Congratulations to AcaCandy on her 100,000th post!
There's no such thing as a stupid question, but they're the easiest to answer.
JoinTour
Login
 
Tag Cloud
acer black screen blue screen boot bsod computer connection crash css dell driver drivers email error ethernet excel firefox firefox 3 freeze game hard drive internet internet explorer itunes laptop linux malware monitor network networking nvidia outlook outlook 2003 outlook 2007 outlook express partition password problem router slow software sound trojan usb video virus vista windows windows xp wireless
Malware Removal & HijackThis Logs
Search
Search in:
 
Advanced Search
Tech Support Guy Forums > Security & Malware Removal > Malware Removal & HijackThis Logs >
Win32/Adware.Virtumonde Virus


HELLO AND WELCOME! Before you can post your question, you'll have to register -- it's completely free! Click here to join today! We highly recommend that you print a copy of our Guide for New Members. Enjoy!

Closed Thread
 
Thread Tools
ChoboNoob's Avatar
Junior Member with 2 posts.
  
Join Date: Jun 2008
Experience: Intermediate
30-Jun-2008, 08:38 PM #1
Win32/Adware.Virtumonde Virus
Hi Guys. Thanks for your time and I hope you can help. A few weeks ago my anti virus (Nod32) picked up on a few viruses infecting my computer they are called Win32/Adware.Virtumonde. I tried to delete them through nod32 but they seem to not go away and i get nod32 poping up saying that they are there agian. My internet plays up alot ever since this has happend but online games seem fine. From reading other posts i have gathered i need to run HJT so i have done so and here is the log. I tried to use this and i checked a few items and fixed them but 2 still want be removed, so i decided that i dont know what i am doing and to ask for help. Thanks again


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:37:25 AM, on 7/1/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {8710FC9F-0816-49D7-AE14-4BA5269E838C} - C:\WINDOWS\system32\opnlJcDu.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {FEE0CB53-058D-4C18-BA40-9B4A61AEA463} - C:\WINDOWS\system32\xxyxXNhF.dll
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [e8400cfc] rundll32.exe "C:\WINDOWS\system32\ruchyklm.dll",b
O4 - HKLM\..\Run: [BMeb733f60] Rundll32.exe "C:\WINDOWS\system32\hnexcrxg.dll",s
O4 - HKCU\..\Run: [Startup Manager] C:\Program Files\Advanced System Optimizer\startUp manager.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKUS\S-1-5-18\..\RunOnce: [SetDefaultMIDI] MIDIDEF.EXE /s:'Creative SoundFont Synthesizer' /w:'SB Audigy' (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [SetDefaultMIDI] MIDIDEF.EXE /s:'Creative SoundFont Synthesizer' /w:'SB Audigy' (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: CabBuilder - http://ak.imgag.com/imgag/kiw/toolba...lerControl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/micr...?1195444555093
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/Driver...sysreqlab2.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1195444542968
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O20 - Winlogon Notify: opnlJcDu - C:\WINDOWS\SYSTEM32\opnlJcDu.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
--
End of file - 6611 bytes
cybertech's Avatar
Computer Specs
Moderator with 59,463 posts.
  
Join Date: Apr 2002
Location: Washington State
03-Jul-2008, 01:49 PM #2
Hi Welcome to TSG!!


Please visit this webpage for instructions for downloading and running ComboFix.

Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.
ChoboNoob's Avatar
Junior Member with 2 posts.
  
Join Date: Jun 2008
Experience: Intermediate
03-Jul-2008, 07:36 PM #3
logs
ComboFix 08-06-30.2 - Ryan Annells 2008-07-02 16:36:22.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2125 [GMT 10:00]
Running from: C:\Documents and Settings\Ryan Annells\Desktop\ComboFix.exe
* Created a new restore point
* Resident AV is active

