rish Posted November 24, 2007 ID:10300 Share Posted November 24, 2007 My computer has been infected for some time now, and ive been living with pop ups and so on however i recently downloaded NOD32 and it has helped considerably though there are some things it cant seem to fix. This comes up alot Adware.Virtumonde application This i see in the nod32 logs alot Adware.Ezula applicationand this came up in the startup scanner and was unable to be deleted Obfucated.A1 virusSo could anyone please help me get to get rid of these final viruses so my computer can be clean once again, thanksThanks Link to post Share on other sites More sharing options...
JeanInMontana Posted November 24, 2007 ID:10317 Share Posted November 24, 2007 Hi there Rishi, and welcome to Malwarebytes. Please delete the version of HiJack This you have now and use the one posted below in my instruction.If you haven't already, please get these programs, update and run a complete scan removing all items found.Spybot Search & Destroy Be sure to use the immunize feature. But do not enable TeaTimer at this time. Use the tutorial feature in the help tab to see how to go about this.AVG AntiSpyware Be sure to "take action"Then go here and run a scan PandaActive Scan There is a full tutorial on how to to this at the top of this forum.Post the logs from the Panda and AVG scans please, along with a log from this program HiJack This! You will post three logs. 1. AVG scan. 2. Panda Active Scan. 3. HiJack This scan. You will finish the AVG first so go ahead and post that log, then move on to Panda and so forth.I will analyze the logs and give you further instructions. Be patient and persistent. These things can take time and many procedures. Link to post Share on other sites More sharing options...
rish Posted November 25, 2007 Author ID:10349 Share Posted November 25, 2007 Ok thanks for the help im willing to do anything to get it completely fixed, here are the three logs Firstly AVG Scan---------------------------------------------------------AVG Anti-Spyware - Scan Report--------------------------------------------------------- + Created at: 7:42:48 PM 11/25/2007 + Scan result: HKU\S-1-5-21-1960408961-789336058-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{5929CD6E-2062-44A4-B2C5-2C7E78FBAB38} -> Adware.Generic : Ignored.[1332] C:\WINDOWS\system32\mljji.dll -> Adware.Virtumonde : Ignored.[1376] C:\WINDOWS\system32\mljji.dll -> Adware.Virtumonde : Ignored.:mozilla.111:C:\Documents and Settings\rishi\Application Data\Mozilla\Firefox\Profiles\m48wcaui.default\cookies.txt -> TrackingCookie.247realmedia : Ignored.:mozilla.30:C:\Documents and Settings\rishi\Application Data\Mozilla\Firefox\Profiles\m48wcaui.default\cookies.txt -> TrackingCookie.2o7 : Ignored.:mozilla.32:C:\Documents and Settings\rishi\Application Data\Mozilla\Firefox\Profiles\m48wcaui.default\cookies.txt -> TrackingCookie.2o7 : Ignored.:mozilla.86:C:\Documents and Settings\rishi\Application Data\Mozilla\Firefox\Profiles\m48wcaui.default\cookies.txt -> TrackingCookie.2o7 : Ignored.C:\Documents and Settings\rishi\Cookies\rishi@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : Ignored.C:\Documents and Settings\rishi\Cookies\rishi@pandasoftware.112.2o7[1].txt -> TrackingCookie.2o7 : Ignored.:mozilla.36:C:\Documents and Settings\rishi\Application Data\Mozilla\Firefox\Profiles\m48wcaui.default\cookies.txt -> TrackingCookie.Adtech : Ignored.:mozilla.6:C:\Documents and Settings\rishi\Application Data\Mozilla\Firefox\Profiles\m48wcaui.default\cookies.txt -> TrackingCookie.Atdmt : Ignored.C:\Documents and Settings\rishi\Cookies\rishi@atdmt[2].txt -> TrackingCookie.Atdmt : Ignored.:mozilla.42:C:\Documents and Settings\rishi\Application Data\Mozilla\Firefox\Profiles\m48wcaui.default\cookies.txt -> TrackingCookie.Connextra : Ignored.:mozilla.43:C:\Documents and Settings\rishi\Application Data\Mozilla\Firefox\Profiles\m48wcaui.default\cookies.txt -> TrackingCookie.Connextra : Ignored.:mozilla.41:C:\Documents and Settings\rishi\Application Data\Mozilla\Firefox\Profiles\m48wcaui.default\cookies.txt -> TrackingCookie.Doubleclick : Ignored.C:\Documents and Settings\rishi\Cookies\rishi@doubleclick[1].txt -> TrackingCookie.Doubleclick : Ignored.:mozilla.50:C:\Documents and Settings\rishi\Application Data\Mozilla\Firefox\Profiles\m48wcaui.default\cookies.txt -> TrackingCookie.Hitbox : Ignored.:mozilla.51:C:\Documents and Settings\rishi\Application Data\Mozilla\Firefox\Profiles\m48wcaui.default\cookies.txt -> TrackingCookie.Hitbox : Ignored.:mozilla.52:C:\Documents and Settings\rishi\Application Data\Mozilla\Firefox\Profiles\m48wcaui.default\cookies.txt -> TrackingCookie.Hitbox : Ignored.C:\Documents and Settings\rishi\Cookies\rishi@hitbox[1].txt -> TrackingCookie.Hitbox : Ignored.:mozilla.33:C:\Documents and Settings\rishi\Application Data\Mozilla\Firefox\Profiles\m48wcaui.default\cookies.txt -> TrackingCookie.Imrworldwide : Ignored.:mozilla.35:C:\Documents and Settings\rishi\Application Data\Mozilla\Firefox\Profiles\m48wcaui.default\cookies.txt -> TrackingCookie.Imrworldwide : Ignored.:mozilla.120:C:\Documents and Settings\rishi\Application Data\Mozilla\Firefox\Profiles\m48wcaui.default\cookies.txt -> TrackingCookie.Intelli-direct : Ignored.:mozilla.125:C:\Documents and Settings\rishi\Application Data\Mozilla\Firefox\Profiles\m48wcaui.default\cookies.txt -> TrackingCookie.Mediaplex : Ignored.C:\Documents and Settings\rishi\Cookies\rishi@mediaplex[1].txt -> TrackingCookie.Mediaplex : Ignored.:mozilla.81:C:\Documents and Settings\rishi\Application Data\Mozilla\Firefox\Profiles\m48wcaui.default\cookies.txt -> TrackingCookie.Netflame : Ignored.:mozilla.141:C:\Documents and Settings\rishi\Application