Need Help ... Adware.Virtumonde application


Hey!

I've this virus (Win32/Adware.Virtumonde application) and it's always popping up; even if I press delete in NOD32 it comes out again.

I visited some threads and downloaded "Combo Fix"; here is its log report ... I really need urgent help, I'll really appreciate your time.

Thanks in Advance

ComboFix 07-11-29.2 - shahzad 2007-11-29 3:18:28.1 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.600 [GMT 5:00]

Running from: C:\Documents and Settings\shahzad\Desktop\ComboFix.exe

* Created a new restore point

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

C:\drsmartload.exe

C:\WINDOWS\system32\hgjlm.bak1

C:\WINDOWS\system32\hgjlm.bak2

C:\WINDOWS\system32\hgjlm.ini

C:\WINDOWS\system32\hgjlm.ini2

C:\WINDOWS\system32\hgjlm.tmp

C:\WINDOWS\system32\mljgh.dll

C:\WINDOWS\system32\winsys.exe

.

((((((((((((((((((((((((( Files Created from 2007-10-28 to 2007-11-28 )))))))))))))))))))))))))))))))

.

2007-11-29 03:11 . 2007-11-29 03:11 <DIR> d-------- C:\VundoFix Backups

2007-11-28 01:46 . 2007-11-28 01:46 <DIR> d-------- C:\Program Files\MegauploadToolbar

2007-11-28 01:46 . 2007-11-28 01:56 <DIR> d-------- C:\Documents and Settings\shahzad\Application Data\MegauploadToolbar

2007-11-28 01:11 . 2007-11-28 01:11 <DIR> d--h----- C:\WINDOWS\PIF

2007-11-27 07:38 . 2007-03-12 16:42 3,495,784 --a------ C:\WINDOWS\system32\d3dx9_33.dll

2007-11-27 07:38 . 2007-03-12 16:42 1,123,696 --a------ C:\WINDOWS\system32\D3DCompiler_33.dll

2007-11-27 07:38 . 2007-03-15 16:57 443,752 --a------ C:\WINDOWS\system32\d3dx10_33.dll

2007-11-27 07:32 . 2007-11-28 15:10 <DIR> d-------- C:\Program Files\DAEMON Tools SearchBar

2007-11-27 07:31 . 2007-11-27 07:31 <DIR> d-------- C:\Program Files\DAEMON Tools

2007-11-27 07:27 . 2007-11-27 07:27 685,816 --a------ C:\WINDOWS\system32\drivers\sptd.sys

2007-11-27 06:47 . 2007-11-27 06:47 <DIR> d-------- C:\Program Files\Symantec

2007-11-27 05:26 . 2007-11-27 05:26 <DIR> d--hs---- C:\FOUND.019

2007-11-27 03:24 . 2007-11-27 03:24 38,400 --a------ C:\WINDOWS\system32\opnljge.dll

2007-11-26 22:37 . 2007-07-19 18:14 1,358,192 --a------ C:\WINDOWS\system32\D3DCompiler_35.dll

2007-11-26 22:37 . 2007-11-26 22:37 669,184 --a------ C:\WINDOWS\system32\pbsvc.exe

2007-11-26 22:37 . 2007-07-19 18:14 444,776 --a------ C:\WINDOWS\system32\d3dx10_35.dll

2007-11-26 22:37 . 2007-11-26 22:37 22,328 --a------ C:\Documents and Settings\shahzad\Application Data\PnkBstrK.sys

2007-11-26 22:36 . 2007-07-19 18:14 3,727,720 --a------ C:\WINDOWS\system32\d3dx9_35.dll

2007-11-26 22:36 . 2007-05-16 16:45 3,497,832 --a------ C:\WINDOWS\system32\d3dx9_34.dll

2007-11-26 22:36 . 2007-05-16 16:45 1,124,720 --a------ C:\WINDOWS\system32\D3DCompiler_34.dll

2007-11-26 22:36 . 2007-05-16 16:45 443,752 --a------ C:\WINDOWS\system32\d3dx10_34.dll