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\BMeb733f60.txt
C:\WINDOWS\cookies.ini
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\AIRsrBeg.ini
C:\WINDOWS\system32\AIRsrBeg.ini2
C:\WINDOWS\system32\ctcoinst.dll
C:\WINDOWS\system32\FhNXxyxx.ini
C:\WINDOWS\system32\FhNXxyxx.ini2
C:\WINDOWS\system32\hnexcrxg.dll
C:\WINDOWS\system32\jhmkbpaq.ini
C:\WINDOWS\system32\lonbsvfn.ini
C:\WINDOWS\system32\mklwkfal.ini
C:\WINDOWS\system32\mlkyhcur.ini
C:\WINDOWS\system32\oxnptynv.ini
C:\WINDOWS\system32\pAIiQXbc.ini
C:\WINDOWS\system32\pAIiQXbc.ini2
C:\WINDOWS\system32\qxfxmmel.ini
C:\WINDOWS\system32\ruchyklm.dll
C:\WINDOWS\system32\xvcmnvxt.ini
C:\WINDOWS\system32\xxyxXNhF.dll
C:\WINDOWS\system32\ybLmmUvw.ini
C:\WINDOWS\system32\ybLmmUvw.ini2
.
((((((((((((((((((((((((( Files Created from 2008-06-02 to 2008-07-02 )))))))))))))))))))))))))))))))
.
2008-07-02 16:29 . 2008-07-02 16:29 24,576 --a------ C:\WINDOWS\system32\VundoFixSVC.exe
2008-07-02 16:18 . 2008-07-02 16:29 <DIR> d-------- C:\VundoFix Backups
2008-07-02 03:12 . 2008-07-02 03:12 <DIR> d-------- C:\Program Files\Trend Micro
2008-06-19 09:17 . 2008-06-19 09:17 24,576 --a------ C:\WINDOWS\system32\opnlJcDu.V00dll
2008-06-19 01:39 . 2008-06-19 01:39 <DIR> d-------- C:\Program Files\Microsoft Works
2008-06-19 01:39 . 2008-06-19 01:39 <DIR> d-------- C:\Program Files\Common Files\L&H
2008-06-19 01:38 . 2008-06-19 01:38 <DIR> d-------- C:\Program Files\Microsoft.NET
2008-06-18 14:40 . 2008-06-18 14:40 24,576 --a------ C:\WINDOWS\system32\opnlJcDu.Vdll
2008-06-18 02:57 . 2008-06-18 02:57 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\ScummVM
2008-06-18 02:22 . 2007-11-20 11:46 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Creative
2008-06-18 02:22 . 2008-06-18 02:22 <DIR> d-------- C:\Documents and Settings\Administrator
2008-06-14 16:11 . 2008-07-02 16:34 110,465 --a------ C:\WINDOWS\BMeb733f60.xml
2008-06-13 05:11 . 2008-06-13 05:11 <DIR> d-------- C:\Program Files\iTunes
2008-06-13 05:11 . 2008-06-13 05:11 <DIR> d-------- C:\Program Files\iPod
2008-06-13 05:10 . 2008-06-13 05:11 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-06-13 05:09 . 2008-06-13 05:09 <DIR> d-------- C:\Program Files\Common Files\Apple
2008-06-12 01:53 . 2008-06-13 23:10 272,128 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys
2008-06-09 17:15 . 2008-06-09 17:15 244 --ah----- C:\sqmnoopt06.sqm
2008-06-09 17:15 . 2008-06-09 17:15 232 --ah----- C:\sqmdata06.sqm
2008-06-04 13:58 . 2008-06-04 13:58 <DIR> d-------- C:\Program Files\UHS
2008-06-04 13:58 . 2008-06-04 13:59 <DIR> d-------- C:\Documents and Settings\Ryan Annells\Application Data\UHS Reader
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-01 04:21 --------- d-----w C:\Program Files\Warcraft III
2008-06-27 02:46 --------- d-----w C:\Program Files\World of Warcraft
2008-06-18 15:37 --------- d-----w C:\Documents and Settings\Ryan Annells\Application Data\uTorrent
2008-06-17 17:00 --------- d-----w C:\Program Files\ScummVM
2008-06-13 18:07 --------- d-----w C:\Program Files\Common Files\Adobe
2008-06-13 13:10 272,128 ------w C:\WINDOWS\system32\drivers\bthport.sys
2008-06-12 19:11 --------- d-----w C:\Program Files\Bonjour
2008-06-12 19:11 --------- d-----w C:\Documents and Settings\Ryan Annells\Application Data\Apple Computer