Data\Mozilla\Firefox\Profiles\m48wcaui.default\cookies.txt -> TrackingCookie.Pointroll : Ignored.:mozilla.142:C:\Documents and Settings\rishi\Application Data\Mozilla\Firefox\Profiles\m48wcaui.default\cookies.txt -> TrackingCookie.Pointroll : Ignored.:mozilla.143:C:\Documents and Settings\rishi\Application Data\Mozilla\Firefox\Profiles\m48wcaui.default\cookies.txt -> TrackingCookie.Pointroll : Ignored.:mozilla.144:C:\Documents and Settings\rishi\Application Data\Mozilla\Firefox\Profiles\m48wcaui.default\cookies.txt -> TrackingCookie.Pointroll : Ignored.:mozilla.145:C:\Documents and Settings\rishi\Application Data\Mozilla\Firefox\Profiles\m48wcaui.default\cookies.txt -> TrackingCookie.Pointroll : Ignored.:mozilla.146:C:\Documents and Settings\rishi\Application Data\Mozilla\Firefox\Profiles\m48wcaui.default\cookies.txt -> TrackingCookie.Pointroll : Ignored.:mozilla.147:C:\Documents and Settings\rishi\Application Data\Mozilla\Firefox\Profiles\m48wcaui.default\cookies.txt -> TrackingCookie.Pointroll : Ignored.:mozilla.148:C:\Documents and Settings\rishi\Application Data\Mozilla\Firefox\Profiles\m48wcaui.default\cookies.txt -> TrackingCookie.Pointroll : Ignored.:mozilla.149:C:\Documents and Settings\rishi\Application Data\Mozilla\Firefox\Profiles\m48wcaui.default\cookies.txt -> TrackingCookie.Pointroll : Ignored.:mozilla.113:C:\Documents and Settings\rishi\Application Data\Mozilla\Firefox\Profiles\m48wcaui.default\cookies.txt -> TrackingCookie.Revsci : Ignored.:mozilla.114:C:\Documents and Settings\rishi\Application Data\Mozilla\Firefox\Profiles\m48wcaui.default\cookies.txt -> TrackingCookie.Revsci : Ignored.:mozilla.116:C:\Documents and Settings\rishi\Application Data\Mozilla\Firefox\Profiles\m48wcaui.default\cookies.txt -> TrackingCookie.Revsci : Ignored.:mozilla.117:C:\Documents and Settings\rishi\Application Data\Mozilla\Firefox\Profiles\m48wcaui.default\cookies.txt -> TrackingCookie.Revsci : Ignored.:mozilla.67:C:\Documents and Settings\rishi\Application Data\Mozilla\Firefox\Profiles\m48wcaui.default\cookies.txt -> TrackingCookie.Serving-sys : Ignored.:mozilla.68:C:\Documents and Settings\rishi\Application Data\Mozilla\Firefox\Profiles\m48wcaui.default\cookies.txt -> TrackingCookie.Serving-sys : Ignored.:mozilla.69:C:\Documents and Settings\rishi\Application Data\Mozilla\Firefox\Profiles\m48wcaui.default\cookies.txt -> TrackingCookie.Serving-sys : Ignored.:mozilla.70:C:\Documents and Settings\rishi\Application Data\Mozilla\Firefox\Profiles\m48wcaui.default\cookies.txt -> TrackingCookie.Serving-sys : Ignored.:mozilla.71:C:\Documents and Settings\rishi\Application Data\Mozilla\Firefox\Profiles\m48wcaui.default\cookies.txt -> TrackingCookie.Serving-sys : Ignored.:mozilla.72:C:\Documents and Settings\rishi\Application Data\Mozilla\Firefox\Profiles\m48wcaui.default\cookies.txt -> TrackingCookie.Serving-sys : Ignored.:mozilla.73:C:\Documents and Settings\rishi\Application Data\Mozilla\Firefox\Profiles\m48wcaui.default\cookies.txt -> TrackingCookie.Serving-sys : Ignored.C:\Documents and Settings\rishi\Cookies\rishi@bs.serving-sys[2].txt -> TrackingCookie.Serving-sys : Ignored.C:\Documents and Settings\rishi\Cookies\rishi@serving-sys[1].txt -> TrackingCookie.Serving-sys : Ignored.:mozilla.17:C:\Documents and Settings\rishi\Application Data\Mozilla\Firefox\Profiles\m48wcaui.default\cookies.txt -> TrackingCookie.Statcounter : Ignored.:mozilla.12:C:\Documents and Settings\rishi\Application Data\Mozilla\Firefox\Profiles\m48wcaui.default\cookies.txt -> TrackingCookie.Yieldmanager : Ignored.:mozilla.13:C:\Documents and Settings\rishi\Application Data\Mozilla\Firefox\Profiles\m48wcaui.default\cookies.txt -> TrackingCookie.Yieldmanager : Ignored.:mozilla.14:C:\Documents and Settings\rishi\Application Data\Mozilla\Firefox\Profiles\m48wcaui.default\cookies.txt -> TrackingCookie.Yieldmanager : Ignored.:mozilla.15:C:\Documents and Settings\rishi\Application Data\Mozilla\Firefox\Profiles\m48wcaui.default\cookies.txt -> TrackingCookie.Yieldmanager : Ignored.:mozilla.16:C:\Documents and Settings\rishi\Application Data\Mozilla\Firefox\Profiles\m48wcaui.default\cookies.txt -> TrackingCookie.Yieldmanager : Ignored.:mozilla.7:C:\Documents and Settings\rishi\Application Data\Mozilla\Firefox\Profiles\m48wcaui.default\cookies.txt -> TrackingCookie.Yieldmanager : Ignored.:mozilla.9:C:\Documents and Settings\rishi\Application Data\Mozilla\Firefox\Profiles\m48wcaui.default\cookies.txt -> TrackingCookie.Yieldmanager : Ignored.C:\WINDOWS\system32\wnscpsv.exe -> Trojan.Small : Ignored.(i deleted them all after)::Report endPanda ActivescanIncident Status Location Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\nnnopom.dll Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\mljji.dll Adware:adware/ist.istbar Not disinfected Windows Registry Adware:adware/yazzle Not disinfected Windows Registry Adware:adware/seekmo Not disinfected Windows Registry Spyware:Cookie/Adtech Not disinfected C:\Documents and Settings\rishi\Application Data\Mozilla\Firefox\Profiles\m48wcaui.default\cookies.txt[.adtech.de/] Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\rishi\Application Data\Mozilla\Firefox\Profiles\m48wcaui.default\cookies.txt[.doubleclick.net/] Spyware:Cookie/Go Not disinfected C:\Documents and Settings\rishi\Application Data\Mozilla\Firefox\Profiles\m48wcaui.default\cookies.txt[.go.com/] Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\rishi\Application Data\Mozilla\Firefox\Profiles\m48wcaui.default\cookies.txt[.atdmt.com/] Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\rishi\Application Data\Mozilla\Firefox\Profiles\m48wcaui.default\cookies.txt[ad.yieldmanager.com/] Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\rishi\Application