Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.


Hello, must resolve!

Unread postby Pyramid » January 14th, 2009, 3:32 am

Hello, I am being irritated by anti virus 2009 pop ups; sometimes when I type, the window will be deselected. Many other annoying things have happened as well: a few times IE windows would open in rapid succession until I was forced to restart. Anyway, here is the hijack log; I haven't touched it.


Logfile of HijackThis v1.99.1
Scan saved at 11:22:18 PM, on 1/13/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\nvsvc32.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\RTHDCPL.EXE
D:\WINDOWS\system32\RUNDLL32.EXE
D:\Program Files\iTunes\iTunesHelper.exe
D:\Program Files\HP\HP Software Update\HPWuSchd2.exe
D:\WINDOWS\system32\rundll32.exe
D:\Program Files\Messenger\msmsgs.exe
D:\Program Files\Steam\Steam.exe
D:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
D:\Program Files\Ventrilo\Ventrilo.exe
D:\Program Files\iPod\bin\iPodService.exe
D:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
D:\Program Files\iTunes\iTunes.exe
D:\WINDOWS\system32\rundll32.exe
D:\Program Files\Mozilla Firefox\firefox.exe
D:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\WINDOWS\system32\notepad.exe
D:\Program Files\Hijackthis\HijackThis.exe

O2 - BHO: (no name) - {236225cb-059e-41d7-83d4-4f351e0c988c} - D:\WINDOWS\system32\bajibuli.dll
O2 - BHO: {857ff1c7-ac23-d0f8-a244-a536698d5c83} - {38c5d896-635a-442a-8f0d-32ca7c1ff758} - D:\WINDOWS\system32\axfraf.dll
O2 - BHO: HP Smart Web Printing 1.0 - {AE84A6AA-A333-4B92-B276-C11E2212E4FE} - D:\Program Files\HP\Smart Web Printing\SmartWebPrinting.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE D:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "D:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [HP Software Update] D:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [liwoloviko] Rundll32.exe "D:\WINDOWS\system32\jorujedi.dll",s
O4 - HKLM\..\Run: [940d0e4f] rundll32.exe "D:\WINDOWS\system32\sonusoya.dll",b
O4 - HKLM\..\Run: [CPMd310e6d2] Rundll32.exe "d:\windows\system32\dayevino.dll",a
O4 - HKCU\..\Run: [MSMSGS] "D:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Steam] "D:\Program Files\Steam\Steam.exe" -silent
O4 - Global Startup: HP Digital Imaging Monitor.lnk = D:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 1916737390
O20 - AppInit_DLLs: D:\WINDOWS\system32\serevudo.dll axfraf.dll d:\windows\system32\dayevino.dll
O20 - Winlogon Notify: dimsntfy - %SystemRoot%\System32\dimsntfy.dll (file missing)
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - d:\windows\system32\dayevino.dll
O23 - Service: Apple Mobile Device - Apple Inc. - D:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: iPod Service - Apple Inc. - D:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\system32\nvsvc32.exe

Any help would be extremely gratifying!
Pyramid
Active Member
 
Posts: 7
Joined: January 14th, 2009, 3:28 am
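As an added example (not part of this thread, and not code from HijackThis or ComboFix), here is a small triage script that applies the checks a helper runs over the O2/O4/O20/O21 lines of the log above: unnamed or GUID-named BHOs, rundll32 autoruns that call a single-letter export, a populated AppInit_DLLs value, and DLL file names that look machine-generated. The sample lines are copied from the first log in the thread; the ComboFix deletion subset is likewise taken from the later post, and the consonant/vowel name pattern is an assumption drawn from this log only.

```python
"""Triage heuristics for HijackThis v1.99.1 log lines (added example, not a
HijackThis or ComboFix feature).  Output is a hint list for a human reviewer,
not a verdict: legitimate DLLs can match the name pattern."""
import re
from dataclasses import dataclass, field

# Constructed sample: a subset of the O2/O4/O20/O21/O23 lines from the first log.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {236225cb-059e-41d7-83d4-4f351e0c988c} - D:\WINDOWS\system32\bajibuli.dll
O2 - BHO: {857ff1c7-ac23-d0f8-a244-a536698d5c83} - {38c5d896-635a-442a-8f0d-32ca7c1ff758} - D:\WINDOWS\system32\axfraf.dll
O2 - BHO: HP Smart Web Printing 1.0 - {AE84A6AA-A333-4B92-B276-C11E2212E4FE} - D:\Program Files\HP\Smart Web Printing\SmartWebPrinting.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [liwoloviko] Rundll32.exe "D:\WINDOWS\system32\jorujedi.dll",s
O4 - HKLM\..\Run: [940d0e4f] rundll32.exe "D:\WINDOWS\system32\sonusoya.dll",b
O4 - HKLM\..\Run: [CPMd310e6d2] Rundll32.exe "d:\windows\system32\dayevino.dll",a
O4 - HKCU\..\Run: [Steam] "D:\Program Files\Steam\Steam.exe" -silent
O20 - AppInit_DLLs: D:\WINDOWS\system32\serevudo.dll axfraf.dll d:\windows\system32\dayevino.dll
O20 - Winlogon Notify: dimsntfy - %SystemRoot%\System32\dimsntfy.dll (file missing)
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - d:\windows\system32\dayevino.dll
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\system32\nvsvc32.exe
"""

# Constructed subset of the "Other Deletions" / orphan entries from the ComboFix log.
COMBOFIX_DELETED = {"axfraf", "dayevino", "sonusoya", "mosoveva", "rqrmjy"}

GUID_RE = re.compile(r"^\{[0-9a-f-]{36}\}$", re.I)
# Assumed pattern: 6-8 lowercase letters strictly alternating consonant/vowel,
# as in bajibuli / jorujedi / sonusoya / dayevino / serevudo in this log.
PSEUDOWORD_RE = re.compile(r"^(?:[b-df-hj-np-tv-z][aeiou]){3,4}$")
DLL_RE = re.compile(r"([A-Za-z0-9_-]+)\.dll\b", re.I)
RUNDLL_SINGLE_EXPORT_RE = re.compile(r'rundll32\.exe\s+"[^"]+\.dll",\s*[a-z]$', re.I)


@dataclass
class Finding:
    line: str
    reasons: list = field(default_factory=list)


def dll_names(text):
    """Lower-cased base names (without .dll) of every DLL mentioned in text."""
    return [m.group(1).lower() for m in DLL_RE.finditer(text)]


def looks_generated(name):
    """True when a DLL base name matches the pseudo-word pattern above."""
    return bool(PSEUDOWORD_RE.match(name))


def triage_line(line):
    """Return a Finding for one HijackThis line, or None if nothing stands out."""
    line = line.strip()
    parts = line.split(" - ", 3)
    if len(parts) < 2:
        return None
    section, reasons = parts[0], []
    if section == "O2" and parts[1].startswith("BHO: "):
        label = parts[1][len("BHO: "):]
        if label == "(no name)" or GUID_RE.match(label):
            reasons.append("BHO has no human-readable name")
    elif section == "O4" and RUNDLL_SINGLE_EXPORT_RE.search(line):
        reasons.append("rundll32 autorun calling a single-letter export")
    elif section == "O20" and parts[1].startswith("AppInit_DLLs:"):
        reasons.append("AppInit_DLLs is populated: listed DLLs load into every "
                       "process that maps user32.dll")
    generated = [n for n in dll_names(line) if looks_generated(n)]
    if generated:
        reasons.append("machine-looking DLL name(s): " + ", ".join(generated))
    return Finding(line, reasons) if reasons else None


def triage(log_text):
    """Run triage_line over a whole log; findings come back in log order."""
    return [f for f in map(triage_line, log_text.splitlines()) if f]


def suspect_dlls(log_text):
    """Set of generated-looking DLL base names across the whole log."""
    return {n for n in dll_names(log_text) if looks_generated(n)}


def not_in_deletions(log_text, deleted=COMBOFIX_DELETED):
    """Suspect DLLs the cleanup log never names.  These are why a helper asks
    for a fresh HijackThis log: only it confirms their autorun entries are gone."""
    return sorted(suspect_dlls(log_text) - deleted)


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f.line)
        for r in f.reasons:
            print("    -", r)
    print("suspects not named in the ComboFix deletions:", not_in_deletions(SAMPLE_LOG))
```

The cross-check matters in this thread: the BHO GUID {236225cb-...} pointed at bajibuli.dll in the first log but at mosoveva.dll when ComboFix removed it as an orphan, so file names alone are not a stable indicator and the second HijackThis log is what shows the loading points are clear.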

Re: Hello, must resolve!

Unread postby Bob4 » January 18th, 2009, 9:49 pm

_________________________________
Welcome to the Forums.

The fixes we will use are specific to your problems and should only be used for this issue on this machine.

Please only use this topic to reply to. Do not start another thread.
If any other issues arise let me know.
The process is not instant.
Please continue to review my answers until I tell you your machine is clear.
Absence of symptoms does not mean that everything is clear.
So let's do this to the end!



  • Save and quit any work you're doing before beginning the fix.
  • All HijackThis logs I ask for should be done in normal mode (not safe mode).
  • These logs should be done last after you have followed my instructions in the previous post.
  • DO NOT be installing new programs while you run Hijackthis.
  • If I do not hear from you in 5 days from my last post this topic will be closed.


Please if you decide to seek help at another forum let us know. There is a shortage of helpers and tying 2 of us up is a waste of time.
If you have any questions about any advice given here please STOP and ask!
____________________________
Please visit this webpage for download links, and instructions for running ComboFix tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:

  1. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix, link
    Remember to re-enable them afterwards.

  2. Click Yes to allow ComboFix to continue scanning for malware.

When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt
New HijackThis log.
Bob4
MRU Master
 
Posts: 6070
Joined: November 12th, 2005, 11:26 am
Location: Florida

Re: Hello, must resolve!

Unread postby Pyramid » January 18th, 2009, 10:19 pm

Thank you for the response. I followed the steps; here is the log. I don't recall the prompt to install a recovery console, and ought to resolve that first; otherwise it seemed to function properly.

ComboFix 09-01-18.01 - Jeff 2009-01-18 18:13:00.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2047.1511 [GMT -8:00]
Running from: d:\documents and settings\Jeff\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

d:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
d:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
d:\windows\system32\abokazuw.ini
d:\windows\system32\abomayuw.ini
d:\windows\system32\adoredey.ini
d:\windows\system32\afeworit.ini
d:\windows\system32\afezovor.ini
d:\windows\system32\amesujaj.ini
d:\windows\system32\anurovar.ini
d:\windows\system32\avetunuk.ini
d:\windows\system32\awesusoz.ini
d:\windows\system32\axfraf.dll
d:\windows\system32\ayosunos.ini
d:\windows\system32\bamezafu.dll
d:\windows\system32\bbwltf.dll
d:\windows\system32\besehevi.dll
d:\windows\system32\bihonede.dll
d:\windows\system32\biypqt.dll
d:\windows\system32\botapepe.dll
d:\windows\system32\darususi.dll
d:\windows\system32\dayevino.dll
d:\windows\system32\delehele.dll
d:\windows\system32\difoyuro.dll
d:\windows\system32\dorizala.dll
d:\windows\system32\ebalupez.ini
d:\windows\system32\eleheled.ini
d:\windows\system32\emularip.ini
d:\windows\system32\fetotava.dll
d:\windows\system32\fofufenu.dll
d:\windows\system32\fujegifu.dll
d:\windows\system32\fuyisajo.dll
d:\windows\system32\gakemojo.dll
d:\windows\system32\giviminu.dll
d:\windows\system32\gomopiwe.dll
d:\windows\system32\hamehalu.dll
d:\windows\system32\hidumule.dll
d:\windows\system32\hpowiax4.dll
d:\windows\system32\hvktwo.dll
d:\windows\system32\idufatap.ini
d:\windows\system32\igagipak.ini
d:\windows\system32\igewewez.ini
d:\windows\system32\ipufovih.ini
d:\windows\system32\isusurad.ini
d:\windows\system32\iveheseb.ini
d:\windows\system32\jajusema.dll
d:\windows\system32\jegugose.dll
d:\windows\system32\jezewisa.dll
d:\windows\system32\jisagade.dll
d:\windows\system32\jrvdwf.dll
d:\windows\system32\kagohaku.dll
d:\windows\system32\kajoveka.dll
d:\windows\system32\kapigagi.dll
d:\windows\system32\kipiheba.dll
d:\windows\system32\kisijegu.dll
d:\windows\system32\kqelmw.dll
d:\windows\system32\kunuteva.dll
d:\windows\system32\ligasuta.dll
d:\windows\system32\limowuyu.dll
d:\windows\system32\lomuduje.dll
d:\windows\system32\lovojefu.dll
d:\windows\system32\lupujuye.dll
d:\windows\system32\mivawubi.dll
d:\windows\system32\mjnvel.dll
d:\windows\system32\mosoveva.dll
d:\windows\system32\mulipiza.dll
d:\windows\system32\nanemefu.dll
d:\windows\system32\naruhoku.dll
d:\windows\system32\nodekoto.dll
d:\windows\system32\nomifeyi.dll
d:\windows\system32\oganerew.ini
d:\windows\system32\ogileyuw.ini
d:\windows\system32\ojasiyuf.ini
d:\windows\system32\onekokup.ini
d:\windows\system32\oruyofid.ini
d:\windows\system32\otabesol.ini
d:\windows\system32\panesehi.dll
d:\windows\system32\patafudi.dll
d:\windows\system32\ponovisi.dll
d:\windows\system32\pufikere.dll
d:\windows\system32\pwykwn.dll
d:\windows\system32\rovozefa.dll
d:\windows\system32\rqrmjy.dll
d:\windows\system32\rujamika.dll
d:\windows\system32\sajuyaya.dll
d:\windows\system32\serinoho.dll
d:\windows\system32\seyomaju.dll
d:\windows\system32\sonusoya.dll
d:\windows\system32\tiledovo.dll
d:\windows\system32\ufigejuf.ini
d:\windows\system32\ukehisut.ini
d:\windows\system32\unefufof.ini
d:\windows\system32\urulejom.ini
d:\windows\system32\uvujiyir.ini
d:\windows\system32\uwubohiv.ini
d:\windows\system32\valavuja.dll
d:\windows\system32\vetidika.dll
d:\windows\system32\vihobuwu.dll
d:\windows\system32\wepejapu.dll
d:\windows\system32\werenago.dll
d:\windows\system32\wogipute.dll
d:\windows\system32\wumoyuvo.dll
d:\windows\system32\wuyamoba.dll
d:\windows\system32\wuyeligo.dll
d:\windows\system32\wuzakoba.dll
d:\windows\system32\yayutoto.dll
d:\windows\system32\yilefaju.dll
d:\windows\system32\yprnxe.dll
d:\windows\system32\yutununu.dll
d:\windows\system32\zarebeba.dll
d:\windows\system32\zawetuba.dll
d:\windows\system32\zelayira.dll
d:\windows\system32\zepulabe.dll
d:\windows\system32\zitovovi.dll
d:\windows\system32\zosusewa.dll
d:\windows\system32\zuziberi.dll
d:\windows\system32\zxdhft.dll

----- BITS: Possible infected sites -----

hxxp://77.74.48.105
.
((((((((((((((((((((((((( Files Created from 2008-12-19 to 2009-01-19 )))))))))))))))))))))))))))))))
.

2009-01-14 11:33 . 2009-01-14 11:33 <DIR> d-------- d:\program files\MSXML 4.0
2009-01-14 11:32 . 2008-10-15 08:34 337,408 --a------ d:\windows\system32\SET28.tmp
2009-01-14 01:59 . 2009-01-14 01:59 22,328 --a------ d:\documents and settings\Jeff\Application Data\PnkBstrK.sys
2009-01-13 23:38 . 2009-01-13 23:39 <DIR> d-------- d:\documents and settings\Jeff\Application Data\Bioshock
2009-01-13 23:38 . 2007-05-16 16:45 3,497,832 --a------ d:\windows\system32\d3dx9_34.dll
2009-01-13 23:38 . 2007-05-16 16:45 1,124,720 --a------ d:\windows\system32\D3DCompiler_34.dll
2009-01-13 23:38 . 2007-05-16 16:45 443,752 --a------ d:\windows\system32\d3dx10_34.dll
2009-01-13 23:38 . 2007-06-20 20:46 266,088 --a------ d:\windows\system32\xactengine2_8.dll
2009-01-13 23:38 . 2007-10-22 03:37 17,928 --a------ d:\windows\system32\X3DAudio1_2.dll
2009-01-13 23:07 . 2009-01-14 11:36 1,374 --a------ d:\windows\imsins.BAK
2009-01-13 23:06 . 2009-01-14 11:36 <DIR> d--h----- d:\windows\$hf_mig$
2009-01-13 23:06 . 2005-02-24 19:35 22,752 --a------ d:\windows\system32\spupdsvc.exe
2009-01-13 23:05 . 2009-01-13 23:05 <DIR> d---s---- d:\documents and settings\Jeff\UserData
2009-01-13 23:03 . 2008-09-04 09:15 1,106,944 --a------ d:\windows\system32\SET23.tmp
2009-01-13 17:55 . 2009-01-13 17:55 <DIR> d-------- d:\program files\CCleaner
2009-01-13 12:41 . 2009-01-13 12:41 <DIR> d-------- d:\documents and settings\All Users\Application Data\HP Product Assistant
2009-01-12 22:13 . 2009-01-12 22:15 94,208 --a------ d:\windows\ScUnin.exe
2009-01-12 22:13 . 2009-01-12 22:15 35,190 --a------ d:\windows\scunin.dat
2009-01-12 22:13 . 2009-01-12 22:15 967 --a------ d:\windows\ScUnin.pif
2009-01-12 22:02 . 2009-01-13 18:40 <DIR> d-------- d:\program files\Starcraft
2009-01-12 09:29 . 2009-01-12 09:29 <DIR> d-------- d:\documents and settings\Jeff\Application Data\HP
2009-01-12 00:51 . 2009-01-12 00:51 <DIR> d-------- d:\documents and settings\All Users\Application Data\WEBREG
2009-01-11 21:41 . 2009-01-11 21:41 <DIR> d-------- d:\documents and settings\LocalService\Application Data\HP
2009-01-11 21:39 . 2009-01-11 21:41 <DIR> d-------- d:\program files\Common Files\HP
2009-01-11 21:39 . 2009-01-11 21:39 <DIR> d-------- d:\documents and settings\All Users\Application Data\HPSSUPPLY
2009-01-11 21:39 . 2009-01-11 21:39 <DIR> d-------- d:\documents and settings\All Users\Application Data\HP
2009-01-11 21:38 . 2009-01-11 21:38 <DIR> d-------- d:\program files\Hewlett-Packard
2009-01-11 21:38 . 2009-01-11 21:38 <DIR> d-------- d:\program files\Common Files\Hewlett-Packard
2009-01-11 21:37 . 2009-01-11 21:41 <DIR> d-------- d:\program files\HP
2009-01-11 21:37 . 2006-12-05 21:50 892,928 -ra------ d:\windows\system32\hpotiop4.dll
2009-01-11 21:37 . 2006-12-05 21:50 294,912 -ra------ d:\windows\system32\hpovst11.dll
2009-01-11 21:26 . 2006-12-05 22:02 49,920 -ra------ d:\windows\system32\drivers\HPZid412.sys
2009-01-11 21:26 . 2006-12-05 22:02 16,496 -ra------ d:\windows\system32\drivers\HPZipr12.sys
2009-01-11 21:25 . 2009-01-11 21:25 <DIR> d-------- d:\documents and settings\All Users\Application Data\Hewlett-Packard
2009-01-11 21:25 . 2006-12-05 22:02 364,544 -ra------ d:\windows\system32\hppldcoi.dll
2009-01-11 21:25 . 2006-12-05 22:02 309,760 -ra------ d:\windows\system32\difxapi.dll
2009-01-11 21:25 . 2006-12-15 08:36 258,048 -ra------ d:\windows\system32\hpzids01.dll
2009-01-11 21:25 . 2009-01-11 21:51 130,362 --a------ d:\windows\hpoins13.dat
2009-01-11 21:25 . 2006-12-29 09:57 117,760 --a------ d:\windows\system32\hpz3l4v2.dll
2009-01-11 21:25 . 2006-12-05 22:02 21,568 -ra------ d:\windows\system32\drivers\HPZius12.sys
2009-01-11 21:25 . 2007-01-22 08:05 811 --------- d:\windows\hpomdl13.dat
2009-01-11 21:23 . 2008-04-14 00:17 25,856 --a------ d:\windows\system32\drivers\usbprint.sys
2009-01-11 21:23 . 2008-04-14 00:17 25,856 --a--c--- d:\windows\system32\dllcache\usbprint.sys
2009-01-11 14:38 . 2009-01-13 18:20 <DIR> d-a------ d:\documents and settings\All Users\Application Data\TEMP
2008-12-27 15:49 . 2008-12-27 15:49 <DIR> d-------- d:\documents and settings\Jeff\Application Data\DivX
2008-12-27 15:45 . 2008-04-14 05:42 159,232 --a------ d:\windows\system32\ptpusd.dll
2008-12-27 15:45 . 2008-04-14 00:15 15,104 --a------ d:\windows\system32\drivers\usbscan.sys
2008-12-27 15:45 . 2008-04-14 00:15 15,104 --a--c--- d:\windows\system32\dllcache\usbscan.sys
2008-12-27 15:45 . 2001-08-17 22:36 5,632 --a------ d:\windows\system32\ptpusb.dll
2008-12-22 21:14 . 2008-12-22 21:14 <DIR> d-------- d:\documents and settings\Jeff\Application Data\vlc
2008-12-22 20:41 . 2008-12-22 20:41 <DIR> d-------- d:\program files\VideoLAN
2008-12-22 11:32 . 2009-01-09 01:01 <DIR> d-------- d:\documents and settings\Jeff\Application Data\Azureus
2008-12-22 11:32 . 2008-12-22 11:32 <DIR> d-------- d:\documents and settings\All Users\Application Data\Azureus
2008-12-22 11:22 . 2008-12-22 11:23 <DIR> d-------- d:\program files\Vuze
2008-12-22 11:22 . 2008-12-22 11:22 <DIR> d-------- d:\program files\Common Files\i4j_jres
2008-12-20 21:45 . 2008-12-20 21:49 139,264 --a------ d:\windows\War3Unin.exe
2008-12-20 21:45 . 2008-12-20 22:03 77,385 --a------ d:\windows\War3Unin.dat
2008-12-20 21:45 . 2008-12-20 21:49 2,829 --a------ d:\windows\War3Unin.pif
2008-12-20 21:44 . 2009-01-18 12:09 <DIR> d-------- d:\program files\Warcraft III

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-19 02:15 --------- d-----w d:\program files\Steam
2009-01-18 01:43 202,000 ----a-w d:\windows\system32\PnkBstrB.exe
2009-01-18 01:43 139,280 ----a-w d:\windows\system32\drivers\PnkBstrK.sys
2009-01-15 22:20 127,873 ----a-w d:\windows\system32\dafanole.dll
2009-01-14 09:59 682,280 ----a-w d:\windows\system32\pbsvc.exe
2009-01-14 09:59 66,872 ----a-w d:\windows\system32\PnkBstrA.exe
2008-12-27 00:52 --------- d-----w d:\program files\Common Files\Blizzard Entertainment
2008-12-06 20:25 --------- d-----w d:\program files\iTunes
2008-12-06 20:25 --------- d-----w d:\program files\iPod
2008-12-06 20:25 --------- d-----w d:\program files\Common Files\Apple
2008-12-06 20:25 --------- d-----w d:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-12-06 09:49 --------- d-----w d:\program files\Common Files\eSellerate
2008-12-06 09:40 --------- d-----w d:\program files\QuickTime
2008-12-06 09:40 --------- d-----w d:\program files\Apple Software Update
2008-12-06 09:40 --------- d-----w d:\documents and settings\Jeff\Application Data\Apple Computer
2008-12-06 09:40 --------- d-----w d:\documents and settings\All Users\Application Data\Apple Computer
2008-12-06 09:39 --------- d-----w d:\documents and settings\All Users\Application Data\Apple
2008-12-06 04:18 --------- d-----w d:\documents and settings\All Users\Application Data\Blizzard
2008-12-06 02:01 --------- d-----w d:\documents and settings\Jeff\Application Data\Ventrilo
2008-12-06 01:16 --------- d-----w d:\program files\Ventrilo
2008-12-06 01:16 --------- d-----w d:\program files\Common Files\Wise Installation Wizard
2008-12-06 00:53 --------- d-----w d:\program files\Google
2008-12-06 00:27 4,841,984 ----a-w d:\windows\system32\prebak.reg
2008-12-06 00:21 --------- d-----w d:\program files\DivX
2008-12-06 00:17 --------- d--h--w d:\program files\InstallShield Installation Information
2008-12-06 00:17 --------- d-----w d:\program files\Realtek
2008-12-06 00:15 --------- d-----w d:\program files\Common Files\InstallShield
2008-12-05 23:50 --------- d-----w d:\program files\microsoft frontpage
2008-11-08 00:45 2,174,976 ----a-w d:\windows\system32\SET30.tmp
2008-10-23 12:36 286,720 ----a-w d:\windows\system32\SET1D.tmp
1601-01-01 00:12 73,728 --sha-w d:\windows\system32\rituvuza.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="d:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"Steam"="d:\program files\Steam\Steam.exe" [2008-12-05 1410296]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="d:\windows\system32\NvCpl.dll" [2007-04-12 8429568]
"NvMediaCenter"="d:\windows\system32\NvMcTray.dll" [2007-04-12 81920]
"QuickTime Task"="d:\program files\QuickTime\QTTask.exe" [2008-11-04 413696]
"iTunesHelper"="d:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"HP Software Update"="d:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-12-10 49152]
"RTHDCPL"="RTHDCPL.EXE" [2006-12-18 d:\windows\RTHDCPL.exe]
"SkyTel"="SkyTel.EXE" [2006-05-16 d:\windows\SkyTel.exe]
"nwiz"="nwiz.exe" [2007-04-12 d:\windows\system32\nwiz.exe]

d:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - d:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-01-02 210520]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"d:\\Program Files\\Messenger\\msmsgs.exe"=
"d:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"d:\\World of Warcraft\\WoW-2.3.0-enUS-downloader.exe"=
"d:\\Program Files\\iTunes\\iTunes.exe"=
"d:\\Program Files\\Vuze\\Azureus.exe"=
"d:\\WINDOWS\\system32\\spoolsv.exe"=
"d:\\Program Files\\Starcraft\\StarCraft.exe"=
"d:\\WINDOWS\\system32\\PnkBstrA.exe"=
"d:\\WINDOWS\\system32\\PnkBstrB.exe"=
"d:\\Program Files\\Steam\\steamapps\\common\\call of duty world at war\\CoDWaW.exe"=
"d:\\Program Files\\Steam\\steamapps\\common\\call of duty world at war\\CoDWaWmp.exe"=
"d:\\WINDOWS\\system32\\cscript.exe"=
"d:\\WINDOWS\\RTHDCPL.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724

R0 Si3531;SiI-3531 SATA Controller;d:\windows\system32\drivers\Si3531.sys [2008-12-05 210224]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2009-01-13 d:\windows\Tasks\AppleSoftwareUpdate.job
- d:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]
.
- - - - ORPHANS REMOVED - - - -

BHO-{236225cb-059e-41d7-83d4-4f351e0c988c} - d:\windows\system32\mosoveva.dll
BHO-{d8cf12be-abf1-4428-bdf0-6f3e4dbdf426} - d:\windows\system32\rqrmjy.dll


.
------- Supplementary Scan -------
.
TCP: {7BF2B6E3-4733-469E-B9B6-74F54A336B8A} = 192.168.2.1
FF - ProfilePath - d:\documents and settings\Jeff\Application Data\Mozilla\Firefox\Profiles\zar3tta2.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://en.wikipedia.org/wiki/Main_Page

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-18 18:15:17
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
d:\windows\system32\rundll32.exe
d:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
d:\windows\system32\nvsvc32.exe
d:\windows\system32\PnkBstrA.exe
d:\program files\iPod\bin\iPodService.exe
d:\windows\system32\wscntfy.exe
d:\program files\HP\Digital Imaging\bin\hpqste08.exe
.
**************************************************************************
.
Completion time: 2009-01-18 18:16:04 - machine was rebooted
ComboFix-quarantined-files.txt 2009-01-19 02:16:01

Pre-Run: 249,605,324,800 bytes free
Post-Run: 249,523,056,640 bytes free

313 --- E O F --- 2009-01-14 19:36:27
Pyramid
Active Member
 
Posts: 7
Joined: January 14th, 2009, 3:28 am

Re: Hello, must resolve!

Unread postby Bob4 » January 19th, 2009, 8:42 am

It's important we get this part done; in case something goes wrong, we have a better chance of recovering your computer. Removing malware can be tricky.

____________________________


Go back to the tutorial page and read from here to manually install the recovery console.
http://www.bleepingcomputer.com/combofi ... e-combofix

scroll down to this part.

Manually installing the Windows Recovery Console

and begin to read from here.

1. Click on the following link to go to Microsoft's Web site:
NEXT
___________________________________________________
IMPORTANT: I notice there are signs of one or more P2P (Peer to Peer) file sharing programs on your computer.

Azureus
Vuze


We have noticed that most people seeking help from us are coming with infections contracted from the use of P2P programs.

I'd like you to read the MRU policy for P2P Programs.

Please go to Control Panel > Add/Remove Programs and uninstall the programs listed above (in red).
With both of those done please post back with a new HJT log and the new Combofix log.
Bob4
MRU Master
 
Posts: 6070
Joined: November 12th, 2005, 11:26 am
Location: Florida

Re: Hello, must resolve!

Unread postby Pyramid » January 19th, 2009, 3:55 pm

Recovery Console installed, and Azureus/Vuze removed. Here are the updated logs. And as you said, no symptoms doesn't mean it's fixed, but I haven't experienced anything for two days, if that is any help!

Logfile of HijackThis v1.99.1
Scan saved at 11:45:39 AM, on 1/19/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\RTHDCPL.EXE
D:\WINDOWS\system32\RUNDLL32.EXE
D:\Program Files\iTunes\iTunesHelper.exe
D:\Program Files\HP\HP Software Update\HPWuSchd2.exe
D:\Program Files\Messenger\msmsgs.exe
D:\Program Files\Steam\Steam.exe
D:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
D:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\nvsvc32.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\PnkBstrA.exe
D:\WINDOWS\system32\svchost.exe
D:\Program Files\iPod\bin\iPodService.exe
D:\WINDOWS\system32\wscntfy.exe
D:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
D:\WINDOWS\system32\wuauclt.exe
D:\Program Files\Mozilla Firefox\firefox.exe
D:\WINDOWS\system32\wuauclt.exe
D:\Program Files\Hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: HP Smart Web Printing 1.0 - {AE84A6AA-A333-4B92-B276-C11E2212E4FE} - D:\Program Files\HP\Smart Web Printing\SmartWebPrinting.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE D:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "D:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [HP Software Update] D:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKCU\..\Run: [MSMSGS] "D:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Steam] "D:\Program Files\Steam\Steam.exe" -silent
O4 - Global Startup: HP Digital Imaging Monitor.lnk = D:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 1916737390
O20 - Winlogon Notify: dimsntfy - %SystemRoot%\System32\dimsntfy.dll (file missing)
O23 - Service: Apple Mobile Device - Apple Inc. - D:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: iPod Service - Apple Inc. - D:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - D:\WINDOWS\system32\PnkBstrA.exe



Combo log:

ComboFix 09-01-19.01 - Jeff 2009-01-19 11:49:21.4 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2047.1558 [GMT -8:00]
Running from: d:\documents and settings\Jeff\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2008-12-19 to 2009-01-19 )))))))))))))))))))))))))))))))
.

2009-01-18 18:23 . 2009-01-18 18:23 6,049,280 --a------ d:\windows\system32\SETF8.tmp
2009-01-18 18:22 . 2009-01-18 18:22 <DIR> d-------- D:\f62073db294c8904eda379ca94beb6
2009-01-18 18:16 . 2008-10-16 14:06 268,648 --a------ d:\windows\system32\mucltui.dll
2009-01-18 18:16 . 2008-10-16 14:06 27,496 --a------ d:\windows\system32\mucltui.dll.mui
2009-01-14 11:33 . 2009-01-14 11:33 <DIR> d-------- d:\program files\MSXML 4.0
2009-01-14 11:32 . 2008-08-14 02:11 2,189,184 -----c--- d:\windows\system32\dllcache\ntoskrnl.exe
2009-01-14 11:32 . 2008-08-14 02:09 2,145,280 -----c--- d:\windows\system32\dllcache\ntkrnlmp.exe
2009-01-14 11:32 . 2008-08-14 01:33 2,066,048 -----c--- d:\windows\system32\dllcache\ntkrnlpa.exe
2009-01-14 11:32 . 2008-08-14 01:33 2,023,936 -----c--- d:\windows\system32\dllcache\ntkrpamp.exe
2009-01-14 11:32 . 2008-10-24 03:21 455,296 -----c--- d:\windows\system32\dllcache\mrxsmb.sys
2009-01-14 11:32 . 2008-10-15 08:34 337,408 --a------ d:\windows\system32\SET28.tmp
2009-01-14 11:32 . 2008-06-13 03:05 272,128 --------- d:\windows\system32\drivers\bthport.sys
2009-01-14 11:32 . 2008-06-13 03:05 272,128 -----c--- d:\windows\system32\dllcache\bthport.sys
2009-01-14 01:59 . 2009-01-14 01:59 22,328 --a------ d:\documents and settings\Jeff\Application Data\PnkBstrK.sys
2009-01-13 23:38 . 2009-01-13 23:39 <DIR> d-------- d:\documents and settings\Jeff\Application Data\Bioshock
2009-01-13 23:38 . 2007-05-16 16:45 3,497,832 --a------ d:\windows\system32\d3dx9_34.dll
2009-01-13 23:38 . 2007-05-16 16:45 1,124,720 --a------ d:\windows\system32\D3DCompiler_34.dll
2009-01-13 23:38 . 2007-05-16 16:45 443,752 --a------ d:\windows\system32\d3dx10_34.dll
2009-01-13 23:38 . 2007-06-20 20:46 266,088 --a------ d:\windows\system32\xactengine2_8.dll
2009-01-13 23:38 . 2007-10-22 03:37 17,928 --a------ d:\windows\system32\X3DAudio1_2.dll
2009-01-13 23:07 . 2009-01-19 11:04 1,374 --a------ d:\windows\imsins.BAK
2009-01-13 23:06 . 2009-01-19 11:04 <DIR> d--h----- d:\windows\$hf_mig$
2009-01-13 23:06 . 2006-09-06 17:43 22,752 --a------ d:\windows\system32\spupdsvc.exe
2009-01-13 23:05 . 2009-01-13 23:05 <DIR> d---s---- d:\documents and settings\Jeff\UserData
2009-01-13 23:03 . 2008-09-04 09:15 1,106,944 --a------ d:\windows\system32\SET23.tmp
2009-01-13 17:55 . 2009-01-13 17:55 <DIR> d-------- d:\program files\CCleaner
2009-01-13 12:41 . 2009-01-13 12:41 <DIR> d-------- d:\documents and settings\All Users\Application Data\HP Product Assistant
2009-01-12 22:13 . 2009-01-12 22:15 94,208 --a------ d:\windows\ScUnin.exe
2009-01-12 22:13 . 2009-01-12 22:15 35,190 --a------ d:\windows\scunin.dat
2009-01-12 22:13 . 2009-01-12 22:15 967 --a------ d:\windows\ScUnin.pif
2009-01-12 22:02 . 2009-01-13 18:40 <DIR> d-------- d:\program files\Starcraft
2009-01-12 09:29 . 2009-01-12 09:29 <DIR> d-------- d:\documents and settings\Jeff\Application Data\HP
2009-01-12 00:51 . 2009-01-12 00:51 <DIR> d-------- d:\documents and settings\All Users\Application Data\WEBREG
2009-01-11 21:41 . 2009-01-11 21:41 <DIR> d-------- d:\documents and settings\LocalService\Application Data\HP
2009-01-11 21:39 . 2009-01-11 21:41 <DIR> d-------- d:\program files\Common Files\HP
2009-01-11 21:39 . 2009-01-11 21:39 <DIR> d-------- d:\documents and settings\All Users\Application Data\HPSSUPPLY
2009-01-11 21:39 . 2009-01-11 21:39 <DIR> d-------- d:\documents and settings\All Users\Application Data\HP
2009-01-11 21:38 . 2009-01-11 21:38 <DIR> d-------- d:\program files\Hewlett-Packard
2009-01-11 21:38 . 2009-01-11 21:38 <DIR> d-------- d:\program files\Common Files\Hewlett-Packard
2009-01-11 21:37 . 2009-01-11 21:41 <DIR> d-------- d:\program files\HP
2009-01-11 21:37 . 2006-12-05 21:50 892,928 -ra------ d:\windows\system32\hpotiop4.dll
2009-01-11 21:37 . 2006-12-05 21:50 294,912 -ra------ d:\windows\system32\hpovst11.dll
2009-01-11 21:26 . 2006-12-05 22:02 49,920 -ra------ d:\windows\system32\drivers\HPZid412.sys
2009-01-11 21:26 . 2006-12-05 22:02 16,496 -ra------ d:\windows\system32\drivers\HPZipr12.sys
2009-01-11 21:25 . 2009-01-11 21:25 <DIR> d-------- d:\documents and settings\All Users\Application Data\Hewlett-Packard
2009-01-11 21:25 . 2006-12-05 22:02 364,544 -ra------ d:\windows\system32\hppldcoi.dll
2009-01-11 21:25 . 2006-12-05 22:02 309,760 -ra------ d:\windows\system32\difxapi.dll
2009-01-11 21:25 . 2006-12-15 08:36 258,048 -ra------ d:\windows\system32\hpzids01.dll
2009-01-11 21:25 . 2009-01-11 21:51 130,362 --a------ d:\windows\hpoins13.dat
2009-01-11 21:25 . 2006-12-29 09:57 117,760 --a------ d:\windows\system32\hpz3l4v2.dll
2009-01-11 21:25 . 2006-12-05 22:02 21,568 -ra------ d:\windows\system32\drivers\HPZius12.sys
2009-01-11 21:25 . 2007-01-22 08:05 811 --------- d:\windows\hpomdl13.dat
2009-01-11 21:23 . 2008-04-14 00:17 25,856 --a------ d:\windows\system32\drivers\usbprint.sys
2009-01-11 21:23 . 2008-04-14 00:17 25,856 --a--c--- d:\windows\system32\dllcache\usbprint.sys
2009-01-11 14:38 . 2009-01-13 18:20 <DIR> d-a------ d:\documents and settings\All Users\Application Data\TEMP
2008-12-27 15:49 . 2008-12-27 15:49 <DIR> d-------- d:\documents and settings\Jeff\Application Data\DivX
2008-12-27 15:45 . 2008-04-14 05:42 159,232 --a------ d:\windows\system32\ptpusd.dll
2008-12-27 15:45 . 2008-04-14 00:15 15,104 --a------ d:\windows\system32\drivers\usbscan.sys
2008-12-27 15:45 . 2008-04-14 00:15 15,104 --a--c--- d:\windows\system32\dllcache\usbscan.sys
2008-12-27 15:45 . 2001-08-17 22:36 5,632 --a------ d:\windows\system32\ptpusb.dll
2008-12-22 21:14 . 2008-12-22 21:14 <DIR> d-------- d:\documents and settings\Jeff\Application Data\vlc
2008-12-22 20:41 . 2008-12-22 20:41 <DIR> d-------- d:\program files\VideoLAN
2008-12-22 11:32 . 2009-01-09 01:01 <DIR> d-------- d:\documents and settings\Jeff\Application Data\Azureus
2008-12-22 11:32 . 2008-12-22 11:32 <DIR> d-------- d:\documents and settings\All Users\Application Data\Azureus
2008-12-22 11:22 . 2009-01-19 11:45 <DIR> d-------- d:\program files\Vuze
2008-12-22 11:22 . 2008-12-22 11:22 <DIR> d-------- d:\program files\Common Files\i4j_jres
2008-12-20 21:45 . 2008-12-20 21:49 139,264 --a------ d:\windows\War3Unin.exe
2008-12-20 21:45 . 2008-12-20 22:03 77,385 --a------ d:\windows\War3Unin.dat
2008-12-20 21:45 . 2008-12-20 21:49 2,829 --a------ d:\windows\War3Unin.pif
2008-12-20 21:44 . 2009-01-18 21:00 <DIR> d-------- d:\program files\Warcraft III

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-19 19:10 --------- d-----w d:\program files\Steam
2009-01-19 05:17 139,280 ----a-w d:\windows\system32\drivers\PnkBstrK.sys
2009-01-19 05:16 202,000 ----a-w d:\windows\system32\PnkBstrB.exe
2009-01-15 22:20 127,873 ----a-w d:\windows\system32\dafanole.dll
2009-01-14 09:59 682,280 ----a-w d:\windows\system32\pbsvc.exe
2009-01-14 09:59 66,872 ----a-w d:\windows\system32\PnkBstrA.exe
2008-12-27 00:52 --------- d-----w d:\program files\Common Files\Blizzard Entertainment
2008-12-11 10:57 333,952 ----a-w d:\windows\system32\drivers\srv.sys
2008-12-06 20:25 --------- d-----w d:\program files\iTunes
2008-12-06 20:25 --------- d-----w d:\program files\iPod
2008-12-06 20:25 --------- d-----w d:\program files\Common Files\Apple
2008-12-06 20:25 --------- d-----w d:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-12-06 09:49 --------- d-----w d:\program files\Common Files\eSellerate
2008-12-06 09:40 --------- d-----w d:\program files\QuickTime
2008-12-06 09:40 --------- d-----w d:\program files\Apple Software Update
2008-12-06 09:40 --------- d-----w d:\documents and settings\Jeff\Application Data\Apple Computer
2008-12-06 09:40 --------- d-----w d:\documents and settings\All Users\Application Data\Apple Computer
2008-12-06 09:39 --------- d-----w d:\documents and settings\All Users\Application Data\Apple
2008-12-06 04:18 --------- d-----w d:\documents and settings\All Users\Application Data\Blizzard
2008-12-06 02:01 --------- d-----w d:\documents and settings\Jeff\Application Data\Ventrilo
2008-12-06 01:16 --------- d-----w d:\program files\Ventrilo
2008-12-06 01:16 --------- d-----w d:\program files\Common Files\Wise Installation Wizard
2008-12-06 00:53 --------- d-----w d:\program files\Google
2008-12-06 00:27 4,841,984 ----a-w d:\windows\system32\prebak.reg
2008-12-06 00:21 --------- d-----w d:\program files\DivX
2008-12-06 00:17 --------- d--h--w d:\program files\InstallShield Installation Information
2008-12-06 00:17 --------- d-----w d:\program files\Realtek
2008-12-06 00:15 --------- d-----w d:\program files\Common Files\InstallShield
2008-12-05 23:50 --------- d-----w d:\program files\microsoft frontpage
2008-11-08 00:45 2,174,976 ----a-w d:\windows\system32\SET30.tmp
2008-10-23 12:36 286,720 ----a-w d:\windows\system32\SET1D.tmp
2008-10-23 12:36 286,720 ----a-w d:\windows\system32\gdi32.dll
1601-01-01 00:12 73,728 --sha-w d:\windows\system32\rituvuza.dll
.

((((((((((((((((((((((((((((( snapshot_2009-01-18_18.30.37.21 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-06-24 16:53:10 74,240 ----a-w d:\windows\$hf_mig$\KB952954\SP3QFE\mscms.dll
+ 2007-11-30 12:39:22 17,272 ----a-w d:\windows\$hf_mig$\KB952954\spmsg.dll
+ 2007-11-30 12:39:22 231,288 ----a-w d:\windows\$hf_mig$\KB952954\spuninst.exe
+ 2007-11-30 12:39:22 26,488 ----a-w d:\windows\$hf_mig$\KB952954\update\spcustom.dll
+ 2007-11-30 12:39:22 755,576 ----a-w d:\windows\$hf_mig$\KB952954\update\update.exe
+ 2007-11-30 12:39:22 382,840 ----a-w d:\windows\$hf_mig$\KB952954\update\updspapi.dll
+ 2008-06-13 11:05:51 272,128 ------w d:\windows\Driver Cache\i386\bthport.sys
+ 2001-07-15 01:32:24 69,632 ----a-w d:\windows\setupupd\temp\wsdueng.dll
- 2008-06-20 11:40:08 138,496 -c--a-w d:\windows\system32\dllcache\afd.sys
+ 2008-08-14 10:04:36 138,496 -c--a-w d:\windows\system32\dllcache\afd.sys
- 2008-04-14 12:00:00 73,728 -c--a-w d:\windows\system32\dllcache\mscms.dll
+ 2008-06-24 16:43:16 74,240 -c--a-w d:\windows\system32\dllcache\mscms.dll
- 2008-06-20 11:40:08 138,496 ----a-w d:\windows\system32\drivers\afd.sys
+ 2008-08-14 10:04:36 138,496 ----a-w d:\windows\system32\drivers\afd.sys
- 2008-04-14 12:00:00 73,728 ----a-w d:\windows\system32\mscms.dll
+ 2008-06-24 16:43:16 74,240 ----a-w d:\windows\system32\mscms.dll
- 2007-11-30 12:39:22 17,272 ------w d:\windows\system32\spmsg.dll
+ 2007-11-30 11:18:51 17,272 ------w d:\windows\system32\spmsg.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="d:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"Steam"="d:\program files\Steam\Steam.exe" [2008-12-05 1410296]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="d:\windows\system32\NvCpl.dll" [2007-04-12 8429568]
"NvMediaCenter"="d:\windows\system32\NvMcTray.dll" [2007-04-12 81920]
"QuickTime Task"="d:\program files\QuickTime\QTTask.exe" [2008-11-04 413696]
"iTunesHelper"="d:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"HP Software Update"="d:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-12-10 49152]
"RTHDCPL"="RTHDCPL.EXE" [2006-12-18 d:\windows\RTHDCPL.exe]
"SkyTel"="SkyTel.EXE" [2006-05-16 d:\windows\SkyTel.exe]
"nwiz"="nwiz.exe" [2007-04-12 d:\windows\system32\nwiz.exe]

d:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - d:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-01-02 210520]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"d:\\Program Files\\Messenger\\msmsgs.exe"=
"d:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"d:\\World of Warcraft\\WoW-2.3.0-enUS-downloader.exe"=
"d:\\Program Files\\iTunes\\iTunes.exe"=
"d:\\WINDOWS\\system32\\spoolsv.exe"=
"d:\\Program Files\\Starcraft\\StarCraft.exe"=
"d:\\WINDOWS\\system32\\PnkBstrA.exe"=
"d:\\WINDOWS\\system32\\PnkBstrB.exe"=
"d:\\Program Files\\Steam\\steamapps\\common\\call of duty world at war\\CoDWaW.exe"=
"d:\\Program Files\\Steam\\steamapps\\common\\call of duty world at war\\CoDWaWmp.exe"=
"d:\\WINDOWS\\system32\\cscript.exe"=
"d:\\WINDOWS\\RTHDCPL.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724

R0 Si3531;SiI-3531 SATA Controller;d:\windows\system32\drivers\Si3531.sys [2008-12-05 210224]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2009-01-13 d:\windows\Tasks\AppleSoftwareUpdate.job
- d:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]
.
.
------- Supplementary Scan -------
.
FF - ProfilePath - d:\documents and settings\Jeff\Application Data\Mozilla\Firefox\Profiles\zar3tta2.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://en.wikipedia.org/wiki/Main_Page

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-19 11:50:15
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-01-19 11:50:47
ComboFix-quarantined-files.txt 2009-01-19 19:50:46
ComboFix2.txt 2009-01-19 02:30:53
ComboFix3.txt 2009-01-19 02:16:05

Pre-Run: 244,343,701,504 bytes free
Post-Run: 244,336,668,672 bytes free

210 --- E O F --- 2009-01-19 19:04:23
Pyramid
Active Member
 
Posts: 7
Joined: January 14th, 2009, 3:28 am

Re: Hello, must resolve!

Post by Bob4 » January 19th, 2009, 5:30 pm

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

If you need help disabling your antivirus, visit this link:
http://www.bleepingcomputer.com/forums/topic114351.html

3. Open notepad and copy/paste the text in the quotebox below into it:

File::

d:\windows\system32\SETF8.tmp
d:\windows\system32\SET28.tmp
d:\windows\imsins.BAK
d:\windows\system32\SET23.tmp
d:\windows\system32\dafanole.dll
d:\windows\system32\prebak.reg
d:\windows\system32\SET30.tmp
d:\windows\system32\SET1D.tmp
d:\windows\system32\rituvuza.dll

Save this as "CFScript.txt", and as Type: All Files (*.*), in the same location as ComboFix.exe.


[Image]

Referring to the picture above, drag CFScript.txt onto ComboFix.exe.

NOTE: This script was done for this user specifically.
DO NOT ATTEMPT TO USE IT IF YOU ARE NOT THIS USER.
YOU WILL HURT THE WORKINGS OF YOUR COMPUTER!


When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.





It's no wonder you got infected.
I see no signs of an antivirus program.
If you had had one in place, Antivirus 2009 would probably never have made it to your computer. :roll:

_____________________________
I suggest you get one in ASAP.
I will list two free antivirus programs; just choose one.

Avast

Avira AntiVir Personal Edition Classic

Download and install one of these and run a full scan.



_________________________
In your next reply I would like to see:
  • A new HJT log
  • The report from Combofix
Bob4
MRU Master
 
Posts: 6070
Joined: November 12th, 2005, 11:26 am
Location: Florida
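
The selection Bob4 made above, picking two random-named DLLs and a file stamped 1601-01-01 out of the ComboFix "Find3M Report" and wrapping them in a "File::" CFScript, can be reproduced mechanically for the parts that are pure pattern matching. The following Python is an added example written for this page; it is not ComboFix's own code and not anything Bob4 or Pyramid posted. The three heuristics (a FILETIME-zero timestamp, an eight-lowercase-letter DLL stem under system32, hidden+system attributes under system32), the list of weak registry settings it reports, and the sample lines (copied from the log above into a constructed excerpt) are the example's own assumptions.

```python
"""Triage a ComboFix log excerpt.

Added example for this thread (not ComboFix's own code, not Bob4's script).
It applies three heuristics an analyst reads off the 'Files Created' and
'Find3M Report' sections, reports weak values from 'Reg Loading Points',
and builds a CFScript 'File::' block from the flagged paths. The heuristics
and the setting list are this example's assumptions, not ComboFix output.
"""
import re
from typing import Dict, List, Optional

# One regex covers both entry layouts seen in the log:
#   Files Created: "<created> . <modified> <size|<DIR>> <attrs> <path>"
#   Find3M:        "<modified> <size|---------> <attrs> <path>"
ENTRY_RE = re.compile(
    r"^(?P<first>\d{4}-\d{2}-\d{2} \d{2}:\d{2})"
    r"(?: \. (?P<second>\d{4}-\d{2}-\d{2} \d{2}:\d{2}))?"
    r" (?P<size>[\d,]+|<DIR>|-+)"
    r" (?P<attrs>[-\w]+)"
    r" (?P<path>.+)$"
)

# Assumption: droppers of this era used stems of eight random lowercase
# letters; vendor files carry digits, mixed case or a recognisable prefix.
RANDOM_DLL_RE = re.compile(r"^[a-z]{8}\.dll$")
FILETIME_ZERO = "1601-01-01"  # Windows FILETIME epoch; installers never write it

# Registry lines from 'Reg Loading Points' that leave the host exposed.
WEAK_SETTINGS = {
    '"EnableFirewall"= 0': "Windows Firewall is off for the standard profile",
    '"UpdatesDisableNotify"=dword:00000001':
        "Security Center no longer warns that updates are disabled",
}

# Constructed sample: lines copied from the log posted above.
SAMPLE_LOG = r"""
2009-01-15 22:20 127,873 ----a-w d:\windows\system32\dafanole.dll
2009-01-14 09:59 66,872 ----a-w d:\windows\system32\PnkBstrA.exe
2008-10-23 12:36 286,720 ----a-w d:\windows\system32\gdi32.dll
1601-01-01 00:12 73,728 --sha-w d:\windows\system32\rituvuza.dll
2009-01-13 23:38 . 2007-05-16 16:45 3,497,832 --a------ d:\windows\system32\d3dx9_34.dll
2009-01-19 19:10 --------- d-----w d:\program files\Steam
"EnableFirewall"= 0 (0x0)
"UpdatesDisableNotify"=dword:00000001
"""


def parse_entry(line: str) -> Optional[Dict[str, str]]:
    """Return the fields of one file entry, or None for any other line."""
    m = ENTRY_RE.match(line.strip())
    return m.groupdict() if m else None


def suspicious_reasons(entry: Dict[str, str]) -> List[str]:
    """List every heuristic the entry trips; an empty list means nothing flagged."""
    reasons = []
    path = entry["path"].lower()
    parent, _, name = path.rpartition("\\")
    in_system32 = parent.endswith("\\windows\\system32")
    stamps = [s for s in (entry["first"], entry["second"]) if s]
    if any(s.startswith(FILETIME_ZERO) for s in stamps):
        reasons.append("timestamp is FILETIME zero (1601-01-01)")
    if in_system32 and RANDOM_DLL_RE.match(name):
        reasons.append("random-looking eight-letter DLL name in system32")
    if in_system32 and "s" in entry["attrs"] and "h" in entry["attrs"]:
        reasons.append("hidden+system attributes on a file in system32")
    return reasons


def triage(log_text: str) -> Dict[str, List[str]]:
    """Map each flagged path (original spelling) to the reasons it was flagged."""
    flagged: Dict[str, List[str]] = {}
    for line in log_text.splitlines():
        entry = parse_entry(line)
        if entry:
            reasons = suspicious_reasons(entry)
            if reasons:
                flagged[entry["path"]] = reasons
    return flagged


def weak_settings(log_text: str) -> List[str]:
    """Report registry values in the log that weaken the host's defences."""
    return [msg for line in log_text.splitlines()
            for key, msg in WEAK_SETTINGS.items() if line.strip().startswith(key)]


def cfscript(paths: List[str]) -> str:
    """Build the CFScript.txt body ComboFix expects: 'File::' then one path per line."""
    return "File::\n\n" + "\n".join(paths) + "\n"


if __name__ == "__main__":
    hits = triage(SAMPLE_LOG)
    for flagged_path, why in hits.items():
        print(flagged_path, "->", "; ".join(why))
    for msg in weak_settings(SAMPLE_LOG):
        print("weak setting:", msg)
    print(cfscript(sorted(hits)))
```

Run as a script it prints the two flagged DLLs with their reasons, the two weak settings, and a ready-to-save CFScript body. The heuristics deliberately do not catch the SET*.tmp, imsins.BAK or prebak.reg entries Bob4 also listed; those were analyst judgement calls about leftover installer state, so treat the output as a shortlist for review, not as a deletion list.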

Re: Hello, must resolve!

Post by Pyramid » January 19th, 2009, 6:11 pm

Okay, I have installed Avast and followed the instructions... Here we go!

ComboFix Log:

ComboFix 09-01-19.03 - Jeff 2009-01-19 14:07:58.5 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2047.1027 [GMT -8:00]
Running from: d:\documents and settings\Jeff\Desktop\ComboFix.exe
Command switches used :: d:\documents and settings\Jeff\My Documents\CFScript.txt
* Created a new restore point

FILE ::
d:\windows\imsins.BAK
d:\windows\system32\dafanole.dll
d:\windows\system32\prebak.reg
d:\windows\system32\rituvuza.dll
d:\windows\system32\SET1D.tmp
d:\windows\system32\SET23.tmp
d:\windows\system32\SET28.tmp
d:\windows\system32\SET30.tmp
d:\windows\system32\SETF8.tmp
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

d:\windows\imsins.BAK
d:\windows\system32\dafanole.dll
d:\windows\system32\prebak.reg
d:\windows\system32\rituvuza.dll
d:\windows\system32\SET1D.tmp
d:\windows\system32\SET23.tmp
d:\windows\system32\SET28.tmp
d:\windows\system32\SET30.tmp
d:\windows\system32\SETF8.tmp

.
((((((((((((((((((((((((( Files Created from 2008-12-19 to 2009-01-19 )))))))))))))))))))))))))))))))
.

2009-01-19 14:06 . 2009-01-19 14:06 <DIR> d-------- d:\program files\Alwil Software
2009-01-18 18:22 . 2009-01-18 18:22 <DIR> d-------- D:\f62073db294c8904eda379ca94beb6
2009-01-18 18:16 . 2008-10-16 14:06 268,648 --a------ d:\windows\system32\mucltui.dll
2009-01-18 18:16 . 2008-10-16 14:06 27,496 --a------ d:\windows\system32\mucltui.dll.mui
2009-01-14 11:33 . 2009-01-14 11:33 <DIR> d-------- d:\program files\MSXML 4.0
2009-01-14 11:32 . 2008-08-14 02:11 2,189,184 -----c--- d:\windows\system32\dllcache\ntoskrnl.exe
2009-01-14 11:32 . 2008-08-14 02:09 2,145,280 -----c--- d:\windows\system32\dllcache\ntkrnlmp.exe
2009-01-14 11:32 . 2008-08-14 01:33 2,066,048 -----c--- d:\windows\system32\dllcache\ntkrnlpa.exe
2009-01-14 11:32 . 2008-08-14 01:33 2,023,936 -----c--- d:\windows\system32\dllcache\ntkrpamp.exe
2009-01-14 11:32 . 2008-10-24 03:21 455,296 -----c--- d:\windows\system32\dllcache\mrxsmb.sys
2009-01-14 11:32 . 2008-06-13 03:05 272,128 --------- d:\windows\system32\drivers\bthport.sys
2009-01-14 11:32 . 2008-06-13 03:05 272,128 -----c--- d:\windows\system32\dllcache\bthport.sys
2009-01-14 01:59 . 2009-01-14 01:59 22,328 --a------ d:\documents and settings\Jeff\Application Data\PnkBstrK.sys
2009-01-13 23:38 . 2009-01-13 23:39 <DIR> d-------- d:\documents and settings\Jeff\Application Data\Bioshock
2009-01-13 23:38 . 2007-05-16 16:45 3,497,832 --a------ d:\windows\system32\d3dx9_34.dll
2009-01-13 23:38 . 2007-05-16 16:45 1,124,720 --a------ d:\windows\system32\D3DCompiler_34.dll
2009-01-13 23:38 . 2007-05-16 16:45 443,752 --a------ d:\windows\system32\d3dx10_34.dll
2009-01-13 23:38 . 2007-06-20 20:46 266,088 --a------ d:\windows\system32\xactengine2_8.dll
2009-01-13 23:38 . 2007-10-22 03:37 17,928 --a------ d:\windows\system32\X3DAudio1_2.dll
2009-01-13 23:06 . 2009-01-19 11:04 <DIR> d--h----- d:\windows\$hf_mig$
2009-01-13 23:06 . 2006-09-06 17:43 22,752 --a------ d:\windows\system32\spupdsvc.exe
2009-01-13 23:05 . 2009-01-13 23:05 <DIR> d---s---- d:\documents and settings\Jeff\UserData
2009-01-13 17:55 . 2009-01-13 17:55 <DIR> d-------- d:\program files\CCleaner
2009-01-13 12:41 . 2009-01-13 12:41 <DIR> d-------- d:\documents and settings\All Users\Application Data\HP Product Assistant
2009-01-12 22:13 . 2009-01-12 22:15 94,208 --a------ d:\windows\ScUnin.exe
2009-01-12 22:13 . 2009-01-12 22:15 35,190 --a------ d:\windows\scunin.dat
2009-01-12 22:13 . 2009-01-12 22:15 967 --a------ d:\windows\ScUnin.pif
2009-01-12 22:02 . 2009-01-13 18:40 <DIR> d-------- d:\program files\Starcraft
2009-01-12 09:29 . 2009-01-12 09:29 <DIR> d-------- d:\documents and settings\Jeff\Application Data\HP
2009-01-12 00:51 . 2009-01-12 00:51 <DIR> d-------- d:\documents and settings\All Users\Application Data\WEBREG
2009-01-11 21:41 . 2009-01-11 21:41 <DIR> d-------- d:\documents and settings\LocalService\Application Data\HP
2009-01-11 21:39 . 2009-01-11 21:41 <DIR> d-------- d:\program files\Common Files\HP
2009-01-11 21:39 . 2009-01-11 21:39 <DIR> d-------- d:\documents and settings\All Users\Application Data\HPSSUPPLY
2009-01-11 21:39 . 2009-01-11 21:39 <DIR> d-------- d:\documents and settings\All Users\Application Data\HP
2009-01-11 21:38 . 2009-01-11 21:38 <DIR> d-------- d:\program files\Hewlett-Packard
2009-01-11 21:38 . 2009-01-11 21:38 <DIR> d-------- d:\program files\Common Files\Hewlett-Packard
2009-01-11 21:37 . 2009-01-11 21:41 <DIR> d-------- d:\program files\HP
2009-01-11 21:37 . 2006-12-05 21:50 892,928 -ra------ d:\windows\system32\hpotiop4.dll
2009-01-11 21:37 . 2006-12-05 21:50 294,912 -ra------ d:\windows\system32\hpovst11.dll
2009-01-11 21:26 . 2006-12-05 22:02 49,920 -ra------ d:\windows\system32\drivers\HPZid412.sys
2009-01-11 21:26 . 2006-12-05 22:02 16,496 -ra------ d:\windows\system32\drivers\HPZipr12.sys
2009-01-11 21:25 . 2009-01-11 21:25 <DIR> d-------- d:\documents and settings\All Users\Application Data\Hewlett-Packard
2009-01-11 21:25 . 2006-12-05 22:02 364,544 -ra------ d:\windows\system32\hppldcoi.dll
2009-01-11 21:25 . 2006-12-05 22:02 309,760 -ra------ d:\windows\system32\difxapi.dll
2009-01-11 21:25 . 2006-12-15 08:36 258,048 -ra------ d:\windows\system32\hpzids01.dll
2009-01-11 21:25 . 2009-01-11 21:51 130,362 --a------ d:\windows\hpoins13.dat
2009-01-11 21:25 . 2006-12-29 09:57 117,760 --a------ d:\windows\system32\hpz3l4v2.dll
2009-01-11 21:25 . 2006-12-05 22:02 21,568 -ra------ d:\windows\system32\drivers\HPZius12.sys
2009-01-11 21:25 . 2007-01-22 08:05 811 --------- d:\windows\hpomdl13.dat
2009-01-11 21:23 . 2008-04-14 00:17 25,856 --a------ d:\windows\system32\drivers\usbprint.sys
2009-01-11 21:23 . 2008-04-14 00:17 25,856 --a--c--- d:\windows\system32\dllcache\usbprint.sys
2009-01-11 14:38 . 2009-01-13 18:20 <DIR> d-a------ d:\documents and settings\All Users\Application Data\TEMP
2008-12-27 15:49 . 2008-12-27 15:49 <DIR> d-------- d:\documents and settings\Jeff\Application Data\DivX
2008-12-27 15:45 . 2008-04-14 05:42 159,232 --a------ d:\windows\system32\ptpusd.dll
2008-12-27 15:45 . 2008-04-14 00:15 15,104 --a------ d:\windows\system32\drivers\usbscan.sys
2008-12-27 15:45 . 2008-04-14 00:15 15,104 --a--c--- d:\windows\system32\dllcache\usbscan.sys
2008-12-27 15:45 . 2001-08-17 22:36 5,632 --a------ d:\windows\system32\ptpusb.dll
2008-12-22 21:14 . 2008-12-22 21:14 <DIR> d-------- d:\documents and settings\Jeff\Application Data\vlc
2008-12-22 20:41 . 2008-12-22 20:41 <DIR> d-------- d:\program files\VideoLAN
2008-12-22 11:32 . 2009-01-09 01:01 <DIR> d-------- d:\documents and settings\Jeff\Application Data\Azureus
2008-12-22 11:32 . 2008-12-22 11:32 <DIR> d-------- d:\documents and settings\All Users\Application Data\Azureus
2008-12-22 11:22 . 2009-01-19 11:45 <DIR> d-------- d:\program files\Vuze
2008-12-22 11:22 . 2008-12-22 11:22 <DIR> d-------- d:\program files\Common Files\i4j_jres
2008-12-20 21:45 . 2008-12-20 21:49 139,264 --a------ d:\windows\War3Unin.exe
2008-12-20 21:45 . 2008-12-20 22:03 77,385 --a------ d:\windows\War3Unin.dat
2008-12-20 21:45 . 2008-12-20 21:49 2,829 --a------ d:\windows\War3Unin.pif
2008-12-20 21:44 . 2009-01-19 13:19 <DIR> d-------- d:\program files\Warcraft III

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-19 19:10 --------- d-----w d:\program files\Steam
2009-01-19 05:17 139,280 ----a-w d:\windows\system32\drivers\PnkBstrK.sys
2009-01-19 05:16 202,000 ----a-w d:\windows\system32\PnkBstrB.exe
2009-01-14 09:59 682,280 ----a-w d:\windows\system32\pbsvc.exe
2009-01-14 09:59 66,872 ----a-w d:\windows\system32\PnkBstrA.exe
2008-12-27 00:52 --------- d-----w d:\program files\Common Files\Blizzard Entertainment
2008-12-11 10:57 333,952 ----a-w d:\windows\system32\drivers\srv.sys
2008-12-06 20:25 --------- d-----w d:\program files\iTunes
2008-12-06 20:25 --------- d-----w d:\program files\iPod
2008-12-06 20:25 --------- d-----w d:\program files\Common Files\Apple
2008-12-06 20:25 --------- d-----w d:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-12-06 09:49 --------- d-----w d:\program files\Common Files\eSellerate
2008-12-06 09:40 --------- d-----w d:\program files\QuickTime
2008-12-06 09:40 --------- d-----w d:\program files\Apple Software Update
2008-12-06 09:40 --------- d-----w d:\documents and settings\Jeff\Application Data\Apple Computer
2008-12-06 09:40 --------- d-----w d:\documents and settings\All Users\Application Data\Apple Computer
2008-12-06 09:39 --------- d-----w d:\documents and settings\All Users\Application Data\Apple
2008-12-06 04:18 --------- d-----w d:\documents and settings\All Users\Application Data\Blizzard
2008-12-06 02:01 --------- d-----w d:\documents and settings\Jeff\Application Data\Ventrilo
2008-12-06 01:16 --------- d-----w d:\program files\Ventrilo
2008-12-06 01:16 --------- d-----w d:\program files\Common Files\Wise Installation Wizard
2008-12-06 00:53 --------- d-----w d:\program files\Google
2008-12-06 00:21 --------- d-----w d:\program files\DivX
2008-12-06 00:17 --------- d--h--w d:\program files\InstallShield Installation Information
2008-12-06 00:17 --------- d-----w d:\program files\Realtek
2008-12-06 00:15 --------- d-----w d:\program files\Common Files\InstallShield
2008-12-05 23:50 --------- d-----w d:\program files\microsoft frontpage
2008-10-23 12:36 286,720 ----a-w d:\windows\system32\gdi32.dll
.

((((((((((((((((((((((((((((( snapshot_2009-01-18_18.30.37.21 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-06-24 16:53:10 74,240 ----a-w d:\windows\$hf_mig$\KB952954\SP3QFE\mscms.dll
+ 2007-11-30 12:39:22 17,272 ----a-w d:\windows\$hf_mig$\KB952954\spmsg.dll
+ 2007-11-30 12:39:22 231,288 ----a-w d:\windows\$hf_mig$\KB952954\spuninst.exe
+ 2007-11-30 12:39:22 26,488 ----a-w d:\windows\$hf_mig$\KB952954\update\spcustom.dll
+ 2007-11-30 12:39:22 755,576 ----a-w d:\windows\$hf_mig$\KB952954\update\update.exe
+ 2007-11-30 12:39:22 382,840 ----a-w d:\windows\$hf_mig$\KB952954\update\updspapi.dll
+ 2008-06-13 11:05:51 272,128 ------w d:\windows\Driver Cache\i386\bthport.sys
+ 2001-07-15 01:32:24 69,632 ----a-w d:\windows\setupupd\temp\wsdueng.dll
+ 2008-11-26 17:21:30 1,236,208 ----a-w d:\windows\system32\aswBoot.exe
+ 2008-11-26 17:15:10 97,480 ----a-w d:\windows\system32\AvastSS.scr
- 2008-06-20 11:40:08 138,496 -c--a-w d:\windows\system32\dllcache\afd.sys
+ 2008-08-14 10:04:36 138,496 -c--a-w d:\windows\system32\dllcache\afd.sys
- 2008-04-14 12:00:00 73,728 -c--a-w d:\windows\system32\dllcache\mscms.dll
+ 2008-06-24 16:43:16 74,240 -c--a-w d:\windows\system32\dllcache\mscms.dll
+ 2008-11-26 17:15:35 26,944 ----a-w d:\windows\system32\drivers\aavmker4.sys
- 2008-06-20 11:40:08 138,496 ----a-w d:\windows\system32\drivers\afd.sys
+ 2008-08-14 10:04:36 138,496 ----a-w d:\windows\system32\drivers\afd.sys
+ 2008-11-26 17:17:25 20,560 ----a-w d:\windows\system32\drivers\aswFsBlk.sys
+ 2008-11-26 17:18:25 93,296 ----a-w d:\windows\system32\drivers\aswmon.sys
+ 2008-11-26 17:18:18 94,032 ----a-w d:\windows\system32\drivers\aswmon2.sys
+ 2008-11-26 17:16:29 23,152 ----a-w d:\windows\system32\drivers\aswRdr.sys
+ 2008-11-26 17:17:36 111,184 ----a-w d:\windows\system32\drivers\aswSP.sys
+ 2008-11-26 17:16:38 50,864 ----a-w d:\windows\system32\drivers\aswTdi.sys
- 2008-04-14 12:00:00 73,728 ----a-w d:\windows\system32\mscms.dll
+ 2008-06-24 16:43:16 74,240 ----a-w d:\windows\system32\mscms.dll
- 2007-11-30 12:39:22 17,272 ------w d:\windows\system32\spmsg.dll
+ 2007-11-30 11:18:51 17,272 ------w d:\windows\system32\spmsg.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="d:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"Steam"="d:\program files\Steam\Steam.exe" [2008-12-05 1410296]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="d:\windows\system32\NvCpl.dll" [2007-04-12 8429568]
"NvMediaCenter"="d:\windows\system32\NvMcTray.dll" [2007-04-12 81920]
"QuickTime Task"="d:\program files\QuickTime\QTTask.exe" [2008-11-04 413696]
"iTunesHelper"="d:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"HP Software Update"="d:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-12-10 49152]
"avast!"="d:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2008-11-26 81000]
"RTHDCPL"="RTHDCPL.EXE" [2006-12-18 d:\windows\RTHDCPL.exe]
"SkyTel"="SkyTel.EXE" [2006-05-16 d:\windows\SkyTel.exe]
"nwiz"="nwiz.exe" [2007-04-12 d:\windows\system32\nwiz.exe]

d:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - d:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-01-02 210520]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"d:\\Program Files\\Messenger\\msmsgs.exe"=
"d:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"d:\\World of Warcraft\\WoW-2.3.0-enUS-downloader.exe"=
"d:\\Program Files\\iTunes\\iTunes.exe"=
"d:\\WINDOWS\\system32\\spoolsv.exe"=
"d:\\Program Files\\Starcraft\\StarCraft.exe"=
"d:\\WINDOWS\\system32\\PnkBstrA.exe"=
"d:\\WINDOWS\\system32\\PnkBstrB.exe"=
"d:\\Program Files\\Steam\\steamapps\\common\\call of duty world at war\\CoDWaW.exe"=
"d:\\Program Files\\Steam\\steamapps\\common\\call of duty world at war\\CoDWaWmp.exe"=
"d:\\WINDOWS\\system32\\cscript.exe"=
"d:\\WINDOWS\\RTHDCPL.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724

R0 Si3531;SiI-3531 SATA Controller;d:\windows\system32\drivers\Si3531.sys [2008-12-05 210224]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2009-01-13 d:\windows\Tasks\AppleSoftwareUpdate.job
- d:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]
.
.
------- Supplementary Scan -------
.
FF - ProfilePath - d:\documents and settings\Jeff\Application Data\Mozilla\Firefox\Profiles\zar3tta2.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://en.wikipedia.org/wiki/Main_Page

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-19 14:08:26
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-01-19 14:08:57
ComboFix-quarantined-files.txt 2009-01-19 22:08:55
ComboFix2.txt 2009-01-19 19:50:48
ComboFix3.txt 2009-01-19 02:30:53
ComboFix4.txt 2009-01-19 02:16:05

Pre-Run: 244,233,408,512 bytes free
Post-Run: 244,217,032,704 bytes free

236 --- E O F --- 2009-01-19 19:04:23

HJT Log:

Logfile of HijackThis v1.99.1
Scan saved at 2:11:12 PM, on 1/19/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\RTHDCPL.EXE
D:\Program Files\iTunes\iTunesHelper.exe
D:\Program Files\HP\HP Software Update\HPWuSchd2.exe
D:\Program Files\Steam\Steam.exe
D:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
D:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\nvsvc32.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\PnkBstrA.exe
D:\WINDOWS\system32\svchost.exe
D:\Program Files\iPod\bin\iPodService.exe
D:\WINDOWS\system32\wscntfy.exe
D:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
D:\Program Files\iTunes\iTunes.exe
D:\WINDOWS\system32\notepad.exe
D:\WINDOWS\system32\notepad.exe
D:\WINDOWS\system32\wuauclt.exe
D:\WINDOWS\explorer.exe
D:\Program Files\Messenger\msmsgs.exe
D:\Program Files\Mozilla Firefox\firefox.exe
D:\Program Files\Hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: HP Smart Web Printing 1.0 - {AE84A6AA-A333-4B92-B276-C11E2212E4FE} - D:\Program Files\HP\Smart Web Printing\SmartWebPrinting.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE D:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "D:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [HP Software Update] D:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [avast!] D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [MSMSGS] "D:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Steam] "D:\Program Files\Steam\Steam.exe" -silent
O4 - Global Startup: HP Digital Imaging Monitor.lnk = D:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 1916737390
O20 - Winlogon Notify: dimsntfy - %SystemRoot%\System32\dimsntfy.dll (file missing)
O23 - Service: Apple Mobile Device - Apple Inc. - D:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - D:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - D:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - D:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: iPod Service - Apple Inc. - D:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - D:\WINDOWS\system32\PnkBstrA.exe

Thank you for your continued support!
Pyramid
Active Member
 
Posts: 7
Joined: January 14th, 2009, 3:28 am

Re: Hello, must resolve!

Unread postby Bob4 » January 19th, 2009, 6:23 pm

Good job.
Almost done.


Make sure you register Avast with them or it will quit working after a few weeks. Once registered they give it to you free for a year.




________________________
Please download Malwarebytes' Anti-Malware to your desktop.

  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform full scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please post the contents of that log.

    If you accidentally close it you may find it here.
    Start -> All Programs -> Malwarebytes' Anti-Malware -> Logs


In your next reply I would like to see:
  • A new HJT log
  • The report from Malwarebytes
  • How are things running?
Bob4
MRU Master
 
Posts: 6070
Joined: November 12th, 2005, 11:26 am
Location: Florida

Re: Hello, must resolve!

Unread postby Pyramid » January 19th, 2009, 7:08 pm

Things are sailing as smoothly as ever :flower: Guess I can't tell you what a flower has to do with that, but things have been very good.


Malwarebytes' Anti-Malware 1.33
Database version: 1668
Windows 5.1.2600 Service Pack 3

1/19/2009 3:06:09 PM
mbam-log-2009-01-19 (15-06-09).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 80449
Time elapsed: 19 minute(s), 46 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 95

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\y9tdi2.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\Qoobox\Quarantine\D\WINDOWS\system32\axfraf.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\Qoobox\Quarantine\D\WINDOWS\system32\bbwltf.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\Qoobox\Quarantine\D\WINDOWS\system32\besehevi.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\Qoobox\Quarantine\D\WINDOWS\system32\dayevino.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\Qoobox\Quarantine\D\WINDOWS\system32\difoyuro.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\Qoobox\Quarantine\D\WINDOWS\system32\fetotava.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\Qoobox\Quarantine\D\WINDOWS\system32\fofufenu.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\Qoobox\Quarantine\D\WINDOWS\system32\fujegifu.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\Qoobox\Quarantine\D\WINDOWS\system32\fuyisajo.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\Qoobox\Quarantine\D\WINDOWS\system32\gakemojo.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\Qoobox\Quarantine\D\WINDOWS\system32\gomopiwe.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\Qoobox\Quarantine\D\WINDOWS\system32\hidumule.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\Qoobox\Quarantine\D\WINDOWS\system32\hvktwo.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\Qoobox\Quarantine\D\WINDOWS\system32\jisagade.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\Qoobox\Quarantine\D\WINDOWS\system32\jrvdwf.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\Qoobox\Quarantine\D\WINDOWS\system32\kajoveka.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\Qoobox\Quarantine\D\WINDOWS\system32\ligasuta.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\Qoobox\Quarantine\D\WINDOWS\system32\lupujuye.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\Qoobox\Quarantine\D\WINDOWS\system32\mivawubi.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\Qoobox\Quarantine\D\WINDOWS\system32\mjnvel.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\Qoobox\Quarantine\D\WINDOWS\system32\mulipiza.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\Qoobox\Quarantine\D\WINDOWS\system32\nanemefu.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\Qoobox\Quarantine\D\WINDOWS\system32\nomifeyi.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\Qoobox\Quarantine\D\WINDOWS\system32\patafudi.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\Qoobox\Quarantine\D\WINDOWS\system32\ponovisi.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\Qoobox\Quarantine\D\WINDOWS\system32\rovozefa.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\Qoobox\Quarantine\D\WINDOWS\system32\rujamika.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\Qoobox\Quarantine\D\WINDOWS\system32\sajuyaya.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\Qoobox\Quarantine\D\WINDOWS\system32\seyomaju.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\Qoobox\Quarantine\D\WINDOWS\system32\sonusoya.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\Qoobox\Quarantine\D\WINDOWS\system32\vetidika.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\Qoobox\Quarantine\D\WINDOWS\system32\werenago.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\Qoobox\Quarantine\D\WINDOWS\system32\wogipute.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\Qoobox\Quarantine\D\WINDOWS\system32\wumoyuvo.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\Qoobox\Quarantine\D\WINDOWS\system32\wuyamoba.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\Qoobox\Quarantine\D\WINDOWS\system32\wuyeligo.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\Qoobox\Quarantine\D\WINDOWS\system32\wuzakoba.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\Qoobox\Quarantine\D\WINDOWS\system32\yprnxe.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\Qoobox\Quarantine\D\WINDOWS\system32\zawetuba.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\Qoobox\Quarantine\D\WINDOWS\system32\zelayira.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\Qoobox\Quarantine\D\WINDOWS\system32\zepulabe.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\Qoobox\Quarantine\D\WINDOWS\system32\zitovovi.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\Qoobox\Quarantine\D\WINDOWS\system32\zosusewa.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\Qoobox\Quarantine\D\WINDOWS\system32\zuziberi.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{EC17F7E5-C2EF-4990-9818-D65E3D8C9047}\RP2\A0000015.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{EC17F7E5-C2EF-4990-9818-D65E3D8C9047}\RP2\A0000018.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{EC17F7E5-C2EF-4990-9818-D65E3D8C9047}\RP2\A0000024.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{EC17F7E5-C2EF-4990-9818-D65E3D8C9047}\RP2\A0000025.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{EC17F7E5-C2EF-4990-9818-D65E3D8C9047}\RP2\A0000030.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{EC17F7E5-C2EF-4990-9818-D65E3D8C9047}\RP2\A0000031.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{EC17F7E5-C2EF-4990-9818-D65E3D8C9047}\RP2\A0000032.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{EC17F7E5-C2EF-4990-9818-D65E3D8C9047}\RP2\A0000033.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{EC17F7E5-C2EF-4990-9818-D65E3D8C9047}\RP2\A0000034.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{EC17F7E5-C2EF-4990-9818-D65E3D8C9047}\RP2\A0000036.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{EC17F7E5-C2EF-4990-9818-D65E3D8C9047}\RP2\A0000038.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{EC17F7E5-C2EF-4990-9818-D65E3D8C9047}\RP2\A0000040.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{EC17F7E5-C2EF-4990-9818-D65E3D8C9047}\RP2\A0000050.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{EC17F7E5-C2EF-4990-9818-D65E3D8C9047}\RP2\A0000051.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{EC17F7E5-C2EF-4990-9818-D65E3D8C9047}\RP2\A0000053.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{EC17F7E5-C2EF-4990-9818-D65E3D8C9047}\RP2\A0000059.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{EC17F7E5-C2EF-4990-9818-D65E3D8C9047}\RP2\A0000063.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{EC17F7E5-C2EF-4990-9818-D65E3D8C9047}\RP2\A0000064.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{EC17F7E5-C2EF-4990-9818-D65E3D8C9047}\RP2\A0000065.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{EC17F7E5-C2EF-4990-9818-D65E3D8C9047}\RP2\A0000067.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{EC17F7E5-C2EF-4990-9818-D65E3D8C9047}\RP2\A0000068.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{EC17F7E5-C2EF-4990-9818-D65E3D8C9047}\RP2\A0000071.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{EC17F7E5-C2EF-4990-9818-D65E3D8C9047}\RP2\A0000079.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{EC17F7E5-C2EF-4990-9818-D65E3D8C9047}\RP2\A0000080.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{EC17F7E5-C2EF-4990-9818-D65E3D8C9047}\RP2\A0000083.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{EC17F7E5-C2EF-4990-9818-D65E3D8C9047}\RP2\A0000085.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{EC17F7E5-C2EF-4990-9818-D65E3D8C9047}\RP2\A0000086.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{EC17F7E5-C2EF-4990-9818-D65E3D8C9047}\RP2\A0000088.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{EC17F7E5-C2EF-4990-9818-D65E3D8C9047}\RP2\A0000089.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{EC17F7E5-C2EF-4990-9818-D65E3D8C9047}\RP2\A0000098.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{EC17F7E5-C2EF-4990-9818-D65E3D8C9047}\RP2\A0000101.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{EC17F7E5-C2EF-4990-9818-D65E3D8C9047}\RP2\A0000102.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{EC17F7E5-C2EF-4990-9818-D65E3D8C9047}\RP2\A0000103.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{EC17F7E5-C2EF-4990-9818-D65E3D8C9047}\RP2\A0000104.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{EC17F7E5-C2EF-4990-9818-D65E3D8C9047}\RP2\A0000105.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{EC17F7E5-C2EF-4990-9818-D65E3D8C9047}\RP2\A0000106.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{EC17F7E5-C2EF-4990-9818-D65E3D8C9047}\RP2\A0000019.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{EC17F7E5-C2EF-4990-9818-D65E3D8C9047}\RP2\A0000109.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{EC17F7E5-C2EF-4990-9818-D65E3D8C9047}\RP2\A0000112.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{EC17F7E5-C2EF-4990-9818-D65E3D8C9047}\RP2\A0000113.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{EC17F7E5-C2EF-4990-9818-D65E3D8C9047}\RP2\A0000114.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{EC17F7E5-C2EF-4990-9818-D65E3D8C9047}\RP2\A0000115.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{EC17F7E5-C2EF-4990-9818-D65E3D8C9047}\RP2\A0000116.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{EC17F7E5-C2EF-4990-9818-D65E3D8C9047}\RP2\A0000117.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\WINDOWS\system32\dewukobe.dll.tmp (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\WINDOWS\system32\vahuwodi.dll.tmp (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\WINDOWS\system32\baborefe.dll.tmp (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\WINDOWS\system32\bulilufu.dll.tmp (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\WINDOWS\system32\yijokuwu.dll.tmp (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\WINDOWS\system32\zizatewa.dll.tmp (Trojan.Vundo) -> Quarantined and deleted successfully.

HJT:

Logfile of HijackThis v1.99.1
Scan saved at 3:08:16 PM, on 1/19/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\RTHDCPL.EXE
D:\Program Files\iTunes\iTunesHelper.exe
D:\Program Files\HP\HP Software Update\HPWuSchd2.exe
D:\Program Files\Steam\Steam.exe
D:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
D:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\nvsvc32.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\PnkBstrA.exe
D:\WINDOWS\system32\svchost.exe
D:\Program Files\iPod\bin\iPodService.exe
D:\WINDOWS\system32\wscntfy.exe
D:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
D:\Program Files\iTunes\iTunes.exe
D:\WINDOWS\system32\wuauclt.exe
D:\WINDOWS\explorer.exe
D:\Program Files\Messenger\msmsgs.exe
D:\Program Files\Ventrilo\Ventrilo.exe
D:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
D:\Program Files\Mozilla Firefox\firefox.exe
D:\WINDOWS\system32\NOTEPAD.EXE
D:\Program Files\Hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: HP Smart Web Printing 1.0 - {AE84A6AA-A333-4B92-B276-C11E2212E4FE} - D:\Program Files\HP\Smart Web Printing\SmartWebPrinting.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE D:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "D:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [HP Software Update] D:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [avast!] D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] D:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [MSMSGS] "D:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Steam] "D:\Program Files\Steam\Steam.exe" -silent
O4 - Global Startup: HP Digital Imaging Monitor.lnk = D:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 1916737390
O20 - Winlogon Notify: dimsntfy - %SystemRoot%\System32\dimsntfy.dll (file missing)
O23 - Service: Apple Mobile Device - Apple Inc. - D:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - D:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - D:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - D:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: iPod Service - Apple Inc. - D:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - D:\WINDOWS\system32\PnkBstrA.exe
Pyramid
Active Member
 
Posts: 7
Joined: January 14th, 2009, 3:28 am

Re: Hello, must resolve!

Unread postby Bob4 » January 19th, 2009, 7:41 pm

The flower is a nice touch. :lol:


Great news!

Your log now appears to be clean.

Let's do a few things to tidy up.
Please do these in the order I suggest!






___________________________________
The following will implement some cleanup procedures for the tool we used as well as reset System Restore points:

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /u






_______________________________________
A few things to help with possible threats

These are optional, but will help protect you further.
Some of these you may already have.





________________________________________
Windows Updates
Be certain Automatic Updates is turned on for XP or for Vista. Or, if you like to do it manually, be sure to visit http://update.microsoft.com/ regularly; this requires Internet Explorer.

This will ensure your computer always has the latest security updates installed.
If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
___________________________________

SpywareBlaster

Install SpywareBlaster

SpywareBlaster will add a large list of programs and sites to your Browser settings that will protect you from accidentally running or downloading known malicious programs.
After the installation, click Download Latest Protection Updates. When it finishes, click Enable All Protection.


______________________________
SiteHound

http://www.firetrust.com/firetrustsitehound.html

This toolbar will help protect you from:

  • Over 4,000 fake bank and credit sites.
  • Tens of thousands of pornographic and adult sites.
  • The never ending fake phishing sites.
  • Malicious sites, which can infect you with spyware and adware if you visit them.
  • Sites to download software which may infect your computer with spyware, a virus or adware.


___________________________________
Download and Install a HOSTS File

Download HostsXpert and unzip it to your computer, somewhere where you can find it.
  • Run HostsXpert
  • If Hosts file is Read Only, click on Make Writeable, otherwise move on to next stage.
  • Click Download button.
  • Click MVPs Hosts
  • Click Merge File
  • Press OK to download latest MVPs update and merge it with your Hosts.
  • When finished click File Handling
  • Click Make Read Only to secure your Hosts file.
  • Exit HostsXpert.


___________________________________
Make your Internet Explorer more secure
1. From within Internet Explorer click on the Tools menu and then click on Options.
2. Click on the Security tab
3. Click the Internet icon so it becomes highlighted.
4. Click on Default Level and click Ok
5. Click on the Custom Level button.

Change the Download signed ActiveX controls to Prompt
Change the Download unsigned ActiveX controls to Disable
Change the Initialise and script ActiveX controls not marked as safe to Disable
Change the Installation of desktop items to Prompt
Change the Launching programs and files in an IFRAME to Prompt
Change the Navigate sub-frames across different domains to Prompt

When all these settings have been made, click on the OK button.
If it prompts you as to whether or not you want to save the settings, press the Yes button.

6. Next press the Apply button and then the OK to exit the Internet Properties page.



_______________________________________
So many people are point and click crazy, either because they're naive or they're in a rush.

Always watch closely any software you're installing.
If they want to install something more than their program, stop right there and investigate what it is they want to place on your computer.
If they give you the option not to install it choose that until you investigate it completely.
The more you install that you don't want or need the more you'll wish you didn't.





Here's a site with great advice on how to AVOID malware. Much easier to do than removing it.


___________________________________
If you're anything like me, you should be mad these people have done this to you.
Please take the time to tell us what you would like to be done to these idiots!
We can only get something done about this if the people that we help, like you, are prepared to complain.
We have a dedicated forum for collecting these complaints, Malware Complaints; you do not have to be registered to post, just find your country room and register your complaint.

The infection you had was Vundo.


Safe and Happy Surfing. :)
Bob4
MRU Master
 
Posts: 6070
Joined: November 12th, 2005, 11:26 am
Location: Florida
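The hosts-file step in the post above (download the MVPs list, merge it into your hosts file, then make the file read-only), as an added Python example; this is not HostsXpert and not code from the post. The marker comments, the sample hosts text and the sample blocklist are constructed for the example, and the only assumption is that the downloaded list is in plain hosts format.

```python
"""Merge a hosts-format blocklist into a hosts file, idempotently, then lock it.
Added example for this thread: not HostsXpert and not code from the post.
Assumes the blocklist is plain hosts format ("0.0.0.0 host" or
"127.0.0.1 host" lines), which is how the MVPs list is shipped."""
import os
import re
import stat
from pathlib import Path

BEGIN = "# BEGIN merged blocklist (managed section)"
END = "# END merged blocklist (managed section)"
SINKHOLES = {"0.0.0.0", "127.0.0.1"}   # only null/loopback targets are accepted
PROTECTED = {"localhost", "localhost.localdomain", "broadcasthost"}
HOST_RE = re.compile(r"^[a-z0-9]([a-z0-9-]*[a-z0-9])?(\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)*$")


def parse_entries(text):
    """Yield (host, ip) for each acceptable entry. Lines pointing a name at a
    real address are dropped: that would redirect traffic, not block it."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # strip comments
        if not line:
            continue
        ip, *hosts = line.split()
        if ip not in SINKHOLES:
            continue
        for host in hosts:
            host = host.lower()
            if host not in PROTECTED and HOST_RE.match(host):
                yield host, ip


def split_managed(text):
    """Split hosts text into (user_lines, managed_lines) on the marker comments."""
    user, managed, inside = [], [], False
    for line in text.splitlines():
        if line.strip() == BEGIN:
            inside = True
        elif line.strip() == END:
            inside = False
        else:
            (managed if inside else user).append(line)
    return user, managed


def merge_hosts(existing, blocklist):
    """Return new hosts text: the user's own lines untouched, the managed
    section rebuilt from the previous merge plus the new blocklist."""
    user, managed = split_managed(existing)
    user_names = set()                            # names the user mapped
    for line in user:                             # themselves always win
        fields = line.split("#", 1)[0].split()
        user_names.update(f.lower() for f in fields[1:])
    entries = dict(parse_entries("\n".join(managed)))
    entries.update(parse_entries(blocklist))      # newer list overrides older
    for name in user_names:
        entries.pop(name, None)
    body = [f"{ip} {host}" for host, ip in sorted(entries.items())]
    while user and not user[-1].strip():          # one blank line before marker
        user.pop()
    return "\n".join(user + ["", BEGIN, *body, END]) + "\n"


def install_blocklist(hosts_path, blocklist_text):
    """Rewrite the hosts file in place and set it read-only (the post's
    'Make Read Only' step). Returns the number of managed entries."""
    path = Path(hosts_path)
    existing = ""
    if path.exists():
        os.chmod(path, stat.S_IREAD | stat.S_IWRITE)   # clear read-only first
        existing = path.read_text(encoding="utf-8", errors="replace")
    merged = merge_hosts(existing, blocklist_text)
    path.write_text(merged, encoding="utf-8")
    os.chmod(path, stat.S_IREAD)     # on Windows this sets the read-only attribute
    return len(split_managed(merged)[1])


# Constructed sample input (not from the thread's logs).
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
192.168.1.20    nas.home      # user's own mapping, must not be overridden
"""
SAMPLE_BLOCKLIST = """# sample list in MVPs hosts format
0.0.0.0 ads.example.net
0.0.0.0 tracker.example.org  # trailing comment
0.0.0.0 nas.home             # collides with the user's mapping: skipped
203.0.113.9 bank.example.com # not a sinkhole address: skipped
127.0.0.1 localhost          # protected name: skipped
0.0.0.0 Ads.Example.Net      # duplicate differing only in case
"""

if __name__ == "__main__":
    print(merge_hosts(SAMPLE_HOSTS, SAMPLE_BLOCKLIST), end="")
```

Running the merge a second time over its own output changes nothing, so the same script can be re-run each time a fresh list is downloaded.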
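The Internet Explorer zone settings from the "Make your Internet Explorer more secure" step, as an added auditing example that is not from the post: it reads a `.reg` export of the Internet zone key and reports which of the six settings still differ from the values the post asks for. The setting numbers and the Enable/Prompt/Disable encoding (0/1/3) are taken from Microsoft's KB 182569 description of the Zones key, and the sample export is constructed.

```python
"""Audit Internet Explorer's Internet zone (zone 3) against the six
settings changed in the post, reading a .reg export of the zone key.

Added example, not from the original post. The value names and the
Enable/Prompt/Disable encoding (0/1/3) follow Microsoft's KB 182569
description of the Zones registry key; verify them on your own system."""
import re

ZONE_KEY = (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion"
            r"\Internet Settings\Zones\3")
ENABLE, PROMPT, DISABLE = 0, 1, 3
LEVEL = {ENABLE: "Enable", PROMPT: "Prompt", DISABLE: "Disable"}

# Setting -> (description as shown in the Custom Level dialog, hardened value)
RECOMMENDED = {
    "1001": ("Download signed ActiveX controls", PROMPT),
    "1004": ("Download unsigned ActiveX controls", DISABLE),
    "1201": ("Initialize and script ActiveX controls not marked as safe", DISABLE),
    "1800": ("Installation of desktop items", PROMPT),
    "1804": ("Launching programs and files in an IFRAME", PROMPT),
    "1607": ("Navigate sub-frames across different domains", PROMPT),
}

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
DWORD_RE = re.compile(r'^"(?P<name>[^"]+)"=dword:(?P<hex>[0-9a-fA-F]{8})$')


def parse_reg_export(text):
    """Return {key_path: {value_name: int}} for the DWORD values in a .reg file."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        key = KEY_RE.match(line)
        if key:
            current = key.group("key")
            keys.setdefault(current, {})
            continue
        value = DWORD_RE.match(line)
        if value and current is not None:
            keys[current][value.group("name")] = int(value.group("hex"), 16)
    return keys


def audit_zone(reg_text):
    """Return [(setting, description, found, expected)] for each recommended
    setting whose stored value differs. found is None when the value is absent
    (the zone is then on its template default, which this script cannot see)."""
    values = parse_reg_export(reg_text).get(ZONE_KEY, {})
    return [(name, desc, values.get(name), want)
            for name, (desc, want) in RECOMMENDED.items()
            if values.get(name) != want]


def report(findings):
    """Human-readable lines, one per deviation."""
    lines = []
    for name, desc, found, want in findings:
        have = "not set" if found is None else LEVEL.get(found, f"unknown({found})")
        lines.append(f"{name} {desc}: is {have}, should be {LEVEL[want]}")
    return lines


# Constructed sample export: two settings are still at their loose value.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"DisplayName"="Internet"
"CurrentLevel"=dword:00011000
"1001"=dword:00000001
"1004"=dword:00000003
"1201"=dword:00000001
"1607"=dword:00000000
"1800"=dword:00000001
"1804"=dword:00000001
"""

if __name__ == "__main__":
    for line in report(audit_zone(SAMPLE_REG)):
        print(line)
```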

Re: Hello, must resolve!

Unread postby Pyramid » January 19th, 2009, 9:56 pm

Thanks so much, it was a pleasure ridding my machine of malware!
:cheers: :cheers: :cheers:
Pyramid
Active Member
 
Posts: 7
Joined: January 14th, 2009, 3:28 am

Re: Hello, must resolve!

Unread postby Gary R » January 20th, 2009, 5:02 pm

As your problems appear to have been resolved, this topic is now closed.

We are pleased we could help you resolve your computer's malware issues.

If you would like to make a comment or leave a compliment regarding the help you have received, please see Feedback for Our Helpers - Say "Thanks" Here.
Gary R
Administrator
 
Posts: 21872
Joined: June 28th, 2005, 11:36 am
Location: Yorkshire