2008-06-12 19:10 --------- d-----w C:\Program Files\QuickTime
2008-06-11 05:04 --------- d-----w C:\Documents and Settings\Ryan Annells\Application Data\U3
2008-06-09 07:00 --------- d-----w C:\Documents and Settings\Ryan Annells\Application Data\LimeWire
2008-05-25 05:37 --------- d-----w C:\Program Files\prawn
2008-05-13 17:55 --------- d-----w C:\Program Files\Ventrilo
2008-05-13 17:55 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-05-13 17:49 --------- d-----w C:\Program Files\VentSrv
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-05-03 00:02 --------- d-----w C:\Documents and Settings\All Users\Application Data\FLEXnet
2008-05-02 23:19 --------- d-----w C:\Program Files\Common Files\Macrovision Shared
2008-05-02 22:47 --------- d-----w C:\Documents and Settings\Ryan Annells\Application Data\ScummVM
2008-05-02 22:39 --------- d-----w C:\Program Files\MagicISO
2008-05-02 22:30 --------- d-----w C:\Documents and Settings\Ryan Annells\Application Data\DivX
2008-05-02 22:22 --------- d-----w C:\Program Files\LucasArts
2008-04-22 22:26 1,735,388 ----a-w C:\DSL-502T_USB_Driver_Setup.exe
2008-04-22 22:09 1,735,217 ----a-w C:\D-Link_DSL_USB_Driver_Windows_Vista.exe
2008-01-15 00:15 22,328 ----a-w C:\Documents and Settings\Ryan Annells\Application Data\PnkBstrK.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 17:56 15360]
"msnmsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-19 05:34 5724184]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2007-11-19 13:52 949376]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-10-05 11:14 8491008]
"NeroCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2003-07-13 19:49 155648]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-05-28 03:50 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-06-03 04:13 267048]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"SetDefaultMIDI"="MIDIDEF.EXE" [2006-08-12 08:42 25600 C:\WINDOWS\MIDIDEF.EXE]
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\Auth orizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Valve\\Steam\\SteamApps\\alucard08\\counter-strike source\\hl2.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\Flagship Studios\\Hellgate London\\Launcher.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"C:\\Program Files\\World of Warcraft\\Launcher.exe"=
"C:\\Program Files\\VentSrv\\ventrilo_srv.exe"=
"C:\\Program Files\\Electronic Arts\\Crytek\\Crysis\\Bin32\\Crysis.exe"=
"C:\\Program Files\\Electronic Arts\\Crytek\\Crysis\\Bin32\\CrysisDedicatedServer.exe"=
"C:\\WINDOWS\\system32\\PnkBstrA.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\Glob allyOpenPorts\List]
"6112:TCP"= 6112:TCP:Blizzard
"3724:TCP"= 3724:TCP:wow
S3 NPF;NetGroup Packet Filter Driver;C:\WINDOWS\system32\drivers\npf.sys [2007-11-07 06:22]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountp oints2\{7032f67c-2f2c-11dd-966a-0013d4f50344}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a
.
- - - - ORPHANS REMOVED - - - -
WebBrowser-{6638A9DE-0745-4292-8A2E-AE530E7B9B3F} - (no file)
HKCU-Run-Startup Manager - C:\Program Files\Advanced System Optimizer\startUp manager.exe
HKLM-Run-e8400cfc - C:\WINDOWS\system32\ruchyklm.dll
HKLM-Run-BMeb733f60 - C:\WINDOWS\system32\hnexcrxg.dll

