
Need Help Please


rish


My computer has been infected for some time now, and I've been living with pop-ups and so on. However, I recently downloaded NOD32 and it has helped considerably, though there are some things it can't seem to fix.

This comes up a lot:

Adware.Virtumonde application

This I see in the NOD32 logs a lot:

Adware.Ezula application

and this came up in the startup scanner and could not be deleted:

Obfucated.A1 virus

So could anyone please help me get rid of these final viruses so my computer can be clean once again, thanks.

Thanks


Hi there Rishi, and welcome to Malwarebytes. Please delete the version of HiJack This you have now and use the one posted below in my instruction.

If you haven't already, please get these programs, update and run a complete scan removing all items found.

Spybot Search & Destroy Be sure to use the immunize feature. But do not enable TeaTimer at this time. Use the tutorial feature in the help tab to see how to go about this.

AVG AntiSpyware Be sure to "take action"

Then go here and run a scan: Panda ActiveScan. There is a full tutorial on how to do this at the top of this forum.

Post the logs from the Panda and AVG scans please, along with a log from this program HiJack This!

You will post three logs. 1. AVG scan. 2. Panda Active Scan. 3. HiJack This scan. You will finish the AVG first so go ahead and post that log, then move on to Panda and so forth.

I will analyze the logs and give you further instructions. Be patient and persistent. These things can take time and many procedures.


OK, thanks for the help. I'm willing to do anything to get it completely fixed. Here are the three logs.

Firstly, the AVG scan:

---------------------------------------------------------

AVG Anti-Spyware - Scan Report

---------------------------------------------------------

+ Created at: 7:42:48 PM 11/25/2007

+ Scan result:

HKU\S-1-5-21-1960408961-789336058-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{5929CD6E-2062-44A4-B2C5-2C7E78FBAB38} -> Adware.Generic : Ignored.

[1332] C:\WINDOWS\system32\mljji.dll -> Adware.Virtumonde : Ignored.

[1376] C:\WINDOWS\system32\mljji.dll -> Adware.Virtumonde : Ignored.

:mozilla.111:C:\Documents and Settings\rishi\Application Data\Mozilla\Firefox\Profiles\m48wcaui.default\cookies.txt -> TrackingCookie.247realmedia : Ignored.

:mozilla.30:C:\Documents and Settings\rishi\Application Data\Mozilla\Firefox\Profiles\m48wcaui.default\cookies.txt -> TrackingCookie.2o7 : Ignored.

:mozilla.32:C:\Documents and Settings\rishi\Application Data\Mozilla\Firefox\Profiles\m48wcaui.default\cookies.txt -> TrackingCookie.2o7 : Ignored.

:mozilla.86:C:\Documents and Settings\rishi\Application Data\Mozilla\Firefox\Profiles\m48wcaui.default\cookies.txt -> TrackingCookie.2o7 : Ignored.

C:\Documents and Settings\rishi\Cookies\rishi@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : Ignored.

C:\Documents and Settings\rishi\Cookies\rishi@pandasoftware.112.2o7[1].txt -> TrackingCookie.2o7 : Ignored.

:mozilla.36:C:\Documents and Settings\rishi\Application Data\Mozilla\Firefox\Profiles\m48wcaui.default\cookies.txt -> TrackingCookie.Adtech : Ignored.

:mozilla.6:C:\Documents and Settings\rishi\Application Data\Mozilla\Firefox\Profiles\m48wcaui.default\cookies.txt -> TrackingCookie.Atdmt : Ignored.

C:\Documents and Settings\rishi\Cookies\rishi@atdmt[2].txt -> TrackingCookie.Atdmt : Ignored.

:mozilla.42:C:\Documents and Settings\rishi\Application Data\Mozilla\Firefox\Profiles\m48wcaui.default\cookies.txt -> TrackingCookie.Connextra : Ignored.

:mozilla.43:C:\Documents and Settings\rishi\Application Data\Mozilla\Firefox\Profiles\m48wcaui.default\cookies.txt -> TrackingCookie.Connextra : Ignored.

:mozilla.41:C:\Documents and Settings\rishi\Application Data\Mozilla\Firefox\Profiles\m48wcaui.default\cookies.txt -> TrackingCookie.Doubleclick : Ignored.

C:\Documents and Settings\rishi\Cookies\rishi@doubleclick[1].txt -> TrackingCookie.Doubleclick : Ignored.

:mozilla.50:C:\Documents and Settings\rishi\Application Data\Mozilla\Firefox\Profiles\m48wcaui.default\cookies.txt -> TrackingCookie.Hitbox : Ignored.

:mozilla.51:C:\Documents and Settings\rishi\Application Data\Mozilla\Firefox\Profiles\m48wcaui.default\cookies.txt -> TrackingCookie.Hitbox : Ignored.

:mozilla.52:C:\Documents and Settings\rishi\Application Data\Mozilla\Firefox\Profiles\m48wcaui.default\cookies.txt -> TrackingCookie.Hitbox : Ignored.

C:\Documents and Settings\rishi\Cookies\rishi@hitbox[1].txt -> TrackingCookie.Hitbox : Ignored.

:mozilla.33:C:\Documents and Settings\rishi\Application Data\Mozilla\Firefox\Profiles\m48wcaui.default\cookies.txt -> TrackingCookie.Imrworldwide : Ignored.

:mozilla.35:C:\Documents and Settings\rishi\Application Data\Mozilla\Firefox\Profiles\m48wcaui.default\cookies.txt -> TrackingCookie.Imrworldwide : Ignored.

:mozilla.120:C:\Documents and Settings\rishi\Application Data\Mozilla\Firefox\Profiles\m48wcaui.default\cookies.txt -> TrackingCookie.Intelli-direct : Ignored.

:mozilla.125:C:\Documents and Settings\rishi\Application Data\Mozilla\Firefox\Profiles\m48wcaui.default\cookies.txt -> TrackingCookie.Mediaplex : Ignored.

C:\Documents and Settings\rishi\Cookies\rishi@mediaplex[1].txt -> TrackingCookie.Mediaplex : Ignored.

:mozilla.81:C:\Documents and Settings\rishi\Application Data\Mozilla\Firefox\Profiles\m48wcaui.default\cookies.txt -> TrackingCookie.Netflame : Ignored.

:mozilla.141:C:\Documents and Settings\rishi\Application Data\Mozilla\Firefox\Profiles\m48wcaui.default\cookies.txt -> TrackingCookie.Pointroll : Ignored.

:mozilla.142:C:\Documents and Settings\rishi\Application Data\Mozilla\Firefox\Profiles\m48wcaui.default\cookies.txt -> TrackingCookie.Pointroll : Ignored.

:mozilla.143:C:\Documents and Settings\rishi\Application Data\Mozilla\Firefox\Profiles\m48wcaui.default\cookies.txt -> TrackingCookie.Pointroll : Ignored.

:mozilla.144:C:\Documents and Settings\rishi\Application Data\Mozilla\Firefox\Profiles\m48wcaui.default\cookies.txt -> TrackingCookie.Pointroll : Ignored.

:mozilla.145:C:\Documents and Settings\rishi\Application Data\Mozilla\Firefox\Profiles\m48wcaui.default\cookies.txt -> TrackingCookie.Pointroll : Ignored.

:mozilla.146:C:\Documents and Settings\rishi\Application Data\Mozilla\Firefox\Profiles\m48wcaui.default\cookies.txt -> TrackingCookie.Pointroll : Ignored.

:mozilla.147:C:\Documents and Settings\rishi\Application Data\Mozilla\Firefox\Profiles\m48wcaui.default\cookies.txt -> TrackingCookie.Pointroll : Ignored.

:mozilla.148:C:\Documents and Settings\rishi\Application Data\Mozilla\Firefox\Profiles\m48wcaui.default\cookies.txt -> TrackingCookie.Pointroll : Ignored.

:mozilla.149:C:\Documents and Settings\rishi\Application Data\Mozilla\Firefox\Profiles\m48wcaui.default\cookies.txt -> TrackingCookie.Pointroll : Ignored.

:mozilla.113:C:\Documents and Settings\rishi\Application Data\Mozilla\Firefox\Profiles\m48wcaui.default\cookies.txt -> TrackingCookie.Revsci : Ignored.

:mozilla.114:C:\Documents and Settings\rishi\Application Data\Mozilla\Firefox\Profiles\m48wcaui.default\cookies.txt -> TrackingCookie.Revsci : Ignored.

:mozilla.116:C:\Documents and Settings\rishi\Application Data\Mozilla\Firefox\Profiles\m48wcaui.default\cookies.txt -> TrackingCookie.Revsci : Ignored.

:mozilla.117:C:\Documents and Settings\rishi\Application Data\Mozilla\Firefox\Profiles\m48wcaui.default\cookies.txt -> TrackingCookie.Revsci : Ignored.

:mozilla.67:C:\Documents and Settings\rishi\Application Data\Mozilla\Firefox\Profiles\m48wcaui.default\cookies.txt -> TrackingCookie.Serving-sys : Ignored.

:mozilla.68:C:\Documents and Settings\rishi\Application Data\Mozilla\Firefox\Profiles\m48wcaui.default\cookies.txt -> TrackingCookie.Serving-sys : Ignored.

:mozilla.69:C:\Documents and Settings\rishi\Application Data\Mozilla\Firefox\Profiles\m48wcaui.default\cookies.txt -> TrackingCookie.Serving-sys : Ignored.

:mozilla.70:C:\Documents and Settings\rishi\Application Data\Mozilla\Firefox\Profiles\m48wcaui.default\cookies.txt -> TrackingCookie.Serving-sys : Ignored.

:mozilla.71:C:\Documents and Settings\rishi\Application Data\Mozilla\Firefox\Profiles\m48wcaui.default\cookies.txt -> TrackingCookie.Serving-sys : Ignored.

:mozilla.72:C:\Documents and Settings\rishi\Application Data\Mozilla\Firefox\Profiles\m48wcaui.default\cookies.txt -> TrackingCookie.Serving-sys : Ignored.

:mozilla.73:C:\Documents and Settings\rishi\Application Data\Mozilla\Firefox\Profiles\m48wcaui.default\cookies.txt -> TrackingCookie.Serving-sys : Ignored.

C:\Documents and Settings\rishi\Cookies\rishi@bs.serving-sys[2].txt -> TrackingCookie.Serving-sys : Ignored.

C:\Documents and Settings\rishi\Cookies\rishi@serving-sys[1].txt -> TrackingCookie.Serving-sys : Ignored.

:mozilla.17:C:\Documents and Settings\rishi\Application Data\Mozilla\Firefox\Profiles\m48wcaui.default\cookies.txt -> TrackingCookie.Statcounter : Ignored.

:mozilla.12:C:\Documents and Settings\rishi\Application Data\Mozilla\Firefox\Profiles\m48wcaui.default\cookies.txt -> TrackingCookie.Yieldmanager : Ignored.

:mozilla.13:C:\Documents and Settings\rishi\Application Data\Mozilla\Firefox\Profiles\m48wcaui.default\cookies.txt -> TrackingCookie.Yieldmanager : Ignored.

:mozilla.14:C:\Documents and Settings\rishi\Application Data\Mozilla\Firefox\Profiles\m48wcaui.default\cookies.txt -> TrackingCookie.Yieldmanager : Ignored.

:mozilla.15:C:\Documents and Settings\rishi\Application Data\Mozilla\Firefox\Profiles\m48wcaui.default\cookies.txt -> TrackingCookie.Yieldmanager : Ignored.

:mozilla.16:C:\Documents and Settings\rishi\Application Data\Mozilla\Firefox\Profiles\m48wcaui.default\cookies.txt -> TrackingCookie.Yieldmanager : Ignored.

:mozilla.7:C:\Documents and Settings\rishi\Application Data\Mozilla\Firefox\Profiles\m48wcaui.default\cookies.txt -> TrackingCookie.Yieldmanager : Ignored.

:mozilla.9:C:\Documents and Settings\rishi\Application Data\Mozilla\Firefox\Profiles\m48wcaui.default\cookies.txt -> TrackingCookie.Yieldmanager : Ignored.

C:\WINDOWS\system32\wnscpsv.exe -> Trojan.Small : Ignored.

(I deleted them all after.)

::Report end

Panda ActiveScan:

Incident Status Location

Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\nnnopom.dll

Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\mljji.dll

Adware:adware/ist.istbar Not disinfected Windows Registry

Adware:adware/yazzle Not disinfected Windows Registry

Adware:adware/seekmo Not disinfected Windows Registry

Spyware:Cookie/Adtech Not disinfected C:\Documents and Settings\rishi\Application Data\Mozilla\Firefox\Profiles\m48wcaui.default\cookies.txt[.adtech.de/]

Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\rishi\Application Data\Mozilla\Firefox\Profiles\m48wcaui.default\cookies.txt[.doubleclick.net/]

Spyware:Cookie/Go Not disinfected C:\Documents and Settings\rishi\Application Data\Mozilla\Firefox\Profiles\m48wcaui.default\cookies.txt[.go.com/]

Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\rishi\Application Data\Mozilla\Firefox\Profiles\m48wcaui.default\cookies.txt[.atdmt.com/]

Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\rishi\Application Data\Mozilla\Firefox\Profiles\m48wcaui.default\cookies.txt[ad.yieldmanager.com/]

Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\rishi\Application Data\Mozilla\Firefox\Profiles\m48wcaui.default\cookies.txt[.247realmedia.com/]

Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\rishi\Application Data\Mozilla\Firefox\Profiles\m48wcaui.default\cookies.txt[.serving-sys.com/]

Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\rishi\Application Data\Mozilla\Firefox\Profiles\m48wcaui.default\cookies.txt[.bs.serving-sys.com/]

Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\rishi\Application Data\Mozilla\Firefox\Profiles\m48wcaui.default\cookies.txt[.serving-sys.com/]

Spyware:Cookie/NewMedia Not disinfected C:\Documents and Settings\rishi\Application Data\Mozilla\Firefox\Profiles\m48wcaui.default\cookies.txt[.anm.co.uk/]

Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\rishi\Application Data\Mozilla\Firefox\Profiles\m48wcaui.default\cookies.txt[.mediaplex.com/]

Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\rishi\Application Data\Mozilla\Firefox\Profiles\m48wcaui.default\cookies.txt[.ads.pointroll.com/]

Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\rishi\Cookies\rishi@atdmt[2].txt

Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\rishi\Cookies\rishi@bs.serving-sys[2].txt

Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\rishi\Cookies\rishi@doubleclick[1].txt

Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\rishi\Cookies\rishi@mediaplex[1].txt

Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\rishi\Cookies\rishi@serving-sys[1].txt

Adware:Adware/WinAntivirus2006 Not disinfected C:\Documents and Settings\rishi\Local Settings\Temp\aabsrcdf.dll

Virus:Trj/Downloader.OZB Disinfected C:\Documents and Settings\rishi\Local Settings\Temp\apypbrvj.exe

Adware:Adware/WinAntivirus2006 Not disinfected C:\Documents and Settings\rishi\Local Settings\Temp\cedpbsdh.dll

Adware:Adware/WinAntivirus2006 Not disinfected C:\Documents and Settings\rishi\Local Settings\Temp\ebpbuctp.dll

Adware:Adware/WinAntivirus2006 Not disinfected C:\Documents and Settings\rishi\Local Settings\Temp\godmdkfs.dll

Adware:Adware/WinAntivirus2006 Not disinfected C:\Documents and Settings\rishi\Local Settings\Temp\lyrnbnwx.dll

Adware:Adware/WinAntivirus2006 Not disinfected C:\Documents and Settings\rishi\Local Settings\Temp\qlwxgubs.dll

Adware:Adware/WinAntivirus2006 Not disinfected C:\Documents and Settings\rishi\Local Settings\Temp\sckonhgl.dll

Adware:Adware/WinAntivirus2006 Not disinfected C:\Documents and Settings\rishi\Local Settings\Temp\vdeaedkg.dll

Adware:Adware/WinAntivirus2006 Not disinfected C:\Documents and Settings\rishi\Local Settings\Temp\yxslmqgn.dll

Potentially unwanted tool:Application/MotherboardMonitor.A Not disinfected C:\Program Files\mIRC\script\dlls\moo.dll

Potentially unwanted tool:Application/VSToolbar Not disinfected C:\Program Files\VSAdd-in\VSAdd-in.dll

Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\aodoxblu.dll

Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\aoiqyloq.dll

Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\ardpqpjf.dll

Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\beguchqe.exe

Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\bvwpbcig.dll

Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\citsxlyr.dll

Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\cjwdqdha.dll

Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\dfuvqjqr.dll

Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\dlwifdsq.dll

Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\ebmtpunu.dll

Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\etrnagjr.exe

Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\fipotskv.dll

Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\fkfvreni.exe

Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\ftjtovlq.dll

Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\ftnyljfe.dll

Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\gbdubodg.dll

Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\ghqpuuhb.exe

Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\gibtppaq.exe

Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\gifgdfhy.dll

Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\glqfbmfo.dll

Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\hhsygnmk.dll

The new version of the HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 9:02:35 PM, on 11/25/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\Program Files\Microsoft Hardware\Mouse\point32.exe

C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe

C:\Program Files\MSN Messenger\msnmsgr.exe

C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe

C:\Program Files\Cheetah Burner\Cheetah DVD Burner\NMSAccess.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\MSN Messenger\usnsvc.exe

C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe

C:\Program Files\Steam\steam.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R3 - URLSearchHook: (no name) - {132D477C-8AE0-AA33-98A8-F08AAFA0FB9E} - (no file)

O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll

O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\\nTune.exe" clear

O4 - HKLM\..\Run: [POINTER] point32.exe

O4 - HKLM\..\Run: [sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [DllRunning] rundll32.exe "C:\WINDOWS\system32\mukauxgp.dll",setvm

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

O4 - HKLM\..\Run: [tool 01 warn info] C:\Documents and Settings\All Users\Application Data\bash army tool 01\File bleh.exe

O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice

O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized

O4 - HKCU\..\Run: [skip drive] C:\DOCUME~1\rishi\APPLIC~1\ACTIVE~1\16 COMP BOWS.exe

O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background

O4 - HKCU\..\Policies\Explorer\Run: [{F8F29F58-07D9-1033-0623-050614200001}] C:\Program Files\Common Files\{F8F29F58-07D9-1033-0623-050614200001}\Update.exe mc-110-12-0001411

O4 - HKUS\S-1-5-18\..\Policies\Explorer\Run: [{F8F29F58-0898-1033-0623-050614200001}] C:\Program Files\Common Files\{F8F29F58-0898-1033-0623-050614200001}\Update.exe mc-110-12-0001411 (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Policies\Explorer\Run: [{F8F29F58-0898-1033-0623-050614200001}] C:\Program Files\Common Files\{F8F29F58-0898-1033-0623-050614200001}\Update.exe mc-110-12-0001411 (User 'Default user')

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm

O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE12\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cab

O16 - DPF: {74CD40EA-EF77-4BAD-808A-B5982DA73F20} - http://yax-download.yazzle.net/YazzleActiveX.cab?refid=1123

O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab

O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab

O16 - DPF: {C5E28B9D-0A68-4B50-94E9-E8F6B4697514} (NsvPlayX Control) - http://www.nullsoft.com/nsv/embed/nsvplayx_vp3_mp3.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{E8B0C65E-2A48-4377-B274-055879A7829E}: NameServer = 192.231.203.132,192.231.203.3

O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\nveockqf.exe (file missing)

O23 - Service: Eset HTTP Server (EhttpSrv) - Unknown owner - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe

O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe

O23 - Service: MSSQL$SONY_MEDIAMGR - Unknown owner - C:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlservr.exe (file missing)

O23 - Service: NMSAccess - Unknown owner - C:\Program Files\Cheetah Burner\Cheetah DVD Burner\NMSAccess.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe

O23 - Service: SQLAgent$SONY_MEDIAMGR - Unknown owner - C:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlagent.EXE (file missing)

--

End of file - 6364 bytes

Thanks


Hi there. You didn't take action with AVG. Please scan again and make sure you remove what it finds. Post that log.

Then follow these directions:

Please download VundoFix.exe to your desktop: http://www.atribune.org/ccount/click.php?id=4

* Double-click VundoFix.exe to run it.

* Click the Scan for Vundo button.

* Once it's done scanning, click the Remove Vundo button.

* You will receive a prompt asking if you want to remove the files, click YES

* Once you click yes, your desktop will go blank as it starts removing Vundo.

* When completed, it will prompt that it will reboot your computer, click OK.

* Please post the contents of C:\vundofix.txt and a new HiJackThis log.

Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot; simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

Post this log and run another scan with HJT and post that log.


Hey, with the AVG I accidentally clicked ignore at first, though I deleted them all right after.

Here is the VundoFix log:

VundoFix V6.6.2

Checking Java version...

Java version is 1.5.0.6

Old versions of java are exploitable and should be removed.

Java version is 1.5.0.8

Old versions of java are exploitable and should be removed.

Scan started at 1:41:13 PM 11/27/2007

Listing files found while scanning....

C:\WINDOWS\system32\atseobpa.dll

C:\WINDOWS\system32\ifmihcph.dll

C:\WINDOWS\system32\ijjlm.bak1

C:\WINDOWS\system32\ijjlm.bak2

C:\WINDOWS\system32\ijjlm.ini

C:\WINDOWS\system32\ijjlm.ini2

C:\WINDOWS\system32\ijjlm.tmp

C:\WINDOWS\system32\jmlnibwm.dll

C:\WINDOWS\system32\jvnyyulv.dll

C:\WINDOWS\system32\lhbdokja.dll

C:\WINDOWS\system32\mljji.dll

C:\WINDOWS\system32\mukauxgp.dll

C:\WINDOWS\system32\nnnopom.dll

C:\WINDOWS\system32\okjqflkd.dll

C:\WINDOWS\system32\oulgexio.dll

C:\WINDOWS\system32\pfioojqk.dll

C:\WINDOWS\system32\pscerkwi.dll

C:\WINDOWS\system32\ycpohiaw.dll

C:\WINDOWS\system32\ytsobkhr.dll

Beginning removal...

Attempting to delete C:\WINDOWS\system32\ijjlm.bak1

C:\WINDOWS\system32\ijjlm.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system32\ijjlm.bak2

C:\WINDOWS\system32\ijjlm.bak2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\ijjlm.ini

C:\WINDOWS\system32\ijjlm.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\ijjlm.ini2

C:\WINDOWS\system32\ijjlm.ini2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\ijjlm.tmp

C:\WINDOWS\system32\ijjlm.tmp Has been deleted!

Attempting to delete C:\WINDOWS\system32\mljji.dll

C:\WINDOWS\system32\mljji.dll Has been deleted!

Performing Repairs to the registry.

Done!

(My ESET came up saying it had trouble deleting one, but nothing came up on the reboot.)

Here is the new HJT log:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 1:57:49 PM, on 11/27/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\Program Files\Microsoft Hardware\Mouse\point32.exe

C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe

C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe

C:\Program Files\MSN Messenger\msnmsgr.exe

C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe

C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe

C:\Program Files\Cheetah Burner\Cheetah DVD Burner\NMSAccess.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\MSN Messenger\usnsvc.exe

C:\PROGRA~1\MOZILL~1\FIREFOX.EXE

C:\WINDOWS\system32\NOTEPAD.EXE

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R3 - URLSearchHook: (no name) - {132D477C-8AE0-AA33-98A8-F08AAFA0FB9E} - (no file)

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - (no file)

O2 - BHO: (no name) - {5BDD2F7C-BBB7-CD39-C9CC-96FC58FFBBCD} - (no file)

O2 - BHO: (no name) - {5FA68688-BE83-4914-BBDF-4DE55790F9D2} - (no file)

O2 - BHO: (no name) - {70F7F936-ADDA-4515-9C34-0C86BAB34951} - C:\WINDOWS\system32\mljji.dll (file missing)

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll

O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\\nTune.exe" clear

O4 - HKLM\..\Run: [POINTER] point32.exe

O4 - HKLM\..\Run: [sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

O4 - HKLM\..\Run: [tool 01 warn info] C:\Documents and Settings\All Users\Application Data\bash army tool 01\File bleh.exe

O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice

O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized

O4 - HKCU\..\Run: [skip drive] C:\DOCUME~1\rishi\APPLIC~1\ACTIVE~1\16 COMP BOWS.exe

O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background

O4 - HKCU\..\Policies\Explorer\Run: [{F8F29F58-07D9-1033-0623-050614200001}] C:\Program Files\Common Files\{F8F29F58-07D9-1033-0623-050614200001}\Update.exe mc-110-12-0001411

O4 - HKUS\S-1-5-18\..\Policies\Explorer\Run: [{F8F29F58-0898-1033-0623-050614200001}] C:\Program Files\Common Files\{F8F29F58-0898-1033-0623-050614200001}\Update.exe mc-110-12-0001411 (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Policies\Explorer\Run: [{F8F29F58-0898-1033-0623-050614200001}] C:\Program Files\Common Files\{F8F29F58-0898-1033-0623-050614200001}\Update.exe mc-110-12-0001411 (User 'Default user')

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm

O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE12\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cab

O16 - DPF: {74CD40EA-EF77-4BAD-808A-B5982DA73F20} - http://yax-download.yazzle.net/YazzleActiveX.cab?refid=1123

O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab

O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab

O16 - DPF: {C5E28B9D-0A68-4B50-94E9-E8F6B4697514} (NsvPlayX Control) - http://www.nullsoft.com/nsv/embed/nsvplayx_vp3_mp3.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{E8B0C65E-2A48-4377-B274-055879A7829E}: NameServer = 192.231.203.132,192.231.203.3

O20 - Winlogon Notify: nnnopom - C:\WINDOWS\

O20 - Winlogon Notify: vtutqnn - C:\WINDOWS\

O20 - Winlogon Notify: winvdb32 - winvdb32.dll (file missing)

O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\nveockqf.exe (file missing)

O23 - Service: Eset HTTP Server (EhttpSrv) - Unknown owner - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe

O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe

O23 - Service: MSSQL$SONY_MEDIAMGR - Unknown owner - C:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlservr.exe (file missing)

O23 - Service: NMSAccess - Unknown owner - C:\Program Files\Cheetah Burner\Cheetah DVD Burner\NMSAccess.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe

O23 - Service: SQLAgent$SONY_MEDIAMGR - Unknown owner - C:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlagent.EXE (file missing)

--

End of file - 7197 bytes

Thanks for the help, I really appreciate it


We made some progress, still more work to do. I need to see all logs after any action requested has been done. That is how I see what was removed and what is left to do.

Please scan this file C:\Documents and Settings\All Users\Application Data\bash army tool 01\File bleh.exe at Virustotal.com and post the results of that scan.

Run HJT again and put a check next to everything below and click fix.

R3 - URLSearchHook: (no name) - {132D477C-8AE0-AA33-98A8-F08AAFA0FB9E} - (no file)

O2 - BHO: (no name) - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - (no file)

O2 - BHO: (no name) - {5BDD2F7C-BBB7-CD39-C9CC-96FC58FFBBCD} - (no file)

O2 - BHO: (no name) - {5FA68688-BE83-4914-BBDF-4DE55790F9D2} - (no file)

O2 - BHO: (no name) - {70F7F936-ADDA-4515-9C34-0C86BAB34951} - C:\WINDOWS\system32\mljji.dll (file missing)

O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background

O4 - HKCU\..\Policies\Explorer\Run: [{F8F29F58-07D9-1033-0623-050614200001}] C:\Program Files\Common Files\{F8F29F58-07D9-1033-0623-050614200001}\Update.exe mc-110-12-0001411

O4 - HKUS\S-1-5-18\..\Policies\Explorer\Run: [{F8F29F58-0898-1033-0623-050614200001}] C:\Program Files\Common Files\{F8F29F58-0898-1033-0623-050614200001}\Update.exe mc-110-12-0001411 (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Policies\Explorer\Run: [{F8F29F58-0898-1033-0623-050614200001}] C:\Program Files\Common Files\{F8F29F58-0898-1033-0623-050614200001}\Update.exe mc-110-12-0001411 (User 'Default user')

O20 - Winlogon Notify: nnnopom - C:\WINDOWS\

O20 - Winlogon Notify: vtutqnn - C:\WINDOWS\

O20 - Winlogon Notify: winvdb32 - winvdb32.dll (file missing)

Then get this and follow directions carefully

Print or copy these instructions to Notepad and save to your Desktop, as you will be offline with all browsers closed for this fix.

Download:

Use this URL to download the latest version (the file contains both English and French versions):

http://siri.urz.free.fr/Fix/SmitfraudFix.exe

* Double-click SmitfraudFix.exe

* Select 1 and hit Enter to create a report of the infected files. The report can be found at the root of the system drive, usually at C:\rapport.txt

Clean:

* Reboot your computer in Safe Mode (before the Windows icon appears, tap the F8 key continually)

* Double-click SmitfraudFix.exe

* Select 2 and hit Enter to delete infected files.

* You will be prompted: Do you want to clean the registry ? answer Y (yes) and hit Enter in order to remove the Desktop background and clean registry keys associated with the infection.

* The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found): Replace infected file ? answer Y (yes) and hit Enter to restore a clean file.

* A reboot may be needed to finish the cleaning process. The report can be found at the root of the system drive, usually at C:\rapport.txt

* Optional:

o To restore Trusted and Restricted site zone, select 3 and hit Enter.

o You will be prompted: Restore Trusted Zone ? answer Y (yes) and hit Enter to delete trusted zone.

Note:

process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool". It is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.

http://www.beyondlogic.org/consulting/proc...processutil.htm

Post this log and a new HJT too.


Hey, I couldn't find any files within that folder, and yeah, I've got detect hidden files.

I checked and fixed those in the HJT log

and did the SmitfraudFix, here is the log after cleaning infected files in safe mode

SmitFraudFix v2.256

Scan done at 2:52:23.03, Wed 11/28/2007

Run from C:\Documents and Settings\rishi\Desktop\SmitfraudFix

OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT

The filesystem type is NTFS

Fix run in safe mode


OK still work to do. Run HJT and put a check next to these and fix.

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

O4 - HKCU\..\Run: [skip drive] C:\DOCUME~1\rishi\APPLIC~1\ACTIVE~1\16 COMP BOWS.exe

O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background

O16 - DPF: {74CD40EA-EF77-4BAD-808A-B5982DA73F20} - http://yax-download.yazzle.net/YazzleActiveX.cab?refid=1123

O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\nveockqf.exe (file missing)

O23 - Service: MSSQL$SONY_MEDIAMGR - Unknown owner - C:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlservr.exe (file missing)

O23 - Service: SQLAgent$SONY_MEDIAMGR - Unknown owner - C:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlagent.EXE (file missing)

Get rid of anything you know that is associated with the Yazzle ActiveX install you did. I suggest you get rid of FlashGet also. Your Adobe Reader and Java are both outdated and a security risk...please update both. You need to uninstall Java via Add/Remove programs and delete the program file also. Then go here http://www.java.com/en/download/manual.jsp and install the correct version for your system. Choose the offline installation. Adobe is via the program I think or a Google search, the current version is 8.

I'm still suspicious, so let's run this.

1. Download this file :

http://www.techsupportforum.com/sectools/combofix.exe

2. Double click combofix.exe & follow the prompts.

3. When finished, it shall produce a log for you. Post that log and a HiJack log in your next reply

Note:

Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

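The entries the helper singles out in the two posts above (orphaned BHOs and URLSearchHooks, Winlogon Notify handlers that point at a bare directory or a missing DLL, Policies\Explorer\Run autoruns, programs launched from Application Data, a service with an unknown owner and a missing binary, a third-party ActiveX download) can be triaged mechanically. The Python below is an added example, not code from this thread or from HijackThis; its regexes, severity labels and trusted-host list are assumptions, and the sample log is constructed from lines posted in this thread.

```python
# Added example, not part of the thread or of HijackThis: heuristics, severity
# labels and the trusted-host list are assumptions; sample lines are constructed.
import re
from collections import Counter
from dataclasses import dataclass


@dataclass
class Finding:
    severity: str  # "high" or "medium"
    reason: str
    line: str


ENTRY_RE = re.compile(r"^([OR]\d+) - (.*)$")              # "<section> - <entry>"
MISSING_RE = re.compile(r"\((?:no file|file missing)\)")  # HJT's dangling-entry marker
APPDATA_RE = re.compile(r"application data|applic~1", re.IGNORECASE)
TRUSTED_DPF_HOSTS = ("microsoft.com", "msn.com", "pandasoftware.com")  # assumption


def host_of(text: str) -> str:
    """Lower-cased host of the first URL in text, or '' if there is none."""
    m = re.search(r"https?://([^/\s]+)", text)
    return m.group(1).lower() if m else ""


def host_trusted(host: str) -> bool:
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DPF_HOSTS)


def triage_line(line: str):
    """Return a Finding for a suspicious HJT entry, or None for a benign one."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    section, rest = m.groups()
    # O2 BHOs and R3 URLSearchHooks with no name or no file are orphaned hooks
    if section in ("O2", "R3") and ("(no name)" in rest or MISSING_RE.search(rest)):
        return Finding("high", "orphaned or unnamed browser hook", line)
    if section == "O4":
        if "Policies\\Explorer\\Run" in rest:  # rarely used by legitimate software
            return Finding("high", "autorun via Policies\\Explorer\\Run", line)
        if APPDATA_RE.search(rest):
            return Finding("medium", "autorun launched from Application Data", line)
    if section == "O16" and not host_trusted(host_of(rest)):
        return Finding("medium", f"ActiveX download from untrusted host {host_of(rest)!r}", line)
    if section == "O20":
        # A Winlogon Notify handler must name a DLL; a bare directory or a missing
        # file is what the nnnopom / vtutqnn / winvdb32 entries above look like
        target = rest.split(" - ", 1)[1] if " - " in rest else ""
        if MISSING_RE.search(target) or not target.lower().endswith(".dll"):
            return Finding("high", "Winlogon Notify handler without a real DLL", line)
    if section == "O23" and "Unknown owner" in rest and MISSING_RE.search(rest):
        return Finding("high", "service with unknown owner and missing binary", line)
    return None


def triage_log(log_text: str):
    """Collect the findings for every line of an HJT log."""
    return [f for f in map(triage_line, log_text.splitlines()) if f is not None]


def severity_counts(findings):
    return dict(Counter(f.severity for f in findings))


# Constructed sample: entries taken from this thread's logs, plus known-good
# entries (ssv.dll, Panda ActiveScan, ekrn) so the clean path is exercised too
SAMPLE_LOG = "\n".join([
    "R3 - URLSearchHook: (no name) - {132D477C-8AE0-AA33-98A8-F08AAFA0FB9E} - (no file)",
    "O2 - BHO: (no name) - {70F7F936-ADDA-4515-9C34-0C86BAB34951} - C:\\WINDOWS\\system32\\mljji.dll (file missing)",
    "O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\\Program Files\\Java\\jre1.6.0_03\\bin\\ssv.dll",
    "O4 - HKLM\\..\\Run: [tool 01 warn info] C:\\Documents and Settings\\All Users\\Application Data\\bash army tool 01\\File bleh.exe",
    "O4 - HKCU\\..\\Run: [skip drive] C:\\DOCUME~1\\rishi\\APPLIC~1\\ACTIVE~1\\16 COMP BOWS.exe",
    "O4 - HKCU\\..\\Policies\\Explorer\\Run: [{F8F29F58-07D9-1033-0623-050614200001}] C:\\Program Files\\Common Files\\{F8F29F58-07D9-1033-0623-050614200001}\\Update.exe mc-110-12-0001411",
    "O16 - DPF: {74CD40EA-EF77-4BAD-808A-B5982DA73F20} - http://yax-download.yazzle.net/YazzleActiveX.cab?refid=1123",
    "O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab",
    "O20 - Winlogon Notify: nnnopom - C:\\WINDOWS\\",
    "O20 - Winlogon Notify: winvdb32 - winvdb32.dll (file missing)",
    "O23 - Service: DomainService - Unknown owner - C:\\WINDOWS\\system32\\nveockqf.exe (file missing)",
    "O23 - Service: Eset Service (ekrn) - ESET - C:\\Program Files\\ESET\\ESET NOD32 Antivirus\\ekrn.exe",
])

if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.reason}: {f.line}")
    print(severity_counts(triage_log(SAMPLE_LOG)))
```

Running the block prints one line per finding and a severity tally. Everything it flags still needs a human to confirm, since legitimate software can also autostart from Application Data or fetch an ActiveX control from a host that is not on the list; the point is to surface the same classes of entry the helper picked out by hand so nothing in a long log is overlooked.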

Ok, I updated Java and Adobe, but I actually use FlashGet a lot.

Anyways here are the logs

New HJT

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 1:04:57 PM, on 11/28/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\SOUNDMAN.EXE

C:\Program Files\Microsoft Hardware\Mouse\point32.exe

C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe

C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe

C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe

C:\Program Files\MSN Messenger\msnmsgr.exe

C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe

C:\Program Files\Cheetah Burner\Cheetah DVD Burner\NMSAccess.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\MSN Messenger\usnsvc.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll

O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\\nTune.exe" clear

O4 - HKLM\..\Run: [POINTER] point32.exe

O4 - HKLM\..\Run: [sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [tool 01 warn info] C:\Documents and Settings\All Users\Application Data\bash army tool 01\File bleh.exe

O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"

O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm

O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE12\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cab

O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab

O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab

O16 - DPF: {C5E28B9D-0A68-4B50-94E9-E8F6B4697514} (NsvPlayX Control) - http://www.nullsoft.com/nsv/embed/nsvplayx_vp3_mp3.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{E8B0C65E-2A48-4377-B274-055879A7829E}: NameServer = 192.231.203.132,192.231.203.3

O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

O23 - Service: Eset HTTP Server (EhttpSrv) - Unknown owner - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe

O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe

O23 - Service: NMSAccess - Unknown owner - C:\Program Files\Cheetah Burner\Cheetah DVD Burner\NMSAccess.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe

--

End of file - 5095 bytes

And the ComboFix log

ComboFix 07-11-19.4 - rishi 2007-11-28 12:55:45.1 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.604 [GMT 10.5:30]

Running from: C:\Documents and Settings\rishi\Desktop\ComboFix(2).exe

* Created a new restore point

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

C:\Program Files\Common Files\{38F29~1

C:\Program Files\Common Files\{38F29~2

C:\Program Files\Common Files\{F8F29~1

C:\Program Files\Common Files\{F8F29~2

C:\Program Files\Common Files\icroso~1

C:\Program Files\Common Files\sstem~1

C:\Program Files\crosof~1

C:\Program Files\download plugin

C:\Program Files\download plugin\DlPlugin-Moz\buddy.dat

C:\Program Files\download plugin\DlPlugin-Moz\vendor.txt

C:\Program Files\outlook

C:\Program Files\vsadd-in

C:\WINDOWS\cookies.ini

C:\WINDOWS\dobe~1

C:\WINDOWS\system32\_000005_.tmp.dll

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\LEGACY_DOMAINSERVICE

-------\DomainService

((((((((((((((((((((((((( Files Created from 2007-10-28 to 2007-11-28 )))))))))))))))))))))))))))))))

.

2007-11-28 12:48 <DIR> d-------- C:\Program Files\Common Files\Java

2007-11-28 12:48 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl

2007-11-28 02:39 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe

2007-11-28 02:39 53,248 --a------ C:\WINDOWS\system32\Process.exe

2007-11-28 02:39 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe

2007-11-27 13:41 <DIR> d-------- C:\VundoFix Backups

2007-11-25 16:28 <DIR> d-------- C:\Documents and Settings\rishi\Application Data\Grisoft

2007-11-25 13:30 8,704 --a------ C:\WINDOWS\system32\pfdnnt.exe

2007-11-25 13:18 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft

2007-11-25 13:18 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys

2007-11-25 13:13 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avg7

2007-11-25 13:06 <DIR> d-------- C:\Program Files\Trend Micro

2007-11-25 12:57 <DIR> d-------- C:\WINDOWS\system32\ActiveScan

2007-11-25 12:57 30,590 --a------ C:\WINDOWS\system32\pavas.ico

2007-11-19 00:01 <DIR> d-------- C:\Documents and Settings\rishi\Application Data\ESET

2007-11-18 23:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ESET

2007-11-18 15:02 <DIR> d-------- C:\Program Files\Ventrilo

2007-11-18 15:02 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard

2007-11-08 17:43 <DIR> d-------- C:\Program Files\Activeflagtons

2007-10-28 21:05 <DIR> d-------- C:\Program Files\Common Files\NSV

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2007-11-28 02:18 --------- d-----w C:\Program Files\Java

2007-11-27 16:26 --------- d-----w C:\Program Files\Steam

2007-11-27 14:39 --------- d-----w C:\Documents and Settings\rishi\Application Data\Azureus

2007-11-27 13:45 --------- d-----w C:\Program Files\FlashGet

2007-11-27 09:14 --------- d-----w C:\Program Files\mIRC

2007-11-27 03:40 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy

2007-11-26 07:16 --------- d-----w C:\Program Files\HLSW

2007-11-25 04:08 --------- d-----w C:\Program Files\MSN Messenger

2007-11-18 13:28 --------- d-----w C:\Documents and Settings\rishi\Application Data\Activeflagtons

2007-11-18 13:27 --------- d-----w C:\Documents and Settings\All Users\Application Data\bash army tool 01

2007-11-08 09:45 --------- d-----w C:\Program Files\TVUPlayer

2007-10-24 22:57 53,768 ----a-w C:\WINDOWS\system32\drivers\epfwtdi.sys

2007-10-24 22:57 50,696 ----a-w C:\WINDOWS\system32\drivers\epfw.sys

2007-10-24 22:57 30,728 ----a-w C:\WINDOWS\system32\drivers\epfwndis.sys

2007-10-24 22:55 33,800 ----a-w C:\WINDOWS\system32\drivers\eamon.sys

2007-10-24 22:55 27,144 ----a-w C:\WINDOWS\system32\drivers\easdrv.sys

2007-10-21 09:22 --------- d-----w C:\Program Files\Common Files\AVSMedia

2007-10-21 09:22 --------- d-----w C:\Documents and Settings\rishi\Application Data\AVSMedia

2007-10-21 09:22 --------- d-----w C:\Documents and Settings\All Users\Application Data\AVS4YOU

2007-10-21 09:21 --------- d-----w C:\Program Files\AVSMedia

2007-10-21 09:20 --------- d-----w C:\Program Files\Common Files\Download Manager

2007-10-18 10:52 --------- d-----w C:\Program Files\Azureus

2007-10-08 02:50 --------- d-----w C:\Program Files\Mediafour

2006-12-09 11:27 1,568 ----a-w C:\Documents and Settings\rishi\Application Data\mpauth.dat

2006-03-12 06:49 8 ----a-w C:\Documents and Settings\rishi\Application Data\usb.dat.bin

2005-05-13 07:42 217,073 --sha-r C:\WINDOWS\meta4.exe

2005-10-24 01:43 66,560 --sha-r C:\WINDOWS\MOTA113.exe

2005-10-13 11:57 422,400 --sha-r C:\WINDOWS\x2.64.exe

2005-10-07 09:44 308,224 --sha-r C:\WINDOWS\system32\avisynth.dll

2005-07-14 03:01 27,648 --sha-r C:\WINDOWS\system32\AVSredirect.dll

2005-06-26 06:02 616,448 --sha-r C:\WINDOWS\system32\cygwin1.dll

2005-06-21 13:07 45,568 --sha-r C:\WINDOWS\system32\cygz.dll

2004-01-24 14:30 70,656 --sha-r C:\WINDOWS\system32\i420vfw.dll

2006-04-27 00:54 2,945,024 --sha-r C:\WINDOWS\system32\Smab.dll

2005-02-28 03:46 240,128 --sha-r C:\WINDOWS\system32\x.264.exe

2004-01-24 14:30 70,656 --sha-r C:\WINDOWS\system32\yv12vfw.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-01-19 13:54]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NVMixerTray"="C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe" [2004-10-07 17:53]

"SoundMan"="SOUNDMAN.EXE" [2005-01-12 10:01 C:\WINDOWS\soundman.exe]

"NVIDIA nTune"="C:\Program Files\NVIDIA Corporation\nTune\\nTune.exe" [2004-11-18 07:33]

"POINTER"="point32.exe" []

"Sony Ericsson PC Suite"="C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2005-10-26 18:17]

"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-09-01 15:57]

"NvCplDaemon"="RUNDLL32.exe" [2004-08-03 23:56 C:\WINDOWS\system32\rundll32.exe]

"nwiz"="nwiz.exe" [2007-04-19 14:26 C:\WINDOWS\system32\nwiz.exe]

"NvMediaCenter"="RunDLL32.exe" [2004-08-03 23:56 C:\WINDOWS\system32\rundll32.exe]

"tool 01 warn info"="C:\Documents and Settings\All Users\Application Data\bash army tool 01\File bleh.exe" []

"egui"="C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" [2007-10-25 09:26]

"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]

"UIHost"="LogonUI.EXE"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^rishi^Start Menu^Programs^Startup^Yahoo! Widget Engine.lnk]

backup=C:\WINDOWS\pss\Yahoo! Widget Engine.lnkStartup

path=C:\Documents and Settings\rishi\Start Menu\Programs\Startup\Yahoo! Widget Engine.lnk

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MDDiskProtect.exe]

C:\Program Files\Mediafour\MacDrive\MDDiskProtect.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Mediafour Mac Volume Notifications]

C:\Program Files\Common Files\Mediafour\MACVNTFY.EXE /auto

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Mediafour XPlay Tray Notification Icon]

C:\Program Files\Mediafour\XPlay\XPTRYICN.EXE

R1 cpuidlep;CpuIdle Pro System Driver;C:\WINDOWS\system32\drivers\cpuidlep.sys

R1 easdrv;easdrv;C:\WINDOWS\system32\DRIVERS\easdrv.sys

R1 epfwtdi;epfwtdi;C:\WINDOWS\system32\DRIVERS\epfwtdi.sys

R1 SysTool;SysTool Overclocking Utility;C:\WINDOWS\system32\DRIVERS\SysTool.sys

R2 eamon;EAMON;C:\WINDOWS\system32\DRIVERS\eamon.sys

R2 ekrn;Eset Service;"C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe"

R2 epfw;epfw;C:\WINDOWS\system32\DRIVERS\epfw.sys

R3 Epfwndis;Eset Personal Firewall;C:\WINDOWS\system32\DRIVERS\Epfwndis.sys

S3 EhttpSrv;Eset HTTP Server;"C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe"

S3 NPF;NetGroup Packet Filter Driver;C:\WINDOWS\system32\drivers\npf.sys

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]

\Shell\AutoRun\command - F:\setup\rsrc\autorun.exe

\Shell\dinstall\command - F:\Directx\dxsetup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d4033fc2-7069-11d9-9ad7-806d6172696f}]

\Shell\AutoRun\command - D:\SETUP.EXE /UPDATE

.

Contents of the 'Scheduled Tasks' folder

"2007-11-28 02:30:13 C:\WINDOWS\Tasks\AA37107B9184857F.job"

- c:\docume~1\rishi\applic~1\active~1\CityBaitCast.exe

.

**************************************************************************

catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2007-11-28 12:59:47

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

Completion time: 2007-11-28 13:01:21 - machine was rebooted

.

--- E O F ---

Thanks


Adobe is still outdated according to your HJT log, and that should be posted last. I need to see that log after whatever other fix is done. You most likely got in this mess from using FlashGet or Azureus. FlashGet is known to install adware when you install it. I see that one file is still in the HJT but I don't know when you ran that scan. If the times are correct it was after the CF, so you still have a bad file.

Please do this:

Author: Option^Explicit

License: Freeware

Download Location: KillBox Download Link http://download.bleepingcomputer.com/spyware/KillBox.exe

Operating System: Windows

File Description:

Pocket KillBox is a program that can be used to get rid of files that stubbornly refuse to allow you to delete them.

Usage Information:

Download this file and run the killbox.exe file. When it loads type the full path to the file you would like to delete in the field and press the Delete File button (looks like a red circle with a white X). It will prompt you to reboot, allow it to do so, and hopefully your file will now be deleted.

Put this file name in C:\Documents and Settings\All Users\Application Data\bash army tool 01\File bleh.exe

Also put a check next to these in HJT:

O4 - HKLM\..\Run: [tool 01 warn info] C:\Documents and Settings\All Users\Application Data\bash army tool 01\File bleh.exe

O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background

Reboot and post a new log.


This topic is now closed to further replies.