Data\Mozilla\Firefox\Profiles\m48wcaui.default\cookies.txt[.247realmedia.com/] Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\rishi\Application Data\Mozilla\Firefox\Profiles\m48wcaui.default\cookies.txt[.serving-sys.com/] Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\rishi\Application Data\Mozilla\Firefox\Profiles\m48wcaui.default\cookies.txt[.bs.serving-sys.com/] Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\rishi\Application Data\Mozilla\Firefox\Profiles\m48wcaui.default\cookies.txt[.serving-sys.com/] Spyware:Cookie/NewMedia Not disinfected C:\Documents and Settings\rishi\Application Data\Mozilla\Firefox\Profiles\m48wcaui.default\cookies.txt[.anm.co.uk/] Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\rishi\Application Data\Mozilla\Firefox\Profiles\m48wcaui.default\cookies.txt[.mediaplex.com/] Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\rishi\Application Data\Mozilla\Firefox\Profiles\m48wcaui.default\cookies.txt[.ads.pointroll.com/] Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\rishi\Cookies\rishi@atdmt[2].txt Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\rishi\Cookies\rishi@bs.serving-sys[2].txt Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\rishi\Cookies\rishi@doubleclick[1].txt Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\rishi\Cookies\rishi@mediaplex[1].txt Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\rishi\Cookies\rishi@serving-sys[1].txt Adware:Adware/WinAntivirus2006 Not disinfected C:\Documents and Settings\rishi\Local Settings\Temp\aabsrcdf.dll Virus:Trj/Downloader.OZB Disinfected C:\Documents and Settings\rishi\Local Settings\Temp\apypbrvj.exe Adware:Adware/WinAntivirus2006 Not disinfected C:\Documents and Settings\rishi\Local Settings\Temp\cedpbsdh.dll Adware:Adware/WinAntivirus2006 Not disinfected C:\Documents and Settings\rishi\Local Settings\Temp\ebpbuctp.dll Adware:Adware/WinAntivirus2006 Not disinfected C:\Documents and Settings\rishi\Local Settings\Temp\godmdkfs.dll Adware:Adware/WinAntivirus2006 Not disinfected C:\Documents and Settings\rishi\Local Settings\Temp\lyrnbnwx.dll Adware:Adware/WinAntivirus2006 Not disinfected C:\Documents and Settings\rishi\Local Settings\Temp\qlwxgubs.dll Adware:Adware/WinAntivirus2006 Not disinfected C:\Documents and Settings\rishi\Local Settings\Temp\sckonhgl.dll Adware:Adware/WinAntivirus2006 Not disinfected C:\Documents and Settings\rishi\Local Settings\Temp\vdeaedkg.dll Adware:Adware/WinAntivirus2006 Not disinfected C:\Documents and Settings\rishi\Local Settings\Temp\yxslmqgn.dll Potentially unwanted tool:Application/MotherboardMonitor.A Not disinfected C:\Program Files\mIRC\script\dlls\moo.dll Potentially unwanted tool:Application/VSToolbar Not disinfected C:\Program Files\VSAdd-in\VSAdd-in.dll Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\aodoxblu.dll Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\aoiqyloq.dll Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\ardpqpjf.dll Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\beguchqe.exe Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\bvwpbcig.dll Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\citsxlyr.dll Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\cjwdqdha.dll Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\dfuvqjqr.dll Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\dlwifdsq.dll Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\ebmtpunu.dll Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\etrnagjr.exe Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\fipotskv.dll Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\fkfvreni.exe Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\ftjtovlq.dll Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\ftnyljfe.dll Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\gbdubodg.dll Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\ghqpuuhb.exe Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\gibtppaq.exe Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\gifgdfhy.dll Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\glqfbmfo.dll Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\hhsygnmk.dll The new version of Hijackthis LogLogfile of Trend Micro HijackThis v2.0.2Scan saved at 9:02:35 PM, on 11/25/2007Platform: Windows XP SP2 (WinNT 5.01.2600)MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)Boot mode: NormalRunning processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\system32\spoolsv.exeC:\WINDOWS\Explorer.EXEC:\Program Files\Java\jre1.6.0_02\bin\jusched.exeC:\WINDOWS\SOUNDMAN.EXEC:\Program Files\Microsoft Hardware\Mouse\point32.exeC:\Program Files\ESET\ESET NOD32 Antivirus\egui.exeC:\Program Files\MSN Messenger\msnmsgr.exeC:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exeC:\Program Files\Cheetah Burner\Cheetah DVD Burner\NMSAccess.exeC:\WINDOWS\system32\nvsvc32.exeC:\WINDOWS\System32\svchost.exeC:\Program Files\MSN Messenger\usnsvc.exeC:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exeC:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exeC:\Program Files\Steam\steam.exeC:\Program Files\Trend Micro\HijackThis\HijackThis.exeR3 - URLSearchHook: (no name) - {132D477C-8AE0-AA33-98A8-F08AAFA0FB9E} - (no file)O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dllO4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXEO4 - HKLM\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\\nTune.exe" clearO4 - HKLM\..\Run: [POINTER] point32.exeO4 - HKLM\..\Run: [sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptionsO4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottimeO4 - HKLM\..