**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-02 16:42:09
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\ESET\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2008-07-02 16:51:15 - machine was rebooted
ComboFix-quarantined-files.txt 2008-07-02 06:51:06
Pre-Run: 128,668,381,184 bytes free
Post-Run: 128,854,605,824 bytes free
157 --- E O F --- 2008-06-22 00:22:11


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:34:07 AM, on 7/4/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKUS\S-1-5-18\..\RunOnce: [SetDefaultMIDI] MIDIDEF.EXE /s:'Creative SoundFont Synthesizer' /w:'SB Audigy' (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [SetDefaultMIDI] MIDIDEF.EXE /s:'Creative SoundFont Synthesizer' /w:'SB Audigy' (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: CabBuilder - http://ak.imgag.com/imgag/kiw/toolba...lerControl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/micr...?1195444555093
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/Driver...sysreqlab2.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1195444542968
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
--
End of file - 6104 bytes
cybertech's Avatar
Computer Specs
Moderator with 59,463 posts.
  
Join Date: Apr 2002
Location: Washington State
04-Jul-2008, 10:38 AM #4
Open Notepad and copy and paste the text in the quote box below into it:
Quote:
KILLALL::
File::
C:\WINDOWS\BMeb733f60.xml
C:\WINDOWS\system32\ruchyklm.dll
C:\WINDOWS\system32\hnexcrxg.dll

Save the file to you desktop and name it CFScript.txt

Then drag the CFScript.txt into the ComboFix.exe as shown in the screenshot below.



This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply.


Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.

Click Exit on the Main menu to close the program.




Please download Malwarebytes Anti-Malware and save it to your desktop. alternate download link 1 alternate download link 2
  • Make sure you are connected to the Internet.
  • Double-click on Download_mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Quick Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply with a new hijackthis log.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.



Please do an online scan with Kaspersky WebScanner

Kaspersky online scanner uses JAVA tecnology to perform the scan. If you do not have the latest JAVA version, follow the instrutions below under Upgrading Java, to download and install the latest vesion.
  1. Read through the requirements and privacy statement and click on Accept button.
  2. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  3. When the downloads have finished, click on Settings.
  4. Make sure the following is checked.
    • Spyware, Adware, Dialers, and other potentially dangerous programs
      Archives
      Mail databases
  5. Click on My Computer under Scan.
  6. Once the scan is complete, it will display the results. Click on View Scan Report.
  7. You will see a list of infected items there. Click on Save Report As....
  8. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  9. Please post this log in your next reply.

Upgrading Java:
  • Download the latest version of Java Runtime Environment (JRE) 6 Update 6.
  • Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Select your Platform and check the box that says: "I agree to the Java SE Runtime Environment 6 License Agreement.".
  • Click on Continue.
  • Click on the link to download Windows Offline Installation (jre-6u6-windows-i586-p.exe) and save it to your desktop. Do NOT use the Sun Download Manager..
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on the download to install the newest version.(Vista users, right click on the jre-6u6-windows-i586-p.exe and select "Run as an Administrator.")
__________________
Microsoft MVP/Windows - Consumer Security


If we have helped you, please consider making a donation to TSG!
Closed Thread

THIS THREAD HAS EXPIRED.
Are you having the same problem? We have volunteers ready to answer your question, but first you'll have to join for free. Need help getting started? Check out our Welcome Guide.

« Previous Thread | Malware Removal & HijackThis Logs | Next Thread »

Currently Active Users Viewing This Thread: 1 (0 members and 1 guests)
 
WELCOME TO TECH SUPPORT GUY! Are you looking for the solution to your computer problem? Join our site today to ask your question -- for free! Our site is run completely by volunteers who help people like you solve computer problems. See our Welcome Guide to get started.



Thread Tools


Related Sites: 56k Dial-Up | Tech Gift Ideas | Mobile TechGuy | Advertise on TSG
Contact Us - HelpOnThe.Net - Archive - Terms of Service - Top
You Are Using:
Server ID
Advertisements do not imply our endorsement of that product or service.
All times are GMT -4. The time now is 01:40 AM.
Copyright © 1996 - 2008 TechGuy, Inc. All rights reserved.
Powered by vBulletin, Copyright © 2000 - 2008, Jelsoft Enterprises Ltd.
Search Engine Optimization by vBSEO 3.1.0
Powered by Cermak Technologies, Inc.