
"Your Computer Is Infected Balloon" Complete Takeover of my PC - HJT log

3K views 16 replies 2 participants last post by  squishthebug 
#1 ·
Thanks for any and all help in advance.

I have gotten the virus with the little balloon that pops up over the system tray telling you that you are infected and should click the balloon to go to a site to download spyware software.

The machine cannot execute files related to spyware/virus removal. Internet sites are being blocked that have anything to do with spyware/virus removal.
Task Manager cannot be accessed. Manual adjustment is immediately countered by virus.

HJT will not run. So I followed the instructions in another post over to radiosplace.com to get the old version of HJT, which would execute.

This is my current log:

Logfile of HijackThis v1.99.1
Scan saved at 10:14:29 AM, on 11/25/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\uesiuqcr.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Nick\Desktop\tool.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\uesiuqcr.exe,
O1 - Hosts: 208.78.218.62 forums.clubsi.com
O2 - BHO: getfn32.msiets - {21A237A4-3A94-4198-911D-647ED2263DD2} - C:\WINDOWS\system32\getfn32.dll
O2 - BHO: agadoo browser enhancer - {21EB8D32-481C-725E-55E9-366A2CD95BB3} - C:\WINDOWS\system32\qfmprxavrqhwurtw.dll (file missing)
O2 - BHO: (no name) - {5CAB59B4-55A3-4737-9FD5-B93C6430BF77} - C:\WINDOWS\system32\pwadswjy.dll
O2 - BHO: (no name) - {73259091-9574-4ED8-A40F-7F65AFC28634} - C:\WINDOWS\system32\hGVnmmnl.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {76D1AE63-62F6-4F45-A867-96EDE7ED1FA5} - C:\WINDOWS\system32\mlJDwVMD.dll
O2 - BHO: {bd1aac48-f465-c78a-3484-fe82b656450b} - {b054656b-28ef-4843-a87c-564f84caa1db} - C:\WINDOWS\system32\xttsmn.dll
O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - AppInit_DLLs: jrbrnm.dll xttsmn.dll
O20 - Winlogon Notify: dimsntfy - %SystemRoot%\System32\dimsntfy.dll (file missing)
O20 - Winlogon Notify: hGVnmmnl - hGVnmmnl.dll (file missing)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

Where to go from here?
 
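An added triage script for the log format posted above (example code, not from this thread, HijackThis or ComboFix): it walks the line-oriented HJT entries and flags the classes the cleanup later in the thread acted on (the extra executable chained into UserInit, the hosts-file redirect, unnamed or missing BHOs, anything in AppInit_DLLs). The embedded sample is a constructed subset of the first log in this post; the severity labels and the system32 heuristic are my own assumptions.

```python
"""Triage helper for HijackThis (HJT) logs. Added example for this thread, not code
from HijackThis, ComboFix or the forum. It parses the line-oriented HJT format and
flags the entry classes that were cleaned up later in the thread. Heuristics only:
a hit means a human should look at it, not that it should be deleted automatically."""
import re
from dataclasses import dataclass

# Constructed sample: a subset of the lines from the first HJT log in this thread.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Scan saved at 10:14:29 AM, on 11/25/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\uesiuqcr.exe,
O1 - Hosts: 208.78.218.62 forums.clubsi.com
O2 - BHO: getfn32.msiets - {21A237A4-3A94-4198-911D-647ED2263DD2} - C:\WINDOWS\system32\getfn32.dll
O2 - BHO: (no name) - {5CAB59B4-55A3-4737-9FD5-B93C6430BF77} - C:\WINDOWS\system32\pwadswjy.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O20 - AppInit_DLLs: jrbrnm.dll xttsmn.dll
O20 - Winlogon Notify: hGVnmmnl - hGVnmmnl.dll (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

DEFAULT_USERINIT = r"c:\windows\system32\userinit.exe"  # all a stock XP box should have
DEFAULT_HOSTS = {("127.0.0.1", "localhost"), ("::1", "localhost")}  # normal hosts entries
LINE_RE = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<body>.*)$")


@dataclass(frozen=True)
class Finding:
    section: str   # HJT section code, e.g. "O20"
    severity: str  # "high": code runs in every process or at every logon; else "review"
    reason: str
    line: str      # the log line that produced the finding

def check_f2(body: str, line: str) -> list:
    """F2 - REG:system.ini: UserInit=<exe>,<exe>,  (each exe runs at every interactive logon)."""
    m = re.search(r"UserInit=(.*)$", body, re.IGNORECASE)
    if not m:
        return []
    exes = [x.strip().lower() for x in m.group(1).split(",") if x.strip()]
    return [Finding("F2", "high", f"extra executable chained into UserInit: {x}", line)
            for x in exes if x != DEFAULT_USERINIT]

def check_o1(body: str, line: str) -> list:
    """O1 - Hosts: <ip> <hostname>  (in this thread, used to block security sites)."""
    parts = body.partition(":")[2].split()
    if len(parts) < 2 or (parts[0], parts[1].lower()) in DEFAULT_HOSTS:
        return []
    return [Finding("O1", "review", f"hosts file maps {parts[1]} to {parts[0]}", line)]

def check_bho(section: str, body: str, line: str) -> list:
    """O2 - BHO: <name> - {CLSID} - <dll>   and   O3 - Toolbar: <name> - {CLSID} - <dll>."""
    try:
        name, _clsid, path = body.rsplit(" - ", 2)
    except ValueError:
        return []
    name, path = name.partition(":")[2].strip(), path.strip().lower()
    out = []
    if name == "(no name)":
        out.append(Finding(section, "review", "browser extension without a display name", line))
    if "(file missing)" in path:
        out.append(Finding(section, "review", "extension registered but its DLL is gone", line))
    elif "\\windows\\system32\\" in path:
        # Heuristic: legitimate BHOs normally install under Program Files, not system32.
        out.append(Finding(section, "review", f"extension DLL lives in system32: {path}", line))
    return out

def check_o20(body: str, line: str) -> list:
    """O20 - AppInit_DLLs: <dll> ...   and   O20 - Winlogon Notify: <name> - <dll>."""
    kind, _, rest = body.partition(":")
    if kind == "AppInit_DLLs":
        # Every DLL listed here is loaded into every process that loads user32.dll.
        return [Finding("O20", "high", f"AppInit_DLLs injects {dll}", line) for dll in rest.split()]
    if kind == "Winlogon Notify" and "(file missing)" in rest:
        return [Finding("O20", "review", "Winlogon notification package whose DLL is missing", line)]
    return []

CHECKS = {"F2": check_f2, "O1": check_o1, "O20": check_o20}

def triage(log_text: str) -> list:
    """Return all findings for one HJT log, in log order; non-entry lines are ignored."""
    findings = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # headers, the running-process list, blank lines
        section, body = m.group("section"), m.group("body")
        if section in ("O2", "O3"):
            findings.extend(check_bho(section, body, raw))
        elif section in CHECKS:
            findings.extend(CHECKS[section](body, raw))
    return findings

if __name__ == "__main__":
    for f in sorted(triage(SAMPLE_LOG), key=lambda f: (f.severity != "high", f.section)):
        print(f"[{f.severity:>6}] {f.section:<4} {f.reason}\n         {f.line}")
```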
#3 ·
Thanks for your help. I had some issues with start up files and had to have time to sit down and run the recovery console to get those files back on the machine that had been deleted.

So I renamed combofix and finally got it to run. It found a rootkit, restarted the machine and ran fine. Things already look better. But let me post these logs and verify I'm clean and go from there! :up:

ComboFix
ComboFix 08-12-02.02 - xxxx 2008-12-03 23:35:35.1 - NTFSx86

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\default.htm
c:\windows\system32\av.dat
c:\windows\system32\dbtnul.dll
c:\windows\system32\DMVwDJlm.ini
c:\windows\system32\DMVwDJlm.ini2
c:\windows\system32\drivers\TDSSmqlt.sys
c:\windows\system32\getfn32.dll
c:\windows\system32\gside.exe
c:\windows\system32\hngpqsob.dll
c:\windows\system32\jpbmmulq.ini
c:\windows\system32\jrbrnm.dll
c:\windows\system32\mcrh.tmp
c:\windows\system32\mlJDwVMD.dll
c:\windows\system32\neswkfcm.dll
c:\windows\system32\oyikptmm.dll
c:\windows\system32\prunnet.exe
c:\windows\system32\pwadswjy.dll
c:\windows\system32\rswnw64l.exe
c:\windows\system32\smwin32.dll
c:\windows\system32\TDSShrxm.dll
c:\windows\system32\TDSSlxwp.dll
c:\windows\system32\TDSSmqxt.log
c:\windows\system32\TDSSmtvd.dat
c:\windows\system32\TDSSnmxh.log
c:\windows\system32\TDSSoeqh.log
c:\windows\system32\TDSSoiqt.dll
c:\windows\system32\TDSSsahc.dll
c:\windows\system32\TDSSvkql.dll
c:\windows\system32\TDSSxfum.dll
c:\windows\system32\winpfz33.sys
c:\windows\system32\x4
c:\windows\system32\xttsmn.dll
c:\windows\system32\yfmwswsl.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_TDSSSERV.SYS
-------\Legacy_TDSSSERV.SYS
-------\Legacy_TNIDRIVER
-------\Service_TnIDriver

((((((((((((((((((((((((( Files Created from 2008-11-04 to 2008-12-04 )))))))))))))))))))))))))))))))
.

2008-12-03 22:37 . 2008-12-03 22:37 d-------- c:\program files\Trend Micro
2008-12-03 17:30 . 2004-08-03 19:56 50,688 --a------ c:\windows\system32\smss.exe
2008-12-03 17:29 . 2004-08-03 19:56 108,032 --a------ c:\windows\system32\services.exe
2008-12-03 17:28 . 2004-08-03 19:56 13,312 --a------ c:\windows\system32\lsass.exe
2008-12-03 17:26 . 2004-08-03 19:56 218,112 --a------ c:\windows\system32\wmiprvse.exe
2008-12-03 17:25 . 2004-08-03 19:56 502,272 --a------ c:\windows\system32\winlogon.exe
2008-12-03 17:22 . 2004-08-03 19:56 14,336 --a------ c:\windows\system32\svchost.exe
2008-11-25 10:48 . 2008-11-25 12:01 1,286 --a------ c:\windows\system32\tmp.reg
2008-11-25 10:45 . 2007-09-05 23:22 289,144 --a------ c:\windows\system32\VCCLSID.exe
2008-11-25 10:45 . 2006-04-27 16:49 288,417 --a------ c:\windows\system32\SrchSTS.exe
2008-11-25 10:45 . 2008-10-01 14:51 87,552 --a------ c:\windows\system32\VACFix.exe
2008-11-25 10:45 . 2008-10-10 07:58 82,944 --a------ c:\windows\system32\o4Patch.exe
2008-11-25 10:45 . 2008-05-18 20:40 82,944 --a------ c:\windows\system32\IEDFix.exe
2008-11-25 10:45 . 2008-10-10 07:58 82,944 --a------ c:\windows\system32\IEDFix.C.exe
2008-11-25 10:45 . 2008-08-18 11:19 82,432 --a------ c:\windows\system32\404Fix.exe
2008-11-25 10:45 . 2003-06-05 20:13 53,248 --a------ c:\windows\system32\Process.exe
2008-11-25 10:45 . 2004-07-31 17:50 51,200 --a------ c:\windows\system32\dumphive.exe
2008-11-25 10:45 . 2007-10-03 23:36 25,600 --a------ c:\windows\system32\WS2Fix.exe
2008-11-25 00:55 . 2008-11-25 00:55 d-------- c:\documents and settings\Administrator\Application Data\Thunderbird
2008-11-25 00:55 . 2008-11-25 00:55 d-------- c:\documents and settings\Administrator\Application Data\Talkback
2008-11-25 00:35 . 2008-11-25 00:36 d-------- c:\program files\XoftSpySE
2008-11-25 00:23 . 2008-11-25 00:23 664 --a------ c:\windows\system32\d3d9caps.dat
2008-11-25 00:02 . 2008-11-25 00:02 d-------- c:\documents and settings\Administrator
2008-11-24 19:29 . 2008-11-24 19:29 d-------- c:\program files\Lavasoft
2008-11-24 19:29 . 2008-11-24 19:31 d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2008-11-24 19:28 . 2008-11-25 11:10 d-------- c:\program files\Common Files\Wise Installation Wizard
2008-11-24 01:14 . 2008-11-24 01:14 d-------- c:\program files\AskBarDis
2008-11-24 00:56 . 2008-11-24 01:06 d-a------ c:\documents and settings\All Users\Application Data\TEMP
2008-11-23 17:51 . 2008-11-23 17:51 242 --a------ c:\windows\wininit.ini
2008-11-23 17:41 . 2008-11-23 17:41 153,522 --a------ c:\windows\system32\g71.exe
2008-11-23 17:39 . 2008-11-23 17:39 548,928 --a------ c:\windows\system32\ocntmsdl.exe
2008-11-23 17:38 . 2008-11-23 17:38 d-------- c:\windows\system32\mp
2008-11-23 17:38 . 2008-11-24 21:20 d-------- c:\windows\system32\ID2
2008-11-23 17:38 . 2008-11-24 21:20 d-------- c:\windows\system32\gp2
2008-11-23 17:38 . 2008-11-24 21:20 d-------- c:\windows\system32\dim
2008-11-23 17:38 . 2008-11-23 17:38 d-------- c:\temp\FT62
2008-11-23 17:38 . 2008-11-23 17:38 115,016 --a------ c:\windows\system32\MSINET.OCX
2008-11-23 17:38 . 2008-11-23 17:38 29,184 --a------ c:\windows\system32\MSINET.oca
2008-11-23 17:38 . 2008-11-23 17:38 2,407 --a------ c:\windows\system32\MSINET.DEP
2008-11-21 18:40 . 2008-11-21 18:40 d-------- c:\program files\iTunes
2008-11-21 18:40 . 2008-11-21 18:40 d-------- c:\program files\iPod
2008-11-21 18:40 . 2008-11-21 18:40 d-------- c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-11-21 18:39 . 2008-11-21 18:39 d-------- c:\program files\QuickTime
2008-11-11 17:08 . 2008-09-04 12:15 1,106,944 -----c--- c:\windows\system32\dllcache\msxml3.dll
2008-11-11 17:08 . 2008-10-24 06:21 455,296 -----c--- c:\windows\system32\dllcache\mrxsmb.sys
2008-11-04 10:30 . 2008-11-04 10:30 90,112 --a------ c:\windows\system32\QuickTimeVR.qtx
2008-11-04 10:30 . 2008-11-04 10:30 57,344 --a------ c:\windows\system32\QuickTime.qts

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-25 05:23 --------- d-----w c:\documents and settings\All Users\Application Data\FLEXnet
2008-11-24 22:29 12,158,987 ----a-w c:\program files\PROCESSLIST.DB
2008-11-24 22:29 1,090,659 ----a-w c:\program files\PROCESSLISTRELATED.DB
2008-11-21 23:40 --------- d-----w c:\program files\Common Files\Apple
2008-11-17 04:43 --------- d-----w c:\documents and settings\Nick\Application Data\Move Networks
2008-11-13 00:40 --------- d-----w c:\documents and settings\Nick\Application Data\FileZilla
2008-11-10 09:22 --------- d-----w c:\documents and settings\Nick\Application Data\uTorrent
2008-11-07 04:08 --------- d-----w c:\program files\Spybot
2008-11-03 05:01 --------- d-----w c:\program files\FileZilla FTP Client
2008-10-30 03:57 --------- d-----w c:\program files\Common Files\Adobe
2008-10-29 21:38 --------- d-----w c:\program files\Microsoft Silverlight
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
.

------- Sigcheck -------

2004-08-10 06:00 14336 8f078ae4ed187aaabc0a305146de6716 c:\windows\$NtServicePackUninstall$\svchost.exe
2008-04-13 19:12 14336 27c6d03bcdb8cfeb96b716f3d8be3e18 c:\windows\ServicePackFiles\i386\svchost.exe
2004-08-03 19:56 14336 8f078ae4ed187aaabc0a305146de6716 c:\windows\system32\svchost.exe

2004-08-10 06:00 502272 01c3346c241652f43aed8e2149881bfe c:\windows\$NtServicePackUninstall$\winlogon.exe
2008-04-13 19:12 507904 ed0ef0a136dec83df69f04118870003e c:\windows\ServicePackFiles\i386\winlogon.exe
2004-08-03 19:56 502272 01c3346c241652f43aed8e2149881bfe c:\windows\system32\winlogon.exe

2004-08-10 06:00 108032 c6ce6eec82f187615d1002bb3bb50ed4 c:\windows\$NtServicePackUninstall$\services.exe
2008-04-13 19:12 108544 0e776ed5f7cc9f94299e70461b7b8185 c:\windows\ServicePackFiles\i386\services.exe
2004-08-03 19:56 108032 c6ce6eec82f187615d1002bb3bb50ed4 c:\windows\system32\services.exe

2004-08-10 06:00 13312 84885f9b82f4d55c6146ebf6065d75d2 c:\windows\$NtServicePackUninstall$\lsass.exe
2004-08-03 19:56 13312 84885f9b82f4d55c6146ebf6065d75d2 c:\windows\system32\lsass.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{3041d03e-fd4b-44e0-b742-2d9b88305f98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-08-06 279944]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-11-29 7700480]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=jrbrnm.dll xttsmn.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Bluetooth Manager.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Bluetooth Manager.lnk
backup=c:\windows\pss\Bluetooth Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Extender Resource Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Extender Resource Monitor.lnk
backup=c:\windows\pss\Extender Resource Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 21:16 39792 c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
--a------ 2008-09-03 19:12 111936 c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Broadcom Wireless Manager UI]
--a------ 2005-12-19 08:08 1347584 c:\windows\system32\WLTRAY.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2008-04-13 19:12 15360 c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTSVolFE.exe]
--------- 2005-02-23 14:57 57344 c:\program files\Creative\Mixer\CTSVolFE.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
--a------ 2008-04-01 04:39 486856 c:\program files\DAEMON Tools Lite\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
--------- 2005-02-23 15:19 53248 c:\program files\CyberLink\PowerDVD\DVDLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
--a------ 2005-08-05 12:56 64512 c:\windows\ehome\ehtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-11-20 13:20 290088 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
---hs---- 2008-04-13 19:12 1695232 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2006-11-29 23:29 7700480 c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-11-04 10:30 413696 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
--a------ 2007-05-10 09:22 405504 c:\program files\SigmaTel\C-Major Audio\WDM\stsystra.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
-ra------ 2008-05-30 14:54 21718312 c:\program files\Skype\Phone\Skype.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2008-06-10 03:27 144784 c:\program files\Java\jre1.6.0_07\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
--------- 2006-10-18 19:05 204288 c:\program files\Windows Media Player\wmpnscfg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BluetoothAuthenticationAgent]
--a------ 2008-04-13 19:12 110592 c:\windows\system32\bthprops.cpl

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2006-11-29 23:29 86016 c:\windows\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2006-11-29 23:29 1622016 c:\windows\system32\nwiz.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\PlayOnline\\SquareEnix\\PlayOnlineViewer\\pol.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3776:UDP"= 3776:UDP:Media Center Extender Service
"3390:TCP"= 3390:TCP:Remote Media Center Experience

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
QWAVE REG_MULTI_SZ QWAVE

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - D:\setup.exe
.
Contents of the 'Scheduled Tasks' folder

2008-11-23 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]
.
- - - - ORPHANS REMOVED - - - -

BHO-{5B2D501F-D2A9-4034-87AF-957A3941DCBC} - c:\windows\system32\mlJDwVMD.dll
BHO-{b054656b-28ef-4843-a87c-564f84caa1db} - c:\windows\system32\xttsmn.dll
ShellExecuteHooks-{73259091-9574-4ED8-A40F-7F65AFC28634} - (no file)
Notify-hGVnmmnl - hGVnmmnl.dll
MSConfigStartUp-skdngjubrpcbhrk - c:\windows\system32\qfmprxavrqhwurtw.dll

.
------- Supplementary Scan -------
.
FireFox -: Profile - c:\documents and settings\Nick\Application Data\Mozilla\Firefox\Profiles\na2f0geg.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.google.com/ig
FF -: plugin - c:\documents and settings\Nick\Application Data\Mozilla\Firefox\Profiles\na2f0geg.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071102000004.dll
FF -: plugin - c:\program files\iTunes\Mozilla Plugins\npitunes.dll
FF -: plugin - c:\program files\Microsoft Silverlight\2.0.30523.8\npctrl.dll
FF -: plugin - c:\program files\Microsoft Silverlight\2.0.31005.0\npctrl.1.0.30401.0.dll
FF -: plugin - c:\program files\Microsoft Silverlight\2.0.31005.0\npctrl.dll
FF -: plugin - c:\program files\Mozilla\Firefox\plugins\np-mswmp.dll
FF -: plugin - c:\program files\Mozilla\Firefox\plugins\npnul32.dll
FF -: plugin - c:\program files\Mozilla\Firefox\plugins\NPOFF12.DLL
FF -: plugin - c:\program files\Mozilla\Firefox\plugins\nppdf32.dll
FF -: plugin - c:\program files\Mozilla\Firefox\plugins\npqtplugin.dll
FF -: plugin - c:\program files\Mozilla\Firefox\plugins\npqtplugin2.dll
FF -: plugin - c:\program files\Mozilla\Firefox\plugins\npqtplugin3.dll
FF -: plugin - c:\program files\Mozilla\Firefox\plugins\npqtplugin4.dll
FF -: plugin - c:\program files\Mozilla\Firefox\plugins\npqtplugin5.dll
FF -: plugin - c:\program files\Mozilla\Firefox\plugins\npqtplugin6.dll
FF -: plugin - c:\program files\Mozilla\Firefox\plugins\npqtplugin7.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-03 23:43:21
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(836)
c:\windows\System32\BCMLogon.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\ehome\ehrecvr.exe
c:\windows\ehome\ehSched.exe
c:\windows\system32\nvsvc32.exe
c:\windows\ehome\RMSvc.exe
c:\windows\ehome\McrdSvc.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\windows\system32\dllhost.exe
.
**************************************************************************
.
Completion time: 2008-12-03 23:48:37 - machine was rebooted
ComboFix-quarantined-files.txt 2008-12-04 04:48:22

Pre-Run: 643,293,184 bytes free
Post-Run: 1,028,743,168 bytes free

265 --- E O F --- 2008-11-11 22:22:10
Hijackthis
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:00:04 AM, on 12/4/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\ehome\RMSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla\Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: jrbrnm.dll xttsmn.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 3611 bytes
 
#4 ·
Open Notepad and copy and paste the text in the code box below into it:
Code:
KILLALL::
File::
c:\windows\system32\jrbrnm.dll 
Folder::
c:\program files\AskBarDis
Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=""
Save the file to your desktop and name it CFScript.txt

Then drag the CFScript.txt into the ComboFix.exe as shown in the screenshot below.

This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply.

Please download ATF Cleaner by Atribune.

  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.

Click Exit on the Main menu to close the program.

Please download Malwarebytes Anti-Malware and save it to your desktop. alternate link 1 alternate link 2
  • Make sure you are connected to the Internet.
  • Double-click on Download_mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Quick Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply with a new hijackthis log.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

Please do an online scan with Kaspersky WebScanner

Kaspersky online scanner uses JAVA technology to perform the scan. If you do not have the latest JAVA version, follow the instructions below under Upgrading Java, to download and install the latest version.

  • Read through the requirements and privacy statement and click on Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure the following is checked.
    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
    • Mail databases
  • Click on My Computer under Scan.
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  • Please post this log in your next reply.

Upgrading Java:
  • Download the latest version of Java Runtime Environment (JRE) 6 Update 10.
  • Click the "Download" button to the right.
  • Select your Platform and check the box that says: "I agree to the Java SE Runtime Environment 6 License Agreement.".
  • Click on Continue.
  • Click on the link to download Windows Offline Installation (jre-6u10-windows-i586-p.exe) and save it to your desktop. Do NOT use the Sun Download Manager.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on the download to install the newest version. (Vista users, right click on the jre-6u10-windows-i586-p.exe and select "Run as an Administrator".)
 
#6 ·
ComboFix 08-12-04.04 - xxxx 2008-12-04 21:37:05.2 - NTFSx86

Running from: c:\documents and settings\Nick\Desktop\jog.exe
Command switches used :: c:\documents and settings\Nick\Desktop\CFScript.txt

FILE ::
c:\windows\system32\jrbrnm.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\AskBarDis
c:\program files\AskBarDis\bar\bin\askBar.dll
c:\program files\AskBarDis\bar\bin\askPopStp.dll
c:\program files\AskBarDis\bar\bin\psvince.dll
c:\program files\AskBarDis\bar\Settings\config.dat
c:\program files\AskBarDis\bar\Settings\config.dat.bak
c:\program files\AskBarDis\unins000.dat
c:\program files\AskBarDis\unins000.exe

.
((((((((((((((((((((((((( Files Created from 2008-11-05 to 2008-12-05 )))))))))))))))))))))))))))))))
.

2008-12-04 00:06 . 2008-12-04 00:06 d-------- c:\documents and settings\Nick\Application Data\Malwarebytes
2008-12-04 00:06 . 2008-12-03 19:52 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-12-04 00:05 . 2008-12-04 00:08 d-------- c:\program files\Malwarebytes' Anti-Malware
2008-12-04 00:05 . 2008-12-04 00:05 d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-04 00:05 . 2008-12-03 19:52 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-03 22:37 . 2008-12-03 22:37 d-------- c:\program files\Trend Micro
2008-12-03 17:30 . 2004-08-03 19:56 50,688 --a------ c:\windows\system32\smss.exe
2008-12-03 17:29 . 2004-08-03 19:56 108,032 --a------ c:\windows\system32\services.exe
2008-12-03 17:28 . 2004-08-03 19:56 13,312 --a------ c:\windows\system32\lsass.exe
2008-12-03 17:26 . 2004-08-03 19:56 218,112 --a------ c:\windows\system32\wmiprvse.exe
2008-12-03 17:25 . 2004-08-03 19:56 502,272 --a------ c:\windows\system32\winlogon.exe
2008-12-03 17:22 . 2004-08-03 19:56 14,336 --a------ c:\windows\system32\svchost.exe
2008-11-25 10:48 . 2008-11-25 12:01 1,286 --a------ c:\windows\system32\tmp.reg
2008-11-25 10:45 . 2007-09-05 23:22 289,144 --a------ c:\windows\system32\VCCLSID.exe
2008-11-25 10:45 . 2006-04-27 16:49 288,417 --a------ c:\windows\system32\SrchSTS.exe
2008-11-25 10:45 . 2008-10-01 14:51 87,552 --a------ c:\windows\system32\VACFix.exe
2008-11-25 10:45 . 2008-10-10 07:58 82,944 --a------ c:\windows\system32\o4Patch.exe
2008-11-25 10:45 . 2008-05-18 20:40 82,944 --a------ c:\windows\system32\IEDFix.exe
2008-11-25 10:45 . 2008-10-10 07:58 82,944 --a------ c:\windows\system32\IEDFix.C.exe
2008-11-25 10:45 . 2008-08-18 11:19 82,432 --a------ c:\windows\system32\404Fix.exe
2008-11-25 10:45 . 2003-06-05 20:13 53,248 --a------ c:\windows\system32\Process.exe
2008-11-25 10:45 . 2004-07-31 17:50 51,200 --a------ c:\windows\system32\dumphive.exe
2008-11-25 10:45 . 2007-10-03 23:36 25,600 --a------ c:\windows\system32\WS2Fix.exe
2008-11-25 00:55 . 2008-11-25 00:55 d-------- c:\documents and settings\Administrator\Application Data\Thunderbird
2008-11-25 00:55 . 2008-11-25 00:55 d-------- c:\documents and settings\Administrator\Application Data\Talkback
2008-11-25 00:35 . 2008-11-25 00:36 d-------- c:\program files\XoftSpySE
2008-11-25 00:23 . 2008-11-25 00:23 664 --a------ c:\windows\system32\d3d9caps.dat
2008-11-25 00:02 . 2008-11-25 00:02 d-------- c:\documents and settings\Administrator
2008-11-24 19:29 . 2008-11-24 19:29 d-------- c:\program files\Lavasoft
2008-11-24 19:29 . 2008-12-04 00:09 d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2008-11-24 19:28 . 2008-12-04 00:09 d-------- c:\program files\Common Files\Wise Installation Wizard
2008-11-24 00:56 . 2008-11-24 01:06 d-a------ c:\documents and settings\All Users\Application Data\TEMP
2008-11-23 17:51 . 2008-11-23 17:51 242 --a------ c:\windows\wininit.ini
2008-11-23 17:41 . 2008-11-23 17:41 153,522 --a------ c:\windows\system32\g71.exe
2008-11-23 17:38 . 2008-11-24 21:20 d-------- c:\windows\system32\ID2
2008-11-23 17:38 . 2008-11-24 21:20 d-------- c:\windows\system32\gp2
2008-11-23 17:38 . 2008-11-24 21:20 d-------- c:\windows\system32\dim
2008-11-23 17:38 . 2008-11-23 17:38 d-------- c:\temp\FT62
2008-11-23 17:38 . 2008-11-23 17:38 115,016 --a------ c:\windows\system32\MSINET.OCX
2008-11-23 17:38 . 2008-11-23 17:38 29,184 --a------ c:\windows\system32\MSINET.oca
2008-11-23 17:38 . 2008-11-23 17:38 2,407 --a------ c:\windows\system32\MSINET.DEP
2008-11-21 18:40 . 2008-11-21 18:40 d-------- c:\program files\iTunes
2008-11-21 18:40 . 2008-11-21 18:40 d-------- c:\program files\iPod
2008-11-21 18:40 . 2008-11-21 18:40 d-------- c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-11-21 18:39 . 2008-11-21 18:39 d-------- c:\program files\QuickTime
2008-11-11 17:08 . 2008-09-04 12:15 1,106,944 -----c--- c:\windows\system32\dllcache\msxml3.dll
2008-11-11 17:08 . 2008-10-24 06:21 455,296 -----c--- c:\windows\system32\dllcache\mrxsmb.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-04 13:45 --------- d-----w c:\program files\Spybot
2008-12-04 13:45 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-11-25 05:23 --------- d-----w c:\documents and settings\All Users\Application Data\FLEXnet
2008-11-24 22:29 12,158,987 ----a-w c:\program files\PROCESSLIST.DB
2008-11-24 22:29 1,090,659 ----a-w c:\program files\PROCESSLISTRELATED.DB
2008-11-21 23:40 --------- d-----w c:\program files\Common Files\Apple
2008-11-17 04:43 --------- d-----w c:\documents and settings\Nick\Application Data\Move Networks
2008-11-13 00:40 --------- d-----w c:\documents and settings\Nick\Application Data\FileZilla
2008-11-10 09:22 --------- d-----w c:\documents and settings\Nick\Application Data\uTorrent
2008-11-03 05:01 --------- d-----w c:\program files\FileZilla FTP Client
2008-10-30 03:57 --------- d-----w c:\program files\Common Files\Adobe
2008-10-29 21:38 --------- d-----w c:\program files\Microsoft Silverlight
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
.

((((((((((((((((((((((((((((( snapshot@2008-12-03_23.47.44.67 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-12-04 04:38:31 52,764 ----a-w c:\windows\system32\perfc009.dat
+ 2008-12-05 01:46:04 52,764 ----a-w c:\windows\system32\perfc009.dat
- 2008-12-04 04:38:31 380,350 ----a-w c:\windows\system32\perfh009.dat
+ 2008-12-05 01:46:04 380,350 ----a-w c:\windows\system32\perfh009.dat
+ 2008-12-05 02:42:21 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_6b0.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-11-29 7700480]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Bluetooth Manager.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Bluetooth Manager.lnk
backup=c:\windows\pss\Bluetooth Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Extender Resource Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Extender Resource Monitor.lnk
backup=c:\windows\pss\Extender Resource Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 21:16 39792 c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
--a------ 2008-09-03 19:12 111936 c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Broadcom Wireless Manager UI]
--a------ 2005-12-19 08:08 1347584 c:\windows\system32\WLTRAY.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2008-04-13 19:12 15360 c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTSVolFE.exe]
--------- 2005-02-23 14:57 57344 c:\program files\Creative\Mixer\CTSVolFE.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
--a------ 2008-04-01 04:39 486856 c:\program files\DAEMON Tools Lite\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
--------- 2005-02-23 15:19 53248 c:\program files\CyberLink\PowerDVD\DVDLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
--a------ 2005-08-05 12:56 64512 c:\windows\ehome\ehtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-11-20 13:20 290088 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
---hs---- 2008-04-13 19:12 1695232 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2006-11-29 23:29 7700480 c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-11-04 10:30 413696 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
--a------ 2007-05-10 09:22 405504 c:\program files\SigmaTel\C-Major Audio\WDM\stsystra.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
-ra------ 2008-05-30 14:54 21718312 c:\program files\Skype\Phone\Skype.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2008-06-10 03:27 144784 c:\program files\Java\jre1.6.0_07\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
--------- 2006-10-18 19:05 204288 c:\program files\Windows Media Player\wmpnscfg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BluetoothAuthenticationAgent]
--a------ 2008-04-13 19:12 110592 c:\windows\system32\bthprops.cpl

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2006-11-29 23:29 86016 c:\windows\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2006-11-29 23:29 1622016 c:\windows\system32\nwiz.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\PlayOnline\\SquareEnix\\PlayOnlineViewer\\pol.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3776:UDP"= 3776:UDP:Media Center Extender Service
"3390:TCP"= 3390:TCP:Remote Media Center Experience

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
QWAVE REG_MULTI_SZ QWAVE

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - D:\setup.exe
.
Contents of the 'Scheduled Tasks' folder

2008-11-23 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]
.
- - - - ORPHANS REMOVED - - - -

Toolbar-{3041d03e-fd4b-44e0-b742-2d9b88305f98} - c:\program files\AskBarDis\bar\bin\askBar.dll

.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FireFox -: Profile - c:\documents and settings\Nick\Application Data\Mozilla\Firefox\Profiles\na2f0geg.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.google.com/ig
FF -: plugin - c:\documents and settings\Nick\Application Data\Mozilla\Firefox\Profiles\na2f0geg.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071102000004.dll
FF -: plugin - c:\program files\iTunes\Mozilla Plugins\npitunes.dll
FF -: plugin - c:\program files\Microsoft Silverlight\2.0.30523.8\npctrl.dll
FF -: plugin - c:\program files\Microsoft Silverlight\2.0.31005.0\npctrl.1.0.30401.0.dll
FF -: plugin - c:\program files\Microsoft Silverlight\2.0.31005.0\npctrl.dll
FF -: plugin - c:\program files\Mozilla\Firefox\plugins\np-mswmp.dll
FF -: plugin - c:\program files\Mozilla\Firefox\plugins\npnul32.dll
FF -: plugin - c:\program files\Mozilla\Firefox\plugins\NPOFF12.DLL
FF -: plugin - c:\program files\Mozilla\Firefox\plugins\nppdf32.dll
FF -: plugin - c:\program files\Mozilla\Firefox\plugins\npqtplugin.dll
FF -: plugin - c:\program files\Mozilla\Firefox\plugins\npqtplugin2.dll
FF -: plugin - c:\program files\Mozilla\Firefox\plugins\npqtplugin3.dll
FF -: plugin - c:\program files\Mozilla\Firefox\plugins\npqtplugin4.dll
FF -: plugin - c:\program files\Mozilla\Firefox\plugins\npqtplugin5.dll
FF -: plugin - c:\program files\Mozilla\Firefox\plugins\npqtplugin6.dll
FF -: plugin - c:\program files\Mozilla\Firefox\plugins\npqtplugin7.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-04 21:42:06
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(832)
c:\windows\System32\BCMLogon.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\ehome\ehrecvr.exe
c:\windows\ehome\ehSched.exe
c:\windows\system32\nvsvc32.exe
c:\windows\ehome\RMSvc.exe
c:\windows\ehome\McrdSvc.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\windows\system32\dllhost.exe
.
**************************************************************************
.
Completion time: 2008-12-04 21:46:38 - machine was rebooted
ComboFix-quarantined-files.txt 2008-12-05 02:46:15
ComboFix2.txt 2008-12-04 04:48:38

Pre-Run: 795,455,488 bytes free
Post-Run: 784,322,560 bytes free

228 --- E O F --- 2008-11-11 22:22:10

Malwarebytes' Anti-Malware 1.31
Database version: 1461
Windows 5.1.2600 Service Pack 3

12/5/2008 9:05:16 AM
mbam-log-2008-12-05 (09-05-16).txt

Scan type: Full Scan (C:\|)
Objects scanned: 202706
Time elapsed: 6 hour(s), 4 minute(s), 3 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:41:43 PM, on 12/5/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\ehome\RMSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Mozilla\Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-21-220523388-1645522239-725345543-1003\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 3805 bytes
Look clean?
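Reading an HJT log by eye, the way it is done in this thread, gets tedious once it runs to a few dozen lines. The script below is an added example, not part of the thread and not a HijackThis or TSG tool: it parses the HJT line format and flags the entries a malware specialist looks at first (extra programs appended to UserInit, hosts-file redirections, unnamed BHOs, and pseudo-random file names in autostarts and the process list). The sample log inside it is constructed to match the format; the file names, GUID and hostname in it are made up, and the random-name heuristic and its allow-list are assumptions, not an official rule.

```python
"""Triage of a HijackThis (HJT) log.

Added example for this thread; not HijackThis code.  The sample log, the
random-name heuristic and the allow-list below are assumptions made for
illustration.
"""
import re
from collections import defaultdict

# Constructed sample in HJT line format (made-up names, GUID and hostname).
SAMPLE_LOG = "\n".join([
    r"Logfile of HijackThis v2.0.2",
    r"Running processes:",
    r"C:\WINDOWS\system32\winlogon.exe",
    r"C:\WINDOWS\system32\qzxkwvtr.exe",
    r"",
    r"R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local",
    r"F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\qzxkwvtr.exe,",
    r"O1 - Hosts: 10.0.0.1 www.example.com",
    r"O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll",
    r"O2 - BHO: (no name) - {12345678-1234-1234-1234-123456789ABC} - C:\WINDOWS\system32\abcdxyz.dll",
    r"O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup",
    r"O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe",
    r"O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe",
])

ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")
PATH_RE = re.compile(r"[A-Za-z]:\\[^,\[\]()]+?\.(?:exe|dll|ocx|cpl|sys)", re.IGNORECASE)

# Legitimate Windows binaries with terse names that the vowel heuristic
# would otherwise flag (assumed allow-list, extend as needed).
KNOWN_TERSE = {"ctfmon", "svchost", "spoolsv", "wscntfy", "rundll", "regsvr"}


def looks_random(path):
    """Crude check for the pseudo-random 6+ letter names that droppers use."""
    stem = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0].lower()
    if stem in KNOWN_TERSE or len(stem) < 6 or not stem.isalpha():
        return False
    vowels = sum(c in "aeiouy" for c in stem)
    return vowels / len(stem) <= 0.25


def parse(log):
    """Split an HJT log into {entry_code: [text, ...]} and the process list."""
    entries, processes, in_procs = defaultdict(list), [], False
    for raw in log.splitlines():
        line = raw.strip()
        if line.startswith("Running processes:"):
            in_procs = True
            continue
        m = ENTRY_RE.match(line)
        if m:
            in_procs = False
            entries[m.group(1)].append(m.group(2))
        elif in_procs and line:
            processes.append(line)
        elif not line:
            in_procs = False          # blank line ends the process list
    return entries, processes


def triage(log):
    """Return (code, message) findings worth a closer look."""
    entries, processes = parse(log)
    findings = []
    # F2: UserInit must be userinit.exe alone; anything appended runs at logon.
    for text in entries.get("F2", []):
        if text.startswith("REG:system.ini: UserInit="):
            progs = [p for p in text.split("=", 1)[1].split(",") if p]
            extra = [p for p in progs if not p.lower().endswith("\\userinit.exe")]
            if extra:
                findings.append(("F2", "extra UserInit program(s): " + ", ".join(extra)))
    # O1: hosts-file entries that send a name somewhere other than loopback.
    for text in entries.get("O1", []):
        fields = text.split()
        if len(fields) >= 3 and fields[1] not in ("127.0.0.1", "::1"):
            findings.append(("O1", "hosts redirection: " + text))
    # O2/O4/O23: unnamed BHOs and random-looking file names.
    for code in ("O2", "O4", "O23"):
        for text in entries.get(code, []):
            if code == "O2" and text.startswith("BHO: (no name)"):
                findings.append((code, "unnamed BHO: " + text))
                continue
            for path in PATH_RE.findall(text):
                if looks_random(path):
                    findings.append((code, "random-looking file name: " + path))
    for proc in processes:
        if looks_random(proc):
            findings.append(("proc", "random-looking running process: " + proc))
    return findings


if __name__ == "__main__":
    for code, msg in triage(SAMPLE_LOG):
        print(f"[{code}] {msg}")
```

The heuristic is deliberately conservative: it ignores short stems and anything containing digits, so vendor names like NvCpl or nvsvc32 pass, while an eight-consonant stem in system32 that also appears appended to UserInit is exactly the pairing that the logs in this thread showed before cleanup.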
 
#7 ·
Did you update Malwarebytes before you ran it?

Open Notepad and copy and paste the text in the code box below into it:
Code:
DirLook::
c:\windows\system32\ID2
c:\windows\system32\gp2
c:\windows\system32\dim
Save the file to your desktop and name it CFScript.txt

Then drag the CFScript.txt into the ComboFix.exe as shown in the screenshot below.



This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply.

I don't see any anti-virus software running.
Look in the TSG Library of Knowledge for suggestions. Some are purchased and some are free. Pick one and get your system protected.
 
#8 ·
This is what Kaspersky found:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Friday, December 5, 2008
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Friday, December 05, 2008 16:03:43
Records in database: 1438812
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\

Scan statistics:
Files scanned: 154735
Threat name: 8
Infected objects: 10
Suspicious objects: 3
Duration of the scan: 01:57:42

File name / Threat name / Threats count
C:\Documents and Settings\Administrator\Desktop\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f 1
C:\Documents and Settings\Nick\Application Data\Thunderbird\Profiles\3y66l5c8.default\ImapMail\garnet.acns.fsu.edu\INBOX Suspicious: Trojan-Spy.HTML.Fraud.gen 3
C:\Qoobox\Quarantine\C\WINDOWS\system32\av.dat.vir Infected: not-a-virus:AdWare.Win32.BHO.ecy 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\getfn32.dll.vir Infected: not-a-virus:AdWare.Win32.BHO.eag 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\gside.exe.vir Infected: Trojan-Downloader.Win32.Zlob.ymu 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\hngpqsob.dll.vir Infected: Trojan.Win32.Monder.zzo 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\jrbrnm.dll.vir Infected: Trojan.Win32.Monder.zzo 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\neswkfcm.dll.vir Infected: Trojan.Win32.Monder.zzo 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\rswnw64l.exe.vir Infected: Trojan-Downloader.Win32.Agent.afzg 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\xttsmn.dll.vir Infected: Trojan.Win32.Monder.zzo 1
C:\WINDOWS\system32\g71.exe Infected: Trojan-Clicker.Win32.Agent.bsu 1

The selected area was scanned.
And yes, Malwarebytes is updated.

Doing the new ComboFix now.
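A scanner report like the one above mixes findings that still matter with ones that do not: objects already sitting in ComboFix's Qoobox quarantine (the .vir files), a removal tool's own reboot helper reported as not-a-virus riskware, phishing mails stored in a mail folder, and files still live on disk. The script below is an added example, not part of the thread and not Kaspersky tooling; it parses the report's "path verdict: threat count" line format and sorts each hit into one of those buckets so the live ones stand out. The sample report inside it is constructed with made-up paths and threat names, and the bucket rules are assumptions.

```python
"""Sort Kaspersky Online Scanner report lines into triage buckets.

Added example for this thread; not Kaspersky tooling.  The bucket rules and
the sample report are assumptions made for illustration.
"""
import re
from collections import Counter

# Constructed sample in the report's "path verdict: threat count" line format
# (made-up paths and threat names).
SAMPLE_REPORT = "\n".join([
    r"File name / Threat name / Threats count",
    r"C:\Tools\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Example.a 1",
    r"C:\Documents and Settings\user\Application Data\Thunderbird\Profiles\ab12cd34.default\ImapMail\mail.example.net\INBOX Suspicious: Trojan-Spy.HTML.Fraud.gen 3",
    r"C:\Qoobox\Quarantine\C\WINDOWS\system32\abcdxyz.dll.vir Infected: Trojan.Win32.Example.b 1",
    r"C:\WINDOWS\system32\zz99.exe Infected: Trojan-Clicker.Win32.Example.c 1",
    r"",
    r"The selected area was scanned.",
])

LINE_RE = re.compile(
    r"^(?P<path>.+?)\s+(?P<verdict>Infected|Suspicious):\s+(?P<threat>\S+)\s+(?P<count>\d+)$"
)

QUARANTINE_MARKERS = ("\\qoobox\\quarantine\\",)  # ComboFix's quarantine folder
MAIL_MARKERS = ("\\imapmail\\", "\\mail\\")       # Thunderbird mail stores


def classify(path, verdict, threat):
    """Assumed bucket rules: which hits still need action on the live system."""
    p = path.lower()
    if any(m in p for m in QUARANTINE_MARKERS) or p.endswith(".vir"):
        return "already-quarantined"      # neutralised; purge the quarantine later
    if threat.lower().startswith("not-a-virus:"):
        return "riskware"                 # e.g. a cleanup tool's own reboot helper
    if any(m in p for m in MAIL_MARKERS):
        return "mail-store"               # phishing mail on disk, not running code
    return "live"                         # still present and executable: act on it


def triage(report):
    """Parse every detection line into a dict with an added 'bucket' field."""
    rows = []
    for line in report.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue                      # header, blank and trailer lines
        row = m.groupdict()
        row["count"] = int(row["count"])
        row["bucket"] = classify(row["path"], row["verdict"], row["threat"])
        rows.append(row)
    return rows


def live_paths(report):
    """Paths that are neither quarantined, riskware nor mail-store hits."""
    return [r["path"] for r in triage(report) if r["bucket"] == "live"]


def summary(report):
    return Counter(r["bucket"] for r in triage(report))


if __name__ == "__main__":
    for r in triage(SAMPLE_REPORT):
        print(f'{r["bucket"]:<20} {r["verdict"]:<10} {r["threat"]:<40} {r["path"]}')
    print(dict(summary(SAMPLE_REPORT)))
```

Run against a real report, the "live" list is what goes back to the helper for a ComboFix script or manual deletion; the quarantine entries are expected after a cleanup and disappear once ComboFix is uninstalled, and a "Suspicious" hit inside an IMAP mail store is a message to delete from the mail client rather than a file to remove.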
 
#9 ·
ComboFix
ComboFix 08-12-05.02 - Nick 2008-12-05 20:11:45.3 - NTFSx86

Running from: c:\documents and settings\Nick\Desktop\jog.exe
Command switches used :: c:\documents and settings\Nick\Desktop\CFScript.txt
.

((((((((((((((((((((((((( Files Created from 2008-11-06 to 2008-12-06 )))))))))))))))))))))))))))))))
.

2008-12-04 22:01 . 2008-12-04 22:01 410,984 --a------ c:\windows\system32\deploytk.dll
2008-12-04 21:52 . 2008-12-04 22:00 d-------- c:\documents and settings\Nick\.SunDownloadManager
2008-12-04 00:06 . 2008-12-04 00:06 d-------- c:\documents and settings\Nick\Application Data\Malwarebytes
2008-12-04 00:06 . 2008-12-03 19:52 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-12-04 00:05 . 2008-12-04 00:08 d-------- c:\program files\Malwarebytes' Anti-Malware
2008-12-04 00:05 . 2008-12-04 00:05 d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-04 00:05 . 2008-12-03 19:52 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-03 22:37 . 2008-12-03 22:37 d-------- c:\program files\Trend Micro
2008-12-03 17:30 . 2004-08-03 19:56 50,688 --a------ c:\windows\system32\smss.exe
2008-12-03 17:29 . 2004-08-03 19:56 108,032 --a------ c:\windows\system32\services.exe
2008-12-03 17:28 . 2004-08-03 19:56 13,312 --a------ c:\windows\system32\lsass.exe
2008-12-03 17:26 . 2004-08-03 19:56 218,112 --a------ c:\windows\system32\wmiprvse.exe
2008-12-03 17:25 . 2004-08-03 19:56 502,272 --a------ c:\windows\system32\winlogon.exe
2008-12-03 17:22 . 2004-08-03 19:56 14,336 --a------ c:\windows\system32\svchost.exe
2008-11-25 10:48 . 2008-11-25 12:01 1,286 --a------ c:\windows\system32\tmp.reg
2008-11-25 10:45 . 2007-09-05 23:22 289,144 --a------ c:\windows\system32\VCCLSID.exe
2008-11-25 10:45 . 2006-04-27 16:49 288,417 --a------ c:\windows\system32\SrchSTS.exe
2008-11-25 10:45 . 2008-05-18 20:40 82,944 --a------ c:\windows\system32\IEDFix.exe
2008-11-25 10:45 . 2003-06-05 20:13 53,248 --a------ c:\windows\system32\Process.exe
2008-11-25 10:45 . 2004-07-31 17:50 51,200 --a------ c:\windows\system32\dumphive.exe
2008-11-25 10:45 . 2007-10-03 23:36 25,600 --a------ c:\windows\system32\WS2Fix.exe
2008-11-25 00:55 . 2008-11-25 00:55 d-------- c:\documents and settings\Administrator\Application Data\Thunderbird
2008-11-25 00:55 . 2008-11-25 00:55 d-------- c:\documents and settings\Administrator\Application Data\Talkback
2008-11-25 00:35 . 2008-11-25 00:36 d-------- c:\program files\XoftSpySE
2008-11-25 00:23 . 2008-12-05 13:46 664 --a------ c:\windows\system32\d3d9caps.dat
2008-11-25 00:02 . 2008-11-25 00:02 d-------- c:\documents and settings\Administrator
2008-11-24 19:29 . 2008-11-24 19:29 d-------- c:\program files\Lavasoft
2008-11-24 19:29 . 2008-12-04 00:09 d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2008-11-24 19:28 . 2008-12-04 00:09 d-------- c:\program files\Common Files\Wise Installation Wizard
2008-11-24 00:56 . 2008-11-24 01:06 d-a------ c:\documents and settings\All Users\Application Data\TEMP
2008-11-23 17:51 . 2008-11-23 17:51 242 --a------ c:\windows\wininit.ini
2008-11-23 17:41 . 2008-11-23 17:41 153,522 --a------ c:\windows\system32\g71.exe
2008-11-23 17:38 . 2008-11-24 21:20 d-------- c:\windows\system32\ID2
2008-11-23 17:38 . 2008-11-24 21:20 d-------- c:\windows\system32\gp2
2008-11-23 17:38 . 2008-11-24 21:20 d-------- c:\windows\system32\dim
2008-11-23 17:38 . 2008-11-23 17:38 d-------- c:\temp\FT62
2008-11-23 17:38 . 2008-11-23 17:38 115,016 --a------ c:\windows\system32\MSINET.OCX
2008-11-23 17:38 . 2008-11-23 17:38 29,184 --a------ c:\windows\system32\MSINET.oca
2008-11-23 17:38 . 2008-11-23 17:38 2,407 --a------ c:\windows\system32\MSINET.DEP
2008-11-21 18:40 . 2008-11-21 18:40 d-------- c:\program files\iTunes
2008-11-21 18:40 . 2008-11-21 18:40 d-------- c:\program files\iPod
2008-11-21 18:40 . 2008-11-21 18:40 d-------- c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-11-21 18:39 . 2008-11-21 18:39 d-------- c:\program files\QuickTime
2008-11-11 17:08 . 2008-09-04 12:15 1,106,944 -----c--- c:\windows\system32\dllcache\msxml3.dll
2008-11-11 17:08 . 2008-10-24 06:21 455,296 -----c--- c:\windows\system32\dllcache\mrxsmb.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-05 03:01 --------- d-----w c:\program files\Java
2008-12-04 13:45 --------- d-----w c:\program files\Spybot
2008-12-04 13:45 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-11-25 05:23 --------- d-----w c:\documents and settings\All Users\Application Data\FLEXnet
2008-11-24 22:29 12,158,987 ----a-w c:\program files\PROCESSLIST.DB
2008-11-24 22:29 1,090,659 ----a-w c:\program files\PROCESSLISTRELATED.DB
2008-11-21 23:40 --------- d-----w c:\program files\Common Files\Apple
2008-11-17 04:43 --------- d-----w c:\documents and settings\Nick\Application Data\Move Networks
2008-11-13 00:40 --------- d-----w c:\documents and settings\Nick\Application Data\FileZilla
2008-11-10 09:22 --------- d-----w c:\documents and settings\Nick\Application Data\uTorrent
2008-11-03 05:01 --------- d-----w c:\program files\FileZilla FTP Client
2008-10-30 03:57 --------- d-----w c:\program files\Common Files\Adobe
2008-10-29 21:38 --------- d-----w c:\program files\Microsoft Silverlight
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-16 19:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 19:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 19:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 19:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 19:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 19:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 19:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 19:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-09-15 12:12 1,846,400 ----a-w c:\windows\system32\win32k.sys
2008-09-10 01:14 1,307,648 ----a-w c:\windows\system32\msxml6.dll
2008-09-06 02:16 1,900,544 ----a-w c:\windows\system32\usbaaplrc.dll
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

---- Directory of c:\windows\system32\dim ----

---- Directory of c:\windows\system32\gp2 ----

---- Directory of c:\windows\system32\ID2 ----

((((((((((((((((((((((((((((( snapshot@2008-12-03_23.47.44.67 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-10 05:21:01 135,168 ----a-w c:\windows\system32\java.exe
+ 2008-12-05 03:01:34 144,792 ----a-w c:\windows\system32\java.exe
- 2008-06-10 05:21:04 135,168 ----a-w c:\windows\system32\javaw.exe
+ 2008-12-05 03:01:34 144,792 ----a-w c:\windows\system32\javaw.exe
- 2008-06-10 06:32:34 139,264 ----a-w c:\windows\system32\javaws.exe
+ 2008-12-05 03:01:34 148,888 ----a-w c:\windows\system32\javaws.exe
- 2008-12-04 04:38:31 52,764 ----a-w c:\windows\system32\perfc009.dat
+ 2008-12-06 01:05:49 52,764 ----a-w c:\windows\system32\perfc009.dat
- 2008-12-04 04:38:31 380,350 ----a-w c:\windows\system32\perfh009.dat
+ 2008-12-06 01:05:49 380,350 ----a-w c:\windows\system32\perfh009.dat
+ 2008-12-06 01:01:44 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_58c.dat
+ 2008-12-06 01:01:44 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_694.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-11-29 7700480]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-04 136600]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Bluetooth Manager.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Bluetooth Manager.lnk
backup=c:\windows\pss\Bluetooth Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Extender Resource Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Extender Resource Monitor.lnk
backup=c:\windows\pss\Extender Resource Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 21:16 39792 c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
--a------ 2008-09-03 19:12 111936 c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Broadcom Wireless Manager UI]
--a------ 2005-12-19 08:08 1347584 c:\windows\system32\WLTRAY.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2008-04-13 19:12 15360 c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTSVolFE.exe]
--------- 2005-02-23 14:57 57344 c:\program files\Creative\Mixer\CTSVolFE.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
--a------ 2008-04-01 04:39 486856 c:\program files\DAEMON Tools Lite\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
--------- 2005-02-23 15:19 53248 c:\program files\CyberLink\PowerDVD\DVDLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
--a------ 2005-08-05 12:56 64512 c:\windows\ehome\ehtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-11-20 13:20 290088 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
---hs---- 2008-04-13 19:12 1695232 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2006-11-29 23:29 7700480 c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-11-04 10:30 413696 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
--a------ 2007-05-10 09:22 405504 c:\program files\SigmaTel\C-Major Audio\WDM\stsystra.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
-ra------ 2008-05-30 14:54 21718312 c:\program files\Skype\Phone\Skype.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2008-06-10 03:27 144784 c:\program files\Java\jre1.6.0_07\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
--------- 2006-10-18 19:05 204288 c:\program files\Windows Media Player\wmpnscfg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BluetoothAuthenticationAgent]
--a------ 2008-04-13 19:12 110592 c:\windows\system32\bthprops.cpl

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2006-11-29 23:29 86016 c:\windows\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2006-11-29 23:29 1622016 c:\windows\system32\nwiz.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\PlayOnline\\SquareEnix\\PlayOnlineViewer\\pol.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3776:UDP"= 3776:UDP:Media Center Extender Service
"3390:TCP"= 3390:TCP:Remote Media Center Experience

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
QWAVE REG_MULTI_SZ QWAVE
.
Contents of the 'Scheduled Tasks' folder

2008-11-23 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FireFox -: Profile - c:\documents and settings\Nick\Application Data\Mozilla\Firefox\Profiles\na2f0geg.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.google.com/ig
FF -: plugin - c:\documents and settings\Nick\Application Data\Mozilla\Firefox\Profiles\na2f0geg.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071102000004.dll
FF -: plugin - c:\program files\iTunes\Mozilla Plugins\npitunes.dll
FF -: plugin - c:\program files\Java\jre6\bin\new_plugin\npdeploytk.dll
FF -: plugin - c:\program files\Java\jre6\bin\new_plugin\npjp2.dll
FF -: plugin - c:\program files\Microsoft Silverlight\2.0.30523.8\npctrl.dll
FF -: plugin - c:\program files\Microsoft Silverlight\2.0.31005.0\npctrl.1.0.30401.0.dll
FF -: plugin - c:\program files\Microsoft Silverlight\2.0.31005.0\npctrl.dll
FF -: plugin - c:\program files\Mozilla\Firefox\plugins\np-mswmp.dll
FF -: plugin - c:\program files\Mozilla\Firefox\plugins\npdeploytk.dll
FF -: plugin - c:\program files\Mozilla\Firefox\plugins\npnul32.dll
FF -: plugin - c:\program files\Mozilla\Firefox\plugins\NPOFF12.DLL
FF -: plugin - c:\program files\Mozilla\Firefox\plugins\nppdf32.dll
FF -: plugin - c:\program files\Mozilla\Firefox\plugins\npqtplugin.dll
FF -: plugin - c:\program files\Mozilla\Firefox\plugins\npqtplugin2.dll
FF -: plugin - c:\program files\Mozilla\Firefox\plugins\npqtplugin3.dll
FF -: plugin - c:\program files\Mozilla\Firefox\plugins\npqtplugin4.dll
FF -: plugin - c:\program files\Mozilla\Firefox\plugins\npqtplugin5.dll
FF -: plugin - c:\program files\Mozilla\Firefox\plugins\npqtplugin6.dll
FF -: plugin - c:\program files\Mozilla\Firefox\plugins\npqtplugin7.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-05 20:15:45
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(824)
c:\windows\System32\BCMLogon.dll
.
Completion time: 2008-12-05 20:17:43
ComboFix-quarantined-files.txt 2008-12-06 01:16:58
ComboFix2.txt 2008-12-05 02:46:39
ComboFix3.txt 2008-12-04 04:48:38

Pre-Run: 11,844,554,752 bytes free
Post-Run: 11,885,105,152 bytes free

226 --- E O F --- 2008-11-11 22:22:10
 
#10 ·
You have something in your Thunderbird inbox that is infected so you need to clean that out.

Open Notepad and copy and paste the text in the code box below into it:
Code:
KILLALL::
File::
C:\WINDOWS\system32\g71.exe
Save the file to your desktop and name it CFScript.txt

Then drag the CFScript.txt into the ComboFix.exe as shown in the screenshot below.

This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply together with a new HijackThis log.
 
#11 ·
Sorry I couldn't get back to you yesterday; my Internet went down.

ComboFix 08-12-05.06 - xxx 2008-12-06 13:04:52.4 - NTFSx86 MINIMAL

Running from: c:\documents and settings\xxxx\Desktop\jog.exe
Command switches used :: c:\documents and settings\xxxx\Desktop\CFScript.txt

FILE ::
c:\windows\system32\g71.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\g71.exe

.
((((((((((((((((((((((((( Files Created from 2008-11-06 to 2008-12-06 )))))))))))))))))))))))))))))))
.

2008-12-04 22:01 . 2008-12-04 22:01 410,984 --a------ c:\windows\system32\deploytk.dll
2008-12-04 21:52 . 2008-12-04 22:00 d-------- c:\documents and settings\Nick\.SunDownloadManager
2008-12-04 00:06 . 2008-12-04 00:06 d-------- c:\documents and settings\Nick\Application Data\Malwarebytes
2008-12-04 00:06 . 2008-12-03 19:52 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-12-04 00:05 . 2008-12-04 00:08 d-------- c:\program files\Malwarebytes' Anti-Malware
2008-12-04 00:05 . 2008-12-04 00:05 d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-04 00:05 . 2008-12-03 19:52 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-03 22:37 . 2008-12-03 22:37 d-------- c:\program files\Trend Micro
2008-12-03 17:30 . 2004-08-03 19:56 50,688 --a------ c:\windows\system32\smss.exe
2008-12-03 17:29 . 2004-08-03 19:56 108,032 --a------ c:\windows\system32\services.exe
2008-12-03 17:28 . 2004-08-03 19:56 13,312 --a------ c:\windows\system32\lsass.exe
2008-12-03 17:26 . 2004-08-03 19:56 218,112 --a------ c:\windows\system32\wmiprvse.exe
2008-12-03 17:25 . 2004-08-03 19:56 502,272 --a------ c:\windows\system32\winlogon.exe
2008-12-03 17:22 . 2004-08-03 19:56 14,336 --a------ c:\windows\system32\svchost.exe
2008-11-25 10:48 . 2008-11-25 12:01 1,286 --a------ c:\windows\system32\tmp.reg
2008-11-25 10:45 . 2007-09-05 23:22 289,144 --a------ c:\windows\system32\VCCLSID.exe
2008-11-25 10:45 . 2006-04-27 16:49 288,417 --a------ c:\windows\system32\SrchSTS.exe
2008-11-25 10:45 . 2008-05-18 20:40 82,944 --a------ c:\windows\system32\IEDFix.exe
2008-11-25 10:45 . 2003-06-05 20:13 53,248 --a------ c:\windows\system32\Process.exe
2008-11-25 10:45 . 2004-07-31 17:50 51,200 --a------ c:\windows\system32\dumphive.exe
2008-11-25 10:45 . 2007-10-03 23:36 25,600 --a------ c:\windows\system32\WS2Fix.exe
2008-11-25 00:55 . 2008-11-25 00:55 d-------- c:\documents and settings\Administrator\Application Data\Thunderbird
2008-11-25 00:55 . 2008-11-25 00:55 d-------- c:\documents and settings\Administrator\Application Data\Talkback
2008-11-25 00:35 . 2008-11-25 00:36 d-------- c:\program files\XoftSpySE
2008-11-25 00:23 . 2008-12-05 13:46 664 --a------ c:\windows\system32\d3d9caps.dat
2008-11-25 00:02 . 2008-11-25 00:02 d-------- c:\documents and settings\Administrator
2008-11-24 19:29 . 2008-11-24 19:29 d-------- c:\program files\Lavasoft
2008-11-24 19:29 . 2008-12-04 00:09 d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2008-11-24 19:28 . 2008-12-04 00:09 d-------- c:\program files\Common Files\Wise Installation Wizard
2008-11-24 00:56 . 2008-11-24 01:06 d-a------ c:\documents and settings\All Users\Application Data\TEMP
2008-11-23 17:51 . 2008-11-23 17:51 242 --a------ c:\windows\wininit.ini
2008-11-23 17:38 . 2008-11-24 21:20 d-------- c:\windows\system32\ID2
2008-11-23 17:38 . 2008-11-24 21:20 d-------- c:\windows\system32\gp2
2008-11-23 17:38 . 2008-11-24 21:20 d-------- c:\windows\system32\dim
2008-11-23 17:38 . 2008-11-23 17:38 d-------- c:\temp\FT62
2008-11-23 17:38 . 2008-11-23 17:38 115,016 --a------ c:\windows\system32\MSINET.OCX
2008-11-23 17:38 . 2008-11-23 17:38 29,184 --a------ c:\windows\system32\MSINET.oca
2008-11-23 17:38 . 2008-11-23 17:38 2,407 --a------ c:\windows\system32\MSINET.DEP
2008-11-21 18:40 . 2008-11-21 18:40 d-------- c:\program files\iTunes
2008-11-21 18:40 . 2008-11-21 18:40 d-------- c:\program files\iPod
2008-11-21 18:40 . 2008-11-21 18:40 d-------- c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-11-21 18:39 . 2008-11-21 18:39 d-------- c:\program files\QuickTime
2008-11-11 17:08 . 2008-09-04 12:15 1,106,944 -----c--- c:\windows\system32\dllcache\msxml3.dll
2008-11-11 17:08 . 2008-10-24 06:21 455,296 -----c--- c:\windows\system32\dllcache\mrxsmb.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-05 03:01 --------- d-----w c:\program files\Java
2008-12-04 13:45 --------- d-----w c:\program files\Spybot
2008-12-04 13:45 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-11-25 05:23 --------- d-----w c:\documents and settings\All Users\Application Data\FLEXnet
2008-11-24 22:29 12,158,987 ----a-w c:\program files\PROCESSLIST.DB
2008-11-24 22:29 1,090,659 ----a-w c:\program files\PROCESSLISTRELATED.DB
2008-11-21 23:40 --------- d-----w c:\program files\Common Files\Apple
2008-11-17 04:43 --------- d-----w c:\documents and settings\Nick\Application Data\Move Networks
2008-11-13 00:40 --------- d-----w c:\documents and settings\Nick\Application Data\FileZilla
2008-11-10 09:22 --------- d-----w c:\documents and settings\Nick\Application Data\uTorrent
2008-11-03 05:01 --------- d-----w c:\program files\FileZilla FTP Client
2008-10-30 03:57 --------- d-----w c:\program files\Common Files\Adobe
2008-10-29 21:38 --------- d-----w c:\program files\Microsoft Silverlight
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
.

((((((((((((((((((((((((((((( snapshot@2008-12-03_23.47.44.67 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-10 05:21:01 135,168 ----a-w c:\windows\system32\java.exe
+ 2008-12-05 03:01:34 144,792 ----a-w c:\windows\system32\java.exe
- 2008-06-10 05:21:04 135,168 ----a-w c:\windows\system32\javaw.exe
+ 2008-12-05 03:01:34 144,792 ----a-w c:\windows\system32\javaw.exe
- 2008-06-10 06:32:34 139,264 ----a-w c:\windows\system32\javaws.exe
+ 2008-12-05 03:01:34 148,888 ----a-w c:\windows\system32\javaws.exe
- 2008-12-04 04:38:31 52,764 ----a-w c:\windows\system32\perfc009.dat
+ 2008-12-06 18:07:02 52,764 ----a-w c:\windows\system32\perfc009.dat
- 2008-12-04 04:38:31 380,350 ----a-w c:\windows\system32\perfh009.dat
+ 2008-12-06 18:07:02 380,350 ----a-w c:\windows\system32\perfh009.dat
+ 2008-12-06 18:10:34 16,384 ----atw c:\windows\temp\Perflib_Perfdata_778.dat
+ 2008-12-06 18:10:34 16,384 ----atw c:\windows\temp\Perflib_Perfdata_7ec.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-11-29 7700480]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-04 136600]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Bluetooth Manager.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Bluetooth Manager.lnk
backup=c:\windows\pss\Bluetooth Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Extender Resource Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Extender Resource Monitor.lnk
backup=c:\windows\pss\Extender Resource Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 21:16 39792 c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
--a------ 2008-09-03 19:12 111936 c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Broadcom Wireless Manager UI]
--a------ 2005-12-19 08:08 1347584 c:\windows\system32\WLTRAY.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2008-04-13 19:12 15360 c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTSVolFE.exe]
--------- 2005-02-23 14:57 57344 c:\program files\Creative\Mixer\CTSVolFE.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
--a------ 2008-04-01 04:39 486856 c:\program files\DAEMON Tools Lite\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
--------- 2005-02-23 15:19 53248 c:\program files\CyberLink\PowerDVD\DVDLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
--a------ 2005-08-05 12:56 64512 c:\windows\ehome\ehtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-11-20 13:20 290088 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
---hs---- 2008-04-13 19:12 1695232 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2006-11-29 23:29 7700480 c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-11-04 10:30 413696 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
--a------ 2007-05-10 09:22 405504 c:\program files\SigmaTel\C-Major Audio\WDM\stsystra.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
-ra------ 2008-05-30 14:54 21718312 c:\program files\Skype\Phone\Skype.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2008-06-10 03:27 144784 c:\program files\Java\jre1.6.0_07\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
--------- 2006-10-18 19:05 204288 c:\program files\Windows Media Player\wmpnscfg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BluetoothAuthenticationAgent]
--a------ 2008-04-13 19:12 110592 c:\windows\system32\bthprops.cpl

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2006-11-29 23:29 86016 c:\windows\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2006-11-29 23:29 1622016 c:\windows\system32\nwiz.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\PlayOnline\\SquareEnix\\PlayOnlineViewer\\pol.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3776:UDP"= 3776:UDP:Media Center Extender Service
"3390:TCP"= 3390:TCP:Remote Media Center Experience

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
QWAVE REG_MULTI_SZ QWAVE
.
Contents of the 'Scheduled Tasks' folder

2008-11-23 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FireFox -: Profile - c:\documents and settings\Nick\Application Data\Mozilla\Firefox\Profiles\na2f0geg.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.google.com/ig
FF -: plugin - c:\documents and settings\Nick\Application Data\Mozilla\Firefox\Profiles\na2f0geg.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071102000004.dll
FF -: plugin - c:\program files\iTunes\Mozilla Plugins\npitunes.dll
FF -: plugin - c:\program files\Java\jre6\bin\new_plugin\npdeploytk.dll
FF -: plugin - c:\program files\Java\jre6\bin\new_plugin\npjp2.dll
FF -: plugin - c:\program files\Microsoft Silverlight\2.0.30523.8\npctrl.dll
FF -: plugin - c:\program files\Microsoft Silverlight\2.0.31005.0\npctrl.1.0.30401.0.dll
FF -: plugin - c:\program files\Microsoft Silverlight\2.0.31005.0\npctrl.dll
FF -: plugin - c:\program files\Mozilla\Firefox\plugins\np-mswmp.dll
FF -: plugin - c:\program files\Mozilla\Firefox\plugins\npdeploytk.dll
FF -: plugin - c:\program files\Mozilla\Firefox\plugins\npnul32.dll
FF -: plugin - c:\program files\Mozilla\Firefox\plugins\NPOFF12.DLL
FF -: plugin - c:\program files\Mozilla\Firefox\plugins\nppdf32.dll
FF -: plugin - c:\program files\Mozilla\Firefox\plugins\npqtplugin.dll
FF -: plugin - c:\program files\Mozilla\Firefox\plugins\npqtplugin2.dll
FF -: plugin - c:\program files\Mozilla\Firefox\plugins\npqtplugin3.dll
FF -: plugin - c:\program files\Mozilla\Firefox\plugins\npqtplugin4.dll
FF -: plugin - c:\program files\Mozilla\Firefox\plugins\npqtplugin5.dll
FF -: plugin - c:\program files\Mozilla\Firefox\plugins\npqtplugin6.dll
FF -: plugin - c:\program files\Mozilla\Firefox\plugins\npqtplugin7.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-06 13:10:23
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(828)
c:\windows\System32\BCMLogon.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\ehome\ehrecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\windows\ehome\RMSvc.exe
c:\windows\ehome\McrdSvc.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\windows\system32\dllhost.exe
.
**************************************************************************
.
Completion time: 2008-12-06 13:15:33 - machine was rebooted [Nick]
ComboFix-quarantined-files.txt 2008-12-06 18:15:10
ComboFix2.txt 2008-12-06 01:17:44
ComboFix3.txt 2008-12-05 02:46:39
ComboFix4.txt 2008-12-04 04:48:38

Pre-Run: 14,036,287,488 bytes free
Post-Run: 11,874,037,760 bytes free

231 --- E O F --- 2008-11-11 22:22:10

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:18:23 PM, on 12/6/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\ehome\RMSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-21-220523388-1645522239-725345543-1003\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 3759 bytes
 
#13 ·
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:57:49 AM, on 12/10/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\ehome\RMSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Mozilla\Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-21-220523388-1645522239-725345543-1003\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 4570 bytes
 
#16 ·
You should remove all of the tools I requested you to download and/or folders associated with them now. It is pointless to keep these tools around as they are updated so frequently that the tools can be outdated within a few days, sometimes within just hours.

Follow these steps to uninstall Combofix and the tools used in the removal of malware:
  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK. Note the space between the X and the U; it needs to be there.

Now you should Clean up your PC.

Here are some additional links for you to check out to help you with your computer security.

How did I get infected in the first place.

Secunia software inspector & update checker

Good free tools and advice on how to tighten your security settings.

Security Help Tools

Also check out the TSG Library of Knowledge.

You're welcome!
 