\Run: [DllRunning] rundll32.exe "C:\WINDOWS\system32\mukauxgp.dll",setvmO4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartupO4 - HKLM\..\Run: [nwiz] nwiz.exe /installO4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInitO4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -kO4 - HKLM\..\Run: [tool 01 warn info] C:\Documents and Settings\All Users\Application Data\bash army tool 01\File bleh.exeO4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitserviceO4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimizedO4 - HKCU\..\Run: [skip drive] C:\DOCUME~1\rishi\APPLIC~1\ACTIVE~1\16 COMP BOWS.exeO4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /backgroundO4 - HKCU\..\Policies\Explorer\Run: [{F8F29F58-07D9-1033-0623-050614200001}] C:\Program Files\Common Files\{F8F29F58-07D9-1033-0623-050614200001}\Update.exe mc-110-12-0001411O4 - HKUS\S-1-5-18\..\Policies\Explorer\Run: [{F8F29F58-0898-1033-0623-050614200001}] C:\Program Files\Common Files\{F8F29F58-0898-1033-0623-050614200001}\Update.exe mc-110-12-0001411 (User 'SYSTEM')O4 - HKUS\.DEFAULT\..\Policies\Explorer\Run: [{F8F29F58-0898-1033-0623-050614200001}] C:\Program Files\Common Files\{F8F29F58-0898-1033-0623-050614200001}\Update.exe mc-110-12-0001411 (User 'Default user')O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exeO8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htmO8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htmO8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE12\EXCEL.EXE/3000O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dllO9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dllO9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLLO16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cabO16 - DPF: {74CD40EA-EF77-4BAD-808A-B5982DA73F20} - http://yax-download.yazzle.net/YazzleActiveX.cab?refid=1123O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cabO16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cabO16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cabO16 - DPF: {C5E28B9D-0A68-4B50-94E9-E8F6B4697514} (NsvPlayX Control) - http://www.nullsoft.com/nsv/embed/nsvplayx_vp3_mp3.cabO17 - HKLM\System\CCS\Services\Tcpip\..\{E8B0C65E-2A48-4377-B274-055879A7829E}: NameServer = 192.231.203.132,192.231.203.3O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exeO23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\nveockqf.exe (file missing)O23 - Service: Eset HTTP Server (EhttpSrv) - Unknown owner - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exeO23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exeO23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exeO23 - Service: MSSQL$SONY_MEDIAMGR - Unknown owner - C:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlservr.exe (file missing)O23 - Service: NMSAccess - Unknown owner - C:\Program Files\Cheetah Burner\Cheetah DVD Burner\NMSAccess.exeO23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exeO23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exeO23 - Service: SQLAgent$SONY_MEDIAMGR - Unknown owner - C:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlagent.EXE (file missing)--End of file - 6364 bytesThanks Link to post Share on other sites More sharing options...
JeanInMontana Posted November 26, 2007 ID:10403 Share Posted November 26, 2007 Hi there. You didn't take action with AVG. Please scan again and make sure you remove what it finds. Post that log.Then follow these directions:Please download VundoFix.exeto your desktop. http://www.atribune.org/ccount/click.php?id=4 * Double-click VundoFix.exe to run it. * Click the Scan for Vundo button. * Once it's done scanning, click the Remove Vundo button. * You will receive a prompt asking if you want to remove the files, click YES * Once you click yes, your desktop will go blank as it starts removing Vundo. * When completed, it will prompt that it will reboot your computer, click OK. * Please post the contents of C:\vundofix.txt and a new HiJackThis log.Note: It is possible that VundoFix encountered a file it could not remove.In this case, VundoFix will run on reboot, simply follow the aboveinstructions starting from "Click the Scan for Vundo button." whenVundoFix appears at reboot.Post this log and run another scan with HJT and post that log. Link to post Share on other sites More sharing options...
rish Posted November 27, 2007 Author ID:10413 Share Posted November 27, 2007 Hey with the AVG i accidentally clicked ignore at first, though deleted them all right after.Here is the Vundo LogundoFix V6.6.2Checking Java version...Java version is 1.5.0.6Old versions of java are exploitable and should be removed.Java version is 1.5.0.8Old versions of java are exploitable and should be removed.Scan started at 1:41:13 PM 11/27/2007Listing files found while scanning....C:\WINDOWS\system32\atseobpa.dllC:\WINDOWS\system32\ifmihcph.dllC:\WINDOWS\system32\ijjlm.bak1C:\WINDOWS\system32\ijjlm.bak2C:\WINDOWS\system32\ijjlm.iniC:\WINDOWS\system32\ijjlm.ini2C:\WINDOWS\system32\ijjlm.tmpC:\WINDOWS\system32\jmlnibwm.dllC:\WINDOWS\system32\jvnyyulv.dllC:\WINDOWS\system32\lhbdokja.dllC:\WINDOWS\system32\mljji.dllC:\WINDOWS\system32\mukauxgp.dllC:\WINDOWS\system32\nnnopom.dllC:\WINDOWS\system32\okjqflkd.dllC:\WINDOWS\system32\oulgexio.dllC:\WINDOWS\system32\pfioojqk.dllC:\WINDOWS\system32\pscerkwi.dllC:\WINDOWS\system32\ycpohiaw.dllC:\WINDOWS\system32\ytsobkhr.dllBeginning removal... Attempting to delete C:\WINDOWS\system32\ijjlm.bak1C:\WINDOWS\system32\ijjlm.bak1 Has been deleted! Attempting to delete C:\WINDOWS\system32\ijjlm.bak2C:\WINDOWS\system32\ijjlm.bak2 Has been deleted! Attempting to delete C:\WINDOWS\system32\ijjlm.iniC:\WINDOWS\system32\ijjlm.ini Has been deleted! Attempting to delete C:\WINDOWS\system32\ijjlm.ini2C:\WINDOWS\system32\ijjlm.ini2 Has been deleted! Attempting to delete C:\WINDOWS\system32\ijjlm.tmpC:\WINDOWS\system32\ijjlm.tmp Has been deleted! Attempting to delete C:\WINDOWS\system32\mljji.dllC:\WINDOWS\system32\mljji.dll Has been deleted!Performing Repairs to the registry.Done!