Virtumonde, and other pop-ups - Free Antivirus Forum

Virtumonde, and other pop-ups

BullGuard Antivirus Forum > Virus > Alerts & New Threats > Virtumonde, and other pop-ups

Forum Quick Jump

[ << Previous Thread | Next Thread >> ]

sianbootay
New Member

Date Joined Aug 2006
Total Posts : 21

Posted 2-19-2008 7:22 (GMT +1)

hi, this problem started to occur yesterday which was February 17, 2008, i scanned my computer with Ad-aware SE right when i started to notice pop-ups occuring while i was browsing the internet, Ad-aware found the threat called "Virtumonde", i removed it and thought it was resolve this issue, but yet did i know that pop-ups were still occuring, i thought ad-aware didnt remove all of it and i figureded that all i needed was an update of definitions, while trying to do so, it said there was an error to retrieve it, can someone please help....

Here is my HijackThis log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:17:31 PM, on 2/18/2008
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Compaq\Easy Access Button Support\CPQEADM.EXE
C:\COMPAQ\CPQINET\CPQInet.exe
C:\PROGRA~1\Compaq\EASYAC~1\BttnServ.exe
C:\Program Files\Ventrilo\Ventrilo.exe
C:\WINDOWS\System32\taskmgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\Ad-Aware2007.exe
C:\Documents and Settings\Sian Saechao\Desktop\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=3c01&lc=0409
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Compaq
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll (file missing)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [WCOLOREAL] "C:\Program Files\COMPAQ\Coloreal\coloreal.exe"
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\Compaq\Easy Access Button Support\StartEAK.exe
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [CMPDPSRV] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\CMPDPSRV .exe
O4 - HKLM\..\Run: [304ec11e] rundll32.exe "C:\WINDOWS\System32\vfsvusdm.dll",b
O4 - HKLM\..\Run: [BM337df282] Rundll32.exe "C:\WINDOWS\System32\sxhwxcae.dll",s
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Support - {BAB8A816-F2A3-4717-B1FB-0270130332B4} - C:\Program Files\Internet Explorer\SIGNUP\Presario.htm (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=3c01&lc=0409
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1005.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe

--
End of file - 4007 bytes

Touch
Forum Moderator

Date Joined Jun 2004
Total Posts : 13812

Posted 2-19-2008 9:17 (GMT +1)

Hello

Please download Combofix:

http://download.bleepingcomputer.com/sUBs/ComboFix.exe

and save to the desktop.

Important-> Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".

Close all other browser windows.

Go to start --> run and copy/paste in the following:

"%userprofile%\desktop\combofix.exe" /killall

When finished, it will produce a logfile located at C:\ComboFix.txt.

Post the contents of that log in your next reply with a new hijackthis log.

Note:
Do not mouseclick combofix's window while it is running. That may cause your system to stall/hang.

Do NOT post your problem in someone elses thread.

Member of - Alliance of Security Analysis Professionals

sianbootay
New Member

Date Joined Aug 2006
Total Posts : 21

Posted 2-19-2008 10:01 (GMT +1)

OK, here is my Combofix Log.

ComboFix 08-02-19.2 - Sian Saechao 2008-02-19 0:31:57.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.0.1252.1.1033.18.247 [GMT -8:00]
Running from: C:\Documents and Settings\Sian Saechao\desktop\combofix.exe
Command switches used :: /killall
* Created a new restore point

[color=red][b]WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !![/b][/color]
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\gebyy.dll
C:\Cpqs\Scom\srmclean.exe
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\Documents and Settings\Sian Saechao\My Documents\TSKS~1
C:\Program Files\COMPAQ\Coloreal\coloreal.exe
C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Microsoft Works\WkDetect.exe
C:\WINDOWS\cookies.ini
C:\WINDOWS\mrofinu72.exe
C:\WINDOWS\PCHEALTH\HELPCTR\Binaries\MSConfig .exe
C:\WINDOWS\system32\gebyy.dll
C:\WINDOWS\system32\gebyy.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\system32\mdsuvsfv.ini
C:\WINDOWS\system32\pptrvkfp.dll
C:\WINDOWS\system32\RCX21.tmp
C:\WINDOWS\system32\RCX22.tmp
C:\WINDOWS\system32\RCX25.tmp
C:\WINDOWS\system32\spool\drivers\w32x86\3\CMPDPSRV .exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\CMPDPSRV.exe
C:\WINDOWS\system32\sxhwxcae.dll
C:\WINDOWS\system32\vfsvusdm.dll
C:\WINDOWS\system32\yybeg.ini
C:\WINDOWS\system32\yybeg.ini2

