Tech Support Guy Forums > Security & Malware Removal > Malware Removal & HijackThis Logs >
Trojan/Virtumonde spyware
#1 -- ArmyofGhosts (Junior Member, 8 posts; Join Date: Jul 2008; Experience: Advanced), 16-Jul-2008, 07:55 PM
Trojan/Virtumonde spyware
Oh dear, it seems I have been infected with the Trojan/Virtumonde spyware which seems to be doing the rounds at the moment.

I’m running Windows SP2, have installed SuperAntiSpyware, Adaware, Spybot Search & Destroy and recently installed Kaspersky (free trial version). I have a router which I use for my firewall.

Spybot S&D is able to pick up Virtumonde and remove this, although post reboot it returns. I have taken a look at msconfig to see if anything untoward is starting up and it doesn’t appear there is (of course there probably is!). I have also taken a look at the HijackThis log and wasn’t really able to pick up anything. Kaspersky has detected various executables such as browser hijacks attempting to run and has prevented these from running.

Is someone kindly able to help me with removing this? Thank you!
#2 -- sjpritch25 (Distinguished Member, 6,966 posts; Join Date: Sep 2005; Location: Florida; Experience: Advanced), 19-Jul-2008, 12:03 AM
Welcome to TSG

Download Combofix from this webpage: http://www.bleepingcomputer.com/comb...o-use-combofix

**Note: It is important that it is saved directly to your desktop**

--------------------------------------------------------------------

1. Close any open browsers.

2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.


--------------------------------------------------------------------

Double click on combofix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
__________________
My Blog
Microsoft Valuable Professional Consumer--Security 2007-2009
If I have helped you, please make a donation to keep the site running. All proceeds go directly to the site!!! Donate Here
Concerned about Browser Security!!! Consider Mozilla Firefox 3.0 and NoScript
Operating System Ubuntu Hardy Heron 8.04
#3 -- ArmyofGhosts (Junior Member, 8 posts; Join Date: Jul 2008; Experience: Advanced), 19-Jul-2008, 07:25 PM
Combofix Log
Hi sjpritch25

Thanks for that. I have run ComboFix and have posted my logs from ComboFix and HijackThis:

ComboFix 08-07-19.1 - FooFoo 2008-07-20 10:33:45.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1473 [GMT 12:00]
Running from: C:\Documents and Settings\FooFoo\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\FooFoo\Application Data\inst.exe
C:\WINDOWS\cookies.ini
C:\WINDOWS\Downloaded Program Files\setup.inf
C:\WINDOWS\system32\bovstqse.ini
C:\WINDOWS\system32\esqtsvob.dll
C:\WINDOWS\system32\gjQAcfii.ini
C:\WINDOWS\system32\gjQAcfii.ini2
C:\WINDOWS\system32\glcdtyks.dll
C:\WINDOWS\system32\mcrh.tmp

.
((((((((((((((((((((((((( Files Created from 2008-06-19 to 2008-07-19 )))))))))))))))))))))))))))))))
.

2008-07-16 08:15 . 2008-07-16 08:15 0 --a------ C:\WINDOWS\system32\TwCBHyDE.exe.a_a
2008-07-13 21:33 . 2008-07-13 21:33 <DIR> d--h----- C:\WINDOWS\PIF
2008-07-13 10:19 . 2008-07-13 10:19 <DIR> d-------- C:\Program Files\Kaspersky Lab
2008-07-13 10:19 . 2008-07-20 08:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-07-13 10:19 . 2008-07-20 10:46 15,780,384 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-07-13 10:19 . 2008-07-20 10:45 241,604 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-07-13 10:19 . 2008-07-13 10:36 96,966 --a------ C:\WINDOWS\system32\drivers\klin.dat
2008-07-13 10:19 . 2008-07-13 10:36 88,774 --a------ C:\WINDOWS\system32\drivers\klick.dat
2008-07-13 10:19 . 2008-07-20 10:47 57,376 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2008-07-13 10:19 . 2008-07-20 10:45 15,776 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx
2008-07-13 10:18 . 2008-07-13 10:18 <DIR> d-------- C:\kav
2008-07-13 09:10 . 2008-07-13 22:00 <DIR> d-------- C:\fixwareout
2008-07-12 11:57 . 2008-07-12 11:57 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-07-12 11:57 . 2008-07-12 11:57 <DIR> d-------- C:\Documents and Settings\FooFoo\Application Data\SUPERAntiSpyware.com
2008-07-12 11:57 . 2008-07-12 11:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-07-12 11:26 . 2008-07-12 11:26 0 --a------ C:\WINDOWS\system32\tuGNwD11.exe.a_a
2008-07-08 19:34 . 2008-07-08 19:35 <DIR> d-------- C:\Program Files\Aspell
2008-07-08 19:33 . 2008-07-08 19:35 <DIR> d-------- C:\Program Files\Pidgin
2008-07-07 22:25 . 2008-07-20 10:20 4,958,588 --a------ C:\WINDOWS\{00000004-00000000-00000007-00001102-00000004-20021102}.BAK
2008-07-07 15:22 . 2008-07-07 15:22 <DIR> d-------- C:\WINDOWS\system32\NtmsData
2008-07-02 15:23 . 2008-07-02 15:23 <DIR> d-------- C:\VundoFix Backups
2008-07-02 15:15 . 2008-07-02 17:01 211 --a------ C:\WINDOWS\wininit.ini
2008-07-02 14:30 . 2008-07-02 14:30 <DIR> d-------- C:\Program Files\Trend Micro
2008-06-30 18:39 . 2008-06-30 18:39 <DIR> d-------- C:\Program Files\ViewSonic
2008-06-30 18:39 . 2008-06-30 18:40 102 --a------ C:\WINDOWS\VSWizard.ini
2008-06-30 17:30 . 2008-06-30 17:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\nView_Profiles
2008-06-30 17:24 . 2008-06-30 17:24 <DIR> d-------- C:\WINDOWS\nview
2008-06-30 17:24 . 2007-06-29 00:43 356,352 --a------ C:\WINDOWS\system32\nvudisp.exe
2008-06-30 17:24 . 2008-07-17 16:49 127,254 --a------ C:\WINDOWS\system32\nvapps.xml
2008-06-30 17:24 . 2007-06-29 00:43 17,463 --a------ C:\WINDOWS\system32\nvdisp.nvu
2008-06-30 17:23 . 2008-06-30 17:23 <DIR> d-------- C:\NVIDIA
2008-06-30 17:23 . 2007-06-29 01:54 356,352 --a------ C:\WINDOWS\system32\NVUNINST.EXE
2008-06-30 17:15 . 2008-06-30 17:15 664 --a------ C:\WINDOWS\system32\d3d9caps.dat
2008-06-29 14:03 . 2008-07-02 14:10 347 --ahs---- C:\WINDOWS\system32\HiRCffii.ini
2008-06-27 08:51 . 2008-06-27 08:51 <DIR> d-------- C:\Program Files\Handbrake
2008-06-19 20:16 . 2008-06-19 20:16 <DIR> d-------- C:\Program Files\Axis Communications

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-19 20:45 --------- d-----w C:\Program Files\LogMeIn
2008-07-19 04:13 --------- d-----w C:\Documents and Settings\FooFoo\Application Data\Azureus
2008-07-19 00:13 --------- d-----w C:\Documents and Settings\FooFoo\Application Data\.purple
2008-07-19 00:11 --------- d-----w C:\Documents and Settings\FooFoo\Application Data\foobar2000
2008-07-18 04:47 --------- d-----w C:\Documents and Settings\FooFoo\Application Data\dvdcss
2008-07-18 04:20 --------- d-----w C:\Documents and Settings\FooFoo\Application Data\Vso
2008-07-16 08:35 --------- d-----w C:\Documents and Settings\FooFoo\Application Data\gtk-2.0
2008-07-13 09:42 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-07-12 22:36 112,144 ----a-w C:\WINDOWS\system32\drivers\kl1.sys
2008-07-11 23:57 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-07-08 07:03 --------- d-----w C:\Documents and Settings\FooFoo\Application Data\Skype
2008-07-02 02:35 --------- d-----w C:\Documents and Settings\FooFoo\Application Data\HouseCall 6.6
2008-07-01 22:07 --------- d-----w C:\Program Files\Azureus
2008-06-30 06:40 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-06-28 03:14 --------- d-----w C:\Documents and Settings\All Users\Application Data\DVD Shrink
2008-06-26 09:35 30 ----a-w C:\Program Files\Exiferupdate.ini
2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-13 13:10 272,128 ------w C:\WINDOWS\system32\drivers\bthport.sys
2008-06-10 10:28 --------- d-----w C:\Program Files\MSECache
2008-06-06 09:35 --------- d-----w C:\Program Files\MediaMonkey
2008-05-27 04:24 --------- d-----w C:\Program Files\Driver Sweeper
2008-05-27 04:20 --------- d-----w C:\Program Files\Driver Cleaner Pro
2008-05-21 08:23 --------- d-----w C:\Program Files\Nokia
2008-05-21 08:23 --------- d-----w C:\Program Files\Common Files\Nokia
2008-05-19 03:24 83,288 ----a-w C:\WINDOWS\system32\LMIRfsClientNP.dll
2008-05-19 03:23 87,352 ----a-w C:\WINDOWS\system32\LMIinit.dll
2008-05-19 03:23 24,608 ----a-w C:\WINDOWS\system32\LMIport.dll
2008-05-19 03:23 23,736 ----a-w C:\WINDOWS\system32\lmimirr.dll
2008-05-19 03:23 10,040 ----a-w C:\WINDOWS\system32\lmimirr2.dll
2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2008-04-23 04:16 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-03-28 22:45 32 ----a-w C:\Documents and Settings\All Users\Application Data\ezsid.dat
2008-02-15 11:36 47,360 ----a-w C:\Documents and Settings\FooFoo\Application Data\pcouffin.sys
2007-09-24 10:46 56 --sh--r C:\WINDOWS\system32\EF38DE41A8.sys
2007-09-24 10:46 2,722 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 13:07 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-08-01 19:55 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2006-09-15 08:09 157592]
"LogMeIn GUI"="C:\Program Files\LogMeIn\x86\LogMeInSystray.exe" [2007-04-17 14:03 63048]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 03:25 144784]
"NSLauncher"="C:\Program Files\Nokia\Nokia Software Launcher\NSLauncher.exe" [2007-09-07 13:44 3100672]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-06-29 00:43 8466432]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-06-29 00:43 81920]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-03-28 23:37 413696]
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe" [2008-02-08 18:36 227856]
"CTHelper"="CTHELPER.EXE" [2006-08-11 14:56 17920 C:\WINDOWS\CTHELPER.EXE]
"CTxfiHlp"="CTXFIHLP.EXE" [2006-08-11 14:56 18944 C:\WINDOWS\system32\CTXFIHLP.EXE]
"nwiz"="nwiz.exe" [2007-06-29 00:43 1626112 C:\WINDOWS\system32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 13:07 15360]
"Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [2007-09-28 13:17 443968]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 10:13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2008-05-19 15:23 87352 C:\WINDOWS\system32\LMIinit.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.ac3filter"= ac3filter.acm
"vidc.DIV3"= DivXc32.dll
"vidc.DIV4"= DivXc32f.dll
"msacm.divxa32"= DivXa32.acm
"msacm.l3codec"= l3codecp.acm
"VIDC.AP41"= APmpg4v1.dll
"VIDC.HFYU"= huffyuv.dll
"VIDC.mjpg"= mcmjpg32.dll

[HKLM\~\startupfolder\C:^Documents and Settings^FooFoo^Start Menu^Programs^Startup^PowerReg Scheduler.exe]
path=C:\Documents and Settings\FooFoo\Start Menu\Programs\Startup\PowerReg Scheduler.exe
backup=C:\WINDOWS\pss\PowerReg Scheduler.exeStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ALi5289]
--------- 2005-03-10 14:56 405504 C:\Program Files\ULI5289\ALi5289.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
--a------ 2006-11-16 19:04 139264 C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-03-30 10:36 267048 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2006-01-12 15:40 155648 C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-03-28 23:37 413696 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
--------- 2006-10-18 21:05 204288 C:\Program Files\Windows Media Player\wmpnscfg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CtxfiReg]
--a------ 2006-08-11 14:53 42496 C:\WINDOWS\system32\CTXFIREG.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Games\\THQ\\Gas Powered Games\\Supreme Commander\\bin\\SupremeCommander.exe"=
"C:\\Games\\THQ\\Gas Powered Games\\GPGNet\\GPG.Multiplayer.Client.exe"=
"C:\\Games\\Sierra Entertainment\\World in Conflict\\wic.exe"=
"C:\\Games\\Sierra Entertainment\\World in Conflict\\wic_online.exe"=
"C:\\Games\\Sierra Entertainment\\World in Conflict\\wic_ds.exe"=
"C:\\Program Files\\SiSoftware\\SiSoftware Sandra Professional Business XII.SP1\\Win32\\RpcDataSrv.exe"=
"C:\\Program Files\\SiSoftware\\SiSoftware Sandra Professional Business XII.SP1\\RpcSandraSrv.exe"=
"C:\\Program Files\\Microsoft Games\\Age of Empires III\\age3x.exe"=
"C:\\Program Files\\Microsoft Games\\Age of Empires III\\age3y.exe"=
"C:\\Games\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"C:\\Games\\Ubisoft\\Lost Via Domus\\Yeti_Final_Win32.exe"=
"C:\\Games\\Ubisoft\\Lost Via Domus\\gu.exe"=
"C:\\Games\\Ubisoft\\Lost Via Domus\\detection\\Launcher.exe"=
"C:\\Games\\Firaxis Games\\Sid Meier's Civilization 4\\Civilization4.exe"=
"C:\\Games\\Firaxis Games\\Sid Meier's Civilization 4\\Beyond the Sword\\Civ4BeyondSword.exe"=
"C:\\Games\\Firaxis Games\\Sid Meier's Civilization 4\\Beyond the Sword\\Civ4BeyondSword_PitBoss.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R0 JAHCI;JAHCI;C:\WINDOWS\system32\DRIVERS\JAHCI.sys [2005-05-13 01:12]
R0 m5289;m5289;C:\WINDOWS\system32\DRIVERS\m5289.sys [2004-12-01 10:49]
R0 Pnp680;SiI 680 ATA Controller;C:\WINDOWS\system32\DRIVERS\pnp680.sys [2006-06-20 12:36]
R0 uliagpkx;ULi AGP Bus Filter Driver;C:\WINDOWS\system32\DRIVERS\agpkx.sys [2005-05-03 17:31]
R2 LMIInfo;LogMeIn Kernel Information Provider;C:\Program Files\LogMeIn\x86\RaInfo.sys [2008-02-28 15:31]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;C:\WINDOWS\system32\drivers\LMIRfsDriver.sys [2008-03-07 13:39]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;C:\WINDOWS\system32\DRIVERS\klim5.sys [2007-12-13 13:28]
R3 ULI5261XP;ULi M526X Ethernet NT Driver;C:\WINDOWS\system32\DRIVERS\ULILAN51.SYS [2005-03-22 20:36]
S3 nmwcdnsu;Nokia USB Flashing Phone Parent;C:\WINDOWS\system32\drivers\nmwcdnsu.sys [2008-02-01 15:17]
S3 nmwcdnsuc;Nokia USB Flashing Generic;C:\WINDOWS\system32\drivers\nmwcdnsuc.sys [2008-02-01 15:17]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\J]
\Shell\AutoRun\command - J:\AutoRunCD.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\K]
\Shell\AutoRun\command - K:\autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{64fbc724-f003-11dc-a7ce-00138f5159b4}]
\Shell\AutoRun\command - N:\LaunchU3.exe
.
Contents of the 'Scheduled Tasks' folder
"2008-07-10 20:22:05 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-07-14 12:53:00 C:\WINDOWS\Tasks\At1.job"
- C:\WINDOWS\system32\TwCBHyDE.exe
"2008-07-19 21:00:00 C:\WINDOWS\Tasks\At10.job"
- C:\WINDOWS\system32\TwCBHyDE.exe
"2008-07-19 22:00:00 C:\WINDOWS\Tasks\At11.job"
- C:\WINDOWS\system32\TwCBHyDE.exe
"2008-07-19 23:00:00 C:\WINDOWS\Tasks\At12.job"
- C:\WINDOWS\system32\TwCBHyDE.exe
"2008-07-19 00:00:00 C:\WINDOWS\Tasks\At13.job"
- C:\WINDOWS\system32\TwCBHyDE.exe
"2008-07-19 01:00:00 C:\WINDOWS\Tasks\At14.job"
- C:\WINDOWS\system32\TwCBHyDE.exe
"2008-07-19 02:00:00 C:\WINDOWS\Tasks\At15.job"
- C:\WINDOWS\system32\TwCBHyDE.exe
"2008-07-19 03:00:00 C:\WINDOWS\Tasks\At16.job"
- C:\WINDOWS\system32\TwCBHyDE.exe
"2008-07-19 04:00:00 C:\WINDOWS\Tasks\At17.job"
- C:\WINDOWS\system32\TwCBHyDE.exe
"2008-07-18 05:00:00 C:\WINDOWS\Tasks\At18.job"
- C:\WINDOWS\system32\TwCBHyDE.exe
"2008-07-18 06:00:00 C:\WINDOWS\Tasks\At19.job"
- C:\WINDOWS\system32\TwCBHyDE.exe
"2008-07-14 13:00:00 C:\WINDOWS\Tasks\At2.job"
- C:\WINDOWS\system32\TwCBHyDE.exe
"2008-07-19 07:00:00 C:\WINDOWS\Tasks\At20.job"
- C:\WINDOWS\system32\TwCBHyDE.exe
"2008-07-19 08:00:00 C:\WINDOWS\Tasks\At21.job"
- C:\WINDOWS\system32\TwCBHyDE.exe
"2008-07-19 09:00:00 C:\WINDOWS\Tasks\At22.job"
- C:\WINDOWS\system32\TwCBHyDE.exe
"2008-07-18 10:00:00 C:\WINDOWS\Tasks\At23.job"
- C:\WINDOWS\system32\TwCBHyDE.exe
"2008-07-18 11:00:00 C:\WINDOWS\Tasks\At24.job"
- C:\WINDOWS\system32\TwCBHyDE.exe
"2008-07-14 12:09:00 C:\WINDOWS\Tasks\At25.job"
- C:\WINDOWS\system32\tuGNwD11.exe
"2008-07-14 13:00:00 C:\WINDOWS\Tasks\At26.job"
- C:\WINDOWS\system32\tuGNwD11.exe
"2008-07-14 14:00:00 C:\WINDOWS\Tasks\At27.job"
- C:\WINDOWS\system32\tuGNwD11.exe
"2008-07-14 15:00:00 C:\WINDOWS\Tasks\At28.job"
- C:\WINDOWS\system32\tuGNwD11.exe
"2008-07-14 16:00:00 C:\WINDOWS\Tasks\At29.job"
- C:\WINDOWS\system32\tuGNwD11.exe
"2008-07-14 14:00:00 C:\WINDOWS\Tasks\At3.job"
- C:\WINDOWS\system32\TwCBHyDE.exe
"2008-07-14 17:00:00 C:\WINDOWS\Tasks\At30.job"
- C:\WINDOWS\system32\tuGNwD11.exe
"2008-07-14 18:00:00 C:\WINDOWS\Tasks\At31.job"
- C:\WINDOWS\system32\tuGNwD11.exe
"2008-07-17 19:00:00 C:\WINDOWS\Tasks\At32.job"
- C:\WINDOWS\system32\tuGNwD11.exe
"2008-07-17 20:00:00 C:\WINDOWS\Tasks\At33.job"
- C:\WINDOWS\system32\tuGNwD11.exe
"2008-07-19 21:00:00 C:\WINDOWS\Tasks\At34.job"
- C:\WINDOWS\system32\tuGNwD11.exe
"2008-07-19 22:00:00 C:\WINDOWS\Tasks\At35.job"
- C:\WINDOWS\system32\tuGNwD11.exe
"2008-07-19 23:00:00 C:\WINDOWS\Tasks\At36.job"
- C:\WINDOWS\system32\tuGNwD11.exe
"2008-07-19 00:00:00 C:\WINDOWS\Tasks\At37.job"
- C:\WINDOWS\system32\tuGNwD11.exe
"2008-07-19 01:00:00 C:\WINDOWS\Tasks\At38.job"
- C:\WINDOWS\system32\tuGNwD11.exe
"2008-07-19 02:00:00 C:\WINDOWS\Tasks\At39.job"
- C:\WINDOWS\system32\tuGNwD11.exe
"2008-07-14 15:00:00 C:\WINDOWS\Tasks\At4.job"
- C:\WINDOWS\system32\TwCBHyDE.exe
"2008-07-19 03:00:00 C:\WINDOWS\Tasks\At40.job"
- C:\WINDOWS\system32\tuGNwD11.exe
"2008-07-19 04:00:00 C:\WINDOWS\Tasks\At41.job"
- C:\WINDOWS\system32\tuGNwD11.exe
"2008-07-18 05:00:01 C:\WINDOWS\Tasks\At42.job"
- C:\WINDOWS\system32\tuGNwD11.exe
"2008-07-18 06:00:00 C:\WINDOWS\Tasks\At43.job"
- C:\WINDOWS\system32\tuGNwD11.exe
"2008-07-19 07:00:00 C:\WINDOWS\Tasks\At44.job"
- C:\WINDOWS\system32\tuGNwD11.exe
"2008-07-19 08:00:00 C:\WINDOWS\Tasks\At45.job"
- C:\WINDOWS\system32\tuGNwD11.exe
"2008-07-19 09:00:00 C:\WINDOWS\Tasks\At46.job"
- C:\WINDOWS\system32\tuGNwD11.exe
"2008-07-18 10:00:00 C:\WINDOWS\Tasks\At47.job"
- C:\WINDOWS\system32\tuGNwD11.exe
"2008-07-18 11:00:00 C:\WINDOWS\Tasks\At48.job"
- C:\WINDOWS\system32\tuGNwD11.exe
"2008-07-14 12:48:03 C:\WINDOWS\Tasks\At49.job"
- C:\WINDOWS\system32\5en5w4w4.exe
"2008-07-14 16:00:01 C:\WINDOWS\Tasks\At5.job"
- C:\WINDOWS\system32\TwCBHyDE.exe
"2008-07-14 13:00:01 C:\WINDOWS\Tasks\At50.job"
- C:\WINDOWS\system32\5en5w4w4.exe
"2008-07-14 14:00:04 C:\WINDOWS\Tasks\At51.job"
- C:\WINDOWS\system32\5en5w4w4.exe
"2008-07-14 15:00:02 C:\WINDOWS\Tasks\At52.job"
- C:\WINDOWS\system32\5en5w4w4.exe
"2008-07-14 16:00:06 C:\WINDOWS\Tasks\At53.job"
- C:\WINDOWS\system32\5en5w4w4.exe
"2008-07-14 17:00:02 C:\WINDOWS\Tasks\At54.job"
- C:\WINDOWS\system32\5en5w4w4.exe
"2008-07-14 18:00:04 C:\WINDOWS\Tasks\At55.job"
- C:\WINDOWS\system32\5en5w4w4.exe
"2008-07-17 19:00:01 C:\WINDOWS\Tasks\At56.job"
- C:\WINDOWS\system32\5en5w4w4.exe
"2008-07-17 20:00:01 C:\WINDOWS\Tasks\At57.job"
- C:\WINDOWS\system32\5en5w4w4.exe
"2008-07-19 21:00:00 C:\WINDOWS\Tasks\At58.job"
- C:\WINDOWS\system32\5en5w4w4.exe
"2008-07-19 22:00:00 C:\WINDOWS\Tasks\At59.job"
- C:\WINDOWS\system32\5en5w4w4.exe
"2008-07-14 17:00:00 C:\WINDOWS\Tasks\At6.job"
- C:\WINDOWS\system32\TwCBHyDE.exe
"2008-07-19 23:00:00 C:\WINDOWS\Tasks\At60.job"
- C:\WINDOWS\system32\5en5w4w4.exe
"2008-07-19 00:00:00 C:\WINDOWS\Tasks\At61.job"
- C:\WINDOWS\system32\5en5w4w4.exe
"2008-07-19 01:00:00 C:\WINDOWS\Tasks\At62.job"
- C:\WINDOWS\system32\5en5w4w4.exe
"2008-07-19 02:00:00 C:\WINDOWS\Tasks\At63.job"
- C:\WINDOWS\system32\5en5w4w4.exe
"2008-07-19 03:00:00 C:\WINDOWS\Tasks\At64.job"
- C:\WINDOWS\system32\5en5w4w4.exe
"2008-07-19 04:00:00 C:\WINDOWS\Tasks\At65.job"
- C:\WINDOWS\system32\5en5w4w4.exe
"2008-07-18 05:00:01 C:\WINDOWS\Tasks\At66.job"
- C:\WINDOWS\system32\5en5w4w4.exe
"2008-07-18 06:00:00 C:\WINDOWS\Tasks\At67.job"
- C:\WINDOWS\system32\5en5w4w4.exe
"2008-07-19 07:00:00 C:\WINDOWS\Tasks\At68.job"
- C:\WINDOWS\system32\5en5w4w4.exe
"2008-07-19 08:00:00 C:\WINDOWS\Tasks\At69.job"
- C:\WINDOWS\system32\5en5w4w4.exe
"2008-07-14 18:00:00 C:\WINDOWS\Tasks\At7.job"
- C:\WINDOWS\system32\TwCBHyDE.exe
"2008-07-19 09:00:00 C:\WINDOWS\Tasks\At70.job"
- C:\WINDOWS\system32\5en5w4w4.exe
"2008-07-18 10:00:00 C:\WINDOWS\Tasks\At71.job"
- C:\WINDOWS\system32\5en5w4w4.exe
"2008-07-18 11:00:00 C:\WINDOWS\Tasks\At72.job"
- C:\WINDOWS\system32\5en5w4w4.exe
"2008-07-17 19:00:00 C:\WINDOWS\Tasks\At8.job"
- C:\WINDOWS\system32\TwCBHyDE.exe
"2008-07-17 20:00:00 C:\WINDOWS\Tasks\At9.job"
- C:\WINDOWS\system32\TwCBHyDE.exe
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-601ecf6f - C:\WINDOWS\system32\esqtsvob.dll


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-20 10:47:31
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\LogMeIn\x86\ramaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\WINDOWS\system32\rundll32.exe
.
**************************************************************************
.
Completion time: 2008-07-20 11:17:07 - machine was rebooted [FooFoo]
ComboFix-quarantined-files.txt 2008-07-19 23:16:03

Pre-Run: 19,138,838,528 bytes free
Post-Run: 19,204,481,024 bytes free

377 --- E O F --- 2008-07-19 02:00:57
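Reading the ComboFix output above the way a helper would, two things stand out: the 72 At<N>.job scheduled tasks that all launch one of three randomly named executables in system32 (TwCBHyDE.exe, tuGNwD11.exe, 5en5w4w4.exe), and the Security Center overrides plus the disabled firewall profile. The script below is an added example written for this page; it is not code from the thread, from ComboFix or from Tech Support Guy. It parses those two sections from a constructed excerpt laid out like the posted log (a subset of its lines) and reports exactly those findings, which is the triage a reviewer does before writing a fix script.

```python
"""Triage helper for a ComboFix log excerpt (added example; not ComboFix code).
Parses the 'Scheduled Tasks' section and the REGEDIT-style registry dump and
flags at.exe-created At<N>.job tasks that point at executables under system32,
plus Security Center overrides and a disabled Windows Firewall profile."""
import re
from collections import defaultdict

# Constructed excerpt in the posted log's layout (a subset of its lines).
SAMPLE_LOG = """\
[HKEY_LOCAL_MACHINE\\software\\microsoft\\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\\~\\services\\sharedaccess\\parameters\\firewallpolicy\\standardprofile]
"EnableFirewall"= 0 (0x0)
.
Contents of the 'Scheduled Tasks' folder
"2008-07-10 20:22:05 C:\\WINDOWS\\Tasks\\AppleSoftwareUpdate.job"
- C:\\Program Files\\Apple Software Update\\SoftwareUpdate.exe
"2008-07-14 12:53:00 C:\\WINDOWS\\Tasks\\At1.job"
- C:\\WINDOWS\\system32\\TwCBHyDE.exe
"2008-07-19 21:00:00 C:\\WINDOWS\\Tasks\\At10.job"
- C:\\WINDOWS\\system32\\TwCBHyDE.exe
"2008-07-14 12:09:00 C:\\WINDOWS\\Tasks\\At25.job"
- C:\\WINDOWS\\system32\\tuGNwD11.exe
"2008-07-14 12:48:03 C:\\WINDOWS\\Tasks\\At49.job"
- C:\\WINDOWS\\system32\\5en5w4w4.exe
.
- - - - ORPHANS REMOVED - - - -
"""

TASK_RE = re.compile(r'^"(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (.+\.job)"$')
TARGET_RE = re.compile(r'^- (.+)$')
AT_JOB_RE = re.compile(r'\\At\d+\.job$', re.IGNORECASE)  # job names at.exe generates
SYSTEM32_EXE_RE = re.compile(r'^C:\\WINDOWS\\system32\\[^\\]+\.exe$', re.IGNORECASE)
SECURITY_CENTER_KEY = r'hkey_local_machine\software\microsoft\security center'
FIREWALL_KEY = r'hklm\~\services\sharedaccess\parameters\firewallpolicy\standardprofile'


def parse_scheduled_tasks(log):
    """Return (timestamp, job path, target) triples. ComboFix lists each task as a
    quoted line followed by a '- target' line and ends the section with a lone dot."""
    tasks, lines, i, in_section = [], log.splitlines(), 0, False
    while i < len(lines):
        line = lines[i]
        if line.startswith("Contents of the 'Scheduled Tasks' folder"):
            in_section = True
        elif in_section:
            if line.strip() == '.':
                break
            m = TASK_RE.match(line)
            t = TARGET_RE.match(lines[i + 1]) if m and i + 1 < len(lines) else None
            if m and t:
                tasks.append((m.group(1), m.group(2), t.group(1)))
                i += 1  # the target line belongs to this task; skip it
        i += 1
    return tasks


def parse_registry_values(log):
    """Return {key (lower-cased): {value name: raw value}} for the REGEDIT-style blocks."""
    values, key = defaultdict(dict), None
    for line in log.splitlines():
        if line.startswith('[') and line.endswith(']'):
            key = line[1:-1].lower()
        elif line.strip() == '.':
            key = None  # section separator: what follows is not registry data
        elif key and line.startswith('"') and '=' in line:
            name, _, raw = line.partition('=')
            values[key][name.strip('"')] = raw.strip()
    return dict(values)


def suspicious_task_targets(tasks):
    """Group At<N>.job tasks by target, keeping only targets that are .exe files in system32."""
    by_target = defaultdict(list)
    for _, job, target in tasks:
        if AT_JOB_RE.search(job) and SYSTEM32_EXE_RE.match(target):
            by_target[target].append(job)
    return {target: sorted(jobs) for target, jobs in by_target.items()}


def security_center_findings(reg):
    """Flag Security Center overrides (dword 1) and a disabled firewall standard profile."""
    findings = []
    for name in ('AntiVirusOverride', 'FirewallOverride'):
        if reg.get(SECURITY_CENTER_KEY, {}).get(name, '').endswith('00000001'):
            findings.append(f'{name}=1: Security Center alerts for this component are suppressed')
    if reg.get(FIREWALL_KEY, {}).get('EnableFirewall', '').startswith('0'):
        findings.append('EnableFirewall=0: Windows Firewall standard profile is off')
    return findings


def triage(log):
    """Run both checks over one log text and return the findings."""
    return {
        'suspicious_tasks': suspicious_task_targets(parse_scheduled_tasks(log)),
        'security_center': security_center_findings(parse_registry_values(log)),
    }


if __name__ == '__main__':
    result = triage(SAMPLE_LOG)
    for target, jobs in result['suspicious_tasks'].items():
        print(f'{len(jobs):>3} At*.job task(s) -> {target}')
    print('\n'.join(result['security_center']))
```

Run against the full posted log, the task grouping collapses 72 job entries into three targets, which is the list a helper needs for the removal script; the legitimate AppleSoftwareUpdate.job is excluded because it is neither an at.exe-style name nor a system32 executable. The registry checks are deliberately narrow: they only report the two Security Center overrides and the firewall flag that appear in the posted dump.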
#4 -- ArmyofGhosts (Junior Member, 8 posts; Join Date: Jul 2008; Experience: Advanced), 19-Jul-2008, 07:28 PM
Hijack This log
And here is the HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:26:34 a.m., on 20/07/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\CTHELPER.EXE
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.nz/ig?hl=en&source=iglk
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [NSLauncher] C:\Program Files\Nokia\Nokia Software Launcher\NSLauncher.exe /startup
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15030/CTSUEng.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/ho...vex/hcImpl.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/ca..._2.3.2.100.cab
O16 - DPF: {556EEC63-31E2-47C3-BF29-DFF799D2FE04} (Remote Access ActiveX Client) - https://secure.logmein.com/activex/RACtrl.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/...toUploader.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab2.cab
O16 - DPF: {AA299E98-6FB5-409F-99D3-D30D749F4864} (kasRmtHlp Class) - http://lancare.lantech.co.nz/inc/kaxRemote.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.adobe.com/pub/shoc...sh/swflash.cab
O16 - DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} (AxisMediaControlEmb Class) - http://camera.buffalotrace.com/activex/AMC.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/softwareupda...5034/CTPID.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
O17 - HKLM\System\CCS\Services\Tcpip\..\{6F3134CF-B1FB-4F67-800E-CC28A25B2838}: NameServer = 203.96.152.4,203.96.152.12
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SiSoftware Database Agent Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Professional Business XII.SP1\Win32\RpcDataSrv.exe
O23 - Service: SiSoftware Sandra Agent Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Professional Business XII.SP1\RpcSandraSrv.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O24 - Desktop Component 0: (no name) - (no file)

--
End of file - 9013 bytes
sjpritch25
Distinguished Member with 6,966 posts.
Join Date: Sep 2005
Location: Florida
Experience: Advanced
19-Jul-2008, 08:49 PM #5
Download the attached file CFScript.txt to your Desktop

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at "C:\ComboFix.txt". In your next reply, please include the ComboFix log and a fresh HijackThis log.

Note:
Do not mouseclick ComboFix's window whilst it's running. That may cause it to stall.

Note: Please do not use this script on another computer, you may damage the system. The script is made especially for this user's computer only!!!!


=======================================


Please download Malwarebytes Anti-Malware from Here or Here
Double-click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform Quick Scan, then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & paste the entire report in your next reply.
Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with one of two prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.
Attached file: CFScript.txt (2.2 KB)
__________________
My Blog
Microsoft Valuable Professional Consumer--Security 2007-2009
If I have helped you, please make a donation to keep the site running. All proceeds go directly to the site!!! Donate Here
Concerned about Browser Security!!! Consider Mozilla Firefox 3.0 and NoScript
Operating System Ubuntu Hardy Heron 8.04
ArmyofGhosts
Junior Member with 8 posts.
Join Date: Jul 2008
Experience: Advanced
19-Jul-2008, 10:04 PM #6
ComboFix log
Thanks again.

Here is my latest ComboFix log:

ComboFix 08-07-19.1 - FooFoo 2008-07-20 13:29:38.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1509 [GMT 12:00]
Running from: C:\Documents and Settings\FooFoo\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\FooFoo\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\Documents and Settings\FooFoo\Start Menu\Programs\Startup\PowerReg Scheduler.exe
C:\WINDOWS\pss\PowerReg Scheduler.exe
C:\WINDOWS\system32\5en5w4w4.exe
C:\WINDOWS\system32\HiRCffii.ini
C:\WINDOWS\system32\tuGNwD11.exe
C:\WINDOWS\system32\TwCBHyDE.exe
C:\WINDOWS\Tasks\At1.job
C:\WINDOWS\Tasks\At10.job
C:\WINDOWS\Tasks\At11.job
C:\WINDOWS\Tasks\At12.job
C:\WINDOWS\Tasks\At13.job
C:\WINDOWS\Tasks\At14.job
C:\WINDOWS\Tasks\At15.job
C:\WINDOWS\Tasks\At16.job
C:\WINDOWS\Tasks\At17.job
C:\WINDOWS\Tasks\At18.job
C:\WINDOWS\Tasks\At19.job
C:\WINDOWS\Tasks\At2.job
C:\WINDOWS\Tasks\At20.job
C:\WINDOWS\Tasks\At21.job
C:\WINDOWS\Tasks\At22.job
C:\WINDOWS\Tasks\At23.job
C:\WINDOWS\Tasks\At24.job
C:\WINDOWS\Tasks\At25.job
C:\WINDOWS\Tasks\At26.job
C:\WINDOWS\Tasks\At27.job
C:\WINDOWS\Tasks\At28.job
C:\WINDOWS\Tasks\At29.job
C:\WINDOWS\Tasks\At3.job
C:\WINDOWS\Tasks\At30.job
C:\WINDOWS\Tasks\At31.job
C:\WINDOWS\Tasks\At32.job
C:\WINDOWS\Tasks\At33.job
C:\WINDOWS\Tasks\At34.job
C:\WINDOWS\Tasks\At35.job
C:\WINDOWS\Tasks\At36.job
C:\WINDOWS\Tasks\At37.job
C:\WINDOWS\Tasks\At38.job
C:\WINDOWS\Tasks\At39.job
C:\WINDOWS\Tasks\At4.job
C:\WINDOWS\Tasks\At40.job
C:\WINDOWS\Tasks\At41.job
C:\WINDOWS\Tasks\At42.job
C:\WINDOWS\Tasks\At43.job
C:\WINDOWS\Tasks\At44.job
C:\WINDOWS\Tasks\At45.job
C:\WINDOWS\Tasks\At46.job
C:\WINDOWS\Tasks\At47.job
C:\WINDOWS\Tasks\At48.job
C:\WINDOWS\Tasks\At49.job
C:\WINDOWS\Tasks\At5.job
C:\WINDOWS\Tasks\At50.job
C:\WINDOWS\Tasks\At51.job
C:\WINDOWS\Tasks\At52.job
C:\WINDOWS\Tasks\At53.job
C:\WINDOWS\Tasks\At54.job
C:\WINDOWS\Tasks\At55.job
C:\WINDOWS\Tasks\At56.job
C:\WINDOWS\Tasks\At57.job
C:\WINDOWS\Tasks\At58.job
C:\WINDOWS\Tasks\At59.job
C:\WINDOWS\Tasks\At6.job
C:\WINDOWS\Tasks\At60.job
C:\WINDOWS\Tasks\At61.job
C:\WINDOWS\Tasks\At62.job
C:\WINDOWS\Tasks\At63.job
C:\WINDOWS\Tasks\At64.job
C:\WINDOWS\Tasks\At65.job
C:\WINDOWS\Tasks\At66.job
C:\WINDOWS\Tasks\At67.job
C:\WINDOWS\Tasks\At68.job
C:\WINDOWS\Tasks\At69.job
C:\WINDOWS\Tasks\At7.job
C:\WINDOWS\Tasks\At70.job
C:\WINDOWS\Tasks\At71.job
C:\WINDOWS\Tasks\At72.job
C:\WINDOWS\Tasks\At8.job
C:\WINDOWS\Tasks\At9.job
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\HiRCffii.ini
C:\WINDOWS\Tasks\At1.job
C:\WINDOWS\Tasks\At10.job
C:\WINDOWS\Tasks\At11.job
C:\WINDOWS\Tasks\At12.job
C:\WINDOWS\Tasks\At13.job
C:\WINDOWS\Tasks\At14.job
C:\WINDOWS\Tasks\At15.job
C:\WINDOWS\Tasks\At16.job
C:\WINDOWS\Tasks\At17.job
C:\WINDOWS\Tasks\At18.job
C:\WINDOWS\Tasks\At19.job
C:\WINDOWS\Tasks\At2.job
C:\WINDOWS\Tasks\At20.job
C:\WINDOWS\Tasks\At21.job
C:\WINDOWS\Tasks\At22.job
C:\WINDOWS\Tasks\At23.job
C:\WINDOWS\Tasks\At24.job
C:\WINDOWS\Tasks\At25.job
C:\WINDOWS\Tasks\At26.job
C:\WINDOWS\Tasks\At27.job
C:\WINDOWS\Tasks\At28.job
C:\WINDOWS\Tasks\At29.job
C:\WINDOWS\Tasks\At3.job
C:\WINDOWS\Tasks\At30.job
C:\WINDOWS\Tasks\At31.job
C:\WINDOWS\Tasks\At32.job
C:\WINDOWS\Tasks\At33.job
C:\WINDOWS\Tasks\At34.job
C:\WINDOWS\Tasks\At35.job
C:\WINDOWS\Tasks\At36.job
C:\WINDOWS\Tasks\At37.job
C:\WINDOWS\Tasks\At38.job
C:\WINDOWS\Tasks\At39.job
C:\WINDOWS\Tasks\At4.job
C:\WINDOWS\Tasks\At40.job
C:\WINDOWS\Tasks\At41.job
C:\WINDOWS\Tasks\At42.job
C:\WINDOWS\Tasks\At43.job
C:\WINDOWS\Tasks\At44.job
C:\WINDOWS\Tasks\At45.job
C:\WINDOWS\Tasks\At46.job
C:\WINDOWS\Tasks\At47.job
C:\WINDOWS\Tasks\At48.job
C:\WINDOWS\Tasks\At49.job
C:\WINDOWS\Tasks\At5.job
C:\WINDOWS\Tasks\At50.job
C:\WINDOWS\Tasks\At51.job
C:\WINDOWS\Tasks\At52.job
C:\WINDOWS\Tasks\At53.job
C:\WINDOWS\Tasks\At54.job
C:\WINDOWS\Tasks\At55.job
C:\WINDOWS\Tasks\At56.job
C:\WINDOWS\Tasks\At57.job
C:\WINDOWS\Tasks\At58.job
C:\WINDOWS\Tasks\At59.job
C:\WINDOWS\Tasks\At6.job
C:\WINDOWS\Tasks\At60.job
C:\WINDOWS\Tasks\At61.job
C:\WINDOWS\Tasks\At62.job
C:\WINDOWS\Tasks\At63.job
C:\WINDOWS\Tasks\At64.job
C:\WINDOWS\Tasks\At65.job
C:\WINDOWS\Tasks\At66.job
C:\WINDOWS\Tasks\At67.job
C:\WINDOWS\Tasks\At68.job
C:\WINDOWS\Tasks\At69.job
C:\WINDOWS\Tasks\At7.job
C:\WINDOWS\Tasks\At70.job
C:\WINDOWS\Tasks\At71.job
C:\WINDOWS\Tasks\At72.job
C:\WINDOWS\Tasks\At8.job
C:\WINDOWS\Tasks\At9.job

.
((((((((((((((((((((((((( Files Created from 2008-06-20 to 2008-07-20 )))))))))))))))))))))))))))))))
.

2008-07-16 08:15 . 2008-07-16 08:15 0 --a------ C:\WINDOWS\system32\TwCBHyDE.exe.a_a
2008-07-13 21:33 . 2008-07-13 21:33 <DIR> d--h----- C:\WINDOWS\PIF
2008-07-13 10:19 . 2008-07-13 10:19 <DIR> d-------- C:\Program Files\Kaspersky Lab
2008-07-13 10:19 . 2008-07-20 08:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-07-13 10:19 . 2008-07-20 13:32 15,866,400 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-07-13 10:19 . 2008-07-20 10:45 241,604 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-07-13 10:19 . 2008-07-13 10:36 96,966 --a------ C:\WINDOWS\system32\drivers\klin.dat
2008-07-13 10:19 . 2008-07-13 10:36 88,774 --a------ C:\WINDOWS\system32\drivers\klick.dat
2008-07-13 10:19 . 2008-07-20 13:35 61,216 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2008-07-13 10:19 . 2008-07-20 10:45 15,776 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx
2008-07-13 10:18 . 2008-07-13 10:18 <DIR> d-------- C:\kav
2008-07-13 09:10 . 2008-07-13 22:00 <DIR> d-------- C:\fixwareout
2008-07-12 11:57 . 2008-07-12 11:57 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-07-12 11:57 . 2008-07-12 11:57 <DIR> d-------- C:\Documents and Settings\FooFoo\Application Data\SUPERAntiSpyware.com
2008-07-12 11:57 . 2008-07-12 11:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-07-12 11:26 . 2008-07-12 11:26 0 --a------ C:\WINDOWS\system32\tuGNwD11.exe.a_a
2008-07-08 19:34 . 2008-07-08 19:35 <DIR> d-------- C:\Program Files\Aspell
2008-07-08 19:33 . 2008-07-08 19:35 <DIR> d-------- C:\Program Files\Pidgin
2008-07-07 22:25 . 2008-07-20 13:28 4,958,588 --a------ C:\WINDOWS\{00000004-00000000-00000007-00001102-00000004-20021102}.BAK
2008-07-07 15:22 . 2008-07-07 15:22 <DIR> d-------- C:\WINDOWS\system32\NtmsData
2008-07-02 15:23 . 2008-07-02 15:23 <DIR> d-------- C:\VundoFix Backups
2008-07-02 15:15 . 2008-07-02 17:01 211 --a------ C:\WINDOWS\wininit.ini
2008-07-02 14:30 . 2008-07-02 14:30 <DIR> d-------- C:\Program Files\Trend Micro
2008-06-30 18:39 . 2008-06-30 18:39 <DIR> d-------- C:\Program Files\ViewSonic
2008-06-30 18:39 . 2008-06-30 18:40 102 --a------ C:\WINDOWS\VSWizard.ini
2008-06-30 17:30 . 2008-06-30 17:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\nView_Profiles
2008-06-30 17:24 . 2008-06-30 17:24 <DIR> d-------- C:\WINDOWS\nview
2008-06-30 17:24 . 2007-06-29 00:43 356,352 --a------ C:\WINDOWS\system32\nvudisp.exe
2008-06-30 17:24 . 2008-07-17 16:49 127,254 --a------ C:\WINDOWS\system32\nvapps.xml
2008-06-30 17:24 . 2007-06-29 00:43 17,463 --a------ C:\WINDOWS\system32\nvdisp.nvu
2008-06-30 17:23 . 2008-06-30 17:23 <DIR> d-------- C:\NVIDIA
2008-06-30 17:23 . 2007-06-29 01:54 356,352 --a------ C:\WINDOWS\system32\NVUNINST.EXE
2008-06-30 17:15 . 2008-06-30 17:15 664 --a------ C:\WINDOWS\system32\d3d9caps.dat
2008-06-27 08:51 . 2008-06-27 08:51 <DIR> d-------- C:\Program Files\Handbrake

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-20 01:28 --------- d-----w C:\Documents and Settings\FooFoo\Application Data\Azureus
2008-07-19 20:45 --------- d-----w C:\Program Files\LogMeIn
2008-07-19 00:13 --------- d-----w C:\Documents and Settings\FooFoo\Application Data\.purple
2008-07-19 00:11 --------- d-----w C:\Documents and Settings\FooFoo\Application Data\foobar2000
2008-07-18 04:47 --------- d-----w C:\Documents and Settings\FooFoo\Application Data\dvdcss
2008-07-18 04:20 --------- d-----w C:\Documents and Settings\FooFoo\Application Data\Vso
2008-07-16 08:35 --------- d-----w C:\Documents and Settings\FooFoo\Application Data\gtk-2.0
2008-07-13 09:42 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-07-12 22:36 112,144 ----a-w C:\WINDOWS\system32\drivers\kl1.sys
2008-07-11 23:57 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-07-08 07:03 --------- d-----w C:\Documents and Settings\FooFoo\Application Data\Skype
2008-07-02 02:35 --------- d-----w C:\Documents and Settings\FooFoo\Application Data\HouseCall 6.6
2008-07-01 22:07 --------- d-----w C:\Program Files\Azureus
2008-06-30 06:40 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-06-28 03:14 --------- d-----w C:\Documents and Settings\All Users\Application Data\DVD Shrink
2008-06-26 09:35 30 ----a-w C:\Program Files\Exiferupdate.ini
2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-19 08:16 --------- d-----w C:\Program Files\Axis Communications
2008-06-13 13:10 272,128 ------w C:\WINDOWS\system32\drivers\bthport.sys
2008-06-10 10:28 --------- d-----w C:\Program Files\MSECache
2008-06-06 09:35 --------- d-----w C:\Program Files\MediaMonkey
2008-05-27 04:24 --------- d-----w C:\Program Files\Driver Sweeper
2008-05-27 04:20 --------- d-----w C:\Program Files\Driver Cleaner Pro
2008-05-21 08:23 --------- d-----w C:\Program Files\Nokia
2008-05-21 08:23 --------- d-----w C:\Program Files\Common Files\Nokia
2008-05-19 03:24 83,288 ----a-w C:\WINDOWS\system32\LMIRfsClientNP.dll
2008-05-19 03:23 87,352 ----a-w C:\WINDOWS\system32\LMIinit.dll
2008-05-19 03:23 24,608 ----a-w C:\WINDOWS\system32\LMIport.dll
2008-05-19 03:23 23,736 ----a-w C:\WINDOWS\system32\lmimirr.dll
2008-05-19 03:23 10,040 ----a-w C:\WINDOWS\system32\lmimirr2.dll
2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2008-04-23 04:16 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-03-28 22:45 32 ----a-w C:\Documents and Settings\All Users\Application Data\ezsid.dat
2008-02-15 11:36 47,360 ----a-w C:\Documents and Settings\FooFoo\Application Data\pcouffin.sys
2007-09-24 10:46 56 --sh--r C:\WINDOWS\system32\EF38DE41A8.sys
2007-09-24 10:46 2,722 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 13:07 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-08-01 19:55 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2006-09-15 08:09 157592]
"LogMeIn GUI"="C:\Program Files\LogMeIn\x86\LogMeInSystray.exe" [2007-04-17 14:03 63048]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 03:25 144784]
"NSLauncher"="C:\Program Files\Nokia\Nokia Software Launcher\NSLauncher.exe" [2007-09-07 13:44 3100672]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-06-29 00:43 8466432]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-06-29 00:43 81920]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-03-28 23:37 413696]
"CTHelper"="CTHELPER.EXE" [2006-08-11 14:56 17920 C:\WINDOWS\CTHELPER.EXE]
"CTxfiHlp"="CTXFIHLP.EXE" [2006-08-11 14:56 18944 C:\WINDOWS\system32\CTXFIHLP.EXE]
"nwiz"="nwiz.exe" [2007-06-29 00:43 1626112 C:\WINDOWS\system32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 13:07 15360]
"Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [2007-09-28 13:17 443968]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\Shell ExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 10:13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2008-05-19 15:23 87352 C:\WINDOWS\system32\LMIinit.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.ac3filter"= ac3filter.acm
"vidc.DIV3"= DivXc32.dll
"vidc.DIV4"= DivXc32f.dll
"msacm.divxa32"= DivXa32.acm
"msacm.l3codec"= l3codecp.acm
"VIDC.AP41"= APmpg4v1.dll
"VIDC.HFYU"= huffyuv.dll
"VIDC.mjpg"= mcmjpg32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ALi5289]
--------- 2005-03-10 14:56 405504 C:\Program Files\ULI5289\ALi5289.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
--a------ 2006-11-16 19:04 139264 C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-03-30 10:36 267048 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2006-01-12 15:40 155648 C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-03-28 23:37 413696 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
--------- 2006-10-18 21:05 204288 C:\Program Files\Windows Media Player\wmpnscfg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CtxfiReg]
--a------ 2006-08-11 14:53 42496 C:\WINDOWS\system32\CTXFIREG.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Games\\THQ\\Gas Powered Games\\Supreme Commander\\bin\\SupremeCommander.exe"=
"C:\\Games\\THQ\\Gas Powered Games\\GPGNet\\GPG.Multiplayer.Client.exe"=
"C:\\Games\\Sierra Entertainment\\World in Conflict\\wic.exe"=
"C:\\Games\\Sierra Entertainment\\World in Conflict\\wic_online.exe"=
"C:\\Games\\Sierra Entertainment\\World in Conflict\\wic_ds.exe"=
"C:\\Program Files\\SiSoftware\\SiSoftware Sandra Professional Business XII.SP1\\Win32\\RpcDataSrv.exe"=
"C:\\Program Files\\SiSoftware\\SiSoftware Sandra Professional Business XII.SP1\\RpcSandraSrv.exe"=
"C:\\Program Files\\Microsoft Games\\Age of Empires III\\age3x.exe"=
"C:\\Program Files\\Microsoft Games\\Age of Empires III\\age3y.exe"=
"C:\\Games\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"C:\\Games\\Ubisoft\\Lost Via Domus\\Yeti_Final_Win32.exe"=
"C:\\Games\\Ubisoft\\Lost Via Domus\\gu.exe"=
"C:\\Games\\Ubisoft\\Lost Via Domus\\detection\\Launcher.exe"=
"C:\\Games\\Firaxis Games\\Sid Meier's Civilization 4\\Civilization4.exe"=
"C:\\Games\\Firaxis Games\\Sid Meier's Civilization 4\\Beyond the Sword\\Civ4BeyondSword.exe"=
"C:\\Games\\Firaxis Games\\Sid Meier's Civilization 4\\Beyond the Sword\\Civ4BeyondSword_PitBoss.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R0 JAHCI;JAHCI;C:\WINDOWS\system32\DRIVERS\JAHCI.sys [2005-05-13 01:12]
R0 m5289;m5289;C:\WINDOWS\system32\DRIVERS\m5289.sys [2004-12-01 10:49]
R0 Pnp680;SiI 680 ATA Controller;C:\WINDOWS\system32\DRIVERS\pnp680.sys [2006-06-20 12:36]
R0 uliagpkx;ULi AGP Bus Filter Driver;C:\WINDOWS\system32\DRIVERS\agpkx.sys [2005-05-03 17:31]
R2 LMIInfo;LogMeIn Kernel Information Provider;C:\Program Files\LogMeIn\x86\RaInfo.sys [2008-02-28 15:31]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;C:\WINDOWS\system32\drivers\LMIRfsDriver.sys [2008-03-07 13:39]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;C:\WINDOWS\system32\DRIVERS\klim5.sys [2007-12-13 13:28]
R3 ULI5261XP;ULi M526X Ethernet NT Driver;C:\WINDOWS\system32\DRIVERS\ULILAN51.SYS [2005-03-22 20:36]
S3 nmwcdnsu;Nokia USB Flashing Phone Parent;C:\WINDOWS\system32\drivers\nmwcdnsu.sys [2008-02-01 15:17]
S3 nmwcdnsuc;Nokia USB Flashing Generic;C:\WINDOWS\system32\drivers\nmwcdnsuc.sys [2008-02-01 15:17]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\J]
\Shell\AutoRun\command - J:\AutoRunCD.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\K]
\Shell\AutoRun\command - K:\autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{64fbc724-f003-11dc-a7ce-00138f5159b4}]
\Shell\AutoRun\command - N:\LaunchU3.exe
.
Contents of the 'Scheduled Tasks' folder
"2008-07-10 20:22:05 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-20 13:35:29
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************
.
Completion time: 2008-07-20 13:54:37
ComboFix-quarantined-files.txt 2008-07-20 01:53:34
ComboFix2.txt 2008-07-19 23:17:08

Pre-Run: 18,918,019,072 bytes free
Post-Run: 18,920,247,296 bytes free

357 --- E O F --- 2008-07-19 02:00:57
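What the ComboFix log above records is the Virtumonde persistence this thread is cleaning up: dozens of At<N>.job files in C:\WINDOWS\Tasks (the naming at.exe gives the jobs it schedules; 72 of them were deleted here), randomly named executables and an .ini dropped straight into system32, Security Center override values and the XP firewall switched off, and AutoRun handlers registered for removable drive letters. The Python script below is an added example, not a tool from the thread or from ComboFix; it reads a ComboFix-style log and pulls those patterns out for review. The sample log is a constructed excerpt of the one posted (six of the 72 At*.job lines, the four system32 files from the CFScript, a legitimate NVIDIA file as a negative case, and the registry block), the 8-character-name heuristic and the job-count threshold are assumptions, and every hit is a review cue rather than a verdict: a third-party suite such as the Kaspersky install on this machine legitimately writes a Security Center\Monitoring entry for itself, and the override values can be set by the user, so those values have to be checked against what the AV actually configured.

```python
"""Pull Virtumonde-style persistence cues out of a ComboFix log (added example)."""
import re

# Constructed excerpt of the ComboFix log posted above: six of the 72 At*.job
# lines, the four files the CFScript removed from system32, one legitimate
# NVIDIA file (nvudisp.exe) as a negative case, and the registry block.
SAMPLE_LOG = r'''
FILE ::
C:\WINDOWS\system32\5en5w4w4.exe
C:\WINDOWS\system32\HiRCffii.ini
C:\WINDOWS\system32\tuGNwD11.exe
C:\WINDOWS\system32\TwCBHyDE.exe
C:\WINDOWS\system32\nvudisp.exe
C:\WINDOWS\Tasks\At1.job
C:\WINDOWS\Tasks\At10.job
C:\WINDOWS\Tasks\At11.job
C:\WINDOWS\Tasks\At2.job
C:\WINDOWS\Tasks\At3.job
C:\WINDOWS\Tasks\At72.job
REGEDIT4
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\J]
\Shell\AutoRun\command - J:\AutoRunCD.exe
'''

AT_JOB = re.compile(r"\\Tasks\\At\d+\.job$", re.I)  # naming used by at.exe jobs
SYS32_SHORT = re.compile(r"\\system32\\([A-Za-z0-9]{8})\.(?:exe|dll|ini)(?:\.a_a)?$", re.I)
REG_KEY = re.compile(r"^\[(.+)\]$")
REG_VALUE = re.compile(r'^"([^"]+)"\s*=\s*(?:dword:)?([0-9A-Fa-f]+)(?:\s|$)')
AUTORUN = re.compile(r"^\\Shell\\AutoRun\\command - (.+)$")

# 8-character system32 binaries that legitimately contain digits (assumption: a
# short allow-list is enough for a first pass; extend it from your own baseline).
KNOWN_GOOD = {"rundll32", "regsvr32"}
SC_OVERRIDES = {"AntiVirusOverride", "FirewallOverride", "DisableMonitoring"}


def looks_random(stem):
    """Heuristic for dropped-file names such as tuGNwD11: an 8-character stem with
    digits or mixed case. A hit means 'check this file', not 'this is malware'."""
    if stem.lower() in KNOWN_GOOD:
        return False
    has_digit = any(c.isdigit() for c in stem)
    mixed_case = any(c.islower() for c in stem) and any(c.isupper() for c in stem)
    return has_digit or mixed_case


def triage_combofix(log_text):
    """Return the persistence cues found in a ComboFix-style log."""
    findings = {"at_jobs": 0, "suspicious_files": [], "security_center": [], "autorun": []}
    current_key = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if AT_JOB.search(line):
            findings["at_jobs"] += 1
            continue
        m = SYS32_SHORT.search(line)
        if m and looks_random(m.group(1)):
            findings["suspicious_files"].append(line)
            continue
        m = REG_KEY.match(line)
        if m:
            current_key = m.group(1).lower()
            continue
        m = REG_VALUE.match(line)
        if m:
            name, value = m.group(1), int(m.group(2), 16)
            # Security Center told to ignore AV/firewall state, or the XP firewall
            # switched off: the AV suite may have done this, or something else did.
            if "security center" in current_key and name in SC_OVERRIDES and value != 0:
                findings["security_center"].append((name, value))
            elif "firewallpolicy" in current_key and name == "EnableFirewall" and value == 0:
                findings["security_center"].append((name, value))
            continue
        m = AUTORUN.match(line)
        if m:  # AutoRun handler registered under MountPoints2 for a drive letter
            findings["autorun"].append((current_key.rsplit("\\", 1)[-1], m.group(1)))
    return findings


def summarize(findings, at_job_threshold=5):
    """Render findings as reviewer notes; the job-count threshold is an assumption."""
    notes = []
    if findings["at_jobs"] >= at_job_threshold:
        notes.append(f"{findings['at_jobs']} At<N>.job files: bulk at.exe scheduling, inspect the Tasks folder")
    for path in findings["suspicious_files"]:
        notes.append(f"random-looking name in system32: {path}")
    for name, value in findings["security_center"]:
        notes.append(f"{name}={value}: confirm the AV suite, not malware, set this")
    for drive, cmd in findings["autorun"]:
        notes.append(f"AutoRun handler on drive {drive.upper()}: {cmd}")
    return notes


if __name__ == "__main__":
    for note in summarize(triage_combofix(SAMPLE_LOG)):
        print(note)
```

Run it against a full ComboFix.txt and the output is the short list a helper reads first; the AutoRun entries in this log (J:, K:, N:) are typical of CD and U3 drives and are listed only so they can be matched to known media.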
ArmyofGhosts
Junior Member with 8 posts.
Join Date: Jul 2008
Experience: Advanced
19-Jul-2008, 10:06 PM #7
HijackThis log
Here is my HijackThis log. I'm about to run Malwarebytes Anti-Malware and will post the log shortly.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:00:59 p.m., on 20/07/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.nz/ig?hl=en&source=iglk
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [NSLauncher] C:\Program Files\Nokia\Nokia Software Launcher\NSLauncher.exe /startup
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15030/CTSUEng.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/ho...vex/hcImpl.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/ca..._2.3.2.100.cab
O16 - DPF: {556EEC63-31E2-47C3-BF29-DFF799D2FE04} (Remote Access ActiveX Client) - https://secure.logmein.com/activex/RACtrl.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/...toUploader.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab2.cab
O16 - DPF: {AA299E98-6FB5-409F-99D3-D30D749F4864} (kasRmtHlp Class) - http://lancare.lantech.co.nz/inc/kaxRemote.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.adobe.com/pub/shoc...sh/swflash.cab
O16 - DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} (AxisMediaControlEmb Class) - http://camera.buffalotrace.com/activex/AMC.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/softwareupda...5034/CTPID.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
O17 - HKLM\System\CCS\Services\Tcpip\..\{6F3134CF-B1FB-4F67-800E-CC28A25B2838}: NameServer = 203.96.152.4,203.96.152.12
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SiSoftware Database Agent Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Professional Business XII.SP1\Win32\RpcDataSrv.exe
O23 - Service: SiSoftware Sandra Agent Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Professional Business XII.SP1\RpcSandraSrv.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O24 - Desktop Component 0: (no name) - (no file)

--
End of file - 9019 bytes
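Reading a HijackThis log by hand means scanning the same few sections every time: O4 Run entries, O16 downloaded ActiveX controls, the O17 nameservers, O20 Winlogon Notify DLLs, and anything that points at "(no file)". The Python below is an added example, not a tool from the thread or from HijackThis; it parses O-lines of the format posted above and pulls out the ones a helper would verify by hand: Run entries that name an executable without a path (so it is resolved through the PATH search order), ActiveX controls fetched over plain HTTP or from hosts outside an allow-list, the O17 resolvers compared against whatever set the reviewer passes in, every Winlogon Notify DLL, and every "(no file)" entry. The sample lines are a constructed excerpt copied from the log above, the trusted-host list and the expected-DNS set are assumptions the reviewer supplies, and a flagged entry is a review cue, not a verdict; the example makes no judgement about the O17 addresses in this log.

```python
"""Triage a HijackThis 2.0.2 log: list the entries a reviewer should verify (added example)."""
import re
from urllib.parse import urlparse

# Constructed excerpt of the HijackThis log posted above (lines copied as posted).
SAMPLE_HJT = r'''
Logfile of Trend Micro HijackThis v2.0.2
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {556EEC63-31E2-47C3-BF29-DFF799D2FE04} (Remote Access ActiveX Client) - https://secure.logmein.com/activex/RACtrl.cab
O16 - DPF: {AA299E98-6FB5-409F-99D3-D30D749F4864} (kasRmtHlp Class) - http://lancare.lantech.co.nz/inc/kaxRemote.dll
O16 - DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} (AxisMediaControlEmb Class) - http://camera.buffalotrace.com/activex/AMC.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{6F3134CF-B1FB-4F67-800E-CC28A25B2838}: NameServer = 203.96.152.4,203.96.152.12
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O24 - Desktop Component 0: (no name) - (no file)
'''

ENTRY = re.compile(r"^(R\d|O\d+) - (.*)$")
DPF = re.compile(r"^DPF: \{[0-9A-Fa-f-]+\} \((.*?)\) - (\S+)$")
RUN = re.compile(r"^HK.*?\\Run\S*: \[[^\]]+\] (.*)$")
NAMESERVER = re.compile(r"NameServer = ([\d.,]+)")

# Hosts an ActiveX download is expected from on this machine (assumption: the
# reviewer maintains this list; these three vendors appear in the posted log).
TRUSTED_DPF_HOSTS = {"secure.logmein.com", "housecall65.trendmicro.com", "fpdownload.adobe.com"}
# Loader binaries that legitimately appear without a path in Run entries.
PATHLESS_OK = {"rundll32.exe"}


def triage_hjt(log_text, expected_dns=None, trusted_hosts=TRUSTED_DPF_HOSTS):
    """Return review cues from a HijackThis log. expected_dns is the set of
    resolver IPs the reviewer knows to be correct (e.g. the ISP's); None skips the check."""
    findings = {"dns": [], "unexpected_dns": [], "dpf_review": [],
                "bare_run": [], "winlogon_notify": [], "no_file": []}
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY.match(line)
        if not m:
            continue
        section, body = m.groups()
        if "(no file)" in body:  # dangling registration: orphaned or partially removed
            findings["no_file"].append(line)
        if section == "O4":
            r = RUN.match(body)
            if r:
                first = r.group(1).split()[0].strip('"')
                # No path: Windows resolves it via the PATH search, so a planted
                # copy in an earlier directory would win.
                if "\\" not in first and first.lower() not in PATHLESS_OK:
                    findings["bare_run"].append(first)
        elif section == "O16":
            d = DPF.match(body)
            if d:
                name, url = d.groups()
                u = urlparse(url)
                if u.scheme != "https" or u.hostname not in trusted_hosts:
                    findings["dpf_review"].append((name, url))
        elif section == "O17":
            n = NAMESERVER.search(body)
            if n:
                ips = n.group(1).split(",")
                findings["dns"].extend(ips)
                if expected_dns is not None:
                    findings["unexpected_dns"].extend(ip for ip in ips if ip not in expected_dns)
        elif section == "O20":  # Winlogon Notify DLLs load into winlogon.exe at logon
            findings["winlogon_notify"].append(body)
    return findings


if __name__ == "__main__":
    for key, items in triage_hjt(SAMPLE_HJT).items():
        print(key, items)
```

Everything the script returns still needs a human decision: the O16 hits here are an online-scanner control, a remote-support control and an IP-camera viewer, all plausibly installed on purpose, and the single O20 entry is SUPERAntiSpyware's own DLL. The value is that the script reads the whole log the same way every time and leaves only those decisions to the reviewer.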
sjpritch25
Distinguished Member with 6,966 posts.
Join Date: Sep 2005
Location: Florida
Experience: Advanced
19-Jul-2008, 10:08 PM #8
MBAM log.
ArmyofGhosts
Junior Member with 8 posts.
Join Date: Jul 2008
Experience: Advanced
19-Jul-2008, 10:15 PM #9
Malwarebytes Anti-Malware log
And here is the Malwarebytes Anti-Malware log:

Malwarebytes' Anti-Malware 1.21
Database version: 967
Windows 5.1.2600 Service Pack 2

2:14:37 p.m. 20/07/2008
mbam-log-7-20-2008 (14-14-37).txt

Scan type: Quick Scan
Objects scanned: 41556
Time elapsed: 3 minute(s), 47 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\c:/windows/downloaded program files/unicows.dll (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\WINDOWS\Downloaded Program Files\unicows.dll (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\Downloaded Program Files\unicows.dll (Trojan.Agent) -> Quarantined and deleted successfully.
sjpritch25
Distinguished Member with 6,966 posts.
Join Date: Sep 2005
Location: Florida
Experience: Advanced
19-Jul-2008, 10:18 PM #10
How is everything running??
ArmyofGhosts
Junior Member with 8 posts.
Join Date: Jul 2008
Experie