(my eset came up saying it had trouble deleting one, but nothing came up on the reboot)Here is the new HJT logLogfile of Trend Micro HijackThis v2.0.2Scan saved at 1:57:49 PM, on 11/27/2007Platform: Windows XP SP2 (WinNT 5.01.2600)MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)Boot mode: NormalRunning processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\system32\spoolsv.exeC:\WINDOWS\Explorer.EXEC:\Program Files\Java\jre1.6.0_02\bin\jusched.exeC:\WINDOWS\SOUNDMAN.EXEC:\Program Files\Microsoft Hardware\Mouse\point32.exeC:\Program Files\ESET\ESET NOD32 Antivirus\egui.exeC:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exeC:\Program Files\MSN Messenger\msnmsgr.exeC:\Program Files\Common Files\Teleca Shared\CapabilityManager.exeC:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exeC:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exeC:\Program Files\Cheetah Burner\Cheetah DVD Burner\NMSAccess.exeC:\WINDOWS\system32\nvsvc32.exeC:\WINDOWS\System32\svchost.exeC:\Program Files\MSN Messenger\usnsvc.exeC:\PROGRA~1\MOZILL~1\FIREFOX.EXEC:\WINDOWS\system32\NOTEPAD.EXEC:\Program Files\Trend Micro\HijackThis\HijackThis.exeR3 - URLSearchHook: (no name) - {132D477C-8AE0-AA33-98A8-F08AAFA0FB9E} - (no file)O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dllO2 - BHO: (no name) - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - (no file)O2 - BHO: (no name) - {5BDD2F7C-BBB7-CD39-C9CC-96FC58FFBBCD} - (no file)O2 - BHO: (no name) - {5FA68688-BE83-4914-BBDF-4DE55790F9D2} - (no file)O2 - BHO: (no name) - {70F7F936-ADDA-4515-9C34-0C86BAB34951} - C:\WINDOWS\system32\mljji.dll (file missing)O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dllO2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dllO4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXEO4 - HKLM\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\\nTune.exe" clearO4 - HKLM\..\Run: [POINTER] point32.exeO4 - HKLM\..\Run: [sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptionsO4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottimeO4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartupO4 - HKLM\..\Run: [nwiz] nwiz.exe /installO4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInitO4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -kO4 - HKLM\..\Run: [tool 01 warn info] C:\Documents and Settings\All Users\Application Data\bash army tool 01\File bleh.exeO4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitserviceO4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimizedO4 - HKCU\..\Run: [skip drive] C:\DOCUME~1\rishi\APPLIC~1\ACTIVE~1\16 COMP BOWS.exeO4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /backgroundO4 - HKCU\..\Policies\Explorer\Run: [{F8F29F58-07D9-1033-0623-050614200001}] C:\Program Files\Common Files\{F8F29F58-07D9-1033-0623-050614200001}\Update.exe mc-110-12-0001411O4 - HKUS\S-1-5-18\..\Policies\Explorer\Run: [{F8F29F58-0898-1033-0623-050614200001}] C:\Program Files\Common Files\{F8F29F58-0898-1033-0623-050614200001}\Update.exe mc-110-12-0001411 (User 'SYSTEM')O4 - HKUS\.DEFAULT\..\Policies\Explorer\Run: [{F8F29F58-0898-1033-0623-050614200001}] C:\Program Files\Common Files\{F8F29F58-0898-1033-0623-050614200001}\Update.exe mc-110-12-0001411 (User 'Default user')O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exeO8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htmO8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htmO8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE12\EXCEL.EXE/3000O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dllO9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dllO9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLLO16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cabO16 - DPF: {74CD40EA-EF77-4BAD-808A-B5982DA73F20} - http://yax-download.yazzle.net/YazzleActiveX.cab?refid=1123O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cabO16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cabO16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cabO16 - DPF: {C5E28B9D-0A68-4B50-94E9-E8F6B4697514} (NsvPlayX Control) - http://www.nullsoft.com/nsv/embed/nsvplayx_vp3_mp3.cabO17 - HKLM\System\CCS\Services\Tcpip\..\{E8B0C65E-2A48-4377-B274-055879A7829E}: NameServer = 192.231.203.132,192.231.203.3O20 - Winlogon Notify: nnnopom - C:\WINDOWS\O20 - Winlogon Notify: vtutqnn - C:\WINDOWS\O20 - Winlogon Notify: winvdb32 - winvdb32.dll (file missing)O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exeO23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\nveockqf.exe (file missing)O23 - Service: Eset HTTP Server (EhttpSrv) - Unknown owner - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exeO23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exeO23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exeO23 - Service: MSSQL$SONY_MEDIAMGR - Unknown owner - C:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlservr.exe (file missing)O23 - Service: NMSAccess - Unknown owner - C:\Program Files\Cheetah Burner\Cheetah DVD Burner\NMSAccess.exeO23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exeO23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exeO23 - Service: SQLAgent$SONY_MEDIAMGR - Unknown owner - C:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlagent.EXE (file missing)--End of file - 7197 bytesThanks for the help, i really appreciate it Link to post Share on other sites More sharing options...