2007-11-24 03:53 . 2007-11-24 03:53 <DIR> d-------- C:\Documents and Settings\shahzad\Incomplete

2007-11-24 03:53 . 2007-11-24 03:53 <DIR> d-------- C:\Documents and Settings\shahzad\Application Data\LimeWire

2007-11-24 03:52 . 2007-11-24 03:52 <DIR> d-------- C:\Documents and Settings\shahzad\Application Data\MSNInstaller

2007-11-20 04:20 . 2007-11-20 04:20 <DIR> d--hs---- C:\FOUND.018

2007-11-15 04:06 . 2007-11-15 04:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Hagel Technologies

2007-11-14 16:32 . 2007-11-14 16:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\TEMP

2007-11-14 03:29 . 2007-11-14 03:29 <DIR> d--hs---- C:\FOUND.017

2007-11-13 18:50 . 2007-11-28 17:56 22,328 --a------ C:\WINDOWS\system32\drivers\PnkBstrK.sys

2007-11-13 18:49 . 2007-11-28 17:56 103,736 --a------ C:\WINDOWS\system32\PnkBstrB.exe

2007-11-13 18:49 . 2007-11-27 07:58 66,872 --a------ C:\WINDOWS\system32\PnkBstrA.exe

2007-11-12 23:46 . 2007-11-12 23:46 <DIR> d-------- C:\Documents and Settings\shahzad\Application Data\IGN_DLM

2007-11-10 20:15 . 2007-11-10 20:15 <DIR> d-------- C:\Documents and Settings\shahzad\Application Data\Palo Alto Software

2007-11-10 20:14 . 2007-11-10 20:14 <DIR> d-------- C:\Program Files\Common Files\Palo Alto Software

2007-11-10 20:14 . 2007-11-10 20:14 <DIR> d-------- C:\Program Files\Common Files\Intuit

2007-11-10 20:13 . 2007-11-10 20:13 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Palo Alto Software

2007-11-10 00:03 . 2007-11-10 00:03 <DIR> d-------- C:\Documents and Settings\shahzad\Application Data\AdobeUM

2007-11-10 00:01 . 2007-11-10 00:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Adobe Systems

2007-11-09 23:59 . 2007-11-09 23:59 <DIR> d-------- C:\Program Files\Common Files\Adobe Systems Shared

2007-11-09 21:35 . 2007-11-09 21:35 <DIR> d--hs---- C:\FOUND.016

2007-11-09 06:04 . 2007-11-09 06:04 <DIR> d-------- C:\Program Files\Common Files\Palo Alto Software Inc

2007-11-09 06:04 . 2007-11-09 06:04 <DIR> d-------- C:\Documents and Settings\shahzad\Application Data\Palo Alto Software Inc

2007-11-09 06:04 . 2007-11-09 06:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Palo Alto Software Inc

2007-11-08 19:48 . 2007-11-08 19:48 <DIR> d-------- C:\Program Files\Hamachi

2007-11-05 18:19 . 2007-11-05 18:19 <DIR> d-------- C:\Program Files\Java

2007-11-05 18:19 . 2007-11-05 18:19 <DIR> d-------- C:\Program Files\Common Files\Java

2007-11-05 18:19 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl

2007-11-04 19:54 . 2007-11-04 19:54 <DIR> d-------- C:\Program Files\Reallusion

2007-11-04 19:54 . 2007-11-04 19:54 <DIR> d-------- C:\Documents and Settings\shahzad\Application Data\Reallusion

2007-11-04 19:54 . 2007-11-04 19:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\InstallShield

2007-11-04 19:54 . 2007-05-23 18:28 5,627,904 --a------ C:\WINDOWS\system32\RLVirDev.ocx

2007-11-04 19:54 . 2006-05-16 11:58 73,728 --a------ C:\WINDOWS\system32\ISUSPM.cpl

2007-11-04 19:53 . 2007-11-04 19:53 <DIR> d-------- C:\Documents and Settings\shahzad\Application Data\InstallShield

