Chrissie190 Posted September 22, 2008

Hey,

Sorry, I am new to all this but need help. Yesterday I found a trojan horse on my PC so downloaded SpyZooka and also used AVG to remove all harmful stuff. Computer now shows as clean. However, after doing so, whenever I click a link from either Google or Live Search I get redirected to "random" sites. Help would be greatly appreciated. Thanks.

Here's the HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:30:30, on 22/09/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Kontiki\KService.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\lxdjserv.exe
C:\WINDOWS\system32\lxdjcoms.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Documents and Settings\All Users\Application Data\mnsjwbwt\enkjyzyp.exe
C:\WINDOWS\system32\tp4mon.exe
C:\Program Files\Lexmark 1400 Series\lxdjamon.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Kontiki\KHost.exe
C:\Program Files\Veoh Networks\Veoh\VeohClient.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\Program Files\Belkin\F5D7011\Belkinwcui.exe
C:\Program Files\SpyZooka\spyzooka.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\AVG\AVG8\avgui.exe
C:\Program Files\AVG\AVG8\avgscanx.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = 
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = 
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O4 - HKLM\..\Run: [TrackPointSrv] tp4mon.exe
O4 - HKLM\..\Run: [lxdjmon.exe] "C:\Program Files\Lexmark 1400 Series\lxdjmon.exe"
O4 - HKLM\..\Run: [lxdjamon] "C:\Program Files\Lexmark 1400 Series\lxdjamon.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [bluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [DVDtoiPodConverter_upgrade] "C:\Program Files\E-Zsoft\DVDtoiPodConverter\DVDtoiPodConverter.exe" /upgrade
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [kdx] C:\Program Files\Kontiki\KHost.exe -all
O4 - HKCU\..\Run: [Veoh] "C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" /VeohHide
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKLM\..\Policies\Explorer\Run: [G0SPduvbFZ] C:\Documents and Settings\All Users\Application Data\mnsjwbwt\enkjyzyp.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Belkin Wireless Utility.lnk = ?
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1192196331961
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1192212744927
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O21 - SSODL: genadmui - {16824F4F-3B2B-AF53-C6C2-098B56D7403C} - C:\Program Files\gehndkd\genadmui.dll
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
O23 - Service: lxdjCATSCustConnectService - Lexmark International, Inc. - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\lxdjserv.exe
O23 - Service: lxdj_device - - C:\WINDOWS\system32\lxdjcoms.exe
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

--
End of file - 7689 bytes
sari Posted September 24, 2008

Chrissie,

Hi, and welcome to Besttechie.

Please download SmitfraudFix (by S!Ri) to your Desktop.

Double-click SmitfraudFix.exe
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

**If the tool fails to launch from the Desktop, please move SmitfraudFix.exe directly to the root of the system drive (usually C:), and launch from there.

Note: process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm

sari
Chrissie190 Posted September 24, 2008

Hi Sari,

Thanks for your reply. Here's the SmitFraudFix report.

Chrissie.

SmitFraudFix v2.354

Scan done at 16:45:08.33, 24/09/2008
Run from C:\Documents and Settings\Christianne\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS

Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Kontiki\KService.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\lxdjserv.exe
C:\WINDOWS\system32\lxdjcoms.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\All Users\Application Data\mnsjwbwt\enkjyzyp.exe
C:\WINDOWS\system32\tp4mon.exe
C:\Program Files\Lexmark 1400 Series\lxdjamon.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\Kontiki\KHost.exe
C:\Program Files\Veoh Networks\Veoh\VeohClient.exe
C:\WINDOWS\system32\nohwvunu.exe
C:\Program Files\Belkin\F5D7011\Belkinwcui.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\cmd.exe
C:\Program Files\Internet Explorer\iexplore.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts

»»»»»»»»»»»»»»»»»»»»»»»» C:\

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

C:\WINDOWS\system32\tdssservers.dat detected, use a Rootkit scanner
C:\WINDOWS\system32\tdssinit.dll detected, use a Rootkit scanner
C:\WINDOWS\system32\tdssl.dll detected, use a Rootkit scanner

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Christianne

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Christianne\Application Data

»»»»»»»»»»»»»»»»»»»»»»»» Start Menu

»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\CHRIST~1\FAVORI~1

»»»»»»»»»»»»»»»»»»»»»»»» Desktop

»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files

»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys

»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"

»»»»»»»»»»»»»»»»»»»»»»»» o4Patch
!!!Attention, following keys are not inevitably infected!!!

o4Patch
Credits: Malware Analysis & Diagnostic Code: S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» IEDFix
!!!Attention, following keys are not inevitably infected!!!

IEDFix
Credits: Malware Analysis & Diagnostic Code: S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» VACFix
!!!Attention, following keys are not inevitably infected!!!

VACFix
Credits: Malware Analysis & Diagnostic Code: S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» 404Fix
!!!Attention, following keys are not inevitably infected!!!

404Fix
Credits: Malware Analysis & Diagnostic Code: S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» AntiXPVSTFix
!!!Attention, following keys are not inevitably infected!!!

AntiXPVSTFix
Credits: Malware Analysis & Diagnostic Code: S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="avgrsstx.dll"
"LoadAppInit_DLLs"=dword:00000001

»»»»»»»»»»»»»»»»»»»»»»»» Winlogon
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
"System"=""

»»»»»»»»»»»»»»»»»»»»»»»» RK

»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: Belkin 802.11g Network Adapter #2 - Packet Scheduler Miniport
DNS Server Search Order: 192.168.2.1

HKLM\SYSTEM\CCS\Services\Tcpip\..\{E8ACA906-D64B-4547-A512-406F0A6C5BFE}: DhcpNameServer=192.168.2.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{E8ACA906-D64B-4547-A512-406F0A6C5BFE}: DhcpNameServer=192.168.2.1
HKLM\SYSTEM\CS3\Services\Tcpip\..\{E8ACA906-D64B-4547-A512-406F0A6C5BFE}: DhcpNameServer=192.168.2.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.2.1
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.2.1
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=192.168.2.1

»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection

»»»»»»»»»»»»»»»»»»»»»»»» End
sari Posted September 24, 2008

Chrissie,

We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:
The Recovery Console was successfully installed.

Please continue as follows:

Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
Click Yes to allow ComboFix to continue scanning for malware.

When the tool is finished, it will produce a report for you. Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt
New HijackThis log.

sari
Chrissie190 Posted September 28, 2008

OK, don't really know if I did this right because when I tried to drag Recovery Console over ComboFix it loaded but no blue installed screen came up?

ComboFix log:

ComboFix 08-09-27.01 - Christianne 2008-09-28 9:39:52.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.225 [GMT 1:00]
Running from: C:\Documents and Settings\Christianne\Desktop\ComboFix.exe
 * Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\a.bat
C:\WINDOWS\base64.tmp
C:\WINDOWS\bdn.com
C:\WINDOWS\FVProtect.exe
C:\WINDOWS\iTunesMusic.exe
C:\WINDOWS\mssecu.exe
C:\WINDOWS\system32\akttzn.exe
C:\WINDOWS\system32\anticipator.dll
C:\WINDOWS\system32\awtoolb.dll
C:\WINDOWS\system32\bdn.com
C:\WINDOWS\system32\bsva-egihsg52.exe
C:\WINDOWS\system32\dpcproxy.exe
C:\WINDOWS\system32\emesx.dll
C:\WINDOWS\system32\h@tkeysh@@k.dll
C:\WINDOWS\system32\hoproxy.dll
C:\WINDOWS\system32\hxiwlgpm.dat
C:\WINDOWS\system32\hxiwlgpm.exe
C:\WINDOWS\system32\medup012.dll
C:\WINDOWS\system32\medup020.dll
C:\WINDOWS\system32\msgp.exe
C:\WINDOWS\system32\msnbho.dll
C:\WINDOWS\system32\mssecu.exe
C:\WINDOWS\system32\msvchost.exe
C:\WINDOWS\system32\mtr2.exe
C:\WINDOWS\system32\mwin32.exe
C:\WINDOWS\system32\netode.exe
C:\WINDOWS\system32\newsd32.exe
C:\WINDOWS\system32\ps1.exe
C:\WINDOWS\system32\psof1.exe
C:\WINDOWS\system32\psoft1.exe
C:\WINDOWS\system32\regc64.dll
C:\WINDOWS\system32\regm64.dll
C:\WINDOWS\system32\Rundl1.exe
C:\WINDOWS\system32\smp
C:\WINDOWS\system32\smp\msrc.exe
C:\WINDOWS\system32\sncntr.exe
C:\WINDOWS\system32\ssurf022.dll
C:\WINDOWS\system32\ssvchost.com
C:\WINDOWS\system32\ssvchost.exe
C:\WINDOWS\system32\sysreq.exe
C:\WINDOWS\system32\taack.dat
C:\WINDOWS\system32\taack.exe
C:\WINDOWS\system32\tdssinit.dll
C:\WINDOWS\system32\tdssl.dll
C:\WINDOWS\system32\tdssservers.dat
C:\WINDOWS\system32\temp#01.exe
C:\WINDOWS\system32\thun.dll
C:\WINDOWS\system32\thun32.dll
C:\WINDOWS\system32\VBIEWER.OCX
C:\WINDOWS\system32\vbsys2.dll
C:\WINDOWS\system32\vcatchpi.dll
C:\WINDOWS\system32\winlogonpc.exe
C:\WINDOWS\system32\winsystem.exe
C:\WINDOWS\system32\WINWGPX.EXE
C:\WINDOWS\userconfig9x.dll
C:\WINDOWS\winsystem.exe
C:\WINDOWS\zip1.tmp
C:\WINDOWS\zip2.tmp
C:\WINDOWS\zip3.tmp
C:\WINDOWS\zipped.tmp
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_TDSSSERV
-------\Service_TDSSserv

((((((((((((((((((((((((( Files Created from 2008-08-28 to 2008-09-28 )))))))))))))))))))))))))))))))
.
2008-09-28 09:50 . 2008-09-28 09:50 94,208 --a------ C:\WINDOWS\system32\mvgbyxmf.exe
2008-09-24 16:45 . 2008-09-24 16:45 2,544 --a------ C:\WINDOWS\system32\tmp.reg
2008-09-24 11:37 . 2008-09-24 14:22 <DIR> d-------- C:\WINDOWS\system32\CatRoot_bak
2008-09-23 19:05 . 2008-09-23 19:05 102,400 --a------ C:\WINDOWS\system32\nohwvunu.exe
2008-09-22 18:54 . 2008-09-22 18:54 <DIR> d-------- C:\Program Files\CCleaner
2008-09-22 18:21 . 2008-09-22 18:21 <DIR> d-------- C:\Program Files\Trend Micro
2008-09-21 19:28 . 2008-09-24 17:11 <DIR> d-------- C:\Documents and Settings\Christianne\Application Data\Spyzooka
2008-09-21 17:37 . 2008-09-26 15:18 <DIR> d-------- C:\Program Files\SpyZooka
2008-09-21 16:48 . 2008-09-21 16:53 <DIR> d-------- C:\Program Files\Common Files\Adobe
2008-09-20 23:13 . 2008-09-20 23:13 <DIR> d-------- C:\Program Files\gehndkd
2008-09-20 23:13 . 2008-09-20 23:13 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\mnsjwbwt
2008-09-20 23:13 . 2008-09-21 16:42 77,824 --a------ C:\WINDOWS\system32\TDSSqujy.dll
2008-09-20 23:13 . 2008-09-21 16:42 36,352 --a------ C:\WINDOWS\system32\TDSSjjsm.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-28 08:53 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kontiki
2008-09-24 11:24 --------- d-----w C:\Program Files\DivX
2008-09-22 18:01 --------- d-----w C:\Program Files\GIMP-2.0
2008-09-21 15:53 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg8
2008-09-07 15:29 --------- d-----w C:\Program Files\Kontiki
2008-08-30 13:50 97,928 ----a-w C:\WINDOWS\system32\drivers\avgldx86.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15360]
"kdx"="C:\Program Files\Kontiki\KHost.exe" [2007-04-23 1032640]
"Veoh"="C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" [2008-04-01 3587120]
"InfoApp"="C:\WINDOWS\system32\nohwvunu.exe" [2008-09-23 102400]
"UiSmart"="C:\WINDOWS\system32\mvgbyxmf.exe" [2008-09-28 94208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"lxdjamon"="C:\Program Files\Lexmark 1400 Series\lxdjamon.exe" [2007-03-05 20480]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-11-12 185632]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-08-30 1235736]
"DVDtoiPodConverter_upgrade"="C:\Program Files\E-Zsoft\DVDtoiPodConverter\DVDtoiPodConverter.exe" [2007-12-06 822272]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"TrackPointSrv"="tp4mon.exe" [2004-08-04 C:\WINDOWS\system32\tp4mon.exe]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 C:\WINDOWS\system32\bthprops.cpl]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 15360]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-22 39264]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\Currentversion\policies\explorer\Run]
"G0SPduvbFZ"="C:\Documents and Settings\All Users\Application Data\mnsjwbwt\enkjyzyp.exe" [2008-09-20 69632]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Belkin Wireless Utility.lnk - C:\Program Files\Belkin\F5D7011\Belkinwcui.exe [2007-10-12 1572864]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"genadmui"= {16824F4F-3B2B-AF53-C6C2-098B56D7403C} - C:\Program Files\gehndkd\genadmui.dll [2008-09-20 106496]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Lexmark 1400 Series\\lxdjamon.exe"=
"C:\\Program Files\\Lexmark 1400 Series\\App4R.exe"=
"C:\\WINDOWS\\system32\\lxdjcoms.exe"=
"C:\\Program Files\\Kontiki\\KService.exe"=
"C:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

R1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-08-30 97928]
R2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-08-30 231704]
R2 lxdjCATSCustConnectService;lxdjCATSCustConnectService;C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\lxdjserv.exe [2007-04-27 99248]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{dc73d8f2-834f-11dd-a233-00d059d8facd}]
\Shell\AutoRun\command - E:\wdsync.exe
.
Contents of the 'Scheduled Tasks' folder
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-MsnMsgr - C:\Program Files\MSN Messenger\MsnMsgr.Exe
HKLM-Run-lxdjmon.exe - C:\Program Files\Lexmark 1400 Series\lxdjmon.exe

.
------- Supplementary Scan -------
.
O16 -: DirectAnimation Java Classes - file://C:\WINDOWS\Java\classes\dajava.cab
C:\WINDOWS\Downloaded Program Files\DirectAnimation Java Classes.osd

O16 -: Microsoft XML Parser for Java - file://C:\WINDOWS\Java\classes\xmldso.cab
C:\WINDOWS\Downloaded Program Files\Microsoft XML Parser for Java.osd
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-28 09:50:53
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ibmpmsvc.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files\Kontiki\KService.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\lxdjserv.exe
C:\WINDOWS\system32\lxdjcoms.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\wltrysvc.exe
C:\WINDOWS\system32\bcmwltry.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
.
**************************************************************************
.
Completion time: 2008-09-28 9:58:46 - machine was rebooted [Christianne]
ComboFix-quarantined-files.txt 2008-09-28 08:58:28

Pre-Run: 20,347,887,616 bytes free
Post-Run: 20,490,129,408 bytes free

187 --- E O F --- 2008-09-26 12:49:38

HiJackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:09:38, on 28/09/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Kontiki\KService.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\lxdjserv.exe
C:\WINDOWS\system32\lxdjcoms.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\All Users\Application Data\mnsjwbwt\enkjyzyp.exe
C:\WINDOWS\system32\tp4mon.exe
C:\Program Files\Lexmark 1400 Series\lxdjamon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\mvgbyxmf.exe
C:\Program Files\Kontiki\KHost.exe
C:\Program Files\Veoh Networks\Veoh\VeohClient.exe
C:\Program Files\Belkin\F5D7011\Belkinwcui.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = 
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O4 - HKLM\..\Run: [TrackPointSrv] tp4mon.exe
O4 - HKLM\..\Run: [lxdjamon] "C:\Program Files\Lexmark 1400 Series\lxdjamon.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [bluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [DVDtoiPodConverter_upgrade] "C:\Program Files\E-Zsoft\DVDtoiPodConverter\DVDtoiPodConverter.exe" /upgrade
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [kdx] C:\Program Files\Kontiki\KHost.exe -all
O4 - HKCU\..\Run: [Veoh] "C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" /VeohHide
O4 - HKCU\..\Run: [infoApp] C:\WINDOWS\system32\nohwvunu.exe
O4 - HKCU\..\Run: [uiSmart] C:\WINDOWS\system32\mvgbyxmf.exe
O4 - HKLM\..\Policies\Explorer\Run: [G0SPduvbFZ] C:\Documents and Settings\All Users\Application Data\mnsjwbwt\enkjyzyp.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Belkin Wireless Utility.lnk = ?
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1192196331961
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1192212744927
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O21 - SSODL: genadmui - {16824F4F-3B2B-AF53-C6C2-098B56D7403C} - C:\Program Files\gehndkd\genadmui.dll
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
O23 - Service: lxdjCATSCustConnectService - Lexmark International, Inc. - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\lxdjserv.exe
O23 - Service: lxdj_device - - C:\WINDOWS\system32\lxdjcoms.exe
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

--
End of file - 5799 bytes
sari Posted September 30, 2008

Chrissie,

I would really like for the recovery console to be installed. While I don't anticipate that we'll need it, there are still a number of infected files present. Would you please try dragging the recovery console file over to Combofix again? If you're asked to accept any EULAs by Microsoft, please accept them - it's just a license agreement for the recovery console software. Once you've completed that, re-run combofix and post the log.

Thanks,
sari
Chrissie190 Posted October 3, 2008

Sari,

I seem to have come across a slight problem. Every time I try to drag the file across to combofix, Combofix tries to run and just produces another report. No blue installed screen appears. I re-read the guide and tried starting again but it still didn't work.

Chrissie
sari Posted October 4, 2008

Chrissie,

I'm checking on this - we'll get it resolved and get the rest of the PC cleaned up.
sari Posted October 6, 2008

Chrissie,

First, I want to verify that what you're dragging looks like this:

Second, let's delete your version of Combofix and download a newer one.

Download Combofix from any of the links below, and save it to your desktop. For information regarding this download, please visit this webpage: http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Link 1
Link 2
Link 3

**Note: It is important that it is saved directly to your desktop**

Once it's saved, drag the recovery console to it again, and report back here.

Thanks,
sari
Chrissie190 Posted October 8, 2008 (Author)

Sari,

Thanks for your extra help and for your patience, I have finally got it working. The report is below:

ComboFix 08-10-07.06 - Christianne 2008-10-08 14:04:05.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.235 [GMT 1:00]
Running from: C:\Documents and Settings\Christianne\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Christianne\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
 * Created a new restore point.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\system32\TDSSjjsm.dll
C:\WINDOWS\system32\TDSSqujy.dll
.
((((((((((((((((((((((((( Files Created from 2008-09-08 to 2008-10-08 )))))))))))))))))))))))))))))))
.
2008-09-24 16:45 . 2008-09-24 16:45  2,544  --a------  C:\WINDOWS\system32\tmp.reg
2008-09-24 11:37 . 2008-09-24 14:22  <DIR>  d--------  C:\WINDOWS\system32\CatRoot_bak
2008-09-22 18:54 . 2008-09-22 18:54  <DIR>  d--------  C:\Program Files\CCleaner
2008-09-22 18:21 . 2008-09-22 18:21  <DIR>  d--------  C:\Program Files\Trend Micro
2008-09-21 19:28 . 2008-09-24 17:11  <DIR>  d--------  C:\Documents and Settings\Christianne\Application Data\Spyzooka
2008-09-21 17:37 . 2008-10-01 13:10  <DIR>  d--------  C:\Program Files\SpyZooka
2008-09-21 16:48 . 2008-09-21 16:53  <DIR>  d--------  C:\Program Files\Common Files\Adobe
2008-09-20 23:13 . 2008-09-20 23:13  <DIR>  d--------  C:\Program Files\gehndkd
2008-09-20 23:13 . 2008-09-29 21:21  <DIR>  d--------  C:\Documents and Settings\All Users\Application Data\mnsjwbwt
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-08 13:08  ---------  d-----w  C:\Documents and Settings\All Users\Application Data\Kontiki
2008-09-24 11:24  ---------  d-----w  C:\Program Files\DivX
2008-09-22 18:01  ---------  d-----w  C:\Program Files\GIMP-2.0
2008-09-21 15:53  ---------  d-----w  C:\Documents and Settings\All Users\Application Data\avg8
2008-09-07 15:29  ---------  d-----w  C:\Program Files\Kontiki
2008-08-30 13:50  97,928     ----a-w  C:\WINDOWS\system32\drivers\avgldx86.sys
2008-07-18 21:10  94,920     ----a-w  C:\WINDOWS\system32\cdm.dll
2008-07-18 21:10  53,448     ----a-w  C:\WINDOWS\system32\wuauclt.exe
2008-07-18 21:10  45,768     ----a-w  C:\WINDOWS\system32\wups2.dll
2008-07-18 21:10  36,552     ----a-w  C:\WINDOWS\system32\wups.dll
2008-07-18 21:09  563,912    ----a-w  C:\WINDOWS\system32\wuapi.dll
2008-07-18 21:09  325,832    ----a-w  C:\WINDOWS\system32\wucltui.dll
2008-07-18 21:09  205,000    ----a-w  C:\WINDOWS\system32\wuweb.dll
2008-07-18 21:09  1,811,656  ----a-w  C:\WINDOWS\system32\wuaueng.dll
2008-07-18 21:07  270,880    ----a-w  C:\WINDOWS\system32\mucltui.dll
2008-07-18 21:07  210,976    ----a-w  C:\WINDOWS\system32\muweb.dll
.
((((((((((((((((((((((((((((( snapshot@2008-09-28_ 9.57.33.34 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-10-08 11:57:29  16,384  ----atw  C:\WINDOWS\Temp\Perflib_Perfdata_188.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15360]
"kdx"="C:\Program Files\Kontiki\KHost.exe" [2007-04-23 1032640]
"Veoh"="C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" [2008-04-01 3587120]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"lxdjamon"="C:\Program Files\Lexmark 1400 Series\lxdjamon.exe" [2007-03-05 20480]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-11-12 185632]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-09-29 1234712]
"DVDtoiPodConverter_upgrade"="C:\Program Files\E-Zsoft\DVDtoiPodConverter\DVDtoiPodConverter.exe" [2007-12-06 822272]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"TrackPointSrv"="tp4mon.exe" [2004-08-04 C:\WINDOWS\system32\tp4mon.exe]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 C:\WINDOWS\system32\bthprops.cpl]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 15360]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-22 39264]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Belkin Wireless Utility.lnk - C:\Program Files\Belkin\F5D7011\Belkinwcui.exe [2007-10-12 1572864]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"genadmui"= {16824F4F-3B2B-AF53-C6C2-098B56D7403C} - C:\Program Files\gehndkd\genadmui.dll [2008-09-20 106496]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Lexmark 1400 Series\\lxdjamon.exe"=
"C:\\Program Files\\Lexmark 1400 Series\\App4R.exe"=
"C:\\WINDOWS\\system32\\lxdjcoms.exe"=
"C:\\Program Files\\Kontiki\\KService.exe"=
"C:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

R1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-08-30 97928]
R2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-08-30 231704]
R2 lxdjCATSCustConnectService;lxdjCATSCustConnectService;C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\lxdjserv.exe [2007-04-27 99248]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{dc73d8f2-834f-11dd-a233-00d059d8facd}]
\Shell\AutoRun\command - E:\wdsync.exe
.
Contents of the 'Scheduled Tasks' folder

2008-10-08 C:\WINDOWS\Tasks\MP Scheduled Scan.job
- C:\Program Files\Windows Defender\MpCmdRun.exe [2006-11-03 19:20]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-InfoApp - C:\WINDOWS\system32\nohwvunu.exe
HKCU-Run-UiSmart - C:\WINDOWS\system32\mvgbyxmf.exe
HKCU-Run-ProcSrvWin - C:\WINDOWS\system32\ujwjujen.exe
HKLM-Explorer_Run-G0SPduvbFZ - C:\Documents and Settings\All Users\Application Data\mnsjwbwt\enkjyzyp.exe

.
------- Supplementary Scan -------
.
O16 -: DirectAnimation Java Classes - file://C:\WINDOWS\Java\classes\dajava.cab
C:\WINDOWS\Downloaded Program Files\DirectAnimation Java Classes.osd
O16 -: Microsoft XML Parser for Java - file://C:\WINDOWS\Java\classes\xmldso.cab
C:\WINDOWS\Downloaded Program Files\Microsoft XML Parser for Java.osd
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-08 14:07:52
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

C:\WINDOWS\TEMP\TMP0000004AA325041F5F7E47E1 524288 bytes

scan completed successfully
hidden files: 1

**************************************************************************
.
Completion time: 2008-10-08 14:11:46
ComboFix-quarantined-files.txt 2008-10-08 13:11:22

Pre-Run: 20,240,527,360 bytes free
Post-Run: 20,266,315,776 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

127 --- E O F --- 2008-10-07 16:50:17
sari Posted October 14, 2008

Chrissie,

It looks like those runs cleaned up a lot of the issues.

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

O21 - SSODL: genadmui - {16824F4F-3B2B-AF53-C6C2-098B56D7403C} - C:\Program Files\gehndkd\genadmui.dll

Now close all windows other than HiJackThis, then click Fix Checked.

Reboot into safe mode. Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

Please remove these entries from Add/Remove Programs in the Control Panel (if present):
genadmui

Please note any other programs that you don't recognize in that list in your next response.

Please delete these folders using Windows Explorer (if present):
C:\Program Files\gehndkd

After that, reboot.

Please post a new HijackThis log.
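The entries sari singles out in this thread (a DLL in a random-looking folder under Program Files loaded through ShellServiceObjectDelayLoad, Run values pointing at random names under system32 and under All Users\Application Data) are exactly the patterns a helper screens for by eye, and they can be screened mechanically. The script below is an added example written for this page, not a tool from the thread. The log lines it scans are constructed from entries visible in the posts above; the vendor-directory allow list, the "random name" thresholds and the treatment of every O21 entry as worth a look are assumptions a helper would tune for the machine in front of them, and are labelled as such in the code.

```python
"""Screen HijackThis-style autostart entries for the signs a forum helper
looks for by eye. Added example for this page, not a tool from the thread."""
import re

# Vendor directories present on this machine according to the posted logs.
# An image under one of these is not scored on the shape of its name.
# (Assumption: this short list stands in for the helper's knowledge of the
# legitimate products installed on this particular box.)
TRUSTED_DIRS = {
    "adobe", "avg", "real", "kontiki", "veoh networks", "lexmark 1400 series",
    "windows defender", "belkin", "siber systems", "e-zsoft", "messenger",
    "trend micro", "common files",
}

# Parents under which a freshly created all-lowercase folder is a classic
# dropper location (the thread's mnsjwbwt and gehndkd).
DROP_PARENTS = {"program files", "application data"}

# Images that legitimately run from system32 via a per-user Run value on XP.
HKCU_SYSTEM32_OK = {"ctfmon.exe"}

# First drive-letter path on the line that ends in a loadable image.
PATH_RE = re.compile(r"([A-Za-z]:\\[^\r\n]*?\.(?:exe|dll|cpl))", re.IGNORECASE)
VOWELS = set("aeiou")

# Constructed sample: entries seen in this thread plus benign neighbours.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Policies\Explorer\Run: [G0SPduvbFZ] C:\Documents and Settings\All Users\Application Data\mnsjwbwt\enkjyzyp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [InfoApp] C:\WINDOWS\system32\nohwvunu.exe
O21 - SSODL: genadmui - {16824F4F-3B2B-AF53-C6C2-098B56D7403C} - C:\Program Files\gehndkd\genadmui.dll
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
"""


def max_consonant_run(token):
    run = best = 0
    for ch in token:
        run = 0 if ch in VOWELS else run + 1
        best = max(best, run)
    return best


def looks_random(token):
    """A 7-10 letter all-lowercase token with no vowel at all, or with five
    or more consonants in a row: 'mnsjwbwt' and 'enkjyzyp' qualify,
    'realsched' (longest run 4) does not. Thresholds are an assumption."""
    if not re.fullmatch(r"[a-z]{7,10}", token):
        return False
    return not (set(token) & VOWELS) or max_consonant_run(token) >= 5


def score_entry(line):
    """Return (image path, list of reasons) for one HijackThis line."""
    m = PATH_RE.search(line)
    if not m:
        return None, []
    path = m.group(1)
    lowered = [p.lower() for p in path.split("\\")]
    image = lowered[-1]
    stem = image.rpartition(".")[0]
    reasons = []

    # 1. A random-looking folder sitting directly under a drop location.
    for parent, child in zip(lowered, lowered[1:]):
        if parent in DROP_PARENTS and looks_random(child):
            reasons.append(f"random folder '{child}' under '{parent}'")

    # 2. A random-looking image name outside any known vendor directory.
    if not any(p in TRUSTED_DIRS for p in lowered) and looks_random(stem):
        reasons.append(f"random image name '{image}'")

    # 3. ShellServiceObjectDelayLoad: a DLL Explorer loads at every logon.
    #    A home XP box has only a few stock Microsoft entries here, so any
    #    third-party one deserves a look.
    if line.startswith("O21"):
        reasons.append("SSODL entry: DLL loaded into Explorer at logon")

    # 4. Per-user Run value pointing into system32 at something that is not
    #    a known Windows component (the thread's nohwvunu/mvgbyxmf/ujwjujen).
    if (line.startswith("O4 - HKCU") and "system32" in lowered
            and image not in HKCU_SYSTEM32_OK):
        reasons.append("per-user Run value pointing into system32")
    return path, reasons


def triage(log_text):
    """Return [(path, reasons)] for every line that collected a reason."""
    flagged = []
    for line in log_text.splitlines():
        path, reasons = score_entry(line)
        if reasons:
            flagged.append((path, reasons))
    return flagged


if __name__ == "__main__":
    for path, reasons in triage(SAMPLE_LOG):
        print(path)
        for reason in reasons:
            print("    -", reason)
```

Run against the constructed sample it reports the mnsjwbwt\enkjyzyp.exe entry, the HKCU Run value for nohwvunu.exe and the gehndkd\genadmui.dll SSODL entry, and stays quiet on the Adobe, RealPlayer, ctfmon and AVG lines. The name-shape test is only a tiebreaker; the allow list of vendor directories and the "what is this doing in system32 from HKCU" rule carry most of the weight, which is also how a human reviewer reads these logs.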
Chrissie190 Posted October 14, 2008 (Author)

Followed the instructions and here's the HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:08:35, on 14/10/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Kontiki\KService.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\lxdjserv.exe
C:\WINDOWS\system32\lxdjcoms.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\tp4mon.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\Lexmark 1400 Series\lxdjamon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Kontiki\KHost.exe
C:\Program Files\Veoh Networks\Veoh\VeohClient.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Belkin\F5D7011\Belkinwcui.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = 
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O4 - HKLM\..\Run: [TrackPointSrv] tp4mon.exe
O4 - HKLM\..\Run: [lxdjamon] "C:\Program Files\Lexmark 1400 Series\lxdjamon.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [bluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [DVDtoiPodConverter_upgrade] "C:\Program Files\E-Zsoft\DVDtoiPodConverter\DVDtoiPodConverter.exe" /upgrade
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [kdx] C:\Program Files\Kontiki\KHost.exe -all
O4 - HKCU\..\Run: [Veoh] "C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" /VeohHide
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Belkin Wireless Utility.lnk = ?
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1192196331961
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1192212744927
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
O23 - Service: lxdjCATSCustConnectService - Lexmark International, Inc. - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\lxdjserv.exe
O23 - Service: lxdj_device - - C:\WINDOWS\system32\lxdjcoms.exe
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

--
End of file - 5378 bytes
sari Posted October 14, 2008

Chrissie,

That looks better - I'm going to have you run an online virus scanner just as a final check.

Please do an online scan with Kaspersky WebScanner.

Kaspersky online scanner uses JAVA technology to perform the scan. If you do not have the latest JAVA version, follow the instructions below under Upgrading Java to download and install the latest version.

Read through the requirements and privacy statement and click on Accept button.
It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
When the downloads have finished, click on Settings.
Make sure the following is checked:
    Spyware, Adware, Dialers, and other potentially dangerous programs
    Archives
    Mail databases
Click on My Computer under Scan.
Once the scan is complete, it will display the results. Click on View Scan Report.
You will see a list of infected items there. Click on Save Report As....
Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
Please post this log in your next reply.

Upgrading Java:

Download the latest version of Java Runtime Environment (JRE) 6 Update 7.
Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications".
Click the "Download" button to the right.
Select your Platform and check the box that says: "I agree to the Java SE Runtime Environment 6 License Agreement.".
Click on Continue.
Click on the link to download Windows Offline Installation (jre-6u7-windows-i586-p.exe) and save it to your desktop.
Do NOT use the Sun Download Manager.
Close any programs you may have running - especially your web browser.
Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
Check any item with Java Runtime Environment (JRE or J2SE) in the name.
Click the Remove or Change/Remove button.
Repeat as many times as necessary to remove each Java version.
Reboot your computer once all Java components are removed.
Then from your desktop double-click on the download to install the newest version. (Vista users, right-click on the jre-6u7-windows-i586-p.exe and select "Run as an Administrator.")
Chrissie190 Posted October 15, 2008 (Author)

Sari,

Here's the Kaspersky WebScanner report:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Wednesday, October 15, 2008
Operating System: Microsoft Windows XP Home Edition Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Wednesday, October 15, 2008 00:05:37
Records in database: 1312160
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\

Scan statistics:
Files scanned: 44005
Threat name: 3
Infected objects: 4
Suspicious objects: 0
Duration of the scan: 02:37:19

File name / Threat name / Threats count
C:\Documents and Settings\Christianne\Desktop\SmitfraudFix\Reboot.exe  Infected: not-a-virus:RiskTool.Win32.Reboot.f  1
C:\Documents and Settings\Christianne\Desktop\SmitfraudFix.exe  Infected: not-a-virus:RiskTool.Win32.Reboot.f  1
C:\Program Files\SpyZooka\spyzooka.exe  Infected: not-a-virus:FraudTool.Win32.SpyZooka.a  1
C:\QooBox\Quarantine\C\WINDOWS\system32\TDSSqujy.dll.vir  Infected: Rootkit.Win32.Clbd.kf  1

The selected area was scanned.
sari Posted October 15, 2008

Chrissie,

That looks good. Just a little clean up, and you should be ready to go.

Follow these steps to uninstall Combofix and tools used in the removal of malware:
Click START then RUN.
Now type Combofix /u in the runbox and click OK. Note the space between the X and the U, it needs to be there.

You can also delete the smitfraudfix program we installed at the beginning.

Now let's Reset and Re-enable your System Restore to remove any infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs from changing those files. This is the only way to clean these files: (You will lose all previous restore points which are likely to be infected, but that's good news).

Turn OFF System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.
Restart your computer.

Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check Turn off System Restore.
Click Apply, and then click OK.
System Restore will now be active again.

Another essential is to keep your computer updated with the latest operating system patches and security fixes. Windows Updates are constantly being revised to combat the newest hacks and threats; Microsoft releases security updates that help keep your computer from becoming vulnerable. It is best if you have these set to download automatically.

Automatic Updates for Windows
Click Start.
Select Settings and then Control Panel.
Select Automatic Updates.
Click Automatic (recommended).
Choose a day and a time when you know the computer will be on and connected to the internet.
Click Apply then OK.

In addition to Windows updates, you also need to ensure that your version of Java is the latest.
Click here to download the latest version (Java Runtime Environment (JRE) 6 Update 7).
Once downloaded, install it and then Reboot your computer.
It is most important that you also uninstall older versions of Java.
Click Start, Control Panel, Add/Remove Programs.
Delete all Java updates except Java 6 Update 7.

The following is a list of tools and utilities that I like to suggest to people. This list is full of great tools and utilities to help you understand how you got infected and how to keep from getting infected again.

Spybot Search & Destroy - Uber powerful tool which can search and annihilate nasties that make it onto your system. Now with an Immunize section that will help prevent future infections.
SpywareBlaster - Great prevention tool to keep nasties from installing on your system.
SpywareGuard - Works as a Spyware "Shield" to protect your computer from getting malware in the first place.
IE-SpyAd - puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
ATF Cleaner - Cleans temporary files from IE and Windows, empties the recycle bin and more. Great tool to help speed up your computer and knock out those nasties that like to reside in the temp folders.
MVPS Hosts file - The MVPS Hosts file replaces your current HOSTS file with one containing well-known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer.
Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.
Google Toolbar - Free google toolbar that allows you to use the powerful Google search engine from the bar, but also blocks pop up windows.

To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Tony Klein.

sari
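The MVPS HOSTS file sari recommends works by pointing ad hosts at 127.0.0.1. The same mechanism, abused, is one of the ways a machine ends up with the kind of search redirects this thread started with, and malware also uses it to pin update and antivirus hosts so they can no longer be reached. The audit below is an added example for this page, not part of sari's advice or of the MVPS file itself. It parses a constructed HOSTS sample (the hijack lines are made up and use a documentation address range) and flags any entry that maps a search, update or antivirus domain at all, and any entry that maps a host to something other than a loopback or unspecified sink address. The protected-domain list is an assumption drawn from the sites mentioned in this thread.

```python
"""Audit a Windows HOSTS file for hijack-style entries. Added example for
this page, not part of the thread's advice or of the MVPS file."""
from ipaddress import ip_address

# On XP the live file is %SystemRoot%\system32\drivers\etc\hosts.
# Domains that should never appear in a blocking-only HOSTS file: search
# engines, Windows Update, and the antivirus products used in this thread.
# (Assumption: the list is drawn from the sites mentioned in the thread.)
PROTECTED_SUFFIXES = (
    "google.com", "live.com", "microsoft.com", "windowsupdate.com",
    "avg.com", "kaspersky.com",
)

# Addresses a blocking list may legitimately map a host to.
SINK_ADDRESSES = {"127.0.0.1", "0.0.0.0", "::1"}

# Constructed sample: stock header, two MVPS-style blocks, and four
# hijack-style lines (203.0.113.0/24 is a documentation range, not a host).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       ad.doubleclick.net        # [MVPS]
0.0.0.0         adserver.example          # MVPS-style, 0.0.0.0 sink
203.0.113.7     www.google.com            # search redirect
203.0.113.7     free.avg.com www.avg.com  # AV vendor sent elsewhere
203.0.113.9     www.example.com           # any non-sink mapping is a redirect
127.0.0.1       update.microsoft.com      # updates silently blocked
this is not a hosts line
"""


def parse_hosts(text):
    """Yield (address, hostname) pairs. Comments, blank lines and lines whose
    first field is not an IP address are skipped, as Windows skips them."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            addr = str(ip_address(fields[0]))
        except ValueError:
            continue
        for host in fields[1:]:
            yield addr, host.lower()


def is_protected(host):
    """True for a protected domain or any subdomain of one."""
    return any(host == s or host.endswith("." + s) for s in PROTECTED_SUFFIXES)


def audit_hosts(text):
    """Return [(host, address, reason)] for every entry that does not belong
    in a blocking-only HOSTS file."""
    findings = []
    for addr, host in parse_hosts(text):
        if host == "localhost" and addr in SINK_ADDRESSES:
            continue
        if is_protected(host):
            # Even a loopback mapping is bad here: it silently blocks
            # Windows Update and antivirus signature downloads.
            findings.append((host, addr, "search/update/antivirus domain pinned in HOSTS"))
        elif addr not in SINK_ADDRESSES:
            findings.append((host, addr, "mapped to a real address: a redirect, not a block"))
    return findings


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_HOSTS
    for host, addr, reason in audit_hosts(text):
        print(f"{host:28} -> {addr:15} {reason}")
```

Run without arguments it audits the constructed sample and reports the five hijack-style lines while accepting the two ad-blocking entries and the localhost line; given a path it audits a real file, so on the machine in this thread it would be run against C:\WINDOWS\system32\drivers\etc\hosts after the MVPS file is installed. A clean MVPS-style file produces no findings, because every entry in it maps to a sink address and none of the protected domains appear.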