JeanInMontana Posted November 27, 2007 ID:10425 Share Posted November 27, 2007 We made some progress, still more work to do. I need to see all logs after any action requested has been done. That is how I see what was removed and what is left to do.Please scan this file C:\Documents and Settings\All Users\Application Data\bash army tool 01\File bleh.exe at Virustotal.com and post the results of that scan.Run HJT again and put a check next to everything below and click fix.R3 - URLSearchHook: (no name) - {132D477C-8AE0-AA33-98A8-F08AAFA0FB9E} - (no file)O2 - BHO: (no name) - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - (no file)O2 - BHO: (no name) - {5BDD2F7C-BBB7-CD39-C9CC-96FC58FFBBCD} - (no file)O2 - BHO: (no name) - {5FA68688-BE83-4914-BBDF-4DE55790F9D2} - (no file)O2 - BHO: (no name) - {70F7F936-ADDA-4515-9C34-0C86BAB34951} - C:\WINDOWS\system32\mljji.dll (file missing)O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /backgroundO4 - HKCU\..\Policies\Explorer\Run: [{F8F29F58-07D9-1033-0623-050614200001}] C:\Program Files\Common Files\{F8F29F58-07D9-1033-0623-050614200001}\Update.exe mc-110-12-0001411O4 - HKUS\S-1-5-18\..\Policies\Explorer\Run: [{F8F29F58-0898-1033-0623-050614200001}] C:\Program Files\Common Files\{F8F29F58-0898-1033-0623-050614200001}\Update.exe mc-110-12-0001411 (User 'SYSTEM')O4 - HKUS\.DEFAULT\..\Policies\Explorer\Run: [{F8F29F58-0898-1033-0623-050614200001}] C:\Program Files\Common Files\{F8F29F58-0898-1033-0623-050614200001}\Update.exe mc-110-12-0001411 (User 'Default user')O20 - Winlogon Notify: nnnopom - C:\WINDOWS\O20 - Winlogon Notify: vtutqnn - C:\WINDOWS\O20 - Winlogon Notify: winvdb32 - winvdb32.dll (file missing)Then get this and follow directions carefullyPrint or Copy these instructions to notepad and save to your Desktoop as you will be offline with all browsers closed for this fix. Download: Use this URL to download the latest version (the file contains both English and French versions): http://siri.urz.free.fr/Fix/SmitfraudFix.exe * Double-click SmitfraudFix.exe * Select 1 and hit Enter to create a report of the infected files. The report can be found at the root of the system drive, usually at C:\rapport.txt Clean: * Reboot your computer in Safe Mode (before the Windows icon appears, tap the F8 key continually) * Double-click SmitfraudFix.exe * Select 2 and hit Enter to delete infect files. * You will be prompted: Do you want to clean the registry ? answer Y (yes) and hit Enter in order to remove the Desktop background and clean registry keys associated with the infection. * The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found): Replace infected file ? answer Y (yes) and hit Enter to restore a clean file. * A reboot may be needed to finish the cleaning process. The report can be found at the root of the system drive, usually at C:\rapport.txt * Optional: o To restore Trusted and Restricted site zone, select 3 and hit Enter. o You will be prompted: Restore Trusted Zone ? answer Y (yes) and hit Enter to delete trusted zone.Note: process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool". It is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user. http://www.beyondlogic.org/consulting/proc...processutil.htm Post this log and a new HJT too. Link to post Share on other sites More sharing options...
rish Posted November 27, 2007 Author ID:10427 Share Posted November 27, 2007 Hey i couldn't find any files within that folder, and yeah ive got detect hidden files. I checked and fixed those in the HJT logand did the smitfraud fix, here is the log after cleaning infected files in safe mode SmitFraudFix v2.256Scan done at 2:52:23.03, Wed 11/28/2007Run from C:\Documents and Settings\rishi\Desktop\SmitfraudFixOS: Microsoft Windows XP [Version 5.1.2600] - Windows_NTThe filesystem type is NTFSFix run in safe mode Link to post Share on other sites More sharing options...
JeanInMontana Posted November 28, 2007 ID:10433 Share Posted November 28, 2007 OK still work to do. Run HJT and put a check next to these and fix.O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -kO4 - HKCU\..\Run: [skip drive] C:\DOCUME~1\rishi\APPLIC~1\ACTIVE~1\16 COMP BOWS.exeO4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /backgroundO16 - DPF: {74CD40EA-EF77-4BAD-808A-B5982DA73F20} - http://yax-download.yazzle.net/YazzleActiveX.cab?refid=1123O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\nveockqf.exe (file missing)O23 - Service: MSSQL$SONY_MEDIAMGR - Unknown owner - C:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlservr.exe (file missing)O23 - Service: SQLAgent$SONY_MEDIAMGR - Unknown owner - C:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlagent.EXE (file missing)Get rid of anything you know that is associated with the Yazzle ActiveX install you did. I suggest you get rid of FlashGet also. Your Adobe Reader and Java are both outdated and a security risk...please update both. You need to uninstallJava via Add/Remove programs and delete the program file also. Then go here http://www.java.com/en/download/manual.jsp and install the correct version for your system. Choose the offline installation. Adobe is via the program I think or a Google search, the current version is 8. I'm still suspicious so lets run this.1. Download this file :http://www.techsupportforum.com/sectools/combofix.exe2. Double click combofix.exe & follow the prompts.3. When finished, it shall produce a log for you. Post that log and a HiJack log in your next replyNote:Do not mouseclick combofix's window while its running. That may cause it to stall Link to post Share on other sites More sharing options...
