:\WINDOWS\BMcbba19da.xml
2008-05-20 15:12 . 2008-05-20 15:12 1,819,563 --a------ C:\ComboFix.exe
2008-05-20 15:09 . 2008-05-20 15:14 4,614,888 --a------ C:\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
2008-05-20 15:03 . 2008-05-20 15:03 50,688 --a------ C:\ATF-Cleaner.exe
2008-05-19 21:00 . 2008-05-19 14:10 401,720 --a------ C:\FredFlinstone.exe
2008-05-11 13:27 . 2008-05-11 13:27 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\AVG7
2008-05-11 13:26 . 2008-05-11 13:26 <DIR> d-------- C:\Documents and Settings\Administrator
2008-05-10 15:28 . 2008-05-10 15:28 0 --a------ C:\WINDOWS\nsreg.dat
2008-05-10 13:13 . 2008-05-11 15:22 326 --a------ C:\WINDOWS\wininit.ini
2008-05-10 11:43 . 2008-05-10 11:41 691,545 --a------ C:\WINDOWS\unins000.exe
2008-05-10 11:43 . 2008-05-10 11:43 2,542 --a------ C:\WINDOWS\unins000.dat
2008-05-10 11:39 . 2008-05-10 11:39 <DIR> d-------- C:\WINDOWS\SxsCaPendDel
2008-05-09 21:00 . 2008-05-09 21:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-05-08 19:22 . 2008-05-08 19:22 <DIR> d-------- C:\Program Files\Western Digital Technologies

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-22 03:49 8,263,744 ----a-w C:\WINDOWS\Internet Logs\tvDebug.zip
2008-05-22 03:49 108,716,064 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat
2008-05-22 03:48 1,279,220 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
2008-05-21 04:09 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-05-21 04:09 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-11 20:22 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-05-11 15:00 --------- d-----w C:\Documents and Settings\LocalService\Application Data\AVG7
2008-05-10 04:00 --------- d-----w C:\Program Files\Lavasoft
2008-05-10 04:00 --------- d-----w C:\Documents and Settings\Justin\Application Data\Lavasoft
2008-05-10 03:51 --------- d-----w C:\Documents and Settings\Justin\Application Data\AVG7
2008-05-03 00:27 --------- d-----w C:\Documents and Settings\Justin\Application Data\uTorrent
2008-03-23 02:29 --------- d-----w C:\Documents and Settings\Justin\Application Data\Intuit
2008-03-23 02:23 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-23 02:21 --------- d-----w C:\Program Files\Common Files\Intuit
2008-03-23 02:16 --------- d-----w C:\Program Files\TurboTax
2007-12-31 04:27 47,360 ----a-w C:\Documents and Settings\Justin\Application Data\pcouffin.sys
2007-07-22 04:47 24,896 ----a-w C:\Documents and Settings\Justin\Application Data\GDIPFONTCACHEV1.DAT
2005-11-22 01:58 1,196,121 ----a-w C:\Documents and Settings\Justin\EverQuest.exe
2005-11-22 01:57 307,200 ----a-w C:\Documents and Settings\Justin\OptionsEditor.exe
2005-11-22 01:50 349,696 ----a-w C:\Documents and Settings\Justin\mss32.dll
2005-11-22 01:42 950,272 ----a-w C:\Documents and Settings\Justin\eqmain.dll
2005-11-22 01:42 3,969,024 ----a-w C:\Documents and Settings\Justin\eqgame.exe
2005-11-22 01:41 133,120 ----a-w C:\Documents and Settings\Justin\dpvs.dll
2005-11-22 01:40 60,416 ----a-w C:\Documents and Settings\Justin\DSETUP.dll
2005-11-22 01:40 2,310,144 ----a-w C:\Documents and Settings\Justin\EQGraphicsDX9.dll
2005-11-01 06:40 557,568 ----a-w C:\Documents and Settings\Justin\EscapeToNorrath.exe
2005-10-19 05:43 56 -csha-r C:\WINDOWS\system32\33BD705E36.sys
2005-10-19 05:43 3,350 -csha-w C:\WINDOWS\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((( snapshot@2008-05-20_21.05.25.17 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-21 04:03:57 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-22 03:49:01 2,048 --s-a-w C:\WINDOWS\bootstat.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-09-21 04:10 55824 C:\WINDOWS\KHALMNPR.Exe]
"PLFFAP"="C:\WINDOWS\system32\HotfixQ0306270.exe" [2003-08-05 10:43 45056]
"Bluetooth Connection Assistant"="LBTWIZ.exe" []
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-06-01 17:22 7618560]
"BMcbba19da"="C:\WINDOWS\system32\weunrlab.dll" [ ]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe" [2007-10-24 08:19 219136]

C:\Documents and Settings\Justin\Start Menu\Programs\Startup\
PowerReg Scheduler V3.exe [2008-03-11 00:00:26 225280]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [2008-04-23 20:26:56 784912]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
c:\program files\common files\logitech\bluetooth\LBTWlgn.dll 2007-11-15 10:10 72208 c:\Program Files\Common Files\Logitech\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"MSVideo"= ucdvfw.dll
"VIDC.YV12"= xl_yv12.dll
"VIDC.XJPG"= camfc.dll
"MSACM.CEGSM"= mobilev.acm

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2005-10-02 12:16 155648 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=

R3 PLFF;USB Flash Disk Driver;C:\WINDOWS\system32\Drivers\PLFF.sys [2003-10-06 11:29]
S3 FA312;NETGEAR FA330/FA312/FA311 Fast Ethernet Adapter Driver;C:\WINDOWS\system32\DRIVERS\FA312nd5.sys [2001-08-17 13:12]
S3 PacketNTx;Packet helper driver;C:\WINDOWS\system32\drivers\PacketNTx.sys [2002-01-22 15:13]
S3 Wdm1;PL-2303X OnlyUSB Driver;C:\WINDOWS\system32\Drivers\USBSERVH.sys [2004-04-29 19:12]
S3 XIRLINK;Veo Mobile/Advanced Web Camera;C:\WINDOWS\system32\DRIVERS\ucdnt.sys [2004-01-26 21:42]

.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-21 20:49:33
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Common Files\Logitech\Bluetooth\LBTServ.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\IoctlSvc.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\wltrysvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Logitech\SetPoint\LBTWiz.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\bcmwltry.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.exe
.
**************************************************************************
.
Completion time: 2008-05-21 20:50:34 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-22 03:50:30
ComboFix2.txt 2008-05-21 15:28:47
ComboFix3.txt 2008-05-21 04:05:49

Pre-Run: 41,192,202,240 bytes free
Post-Run: 41,186,193,408 bytes free

150


Thanks

Justin

#8 Rorschach112 (Teacher Emeritus, Authentic Member, 3,651 posts)

Posted 22 May 2008 - 07:07 AM

Hello

Delete this file in bold

C:\WINDOWS\BMcbba19da.xml


Also post a new HijackThis log

#9 crazywednesday (New Member, 7 posts)

Posted 22 May 2008 - 07:51 PM

I deleted C:\WINDOWS\BMcbba19da.xml

I noticed right next to it was a C:\WINDOWS\BMcbba19da.txt. I didn't delete this one because I wasn't instructed to, but wanted you to know that it existed.

Here is my HijackThis log file.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:49:34 PM, on 5/22/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Common Files\Logitech\Bluetooth\LBTSERV.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\IoctlSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\HotfixQ0306270.exe
C:\Program Files\Logitech\SetPoint\LBTWiz.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\FredFlinstone.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [PLFFAP] C:\WINDOWS\system32\HotfixQ0306270.exe
O4 - HKLM\..\Run: [Bluetooth Connection Assistant] LBTWIZ.EXE -silent
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {02ECD07A-22D0-4AF0-BA0A-3F6B06086D08} (GamesCampus Control) - http://fishingchamp....GamesCampus.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplane...C_2.3.6.108.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail....es/MSNPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1170861176296
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1170861150437
O16 - DPF: {85D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin class) - http://secure2.comne...login-devel.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.h.../qdiagh.cab?326
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/...s/msnchat45.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{31A26BB4-45F3-4C91-969B-AE59E64BED47}: NameServer = 68.87.69.146,68.87.85.98
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logitech\Bluetooth\LBTSERV.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\WINDOWS\system32\IoctlSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

--
End of file - 6867 bytes


Thanks

Justin

#10 Rorschach112

Rorschach112

    Teacher Emeritus

  • Authentic Member
  • 3,651 posts

Posted 23 May 2008 - 05:41 AM

Delete that file and do this

Please download Deckard's System Scanner (DSS) and save it to your Desktop.
  • Close all other windows before proceeding.
  • Double-click on dss.exe and follow the prompts.
  • If your anti-virus or firewall complains, please allow this script to run as it is not malicious.
  • When it has finished, dss will open two Notepads main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.


#11 crazywednesday

crazywednesday

    New Member

  • New Member
  • 7 posts

Posted 23 May 2008 - 07:14 AM

OK, deleted the text file. Here are the main.txt and extra.txt files.

Deckard's System Scanner v20071014.68
Run by Justin on 2008-05-23 06:08:07
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
34: 2008-05-23 13:08:12 UTC - RP430 - Deckard's System Scanner Restore Point
33: 2008-05-23 03:49:23 UTC - RP429 - System Checkpoint
32: 2008-05-22 03:45:53 UTC - RP428 - ComboFix created restore point
31: 2008-05-21 15:21:21 UTC - RP427 - ComboFix created restore point
30: 2008-05-21 04:07:54 UTC - RP426 - Last known good configuration


-- First Restore Point --
1: 2008-05-21 04:07:44 UTC - RP397 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.



-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-05-23 06:09:31
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Common Files\Logitech\Bluetooth\LBTServ.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Free\avgamsvr.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Grisoft\AVG Free\avgupsvc.exe
C:\WINDOWS\system32\IoctlSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\HotFixQ0306270.exe
C:\Program Files\Logitech\SetPoint\LBTWiz.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.exe
C:\WINDOWS\system32\wltrysvc.exe
C:\WINDOWS\system32\bcmwltry.exe
C:\WINDOWS\system32\wscntfy.exe
C:\dss.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer presented by Comcast
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [PLFFAP] C:\WINDOWS\system32\HotfixQ0306270.exe
O4 - HKLM\..\Run: [Bluetooth Connection Assistant] LBTWIZ.EXE -silent
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: Logitech SetPoint.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\NPJPI150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\NPJPI150_04.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: Send To Bluetooth - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: https://turbotax.com (HKCU)
O16 - DPF: {02ECD07A-22D0-4AF0-BA0A-3F6B06086D08} (GamesCampus Control) - http://fishingchamp....GamesCampus.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} () - http://download.micr...922/wmv9VCM.CAB
O16 - DPF: {33564D57-9980-0010-8000-00AA00389B71} () - http://download.micr...D0C/wmv9dmo.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} () - http://www.fileplane...C_2.3.6.108.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail....es/MSNPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1170861176296
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1170861150437
O16 - DPF: {85D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin class) - http://secure2.comne...login-devel.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Plug-in 1.5.0_04) - http://java.sun.com/...indows-i586.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.ma...ent/swflash.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.h.../qdiagh.cab?326
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/...s/msnchat45.cab
O17 - HKLM\SYSTEM\CCS\Services\Tcpip\..\{31A26BB4-45F3-4C91-969B-AE59E64BED47}: NameServer = 68.87.69.146,68.87.85.98
O18 - Protocol: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - C:\Program Files\Common Files\Microsoft Shared\Web Folders\PKMCDO.DLL
O18 - Protocol: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - (no file)
O18 - Protocol: lid - {5C135180-9973-46D9-ABF4-148267CBB8BF} - C:\WINDOWS\system32\msvidctl.dll
O18 - Protocol: mctp - {d7b95390-b1c5-11d0-b111-0080c712fe82} - C:\Program Files\Microsoft ActiveSync\AATP.DLL
O18 - Protocol: mso-offdap - {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\Program Files\Grisoft\AVG Free\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\Program Files\Grisoft\AVG Free\avgupsvc.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logitech\Bluetooth\LBTServ.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\WINDOWS\system32\IoctlSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\system32\wltrysvc.exe


--
End of file - 8304 bytes

-- HijackThis Fixed Entries (C:\\backups\) -------------------------------------

backup-20080521-204350-253 O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.r...ip/RdxIE601.cab
backup-20080521-204350-284 O2 - BHO: (no name) - {1DD2B793-883A-4637-9EAD-C4B049CF07AF} - C:\WINDOWS\system32\wvUkHAtu.dll (file missing)
backup-20080521-204350-439 O4 - HKLM\..\Run: [BMcbba19da] Rundll32.exe "C:\WINDOWS\system32\weunrlab.dll",s
backup-20080521-204350-732 O2 - BHO: (no name) - {3AC3DFDD-2CBD-47DC-8F1F-A8C89BA601B3} - C:\WINDOWS\system32\opnomllJ.dll (file missing)
backup-20080521-204351-336 O20 - Winlogon Notify: byXQHbAQ - byXQHbAQ.dll (file missing)

-- File Associations -----------------------------------------------------------

.reg - regfile - shell\open\command - regedit.exe "%1" %*
.scr - scrfile - shell\open\command - "%1" %*


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R2 MDC8021X (AEGIS Protocol (IEEE 802.1x) v2.3.0.0) - c:\windows\system32\drivers\mdc8021x.sys <Not Verified; Meetinghouse Data Communications; AEGIS Client 2.3.1>
R3 pcouffin (VSO Software pcouffin) - c:\windows\system32\drivers\pcouffin.sys <Not Verified; VSO Software; Patin couffin engine>
R3 PLFF (USB Flash Disk Driver) - c:\windows\system32\drivers\plff.sys <Not Verified; Prolific Technology Inc.; Prolific Flash Disk>
R3 vsbus (Virtual Serial Bus Enumerator) - c:\windows\system32\drivers\vsb.sys <Not Verified; ELTIMA Software; ELTIMA Virtual Serial Bus>
R3 WinDriver6 - c:\windows\system32\drivers\windrvr6.sys <Not Verified; Jungo; WinDriver Device Driver>

S1 InCDPass - c:\windows\system32\drivers\incdpass.sys (file missing)
S1 InCDRm (InCD Reader) - c:\windows\system32\drivers\incdrm.sys (file missing)
S3 grmnusb - c:\windows\system32\drivers\grmnusb.sys <Not Verified; GARMIN Corp.; Garmin USB GPS>
S3 PacketNTx (Packet helper driver) - c:\windows\system32\drivers\packetntx.sys <Not Verified; Sumix Co.; Sumix Packet Helper Driver>
S3 vserial (ELTIMA Virtual Serial Ports Driver) - c:\windows\system32\drivers\vserial.sys <Not Verified; ELTIMA Software; ELTIMA Virtual Serial Ports>
S3 Wdm1 (PL-2303X OnlyUSB Driver) - c:\windows\system32\drivers\usbservh.sys <Not Verified; SEIKO EPSON; PL-2303X OnlyUSB Driver>
S3 yukonwxp (NDIS5.1 Miniport Driver for Marvell Yukon Gigabit Ethernet Adapter) - c:\windows\system32\drivers\yukonwxp.sys <Not Verified; Marvell Semiconductor Inc.; Marvell Yukon Gigabit Ethernet Adapter>
S4 InCDFs (InCD File System) - c:\windows\system32\drivers\incdfs.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 PLFlash DeviceIoControl Service - c:\windows\system32\ioctlsvc.exe <Not Verified; Prolific Technology Inc.; IoctlSvc Application>


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: NETGEAR FA311 Fast Ethernet Adapter
Device ID: PCI\VEN_100B&DEV_0020&SUBSYS_F3111385&REV_00\4&3191A3E6&0&4870
Manufacturer: Netgear
Name: NETGEAR FA311 Fast Ethernet Adapter
PNP Device ID: PCI\VEN_100B&DEV_0020&SUBSYS_F3111385&REV_00\4&3191A3E6&0&4870
Service: FA312


-- Files created between 2008-04-23 and 2008-05-23 -----------------------------

2008-05-23 06:06:51 686630 --a------ C:\dss.exe
2008-05-21 20:53:56 0 d-------- C:\Documents and Settings\Justin\Application Data\Malwarebytes
2008-05-21 20:53:50 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-05-21 20:53:50 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-05-21 20:43:50 0 d-------- C:\backups
2008-05-20 21:01:09 0 d-------- C:\cmdcons
2008-05-20 20:58:40 68096 --a------ C:\WINDOWS\zip.exe
2008-05-20 20:58:40 49152 --a------ C:\WINDOWS\VFind.exe
2008-05-20 20:58:40 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-05-20 20:58:40 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-05-20 20:58:40 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-05-20 20:58:40 98816 --a------ C:\WINDOWS\sed.exe
2008-05-20 20:58:40 80412 --a------ C:\WINDOWS\grep.exe
2008-05-20 20:58:40 89504 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-05-20 15:12:01 1819563 --a------ C:\ComboFix.exe
2008-05-20 15:03:29 50688 --a------ C:\ATF-Cleaner.exe <ATF-CL~1.EXE> <Not Verified; Atribune.org; ATF Cleaner>
2008-05-11 13:27:00 0 d-------- C:\Documents and Settings\Administrator\Application Data\AVG7
2008-05-11 13:26:30 0 d--h----- C:\Documents and Settings\Administrator\Templates
2008-05-11 13:26:30 0 dr------- C:\Documents and Settings\Administrator\Start Menu
2008-05-11 13:26:30 0 dr-h----- C:\Documents and Settings\Administrator\SendTo
2008-05-11 13:26:30 0 d--h----- C:\Documents and Settings\Administrator\Recent
2008-05-11 13:26:30 0 d--h----- C:\Documents and Settings\Administrator\PrintHood
2008-05-11 13:26:30 524288 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT
2008-05-11 13:26:30 0 d--h----- C:\Documents and Settings\Administrator\NetHood
2008-05-11 13:26:30 0 d-------- C:\Documents and Settings\Administrator\My Documents
2008-05-11 13:26:30 0 d--h----- C:\Documents and Settings\Administrator\Local Settings
2008-05-11 13:26:30 0 d-------- C:\Documents and Settings\Administrator\Favorites
2008-05-11 13:26:30 0 d-------- C:\Documents and Settings\Administrator\Desktop
2008-05-11 13:26:30 0 d---s---- C:\Documents and Settings\Administrator\Cookies
2008-05-11 13:26:30 0 dr-h----- C:\Documents and Settings\Administrator\Application Data
2008-05-11 13:26:30 0 d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2008-05-11 13:22:42 0 dr-h----- C:\Documents and Settings\Justin\Recent
2008-05-10 15:28:40 0 --a------ C:\WINDOWS\nsreg.dat
2008-05-10 15:28:31 0 d-------- C:\Documents and Settings\Justin\Application Data\Mozilla
2008-05-10 11:43:47 691545 --a------ C:\WINDOWS\unins000.exe
2008-05-10 11:43:47 2542 --a------ C:\WINDOWS\unins000.dat
2008-05-10 11:39:22 0 d-------- C:\WINDOWS\SxsCaPendDel
2008-05-09 21:00:30 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-05-08 19:22:15 0 d-------- C:\Program Files\Western Digital Technologies


-- Find3M Report ---------------------------------------------------------------

2008-05-11 13:22:33 0 d-------- C:\Program Files\Common Files
2008-05-11 13:22:25 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-05-09 21:00:52 0 d-------- C:\Program Files\Lavasoft
2008-05-09 21:00:51 0 d-------- C:\Documents and Settings\Justin\Application Data\Lavasoft
2008-05-09 20:51:35 0 d-------- C:\Documents and Settings\Justin\Application Data\AVG7
2008-05-02 17:27:20 0 d-------- C:\Documents and Settings\Justin\Application Data\uTorrent
2008-03-10 22:51:44 0 --a------ C:\WINDOWS\PowerReg.dat


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [09/21/2007 04:10 AM C:\WINDOWS\KHALMNPR.Exe]
"PLFFAP"="C:\WINDOWS\system32\HotfixQ0306270.exe" [08/05/2003 10:43 AM]
"Bluetooth Connection Assistant"="LBTWIZ.exe" []
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [06/01/2006 05:22 PM]

C:\Documents and Settings\Justin\Start Menu\Programs\Startup\
PowerReg Scheduler V3.exe [3/11/2008 12:00:26 AM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [4/23/2008 8:26:56 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
c:\program files\common files\logitech\bluetooth\LBTWlgn.dll 11/15/2007 10:10 AM 72208 c:\Program Files\Common Files\Logitech\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
"C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet




-- End of Deckard's System Scanner: finished at 2008-05-23 06:10:39 ------------




Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Home Edition (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: AMD Athlon™ 64 Processor 3000+
Percentage of Memory in Use: 20%
Physical Memory (total/avail): 2047.48 MiB / 1617.55 MiB
Pagefile Memory (total/avail): 3940.57 MiB / 3663.07 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1942.65 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 68.95 GiB total, 38.34 GiB free.
D: is CDROM (No Media)
E: is CDROM (No Media)
F: is Fixed (NTFS) - 3.81 GiB total, 3.29 GiB free.
Q: is Fixed (NTFS) - 149.05 GiB total, 69.14 GiB free.

\\.\PHYSICALDRIVE0 - WDC WD1600JB-22REA0 - 149.05 GiB - 1 partition
\PARTITION0 - Installable File System - 149.05 GiB - Q:

\\.\PHYSICALDRIVE1 - NVIDIA STRIPE 68.95G - 68.95 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 68.95 GiB - C:

\\.\PHYSICALDRIVE2 - - 3.81 GiB - 1 partition
\PARTITION0 - Installable File System - 3.81 GiB - F:



-- Security Center -------------------------------------------------------------

AUOptions is disabled.
Windows Internal Firewall is disabled.

FW: ZoneAlarm Firewall v7.0.462.000 (Check Point, LTD.)
AV: AVG 7.5.524 v7.5.524 (Grisoft)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\Program Files\\uTorrent\\uTorrent.exe"="C:\\Program Files\\uTorrent\\uTorrent.exe:*:Enabled:µTorrent"
"C:\\Program Files\\TurboTax\\Deluxe 2007\\32bit\\ttax.exe"="C:\\Program Files\\TurboTax\\Deluxe 2007\\32bit\\ttax.exe:LocalSubNet:Enabled:TurboTax"
"C:\\Program Files\\TurboTax\\Deluxe 2007\\32bit\\updatemgr.exe"="C:\\Program Files\\TurboTax\\Deluxe 2007\\32bit\\updatemgr.exe:LocalSubNet:Enabled:TurboTax Update Manager"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Justin\Application Data
CLASSPATH=C:\Program Files\QuickTime\QTSystem\QTJava.zip
CLIENTNAME=Console
COLLECTIONID=COL7299
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=MUERTE
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HMSERVER=https://wwss1proa.cce.hp.com/wuss/servlet/WUSSServlet
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Justin
ITEMID=oj-21918-1
LANG=1033
LOGONSERVER=\\MUERTE
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
OSVER=winXPH
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\wbem;C:\Program Files\QuickTime\QTSystem
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 47 Stepping 0, AuthenticAMD
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=2f00
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\QuickTime\QTSystem\QTJava.zip
SESSIONID=1148492619029htx60603778cf:10b8b0a487a:-4250
SESSIONNAME=Console
SWUTVER=1.0.18.30716
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\Justin\LOCALS~1\Temp
TIMEOUT=0
TMP=C:\DOCUME~1\Justin\LOCALS~1\Temp
TOOLPATH=/C:\Program%20Files\Hewlett-Packard\HP%20Software%20Update\install.htm
tvdumpflags=8
UPDATEDIR=C:\DOCUME~1\Justin\LOCALS~1\Temp\radF1BAC.tmp
USERDOMAIN=MUERTE
USERNAME=Justin
USERPROFILE=C:\Documents and Settings\Justin
VERSION=2.1.5
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Justin (admin)
Administrator (new local, admin)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\Program Files\Nero\Nero 7\nero\uninstall\UNNERO.exe /UNINSTALL
--> C:\WINDOWS\UNNeroBackItUp.exe /UNINSTALL
--> C:\WINDOWS\UNNeroMediaHome.exe /UNINSTALL
--> C:\WINDOWS\UNNeroShowTime.exe /UNINSTALL
--> C:\WINDOWS\UNNeroVision.exe /UNINSTALL
--> C:\WINDOWS\UNRecode.exe /UNINSTALL
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
µTorrent --> "C:\Program Files\uTorrent\uTorrent.exe" /UNINSTALL
Ad-Aware 2007 --> MsiExec.exe /I{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}
Adobe Acrobat 5.0 --> C:\WINDOWS\ISUNINST.EXE -f"C:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.isu" -c"C:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.dll"
Adobe Flash Player 9 ActiveX --> C:\WINDOWS\System32\Macromed\Flash\FlashUtil9b.exe -uninstallDelete
Adobe Photoshop 7.0 --> C:\WINDOWS\ISUNINST.EXE -f"C:\Program Files\Adobe\Photoshop 7.0\Uninst.isu" -c"C:\Program Files\Adobe\Photoshop 7.0\Uninst.dll"
AVG Free Edition --> C:\Program Files\Grisoft\AVG Free\setup.exe /UNINSTALL
AVI Codec Pack --> C:\Program Files\AVI Codec Pack\uninstall.exe
Belkin Wireless Utility --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{45401A03-BDF0-448F-9B0F-3882B96F6692}\setup.exe" -l0x9
CCleaner (remove only) --> "C:\Program Files\CCleaner\uninst.exe"
CDDRV_Installer --> MsiExec.exe /I{0C826C5B-B131-423A-A229-C71B3CACCD6A}
Dive Rite NiTek Logic --> C:\PROGRA~1\DiveRite\UNWISE.EXE C:\PROGRA~1\DiveRite\INSTALL.LOG
DVDFab Platinum 4.0.6.2 --> "C:\Program Files\DVDFab Platinum 4\unins000.exe"
Enable S3 for USB Device --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Gigabyte\Enable S3 for USB Device\Uninst.isu"
EverQuest II: Play the Fae --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{31EF8B2A-1332-4A0E-8B35-2E3491727922}\setup.exe" -l0x9 -removeonly
FTDI USB Serial Converter Drivers --> C:\WINDOWS\system32\ftdiunin.exe C:\WINDOWS\system32\ftdiun2k.ini
Garmin Trip and Waypoint Manager v4 --> MsiExec.exe /X{67B9AF41-C0B9-4960-84D9-A61D23DE85D8}
Garmin WebUpdater --> MsiExec.exe /X{996EC44B-38E1-4898-8E47-3EE3D15F2712}
HijackThis 2.0.2 --> "C:\HijackThis.exe" /uninstall
HotFix Q0306270 -->
hp deskjet 5600 --> msiexec /x{DB5518BE-F40F-407A-B451-012625D4497B}
Hunt'n'Map --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Hunt'n'Map\HuntNMapUninst.isu"
J2SE Runtime Environment 5.0 Update 4 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150040}
KhalInstallWrapper --> MsiExec.exe /I{3101CB58-3482-4D21-AF1A-7057FC935355}
LimeWire PRO 4.16.6 --> "C:\Program Files\LimeWire\uninstall.exe"
Logger Pro 3.3 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{CEF1E430-28D2-4123-B03C-EC45E41FE362}\Setup.exe" -l0x9
Logitech SetPoint --> C:\Program Files\InstallShield Installation Information\{F29B21BD-CAA6-445F-8EF7-A7E2B9D8B14E}\setup.exe -runfromtemp -l0x0009 -removeonly
Macromedia Shockwave Player --> C:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log
Malwarebytes' Anti-Malware --> "C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
MapSource - US Topo v3.02 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{AD4203ED-7683-435E-B436-C299773A9936}\Setup.exe" -l0x9 AddRemove
Marvell Miniport Driver --> MsiExec.exe /X{C950420B-4182-49EA-850A-A6A2ABF06C6B}
Microsoft ActiveSync 3.7 --> "C:\WINDOWS\ISUNINST.EXE" -f"C:\Program Files\Microsoft ActiveSync\DeIsL1.isu" -c"C:\Program Files\Microsoft ActiveSync\ceuninst.dll"
Microsoft Compression Client Pack 1.0 for Windows XP --> "C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5 --> "C:\WINDOWS\$NtUninstallWdf01005$\spuninst\spuninst.exe"
Microsoft Office XP Professional with FrontPage --> MsiExec.exe /I{90280409-6000-11D3-8CFE-0050048383C9}
Microsoft Outlook 2002 --> MsiExec.exe /I{911A0409-6000-11D3-8CFE-0050048383C9}
Microsoft User-Mode Driver Framework Feature Pack 1.0 --> "C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{A49F249F-0C91-497F-86DF-B2585E8E76B7}
Mozilla Firefox (2.0.0.14) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
MUSICMATCH Jukebox --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\Uninst.isu" -cC:\PROGRA~1\MUSICM~1\MUSICM~1\unmatch.dll
Nero - Burning Rom --> MsiExec.exe /X{A4D7B764-4140-11D4-88EB-0050DA3579C0}
Nero 7 Demo --> MsiExec.exe /I{84B2CF01-194D-2284-B313-F2E0D78D1033}
NVIDIA Drivers --> C:\WINDOWS\System32\nvudisp.exe UninstallGUI
overland --> MsiExec.exe /I{766273C1-A39B-47EB-ACE8-DEBDD8094BCC}
PowerDVD --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\setup.exe" -uninstall
Pro Bass Fishing 2003 --> C:\Program Files\Infogrames\Pro Bass Fishing 2003\Setup.exe /Uninstall
QuickTime --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\11\INTEL3~1\IDriver.exe /M{4E5E22C2-1386-47AE-8EDE-32DDCDCD6653} /l1033
Realtek AC'97 Audio --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FB08F381-6533-4108-B7DD-039E11FBC27E}\setup.exe" REMOVE
Spybot - Search & Destroy 1.5.2.20 --> "C:\WINDOWS\unins000.exe"
The Rosetta Stone --> C:\WINDOWS\unvise32.exe C:\Program Files\The Rosetta Stone\TRS Support\uninstal.log
TOPO! 4 --> MsiExec.exe /I{5B3FB6D4-1B88-413D-8DE7-A7E2D58DE5B2}
TurboTax Deluxe 2007 --> C:\Program Files\TurboTax\Deluxe 2007\TaxUnst.EXE "C:\Program Files\TurboTax\Deluxe 2007\Uninstall.log" -NoGui
USB Flash Disk Utility --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9F67AC89-5FA6-4F3F-95DB-92F322C8C2EB}\Setup.exe" -l0x9
WD Diagnostics --> MsiExec.exe /X{0AB76F69-E761-4CFA-B9B0-A1906B4E9E4B}
WIDCOMM Bluetooth Software --> MsiExec.exe /X{84814E6B-2581-46EC-926A-823BD1C670F6}
Windows Media Format 11 runtime --> "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe
World of Warcraft --> C:\Program Files\Common Files\Blizzard Entertainment\World of Warcraft\Uninstall.exe
ZoneAlarm --> C:\Program Files\Zone Labs\ZoneAlarm\zauninst.exe


-- Application Event Log -------------------------------------------------------

Event Record #/Type3153 / Error
Event Submitted/Written: 05/10/2008 03:14:54 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application iexplore.exe, version 6.0.2900.2180, faulting module unknown, version 0.0.0.0, fault address 0x015e1569.
Processing media-specific event for [iexplore.exe!ws!]

Event Record #/Type3152 / Error
Event Submitted/Written: 05/10/2008 02:34:26 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application teatimer.exe, version 1.5.2.16, faulting module teatimer.exe, version 1.5.2.16, fault address 0x000042b2.
Processing media-specific event for [teatimer.exe!ws!]

Event Record #/Type3139 / Error
Event Submitted/Written: 05/10/2008 11:16:42 AM
Event ID/Source: 2 / WLTRYSVC
Event Description:
SetServiceStatus() failed

Event Record #/Type3130 / Error
Event Submitted/Written: 05/09/2008 06:20:56 AM
Event ID/Source: 2 / WLTRYSVC
Event Description:
SetServiceStatus() failed

Event Record #/Type3126 / Error
Event Submitted/Written: 05/08/2008 03:50:55 PM
Event ID/Source: 100 / AVG7
Event Description:
2008-05-08 22:50:55,015 MUERTE [001616:001636] ERROR 000 AVG7.WTS.CAvgAmWts ProcessIdToSessionId(3004) call failed with WIN32 error 87, returning session id is 0



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type27123 / Error
Event Submitted/Written: 05/23/2008 06:01:59 AM
Event ID/Source: 7034 / Service Control Manager
Event Description:
The NVIDIA Display Driver Service service terminated unexpectedly. It has done this 1 time(s).

Event Record #/Type27105 / Warning
Event Submitted/Written: 05/22/2008 06:50:14 PM
Event ID/Source: 57 / Ftdisk
Event Description:
The system failed to flush data to the transaction log. Corruption may occur.

Event Record #/Type27081 / Warning
Event Submitted/Written: 05/21/2008 09:14:22 PM
Event ID/Source: 57 / Ftdisk
Event Description:
The system failed to flush data to the transaction log. Corruption may occur.

Event Record #/Type27080 / Warning
Event Submitted/Written: 05/21/2008 09:14:22 PM
Event ID/Source: 57 / Ftdisk
Event Description:
The system failed to flush data to the transaction log. Corruption may occur.

Event Record #/Type27079 / Warning
Event Submitted/Written: 05/21/2008 09:14:22 PM
Event ID/Source: 57 / Ftdisk
Event Description:
The system failed to flush data to the transaction log. Corruption may occur.



-- End of Deckard's System Scanner: finished at 2008-05-23 06:10:39 ------------

Thanks

Justin

#12 Rorschach112

Rorschach112

    Teacher Emeritus

  • Authentic Member
  • 3,651 posts

Posted 23 May 2008 - 07:27 AM

Your logs are clean

Follow these steps to uninstall Combofix and tools used in the removal of malware
  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK. Note the space between the X and the U, it needs to be there.



You now need to update your Java and remove your older versions.

Please follow these steps to remove older version Java components.

* Click Start > Control Panel.
* Click Add/Remove Programs.
* Check any item with Java Runtime Environment (JRE) in the name.
* Click the Remove or Change/Remove button.

Download the latest version of Java Runtime Environment (JRE), and install it to your computer from here.



Below I have included a number of recommendations for how to protect your computer against malware infections.

* Keep Windows updated by regularly checking their website at:
http://windowsupdate.microsoft.com/
This will ensure your computer always has the latest available security updates installed.

* To reduce re-infection for malware in the future, I strongly recommend installing these free programs:
SpywareBlaster protects against bad ActiveX
IE-SPYAD puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all
Have a look at this tutorial for IE-Spyad here

* SpywareGuard offers realtime protection from spyware installation attempts.

Make Internet Explorer more secure
  • Click Start > Run
  • Type Inetcpl.cpl & click OK
  • Click on the Security tab
  • Click Reset all zones to default level
  • Make sure the Internet Zone is selected & Click Custom level
  • In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls") to "Prompt", and ("Initialize and Script ActiveX controls not marked as safe") to "Disable".
  • Next Click OK, then Apply button and then OK to exit the Internet Properties page.

* MVPS Hosts file replaces your current HOSTS file with one containing well known ad sites and other bad sites. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer, meaning it will be difficult to infect yourself in the future.
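An added example (not from the post or from the MVPS project) of the mechanism described above: it parses the HOSTS file's `ip  name [name ...]  # comment` format on a constructed sample, reports which names are sinkholed to loopback, and also flags any entry that points a name somewhere other than loopback, since a HOSTS file overrides DNS for that name and such entries are worth reviewing. The sample file and every hostname in it are constructed.

```python
"""HOSTS-file parser: which names are sinkholed, and which entries look off.

Added example, not the forum post's or the MVPS project's code. The sample
below is constructed in the MVPS layout; none of the names are real sites.
"""
import ipaddress

# Addresses that make a name unreachable: loopback or the unspecified address.
SINKHOLE_ADDRS = {"127.0.0.1", "0.0.0.0", "::1"}

# Constructed sample, modelled on the MVPS file's layout.
SAMPLE_HOSTS = """\
# header comment, as the MVPS file carries
127.0.0.1  localhost
127.0.0.1  ads.tracker.test   # blocked ad server
127.0.0.1  www.badsite.test   adserver.badsite.test
0.0.0.0    fastblock.test
not-an-ip  garbage.test       # malformed line, ignored by the resolver
10.0.0.5   updates.vendor.test  # NOT loopback: overrides DNS for a real name
"""


def parse_hosts(text):
    """Return {hostname: ip} for each mapping; first entry for a name wins."""
    mapping = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        parts = line.split()
        try:
            ipaddress.ip_address(parts[0])  # validates v4 and v6 literals
        except ValueError:
            continue  # malformed address: the resolver skips the line
        for name in parts[1:]:
            mapping.setdefault(name.lower(), parts[0])  # names are case-insensitive
    return mapping


def is_sinkholed(mapping, hostname):
    """True if the HOSTS file pins hostname to loopback/unspecified."""
    return mapping.get(hostname.lower()) in SINKHOLE_ADDRS


def suspicious_entries(mapping):
    """Entries that send a name to a routable address instead of loopback.

    'localhost -> 127.0.0.1' is expected; anything mapped elsewhere rewrites
    name resolution for that host and should be checked by hand."""
    return {h: ip for h, ip in mapping.items() if ip not in SINKHOLE_ADDRS}
```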

* Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in pop-up blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from here.

* Take a good look at the following suggestions for malware prevention by reading Tony Klein's article 'How Did I Get Infected In The First Place' here.

Thank you for your patience, and performing all of the procedures requested.

#13 crazywednesday

crazywednesday

    New Member

  • New Member
  • 7 posts

Posted 23 May 2008 - 07:59 AM

Rorschach112, thank you for leading me through a painless process. I really appreciate your help. I will follow your advice to prevent future infection. The service you provide is invaluable. Justin

#14 Rorschach112

Rorschach112

    Teacher Emeritus

  • Authentic Member
  • 3,651 posts

Posted 23 May 2008 - 08:17 AM

Since this issue appears to be resolved ... this Topic has been closed. Glad we could be of assistance. If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread. Everyone else please begin a New Topic.
