
Malware Removal Instructions

I got it and need some help. Trojan.Virtumonde


Re: I got it and need some help. Trojan.Virtumonde

Unread postby Scotty » February 6th, 2008, 5:29 am

How's it going here?
Scotty
Retired Graduate
Posts: 4138
Joined: August 4th, 2006, 5:31 am
Location: Haggistown, Kiltland

Re: I got it and need some help. Trojan.Virtumonde

Unread postby phxmark123 » February 6th, 2008, 10:02 am

Here is the CF-RF log
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
phxmark123
Regular Member
 
Posts: 36
Joined: January 24th, 2008, 10:38 am

Re: I got it and need some help. Trojan.Virtumonde

Unread postby phxmark123 » February 6th, 2008, 10:04 am

It's my weekend again, 4 days this time. It's hard to do anything other than sleep and get ready for work when you work a 12-hour night shift. I'm ready now though, thanks.
phxmark123
Regular Member
 
Posts: 36
Joined: January 24th, 2008, 10:38 am

Re: I got it and need some help. Trojan.Virtumonde

Unread postby Scotty » February 7th, 2008, 5:29 pm

Hi

Reboot into SAFE MODE
    By pressing the F8 key right when Windows starts, usually right after you hear your computer
    beep when you reboot it (some versions of Windows will display 'Starting Windows' with a grey progress bar),
    you will be brought to a menu where you can choose to boot into safe mode.

    If it does not work on the first try, reboot and try again, as you have to be quick when you press it.

    I have found that during boot up, right after the computer displays the equipment, memory, etc.
    installed on your computer, if you start lightly tapping the F8 key, the system will usually display the menu.


Open Notepad - it must be Notepad, not Wordpad.
Copy the text below in the code box by highlighting all the text with your mouse and pressing Ctrl+C

Code:
File::
C:\WINDOWS\Fonts\svchost .exe

RenV::
C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy .exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl .exe
C:\Program Files\Common Files\Real\Update_OB\realsched .exe
C:\Program Files\Common Files\Symantec Shared\ccApp .exe
C:\Program Files\Creative\Sync Manager Unicode\CTSyncU .exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ .exe
C:\Program Files\Digital Media Reader\shwiconem .exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier .exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched .exe
C:\Program Files\McAfee.com\Agent\mcagent .exe
C:\Program Files\McAfee.com\Agent\MCUPDA~1 .EXE
C:\Program Files\Messenger\msmsgs .exe
C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray .exe
C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor .exe
C:\Program Files\SP2 Connection Patcher\SP2ConnPatcher .exe
C:\Program Files\Spyware Doctor\SDTrayApp .exe
C:\Program Files\Spyware Doctor\swdoctor .exe
C:\Program Files\Yahoo!\Messenger\ypager .exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection .exe
C:\Program Files\Yahoo!\Yahoo! Music Engine\YahooMusicEngine .exe
C:\WINDOWS\SMINST\RECGUARD .EXE
C:\WINDOWS\system32\ctfmon .exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04 .exe
 


Go to the Notepad window and click Edit > Paste
Then click File > Save
Name the file "CFScript.txt" (including the quotes)
Save the file to your Desktop

Image


Referring to the picture above, drag CFScript into ComboFix.exe

Combofix will then reboot back into Normal Mode and produce a new log.

In your next reply post:
ComboFix.txt
New HJT log taken after the above scan has run
Last edited by Scotty on February 9th, 2008, 9:14 am, edited 1 time in total.
Scotty
Retired Graduate
 
Posts: 4138
Joined: August 4th, 2006, 5:31 am
Location: Haggistown, Kiltland

Re: I got it and need some help. Trojan.Virtumonde

Unread postby phxmark123 » February 9th, 2008, 8:09 am

Well, that wasn't too fun. I was unable to connect to the internet while in safe mode, so I was unable to reach our conversation to copy the above info and drag it into ComboFix. Do you think it would be OK to copy and save that BEFORE rebooting into safe mode and then do that procedure?
phxmark123
Regular Member
 
Posts: 36
Joined: January 24th, 2008, 10:38 am

Re: I got it and need some help. Trojan.Virtumonde

Unread postby Scotty » February 9th, 2008, 9:11 am

Hi

Yes. I should have adapted the instructions that way. :oops:
Scotty
Retired Graduate
 
Posts: 4138
Joined: August 4th, 2006, 5:31 am
Location: Haggistown, Kiltland

Re: I got it and need some help. Trojan.Virtumonde

Unread postby phxmark123 » February 10th, 2008, 8:33 am

Combofix log

ComboFix 08-01-31.5 - Owner 2008-02-10 5:48:27.3 - NTFSx86 MINIMAL
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.253 [GMT -6:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner\Desktop\CFScript.txt

FILE
C:\WINDOWS\Fonts\svchost .exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\Fonts\svchost .exe
D:\Autorun.inf . . . . failed to delete

.
((((((((((((((((((((((((( Files Created from 2008-01-10 to 2008-02-10 )))))))))))))))))))))))))))))))
.

2008-02-09 05:24 . 2004-08-27 03:54 <DIR> d-------- C:\Documents and Settings\Administrator\WINDOWS
2008-02-09 05:24 . 2005-01-20 17:31 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\SampleView
2008-02-09 05:24 . 2005-01-20 17:31 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\McAfee
2008-02-06 07:58 . 2004-08-03 23:00 260,272 --a------ C:\cmldr
2008-02-06 07:58 . 2008-01-31 10:18 211 --a------ C:\Boot.bak
2008-01-24 08:20 . 2008-01-24 08:20 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-24 06:28 . 2004-08-04 13:00 101,888 --a------ C:\WINDOWS\system32\evntagnt.dll
2008-01-22 16:33 . 2008-01-22 17:20 <DIR> d-------- C:\Documents and Settings\Guest\Application Data\Creative
2008-01-20 20:08 . 2008-01-28 15:18 15,360 --a------ C:\WINDOWS\system32\ctfmon .exe
2008-01-20 19:32 . 2008-01-20 19:32 147,456 --a------ C:\WINDOWS\system32\vbzip10.dll
2008-01-20 08:31 . 2008-01-20 15:20 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Creative
2008-01-20 07:55 . 2008-01-20 07:55 417,792 --a------ C:\WINDOWS\system32\awrdscdc.ax
2008-01-20 07:55 . 1999-10-10 11:00 41,984 --------- C:\WINDOWS\Ctregrun.exe
2008-01-20 07:40 . 2008-01-24 06:05 <DIR> d-------- C:\Program Files\Audible
2008-01-20 07:36 . 2008-01-20 07:38 <DIR> d--h----- C:\Program Files\Creative Installation Information
2008-01-20 07:36 . 2008-01-20 07:36 <DIR> d-------- C:\Program Files\Common Files\Creative
2008-01-20 07:36 . 1999-12-12 11:01 44,032 --a------ C:\WINDOWS\system32\CTSVCCDA.EXE
2008-01-20 07:36 . 1999-11-17 11:00 25,088 --a------ C:\WINDOWS\system32\CTSVCCTL.EXE
2008-01-20 07:33 . 2008-01-20 07:33 <DIR> d-------- C:\Program Files\illiminable
2008-01-20 07:33 . 2008-01-20 07:33 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\YAHOO
2008-01-20 07:30 . 2008-01-20 07:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Creative
2008-01-20 07:28 . 2008-01-20 07:55 <DIR> d-------- C:\Program Files\Creative
2008-01-18 09:17 . 2008-01-31 10:42 <DIR> d-------- C:\pics
2008-01-13 18:18 . 2008-01-20 16:17 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\MusicIP
2008-01-13 18:09 . 2008-01-13 18:09 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2008-01-13 18:04 . 2008-01-13 18:29 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2008-01-13 16:54 . 2008-01-20 16:28 <DIR> d-------- C:\Program Files\MusicIP

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-31 17:08 --------- d-----w C:\Program Files\Spyware Doctor
2008-01-31 17:08 --------- d-----w C:\Program Files\SP2 Connection Patcher
2008-01-31 17:08 --------- d-----w C:\Program Files\QuickTime
2008-01-31 17:08 --------- d-----w C:\Program Files\Digital Media Reader
2008-01-31 16:47 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-01-31 10:40 --------- d-----w C:\Program Files\SymNetDrv
2008-01-31 09:55 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-01-24 12:43 --------- d-----w C:\Program Files\Symantec
2008-01-24 12:40 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-01-24 12:33 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-24 12:33 --------- d-----w C:\Program Files\Thomson
2008-01-24 03:17 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2008-01-21 02:35 1,290 ----a-w C:\Documents and Settings\Owner\Application Data\wklnhst.dat
2008-01-21 00:16 --------- d-----w C:\Program Files\LimeWire
2008-01-20 13:34 --------- d-----w C:\Program Files\Yahoo!
2008-01-09 10:58 360,064 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-01-03 02:36 --------- d-----w C:\Documents and Settings\Owner\Application Data\Atari
2008-01-03 02:30 --------- d-----w C:\Program Files\Common Files\PocketSoft
2008-01-03 02:13 --------- d-----w C:\Program Files\Safari
2008-01-03 02:05 --------- d-----w C:\Program Files\eBay
2008-01-03 01:06 --------- d-----w C:\Program Files\The Weather Channel FW
2007-12-13 00:45 --------- d-----w C:\Program Files\FaceOnBody
2007-01-17 02:25 633,856 ----a-w C:\Documents and Settings\Guest\EscapeToNorrath.exe
2007-01-17 02:25 633,856 ----a-w C:\Documents and Settings\Guest\_scapeToNorrath.exe
2006-06-06 22:39 380 ----a-w C:\Documents and Settings\Guest\Application Data\wklnhst.dat
2005-12-19 18:25 774,144 -c--a-w C:\Program Files\RngInterstitial.dll
2005-05-30 20:42 56 --sh--r C:\WINDOWS\system32\0336349AD7.sys
2005-07-07 07:02 80 -csh--r C:\WINDOWS\system32\F681545F93.dll
2005-05-30 20:44 848 -csha-w C:\WINDOWS\system32\KGyGaAvL.sys
.
Code:
----a-w            57,344 2008-01-31 16:21:59  C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy .exe
----a-w            40,048 2008-01-31 16:21:59  C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl .exe
----a-w           185,896 2008-01-31 16:22:01  C:\Program Files\Common Files\Real\Update_OB\realsched .exe
----a-w            59,040 2008-01-24 11:56:32  C:\Program Files\Common Files\Symantec Shared\ccApp .exe
----a-w           700,416 2008-01-31 16:22:39  C:\Program Files\Creative\Sync Manager Unicode\CTSyncU .exe
----a-w            32,768 2008-01-31 16:21:48  C:\Program Files\CyberLink\PowerDVD\PDVDServ .exe
----a-w           135,168 2008-01-31 16:21:50  C:\Program Files\Digital Media Reader\shwiconem .exe
----a-w            68,856 2008-01-31 09:52:46  C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier .exe
----a-w           132,496 2008-01-31 16:22:01  C:\Program Files\Java\jre1.6.0_03\bin\jusched .exe
----a-w           303,104 2008-01-31 16:48:19  C:\Program Files\McAfee.com\Agent\mcagent .exe
----a-w           212,992 2008-01-31 11:04:05  C:\Program Files\McAfee.com\Agent\MCUPDA~1 .EXE
----a-w         1,694,208 2008-01-31 09:52:46  C:\Program Files\Messenger\msmsgs .exe
----a-w           131,072 2008-01-25 19:04:26  C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray .exe
----a-w            57,344 2008-01-25 11:29:09  C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor .exe
----a-w           409,600 2008-01-31 16:22:23  C:\Program Files\SP2 Connection Patcher\SP2ConnPatcher .exe
----a-w         1,065,288 2008-01-31 16:21:06  C:\Program Files\Spyware Doctor\SDTrayApp .exe
----a-w         2,510,664 2008-01-31 16:46:05  C:\Program Files\Spyware Doctor\swdoctor .exe
----a-w         3,096,576 2008-01-21 02:28:34  C:\Program Files\Yahoo!\Messenger\ypager .exe
----a-w           224,248 2008-01-25 11:19:02  C:\Program Files\Yahoo!\Search Protection\SearchProtection .exe
----a-w         5,541,888 2008-01-31 16:22:20  C:\Program Files\Yahoo!\Yahoo! Music Engine\YahooMusicEngine .exe
----a-w           212,992 2008-01-31 16:21:46  C:\WINDOWS\SMINST\RECGUARD .EXE
----a-w            15,360 2008-01-28 21:18:42  C:\WINDOWS\system32\ctfmon .exe
----a-w           196,608 2008-01-31 16:21:58  C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04 .exe



((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SP2 Connection Patcher"="C:\Program Files\SP2 Connection Patcher\SP2ConnPatcher.exe" [ ]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 13:00 15360]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [ ]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [ ]
"OM_Monitor"="C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe" [ ]
"YSearchProtection"="C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" [ ]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [ ]
"CTSyncU.exe"="C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [ ]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2004-07-12 03:50 4112384]
"NvMediaCenter"="NvMCTray.dll" [2004-07-12 03:50 81920 C:\WINDOWS\system32\nvmctray.dll]
"NVMixerTray"="C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe" [ ]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [ ]
"SunKistEM"="C:\Program Files\Digital Media Reader\shwiconem.exe" [ ]
"MCAgentExe"="c:\PROGRA~1\mcafee.com\agent\mcagent.exe" [ ]
"MCUpdateExe"="C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe" [ ]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe" [ ]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe" [ ]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [ ]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [ ]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [ ]
"YSearchProtection"="C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" [ ]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask .exe" [ ]
"ymetray"="C:\Program Files\Yahoo!\Yahoo! Music Engine\YahooMusicEngine.exe" [ ]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2007-05-29 19:34 5419008]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BigFix.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\BigFix.lnk
backup=C:\WINDOWS\pss\BigFix.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Google Updater.lnk
backup=C:\WINDOWS\pss\Google Updater.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=C:\WINDOWS\pss\Kodak EasyShare software.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak software updater.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Kodak software updater.lnk
backup=C:\WINDOWS\pss\Kodak software updater.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^HotSync Manager.lnk]
path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\HotSync Manager.lnk
backup=C:\WINDOWS\pss\HotSync Manager.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\au]
C:\Program Files\Dealio\DealioAu.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DW4]
C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eBayToolbar]
C:\Program Files\eBay\eBay Toolbar2\eBayTBDaemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LyraHD2TrayApp]
C:\Program Files\Thomson\Lyra Jukebox\LyraHDTrayApp\LYRAHD2TrayApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
C:\Program Files\MSN Messenger\MsnMsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MySpaceIM]
--a------ 2007-05-29 19:34 5419008 C:\Program Files\MySpace\IM\MySpaceIM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 13:50 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2004-07-12 03:50 843776 C:\WINDOWS\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
C:\Program Files\Yahoo!\Messenger\ypager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"UleadBurningHelper"=2 (0x2)
"navapsvc"=3 (0x3)
"LiveUpdate"=3 (0x3)
"gusvc"=2 (0x2)
"ccSetMgr"=2 (0x2)
"ccPwdSvc"=3 (0x3)
"ccEvtMgr"=2 (0x2)
"Automatic LiveUpdate Scheduler"=2 (0x2)


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{95fae826-9427-11dc-b495-0040ca2274d0}]
\Shell\AutoRun\command - J:\Installer.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b090ad61-6b37-11d9-9c11-806d6172696f}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480

.
Contents of the 'Scheduled Tasks' folder
"2008-02-10 10:51:00 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-10 06:12:34
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
C:\WINDOWS\system32\CTsvcCDA.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\MsPMSPSv.exe
.
**************************************************************************
.
Completion time: 2008-02-10 6:17:08 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-10 12:17:04
ComboFix2.txt 2008-02-01 15:07:49
ComboFix3.txt 2008-01-31 17:29:08
.
2008-01-25 09:02:25 --- E O F ---


HJ log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 06:32, on 2008-02-10
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
C:\WINDOWS\system32\CTsvcCDA.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\iseeu.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/def ... .yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/def ... earch.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/def ... .yahoo.com
R3 - URLSearchHook: OLE (Part 1 of 5) - - (no file)
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: (no name) - rsion - (no file)
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Kelly Job Search - {5776A2BC-D803-47F6-9DC0-8344DB8D604C} - C:\Program Files\IEToolbar\kelly_services.dll (file missing)
O3 - Toolbar: Nick Aracde Toolbar - {4E7BD74F-2B8D-469E-9EB4-FE6FA694B13E} - C:\PROGRA~1\NICKAR~1\NICKAR~1.DLL (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn2\yt.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\Digital Media Reader\shwiconem.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask .exe" -atboottime
O4 - HKLM\..\Run: [ymetray] "C:\Program Files\Yahoo!\Yahoo! Music Engine\YahooMusicEngine.exe" -preload
O4 - HKCU\..\Run: [SP2 Connection Patcher] "C:\Program Files\SP2 Connection Patcher\SP2ConnPatcher.exe" -n=200
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe -NoStart
O4 - HKCU\..\Run: [YSearchProtection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [CTSyncU.exe] "C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe"
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &eBay Search - res://C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\Windows Live Toolbar\Components\en-us\msntabres.dll.mui/229?2f724e3d190543d49695a57fc2a724c9
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\Windows Live Toolbar\Components\en-us\msntabres.dll.mui/230?2f724e3d190543d49695a57fc2a724c9
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Dealio - {E908B145-C847-4e85-B315-07E2E70DECF8} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.Net\PartyPokerNet\RunPF.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.Net\PartyPokerNet\RunPF.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} (GameLauncher Control) - http://www.acclaim.com/cabs/acclaim_v4.cab
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://sympatico.zone.msn.com/bingame/l ... uncher.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v ... b53083.cab
O16 - DPF: {CC32D4D8-2A0B-4CEB-B105-C9B968379105} (CGameManagerCtrl Object) - https://disney.go.com/games/downloads/g ... anager.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O16 - DPF: {DC75FEF6-165D-4D25-A518-C8C4BDA7BAA6} (CPlayFirstDinerDashControl Object) - http://aolsvc.aol.com/onlinegames/diner ... 0.0.72.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://download.games.yahoo.com/games/w ... der_v6.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by121fd.bay121.hotmail.msn.com/a ... Atchmt.ocx
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Active File Monitor V4 (AdobeActiveFileMonitor4.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe

--
End of file - 11409 bytes
phxmark123
Regular Member
 
Posts: 36
Joined: January 24th, 2008, 10:38 am
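
As an added example, not code from this thread, from ComboFix or from HijackThis, the script below applies the two checks that Scotty's CFScript (the File:: and RenV:: sections) and the ComboFix/HijackThis logs above turn on: an executable whose name carries whitespace before the extension ("svchost .exe", "ctfmon .exe"), a file named svchost.exe living outside the folders where Windows XP keeps it, and an AutoRun command under mountpoints2 that points at a drive other than the system drive. The sample lines are constructed from entries quoted in this thread; the list of folders where a genuine svchost.exe lives is an assumption made for this example.

```python
"""Triage helper for ComboFix / HijackThis style log lines (added example)."""
import ntpath
import re
from dataclasses import dataclass, field
from typing import Iterable, List

# Constructed sample lines, modelled on entries quoted in the thread.
SAMPLE_LINES = [
    r"C:\WINDOWS\Fonts\svchost .exe",
    r"C:\WINDOWS\system32\svchost.exe",
    r"----a-w            15,360 2008-01-28 21:18:42  C:\WINDOWS\system32\ctfmon .exe",
    r'"QuickTime Task"="C:\Program Files\QuickTime\QTTask .exe" [ ]',
    r"O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE",
    r"\Shell\AutoRun\command - J:\Installer.exe",
    r"C:\Program Files\Mozilla Firefox\firefox.exe",
]

# A drive-letter path ending in an executable-type extension. The "\s*" before the
# dot deliberately tolerates the "name .exe" spelling so such paths are captured.
PATH_RE = re.compile(r'[A-Za-z]:\\[^"\[\]]*?\s*\.(?:exe|dll|sys|com|scr)\b', re.IGNORECASE)
SPACED_EXT_RE = re.compile(r"\s\.[A-Za-z]+$")

# Folders where a genuine svchost.exe lives on Windows XP (assumption for this example).
SVCHOST_HOMES = {
    r"c:\windows\system32",
    r"c:\windows\system32\dllcache",
    r"c:\windows\servicepackfiles\i386",
}


@dataclass
class Finding:
    line: str
    path: str
    reasons: List[str] = field(default_factory=list)


def canonical_name(path: str) -> str:
    """Basename with any whitespace before the extension removed, lower-cased."""
    return re.sub(r"\s+\.", ".", ntpath.basename(path)).lower()


def triage(lines: Iterable[str]) -> List[Finding]:
    """Return one Finding per suspicious executable path found in the lines."""
    findings: List[Finding] = []
    for line in lines:
        for path in PATH_RE.findall(line):
            reasons = []
            # 1. "svchost .exe": whitespace between the name and the extension.
            if SPACED_EXT_RE.search(path):
                reasons.append("whitespace before file extension")
            # 2. svchost.exe anywhere except its known folders.
            if (canonical_name(path) == "svchost.exe"
                    and ntpath.dirname(path).lower() not in SVCHOST_HOMES):
                reasons.append("svchost.exe outside its expected folders")
            # 3. AutoRun command on a drive other than C: (heuristic).
            if r"\shell\autorun\command" in line.lower() and not path.lower().startswith("c:\\"):
                reasons.append("AutoRun command on a non-system drive")
            if reasons:
                findings.append(Finding(line, path, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LINES):
        print(f"{f.path!r}: {'; '.join(f.reasons)}")
```

Run against a real ComboFix.txt or HijackThis log, each finding names the path and the reason it was flagged; the RenV:: entries Scotty listed are exactly the lines the first check would produce, and the C:\WINDOWS\Fonts\svchost .exe entry trips both of the first two checks.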

Re: I got it and need some help. Trojan.Virtumonde

Unread postby Scotty » February 10th, 2008, 5:12 pm

Hi

Because Combofix is regularly updated, and you have had your copy a couple of weeks now, please delete the copy you have by deleting the icon on your Desktop only, and follow these instructions again.


Please download Combofix from Bleeping Computer.

If you can't download it from there, please try these 2 alternative sites:

Forospyware
Geeks to Go

  • Save it to your Desktop.
  • Disconnect from the Internet, then disable your anti-virus and any real-time anti-spyware monitors that are running.
  • Click Start>Run copy/paste or type "%userprofile%\desktop\combofix.exe" /killall into the Run box and click OK.
  • When finished, it shall produce a log for you. Post that log in your next reply with a new HijackThis log.

Note 1: Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
Note 2: Remember to re-enable your anti-virus and anti-spyware before reconnecting to the Internet.



In your next reply post:
ComboFix.txt
New HijackThis log taken after the above scan has run
Scotty
Retired Graduate
 
Posts: 4138
Joined: August 4th, 2006, 5:31 am
Location: Haggistown, Kiltland

Re: I got it and need some help. Trojan.Virtumonde

Unread postby phxmark123 » February 11th, 2008, 5:56 pm

ComboFix 08-02-12.1 - Owner 2008-02-11 15:21:52.4 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.214 [GMT -6:00]
Running from: C:\Documents and Settings\Owner\desktop\combofix.exe
Command switches used :: /killall
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

D:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2008-01-12 to 2008-02-12 )))))))))))))))))))))))))))))))
.

2008-02-09 05:24 . 2004-08-27 03:54 <DIR> d-------- C:\Documents and Settings\Administrator\WINDOWS
2008-02-09 05:24 . 2005-01-20 17:31 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\SampleView
2008-02-09 05:24 . 2005-01-20 17:31 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\McAfee
2008-01-24 08:20 . 2008-01-24 08:20 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-24 06:28 . 2004-08-04 13:00 101,888 --a------ C:\WINDOWS\system32\evntagnt.dll
2008-01-22 16:33 . 2008-01-22 17:20 <DIR> d-------- C:\Documents and Settings\Guest\Application Data\Creative
2008-01-20 20:08 . 2008-01-28 15:18 15,360 --a------ C:\WINDOWS\system32\ctfmon .exe
2008-01-20 19:32 . 2008-01-20 19:32 147,456 --a------ C:\WINDOWS\system32\vbzip10.dll
2008-01-20 08:31 . 2008-01-20 15:20 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Creative
2008-01-20 07:55 . 2008-01-20 07:55 417,792 --a------ C:\WINDOWS\system32\awrdscdc.ax
2008-01-20 07:55 . 1999-10-10 11:00 41,984 --------- C:\WINDOWS\Ctregrun.exe
2008-01-20 07:40 . 2008-01-24 06:05 <DIR> d-------- C:\Program Files\Audible
2008-01-20 07:36 . 2008-01-20 07:38 <DIR> d--h----- C:\Program Files\Creative Installation Information
2008-01-20 07:36 . 2008-01-20 07:36 <DIR> d-------- C:\Program Files\Common Files\Creative
2008-01-20 07:36 . 1999-12-12 11:01 44,032 --a------ C:\WINDOWS\system32\CTSVCCDA.EXE
2008-01-20 07:36 . 1999-11-17 11:00 25,088 --a------ C:\WINDOWS\system32\CTSVCCTL.EXE
2008-01-20 07:33 . 2008-01-20 07:33 <DIR> d-------- C:\Program Files\illiminable
2008-01-20 07:33 . 2008-01-20 07:33 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\YAHOO
2008-01-20 07:30 . 2008-01-20 07:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Creative
2008-01-20 07:28 . 2008-01-20 07:55 <DIR> d-------- C:\Program Files\Creative
2008-01-18 09:17 . 2008-01-31 10:42 <DIR> d-------- C:\pics
2008-01-13 18:18 . 2008-01-20 16:17 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\MusicIP
2008-01-13 18:09 . 2008-01-13 18:09 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2008-01-13 18:04 . 2008-01-13 18:29 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2008-01-13 16:54 . 2008-01-20 16:28 <DIR> d-------- C:\Program Files\MusicIP

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-31 17:08 --------- d-----w C:\Program Files\Spyware Doctor
2008-01-31 17:08 --------- d-----w C:\Program Files\SP2 Connection Patcher
2008-01-31 17:08 --------- d-----w C:\Program Files\QuickTime
2008-01-31 17:08 --------- d-----w C:\Program Files\Digital Media Reader
2008-01-31 16:47 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-01-31 10:40 --------- d-----w C:\Program Files\SymNetDrv
2008-01-31 09:55 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-01-24 12:43 --------- d-----w C:\Program Files\Symantec
2008-01-24 12:40 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-01-24 12:33 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-24 12:33 --------- d-----w C:\Program Files\Thomson
2008-01-24 03:17 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2008-01-21 02:35 1,290 ----a-w C:\Documents and Settings\Owner\Application Data\wklnhst.dat
2008-01-21 00:16 --------- d-----w C:\Program Files\LimeWire
2008-01-20 13:34 --------- d-----w C:\Program Files\Yahoo!
2008-01-09 10:58 360,064 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-01-03 02:36 --------- d-----w C:\Documents and Settings\Owner\Application Data\Atari
2008-01-03 02:30 --------- d-----w C:\Program Files\Common Files\PocketSoft
2008-01-03 02:13 --------- d-----w C:\Program Files\Safari
2008-01-03 02:05 --------- d-----w C:\Program Files\eBay
2008-01-03 01:06 --------- d-----w C:\Program Files\The Weather Channel FW
2007-12-13 00:45 --------- d-----w C:\Program Files\FaceOnBody
2007-01-17 02:25 633,856 ----a-w C:\Documents and Settings\Guest\EscapeToNorrath.exe
2007-01-17 02:25 633,856 ----a-w C:\Documents and Settings\Guest\_scapeToNorrath.exe
2006-06-06 22:39 380 ----a-w C:\Documents and Settings\Guest\Application Data\wklnhst.dat
2005-12-19 18:25 774,144 -c--a-w C:\Program Files\RngInterstitial.dll
2005-05-30 20:42 56 --sh--r C:\WINDOWS\system32\0336349AD7.sys
2005-07-07 07:02 80 -csh--r C:\WINDOWS\system32\F681545F93.dll
2005-05-30 20:44 848 -csha-w C:\WINDOWS\system32\KGyGaAvL.sys
.
Code:
----a-w            57,344 2008-01-31 16:21:59  C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy .exe
----a-w            40,048 2008-01-31 16:21:59  C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl .exe
----a-w           185,896 2008-01-31 16:22:01  C:\Program Files\Common Files\Real\Update_OB\realsched .exe
----a-w            59,040 2008-01-24 11:56:32  C:\Program Files\Common Files\Symantec Shared\ccApp .exe
----a-w           700,416 2008-01-31 16:22:39  C:\Program Files\Creative\Sync Manager Unicode\CTSyncU .exe
----a-w            32,768 2008-01-31 16:21:48  C:\Program Files\CyberLink\PowerDVD\PDVDServ .exe
----a-w           135,168 2008-01-31 16:21:50  C:\Program Files\Digital Media Reader\shwiconem .exe
----a-w            68,856 2008-01-31 09:52:46  C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier .exe
----a-w           132,496 2008-01-31 16:22:01  C:\Program Files\Java\jre1.6.0_03\bin\jusched .exe
----a-w           303,104 2008-01-31 16:48:19  C:\Program Files\McAfee.com\Agent\mcagent .exe
----a-w           212,992 2008-01-31 11:04:05  C:\Program Files\McAfee.com\Agent\MCUPDA~1 .EXE
----a-w         1,694,208 2008-01-31 09:52:46  C:\Program Files\Messenger\msmsgs .exe
----a-w           131,072 2008-01-25 19:04:26  C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray .exe
----a-w            57,344 2008-01-25 11:29:09  C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor .exe
----a-w           409,600 2008-01-31 16:22:23  C:\Program Files\SP2 Connection Patcher\SP2ConnPatcher .exe
----a-w         1,065,288 2008-01-31 16:21:06  C:\Program Files\Spyware Doctor\SDTrayApp .exe
----a-w         2,510,664 2008-01-31 16:46:05  C:\Program Files\Spyware Doctor\swdoctor .exe
----a-w         3,096,576 2008-01-21 02:28:34  C:\Program Files\Yahoo!\Messenger\ypager .exe
----a-w           224,248 2008-01-25 11:19:02  C:\Program Files\Yahoo!\Search Protection\SearchProtection .exe
----a-w         5,541,888 2008-01-31 16:22:20  C:\Program Files\Yahoo!\Yahoo! Music Engine\YahooMusicEngine .exe
----a-w           212,992 2008-01-31 16:21:46  C:\WINDOWS\SMINST\RECGUARD .EXE
----a-w            15,360 2008-01-28 21:18:42  C:\WINDOWS\system32\ctfmon .exe
----a-w           196,608 2008-01-31 16:21:58  C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04 .exe



((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SP2 Connection Patcher"="C:\Program Files\SP2 Connection Patcher\SP2ConnPatcher.exe" [ ]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 13:00 15360]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [ ]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [ ]
"OM_Monitor"="C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe" [ ]
"YSearchProtection"="C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" [ ]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [ ]
"CTSyncU.exe"="C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [ ]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2004-07-12 03:50 4112384]
"NvMediaCenter"="NvMCTray.dll" [2004-07-12 03:50 81920 C:\WINDOWS\system32\nvmctray.dll]
"NVMixerTray"="C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe" [ ]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [ ]
"SunKistEM"="C:\Program Files\Digital Media Reader\shwiconem.exe" [ ]
"MCAgentExe"="c:\PROGRA~1\mcafee.com\agent\mcagent.exe" [ ]
"MCUpdateExe"="C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe" [ ]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe" [ ]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe" [ ]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [ ]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [ ]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [ ]
"YSearchProtection"="C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" [ ]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask .exe" [ ]
"ymetray"="C:\Program Files\Yahoo!\Yahoo! Music Engine\YahooMusicEngine.exe" [ ]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2007-05-29 19:34 5419008]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BigFix.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\BigFix.lnk
backup=C:\WINDOWS\pss\BigFix.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Google Updater.lnk
backup=C:\WINDOWS\pss\Google Updater.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=C:\WINDOWS\pss\Kodak EasyShare software.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak software updater.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Kodak software updater.lnk
backup=C:\WINDOWS\pss\Kodak software updater.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^HotSync Manager.lnk]
path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\HotSync Manager.lnk
backup=C:\WINDOWS\pss\HotSync Manager.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\au]
C:\Program Files\Dealio\DealioAu.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DW4]
C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eBayToolbar]
C:\Program Files\eBay\eBay Toolbar2\eBayTBDaemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LyraHD2TrayApp]
C:\Program Files\Thomson\Lyra Jukebox\LyraHDTrayApp\LYRAHD2TrayApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
C:\Program Files\MSN Messenger\MsnMsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MySpaceIM]
--a------ 2007-05-29 19:34 5419008 C:\Program Files\MySpace\IM\MySpaceIM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 13:50 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2004-07-12 03:50 843776 C:\WINDOWS\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
C:\Program Files\Yahoo!\Messenger\ypager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"UleadBurningHelper"=2 (0x2)
"navapsvc"=3 (0x3)
"LiveUpdate"=3 (0x3)
"gusvc"=2 (0x2)
"ccSetMgr"=2 (0x2)
"ccPwdSvc"=3 (0x3)
"ccEvtMgr"=2 (0x2)
"Automatic LiveUpdate Scheduler"=2 (0x2)


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{95fae826-9427-11dc-b495-0040ca2274d0}]
\Shell\AutoRun\command - J:\Installer.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b090ad61-6b37-11d9-9c11-806d6172696f}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480

.
Contents of the 'Scheduled Tasks' folder
"2008-02-11 20:51:00 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-12 15:28:58
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
C:\WINDOWS\system32\CTsvcCDA.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\MsPMSPSv.exe
.
**************************************************************************
.
Completion time: 2008-02-12 15:35:41 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-12 21:35:37
ComboFix2.txt 2008-02-10 12:17:08
ComboFix3.txt 2008-02-01 15:07:49
ComboFix4.txt 2008-01-31 17:29:08
.
2008-01-25 09:02:25 --- E O F ---
phxmark123
Regular Member
 
Posts: 36
Joined: January 24th, 2008, 10:38 am

Re: I got it and need some help. Trojan.Virtumonde

Unread postby phxmark123 » February 11th, 2008, 6:15 pm

Hi,
How's it going? What all are you seeing about with what is going on with this computer? You keep telling me to remember to run my spyware and antivirus programs. I told you that I cannot because both of those exe files have a .vir at the end of them like this "spywaredoctor.exe.vir". Can you talk to me about what that is all about? I think we have spent about 3 weeks or more doing this and I would really like to cure this soon. Let me know how you think it's going because I am considering reformatting this computer. All I really have on here that I might lose is some recent pictures and some music. Talk to me and let me know what you think. Thanks
phxmark123
Regular Member
 
Posts: 36
Joined: January 24th, 2008, 10:38 am

Re: I got it and need some help. Trojan.Virtumonde

Unread postby Scotty » February 12th, 2008, 3:25 pm

Hi

I know this is taking a while, but between us and my teacher, we are in different time zones with other commitments. This particular infection is proving to be stubborn but we are getting there, so let's now hit it once again.

Please delete the copy of Combofix from your Desktop again, and follow these instructions.

Please download Combofix from Bleeping Computer.

Save it to your Desktop.

If you can't download it from there, please try these 2 alternative sites:

Forospyware
Geeks to Go



Open Notepad - it must be Notepad, not Wordpad.
Copy the text below in the code box by highlighting all the text with your mouse and pressing Ctrl+C

Code:
KillAll::
 
RenV::
----a-w            57,344 2008-01-31 16:21:59  C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy .exe
----a-w            40,048 2008-01-31 16:21:59  C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl .exe
----a-w           185,896 2008-01-31 16:22:01  C:\Program Files\Common Files\Real\Update_OB\realsched .exe
----a-w            59,040 2008-01-24 11:56:32  C:\Program Files\Common Files\Symantec Shared\ccApp .exe
----a-w           700,416 2008-01-31 16:22:39  C:\Program Files\Creative\Sync Manager Unicode\CTSyncU .exe
----a-w            32,768 2008-01-31 16:21:48  C:\Program Files\CyberLink\PowerDVD\PDVDServ .exe
----a-w           135,168 2008-01-31 16:21:50  C:\Program Files\Digital Media Reader\shwiconem .exe
----a-w            68,856 2008-01-31 09:52:46  C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier .exe
----a-w           132,496 2008-01-31 16:22:01  C:\Program Files\Java\jre1.6.0_03\bin\jusched .exe
----a-w           303,104 2008-01-31 16:48:19  C:\Program Files\McAfee.com\Agent\mcagent .exe
----a-w           212,992 2008-01-31 11:04:05  C:\Program Files\McAfee.com\Agent\MCUPDA~1 .EXE
----a-w         1,694,208 2008-01-31 09:52:46  C:\Program Files\Messenger\msmsgs .exe
----a-w           131,072 2008-01-25 19:04:26  C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray .exe
----a-w            57,344 2008-01-25 11:29:09  C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor .exe
----a-w           409,600 2008-01-31 16:22:23  C:\Program Files\SP2 Connection Patcher\SP2ConnPatcher .exe
----a-w         1,065,288 2008-01-31 16:21:06  C:\Program Files\Spyware Doctor\SDTrayApp .exe
----a-w         2,510,664 2008-01-31 16:46:05  C:\Program Files\Spyware Doctor\swdoctor .exe
----a-w         3,096,576 2008-01-21 02:28:34  C:\Program Files\Yahoo!\Messenger\ypager .exe
----a-w           224,248 2008-01-25 11:19:02  C:\Program Files\Yahoo!\Search Protection\SearchProtection .exe
----a-w         5,541,888 2008-01-31 16:22:20  C:\Program Files\Yahoo!\Yahoo! Music Engine\YahooMusicEngine .exe
----a-w           212,992 2008-01-31 16:21:46  C:\WINDOWS\SMINST\RECGUARD .EXE
----a-w            15,360 2008-01-28 21:18:42  C:\WINDOWS\system32\ctfmon .exe
----a-w           196,608 2008-01-31 16:21:58  C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04 .exe
 


Go to the Notepad window and click Edit > Paste
Then click File > Save
Name the file "CFScript.txt" (including the quotes)
Save the file to your Desktop

Image


Referring to the picture above, drag CFScript into ComboFix.exe

In your next reply post:
ComboFix.txt
New HJT log taken after the above scan has run
Scotty
Retired Graduate
 
Posts: 4138
Joined: August 4th, 2006, 5:31 am
Location: Haggistown, Kiltland
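The RenV:: block in Scotty's script above lists legitimate executables that the infection renamed from "name.exe" to "name .exe" (a space in front of the extension), which is why every matching Run value in the earlier ComboFix log shows an empty "[ ]" where the file size and date should be: the registry still points at the original name, and nothing exists there any more. The following Python script is an added example written for this page, not ComboFix's code and not something from this thread. It parses lines in the layout ComboFix prints, works out the original name, and renames each file back with two checks that the logs motivate: an 8.3 short name such as MCUPDA~1 .EXE is skipped because the long name cannot be recovered offline (the second log shows that entry was indeed left behind), and a file that already exists under the original name is never overwritten, since that file is the one the Run key would actually launch and deserves inspection. The refuse-to-overwrite policy is this example's own choice, not a description of how ComboFix handles RenV::. The sample directory in demo() is constructed for the example.

```python
"""Restore executables renamed from 'name.exe' to 'name .exe'.

Added example for this thread; not ComboFix's code.  Handles two edge cases
visible in the logs: 8.3 short names (MCUPDA~1 .EXE) and a file that already
occupies the original name.
"""
import ntpath
import re
import tempfile
from pathlib import Path

# One file per line, in the layout ComboFix prints: attrs, size, date, time, path.
RENV_LINE = re.compile(
    r"^(?P<attrs>\S+)\s+(?P<size>[\d,]+)\s+(?P<date>\d{4}-\d{2}-\d{2})\s+"
    r"(?P<time>\d{2}:\d{2}:\d{2})\s+(?P<path>.+?)\s*$"
)
# 'apdproxy .exe' -> stem 'apdproxy', ext '.exe'; no match when there is no space.
SPACED_EXT = re.compile(r"^(?P<stem>.*\S) +(?P<ext>\.[A-Za-z0-9]+)$")
# An 8.3 short-name component such as MCUPDA~1; the long name is unknown offline.
SHORT_NAME = re.compile(r"~\d+")

# Three lines copied from the ComboFix log in this thread, used as sample input.
SAMPLE_LOG = [
    r"----a-w            57,344 2008-01-31 16:21:59  C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy .exe",
    r"----a-w           212,992 2008-01-31 11:04:05  C:\Program Files\McAfee.com\Agent\MCUPDA~1 .EXE",
    r"----a-w            15,360 2008-01-28 21:18:42  C:\WINDOWS\system32\ctfmon .exe",
]


def restored_name(filename):
    """Return the name with the space before the extension removed, or None."""
    m = SPACED_EXT.match(filename)
    return m.group("stem") + m.group("ext") if m else None


def plan_renames(log_lines):
    """Turn log lines into ('rename', src, dst) or ('skip', src, reason) tuples.

    Uses ntpath so Windows paths are handled correctly on any host OS.
    """
    plan = []
    for line in log_lines:
        m = RENV_LINE.match(line)
        if not m:
            continue
        path = m.group("path")
        directory, filename = ntpath.split(path)
        if SHORT_NAME.search(filename):
            plan.append(("skip", path, "8.3 short name: long name unknown offline"))
            continue
        fixed = restored_name(filename)
        if fixed is None:
            plan.append(("skip", path, "no space before extension"))
            continue
        plan.append(("rename", path, ntpath.join(directory, fixed)))
    return plan


def restore_directory(directory):
    """Rename 'name .exe' -> 'name.exe' in a real directory without overwriting.

    Returns {'renamed': [...], 'conflict': [...], 'short': [...]} of file names.
    """
    result = {"renamed": [], "conflict": [], "short": []}
    for src in sorted(Path(directory).iterdir()):
        if not src.is_file():
            continue
        if SHORT_NAME.search(src.name):
            result["short"].append(src.name)
            continue
        fixed = restored_name(src.name)
        if fixed is None:
            continue
        dst = src.with_name(fixed)
        if dst.exists():
            # Something already answers to the original name: that is what the
            # Run key launches, so keep both files for inspection instead.
            result["conflict"].append(src.name)
            continue
        src.rename(dst)
        result["renamed"].append(fixed)
    return result


def demo():
    """Constructed sample: two renamed files, one impostor, one 8.3 short name."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "apdproxy .exe").write_bytes(b"MZ legit")
        (root / "ctfmon .exe").write_bytes(b"MZ legit")
        (root / "ctfmon.exe").write_bytes(b"MZ dropped")  # occupies the real name
        (root / "MCUPDA~1 .EXE").write_bytes(b"MZ legit")
        return restore_directory(root)


if __name__ == "__main__":
    for action in plan_renames(SAMPLE_LOG):
        print(action)
    print(demo())
```

plan_renames() is the dry run: feed it the RenV:: lines and read back exactly which files would move and which are skipped before touching anything. restore_directory() does the work on a real folder and reports the conflicts separately so a helper can look at the file that is sitting under the legitimate name before deciding what to do with it.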

Re: I got it and need some help. Trojan.Virtumonde

Unread postby phxmark123 » February 12th, 2008, 5:26 pm

ComboFix 08-02-13.1 - Owner 2008-02-13 15:08:30.5 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.193 [GMT -6:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner\Desktop\CFscript.txt
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2008-01-13 to 2008-02-13 )))))))))))))))))))))))))))))))
.

2008-02-09 05:24 . 2004-08-27 03:54 <DIR> d-------- C:\Documents and Settings\Administrator\WINDOWS
2008-02-09 05:24 . 2005-01-20 17:31 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\SampleView
2008-02-09 05:24 . 2005-01-20 17:31 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\McAfee
2008-01-24 08:20 . 2008-01-24 08:20 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-24 06:28 . 2004-08-04 13:00 101,888 --a------ C:\WINDOWS\system32\evntagnt.dll
2008-01-22 16:33 . 2008-01-22 17:20 <DIR> d-------- C:\Documents and Settings\Guest\Application Data\Creative
2008-01-20 20:08 . 2008-01-28 15:18 15,360 --a--c--- C:\WINDOWS\system32\dllcache\ctfmon.exe
2008-01-20 20:08 . 2008-01-28 15:18 15,360 --a------ C:\WINDOWS\system32\ctfmon.exe
2008-01-20 19:32 . 2008-01-20 19:32 147,456 --a------ C:\WINDOWS\system32\vbzip10.dll
2008-01-20 08:31 . 2008-01-20 15:20 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Creative
2008-01-20 07:55 . 2008-01-20 07:55 417,792 --a------ C:\WINDOWS\system32\awrdscdc.ax
2008-01-20 07:55 . 1999-10-10 11:00 41,984 --------- C:\WINDOWS\Ctregrun.exe
2008-01-20 07:40 . 2008-01-24 06:05 <DIR> d-------- C:\Program Files\Audible
2008-01-20 07:36 . 2008-01-20 07:38 <DIR> d--h----- C:\Program Files\Creative Installation Information
2008-01-20 07:36 . 2008-01-20 07:36 <DIR> d-------- C:\Program Files\Common Files\Creative
2008-01-20 07:36 . 1999-12-12 11:01 44,032 --a------ C:\WINDOWS\system32\CTSVCCDA.EXE
2008-01-20 07:36 . 1999-11-17 11:00 25,088 --a------ C:\WINDOWS\system32\CTSVCCTL.EXE
2008-01-20 07:33 . 2008-01-20 07:33 <DIR> d-------- C:\Program Files\illiminable
2008-01-20 07:33 . 2008-01-20 07:33 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\YAHOO
2008-01-20 07:30 . 2008-01-20 07:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Creative
2008-01-20 07:28 . 2008-01-20 07:55 <DIR> d-------- C:\Program Files\Creative
2008-01-18 09:17 . 2008-01-31 10:42 <DIR> d-------- C:\pics
2008-01-13 18:18 . 2008-01-20 16:17 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\MusicIP
2008-01-13 18:09 . 2008-01-13 18:09 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2008-01-13 18:04 . 2008-01-13 18:29 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2008-01-13 16:54 . 2008-01-20 16:28 <DIR> d-------- C:\Program Files\MusicIP

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-13 21:16 --------- d-----w C:\Program Files\SP2 Connection Patcher
2008-02-13 21:08 --------- d-----w C:\Program Files\Spyware Doctor
2008-02-13 21:08 --------- d-----w C:\Program Files\Digital Media Reader
2008-02-13 21:08 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-01-31 17:08 --------- d-----w C:\Program Files\QuickTime
2008-01-31 16:47 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-01-31 10:40 --------- d-----w C:\Program Files\SymNetDrv
2008-01-24 12:43 --------- d-----w C:\Program Files\Symantec
2008-01-24 12:40 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-01-24 12:33 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-24 12:33 --------- d-----w C:\Program Files\Thomson
2008-01-24 03:17 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2008-01-21 02:35 1,290 ----a-w C:\Documents and Settings\Owner\Application Data\wklnhst.dat
2008-01-21 00:16 --------- d-----w C:\Program Files\LimeWire
2008-01-20 13:34 --------- d-----w C:\Program Files\Yahoo!
2008-01-09 10:58 360,064 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-01-03 02:36 --------- d-----w C:\Documents and Settings\Owner\Application Data\Atari
2008-01-03 02:30 --------- d-----w C:\Program Files\Common Files\PocketSoft
2008-01-03 02:13 --------- d-----w C:\Program Files\Safari
2008-01-03 02:05 --------- d-----w C:\Program Files\eBay
2008-01-03 01:06 --------- d-----w C:\Program Files\The Weather Channel FW
2007-12-13 00:45 --------- d-----w C:\Program Files\FaceOnBody
2007-01-17 02:25 633,856 ----a-w C:\Documents and Settings\Guest\EscapeToNorrath.exe
2007-01-17 02:25 633,856 ----a-w C:\Documents and Settings\Guest\_scapeToNorrath.exe
2006-06-06 22:39 380 ----a-w C:\Documents and Settings\Guest\Application Data\wklnhst.dat
2005-12-19 18:25 774,144 -c--a-w C:\Program Files\RngInterstitial.dll
2005-05-30 20:42 56 --sh--r C:\WINDOWS\system32\0336349AD7.sys
2005-07-07 07:02 80 -csh--r C:\WINDOWS\system32\F681545F93.dll
2005-05-30 20:44 848 -csha-w C:\WINDOWS\system32\KGyGaAvL.sys
.
Code:
----a-w           212,992 2008-01-31 11:04:05  C:\Program Files\McAfee.com\Agent\MCUPDA~1 .EXE



((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SP2 Connection Patcher"="C:\Program Files\SP2 Connection Patcher\SP2ConnPatcher.exe" [2008-01-31 10:22 409600]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-01-28 15:18 15360]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [ ]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2008-01-31 03:52 1694208]
"OM_Monitor"="C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe" [2008-01-25 05:29 57344]
"YSearchProtection"="C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" [2008-01-25 05:19 224248]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-01-31 03:52 68856]
"CTSyncU.exe"="C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe" [2008-01-31 10:22 700416]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2008-01-31 10:21 212992]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2004-07-12 03:50 4112384]
"NvMediaCenter"="NvMCTray.dll" [2004-07-12 03:50 81920 C:\WINDOWS\system32\nvmctray.dll]
"NVMixerTray"="C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe" [2008-01-25 13:04 131072]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2008-01-31 10:21 32768]
"SunKistEM"="C:\Program Files\Digital Media Reader\shwiconem.exe" [2008-01-31 10:21 135168]
"MCAgentExe"="c:\PROGRA~1\mcafee.com\agent\mcagent.exe" [2008-01-31 10:48 303104]
"MCUpdateExe"="C:\PROGRA~1\mcafee.com\agent\McUpdate.exe" [ ]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe" [2008-01-31 10:21 196608]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe" [2008-01-31 10:21 57344]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-31 10:21 40048]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2008-01-31 10:22 132496]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-01-31 10:22 185896]
"YSearchProtection"="C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" [2008-01-25 05:19 224248]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask .exe" [ ]
"ymetray"="C:\Program Files\Yahoo!\Yahoo! Music Engine\YahooMusicEngine.exe" [2008-01-31 10:22 5541888]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2007-05-29 19:34 5419008]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BigFix.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\BigFix.lnk
backup=C:\WINDOWS\pss\BigFix.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Google Updater.lnk
backup=C:\WINDOWS\pss\Google Updater.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=C:\WINDOWS\pss\Kodak EasyShare software.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak software updater.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Kodak software updater.lnk
backup=C:\WINDOWS\pss\Kodak software updater.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^HotSync Manager.lnk]
path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\HotSync Manager.lnk
backup=C:\WINDOWS\pss\HotSync Manager.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\au]
C:\Program Files\Dealio\DealioAu.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DW4]
C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eBayToolbar]
C:\Program Files\eBay\eBay Toolbar2\eBayTBDaemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LyraHD2TrayApp]
C:\Program Files\Thomson\Lyra Jukebox\LyraHDTrayApp\LYRAHD2TrayApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
C:\Program Files\MSN Messenger\MsnMsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MySpaceIM]
--a------ 2007-05-29 19:34 5419008 C:\Program Files\MySpace\IM\MySpaceIM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 13:50 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2004-07-12 03:50 843776 C:\WINDOWS\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2008-01-31 03:52 68856 C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2008-01-31 10:22 185896 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2008-01-20 20:28 3096576 C:\Program Files\Yahoo!\Messenger\ypager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"UleadBurningHelper"=2 (0x2)
"navapsvc"=3 (0x3)
"LiveUpdate"=3 (0x3)
"gusvc"=2 (0x2)
"ccSetMgr"=2 (0x2)
"ccPwdSvc"=3 (0x3)
"ccEvtMgr"=2 (0x2)
"Automatic LiveUpdate Scheduler"=2 (0x2)


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{95fae826-9427-11dc-b495-0040ca2274d0}]
\Shell\AutoRun\command - J:\Installer.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b090ad61-6b37-11d9-9c11-806d6172696f}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480

.
Contents of the 'Scheduled Tasks' folder
"2008-02-13 20:51:00 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-13 15:15:48
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
C:\WINDOWS\system32\CTsvcCDA.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Yahoo!\Yahoo! Music Engine\ymetray.exe
.
**************************************************************************
.
Completion time: 2008-02-13 15:23:47 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-13 21:23:43
ComboFix2.txt 2008-02-12 21:35:41
ComboFix3.txt 2008-02-10 12:17:08
ComboFix4.txt 2008-02-01 15:07:49
ComboFix5.txt 2008-01-31 17:29:08
.
2008-01-25 09:02:25 --- E O F ---


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:26, on 2008-02-13
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
C:\WINDOWS\system32\CTsvcCDA.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Digital Media Reader\shwiconem.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Yahoo!\Yahoo! Music Engine\ymetray.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\iseeu.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/def ... .yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/def ... earch.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/def ... .yahoo.com
R3 - URLSearchHook: OLE (Part 1 of 5) - - (no file)
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: (no name) - rsion - (no file)
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Kelly Job Search - {5776A2BC-D803-47F6-9DC0-8344DB8D604C} - C:\Program Files\IEToolbar\kelly_services.dll (file missing)
O3 - Toolbar: Nick Aracde Toolbar - {4E7BD74F-2B8D-469E-9EB4-FE6FA694B13E} - C:\PROGRA~1\NICKAR~1\NICKAR~1.DLL (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn2\yt.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\Digital Media Reader\shwiconem.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask .exe" -atboottime
O4 - HKLM\..\Run: [ymetray] "C:\Program Files\Yahoo!\Yahoo! Music Engine\YahooMusicEngine.exe" -preload
O4 - HKCU\..\Run: [SP2 Connection Patcher] "C:\Program Files\SP2 Connection Patcher\SP2ConnPatcher.exe" -n=200
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe -NoStart
O4 - HKCU\..\Run: [YSearchProtection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [CTSyncU.exe] "C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe"
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &eBay Search - res://C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\Windows Live Toolbar\Components\en-us\msntabres.dll.mui/229?2f724e3d190543d49695a57fc2a724c9
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\Windows Live Toolbar\Components\en-us\msntabres.dll.mui/230?2f724e3d190543d49695a57fc2a724c9
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Dealio - {E908B145-C847-4e85-B315-07E2E70DECF8} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.Net\PartyPokerNet\RunPF.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.Net\PartyPokerNet\RunPF.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} (GameLauncher Control) - http://www.acclaim.com/cabs/acclaim_v4.cab
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://sympatico.zone.msn.com/bingame/l ... uncher.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v ... b53083.cab
O16 - DPF: {CC32D4D8-2A0B-4CEB-B105-C9B968379105} (CGameManagerCtrl Object) - https://disney.go.com/games/downloads/g ... anager.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O16 - DPF: {DC75FEF6-165D-4D25-A518-C8C4BDA7BAA6} (CPlayFirstDinerDashControl Object) - http://aolsvc.aol.com/onlinegames/diner ... 0.0.72.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://download.games.yahoo.com/games/w ... der_v6.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by121fd.bay121.hotmail.msn.com/a ... Atchmt.ocx
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Active File Monitor V4 (AdobeActiveFileMonitor4.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe

--
End of file - 12064 bytes
phxmark123
Regular Member
 
Posts: 36
Joined: January 24th, 2008, 10:38 am

Re: I got it and need some help. Trojan.Virtumonde

Unread postby Scotty » February 14th, 2008, 7:52 am

Hi

Delete your current copy of Combofix again, and download and save the newest version.

Open Notepad - it must be Notepad, not Wordpad.

Copy the text below in the code box by highlighting all the text with your mouse and pressing Ctrl+C

Code:
KillAll::
 
RenV::
----a-w           212,992 2008-01-31 11:04:05  C:\Program Files\McAfee.com\Agent\MCUPDA~1 .EXE
 


Go to the Notepad window and click Edit > Paste
Then click File > Save
Name the file "CFScript.txt" (including the quotes)

Save the file to your Desktop

Image

Referring to the picture above, drag CFScript into ComboFix.exe

In your next reply post:
ComboFix.txt
New HJT log taken after the above scan has run
Scotty
Retired Graduate
 
Posts: 4138
Joined: August 4th, 2006, 5:31 am
Location: Haggistown, Kiltland

Re: I got it and need some help. Trojan.Virtumonde

Unread postby phxmark123 » February 14th, 2008, 4:34 pm

Hijackthis:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:31, on 2008-02-15
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
C:\WINDOWS\system32\CTsvcCDA.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\iseeu.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/def ... .yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/def ... earch.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/def ... .yahoo.com
R3 - URLSearchHook: OLE (Part 1 of 5) - - (no file)
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: (no name) - rsion - (no file)
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn2\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Kelly Job Search - {5776A2BC-D803-47F6-9DC0-8344DB8D604C} - C:\Program Files\IEToolbar\kelly_services.dll (file missing)
O3 - Toolbar: Nick Aracde Toolbar - {4E7BD74F-2B8D-469E-9EB4-FE6FA694B13E} - C:\PROGRA~1\NICKAR~1\NICKAR~1.DLL (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn2\yt.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\Digital Media Reader\shwiconem.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask .exe" -atboottime
O4 - HKLM\..\Run: [ymetray] "C:\Program Files\Yahoo!\Yahoo! Music Engine\YahooMusicEngine.exe" -preload
O4 - HKCU\..\Run: [SP2 Connection Patcher] "C:\Program Files\SP2 Connection Patcher\SP2ConnPatcher.exe" -n=200
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe -NoStart
O4 - HKCU\..\Run: [YSearchProtection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [CTSyncU.exe] "C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe"
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &eBay Search - res://C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\Windows Live Toolbar\Components\en-us\msntabres.dll.mui/229?2f724e3d190543d49695a57fc2a724c9
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\Windows Live Toolbar\Components\en-us\msntabres.dll.mui/230?2f724e3d190543d49695a57fc2a724c9
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Dealio - {E908B145-C847-4e85-B315-07E2E70DECF8} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.Net\PartyPokerNet\RunPF.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.Net\PartyPokerNet\RunPF.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} (GameLauncher Control) - http://www.acclaim.com/cabs/acclaim_v4.cab
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://sympatico.zone.msn.com/bingame/l ... uncher.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v ... b53083.cab
O16 - DPF: {CC32D4D8-2A0B-4CEB-B105-C9B968379105} (CGameManagerCtrl Object) - https://disney.go.com/games/downloads/g ... anager.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O16 - DPF: {DC75FEF6-165D-4D25-A518-C8C4BDA7BAA6} (CPlayFirstDinerDashControl Object) - http://aolsvc.aol.com/onlinegames/diner ... 0.0.72.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://download.games.yahoo.com/games/w ... der_v6.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by121fd.bay121.hotmail.msn.com/a ... Atchmt.ocx
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Active File Monitor V4 (AdobeActiveFileMonitor4.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe

--
End of file - 11347 bytes


Combofix log:

ComboFix 08-02-15.1 - Owner 2008-02-15 13:44:31.6 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.184 [GMT -6:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat

----- BITS: Possible infected sites -----

hxxp://au.download.windowsupdaõj
.
((((((((((((((((((((((((( Files Created from 2008-01-15 to 2008-02-15 )))))))))))))))))))))))))))))))
.

2008-02-09 05:24 . 2004-08-27 03:54 <DIR> d-------- C:\Documents and Settings\Administrator\WINDOWS
2008-02-09 05:24 . 2005-01-20 17:31 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\SampleView
2008-02-09 05:24 . 2005-01-20 17:31 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\McAfee
2008-01-24 08:20 . 2008-01-24 08:20 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-24 06:28 . 2004-08-04 13:00 101,888 --a------ C:\WINDOWS\system32\evntagnt.dll
2008-01-22 16:33 . 2008-01-22 17:20 <DIR> d-------- C:\Documents and Settings\Guest\Application Data\Creative
2008-01-20 20:08 . 2008-01-28 15:18 15,360 --a--c--- C:\WINDOWS\system32\dllcache\ctfmon.exe
2008-01-20 20:08 . 2008-01-28 15:18 15,360 --a------ C:\WINDOWS\system32\ctfmon.exe
2008-01-20 19:32 . 2008-01-20 19:32 147,456 --a------ C:\WINDOWS\system32\vbzip10.dll
2008-01-20 08:31 . 2008-01-20 15:20 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Creative
2008-01-20 07:55 . 2008-01-20 07:55 417,792 --a------ C:\WINDOWS\system32\awrdscdc.ax
2008-01-20 07:55 . 1999-10-10 11:00 41,984 --------- C:\WINDOWS\Ctregrun.exe
2008-01-20 07:40 . 2008-01-24 06:05 <DIR> d-------- C:\Program Files\Audible
2008-01-20 07:36 . 2008-01-20 07:38 <DIR> d--h----- C:\Program Files\Creative Installation Information
2008-01-20 07:36 . 2008-01-20 07:36 <DIR> d-------- C:\Program Files\Common Files\Creative
2008-01-20 07:36 . 1999-12-12 11:01 44,032 --a------ C:\WINDOWS\system32\CTSVCCDA.EXE
2008-01-20 07:36 . 1999-11-17 11:00 25,088 --a------ C:\WINDOWS\system32\CTSVCCTL.EXE
2008-01-20 07:33 . 2008-01-20 07:33 <DIR> d-------- C:\Program Files\illiminable
2008-01-20 07:33 . 2008-01-20 07:33 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\YAHOO
2008-01-20 07:30 . 2008-01-20 07:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Creative
2008-01-20 07:28 . 2008-01-20 07:55 <DIR> d-------- C:\Program Files\Creative
2008-01-18 09:17 . 2008-01-31 10:42 <DIR> d-------- C:\pics

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-15 10:57 --------- d-----w C:\Program Files\SP2 Connection Patcher
2008-02-13 21:08 --------- d-----w C:\Program Files\Spyware Doctor
2008-02-13 21:08 --------- d-----w C:\Program Files\Digital Media Reader
2008-02-13 21:08 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-01-31 17:08 --------- d-----w C:\Program Files\QuickTime
2008-01-31 16:47 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-01-31 10:40 --------- d-----w C:\Program Files\SymNetDrv
2008-01-24 12:43 --------- d-----w C:\Program Files\Symantec
2008-01-24 12:40 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-01-24 12:33 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-24 12:33 --------- d-----w C:\Program Files\Thomson
2008-01-24 03:17 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2008-01-21 02:35 1,290 ----a-w C:\Documents and Settings\Owner\Application Data\wklnhst.dat
2008-01-21 00:16 --------- d-----w C:\Program Files\LimeWire
2008-01-20 22:28 --------- d-----w C:\Program Files\MusicIP
2008-01-20 22:17 --------- d-----w C:\Documents and Settings\Owner\Application Data\MusicIP
2008-01-20 13:34 --------- d-----w C:\Program Files\Yahoo!
2008-01-14 00:09 --------- d-----w C:\Program Files\Windows Media Connect 2
2008-01-09 10:58 360,064 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-01-03 02:36 --------- d-----w C:\Documents and Settings\Owner\Application Data\Atari
2008-01-03 02:30 --------- d-----w C:\Program Files\Common Files\PocketSoft
2008-01-03 02:13 --------- d-----w C:\Program Files\Safari
2008-01-03 02:05 --------- d-----w C:\Program Files\eBay
2008-01-03 01:06 --------- d-----w C:\Program Files\The Weather Channel FW
2007-12-18 09:51 179,584 ----a-w C:\WINDOWS\system32\drivers\mrxdav.sys
2007-01-17 02:25 633,856 ----a-w C:\Documents and Settings\Guest\EscapeToNorrath.exe
2007-01-17 02:25 633,856 ----a-w C:\Documents and Settings\Guest\_scapeToNorrath.exe
2006-06-06 22:39 380 ----a-w C:\Documents and Settings\Guest\Application Data\wklnhst.dat
2005-12-19 18:25 774,144 -c--a-w C:\Program Files\RngInterstitial.dll
2005-05-30 20:42 56 --sh--r C:\WINDOWS\system32\0336349AD7.sys
2005-07-07 07:02 80 -csh--r C:\WINDOWS\system32\F681545F93.dll
2005-05-30 20:44 848 -csha-w C:\WINDOWS\system32\KGyGaAvL.sys
.
Code:
----a-w           212,992 2008-01-31 11:04:05  C:\Program Files\McAfee.com\Agent\MCUPDA~1 .EXE



((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SP2 Connection Patcher"="C:\Program Files\SP2 Connection Patcher\SP2ConnPatcher.exe" [2008-01-31 10:22 409600]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-01-28 15:18 15360]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [ ]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2008-01-31 03:52 1694208]
"OM_Monitor"="C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe" [2008-01-25 05:29 57344]
"YSearchProtection"="C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" [2008-01-25 05:19 224248]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-01-31 03:52 68856]
"CTSyncU.exe"="C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe" [2008-01-31 10:22 700416]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2008-01-31 10:21 212992]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2004-07-12 03:50 4112384]
"NvMediaCenter"="NvMCTray.dll" [2004-07-12 03:50 81920 C:\WINDOWS\system32\nvmctray.dll]
"NVMixerTray"="C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe" [2008-01-25 13:04 131072]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2008-01-31 10:21 32768]
"SunKistEM"="C:\Program Files\Digital Media Reader\shwiconem.exe" [2008-01-31 10:21 135168]
"MCAgentExe"="c:\PROGRA~1\mcafee.com\agent\mcagent.exe" [2008-01-31 10:48 303104]
"MCUpdateExe"="C:\PROGRA~1\mcafee.com\agent\McUpdate.exe" [ ]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe" [2008-01-31 10:21 196608]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe" [2008-01-31 10:21 57344]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-31 10:21 40048]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2008-01-31 10:22 132496]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-01-31 10:22 185896]
"YSearchProtection"="C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" [2008-01-25 05:19 224248]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask .exe" [ ]
"ymetray"="C:\Program Files\Yahoo!\Yahoo! Music Engine\YahooMusicEngine.exe" [2008-01-31 10:22 5541888]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2007-05-29 19:34 5419008]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BigFix.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\BigFix.lnk
backup=C:\WINDOWS\pss\BigFix.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Google Updater.lnk
backup=C:\WINDOWS\pss\Google Updater.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=C:\WINDOWS\pss\Kodak EasyShare software.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak software updater.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Kodak software updater.lnk
backup=C:\WINDOWS\pss\Kodak software updater.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^HotSync Manager.lnk]
path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\HotSync Manager.lnk
backup=C:\WINDOWS\pss\HotSync Manager.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\au]
C:\Program Files\Dealio\DealioAu.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DW4]
C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eBayToolbar]
C:\Program Files\eBay\eBay Toolbar2\eBayTBDaemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LyraHD2TrayApp]
C:\Program Files\Thomson\Lyra Jukebox\LyraHDTrayApp\LYRAHD2TrayApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
C:\Program Files\MSN Messenger\MsnMsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MySpaceIM]
--a------ 2007-05-29 19:34 5419008 C:\Program Files\MySpace\IM\MySpaceIM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 13:50 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2004-07-12 03:50 843776 C:\WINDOWS\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2008-01-31 03:52 68856 C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2008-01-31 10:22 185896 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2008-01-20 20:28 3096576 C:\Program Files\Yahoo!\Messenger\ypager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"UleadBurningHelper"=2 (0x2)
"navapsvc"=3 (0x3)
"LiveUpdate"=3 (0x3)
"gusvc"=2 (0x2)
"ccSetMgr"=2 (0x2)
"ccPwdSvc"=3 (0x3)
"ccEvtMgr"=2 (0x2)
"Automatic LiveUpdate Scheduler"=2 (0x2)


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{95fae826-9427-11dc-b495-0040ca2274d0}]
\Shell\AutoRun\command - J:\Installer.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b090ad61-6b37-11d9-9c11-806d6172696f}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480

.
Contents of the 'Scheduled Tasks' folder
"2008-02-15 19:51:24 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-15 13:51:43
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
C:\WINDOWS\system32\CTsvcCDA.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\MsPMSPSv.exe
.
**************************************************************************
.
Completion time: 2008-02-15 13:58:35 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-15 19:58:31
ComboFix2.txt 2008-02-13 21:23:47
ComboFix3.txt 2008-02-12 21:35:41
ComboFix4.txt 2008-02-10 12:17:08
ComboFix5.txt 2008-02-01 15:07:49
.
2008-02-15 09:07:56 --- E O F ---
phxmark123
Regular Member
 
Posts: 36
Joined: January 24th, 2008, 10:38 am

Re: I got it and need some help. Trojan.Virtumonde

Unread postby Scotty » February 15th, 2008, 6:21 am

Hi

Open Notepad - it must be Notepad, not Wordpad.
Copy the text below in the code box by highlighting all the text with your mouse and pressing Ctrl+C

RenV::
C:\Program Files\McAfee.com\Agent\MCUPDA~1 .EXE

Go to the Notepad window and click Edit > Paste
Then click File > Save
Name the file "CFScript.txt" (including the quotes)
Save the file to your Desktop.

Reboot into SAFE MODE
    By pressing the F8 key right when Windows starts, usually right after you hear your computer
    beep when you reboot it (some versions of windows will display 'Starting Windows' with a grey progress bar)
    you will be brought to a menu where you can choose to boot into safe mode.

    If it does not work on the first try, reboot and try again, as you have to be quick when you press it.

    I have found that during boot up, right after the computer displays the equipment , memory, etc
    installed on your computer, if you start lightly tapping the F8 key, the system will usually display the menu.


Image


Referring to the picture above, drag CFScript into ComboFix.exe

In your next reply post:
ComboFix.txt
New HJT log taken after the above scan has run
Scotty
Retired Graduate
 
Posts: 4138
Joined: August 4th, 2006, 5:31 am
Location: Haggistown, Kiltland
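One defensive check that the log and the reply above suggest, written here as an added example (my own Python, not ComboFix's or the forum's code): parse the Run-key entries of a ComboFix "Reg Loading Points" section and flag two things that are visible in the log, a file name with a space right before its extension (the "QTTask .exe" entry, and the "MCUPDA~1 .EXE" file that Scotty's RenV:: script renames) and an empty "[ ]", which ComboFix prints when it finds no file at the listed path. The sample lines are constructed from the log's format, and the function and field names are mine.

```python
"""Flag suspicious Run-key entries in a ComboFix 'Reg Loading Points' section.

Added example for the thread above; not ComboFix's code. Names are mine.
"""
import re
from dataclasses import dataclass, field
from typing import List

# Constructed sample in the format of the log posted in the thread
# (a few entries only, not the real log).
SAMPLE_LOG = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2008-01-31 10:21 212992]
"MCUpdateExe"="C:\PROGRA~1\mcafee.com\agent\McUpdate.exe" [ ]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask .exe" [ ]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-01-28 15:18 15360]
'''

# A Run-key line as ComboFix prints it: "name"="path" [date time size]
# The bracket part is empty ("[ ]") when the file was not found on disk.
RUN_ENTRY = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]+)"\s*\[(?P<meta>[^\]]*)\]$')


@dataclass
class Finding:
    key: str            # registry key the entry lives under
    name: str           # value name
    path: str           # command/path the value points at
    reasons: List[str] = field(default_factory=list)


def space_before_extension(path: str) -> bool:
    """True if the file name has whitespace right before its extension.

    'QTTask .exe' or 'MCUPDA~1 .EXE' is a different file from 'qttask.exe'
    or 'MCUPDA~1.EXE' but looks the same at a glance in a listing.
    """
    filename = path.rsplit("\\", 1)[-1]
    return re.search(r"\s\.[A-Za-z0-9]+$", filename) is not None


def scan_run_entries(log_text: str) -> List[Finding]:
    """Walk the log text, tracking the current [key] header, and collect
    entries that match either heuristic. Clean entries are not reported."""
    findings: List[Finding] = []
    current_key = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1]      # section header such as [HKEY_...\Run]
            continue
        m = RUN_ENTRY.match(line)
        if not m:
            continue
        reasons = []
        if space_before_extension(m["path"]):
            reasons.append("space before extension (lookalike file name)")
        if m["meta"].strip() == "":
            reasons.append("empty [ ]: no file found at this path")
        if reasons:
            findings.append(Finding(current_key, m["name"], m["path"], reasons))
    return findings


if __name__ == "__main__":
    for f in scan_run_entries(SAMPLE_LOG):
        print(f"{f.name!r} -> {f.path}")
        for r in f.reasons:
            print(f"    {r}")
```

An empty "[ ]" on its own only says that the referenced file is absent (an uninstalled program leaves the same trace), so the output is a list of entries to look at, not a verdict; the space-before-extension flag is the stronger of the two signals because no installer names its files that way.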