rish Posted November 28, 2007 Author ID:10442 Share Posted November 28, 2007 Ok i updated java and adobe, but i actually use flashget alot. Anyways here are the logsNew HJTLogfile of Trend Micro HijackThis v2.0.2Scan saved at 1:04:57 PM, on 11/28/2007Platform: Windows XP SP2 (WinNT 5.01.2600)MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)Boot mode: NormalRunning processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\system32\spoolsv.exeC:\WINDOWS\Explorer.EXEC:\WINDOWS\SOUNDMAN.EXEC:\Program Files\Microsoft Hardware\Mouse\point32.exeC:\Program Files\Common Files\Teleca Shared\CapabilityManager.exeC:\Program Files\ESET\ESET NOD32 Antivirus\egui.exeC:\Program Files\Java\jre1.6.0_03\bin\jusched.exeC:\Program Files\MSN Messenger\msnmsgr.exeC:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exeC:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exeC:\Program Files\Cheetah Burner\Cheetah DVD Burner\NMSAccess.exeC:\WINDOWS\system32\nvsvc32.exeC:\WINDOWS\System32\svchost.exeC:\Program Files\MSN Messenger\usnsvc.exeC:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Trend Micro\HijackThis\HijackThis.exeO2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dllO2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dllO3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dllO4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXEO4 - HKLM\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\\nTune.exe" clearO4 - HKLM\..\Run: [POINTER] point32.exeO4 - HKLM\..\Run: [sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptionsO4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottimeO4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartupO4 - HKLM\..\Run: [nwiz] nwiz.exe /installO4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInitO4 - HKLM\..\Run: [tool 01 warn info] C:\Documents and Settings\All Users\Application Data\bash army tool 01\File bleh.exeO4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitserviceO4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /backgroundO4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exeO8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htmO8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htmO8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE12\EXCEL.EXE/3000O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dllO9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dllO9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLLO16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cabO16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cabO16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cabO16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cabO16 - DPF: {C5E28B9D-0A68-4B50-94E9-E8F6B4697514} (NsvPlayX Control) - http://www.nullsoft.com/nsv/embed/nsvplayx_vp3_mp3.cabO17 - HKLM\System\CCS\Services\Tcpip\..\{E8B0C65E-2A48-4377-B274-055879A7829E}: NameServer = 192.231.203.132,192.231.203.3O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exeO23 - Service: Eset HTTP Server (EhttpSrv) - Unknown owner - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exeO23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exeO23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exeO23 - Service: NMSAccess - Unknown owner - C:\Program Files\Cheetah Burner\Cheetah DVD Burner\NMSAccess.exeO23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exeO23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe--End of file - 5095 bytesAnd the Cumbofix logComboFix 07-11-19.4 - rishi 2007-11-28 12:55:45.1 - NTFSx86Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.604 [GMT 10.5:30]Running from: C:\Documents and Settings\rishi\Desktop\ComboFix(2).exe * Created a new restore point.((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))).C:\Program Files\Common Files\{38F29~1C:\Program Files\Common Files\{38F29~2C:\Program Files\Common Files\{F8F29~1C:\Program Files\Common Files\{F8F29~2C:\Program Files\Common Files\icroso~1C:\Program Files\Common Files\sstem~1C:\Program Files\crosof~1C:\Program Files\download pluginC:\Program Files\download plugin\DlPlugin-Moz\buddy.datC:\Program Files\download plugin\DlPlugin-Moz\vendor.txtC:\Program Files\outlookC:\Program Files\vsadd-inC:\WINDOWS\cookies.iniC:\WINDOWS\dobe~1C:\WINDOWS\system32\_000005_.tmp.dll.((((((((((((((((((((((((((((((((((((((( Drivers/Services ))))))))))))))))))))))))))))))))))))))))))))))))).-------\LEGACY_DOMAINSERVICE-------\DomainService((((((((((((((((((((((((( Files Created from 2007-10-28 to 2007-11-28 ))))))))))))))))))))))))))))))).2007-11-28 12:48 <DIR> d-------- C:\Program Files\Common Files\Java2007-11-28 12:48 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl2007-11-28 02:39 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe2007-11-28 02:39 53,248 --a------ C:\WINDOWS\system32\Process.exe2007-11-28 02:39 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe2007-11-27 13:41 <DIR> d-------- C:\VundoFix Backups2007-11-25 16:28 <DIR> d-------- C:\Documents and Settings\rishi\Application Data\Grisoft2007-11-25 13:30 8,704 --a------ C:\WINDOWS\system32\pfdnnt.exe2007-11-25 13:18 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft2007-11-25 13:18 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys2007-11-25 13:13 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avg72007-11-25 13:06 <DIR> d-------- C:\Program Files\Trend Micro2007-11-25 12:57 <DIR> d-------- C:\WINDOWS\system32\ActiveScan2007-11-25 12:57 30,590 --a------ C:\WINDOWS\system32\pavas.ico2007-11-19 00:01 <DIR> d-------- C:\Documents and Settings\rishi\Application Data\ESET2007-11-18 23:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ESET2007-11-18 15:02 <DIR> d-------- C:\Program Files\Ventrilo2007-11-18 15:02 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard2007-11-08 17:43 <DIR> d-------- C:\Program Files\Activeflagtons2007-10-28 21:05 <DIR> d-------- C:\Program Files\Common Files\NSV.(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))).2007-11-28 02:18 --------- d-----w C:\Program Files\Java2007-11-27 16:26 --------- d-----w C:\Program Files\Steam2007-11-27 14:39 --------- d-----w C:\Documents and Settings\rishi\Application Data\Azureus2007-11-27 13:45 --------- d-----w C:\Program Files\FlashGet2007-11-27 09:14 --------- d-----w C:\Program Files\mIRC2007-11-27 03:40 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy2007-11-26 07:16 --------- d-----w C:\Program Files\HLSW2007-11-25 04:08 --------- d-----w C:\Program Files\MSN Messenger2007-11-18 13:28 --------- d-----w C:\Documents and Settings\rishi\Application Data\Activeflagtons2007-11-18 13:27 --------- d-----w C:\Documents and Settings\All Users\Application Data\bash army tool 012007-11-08 09:45 --------- d-----w C:\Program Files\TVUPlayer2007-10-24 22:57 53,768 ----a-w C:\WINDOWS\system32\drivers\epfwtdi.sys2007-10-24 22:57 50,696 ----a-w C:\WINDOWS\system32\drivers\epfw.sys2007-10-24 22:57 30,728 ----a-w C:\WINDOWS\system32\drivers\epfwndis.sys2007-10-24 