2007-11-03 05:44 . 2007-11-03 05:44 <DIR> d--hs---- C:\FOUND.015

2007-11-02 23:46 . 2007-11-02 23:46 <DIR> d--hs---- C:\FOUND.014

2007-11-01 13:17 . 2007-11-01 13:17 <DIR> d-------- C:\Documents and Settings\shahzad\Application Data\Camfrog

2007-11-01 13:16 . 2007-11-01 13:16 <DIR> d-------- C:\Program Files\Camfrog

2007-10-29 17:54 . 2004-08-03 23:08 31,616 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2007-11-26 22:24 32,764 ----a-w C:\WINDOWS\17PHolmes1061.exe

2007-11-12 00:31 5,755 ----a-w C:\Program Files\install.log

2007-11-08 14:48 26,056 ----a-w C:\WINDOWS\system32\drivers\hamachi.sys

2007-10-26 00:45 --------- d-----w C:\Program Files\IE7Pro

2007-10-26 00:45 --------- d-----w C:\Documents and Settings\shahzad\Application Data\IE7Pro

2007-10-26 00:40 --------- d-----w C:\Documents and Settings\shahzad\Application Data\Skype

2007-10-26 00:39 --------- d-----w C:\Program Files\Skype

2007-10-26 00:39 --------- d-----w C:\Program Files\Common Files\Skype

2007-10-26 00:39 --------- d-----w C:\Documents and Settings\All Users\Application Data\Skype

2007-10-25 15:12 107,888 ----a-w C:\WINDOWS\system32\CmdLineExt.dll

2007-10-25 15:12 --------- d--h--r C:\Documents and Settings\shahzad\Application Data\SecuROM

2007-10-24 11:44 --------- d-----w C:\Documents and Settings\shahzad\Application Data\Move Networks

2007-10-22 12:08 --------- d-----w C:\Documents and Settings\shahzad\Application Data\Hamachi

2007-10-21 20:26 --------- d-----w C:\Documents and Settings\shahzad\Application Data\Paltalk

2007-10-21 19:51 --------- d-----w C:\Documents and Settings\shahzad\Application Data\Media Player Classic

2007-10-19 10:03 --------- d-----w C:\Program Files\D-Link

2007-10-15 23:54 --------- d-----w C:\Documents and Settings\shahzad\Application Data\ImTOO Software Studio

2007-10-15 23:51 --------- d-----w C:\Program Files\ImTOO

2007-10-02 02:54 --------- d-----w C:\Program Files\Google

2007-10-02 02:53 --------- d-----w C:\Program Files\DivX

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{17B88DF7-95AB-44DA-8ECD-5FF0B6CAEC67}]

2007-11-27 03:24 38400 --a------ C:\WINDOWS\system32\opnljge.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56]

"DU Meter"="C:\Program Files\DU Meter\DUMeter.exe" [2007-11-15 04:08]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NvCplDaemon"="RUNDLL32.exe" [2004-08-04 00:56 C:\WINDOWS\system32\rundll32.exe]

"nwiz"="nwiz.exe" [2006-06-01 01:22 C:\WINDOWS\system32\nwiz.exe]

"SW20"="C:\WINDOWS\system32\sw20.exe" [2006-05-17 17:15]

"SW24"="C:\WINDOWS\system32\sw24.exe" [2006-05-16 18:37]

"NvMediaCenter"="RunDLL32.exe" [2004-08-04 00:56 C:\WINDOWS\system32\rundll32.exe]

"PCSuiteTrayApplication"="D:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [2007-06-18 15:10]

"BigDogPath"="C:\WINDOWS\VM_STI.exe" [2002-08-22 11:51]

"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-08-28 01:01]

"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2007-08-28 01:15]

"CorelDRAW Graphics Suite 11b"="E:\Program Files\Corel\Corel Graphics 12\Languages\EN\Programs\Registration.exe" [2003-11-25 13:39]

"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 06:24]

"iTunesHelper"="E:\Program Files\iTunes\iTunesHelper.exe" [2007-09-07 16:55]

"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]

"Acrobat Assistant 7.0"="D:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2004-12-14 02:12]

"AAWTray"="D:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe" []

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"Nokia.PCSync"="D:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-06-19 10:17]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shell executehooks]

