  1. #1 Member, Auckland, NZ (joined Sep 2008, 13 posts, 0 points)

    Virtumonde.application

    Hi,

    1) I have 2 computers (1 PC, 1 laptop).
    2) I recently downloaded something through a torrent.
    3) The downloaded torrent was on the laptop, which contains MS Vista Home Premium.
    4) After downloading I moved it to the PC, which contains XP.
    __________________________________________________________________

    After a while I get a NOD32 threat window that says:

    File: C:\Win32\system32\yaywtqpN.dll
    Threat: Win32/Adware.Virtumonde.application

    I was given an option to delete it; NOD32 says that it will be deleted upon restart. So I restarted my computer, but the problem was back again. The threat window keeps popping up every 15 seconds.

    I don't know how to delete it, and I'm scared that this will wipe all my files on the computer. I am suspicious about the torrent.

    Please help.

  2. #2 Member, Auckland, NZ (joined Sep 2008, 13 posts, 0 points)

    no replies. =0
    The dreams I'm dying in are the best I've ever had.

  3. #3 evilfantasy, Forum Moderator, Tulsa, OK (joined Jan 2008, 4,670 posts, 673 points)

    Stop using torrents to download commercial software.

    Download Malwarebytes' Anti-Malware (MBAM)


    • Double-click mbam-setup.exe and follow the prompts to install the program.
    • At the end, be sure a checkmark is placed next to the following:
      • Update Malwarebytes' Anti-Malware
      • Launch Malwarebytes' Anti-Malware

    • Then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select Perform quick scan, then click Scan.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Be sure that everything is checked, and click Remove Selected.
    • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
    • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    • Copy and Paste the entire report in your next reply.



    Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

    ----------

    Download TrendMicro HijackThis.exe (HJT) to the Desktop.


    • Double-click on HJTInstall.
    • Click on the Install button.
    • It will automatically place HJT in C:\Program Files\TrendMicro\HijackThis\HijackThis.exe.
    • Upon install, HijackThis should open for you.
    • Click on the Do a system scan and save a log file button
    • HijackThis will scan and then a log will open in notepad.
    • Copy and then paste the entire contents of the log in your post.
    • Do not have HijackThis fix anything yet. Most of what it finds will be harmless or even required.
    Our help here is always free but it does cost money to keep the site running. If you feel we've helped you, Please Donate to the Forum

  4. #4 Member, Auckland, NZ (joined Sep 2008, 13 posts, 0 points)

    The logs....

    FROM HIJACK THIS.

    All files entered in Detective

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 4:34:50 PM, on 9/19/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINXP\System32\smss.exe
    C:\WINXP\system32\winlogon.exe
    C:\WINXP\system32\services.exe
    C:\WINXP\system32\lsass.exe
    C:\WINXP\system32\svchost.exe
    C:\WINXP\System32\svchost.exe
    C:\WINXP\system32\spoolsv.exe
    C:\Documents and Settings\user.USER-9U1R65BT6V\Application Data\MyStartButton\explorers\1\explorer.exe
    C:\WINXP\RTHDCPL.EXE
    C:\Program Files\Eset\nod32kui.exe
    C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
    C:\Program Files\4t Tray Minimizer\4t-min.exe
    C:\Program Files\Eset\nod32krn.exe
    C:\WINXP\System32\nvsvc32.exe
    C:\WINXP\system32\PnkBstrA.exe
    C:\WINXP\System32\svchost.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
    O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINXP\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [MSPY2002] C:\WINXP\System32\IME\PINTLGNT\ImScInst.exe /SYNC
    O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINXP\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] C:\WINXP\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINXP\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINXP\System32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINXP\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
    O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - Startup: 4t Tray Minimizer.lnk = C:\Program Files\4t Tray Minimizer\4t-min.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
    O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary...r.cab56986.cab
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
    O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-NZ/.../GAME_UNO1.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1207446070375
    O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab56907.cab
    O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary...r.cab56986.cab
    O20 - AppInit_DLLs: wbsys.dll ayvcmm.dll
    O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINXP\System32\nvsvc32.exe
    O23 - Service: PnkBstrA - Unknown owner - C:\WINXP\system32\PnkBstrA.exe

    --
    End of file - 4414 bytes


    MBAM LOG FILE....

    Malwarebytes' Anti-Malware 1.28
    Database version: 1172
    Windows 5.1.2600 Service Pack 2

    9/19/2008 4:30:24 PM
    mbam-log-2008-09-19 (16-30-24).txt

    Scan type: Quick Scan
    Objects scanned: 53911
    Time elapsed: 6 minute(s), 20 second(s)

    Memory Processes Infected: 1
    Memory Modules Infected: 5
    Registry Keys Infected: 21
    Registry Values Infected: 6
    Registry Data Items Infected: 3
    Folders Infected: 0
    Files Infected: 36

    Memory Processes Infected:
    C:\RECYCLER\iexplorer.exe (Heuristics.Malware) -> Unloaded process successfully.

    Memory Modules Infected:
    C:\WINXP\system32\khfFvtTj.dll (Trojan.Vundo.H) -> Delete on reboot.
    C:\WINXP\system32\pigsqqoo.dll (Trojan.Vundo.H) -> Delete on reboot.
    C:\WINXP\system32\quxiascu.dll (Trojan.Vundo) -> Delete on reboot.
    C:\WINXP\system32\ayvcmm.dll (Trojan.Vundo.H) -> Delete on reboot.
    C:\WINXP\system32\yaywtqpN.dll (Trojan.Vundo.H) -> Delete on reboot.

    Registry Keys Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{309311f1-8f50-452e-a98d-69afd7a34aa8} (Trojan.Vundo.H) -> Delete on reboot.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\yaywtqpn (Trojan.Vundo.H) -> Delete on reboot.
    HKEY_CLASSES_ROOT\CLSID\{309311f1-8f50-452e-a98d-69afd7a34aa8} (Trojan.Vundo.H) -> Delete on reboot.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7bfd81e7-da65-41be-abc5-fc275ddd2611} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{7bfd81e7-da65-41be-abc5-fc275ddd2611} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{fad6aa15-edc4-4e67-ab4b-aaea9fbe2eb5} (Trojan.Vundo.H) -> Delete on reboot.
    HKEY_CLASSES_ROOT\CLSID\{fad6aa15-edc4-4e67-ab4b-aaea9fbe2eb5} (Trojan.Vundo.H) -> Delete on reboot.
    HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx (Adware.Minibug) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\TypeLib\{3c2d2a1e-031f-4397-9614-87c932a848e0} (Adware.Minibug) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{04a38f6b-006f-4247-ba4c-02a139d5531c} (Adware.Minibug) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{2b96d5cc-c5b5-49a5-a69d-cc0a30f9028c} (Adware.Minibug) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx.1 (Adware.Minibug) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\dslcnnct (Trojan.Vundo) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\IProxyProvider (Trojan.Vundo) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Trojan.Vundo) -> Quarantined and deleted successfully.

    Registry Values Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\b08b07b8 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bmb3b83424 (Trojan.Vundo) -> Delete on reboot.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{309311f1-8f50-452e-a98d-69afd7a34aa8} (Trojan.Vundo.H) -> Delete on reboot.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\Program Files\Common Files\Real\WeatherBug\MiniBugTransporter.dll (Adware.Minibug) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\system34 (Trojan.Agent) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\microsoft help (Backdoor.Bot) -> Quarantined and deleted successfully.

    Registry Data Items Infected:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: c:\winxp\system32\khffvttj -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\regfile\shell\open\command\ (Broken.OpenCommand) -> Bad: ("regedit.exe" "%1") Good: (regedit.exe "%1") -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo.H) -> Data: c:\winxp\system32\khffvttj -> Delete on reboot.

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    C:\WINXP\system32\yaywtqpN.dll (Trojan.Vundo.H) -> Delete on reboot.
    C:\WINXP\system32\ayvcmm.dll (Trojan.Vundo.H) -> Delete on reboot.
    C:\WINXP\system32\khfFvtTj.dll (Trojan.Vundo.H) -> Delete on reboot.
    C:\WINXP\system32\jTtvFfhk.ini (Trojan.Vundo.H) -> Delete on reboot.
    C:\WINXP\system32\jTtvFfhk.ini2 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    C:\WINXP\system32\pigsqqoo.dll (Trojan.Vundo.H) -> Delete on reboot.
    C:\WINXP\system32\ooqqsgip.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    C:\WINXP\system32\quxiascu.dll (Trojan.Vundo) -> Delete on reboot.
    C:\Program Files\Common Files\Real\WeatherBug\MiniBugTransporter.dll (Adware.Minibug) -> Quarantined and deleted successfully.
    C:\WINXP\system32\efcBqrsq.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    C:\WINXP\system32\fccddcDv.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    C:\WINXP\system32\geBrsPjj.Vdll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    C:\WINXP\system32\ljJDSJbb.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    C:\WINXP\system32\ljJyaWPI.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    C:\WINXP\system32\jkkJdBtU.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    C:\WINXP\system32\mlJCSiGW.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    C:\WINXP\system32\rqRHYSMG.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    C:\WINXP\system32\ssqRLBqR.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    C:\WINXP\system32\vtUkjJCT.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    C:\WINXP\system32\tuvspPJA.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    C:\WINXP\system32\wvUmnKec.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    C:\WINXP\system32\yaywtqpN.V00dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    C:\WINXP\system32\yaywtqpN.V01dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    C:\WINXP\system32\yaywtqpN.V02dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    C:\WINXP\system32\yaywtqpN.V03dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    C:\WINXP\system32\yaywtqpN.Vdll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    C:\WINXP\system32\frjjqyeq.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    C:\Documents and Settings\user.USER-9U1R65BT6V\Local Settings\Temporary Internet Files\Content.IE5\W1M3WXQB\kb678031[1] (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\Documents and Settings\user.USER-9U1R65BT6V\Local Settings\Temporary Internet Files\Content.IE5\W9IZ8P27\nd82m0[1] (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    C:\Documents and Settings\user.USER-9U1R65BT6V\Local Settings\Temporary Internet Files\Content.IE5\W9QJW96R\upd105320[1] (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\WINXP\SoftwareProtection\systemvital.exe (Trojan.Agent) -> Delete on reboot.
    C:\RECYCLER\iexplorer.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
    C:\WINXP\pskt.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\WINXP\BMb3b83424.xml (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\WINXP\BMb3b83424.txt (Trojan.Vundo) -> Delete on reboot.
    C:\Documents and Settings\user.USER-9U1R65BT6V\Application Data\RBMD5550.dll (Trojan.Agent) -> Quarantined and deleted successfully.
    Last edited by evilfantasy; 09-19-2008 at 12:50 AM.
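The HijackThis log above is the raw material for triage, and two things in it stand out to a reviewer: the O20 AppInit_DLLs line naming ayvcmm.dll, and the pattern of 8-letter mixed-case DLL names that the MBAM results list (yaywtqpN.dll, khfFvtTj.dll, pigsqqoo.dll). The script below is an added example, not HijackThis or Malwarebytes code and not something posted in the thread. It parses the HJT line format, reports any entry in a load point that executes in every process, and applies a naming heuristic to DLL references. The allow-list and the heuristic thresholds are the example's own assumptions.

```python
"""Triage a HijackThis log for persistence entries that deserve a second look.

Added example written for this page, not HijackThis code and not part of the
original thread. The sample lines are copied from the first HijackThis log
above. The allow-list and the random-name heuristic are assumptions, tuned to
the Vundo/Virtumonde names in the MBAM log (yaywtqpN.dll, khfFvtTj.dll,
ayvcmm.dll, pigsqqoo.dll).
"""
import re

# Constructed sample input: five lines taken from the posted HijackThis log.
SAMPLE_HJT = """\
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\\Program Files\\Java\\jre1.6.0_05\\bin\\ssv.dll
O4 - HKLM\\..\\Run: [NvMediaCenter] RUNDLL32.EXE C:\\WINXP\\System32\\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\\..\\Run: [nod32kui] "C:\\Program Files\\Eset\\nod32kui.exe" /WAITSERVICE
O20 - AppInit_DLLs: wbsys.dll ayvcmm.dll
O23 - Service: PnkBstrA - Unknown owner - C:\\WINXP\\system32\\PnkBstrA.exe
"""

# Load points that put code into every process or into the logon path.
# Anything listed here is reported whatever the file is called, because the
# MBAM log above shows Vundo using AppInit_DLLs, Winlogon\Notify and the LSA
# Notification/Authentication Packages rather than only a plain Run key.
HIGH_VALUE = {
    "O20": "AppInit_DLLs / Winlogon Notify: loaded into every process or at logon",
    "O21": "ShellServiceObjectDelayLoad: loaded by explorer.exe",
    "O22": "SharedTaskScheduler: loaded by explorer.exe",
}

# Assumption: names from this log that the heuristic must not flag. A real
# allow-list would come from a known-clean image of the same Windows build.
KNOWN_GOOD = {"wbsys.dll", "ssv.dll", "nvcpl.dll", "nvmctray.dll", "msvcrt.dll"}

ENTRY = re.compile(r"^([OR]\d+)\s+-\s+(.*)$")
DLL_STEM = re.compile(r"([A-Za-z]+)\.dll\b", re.IGNORECASE)


def looks_random(stem):
    """Vundo-style names: 6 to 8 letters, no digits, and either capitals
    inside the stem (yaywtqpN, khfFvtTj), no vowels at all, or a run of four
    or more consonants (ayvcmm, pigsqqoo). A hit is a prompt to look at the
    file, not a verdict, and pronounceable names such as quxiascu slip through."""
    if not 6 <= len(stem) <= 8 or f"{stem.lower()}.dll" in KNOWN_GOOD:
        return False
    inner_caps = any(c.isupper() for c in stem[1:])
    vowels = sum(c in "aeiouAEIOU" for c in stem)
    runs = re.findall(r"[^aeiouAEIOU]+", stem) or [""]
    return inner_caps or vowels == 0 or max(len(r) for r in runs) >= 4


def triage(log_text):
    """Return (section, reason, line) for every entry worth reviewing."""
    findings = []
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue
        section, body = m.groups()
        if section in HIGH_VALUE:
            findings.append((section, HIGH_VALUE[section], line))
        for stem in DLL_STEM.findall(body):
            if looks_random(stem):
                findings.append((section, f"random-looking name {stem}.dll", line))
    return findings


if __name__ == "__main__":
    for section, reason, line in triage(SAMPLE_HJT):
        print(f"[{section}] {reason}\n    {line}")
```

Run it on a saved log by reading the file into triage(). On the sample it reports the O20 line twice: once because AppInit_DLLs is a high-value load point, once because ayvcmm.dll fails the naming check. quxiascu.dll, the file behind the RUNDLL error later in the thread, is not caught by name, which is why the load-point check does not depend on the name at all.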

  5. #5 evilfantasy, Forum Moderator, Tulsa, OK (joined Jan 2008, 4,670 posts, 673 points)

    Download Disable/Remove Windows Messenger to the Desktop to remove Windows Messenger.

    Do not confuse Windows Messenger with MSN Messenger because they are not the same. Windows Messenger is a frequent cause of popups.

    Unzip the file on the Desktop. Open the MessengerDisable.exe and choose the bottom box - Uninstall Windows Messenger and click Apply.

    Exit out of MessengerDisable then delete the two files that were put on the Desktop.

    ----------

    Download ComboFix by sUBs from one of the below links. Be sure to save it to the Desktop.

    Link #1
    Link #2

    **Note: It is important that it is saved directly to your Desktop

    Close any open web browsers (Firefox, Internet Explorer, etc.) before starting ComboFix.

    Temporarily disable your antivirus, and any antispyware real time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.

    Double click combofix.exe & follow the prompts.
    When finished ComboFix will produce a log for you.
    Post the ComboFix log and a new HijackThis log in your next reply.

    Important: Do not mouseclick ComboFix's window while it is running. That may cause it to stall.

    Remember to re-enable your antivirus and antispyware protection when ComboFix is complete.

    ----------

    How is the computer now?

  6. #6 Member, Auckland, NZ (joined Sep 2008, 13 posts, 0 points)

    I had another question.

    When you said

    "Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately.", MBAM did say that it couldn't do something. It had prompted me to restart.

    I happily restarted.

    When the computer finished starting up, a dialog box came up saying:

    Title: RUNDLL

    Error loading C:\WinXP\system32\quxiascu.dll
    The specified module could not be found.
    _________________________________________________________________________
    Has this got anything to do with MBAM?

  7. #7 evilfantasy, Forum Moderator, Tulsa, OK (joined Jan 2008, 4,670 posts, 673 points)

    Error loading C:\WinXP\system32\quxiascu.dll
    That's part of the malware that wasn't completely removed. We should be able to get it with ComboFix.

  8. #8 Member, Auckland, NZ (joined Sep 2008, 13 posts, 0 points)

    First mistake... forgot to disable antivirus.

    ComboFix Log.

    ComboFix 08-09-16.05 - user 2008-09-19 16:53:07.1 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1537 [GMT 12:00]
    Running from: C:\Documents and Settings\user.USER-9U1R65BT6V\Desktop\ComboFix.exe
    * Created a new restore point
    * Resident AV is active


    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\WINXP\system32\BReWErS.dll

    .
    ((((((((((((((((((((((((( Files Created from 2008-08-19 to 2008-09-19 )))))))))))))))))))))))))))))))
    .

    2008-09-19 16:34 . 2008-09-19 16:34 <DIR> d-------- C:\Program Files\Trend Micro
    2008-09-19 16:18 . 2008-09-19 16:18 <DIR> d-------- C:\Documents and Settings\user.USER-9U1R65BT6V\Application Data\Malwarebytes
    2008-09-19 16:17 . 2008-09-19 16:20 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
    2008-09-19 16:17 . 2008-09-19 16:17 <DIR> d-------- C:\Documents and Settings\All Users.WINXP\Application Data\Malwarebytes
    2008-09-19 16:17 . 2008-09-10 00:04 38,528 --a------ C:\WINXP\system32\drivers\mbamswissarmy.sys
    2008-09-19 16:17 . 2008-09-10 00:03 17,200 --a------ C:\WINXP\system32\drivers\mbam.sys
    2008-09-19 15:06 . 2008-09-19 15:06 <DIR> d-------- C:\VundoFix Backups
    2008-08-28 09:03 . 2008-08-28 09:03 42,320 --a------ C:\WINXP\system32\xfcodec.dll

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-09-19 01:57 139,128 -c--a-w C:\WINXP\system32\drivers\PnkBstrK.sys
    2008-09-19 01:57 111,928 ----a-w C:\WINXP\system32\PnkBstrB.exe
    2008-09-18 22:55 --------- d-----w C:\Documents and Settings\user.USER-9U1R65BT6V\Application Data\Xfire
    2008-09-18 21:56 --------- d-----w C:\Program Files\Xfire
    2008-09-17 05:12 --------- d---a-w C:\Documents and Settings\All Users.WINXP\Application Data\TEMP
    2008-09-16 07:07 --------- d-----w C:\Documents and Settings\user.USER-9U1R65BT6V\Application Data\BitTorrent
    2008-09-15 11:04 --------- d-----w C:\Documents and Settings\user.USER-9U1R65BT6V\Application Data\DNA
    2008-09-15 06:40 --------- d-----w C:\Program Files\DNA
    2008-08-14 07:49 66,872 ----a-w C:\WINXP\system32\PnkBstrA.exe
    2008-08-14 04:56 22,328 -c--a-w C:\Documents and Settings\user.USER-9U1R65BT6V\Application Data\PnkBstrK.sys
    2008-08-13 07:05 --------- d-----w C:\Documents and Settings\All Users.WINXP\Application Data\Office Genuine Advantage
    2008-08-07 06:09 --------- d-----w C:\Program Files\Windows Journal Viewer
    2008-08-05 07:18 --------- d-----w C:\Documents and Settings\user.USER-9U1R65BT6V\Application Data\Axialis
    2008-08-04 20:41 --------- d-----w C:\Documents and Settings\All Users.WINXP\Application Data\Microsoft Help
    2008-08-04 20:39 --------- d-----w C:\Program Files\Microsoft.NET
    2008-07-28 19:42 --------- d-----w C:\Documents and Settings\user.USER-9U1R65BT6V\Application Data\Juce VST Host
    2008-07-27 03:12 --------- d-----w C:\Documents and Settings\user.USER-9U1R65BT6V\Application Data\Caphyon
    2008-07-27 01:49 --------- d-----w C:\Program Files\Microsoft Synchronization Services
    2008-07-27 01:49 --------- d-----w C:\Program Files\Microsoft SQL Server Compact Edition
    2008-07-27 01:46 --------- d-----w C:\Program Files\Microsoft SDKs
    2008-07-27 01:44 --------- d-----w C:\Program Files\Reference Assemblies
    2008-07-27 01:44 --------- d-----w C:\Program Files\MSBuild
    2008-07-27 01:39 --------- d-----w C:\Program Files\MSXML 6.0
    2008-07-21 03:41 --------- d-----w C:\Program Files\Outsim
    2008-06-30 06:47 3,532 ----a-w C:\drmHeader.bin
    2008-06-25 06:18 47,264 ----a-w C:\GDIPFONTCACHEV1.DAT
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IMJPMIG8.1"="C:\WINXP\IME\imjp8_1\IMJPMIG.EXE" [2004-08-03 208952]
    "MSPY2002"="C:\WINXP\System32\IME\PINTLGNT\ImScInst.exe" [2002-08-29 59392]
    "PHIME2002ASync"="C:\WINXP\System32\IME\TINTLGNT\TINTSETP.EXE" [2002-08-29 455168]
    "PHIME2002A"="C:\WINXP\System32\IME\TINTLGNT\TINTSETP.EXE" [2002-08-29 455168]
    "NvCplDaemon"="C:\WINXP\System32\NvCpl.dll" [2006-10-31 7634944]
    "NvMediaCenter"="C:\WINXP\System32\NvMcTray.dll" [2006-10-31 86016]
    "NeroFilterCheck"="C:\WINXP\system32\NeroCheck.exe" [2001-07-09 155648]
    "nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2008-04-06 917504]
    "REGSHAVE"="C:\Program Files\REGSHAVE\REGSHAVE.EXE" [2002-02-04 53248]
    "Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
    "nwiz"="nwiz.exe" [2006-10-31 C:\WINXP\system32\nwiz.exe]
    "SkyTel"="SkyTel.EXE" [2006-05-16 C:\WINXP\SkyTel.exe]
    "RTHDCPL"="RTHDCPL.EXE" [2007-02-26 C:\WINXP\RTHDCPL.exe]

    C:\Documents and Settings\user.USER-9U1R65BT6V\Start Menu\Programs\Startup\
    4t Tray Minimizer.lnk - C:\Program Files\4t Tray Minimizer\4t-min.exe [2008-04-09 1091584]

    C:\Documents and Settings\All Users.WINXP\Start Menu\Programs\Startup\
    Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-18 65588]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=wbsys.dll ayvcmm.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "VIDC.XFR1"= xfcodec.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusDisableNotify"=dword:00000001
    "UpdatesDisableNotify"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "C:\\Program Files\\Xfire\\xfire.exe"=
    "C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
    "C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
    "C:\\WINXP\\system32\\PnkBstrA.exe"=
    "C:\\WINXP\\system32\\PnkBstrB.exe"=
    "D:\\Bhavya's wanted Stuff\\COD4 Aimbot\\Cod4bot.exe"=
    "D:\\Bhavya's wanted Stuff\\cod4hack\\cod4hack.exe"=
    "C:\\WINXP\\system32\\rtcshare.exe"=
    "C:\\Program Files\\NetMeeting\\conf.exe"=
    "C:\\Program Files\\DNA\\btdna.exe"=
    "D:\\BitTorrent\\bittorrent.exe"=
    "D:\\COD4\\iw3mp.exe"=
    "C:\\WINXP\\system32\\ftp.exe"=
    "D:\\Adobe Dreamweaver CS3\\Portable Adobe Dreamweaver CS3=abu137=\\Dreamweaver.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "2302:UDP"= 2302:UDP:Halo Server


    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4dc5110a-10f1-11dd-bf2f-001bfcec946f}]
    \Shell\Auto\command - autoregistry.exe
    \Shell\AutoRun\command - C:\WINXP\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL autoregistry.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{fed165c3-50aa-11dd-bfed-001bfcec946f}]
    \Shell\AutoRun\command - System\Security\DriveGuard.exe -run
    \Shell\Explore\Command - System\Security\DriveGuard.exe -run
    \Shell\Open\Command - System\Security\DriveGuard.exe -run

    *Newly Created Service* - PROCEXP90
    .
    Contents of the 'Scheduled Tasks' folder
    .
    - - - - ORPHANS REMOVED - - - -

    Notify-WB - C:\Program Files\AlienGUIse\fastload.dll
    Notify-WgaLogon - (no file)


    .
    ------- Supplementary Scan -------
    .
    FireFox -: Profile - C:\Documents and Settings\user.USER-9U1R65BT6V\Application Data\Mozilla\Firefox\Profiles\2syttykm.default\
    FireFox -: prefs.js - STARTUP.HOMEPAGE - about:blank
    .

    **************************************************************************

    catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-09-19 16:55:09
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...


    **************************************************************************
    .
    Completion time: 2008-09-19 16:58:14
    ComboFix-quarantined-files.txt 2008-09-19 04:57:12

    Pre-Run: 1,807,200,256 bytes free
    Post-Run: 1,846,378,496 bytes free

    132 --- E O F --- 2008-04-06 04:44:51


    HIJACKTHIS LOG


    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 5:00:57 PM, on 9/19/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINXP\System32\smss.exe
    C:\WINXP\system32\winlogon.exe
    C:\WINXP\system32\services.exe
    C:\WINXP\system32\lsass.exe
    C:\WINXP\system32\svchost.exe
    C:\WINXP\System32\svchost.exe
    C:\WINXP\system32\spoolsv.exe
    C:\WINXP\RTHDCPL.EXE
    C:\Program Files\Eset\nod32kui.exe
    C:\Program Files\4t Tray Minimizer\4t-min.exe
    C:\Program Files\Eset\nod32krn.exe
    C:\WINXP\System32\nvsvc32.exe
    C:\WINXP\system32\PnkBstrA.exe
    C:\WINXP\System32\svchost.exe
    C:\WINXP\explorer.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
    O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINXP\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [MSPY2002] C:\WINXP\System32\IME\PINTLGNT\ImScInst.exe /SYNC
    O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINXP\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] C:\WINXP\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINXP\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINXP\System32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINXP\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
    O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - Startup: 4t Tray Minimizer.lnk = C:\Program Files\4t Tray Minimizer\4t-min.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary...r.cab56986.cab
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
    O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-NZ/.../GAME_UNO1.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1207446070375
    O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab56907.cab
    O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary...r.cab56986.cab
    O20 - AppInit_DLLs: wbsys.dll ayvcmm.dll
    O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINXP\System32\nvsvc32.exe
    O23 - Service: PnkBstrA - Unknown owner - C:\WINXP\system32\PnkBstrA.exe

    --
    End of file - 4316 bytes
    The dreams I'm dying in are the best I've ever had.
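The HijackThis (HJT) log above is the artefact the helper actually reads, and the entries worth a second look follow a few simple patterns: an O20 AppInit_DLLs value (which injects the listed DLLs into every process that loads user32.dll), O4 Run entries whose command names a bare executable rather than a full path, and O23 services with no recognised publisher. The script below is an added example, not part of this thread and not HijackThis itself: a small triage parser for the "Oxx - ..." line format. The embedded sample log reuses lines from the log posted above plus one constructed O2 line with a made-up CLSID.

```python
"""Minimal HijackThis (HJT) log triage helper.

Added example for this thread; not HijackThis code and not the forum's
own tooling. It parses the "O4 - ..." style entry lines and flags the
ones a helper reviews first: AppInit_DLLs (O20), Run entries (O4) whose
command has no directory, and services (O23) with an unknown publisher.
"""
import re
from dataclasses import dataclass, field

# Entry lines share the "<code> - <body>" shape (R0/R1/F0/Nx/Oxx).
ENTRY_RE = re.compile(r"^([RFNO]\d+)\s+-\s+(.*)$")
# O4 registry bodies: 'HKLM\..\Run: [name] command'
RUN_RE = re.compile(r"^(HK\w+)\\\.\.\\(\w+):\s+\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
# O2/O9/O16 bodies carry a CLSID in braces (8-4-4-4-12 hex digits).
CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")


@dataclass
class Entry:
    code: str                 # e.g. "O4", "O20"
    body: str                 # everything after "O4 - "
    image: str = ""           # file the entry points at, when recoverable
    clsid: str = ""
    flags: list = field(default_factory=list)


def command_image(cmd: str) -> str:
    """Program part of a Run command: the quoted path, or the first token.
    rundll32 is only a host process, so for it return the DLL it loads."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 1 else cmd[1:]
    head, _, rest = cmd.partition(" ")
    if head.lower() in ("rundll32.exe", "rundll32"):
        return rest.strip().split(",", 1)[0].strip('"')
    return head


def parse_line(line: str):
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None                       # banner, blank or "End of file" line
    code, body = m.groups()
    e = Entry(code=code, body=body)
    c = CLSID_RE.search(body)
    if c:
        e.clsid = c.group(0).upper()
    if code == "O4":
        r = RUN_RE.match(body)
        if r:
            e.image = command_image(r.group("cmd"))
        elif " = " in body:               # "Startup: name.lnk = target"
            e.image = body.split(" = ", 1)[1].strip()
        if e.image and "\\" not in e.image:
            e.flags.append("run entry has no directory; resolved by search order")
    elif code == "O20" and body.startswith("AppInit_DLLs:"):
        dlls = body.split(":", 1)[1].split()
        e.image = " ".join(dlls)
        for d in dlls:
            e.flags.append(f"AppInit_DLLs loads {d} into every user32 process; verify publisher")
    elif code == "O23":
        if "Unknown owner" in body:
            e.flags.append("service has no recognised publisher; verify the file's signature")
        e.image = body.rsplit(" - ", 1)[-1]
    elif code in ("O2", "O9", "O16"):
        e.image = body.rsplit(" - ", 1)[-1]
    return e


def triage(log_text: str):
    """Return (all parsed entries, entries carrying at least one flag)."""
    entries = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    return entries, [e for e in entries if e.flags]


# Sample log: lines from the thread's log plus one constructed O2 line
# (the CLSID below is made up for the example).
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2 (sample header, not a full log)
O2 - BHO: Example Helper - {11111111-2222-3333-4444-555555555555} - C:\Program Files\Example\helper.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINXP\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - Startup: 4t Tray Minimizer.lnk = C:\Program Files\4t Tray Minimizer\4t-min.exe
O20 - AppInit_DLLs: wbsys.dll ayvcmm.dll
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINXP\system32\PnkBstrA.exe
"""

if __name__ == "__main__":
    _, flagged = triage(SAMPLE_LOG)
    for e in flagged:
        print(f"{e.code}: {e.image}")
        for f in e.flags:
            print(f"    - {f}")
```

Run against the sample, the parser flags the `nwiz.exe` Run entry (no directory), both DLLs in the AppInit_DLLs value, and the PnkBstrA service; the NVIDIA rundll32 entries resolve to their full DLL path and pass. A flag is a prompt to check the file's origin and signature, not a verdict: AppInit_DLLs in particular is what the Virtumonde family in this thread used for persistence, which is why every value there deserves attention.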

  9. #9
    Member
    Join Date
    Sep 2008
    Location
    Auckland, NZ
    Posts
    13
    Points
    0

    Default

    But anyways...

    My computer and NOD32 Antivirus show no problems. So does that mean it's fixed?

    If it is.. THANKS A LOT!!

    WILL NEVER FORGET THIS DAY and ALWAYS VISIT THIS FORUM!
    The dreams I'm dying in are the best I've ever had.

  10. #10
    Moderator Forum Moderator evilfantasy's Avatar
    Join Date
    Jan 2008
    Location
    Tulsa, OK
    Posts
    4,670
    Points
    673

    Default

    Looks good now. Time to cleanup.

    Download ATF Cleaner by Atribune to your Desktop.

    Alternate download link

    Note: Vista users must use Run As Administrator

    • Under Main: Select Files to Delete choose: Select All.
    • Click the Empty Selected button.
    • If you use Firefox browser click Firefox at the top and choose: Select All
    • Click the Empty Selected button.
      If you would like to keep your saved passwords click No at the prompt.
    • If you use Opera browser click Opera at the top and choose: Select All
    • Click the Empty Selected button.
      If you would like to keep your saved passwords click No at the prompt.
    • Click Exit on the Main menu to close the program.
    Note that your system will run slower for a reboot or two after having used this tool, so don't panic.

    Don't use ATF-Cleaner on a regular basis; it is too powerful and will slow down your computer. Use CCleaner for a daily drive cleaner. CCleaner (download software / view tutorial)

    Important: Restart the computer before continuing.

    ----------


    • Click START then RUN
    • Now type Combofix /u in the run box
    • Make sure there's a space between Combofix and /u
    • Then hit Enter.

    The above procedure will:
    • Delete:
      • ComboFix and its associated files and folders.
      • VundoFix backups, if present
      • The C:\Deckard folder, if present
      • The C:\_OtMoveIt folder, if present

    • Reset the clock settings.
    • Hide file extensions, if required.
    • Hide System/Hidden files, if required.
    • Set a new, clean Restore Point.

    ----------

    Next: Set a New Restore Point to prevent possible reinfection from an old one.

    Please go to: Start -> All Programs -> Accessories -> System Tools -> System Restore -> System Restore Settings
    Click to add a check mark beside Turn off System Restore and click Apply
    When you are warned that all existing Restore Points will be deleted, click Yes to continue and wait a few moments to let System Restore clear.
    Uncheck "Turn off System Restore"
    Click "Apply," and then click "OK".

    ----------

    Use the Secunia Software Inspector to check for out-of-date software.
    Click Start Now
    Check the box next to Enable thorough system inspection.
    Click Start
    Allow the scan to finish and scroll down to see if any updates are needed.
    Update anything listed.

    ----------

    SpywareBlaster - Secure your Internet Explorer to make it harder for these ActiveX programs to run on your computer. Also stop certain cookies from being added to your computer when running Mozilla-based browsers like Firefox.
    * Using SpywareBlaster to protect your computer from Spyware and Malware

    To prevent unknown applications from being installed on your computer install WinPatrol 2008
    * Using Winpatrol to protect your computer from malicious software

    I would suggest using SiteAdvisor. SiteAdvisor rates sites on business practices and Spam. Safety ratings from McAfee SiteAdvisor are based on automated safety tests of Web sites.

    Learn more about how to protect yourself while on the Internet from the following link: So how did I get infected in the first place? by Tony Klein.


    Our help here is always free but it does cost money to keep the site running. If you feel we've helped you, Please Donate to the Forum