22:55 33,800 ----a-w C:\WINDOWS\system32\drivers\eamon.sys2007-10-24 22:55 27,144 ----a-w C:\WINDOWS\system32\drivers\easdrv.sys2007-10-21 09:22 --------- d-----w C:\Program Files\Common Files\AVSMedia2007-10-21 09:22 --------- d-----w C:\Documents and Settings\rishi\Application Data\AVSMedia2007-10-21 09:22 --------- d-----w C:\Documents and Settings\All Users\Application Data\AVS4YOU2007-10-21 09:21 --------- d-----w C:\Program Files\AVSMedia2007-10-21 09:20 --------- d-----w C:\Program Files\Common Files\Download Manager2007-10-18 10:52 --------- d-----w C:\Program Files\Azureus2007-10-08 02:50 --------- d-----w C:\Program Files\Mediafour2006-12-09 11:27 1,568 ----a-w C:\Documents and Settings\rishi\Application Data\mpauth.dat2006-03-12 06:49 8 ----a-w C:\Documents and Settings\rishi\Application Data\usb.dat.bin2005-05-13 07:42 217,073 --sha-r C:\WINDOWS\meta4.exe2005-10-24 01:43 66,560 --sha-r C:\WINDOWS\MOTA113.exe2005-10-13 11:57 422,400 --sha-r C:\WINDOWS\x2.64.exe2005-10-07 09:44 308,224 --sha-r C:\WINDOWS\system32\avisynth.dll2005-07-14 03:01 27,648 --sha-r C:\WINDOWS\system32\AVSredirect.dll2005-06-26 06:02 616,448 --sha-r C:\WINDOWS\system32\cygwin1.dll2005-06-21 13:07 45,568 --sha-r C:\WINDOWS\system32\cygz.dll2004-01-24 14:30 70,656 --sha-r C:\WINDOWS\system32\i420vfw.dll2006-04-27 00:54 2,945,024 --sha-r C:\WINDOWS\system32\Smab.dll2005-02-28 03:46 240,128 --sha-r C:\WINDOWS\system32\x.264.exe2004-01-24 14:30 70,656 --sha-r C:\WINDOWS\system32\yv12vfw.dll.((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))..*Note* empty entries & legit default entries are not shown [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-01-19 13:54][HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]"NVMixerTray"="C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe" [2004-10-07 17:53]"SoundMan"="SOUNDMAN.EXE" [2005-01-12 10:01 C:\WINDOWS\soundman.exe]"NVIDIA nTune"="C:\Program Files\NVIDIA Corporation\nTune\\nTune.exe" [2004-11-18 07:33]"POINTER"="point32.exe" []"Sony Ericsson PC Suite"="C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2005-10-26 18:17]"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-09-01 15:57]"NvCplDaemon"="RUNDLL32.exe" [2004-08-03 23:56 C:\WINDOWS\system32\rundll32.exe]"nwiz"="nwiz.exe" [2007-04-19 14:26 C:\WINDOWS\system32\nwiz.exe]"NvMediaCenter"="RunDLL32.exe" [2004-08-03 23:56 C:\WINDOWS\system32\rundll32.exe]"tool 01 warn info"="C:\Documents and Settings\All Users\Application Data\bash army tool 01\File bleh.exe" []"egui"="C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" [2007-10-25 09:26]"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11][HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]"UIHost"="LogonUI.EXE"[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^rishi^Start Menu^Programs^Startup^Yahoo! Widget Engine.lnk]backup=C:\WINDOWS\pss\Yahoo! Widget Engine.lnkStartuppath=C:\Documents and Settings\rishi\Start Menu\Programs\Startup\Yahoo! Widget Engine.lnk[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MDDiskProtect.exe] C:\Program Files\Mediafour\MacDrive\MDDiskProtect.exe[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Mediafour Mac Volume Notifications] C:\Program Files\Common Files\Mediafour\MACVNTFY.EXE /auto[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Mediafour XPlay Tray Notification Icon] C:\Program Files\Mediafour\XPlay\XPTRYICN.EXER1 cpuidlep;CpuIdle Pro System Driver;C:\WINDOWS\system32\drivers\cpuidlep.sysR1 easdrv;easdrv;C:\WINDOWS\system32\DRIVERS\easdrv.sysR1 epfwtdi;epfwtdi;C:\WINDOWS\system32\DRIVERS\epfwtdi.sysR1 SysTool;SysTool Overclocking Utility;C:\WINDOWS\system32\DRIVERS\SysTool.sysR2 eamon;EAMON;C:\WINDOWS\system32\DRIVERS\eamon.sysR2 ekrn;Eset Service;"C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe"R2 epfw;epfw;C:\WINDOWS\system32\DRIVERS\epfw.sysR3 Epfwndis;Eset Personal Firewall;C:\WINDOWS\system32\DRIVERS\Epfwndis.sysS3 EhttpSrv;Eset HTTP Server;"C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe"S3 NPF;NetGroup Packet Filter Driver;C:\WINDOWS\system32\drivers\npf.sys[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]\Shell\AutoRun\command - F:\setup\rsrc\autorun.exe\Shell\dinstall\command - F:\Directx\dxsetup.exe[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d4033fc2-7069-11d9-9ad7-806d6172696f}]\Shell\AutoRun\command - D:\SETUP.EXE /UPDATE.Contents of the 'Scheduled Tasks' folder"2007-11-28 02:30:13 C:\WINDOWS\Tasks\AA37107B9184857F.job"- c:\docume~1\rishi\applic~1\active~1\CityBaitCast.exe.**************************************************************************catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.netRootkit scan 2007-11-28 12:59:47Windows 5.1.2600 Service Pack 2 NTFSscanning hidden processes ... scanning hidden autostart entries ...scanning hidden files ... scan completed successfully hidden files: 0 **************************************************************************.Completion time: 2007-11-28 13:01:21 - machine was rebooted. --- E O F ---Thanks Link to post Share on other sites More sharing options...
JeanInMontana Posted November 28, 2007 ID:10462 Share Posted November 28, 2007 Adobe is still outdated according to your HJT log, and that should be posted last. I need to see that log after what ever other fix is done. You most likely got in them mess from using Flashget or Azerous. Flashget is known to install adware when you install it. I see that one file is still in the HJT but I dont know when you ran that scan. If the times are correct it was after the CF so you still have a bad filePlease do this:Author: Option^Explicit Download LocationLicense: Freeware KillBox Download Link http://download.bleepingcomputer.com/spyware/KillBox.exeOperating System: WindowsFile Description:Pocket KillBox is a program that can be used to get rid of files that stubbornly refuse to allow you to delete them.Usage Information:Download this file and run the killbox.exe file. When it loads type the full path to the file you would like to delete in the field and press the Delete File button (looks like a red circle with a white X). It will prompt you to reboot, allow it to do so, and hopefully your file will now be deleted. Put this file name in C:\Documents and Settings\All Users\Application Data\bash army tool 01\File bleh.exeAlso put a check next to these in HJT:O4 - HKLM\..\Run: [tool 01 warn info] C:\Documents and Settings\All Users\Application Data\bash army tool 01\File bleh.exeO4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /backgroundReboot and post a new log. Link to post Share on other sites More sharing options...
JeanInMontana Posted December 13, 2007 ID:10887 Share Posted December 13, 2007 Due to lack of response I will close this topic. Note: the fixes in this topic are for this system only. Applying them to your system can cause severe damage and result in utter system failure. If you need help start your own topic. Link to post Share on other sites More sharing options...
Recommended Posts