----- BITS: Possible infected sites -----

hxxp://80.93.48.74
.
((((((((((((((((((((((((( Files Created from 2008-01-19 to 2008-02-19 )))))))))))))))))))))))))))))))
.

2008-02-18 10:50 . 2008-02-18 10:50 <DIR> d-------- C:\Program Files\Lavasoft
2008-02-18 10:50 . 2008-02-18 10:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-02-18 10:21 . 2008-02-18 11:54 13,265 --a------ C:\WINDOWS\BM337df282.xml
2008-02-18 10:21 . 2008-02-18 22:34 22 --a------ C:\WINDOWS\pskt.ini
2008-02-16 21:11 . 2008-02-16 23:34 2,040 --a------ C:\WINDOWS\DISPLAY1_Monitor0_be.ICM
2008-02-16 21:10 . 2008-02-18 22:34 143,360 --a------ C:\WINDOWS\system32\igfxtray .exe
2008-02-16 21:10 . 2008-02-18 22:34 90,112 --a------ C:\WINDOWS\system32\hkcmd .exe
2008-02-16 20:17 . 2008-02-16 23:34 381,952 --a------ C:\WINDOWS\mrofinu72.exe.tmp
2008-02-16 20:16 . 2008-02-16 20:16 270,698 --a------ C:\WINDOWS\system32\L83C7.tmp
2008-02-16 20:16 . 2008-02-16 20:16 181,965 --a------ C:\WINDOWS\system32\L6D80.tmp
2008-02-02 16:27 . 2007-10-12 15:14 3,734,536 --a------ C:\WINDOWS\system32\d3dx9_36.dll
2008-02-02 16:27 . 2007-10-12 15:14 1,374,232 --a------ C:\WINDOWS\system32\D3DCompiler_36.dll
2008-02-02 16:27 . 2007-07-19 18:14 1,358,192 --a------ C:\WINDOWS\system32\D3DCompiler_35.dll
2008-02-02 16:27 . 2007-10-02 09:56 444,776 --a------ C:\WINDOWS\system32\d3dx10_36.dll
2008-02-02 16:27 . 2007-07-19 18:14 444,776 --a------ C:\WINDOWS\system32\d3dx10_35.dll
2008-02-02 16:27 . 2007-10-22 03:39 267,272 --a------ C:\WINDOWS\system32\xactengine2_10.dll
2008-02-02 16:27 . 2007-07-20 00:57 267,112 --a------ C:\WINDOWS\system32\xactengine2_9.dll
2008-02-02 16:24 . 2004-07-09 04:27 1,769,472 --a------ C:\WINDOWS\system32\dxdiagn.dll
2008-02-01 23:28 . 2008-02-01 23:28 <DIR> d-------- C:\Program Files\OGPlanet
2008-01-25 16:00 . 2008-01-25 16:00 <DIR> d-------- C:\Documents and Settings\Sian Saechao\Application Data\Viewpoint
2008-01-23 19:30 . 2001-08-17 13:48 12,160 --a------ C:\WINDOWS\system32\drivers\mouhid.sys
2008-01-23 19:30 . 2001-08-17 13:48 12,160 --a--c--- C:\WINDOWS\system32\dllcache\mouhid.sys