"{17B88DF7-95AB-44DA-8ECD-5FF0B6CAEC67}"= C:\WINDOWS\system32\opnljge.dll [2007-11-27 03:24 38400]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\opnljge]

opnljge.dll 2007-11-27 03:24 38400 C:\WINDOWS\system32\opnljge.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]

"Authentication Packages"= msv1_0 C:\WINDOWS\system32\mljgh.dll

R2 DUMeterSvc;DU Meter Service;C:\Program Files\DU Meter\DUMeterSvc.exe /startedbyscm:E1F6D4BE-40E33354-DUMeterService

S3 SetupNTGLM7X;SetupNTGLM7X;\??\G:\NTGLM7X.sys

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f9d737cd-00b6-11d6-9242-cd0025804551}]

\Shell\AutoRun\command - RavMon.exe

\Shell\explore\Command - RavMon.exe -e

\Shell\open\Command - RavMon.exe

.

**************************************************************************

catchme 0.3.1318 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2007-11-29 03:26:33

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet004\Services\DUMeterSvc]

"ImagePath"="C:\Program Files\DU Meter\DUMeterSvc.exe /startedbyscm:E1F6D4BE-40E33354-DUMeterService"

[HKEY_LOCAL_MACHINE\system\ControlSet004\Services\CrystalSysInfo]

"ImagePath"="\??\C:\WINDOWS\system32\SysInfo.sys"

.

Completion time: 2007-11-29 3:29:25 - machine was rebooted

.

--- E O F ---

I need instructions about what to do next, because the problem is still there. I am waiting for your kind replies.


Hi there smokenfog, and welcome to Malwarebytes.

Never follow advice given to someone else. The fixes you read are for that machine only. It may not be what your problem is. Please delete all special fixes you have and their files. I see you had vundo fix backups within a month. Did you run this fix recently?

If you haven't already, please get these programs, update and run a complete scan removing all items found.

Spybot Search & Destroy: Be sure to use the immunize feature. But do not enable TeaTimer at this time. Use the tutorial feature in the help tab to see how to go about this.

AVG AntiSpyware: Be sure to "take action".

Then go here and run a scan: PandaActive Scan. There is a full tutorial on how to do this at the top of this forum.

Post the logs from the Panda and AVG scans please, along with a log from this program: HiJack This!

You will post three logs. 1. AVG scan. 2. Panda Active Scan. 3. HiJack This scan. You will finish the AVG first so go ahead and post that log, then move on to Panda and so forth.

I will analyze the logs and give you further instructions. Be patient and persistent. These things can take time and many procedures.


AVG Anti-Spyware - Scan Report---------------------------------------------------------

+ Created at: 7:59:23 AM 11/29/2007

+ Scan result:

C:\Documents and Settings\shahzad\Cookies\shahzad@pandasoftware.112.2o7[1].txt -> TrackingCookie.2o7 : No action taken.

C:\Documents and Settings\shahzad\Cookies\shahzad@doubleclick[1].txt -> TrackingCookie.Doubleclick : No action taken.

::Report end {Took action and deleted both, as you said and the program suggested}

PandaActive Scan

Incident Status Location

Potentially unwanted tool:Application/ErrorSafe Not disinfected D:\Program Files\DAP\DAP.EXE

Adware:adware/fastlook Not disinfected Windows Registry

Adware:adware/whenusearch Not disinfected Windows Registry

Adware:adware/sbsoft Not disinfected Windows Registry

Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\Documents and Settings\shahzad\Desktop\ComboFix.exe[nircmd.exe]

Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\Documents and Settings\shahzad\Desktop\ComboFix.exe[nircmd.cfexe]

Potentially unwanted tool:Application/ErrorSafe Not disinfected C:\Documents and Settings\shahzad\My Documents\Download_Accelerator_Plus_v8.5.5.5_Premium___Crack\Download_Accelerator_Plus_v8.5.5.5_Premium___Crack\CRACK\DAP.exe

Adware:Adware/WhenUSearch Not disinfected C:\Program Files\DAEMON Tools SearchBar\search.dll

