Can't get rid of Virtumonde virus



Kryptos
22-05-2008, 08:10 PM
I've tried using Spyware Doctor, which shows the virus is linked to a heap of start-up files and files that are in use. When I try to delete it, the computer crashes and restarts (presumably because it's trying to delete important files?).

Also tried Spybot, which says it has deleted them, then checks again on a restart, finds it again and deletes it again. Same old cycle.

Anyone know how to knock this on the head?

zqwerty
22-05-2008, 08:38 PM
Look at this thread:

http://pressf1.pcworld.co.nz/showthread.php?t=90056

jwil1
22-05-2008, 08:38 PM
Remove appropriate startup files using msconfig? Then run spybot/Spyware Doc.

wainuitech
22-05-2008, 08:44 PM
Please can you download HijackThis (http://www.trendsecure.com/portal/en-US/tools/security_tools/hijackthis), run it, select save a scan, and copy/paste the complete results back here so we can see what's loading.

Click on the Do a system scan and save a log file button. It will scan and then ask you to save the log.
Click Save to save the log file and then the log will open in notepad.
Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.

Kryptos
22-05-2008, 09:19 PM
Please can you download HijackThis (http://www.trendsecure.com/portal/en-US/tools/security_tools/hijackthis), run it, select save a scan, and copy/paste the complete results back here so we can see what's loading.

Click on the Do a system scan and save a log file button. It will scan and then ask you to save the log.
Click Save to save the log file and then the log will open in notepad.
Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:30:10 PM, on 5/22/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\System32\smss.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\wininit.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\services.exe
C:\Windows\system32\winlogon.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Creative\Shared Files\CTAudSvc.exe
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\rundll32.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Windows\System32\CTHELPER.EXE
C:\Windows\System32\CTXFIHLP.EXE
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
C:\Program Files\BitDefender\BitDefender 2008\vsserv.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\System32\CTXFISPI.EXE
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\System32\svchost.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Program Files\Mozilla Firefox 3 Beta 5\firefox.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\System32\svchost.exe
C:\Users\Jarin\Downloads\ewido_micro.exe
C:\Program Files\iTunes\iTunes.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceHelper.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\distnoted.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.co.nz/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1F0C5640-30FD-496C-927E-63E22A4C7745} - (no file)
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.2.2.28.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {8560F2CE-CD11-4F72-8759-64611E9C0543} - C:\Windows\system32\qoMCvtro.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {FF1FF360-A3A7-454B-AC9E-9502A5BE5998} - (no file)
O3 - Toolbar: BitDefender Toolbar - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - C:\Program Files\BitDefender\BitDefender 2008\IEToolbar.dll
O4 - HKLM\..\Run: [BitDefender Antiphishing Helper] "C:\Program Files\BitDefender\BitDefender 2008\IEShow.exe"
O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.2.2.28.dll/206 (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O13 - Gopher Prefix:
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/softwareupdate/su/ocx/15031/CTSUEng.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {44990200-3C9D-426D-81DF-AAB636FA4345} (Symantec SmartIssue) - https://www-secure.symantec.com/techsupp/asa/ss/sa/sa_cabs/tgctlsi.cab
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - https://www-secure.symantec.com/techsupp/asa/ss/sa/sa_cabs/tgctlsr.cab
O16 - DPF: {44990B00-3C9D-426D-81DF-AAB636FA4345} (Symantec Configuration Class) - https://www-secure.symantec.com/techsupp/asa/ss/sa/sa_cabs/tgctlcm.cab
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab56986.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownload/srl/2.0.0.1/sysreqlab2.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/softwareupdate/su/ocx/15034/CTPID.cab
O20 - AppInit_DLLs: C:\Windows\system32\__c00A1EAC.dat
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative ALchemy AL1 Licensing Service - Creative Labs - C:\Program Files\Common Files\Creative Labs Shared\Service\AL1Licensing.exe
O23 - Service: Creative Audio Service (CTAudSvcService) - Creative Technology Ltd - C:\Program Files\Creative\Shared Files\CTAudSvc.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - BitDefender SRL - C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - BitDefender S.R.L. - C:\Program Files\BitDefender\BitDefender 2008\vsserv.exe
O23 - Service: BitDefender Communicator (XCOMM) - BitDefender - C:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe

--
End of file - 11222 bytes

Kryptos
22-05-2008, 09:21 PM
Look at this thread:

http://pressf1.pcworld.co.nz/showthread.php?t=90056

Thanks, but I don't think that's my problem.

Safari
22-05-2008, 09:21 PM
HijackThis will not remove the Virtumonde virus completely; it is a very difficult one to remove.

Do a Google search for Virtumonde virus removal and you will see numerous suggested methods to remove this nasty.

Kryptos
22-05-2008, 09:31 PM
Tried that, but they are all for specific people who have asked for help and have to do a lot of manual removal. Tried using VundoFix, but that didn't even find anything.

Speedy Gonzales
22-05-2008, 11:54 PM
Run HJT again, tick these, then tick Fix checked:

O2 - BHO: (no name) - {1F0C5640-30FD-496C-927E-63E22A4C7745} - (no file)

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O2 - BHO: (no name) - {FF1FF360-A3A7-454B-AC9E-9502A5BE5998} - (no file)

If you don't use Nero Home, tick this:

O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"

O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)

O13 - Gopher Prefix:

O20 - AppInit_DLLs: C:\Windows\system32\__c00A1EAC.dat

What have you got that's Symantec? If it's an AV program, uninstall it.

Get Trojan Remover from my sig, install it, update it, then click on scan. Then select all options under utilities.
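The list above is in effect a manual triage of the HijackThis log: orphaned entries that read "(no name)" / "(no file)", an unnamed BHO that is backed by a real DLL in system32, and the AppInit_DLLs entry. The script below is an added editorial example, not HijackThis's or any poster's code; it encodes those rules and runs them over lines copied from the log posted in this thread. The "high" / "cleanup" severity labels are this example's own assumption.

```python
import re
from dataclasses import dataclass
from typing import Optional

# "O2 - BHO: <name> - {CLSID} - <path>" and the "O9 - Extra button:" variant.
_ENTRY_RE = re.compile(
    r"^(?P<kind>O2|O9) - (?:BHO|Extra button): (?P<name>.*?) - "
    r"(?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.*)$"
)
# "O20 - AppInit_DLLs: <path>"; an empty value does not match and is not flagged.
_APPINIT_RE = re.compile(r"^O20 - AppInit_DLLs: (?P<path>\S.*)$")
_SYSTEM32_RE = re.compile(r"\\system32\\", re.IGNORECASE)


@dataclass
class Finding:
    severity: str   # "high": likely active component; "cleanup": dead registration
    line: str
    reason: str


def triage_line(line: str) -> Optional[Finding]:
    """Classify one HijackThis line; None means the rules do not flag it."""
    line = line.strip()
    m = _APPINIT_RE.match(line)
    if m:
        # AppInit_DLLs is mapped into every process that loads user32.dll, so one
        # unexpected entry here is a persistence point for the whole machine.
        return Finding("high", line, "AppInit_DLLs injection: " + m.group("path"))
    m = _ENTRY_RE.match(line)
    if not m:
        return None
    name, path, kind = m.group("name"), m.group("path"), m.group("kind")
    if path == "(no file)":
        # Registration survives but the DLL is gone: harmless, just remove the entry.
        return Finding("cleanup", line, "orphaned registration, backing file is gone")
    if name == "(no name)":
        # A nameless BHO with a real file behind it is the classic Virtumonde pattern.
        where = "in system32" if _SYSTEM32_RE.search(path) else "outside system32"
        return Finding("high", line, f"unnamed {kind} entry backed by a real file {where}")
    return None


def triage_log(text: str) -> list:
    """Run triage_line over a whole log, keeping flagged entries in log order."""
    return [f for f in (triage_line(raw) for raw in text.splitlines()) if f]


def summarize(findings) -> dict:
    """Count findings per severity, e.g. {"high": 2, "cleanup": 4}."""
    counts = {"high": 0, "cleanup": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


# Constructed sample: lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1F0C5640-30FD-496C-927E-63E22A4C7745} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {8560F2CE-CD11-4F72-8759-64611E9C0543} - C:\Windows\system32\qoMCvtro.dll
O2 - BHO: (no name) - {FF1FF360-A3A7-454B-AC9E-9502A5BE5998} - (no file)
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.2.2.28.dll/206 (file missing)
O13 - Gopher Prefix:
O20 - AppInit_DLLs: C:\Windows\system32\__c00A1EAC.dat
"""

if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"[{f.severity:7}] {f.reason}\n          {f.line}")
    print(summarize(triage_log(SAMPLE_LOG)))
```

Named, file-backed entries (Adobe, BitComet) and the empty Gopher prefix are deliberately left unflagged; the rules only reproduce the distinctions the thread itself draws.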

wainuitech
23-05-2008, 10:03 AM
Try this

Go to this site here (http://forums.majorgeeks.com/showthread.php?p=869653), download SDFix, and follow the instructions on running it.

Then, from my signature below, download Malwarebytes. I see you already have Spyware Doctor & Spybot, but update and run them again. Instructions for running Malwarebytes are in the first part of this PDF (http://dl4u.savefile.com/0a7715a1033d69116be562be1168b91d/Antispyware_instructions.pdf) that I created and give to my customers so they can run the programs and not forget how - sometimes ;)

Also download & run SuperAntiSpyware (http://www.superantispyware.com/).

While downloading, get a better AV: download NOD32 (http://www.eset.com/download/index.php). Also download this PDF on how to set it up (http://dl4u.savefile.com/b9a02073db6eb3ac0f721d4df8375996/Installing_Nod32_Antivirus.pdf). Once set up, click on Computer scan and select Standard scan.

tweak'e
23-05-2008, 10:48 AM
The other thing is to run the antispyware and antivirus while in Safe Mode.

Kryptos
25-05-2008, 08:46 PM
Cheers for the help, but the thing that seemed to do the trick was Malwarebytes' Anti-Malware. Had to do two scans, then it came up clean on three different programs. Hopefully it's gone!

Pancake
26-05-2008, 12:03 PM
Let's make sure it has gone...

OK. We need to download ComboFix.exe. This will give a better view of the files running and also hidden on your computer.
Please visit this webpage for download links and instructions for running ComboFix (http://www.bleepingcomputer.com/combofix/how-to-use-combofix).

When the tool is finished, it will produce a report for you. Please copy and paste the "C:\ComboFix.txt" along with a new 'HijackThis' log so that we can continue to do any further cleaning that your system may require.

Caution: Never run and remove files with ComboFix unless supervised by a qualified security analyst who is experienced in the use of ComboFix. Misuse can cause serious computer problems.

NOTE: Combofix prevents autorun of all CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you - please let me know.

Kryptos
26-05-2008, 02:06 PM
ComboFix 08-05-25.3 - Jarin 2008-05-26 12:59:36.1 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.1146 [GMT 12:00]
Running from: C:\Users\Jarin\Downloads\ComboFix.exe
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Windows\system32\evwdndlv.exe
C:\Windows\system32\gbwsxrwn.dll
C:\Windows\system32\sxbdawoa.exe

.
((((((((((((((((((((((((( Files Created from 2008-04-26 to 2008-05-26 )))))))))))))))))))))))))))))))
.

2008-05-25 12:20 . 2008-05-25 12:20 <DIR> d-------- C:\ProgramData\Nokia
2008-05-24 12:24 . 2008-05-24 16:20 <DIR> d-------- C:\Users\Jarin\AppData\Roaming\Smart Recorder
2008-05-23 23:53 . 2008-05-23 23:53 <DIR> d-------- C:\Users\Jarin\AppData\Roaming\Ubisoft
2008-05-23 23:53 . 2008-05-23 23:53 <DIR> d-------- C:\ProgramData\Ubisoft
2008-05-23 23:00 . 2008-03-05 15:56 3,786,760 --a------ C:\Windows\System32\D3DX9_37.dll
2008-05-23 22:47 . 2008-05-23 23:00 <DIR> d--h----- C:\Windows\msdownld.tmp
2008-05-22 23:03 . 2008-05-22 23:03 <DIR> d-------- C:\ProgramData\Steam
2008-05-22 23:03 . 2008-05-22 23:24 <DIR> d-------- C:\ProgramData\PopCap Games
2008-05-22 22:06 . 2008-05-22 22:06 <DIR> d-------- C:\Users\Jarin\AppData\Roaming\Malwarebytes
2008-05-22 22:06 . 2008-05-22 22:06 <DIR> d-------- C:\ProgramData\Malwarebytes
2008-05-22 22:06 . 2008-05-22 22:14 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-05-22 22:06 . 2008-05-05 20:46 27,048 --a------ C:\Windows\System32\drivers\mbamcatchme.sys
2008-05-22 22:06 . 2008-05-05 20:46 15,864 --a------ C:\Windows\System32\drivers\mbam.sys
2008-05-22 20:29 . 2008-05-22 20:29 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-22 14:29 . 2004-03-09 01:00 1,081,616 --a------ C:\Windows\System32\MSCOMCTL.OCX
2008-05-22 14:29 . 2004-08-04 08:00 506,368 --a------ C:\Windows\System32\msxml.dll
2008-05-22 12:07 . 2008-05-22 13:32 <DIR> d-------- C:\ProgramData\Lavasoft
2008-05-22 10:21 . 2008-05-22 18:52 199 --a------ C:\Windows\wininit.ini
2008-05-22 09:49 . 2008-05-22 10:18 <DIR> d-------- C:\ProgramData\Spybot - Search & Destroy
2008-05-22 09:49 . 2008-05-22 09:50 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-05-22 09:20 . 2008-05-22 09:20 51,200 --a------ C:\Windows\System32\krhtyasl.dll
2008-05-21 08:10 . 2008-05-21 08:10 51,200 --a------ C:\Windows\System32\pwquoavp.dll
2008-05-20 21:27 . 2008-05-24 00:04 <DIR> d-------- C:\Program Files\Assassins Creed
2008-05-18 16:16 . 2008-05-18 16:16 <DIR> d-------- C:\Users\Jarin\AppData\Roaming\Nero
2008-05-18 16:14 . 2008-05-18 16:14 <DIR> d-------- C:\ProgramData\Ahead
2008-05-18 10:48 . 2008-05-18 11:01 <DIR> d-------- C:\Windows\nvidia icons
2008-05-18 10:47 . 2008-05-02 22:46 768,544 --a------ C:\Windows\System32\nvcplui.exe
2008-05-18 10:47 . 2008-05-02 22:46 420,384 --a------ C:\Windows\System32\nvcpl.cpl
2008-05-18 10:47 . 2008-05-02 22:46 313,888 --a------ C:\Windows\System32\nvexpbar.dll
2008-05-18 10:46 . 2008-04-30 17:27 442,368 --a------ C:\Windows\System32\NVUNINST.EXE
2008-05-16 01:12 . 2008-05-16 01:12 1,080 --a------ C:\Windows\System32\settingsbkup.sfm
2008-05-16 01:12 . 2008-05-16 01:12 1,080 --a------ C:\Windows\System32\settings.sfm
2008-05-15 18:21 . 2003-06-12 23:25 7,062 --a------ C:\Windows\System32\audiopid.vxd
2008-05-13 21:16 . 2008-05-21 20:25 <DIR> d--h----- C:\Users\Jarin\AppData\Roaming\GTek
2008-05-13 21:16 . 2008-05-21 20:25 <DIR> d-ah----- C:\ProgramData\Gtek
2008-05-10 17:17 . 2008-05-10 17:17 <DIR> d-------- C:\Windows\Sun
2008-05-10 17:17 . 2008-05-10 17:17 <DIR> d-------- C:\Users\Jarin\AppData\Roaming\SystemRequirementsLab
2008-05-09 09:24 . 2008-05-09 09:24 0 --ah----- C:\Windows\System32\drivers\Msft_User_WpdMtpDr_01_00_00.Wdf
2008-05-03 15:36 . 2008-05-03 15:36 <DIR> d-------- C:\Users\Jarin\AppData\Roaming\Nokia Multimedia Player
2008-05-02 20:02 . 2008-05-02 20:02 <DIR> d-------- C:\Users\Jarin\AppData\Roaming\InstallShield Installation Information
2008-05-02 19:43 . 2008-05-02 19:43 <DIR> d-------- C:\Program Files\Unreal Tournament 3
2008-05-02 19:43 . 2007-07-19 18:14 3,727,720 --a------ C:\Windows\System32\d3dx9_35.dll
2008-05-02 19:42 . 2008-05-02 19:42 <DIR> d-------- C:\Windows\System32\AGEIA
2008-05-02 19:42 . 2008-05-22 13:32 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-05-02 19:42 . 2008-05-02 19:42 <DIR> d-------- C:\Program Files\AGEIA Technologies
2008-05-02 05:59 . 2008-05-02 05:59 122,368 --a------ C:\Windows\System32\drivers\Rtlh86.sys
2008-04-28 00:14 . 2008-04-28 00:14 0 --ah----- C:\Windows\System32\drivers\Msft_User_PCCSWpdDriver_01_05_00.Wdf
2008-04-28 00:13 . 2008-04-28 00:13 0 --ah----- C:\Windows\System32\drivers\Msft_Kernel_ccdcmb_01005.Wdf
2008-04-28 00:12 . 2008-04-28 00:14 <DIR> d-------- C:\Users\Jarin\AppData\Roaming\PC Suite
2008-04-28 00:12 . 2008-04-29 22:32 <DIR> d-------- C:\Users\Jarin\AppData\Roaming\Nokia
2008-04-28 00:12 . 2008-04-28 00:13 <DIR> d-------- C:\ProgramData\PC Suite
2008-04-28 00:10 . 2008-04-28 00:10 <DIR> d-------- C:\Program Files\DIFX
2008-04-28 00:10 . 2008-04-28 00:10 <DIR> d-------- C:\Program Files\Common Files\PCSuite
2008-04-28 00:10 . 2008-05-25 12:19 <DIR> d-------- C:\Program Files\Common Files\Nokia
2008-04-28 00:10 . 2007-09-17 15:53 21,632 --a------ C:\Windows\System32\drivers\pccsmcfd.sys
2008-04-28 00:09 . 2008-04-28 00:09 <DIR> d-------- C:\Program Files\PC Connectivity Solution
2008-04-28 00:06 . 2008-02-01 15:17 90,624 --a------ C:\Windows\System32\nmwcdcls.dll
2008-04-28 00:05 . 2008-05-25 12:18 <DIR> d-------- C:\ProgramData\Installations
2008-04-28 00:05 . 2008-05-25 12:20 <DIR> d-------- C:\Program Files\Nokia
2008-04-27 18:02 . 2008-04-27 18:02 <DIR> d-------- C:\Users\Jarin\AppData\Roaming\Media Player Classic
2008-04-27 15:12 . 2008-04-27 15:12 <DIR> d--hs---- C:\Diskeeper
2008-04-27 14:52 . 2008-04-27 14:52 <DIR> d-------- C:\ProgramData\Diskeeper Corporation
2008-04-27 14:39 . 2008-04-27 14:39 <DIR> d-------- C:\Program Files\Google
2008-04-27 13:50 . 2008-05-24 11:40 <DIR> d-------- C:\Users\Jarin\AppData\Roaming\mIRC
2008-04-27 13:50 . 2008-05-24 10:46 <DIR> d-------- C:\Program Files\mIRC
2008-04-27 10:47 . 2008-04-30 19:54 <DIR> d-------- C:\ProgramData\DVD Shrink
2008-04-27 10:47 . 2008-04-27 10:47 <DIR> d-------- C:\Program Files\DVD Shrink
2008-04-26 20:00 . 2008-04-26 20:00 <DIR> dr-h----- C:\MSOCache
2008-04-26 16:03 . 2008-04-26 16:03 <DIR> d-------- C:\Program Files\CCleaner
2008-04-26 15:32 . 2008-04-26 15:32 <DIR> d-------- C:\Program Files\Diskeeper Corporation
2008-04-26 09:30 . 2008-04-26 09:30 <DIR> d-------- C:\Program Files\Real Alternative

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-25 21:43 --------- d-----w C:\Program Files\Steam
2008-05-25 21:40 --------- d-----w C:\Program Files\Common Files\Steam
2008-05-25 19:58 --------- d-----w C:\Program Files\Mozilla Firefox 3 Beta 5
2008-05-25 06:08 --------- d---a-w C:\ProgramData\TEMP
2008-05-25 05:16 --------- d-----w C:\Program Files\Spyware Doctor
2008-05-19 20:01 --------- d-----w C:\Program Files\Microsoft Silverlight
2008-05-18 04:14 --------- d-----w C:\Users\Jarin\AppData\Roaming\Ahead
2008-05-17 23:02 --------- d-----w C:\ProgramData\NVIDIA
2008-05-15 06:20 --------- d-----w C:\Program Files\Creative
2008-05-15 06:19 --------- d-----w C:\Users\Jarin\AppData\Roaming\Creative
2008-05-15 06:19 --------- d-----w C:\ProgramData\Creative
2008-05-14 12:26 --------- d-----w C:\Program Files\Windows Mail
2008-05-02 11:47 --------- d-----w C:\Program Files\MagicISO
2008-05-02 10:46 7,460,320 ----a-w C:\Windows\system32\drivers\nvlddmkm.sys
2008-04-25 22:16 --------- d-----w C:\Program Files\Windows Live
2008-04-25 22:13 --------- d-----w C:\ProgramData\WLInstaller
2008-04-25 21:28 --------- d-----w C:\ProgramData\CopyTransControlCenter
2008-04-25 10:38 --------- d-----w C:\Users\Jarin\AppData\Roaming\CopyTrans
2008-04-25 10:30 --------- d-----w C:\Users\Jarin\AppData\Roaming\CopyTransControlCenter
2008-04-25 10:24 --------- d-----w C:\Users\Jarin\AppData\Roaming\SyncGuardian
2008-04-25 10:23 --------- d-----w C:\Users\Jarin\AppData\Roaming\iLibs
2008-04-25 06:21 --------- d-----w C:\Program Files\Java
2008-04-25 06:16 --------- d-----w C:\Program Files\Common Files\Java
2008-04-25 04:51 --------- d-----w C:\Program Files\WindSolutions
2008-04-25 00:58 --------- d-----w C:\Program Files\Common Files\Adobe
2008-04-24 07:07 --------- d-----w C:\Program Files\BitComet
2008-04-24 05:28 --------- d-----w C:\Program Files\Microsoft IntelliType Pro
2008-04-23 19:32 --------- d-----w C:\Program Files\MSXML 4.0
2008-04-23 07:33 --------- d-----w C:\Program Files\Common Files\Ahead
2008-04-23 07:32 --------- d-----w C:\Users\Jarin\AppData\Roaming\vlc
2008-04-23 07:30 --------- d-----w C:\ProgramData\Nero
2008-04-23 07:30 --------- d-----w C:\Program Files\Nero
2008-04-23 07:19 --------- d-----w C:\Program Files\VideoLAN
2008-04-23 06:16 --------- d-----w C:\Users\Jarin\AppData\Roaming\Symantec
2008-04-23 05:23 --------- d-----w C:\ProgramData\Symantec
2008-04-23 05:20 --------- d-----w C:\Program Files\Symantec
2008-04-23 05:20 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-04-22 11:57 0 ---ha-w C:\Windows\system32\drivers\Msft_User_WpdFs_01_00_00.Wdf
2008-04-22 11:22 --------- d-----w C:\Program Files\Apple Software Update
2008-04-22 11:08 --------- d-----w C:\Users\Jarin\AppData\Roaming\Apple Computer
2008-04-22 11:07 --------- d-----w C:\ProgramData\Apple Computer
2008-04-22 11:07 --------- d-----w C:\Program Files\iTunes
2008-04-22 11:07 --------- d-----w C:\Program Files\iPod
2008-04-22 11:06 --------- d-----w C:\Program Files\QuickTime
2008-04-22 11:06 --------- d-----w C:\Program Files\Bonjour
2008-04-22 11:04 --------- d-----w C:\ProgramData\Apple
2008-04-22 11:04 --------- d-----w C:\Program Files\Common Files\Apple
2008-04-22 09:55 --------- d-----w C:\Program Files\ID Software
2008-04-22 08:16 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-22 08:14 --------- d-----w C:\Program Files\Common Files\Creative Labs Shared
2008-04-22 06:31 --------- d-----w C:\Program Files\Microsoft IntelliPoint
2008-04-21 19:53 --------- d-----w C:\Users\Jarin\AppData\Roaming\PC Tools
2008-04-21 19:23 --------- d-----w C:\Users\Jarin\AppData\Roaming\BitDefender
2008-04-21 19:23 --------- d-----w C:\ProgramData\BitDefender
2008-04-21 19:17 --------- d-----w C:\Program Files\Common Files\BitDefender
2008-04-21 19:17 --------- d-----w C:\Program Files\BitDefender
2008-04-21 11:43 --------- d-----w C:\Program Files\OpenAL
2008-04-21 11:35 174 --sha-w C:\Program Files\desktop.ini
2008-04-21 11:30 --------- d-----w C:\Program Files\Windows Sidebar
2008-04-21 11:30 --------- d-----w C:\Program Files\Windows Photo Gallery
2008-04-21 11:30 --------- d-----w C:\Program Files\Windows Journal
2008-04-21 11:30 --------- d-----w C:\Program Files\Windows Defender
2008-04-21 11:30 --------- d-----w C:\Program Files\Windows Collaboration
2008-04-21 11:30 --------- d-----w C:\Program Files\Windows Calendar
2008-04-21 11:08 --------- d-----w C:\Program Files\Microsoft SQL Server Compact Edition
2008-04-21 11:06 --------- dcsh--w C:\Program Files\Common Files\WindowsLiveInstaller
2008-04-21 10:51 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-04-21 10:36 --------- d-----w C:\Program Files\SystemRequirementsLab
2008-04-21 10:16 41,984 ----a-w C:\Windows\system32\drivers\monitor.sys
.

------- Sigcheck -------

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [2008-01-19 19:33 1233920]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-06-27 19:03 152872]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BitDefender Antiphishing Helper"="C:\Program Files\BitDefender\BitDefender 2008\IEShow.exe" [2007-10-09 15:46 61440]
"BDAgent"="C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe" [2008-02-16 17:45 360448]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\ipoint.exe" [2007-09-01 07:01 1037736]
"CTHelper"="CTHELPER.EXE" [2008-02-20 20:58 19456 C:\Windows\System32\CTHELPER.EXE]
"CTxfiHlp"="CTXFIHLP.EXE" [2008-02-20 20:58 19968 C:\Windows\System32\CTXFIHLP.EXE]
"itype"="C:\Program Files\Microsoft IntelliType Pro\itype.exe" [2007-08-31 12:13 988584]
"NvCplDaemon"="C:\Windows\system32\NvCpl.dll" [2008-05-02 22:46 13535776]
"NvMediaCenter"="C:\Windows\system32\NvMcTray.dll" [2008-05-02 22:46 92704]
"RegistryMechanic"="" []

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-3446459511-2626758654-3213401989-1000]
"EnableNotificationsRef"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{1F480269-BA2D-49C7-8749-423F3C7AC2A3}"= C:\Program Files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{036BC3B0-8370-4E5B-824D-0EAC5397ABFF}"= C:\Program Files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{465C604A-4B94-4656-8AFB-26D34B160545}"= UDP:C:\Program Files\Bonjour\mDNSResponder.exe:Bonjour
"{28AC3378-CFB7-44E6-B607-61370F5299FF}"= TCP:C:\Program Files\Bonjour\mDNSResponder.exe:Bonjour
"{CCBB35B4-0E04-4473-AD7C-4F3EF872ECC5}"= UDP:C:\Program Files\iTunes\iTunes.exe:iTunes
"{CB89C678-60A9-4281-803B-5E5A68659598}"= TCP:C:\Program Files\iTunes\iTunes.exe:iTunes
"{00219599-6704-446B-B31D-91BB3607B786}"= UDP:8478:BitComet 8478 TCP
"{98FF9C8B-E5D6-4EEC-9EA7-546E1ACE6E7F}"= TCP:8478:BitComet 8478 UDP
"{360D2D7F-7C65-4B87-BDB4-162494DFF98A}"= C:\Program Files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{8CC763F3-9662-4865-899F-775C4BB1F5AE}"= C:\Program Files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{98F185C4-6C54-45CB-AC95-365A144EB3C4}"= UDP:C:\Program Files\Unreal Tournament 3\Binaries\UT3.exe:Unreal Tournament 3
"{52C002FC-7A09-4E85-9088-01B864A479CC}"= TCP:C:\Program Files\Unreal Tournament 3\Binaries\UT3.exe:Unreal Tournament 3
"{21E79152-F8D5-44D6-B525-4D198BE0206D}"= UDP:8478:BitComet 8478 TCP
"{68063835-A5D4-46B3-9250-DD62392E777F}"= TCP:8478:BitComet 8478 UDP
"{50EE5124-B622-40CE-8F44-F5FEB9DA8D7D}"= UDP:26194:BitComet 26194 TCP
"{8AABA813-AE84-4303-8EAA-5125B6A7C336}"= TCP:26194:BitComet 26194 UDP

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)

R2 CTAudSvcService;Creative Audio Service;C:\Program Files\Creative\Shared Files\CTAudSvc.exe [2008-03-07 19:24]
R2 SBSDWSCService;SBSD Security Center Service;C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe [2008-01-28 11:43]
R3 Bdfndisf;BitDefender Firewall NDIS Filter Service;C:\Windows\system32\DRIVERS\bdfndisf.sys [2008-01-25 15:40]
R3 ha20x2k;Creative 20X HAL Driver;C:\Windows\system32\drivers\ha20x2k.sys [2008-02-25 09:44]
S3 Creative ALchemy AL1 Licensing Service;Creative ALchemy AL1 Licensing Service;"C:\Program Files\Common Files\Creative Labs Shared\Service\AL1Licensing.exe" [2008-04-22 20:14]
S3 pccsmcfd;PCCS Mode Change Filter Driver;C:\Windows\system32\DRIVERS\pccsmcfd.sys [2007-09-17 15:53]
S3 Steam Client Service;Steam Client Service;C:\Program Files\Common Files\Steam\SteamService.exe [2008-05-25 19:59]
S3 Symantec SymSnap VSS Provider;Symantec SymSnap VSS Provider;C:\Windows\system32\dllhost.exe [2006-11-02 21:45]
S3 upperdev;upperdev;C:\Windows\system32\DRIVERS\usbser_lowerflt.sys [2007-11-29 10:39]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bdx REG_MULTI_SZ scan

.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-26 13:10:08
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Windows\System32\nvvsvc.exe
C:\Windows\System32\audiodg.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\CTXFISPI.EXE
C:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
C:\Program Files\BitDefender\BitDefender 2008\vsserv.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\System32\wbem\WMIADAP.exe
.
**************************************************************************
.
Completion time: 2008-05-26 13:14:12 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-26 01:14:02

Pre-Run: 96,564,068,352 bytes free
Post-Run: 96,421,875,712 bytes free

255 --- E O F --- 2008-05-24 22:20:13

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:18:22 PM, on 5/26/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Windows\System32\CTHELPER.EXE
C:\Windows\System32\CTXFIHLP.EXE
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\CTXFISPI.EXE
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\Explorer.exe
C:\Windows\system32\notepad.exe
C:\Program Files\Mozilla Firefox 3 Beta 5\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\SearchFilterHost.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.co.nz/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.2.2.28.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: BitDefender Toolbar - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - C:\Program Files\BitDefender\BitDefender 2008\IEToolbar.dll
O4 - HKLM\..\Run: [BitDefender Antiphishing Helper] "C:\Program Files\BitDefender\BitDefender 2008\IEShow.exe"
O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.2.2.28.dll/206 (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/softwareupdate/su/ocx/15031/CTSUEng.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {44990200-3C9D-426D-81DF-AAB636FA4345} (Symantec SmartIssue) - https://www-secure.symantec.com/techsupp/asa/ss/sa/sa_cabs/tgctlsi.cab
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - https://www-secure.symantec.com/techsupp/asa/ss/sa/sa_cabs/tgctlsr.cab
O16 - DPF: {44990B00-3C9D-426D-81DF-AAB636FA4345} (Symantec Configuration Class) - https://www-secure.symantec.com/techsupp/asa/ss/sa/sa_cabs/tgctlcm.cab
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab56986.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownload/srl/2.0.0.1/sysreqlab2.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/softwareupdate/su/ocx/15034/CTPID.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative ALchemy AL1 Licensing Service - Creative Labs - C:\Program Files\Common Files\Creative Labs Shared\Service\AL1Licensing.exe
O23 - Service: Creative Audio Service (CTAudSvcService) - Creative Technology Ltd - C:\Program Files\Creative\Shared Files\CTAudSvc.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - BitDefender SRL - C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - BitDefender S.R.L. - C:\Program Files\BitDefender\BitDefender 2008\vsserv.exe
O23 - Service: BitDefender Communicator (XCOMM) - BitDefender - C:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe

--
End of file - 8500 bytes

Pancake
26-05-2008, 02:25 PM
Ok. Just these last two to remove and you're clean.


Please copy this page to *Notepad* and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.

It's IMPORTANT to carry out the instructions in the sequence listed below.
1. Close any open browsers.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Open *notepad* and copy/paste the text in the quotebox below into it:

Killall::

File::
C:\Windows\System32\krhtyasl.dll
C:\Windows\System32\pwquoavp.dll

Save this as CFScript.txt, in the same location as ComboFix.exe which is on the Desktop.


http://users.pandora.be/bluepatchy/miekiemoes/images/CFScript.gif

Referring to the picture above, drag CFScript.txt into ComboFix.exe.


When finished, it shall produce a log for you at C:\ComboFix.txt

Please copy and paste the ComboFix.txt along with a fresh HijackThis log in your next reply.


*Note:
Do not mouseclick ComboFix's window whilst it's running. That may cause it to stall. Altering this script in any way could damage your computer.*

Kryptos
26-05-2008, 03:51 PM
Couldn't do it, gave me a blue screen saying it was preventing damage to my computer or something and the system restarted.

Pancake
26-05-2008, 04:37 PM
Never had that happen before... Ok. Let's do it this way...



Download The Avenger by Swandog46 from here (http://swandog46.geekstogo.com/avenger2/download.php). Unzip/extract it to a folder on your desktop. Double click on avenger.exe to run The Avenger. Click OK. Make sure that the box next to Scan for rootkits has a tick in it and that the box next to Automatically disable any rootkits found does not have a tick in it. Copy all of the text in the below textbox to the clipboard by highlighting it and then pressing Ctrl+C.

Files to delete:
C:\Windows\System32\krhtyasl.dll
C:\Windows\System32\pwquoavp.dll



In the Avenger window, click the Paste Script from Clipboard button (http://img220.imageshack.us/img220/8923/pastets4.png). Click the Execute button. You will be asked "Are you sure you want to execute the current script?". Click Yes. You will now be asked "First step completed --- The Avenger has been successfully set up to run on next boot. Reboot now?". Click Yes. Your PC will now be rebooted.

Note: If the above script contains Drivers to delete: or Drivers to disable:, then The Avenger will require two reboots to complete its operation. If that is the case, it will force a BSOD on the first reboot. This is normal & expected behaviour.

After your PC has completed the necessary reboots, a log should automatically open. If it does not automatically open, then the log can be found at %systemdrive%\avenger.txt (typically C:\avenger.txt). Please post this log, along with a new HijackThis log in your next reply.
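
Added here as a worked example, not the thread's own tooling or the helper's code: a small Python triage script for the HijackThis log format. It flags the pattern targeted in the CFScript and Avenger posts above (an unnamed or random-looking 8-letter DLL loaded from System32) and then checks a fresh log, as the helper asks for after each run, to confirm the two named files are no longer referenced. The sample log lines are constructed; only the two DLL names and a few vendor entries are taken from the thread, and the random-name heuristic is an assumption for triage, not a verdict.

```python
"""Triage helpers for HijackThis-style logs (added example, not from the thread).

Parses the one-entry-per-line "Oxx - ..." format HijackThis writes, flags
entries that fit the pattern the helper targeted (an unnamed or random-looking
8-letter DLL loaded from System32), and checks a follow-up log to confirm the
files named for deletion are no longer referenced. Sample logs are constructed.
"""
import re

# Sections that load a DLL without a user-visible program behind it:
# O2 = Browser Helper Objects, O20 = AppInit_DLLs / Winlogon Notify,
# O21 = ShellServiceObjectDelayLoad.
DLL_LOADER_SECTIONS = {"O2", "O20", "O21"}

ENTRY_RE = re.compile(r"^([ORF]\d+) - (.*)$")
PATH_RE = re.compile(r'[A-Za-z]:\\[^"\s][^"]*?\.(?:dll|exe|sys)', re.IGNORECASE)
RANDOM_STEM_RE = re.compile(r"^[a-z]{8}$")  # shape of krhtyasl / pwquoavp (assumption)

BEFORE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000001} - C:\Windows\System32\krhtyasl.dll
O20 - Winlogon Notify: pwquoavp - C:\Windows\System32\pwquoavp.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.2.2.28.dll/206 (file missing)
O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe"
"""
# Constructed "after" log: same machine once the two DLLs and their loaders are gone.
AFTER_LOG = "\n".join(l for l in BEFORE_LOG.splitlines()
                      if "krhtyasl" not in l and "pwquoavp" not in l)

def parse_entries(log_text):
    """Yield (section, body) for each HijackThis entry line; skip the header."""
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            yield m.group(1), m.group(2)

def paths_in(body):
    return PATH_RE.findall(body)

def basename(path):
    return path.rsplit("\\", 1)[-1]

def looks_random(path):
    return bool(RANDOM_STEM_RE.match(basename(path).rsplit(".", 1)[0]))

def flag_entries(log_text):
    """Return (section, reason, detail) triples for a human to review.
    Heuristic only: it narrows the list to look at, it does not decide for you."""
    flagged = []
    for section, body in parse_entries(log_text):
        for path in paths_in(body):
            if (section in DLL_LOADER_SECTIONS
                    and "\\windows\\system32\\" in path.lower()
                    and (looks_random(path) or "(no name)" in body)):
                flagged.append((section, "unnamed/random System32 DLL", path))
        if "(no file)" in body or "(file missing)" in body:
            flagged.append((section, "orphaned entry, target file is gone", body))
    return flagged

def still_referenced(log_text, filenames):
    """Names from `filenames` that a fresh log still references anywhere."""
    seen = {basename(p).lower()
            for _, body in parse_entries(log_text) for p in paths_in(body)}
    return sorted(f for f in filenames if f.lower() in seen)

if __name__ == "__main__":
    targets = ["krhtyasl.dll", "pwquoavp.dll"]
    for section, reason, detail in flag_entries(BEFORE_LOG):
        print(f"{section:4} {reason}: {detail}")
    print("still referenced before:", still_referenced(BEFORE_LOG, targets))
    print("still referenced after: ", still_referenced(AFTER_LOG, targets))
```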

Kryptos
26-05-2008, 04:47 PM
Ok here we go:

Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows Vista

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

File "C:\Windows\System32\krhtyasl.dll" deleted successfully.
File "C:\Windows\System32\pwquoavp.dll" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:57, on 2008-05-26
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\NOTEPAD.EXE
C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Windows\System32\CTHELPER.EXE
C:\Windows\System32\CTXFIHLP.EXE
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
C:\Windows\System32\CTXFISPI.EXE
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.co.nz/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.2.2.28.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: BitDefender Toolbar - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - C:\Program Files\BitDefender\BitDefender 2008\IEToolbar.dll
O4 - HKLM\..\Run: [BitDefender Antiphishing Helper] "C:\Program Files\BitDefender\BitDefender 2008\IEShow.exe"
O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.2.2.28.dll/206 (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/softwareupdate/su/ocx/15031/CTSUEng.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {44990200-3C9D-426D-81DF-AAB636FA4345} (Symantec SmartIssue) - https://www-secure.symantec.com/techsupp/asa/ss/sa/sa_cabs/tgctlsi.cab
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - https://www-secure.symantec.com/techsupp/asa/ss/sa/sa_cabs/tgctlsr.cab
O16 - DPF: {44990B00-3C9D-426D-81DF-AAB636FA4345} (Symantec Configuration Class) - https://www-secure.symantec.com/techsupp/asa/ss/sa/sa_cabs/tgctlcm.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab56986.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownload/srl/2.0.0.1/sysreqlab2.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/softwareupdate/su/ocx/15034/CTPID.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative ALchemy AL1 Licensing Service - Creative Labs - C:\Program Files\Common Files\Creative Labs Shared\Service\AL1Licensing.exe
O23 - Service: Creative Audio Service (CTAudSvcService) - Creative Technology Ltd - C:\Program Files\Creative\Shared Files\CTAudSvc.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - BitDefender SRL - C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - BitDefender S.R.L. - C:\Program Files\BitDefender\BitDefender 2008\vsserv.exe
O23 - Service: BitDefender Communicator (XCOMM) - BitDefender - C:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe

--
End of file - 8491 bytes

Pancake
26-05-2008, 05:10 PM
Ok. You're good to go...


This will clear away any of the files and folders that were created by ComboFix.

Go to :
Start > Run then copy and paste the following highlighted text below and click OK.

ComboFix /u

Kryptos
26-05-2008, 07:45 PM
Wicked, thanks for your help guys.

Pancake
26-05-2008, 08:18 PM
Ok. No problem. Just pay at the desk on your way out. :D

rpm5099
31-05-2008, 08:52 AM
I'm having a very similar problem, I just posted in the main F1 forum. My symptoms are explorer.exe crashing repeatedly even in safe mode. Please help me out, thanks.