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-19 08:34 --------- d-----w C:\Program Files\Microsoft Works
2008-02-19 08:20 --------- d-----w C:\Program Files\Warcraft III
2008-02-18 18:49 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-02-18 18:44 --------- d-----w C:\Documents and Settings\Sian Saechao\Application Data\Lavasoft
2008-02-17 07:45 --------- d--h--w C:\Documents and Settings\Sian Saechao\Application Data\ijjigame
2008-02-12 06:51 --------- d-----w C:\Program Files\Steam
2008-02-10 00:57 --------- d-----w C:\Documents and Settings\Sian Saechao\Application Data\Aim
2008-01-26 00:25 --------- d-----w C:\Program Files\WC3Banlist
2008-01-19 06:41 --------- d-----w C:\Program Files\Google
2008-01-19 05:21 --------- d-----w C:\Documents and Settings\Sian Saechao\Application Data\{27ABEAD9-B7C4-4994-891F-48F5F48861FA}
2008-01-19 05:19 --------- d-----w C:\Documents and Settings\Sian Saechao\Application Data\LimeWire
2008-01-19 05:18 --------- d-----w C:\Program Files\Java
2008-01-19 05:16 --------- d-----w C:\Program Files\Common Files\Java
2008-01-18 04:43 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-18 04:43 --------- d-----w C:\Program Files\Compaq IJ650 Inkjet Printer
2008-01-10 03:14 --------- d-----w C:\Documents and Settings\Sian Saechao\Application Data\Template
2007-12-22 04:36 --------- d-----w C:\Documents and Settings\Sian Saechao\Application Data\Ventrilo
2007-12-21 10:45 --------- d-----w C:\Program Files\Winamp
2007-12-19 19:58 --------- d-----w C:\Program Files\WinPcap
2007-12-19 19:50 --------- d-----w C:\Program Files\Ventrilo
2007-12-19 07:53 --------- d-----w C:\Documents and Settings\All Users\Application Data\nView_Profiles
2007-12-19 07:15 139,264 ----a-w C:\WINDOWS\War3Unin.exe
2007-12-19 05:59 --------- d-----w C:\Program Files\Common Files\InstallShield
2007-12-19 05:46 --------- d-----w C:\Program Files\Viewpoint
2007-12-19 05:46 --------- d-----w C:\Program Files\AIM
2007-12-19 05:46 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2007-12-19 05:41 --------- d-----w C:\Program Files\COMPAQ
2007-12-19 05:39 --------- d-----w C:\Program Files\Common Files\Real
2007-12-14 19:32 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
.
[code]<pre>
----a-w            36,864 2008-02-19 06:34:04 C:\CPQS\scom\srmclean .exe
----a-w           131,072 2008-02-19 06:34:05 C:\Program Files\COMPAQ\Coloreal\coloreal .exe
----a-w            28,672 2008-02-19 06:34:05 C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK .exe
----a-w           132,496 2008-02-17 07:34:14 C:\Program Files\Java\jre1.6.0_03\bin\jusched .exe
----a-w            28,739 2008-02-17 07:34:19 C:\Program Files\Microsoft Works\WkDetect .exe
----a-w            90,112 2008-02-19 06:34:04 C:\WINDOWS\system32\hkcmd .exe
----a-w           143,360 2008-02-19 06:34:04 C:\WINDOWS\system32\igfxtray .exe
----a-w            40,960 2008-02-19 06:34:03 C:\WINDOWS\system32\spool\drivers\w32x86\3\CMPDPSRV .exe
</pre>[/code]