Virus:Trj/Downloader.RHX Disinfected C:\WINDOWS\17PHolmes1061.exe

Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\WINDOWS\NirCmd.exe

Virus:Trj/Multidropper.RGN Not disinfected D:\Softwares\mpp-800-full.exe[darkenginex.dll]

Hacktool:HackTool/Zapgon.A Not disinfected D:\Softwares\mpp-800-full.exe[stdio.dll]

Virus:Trj/Multidropper.RGN Disinfected D:\MPP\SYSTEM\darkengine\darkenginex.dll

Hacktool:HackTool/Zapgon.A Not disinfected D:\MPP\SYSTEM\VOICE\STDIO.DLL

HiJack This scan

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 8:50:46 AM, on 11/29/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16544)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\DU Meter\DUMeterSvc.exe

C:\WINDOWS\system32\RunDLL32.exe

C:\WINDOWS\VM_STI.EXE

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\Eset\nod32kui.exe

C:\Program Files\Eset\nod32krn.exe

E:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe

D:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\DU Meter\DUMeter.exe

C:\WINDOWS\system32\PnkBstrA.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe

D:\Program Files\DAP\DAP.EXE

C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://cm.my.yahoo.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll

O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - D:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll

O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll

O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [sW20] C:\WINDOWS\system32\sw20.exe

O4 - HKLM\..\Run: [sW24] C:\WINDOWS\system32\sw24.exe

O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [PCSuiteTrayApplication] D:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup

O4 - HKLM\..\Run: [bigDogPath] C:\WINDOWS\VM_STI.EXE KOCOM KMC-90 Web Camera

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE

O4 - HKLM\..\Run: [CorelDRAW Graphics Suite 11b] E:\Program Files\Corel\Corel Graphics 12\Languages\EN\Programs\Registration.exe /title="CorelDRAW Graphics Suite 12" /date=121307 serial=dr12wef-5646037-wec lang=EN

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "E:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"

O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "D:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"

O4 - HKLM\..\Run: [AAWTray] D:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [DU Meter] C:\Program Files\DU Meter\DUMeter.exe

O4 - HKUS\S-1-5-18\..\Run: [Nokia.PCSync] D:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [Nokia.PCSync] D:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'Default user')

O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?

O8 - Extra context menu item: &Clean Traces - D:\Program Files\DAP\Privacy Package\dapcleanerie.htm

O8 - Extra context menu item: &Download with &DAP - D:\Program Files\DAP\dapextie.htm

O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html

O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html

O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html

O8 - Extra context menu item: Convert link target to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert link target to existing PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert selected links to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

O8 - Extra context menu item: Convert selected links to existing PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

O8 - Extra context menu item: Convert selection to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert selection to existing PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert to existing PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Download &all with DAP - D:\Program Files\DAP\dapextie2.htm

O8 - Extra context menu item: Download with ImTOO Download YouTube Video - C:\Program Files\ImTOO\Download YouTube Video\upod_link.HTM

O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000

O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html

O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html

O9 - Extra button: IE7Pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program Files\IE7Pro\IE7Pro.dll

O9 - Extra 'Tools' menuitem: IE7Pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program Files\IE7Pro\IE7Pro.dll

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O9 - Extra button: PalTalk - {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE} - d:\Program Files\Paltalk Messenger\Paltalk.exe (file missing)

O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - F:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL

O9 - Extra button: (no name) - {9819CC0E-9669-4D01-9CD7-2C66DA43AC6C} - (no file)

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll

O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.6.108.cab

O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab2.cab

O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab

O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://messenger.zone.msn.com/EN-US/a-LUXR/mjolauncher.cab

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab

O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab

O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{46DDB60D-705F-46FD-88CF-9BCB2A2231EE}: NameServer = 203.135.0.70,203.135.1.117

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: DU Meter Service (DUMeterSvc) - Hagel Technologies Ltd - C:\Program Files\DU Meter\DUMeterSvc.exe

O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

O23 - Service: Windows Live Setup Service (WLSetupSvc) - Unknown owner - C:\Program Files\Windows Live\installer\WLSetupSvc.exe

--

End of file - 10842 bytes

I posted all three reports ... waiting for your further instructions ...


