Thread: Virtumonde.application
- 09-18-2008 10:33 PM #1 Member
- Join Date
- Sep 2008
- Location
- Auckland, NZ
- Posts
- 13
- Points
- 0
Virtumonde.application
Hi,
1) I have 2 computers (1 pc, 1 laptop)
2) I recently downloaded something through a torrent.
3) Downloaded torrent was on the laptop, which contains MS Vista Home Premium.
4) After downloading I moved it to the Pc, which contains XP.
__________________________________________________________________
After a while I get a NOD32 Threat Window, says:
File: C:\Win32\system32\yaywtqpN.dll
Threat: Win32/Adware.Virtumonde.application
I was given an option to Delete it; NOD32 says that it will be deleted upon restart. So I restarted my computer, but the problem was back again. The Threat window keeps popping up every 15 seconds.
I don't know how to delete it, and I'm scared that this will wipe all my files on the computer. I am suspicious about the torrent.
Please help.
- 09-18-2008 10:58 PM #2 Member
no replies. =0
The dreams I'm dying in are the best I've ever had.
- 09-18-2008 11:03 PM #3
Stop using torrents to download commercial software

Download Malwarebytes' Anti-Malware (MBAM)
- Double-click mbam-setup.exe and follow the prompts to install the program.
- At the end, be sure a checkmark is placed next to the following:
- Update Malwarebytes' Anti-Malware
- Launch Malwarebytes' Anti-Malware
- Then click Finish.
- If an update is found, it will download and install the latest version.
- Once the program has loaded, select Perform quick scan, then click Scan.
- When the scan is complete, click OK, then Show Results to view the results.
- Be sure that everything is checked, and click Remove Selected.
- When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
- The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
- Copy and Paste the entire report in your next reply.
Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with one of two prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.
----------
Download TrendMicro HijackThis.exe (HJT) to the Desktop.
- Double-click on HJTInstall.
- Click on the Install button.
- It will automatically place HJT in C:\Program Files\TrendMicro\HijackThis\HijackThis.exe.
- Upon install, HijackThis should open for you.
- Click on the Do a system scan and save a log file button.
- HijackThis will scan and then a log will open in notepad.
- Copy and then paste the entire contents of the log in your post.
- Do not have HijackThis fix anything yet. Most of what it finds will be harmless or even required.

Our help here is always free but it does cost money to keep the site running. If you feel we've helped you, Please Donate to the Forum
- 09-18-2008 11:37 PM #4 Member
The logs....
FROM HIJACKTHIS:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:34:50 PM, on 9/19/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINXP\System32\smss.exe
C:\WINXP\system32\winlogon.exe
C:\WINXP\system32\services.exe
C:\WINXP\system32\lsass.exe
C:\WINXP\system32\svchost.exe
C:\WINXP\System32\svchost.exe
C:\WINXP\system32\spoolsv.exe
C:\Documents and Settings\user.USER-9U1R65BT6V\Application Data\MyStartButton\explorers\1\explorer.exe
C:\WINXP\RTHDCPL.EXE
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\4t Tray Minimizer\4t-min.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINXP\System32\nvsvc32.exe
C:\WINXP\system32\PnkBstrA.exe
C:\WINXP\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINXP\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINXP\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINXP\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINXP\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINXP\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINXP\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINXP\system32\NeroCheck.exe
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - Startup: 4t Tray Minimizer.lnk = C:\Program Files\4t Tray Minimizer\4t-min.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary...r.cab56986.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-NZ/.../GAME_UNO1.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1207446070375
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab56907.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary...r.cab56986.cab
O20 - AppInit_DLLs: wbsys.dll ayvcmm.dll
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINXP\System32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINXP\system32\PnkBstrA.exe
--
End of file - 4414 bytes
MBAM LOG FILE....
Malwarebytes' Anti-Malware 1.28
Database version: 1172
Windows 5.1.2600 Service Pack 2
9/19/2008 4:30:24 PM
mbam-log-2008-09-19 (16-30-24).txt
Scan type: Quick Scan
Objects scanned: 53911
Time elapsed: 6 minute(s), 20 second(s)
Memory Processes Infected: 1
Memory Modules Infected: 5
Registry Keys Infected: 21
Registry Values Infected: 6
Registry Data Items Infected: 3
Folders Infected: 0
Files Infected: 36
Memory Processes Infected:
C:\RECYCLER\iexplorer.exe (Heuristics.Malware) -> Unloaded process successfully.
Memory Modules Infected:
C:\WINXP\system32\khfFvtTj.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINXP\system32\pigsqqoo.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINXP\system32\quxiascu.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINXP\system32\ayvcmm.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINXP\system32\yaywtqpN.dll (Trojan.Vundo.H) -> Delete on reboot.
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{309311f1-8f50-452e-a98d-69afd7a34aa8} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\yaywtqpn (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{309311f1-8f50-452e-a98d-69afd7a34aa8} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7bfd81e7-da65-41be-abc5-fc275ddd2611} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{7bfd81e7-da65-41be-abc5-fc275ddd2611} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{fad6aa15-edc4-4e67-ab4b-aaea9fbe2eb5} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{fad6aa15-edc4-4e67-ab4b-aaea9fbe2eb5} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{3c2d2a1e-031f-4397-9614-87c932a848e0} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{04a38f6b-006f-4247-ba4c-02a139d5531c} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{2b96d5cc-c5b5-49a5-a69d-cc0a30f9028c} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx.1 (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\dslcnnct (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\IProxyProvider (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Trojan.Vundo) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\b08b07b8 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bmb3b83424 (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{309311f1-8f50-452e-a98d-69afd7a34aa8} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\Program Files\Common Files\Real\WeatherBug\MiniBugTransporter.dll (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\system34 (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\microsoft help (Backdoor.Bot) -> Quarantined and deleted successfully.
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: c:\winxp\system32\khffvttj -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\regfile\shell\open\command\ (Broken.OpenCommand) -> Bad: ("regedit.exe" "%1") Good: (regedit.exe "%1") -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo.H) -> Data: c:\winxp\system32\khffvttj -> Delete on reboot.
Folders Infected:
(No malicious items detected)
Files Infected:
C:\WINXP\system32\yaywtqpN.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINXP\system32\ayvcmm.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINXP\system32\khfFvtTj.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINXP\system32\jTtvFfhk.ini (Trojan.Vundo.H) -> Delete on reboot.
C:\WINXP\system32\jTtvFfhk.ini2 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINXP\system32\pigsqqoo.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINXP\system32\ooqqsgip.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINXP\system32\quxiascu.dll (Trojan.Vundo) -> Delete on reboot.
C:\Program Files\Common Files\Real\WeatherBug\MiniBugTransporter.dll (Adware.Minibug) -> Quarantined and deleted successfully.
C:\WINXP\system32\efcBqrsq.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINXP\system32\fccddcDv.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINXP\system32\geBrsPjj.Vdll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINXP\system32\ljJDSJbb.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINXP\system32\ljJyaWPI.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINXP\system32\jkkJdBtU.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINXP\system32\mlJCSiGW.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINXP\system32\rqRHYSMG.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINXP\system32\ssqRLBqR.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINXP\system32\vtUkjJCT.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINXP\system32\tuvspPJA.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINXP\system32\wvUmnKec.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINXP\system32\yaywtqpN.V00dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINXP\system32\yaywtqpN.V01dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINXP\system32\yaywtqpN.V02dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINXP\system32\yaywtqpN.V03dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINXP\system32\yaywtqpN.Vdll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINXP\system32\frjjqyeq.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\Documents and Settings\user.USER-9U1R65BT6V\Local Settings\Temporary Internet Files\Content.IE5\W1M3WXQB\kb678031[1] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\user.USER-9U1R65BT6V\Local Settings\Temporary Internet Files\Content.IE5\W9IZ8P27\nd82m0[1] (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\Documents and Settings\user.USER-9U1R65BT6V\Local Settings\Temporary Internet Files\Content.IE5\W9QJW96R\upd105320[1] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINXP\SoftwareProtection\systemvital.exe (Trojan.Agent) -> Delete on reboot.
C:\RECYCLER\iexplorer.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINXP\pskt.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINXP\BMb3b83424.xml (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINXP\BMb3b83424.txt (Trojan.Vundo) -> Delete on reboot.
C:\Documents and Settings\user.USER-9U1R65BT6V\Application Data\RBMD5550.dll (Trojan.Agent) -> Quarantined and deleted successfully.
Last edited by evilfantasy; 09-18-2008 at 11:50 PM.
- 09-18-2008 11:40 PM #5
Download Disable/Remove Windows Messenger to the Desktop to remove Windows Messenger.
Do not confuse Windows Messenger with MSN Messenger because they are not the same. Windows Messenger is a frequent cause of popups.
Unzip the file on the Desktop. Open the MessengerDisable.exe and choose the bottom box - Uninstall Windows Messenger and click Apply.
Exit out of MessengerDisable then delete the two files that were put on the Desktop.
----------
Download ComboFix by sUBs from one of the below links. Be sure to save it to the Desktop.
Link #1
Link #2
**Note: It is important that it is saved directly to your Desktop
Close any open Web browsers (Firefox, Internet Explorer, etc.) before starting ComboFix.
Temporarily disable your antivirus, and any antispyware real time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.
Double click combofix.exe & follow the prompts.
When finished ComboFix will produce a log for you.
Post the ComboFix log and a new HijackThis log in your next reply.
Important: Do not mouseclick ComboFix's window while it is running. That may cause it to stall.
Remember to re-enable your antivirus and antispyware protection when ComboFix is complete.
----------
How is the computer now?

- 09-18-2008 11:41 PM #6 Member
I had another question.
When you said
"Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately.", MBAM did say that it couldn't do something. It had prompted me to restart.
I happily restarted.
When the computer finished starting up, a dialog box came up saying:
Title: RUNDLL
Error loading C:\WinXP\system32\quxiascu.dll
The specified module could not be found.
_________________________________________________________________________
Has this got anything to do with MBAM?
- 09-18-2008 11:43 PM #7
"Error loading C:\WinXP\system32\quxiascu.dll"
That's part of the malware that wasn't completely removed. We should be able to get it with ComboFix.

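One way to encode the checks the helpers in this thread apply by eye when reading a HijackThis log (an added example, not code from HijackThis, Malwarebytes, ComboFix or this forum): it flags processes running from user-writable paths, Run values that launch a system32 DLL through rundll32 (the Vundo autostart shape that, once the DLL has been deleted, produces the RUNDLL error box in post #6), every AppInit_DLLs entry, orphaned "(file missing)" entries and services with an unknown owner. The allow-list of Run values and the sample log are constructed for the example; the bmb3b83424 command line is an assumption, since the thread shows only that value's name.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Nothing the OS starts itself lives under these user-writable directories.
SUSPICIOUS_DIRS = ("\\application data\\", "\\local settings\\", "\\recycler\\", "\\temp\\")
# Hypothetical allow-list: Run values that legitimately use rundll32 on a system32
# DLL (the NVIDIA entries in post #4). Any other such Run value is the classic
# Vundo autostart shape and is flagged for review.
KNOWN_RUNDLL_VALUES = {"NvCplDaemon", "NvMediaCenter"}
O4_RE = re.compile(r"\[([^\]]+)\]\s+(.*)$")
SECTION_TAG = re.compile(r"[RFO]\d+")


@dataclass(frozen=True)
class Finding:
    section: str  # HijackThis tag (O4, O20, ...) or PROC for a running process
    reason: str
    line: str


def _process(path: str) -> list[Finding]:
    if any(d in path.lower() for d in SUSPICIOUS_DIRS):
        return [Finding("PROC", "process running from a user-writable location", path)]
    return []

def _o4(line: str) -> list[Finding]:
    m = O4_RE.search(line)
    if not m:
        return []
    value, cmd = m.group(1), m.group(2).lower()
    if "rundll32" in cmd and "\\system32\\" in cmd and value not in KNOWN_RUNDLL_VALUES:
        # When the DLL named here has already been deleted, this entry is what
        # produces the "RUNDLL - Error loading ..." box at logon (post #6).
        return [Finding("O4", f"Run value '{value}' loads a system32 DLL via rundll32", line)]
    return []

def _o20(line: str) -> list[Finding]:
    # "O20 - AppInit_DLLs: wbsys.dll ayvcmm.dll": each DLL is injected into every
    # process that loads user32.dll, so each one must map to a known vendor.
    dlls = line.partition("AppInit_DLLs:")[2].split()
    return [Finding("O20", f"AppInit_DLLs injects {d} into every GUI process", line) for d in dlls]

def _orphan(line: str, tag: str) -> list[Finding]:
    if "(file missing)" in line:
        return [Finding(tag, "entry points at a file that no longer exists", line)]
    return []

def _o23(line: str) -> list[Finding]:
    if "Unknown owner" in line:
        return [Finding("O23", "service binary has no recognised publisher", line)]
    return []

def triage(log_text: str) -> list[Finding]:
    """Return the review-worthy entries of a HijackThis v2 log, in log order."""
    findings: list[Finding] = []
    in_processes = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "Running processes:":
            in_processes = True
            continue
        tag = line.split(" ", 1)[0]
        if in_processes and not SECTION_TAG.fullmatch(tag):
            findings += _process(line)
            continue
        in_processes = False  # the first R/F/O line ends the process list
        if tag == "O4":
            findings += _o4(line)
        elif tag == "O20":
            findings += _o20(line)
        elif tag in ("O2", "O9"):
            findings += _orphan(line, tag)
        elif tag == "O23":
            findings += _o23(line)
    return findings


# Constructed excerpt modelled on the log in post #4. The bmb3b83424 command line
# is invented: the thread shows only that Run value's name, in the MBAM log.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\WINXP\System32\smss.exe
C:\Documents and Settings\user\Application Data\MyStartButton\explorers\1\explorer.exe
C:\Program Files\Eset\nod32kui.exe
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINXP\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [bmb3b83424] RUNDLL32.EXE C:\WINXP\system32\quxiascu.dll,s
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O20 - AppInit_DLLs: wbsys.dll ayvcmm.dll
O23 - Service: PnkBstrA - Unknown owner - C:\WINXP\system32\PnkBstrA.exe
--
End of file - 1234 bytes
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:<5}{f.reason}\n     {f.line}")
```

Everything it reports is a lead for a human reviewer, not a verdict: wbsys.dll in AppInit_DLLs, for instance, belongs to a legitimate desktop-theming product, and a real triage compares each name against a known-vendor list.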
- 09-19-2008 12:01 AM #8 Member
First mistake... forgot to disable antivirus.
ComboFix Log.
ComboFix 08-09-16.05 - user 2008-09-19 16:53:07.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1537 [GMT 12:00]
Running from: C:\Documents and Settings\user.USER-9U1R65BT6V\Desktop\ComboFix.exe
* Created a new restore point
* Resident AV is active
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINXP\system32\BReWErS.dll
.
((((((((((((((((((((((((( Files Created from 2008-08-19 to 2008-09-19 )))))))))))))))))))))))))))))))
.
2008-09-19 16:34 . 2008-09-19 16:34 <DIR> d-------- C:\Program Files\Trend Micro
2008-09-19 16:18 . 2008-09-19 16:18 <DIR> d-------- C:\Documents and Settings\user.USER-9U1R65BT6V\Application Data\Malwarebytes
2008-09-19 16:17 . 2008-09-19 16:20 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-09-19 16:17 . 2008-09-19 16:17 <DIR> d-------- C:\Documents and Settings\All Users.WINXP\Application Data\Malwarebytes
2008-09-19 16:17 . 2008-09-10 00:04 38,528 --a------ C:\WINXP\system32\drivers\mbamswissarmy.sys
2008-09-19 16:17 . 2008-09-10 00:03 17,200 --a------ C:\WINXP\system32\drivers\mbam.sys
2008-09-19 15:06 . 2008-09-19 15:06 <DIR> d-------- C:\VundoFix Backups
2008-08-28 09:03 . 2008-08-28 09:03 42,320 --a------ C:\WINXP\system32\xfcodec.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-19 01:57 139,128 -c--a-w C:\WINXP\system32\drivers\PnkBstrK.sys
2008-09-19 01:57 111,928 ----a-w C:\WINXP\system32\PnkBstrB.exe
2008-09-18 22:55 --------- d-----w C:\Documents and Settings\user.USER-9U1R65BT6V\Application Data\Xfire
2008-09-18 21:56 --------- d-----w C:\Program Files\Xfire
2008-09-17 05:12 --------- d---a-w C:\Documents and Settings\All Users.WINXP\Application Data\TEMP
2008-09-16 07:07 --------- d-----w C:\Documents and Settings\user.USER-9U1R65BT6V\Application Data\BitTorrent
2008-09-15 11:04 --------- d-----w C:\Documents and Settings\user.USER-9U1R65BT6V\Application Data\DNA
2008-09-15 06:40 --------- d-----w C:\Program Files\DNA
2008-08-14 07:49 66,872 ----a-w C:\WINXP\system32\PnkBstrA.exe
2008-08-14 04:56 22,328 -c--a-w C:\Documents and Settings\user.USER-9U1R65BT6V\Application Data\PnkBstrK.sys
2008-08-13 07:05 --------- d-----w C:\Documents and Settings\All Users.WINXP\Application Data\Office Genuine Advantage
2008-08-07 06:09 --------- d-----w C:\Program Files\Windows Journal Viewer
2008-08-05 07:18 --------- d-----w C:\Documents and Settings\user.USER-9U1R65BT6V\Application Data\Axialis
2008-08-04 20:41 --------- d-----w C:\Documents and Settings\All Users.WINXP\Application Data\Microsoft Help
2008-08-04 20:39 --------- d-----w C:\Program Files\Microsoft.NET
2008-07-28 19:42 --------- d-----w C:\Documents and Settings\user.USER-9U1R65BT6V\Application Data\Juce VST Host
2008-07-27 03:12 --------- d-----w C:\Documents and Settings\user.USER-9U1R65BT6V\Application Data\Caphyon
2008-07-27 01:49 --------- d-----w C:\Program Files\Microsoft Synchronization Services
2008-07-27 01:49 --------- d-----w C:\Program Files\Microsoft SQL Server Compact Edition
2008-07-27 01:46 --------- d-----w C:\Program Files\Microsoft SDKs
2008-07-27 01:44 --------- d-----w C:\Program Files\Reference Assemblies
2008-07-27 01:44 --------- d-----w C:\Program Files\MSBuild
2008-07-27 01:39 --------- d-----w C:\Program Files\MSXML 6.0
2008-07-21 03:41 --------- d-----w C:\Program Files\Outsim
2008-06-30 06:47 3,532 ----a-w C:\drmHeader.bin
2008-06-25 06:18 47,264 ----a-w C:\GDIPFONTCACHEV1.DAT
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="C:\WINXP\IME\imjp8_1\IMJPMIG.EXE" [2004-08-03 208952]
"MSPY2002"="C:\WINXP\System32\IME\PINTLGNT\ImScInst.exe" [2002-08-29 59392]
"PHIME2002ASync"="C:\WINXP\System32\IME\TINTLGNT\TINTSETP.EXE" [2002-08-29 455168]
"PHIME2002A"="C:\WINXP\System32\IME\TINTLGNT\TINTSETP.EXE" [2002-08-29 455168]
"NvCplDaemon"="C:\WINXP\System32\NvCpl.dll" [2006-10-31 7634944]
"NvMediaCenter"="C:\WINXP\System32\NvMcTray.dll" [2006-10-31 86016]
"NeroFilterCheck"="C:\WINXP\system32\NeroCheck.exe" [2001-07-09 155648]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2008-04-06 917504]
"REGSHAVE"="C:\Program Files\REGSHAVE\REGSHAVE.EXE" [2002-02-04 53248]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"nwiz"="nwiz.exe" [2006-10-31 C:\WINXP\system32\nwiz.exe]
"SkyTel"="SkyTel.EXE" [2006-05-16 C:\WINXP\SkyTel.exe]
"RTHDCPL"="RTHDCPL.EXE" [2007-02-26 C:\WINXP\RTHDCPL.exe]
C:\Documents and Settings\user.USER-9U1R65BT6V\Start Menu\Programs\Startup\
4t Tray Minimizer.lnk - C:\Program Files\4t Tray Minimizer\4t-min.exe [2008-04-09 1091584]
C:\Documents and Settings\All Users.WINXP\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-18 65588]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=wbsys.dll ayvcmm.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.XFR1"= xfcodec.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Xfire\\xfire.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\WINXP\\system32\\PnkBstrA.exe"=
"C:\\WINXP\\system32\\PnkBstrB.exe"=
"D:\\Bhavya's wanted Stuff\\COD4 Aimbot\\Cod4bot.exe"=
"D:\\Bhavya's wanted Stuff\\cod4hack\\cod4hack.exe"=
"C:\\WINXP\\system32\\rtcshare.exe"=
"C:\\Program Files\\NetMeeting\\conf.exe"=
"C:\\Program Files\\DNA\\btdna.exe"=
"D:\\BitTorrent\\bittorrent.exe"=
"D:\\COD4\\iw3mp.exe"=
"C:\\WINXP\\system32\\ftp.exe"=
"D:\\Adobe Dreamweaver CS3\\Portable Adobe Dreamweaver CS3=abu137=\\Dreamweaver.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"2302:UDP"= 2302:UDP:Halo Server
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4dc5110a-10f1-11dd-bf2f-001bfcec946f}]
\Shell\Auto\command - autoregistry.exe
\Shell\AutoRun\command - C:\WINXP\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL autoregistry.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{fed165c3-50aa-11dd-bfed-001bfcec946f}]
\Shell\AutoRun\command - System\Security\DriveGuard.exe -run
\Shell\Explore\Command - System\Security\DriveGuard.exe -run
\Shell\Open\Command - System\Security\DriveGuard.exe -run
*Newly Created Service* - PROCEXP90
.
Contents of the 'Scheduled Tasks' folder
.
- - - - ORPHANS REMOVED - - - -
Notify-WB - C:\Program Files\AlienGUIse\fastload.dll
Notify-WgaLogon - (no file)
.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\user.USER-9U1R65BT6V\Application Data\Mozilla\Firefox\Profiles\2syttykm.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - about:blank
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-19 16:55:09
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
**************************************************************************
.
Completion time: 2008-09-19 16:58:14
ComboFix-quarantined-files.txt 2008-09-19 04:57:12
Pre-Run: 1,807,200,256 bytes free
Post-Run: 1,846,378,496 bytes free
132 --- E O F --- 2008-04-06 04:44:51
HIJACKTHIS LOG
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:00:57 PM, on 9/19/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINXP\System32\smss.exe
C:\WINXP\system32\winlogon.exe
C:\WINXP\system32\services.exe
C:\WINXP\system32\lsass.exe
C:\WINXP\system32\svchost.exe
C:\WINXP\System32\svchost.exe
C:\WINXP\system32\spoolsv.exe
C:\WINXP\RTHDCPL.EXE
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\4t Tray Minimizer\4t-min.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINXP\System32\nvsvc32.exe
C:\WINXP\system32\PnkBstrA.exe
C:\WINXP\System32\svchost.exe
C:\WINXP\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINXP\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINXP\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINXP\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINXP\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINXP\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINXP\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINXP\system32\NeroCheck.exe
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - Startup: 4t Tray Minimizer.lnk = C:\Program Files\4t Tray Minimizer\4t-min.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary...r.cab56986.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-NZ/.../GAME_UNO1.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1207446070375
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab56907.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary...r.cab56986.cab
O20 - AppInit_DLLs: wbsys.dll ayvcmm.dll
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINXP\System32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINXP\system32\PnkBstrA.exe
--
End of file - 4316 bytes
- 09-19-2008 12:04 AM #9 Member
But anyways...
My computer and NOD32 Antivirus show no problems. So does that mean it's fixed?
If it is.. THANKS A LOT!!
WILL NEVER FORGET THIS DAY AND ALWAYS VISIT THIS FORUM!
- 09-19-2008 12:15 AM #10
Looks good now. Time to cleanup.
Download ATF Cleaner by Atribune to your Desktop.
Alternate download link
Note: Vista users must use Run As Administrator
- Under Main: Select Files to Delete choose: Select All.
- Click the Empty Selected button.
- If you use Firefox browser click Firefox at the top and choose: Select All
- Click the Empty Selected button.
If you would like to keep your saved passwords click No at the prompt.
- If you use Opera browser click Opera at the top and choose: Select All
- Click the Empty Selected button.
If you would like to keep your saved passwords click No at the prompt.
- Click Exit on the Main menu to close the program.
Note that your system will run slower for a reboot or two after having used this tool so don't panic.
Don't use ATF-Cleaner on a regular basis; it is too powerful and will slow down your computer. Use CCleaner for a daily drive cleaner. CCleaner (download software / view tutorial)
Important: Restart the computer before continuing.
----------
- Click START then RUN
- Now type Combofix /u in the runbox
- Make sure there's a space between Combofix and /u
- Then hit Enter.
The above procedure will:
- Delete:
- ComboFix and its associated files and folders.
- VundoFix backups, if present
- The C:\Deckard folder, if present
- The C:\_OtMoveIt folder, if present
- Reset the clock settings.
- Hide file extensions, if required.
- Hide System/Hidden files, if required.
- Set a new, clean Restore Point.
----------
Next: Set a New Restore Point to prevent possible reinfection from an old one.
Please go to: Start -> All Programs -> Accessories -> System Tools -> System Restore -> System Restore Settings
Click to add a check mark beside Turn off System Restore and click Apply
When you are warned that all existing Restore Points will be deleted, click Yes to continue and wait a few moments to let System Restore clear.
Uncheck "Turn off System Restore"
Click "Apply," and then click "OK".
----------
Use the Secunia Software Inspector to check for out of date software.
Click Start Now
Check the box next to Enable thorough system inspection.
Click Start
Allow the scan to finish and scroll down to see if any updates are needed.
Update anything listed.
----------
SpywareBlaster - Secure your Internet Explorer to make it harder for these ActiveX programs to run on your computer. Also stop certain cookies from being added to your computer when running Mozilla based browsers like Firefox.
* Using SpywareBlaster to protect your computer from Spyware and Malware
To prevent unknown applications from being installed on your computer, install WinPatrol 2008
* Using Winpatrol to protect your computer from malicious software
I would suggest using SiteAdvisor. SiteAdvisor rates sites on business practices and Spam. Safety ratings from McAfee SiteAdvisor are based on automated safety tests of Web sites.
Learn more about how to protect yourself while on the Internet from the following link: So how did I get infected in the first place? by Tony Klein.