The problem why I am here is that when my PC starts, my antivirus NOD32 detects a threat and suggests that I delete the file ... the threat is c:\windows\system32\opnljge.dll .... I deleted it many times but it came back again and again, and I got this error after every 2 sec if NOD32 is running.

You asked me to provide 3 reports ... I provided all; I am thankful that you are helping me and am waiting for further instructions.


Delete the Combo Fix program please. Uninstall these programs:

D:\MPP\SYSTEM\VOICE\STDIO.DLL

Documents\Download_Accelerator_Plus_v8.5.5.5_Premium___Crack\Download_Accelerator_Plus_v8.5.5.5_Premium___Crack\CRACK\DAP.exe

It is against the law to obtain software you do not pay for that is not provided free. Cracks are illegal and probably why you're infected.

Run HJT and put a check next to these:

O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - D:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll

O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL <====== This one is debatable. Not classified as malware, but not good either.

Get this and clean everything it finds: http://www.ccleaner.com/download

Then run another Panda scan please and post that log with a new HJT log after it.


Hey!

Panda Active Scan Result

Incident Status Location

Adware:Adware/WinAntiVirus2007 Not disinfected C:\WINDOWS\system32\vtutu.dll

Adware:adware/whenusearch Not disinfected Windows Registry

Adware:adware/sbsoft Not disinfected Windows Registry

Spyware:Cookie/Go Not disinfected C:\Documents and Settings\shahzad\Cookies\shahzad@go[1].txt

Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\shahzad\Cookies\shahzad@statcounter[1].txt

Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\Documents and Settings\shahzad\Desktop\spynomore[1].v2.36.full\ComboFix.exe[nircmd.exe]

Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\Documents and Settings\shahzad\Desktop\spynomore[1].v2.36.full\ComboFix.exe[nircmd.cfexe]

Virus:Generic Malware Not disinfected C:\Documents and Settings\shahzad\Desktop\spynomore[1].v2.36.full\spynomore.v2.36.full\spynomore.exe[snmIeGuard.dll]

Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\shahzad\Desktop\spynomore[1].v2.36.full\VirtumundoBeGone.exe

Virus:Generic Malware Disinfected C:\Documents and Settings\shahzad\My Documents\201e32c1360d7583a32bcd97e796c97001d\SpyHunter_v2.9_Patch_by_AT4RE\SpyHunter.2.9\Patch After Upgarding\spyhunter.2.9_Patch2.exe

Virus:Generic Malware Disinfected C:\Documents and Settings\shahzad\My Documents\201e32c1360d7583a32bcd97e796c97001d\SpyHunter_v2.9_Patch_by_AT4RE\SpyHunter.2.9\SpyHunter.2.9_Patch1.exe

Virus:Generic Malware Not disinfected C:\Documents and Settings\shahzad\My Documents\Vundo_Trojan_Removal_Tools_and_Removal_Procedures\Vundo Trojan Removal Tools and Removal Procedures\spynomore[1].v2.36.full.rar[spynomore.v2.36.full\spynomore.exe][snmIeGuard.dll]

Adware:Adware/WhenUSearch Not disinfected C:\Program Files\DAEMON Tools SearchBar\search.dll

Virus:Generic Malware Disinfected C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter.2.9_Patch1.exe

Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\RECYCLER\S-1-5-21-1085031214-823518204-725345543-1003\Dc31.exe[nircmd.exe]

Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\RECYCLER\S-1-5-21-1085031214-823518204-725345543-1003\Dc31.exe[nircmd.cfexe]

Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\WINDOWS\NirCmd.exe

Potentially unwanted tool:Application/ErrorSafe Not disinfected D:\Program Files\DAP\DAP.EXE

Virus:Trj/Multidropper.RGN Not disinfected D:\Softwares\mpp-800-full.exe[darkenginex.dll]

Hacktool:HackTool/Zapgon.A Not disinfected D:\Softwares\mpp-800-full.exe[stdio.dll]

Latest Hijackthis Log:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 11:01:57 AM, on 12/1/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16544)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\RunDLL32.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\WINDOWS\VM_STI.EXE

C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\Eset\nod32kui.exe

C:\Program Files\Bonjour\mDNSResponder.exe

E:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\DU Meter\DUMeterSvc.exe

C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe

D:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe

C:\Program Files\Eset\nod32krn.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\PnkBstrA.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\DU Meter\DUMeter.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://cm.my.yahoo.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll

O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [sW20] C:\WINDOWS\system32\sw20.exe

O4 - HKLM\..\Run: [sW24] C:\WINDOWS\system32\sw24.exe

O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [PCSuiteTrayApplication] D:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup

O4 - HKLM\..\Run: [bigDogPath] C:\WINDOWS\VM_STI.EXE KOCOM KMC-90 Web Camera

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE

O4 - HKLM\..\Run: [CorelDRAW Graphics Suite 11b] E:\Program Files\Corel\Corel Graphics 12\Languages\EN\Programs\Registration.exe /title="CorelDRAW Graphics Suite 12" /date=121307 serial=dr12wef-5646037-wec lang=EN

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "E:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"

O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "D:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"

O4 - HKLM\..\Run: [sNM] C:\Program Files\SpyNoMore\SNM.exe /startup

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [DU Meter] C:\Program Files\DU Meter\DUMeter.exe

O4 - HKCU\..\Run: [DDC] C:\WINDOWS\system32\uuarjycd.exe

O4 - HKUS\S-1-5-18\..\Run: [Nokia.PCSync] D:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [Nokia.PCSync] D:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'Default user')

O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?

O8 - Extra context menu item: &Clean Traces - D:\Program Files\DAP\Privacy Package\dapcleanerie.htm

O8 - Extra context menu item: &Download with &DAP - D:\Program Files\DAP\dapextie.htm

O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html

O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html

O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html

O8 - Extra context menu item: Convert link target to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert link target to existing PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert selected links to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

O8 - Extra context menu item: Convert selected links to existing PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

O8 - Extra context menu item: Convert selection to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert selection to existing PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert to existing PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Download &all with DAP - D:\Program Files\DAP\dapextie2.htm

O8 - Extra context menu item: Download with ImTOO Download YouTube Video - C:\Program Files\ImTOO\Download YouTube Video\upod_link.HTM

O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000

O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html

O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html

O9 - Extra button: IE7Pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program Files\IE7Pro\IE7Pro.dll

O9 - Extra 'Tools' menuitem: IE7Pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program Files\IE7Pro\IE7Pro.dll

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O9 - Extra button: PalTalk - {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE} - d:\Program Files\Paltalk Messenger\Paltalk.exe (file missing)

O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - F:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL

O9 - Extra button: (no name) - {9819CC0E-9669-4D01-9CD7-2C66DA43AC6C} - (no file)

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll

O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.6.108.cab

O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab2.cab

O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab

O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://messenger.zone.msn.com/EN-US/a-LUXR/mjolauncher.cab

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab

O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab

O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{46DDB60D-705F-46FD-88CF-9BCB2A2231EE}: NameServer = 203.135.0.70,203.135.1.117

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: DU Meter Service (DUMeterSvc) - Hagel Technologies Ltd - C:\Program Files\DU Meter\DUMeterSvc.exe

O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

O23 - Service: Windows Live Setup Service (WLSetupSvc) - Unknown owner - C:\Program Files\Windows Live\installer\WLSetupSvc.exe

--

End of file - 10559 bytes

I did everything you said ... installed and deleted internet files with CCleaner as well. I am waiting for further instructions.


If you did what I asked, was it after you ran the Panda scan? ComboFix and several other things are in the Panda log. Nothing in the Panda log was removed. You have to remove the things it finds. There is no point in scanning for the sake of scanning.

Try running a scan with a trial of RogueRemover Pro; you can use the link in my signature or at the top of this page. Run Panda again and post that log with a new HJT. But remove everything I have already asked you to before you scan with Panda, and then remove whatever Panda will for free.


  • 2 weeks later...
Guest
This topic is now closed to further replies.