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{07C7156E-D651-4ACC-9AD3-498C916E9651}]
C:\WINDOWS\System32\mljhiff.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [ ]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [ ]
"WCOLOREAL"="C:\Program Files\COMPAQ\Coloreal\coloreal.exe" [ ]
"CPQEASYACC"="C:\Program Files\Compaq\Easy Access Button Support\StartEAK.exe" [ ]
"WorksFUD"="" []
"srmclean"="C:\Cpqs\Scom\srmclean.exe" [ ]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2005-04-01 16:16 5562368]
"NvMediaCenter"="C:\WINDOWS\System32\NvMcTray.dll" [2005-04-01 16:16 86016]
"CMPDPSRV"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\CMPDPSRV .exe" [2008-02-18 22:34 40960]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{07C7156E-D651-4ACC-9AD3-498C916E9651}"= C:\WINDOWS\System32\mljhiff.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mljhiff]
mljhiff.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
--a------ 2004-08-10 07:37 61440 C:\PROGRA~1\AIM\aim.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIMWDInstallFilename]
--------- 2004-01-12 12:29 102400 C:\PROGRA~1\AIM\AIMWDI~1.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Load]
C:\WINDOWS\System32\gebyy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Update Detection]
C:\Program Files\Microsoft Works\WkDetect.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2005-04-01 16:16 1495040 C:\WINDOWS\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QdrModule12]
C:\Program Files\QdrModule\QdrModule12.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QdrPack12]
C:\Program Files\QdrPack\QdrPack12.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Qgww]
C:\Program Files\W?nSxS\w?wexec.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\runner1]
C:\WINDOWS\mrofinu72.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
--a------ 2006-03-10 09:45 35328 C:\Program Files\Winamp\winampa.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Microsoft Works Portfolio"=C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
"Microsoft Works Update Detection"=C:\Program Files\Microsoft Works\WkDetect.exe

R2 Pctspk;PCTEL Speaker Phone;C:\WINDOWS\system32\pctspk.exe [2001-08-17 14:36]
R3 Ptserlp;PCTEL Serial Device Driver for PCI;C:\WINDOWS\System32\DRIVERS\ptserlp.sys [2001-08-17 05:28]
S1 EACMOS;EACMOS;C:\WINDOWS\System32\drivers\EACMOS.SYS []
S3 NPF;NetGroup Packet Filter Driver;C:\WINDOWS\System32\drivers\npf.sys [2005-08-02 13:10]
S3 XDva037;XDva037;C:\WINDOWS\System32\XDva037.sys []

*Newly Created Service* - ALG
*Newly Created Service* - IPNAT
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-19 00:38:08
Windows 5.1.2600 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\WINDOWS\System32\wdfmgr.exe
.
**************************************************************************
.
Completion time: 2008-02-19 0:43:43 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-19 08:43:37

and here is my HijackThis Log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 00:56, on 2008-02-19
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\CMPDPSRV .exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Sian Saechao\Desktop\HijackThis\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=3c01&lc=0409
O2 - BHO: (no name) - {07C7156E-D651-4ACC-9AD3-498C916E9651} - C:\WINDOWS\System32\mljhiff.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll (file missing)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [WCOLOREAL] "C:\Program Files\COMPAQ\Coloreal\coloreal.exe"
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\Compaq\Easy Access Button Support\StartEAK.exe
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [CMPDPSRV] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\CMPDPSRV .exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Support - {BAB8A816-F2A3-4717-B1FB-0270130332B4} - C:\Program Files\Internet Explorer\SIGNUP\Presario.htm (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=3c01&lc=0409
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1005.cab
O20 - Winlogon Notify: mljhiff - mljhiff.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe

--
End of file - 4013 bytes

Touch
Forum Moderator

Date Joined Jun 2004
Total Posts : 13812

Posted 2-19-2008 10:29 (GMT +1)

Please download to desktop:
http://download.bleepingcomputer.com/sUBs/Beta/RenV.exe
Run it, and post the log it produce - (log txt)

Do NOT post your problem in someone elses thread.

Member of - Alliance of Security Analysis Professionals

sianbootay
New Member

Date Joined Aug 2006
Total Posts : 21

Posted 2-19-2008 8:12 (GMT +1)

ok, here is my log.txt

[code]
Ran on 2008-02-19 - 11:04:48.57

----a-w            36,864 2008-02-19 06:34:04 C:\CPQS\scom\srmclean .exe
----a-w           131,072 2008-02-19 06:34:05 C:\Program Files\COMPAQ\Coloreal\coloreal .exe
----a-w            28,672 2008-02-19 06:34:05 C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK .exe
----a-w           132,496 2008-02-17 07:34:14 C:\Program Files\Java\jre1.6.0_03\bin\jusched .exe
----a-w            28,739 2008-02-17 07:34:19 C:\Program Files\Microsoft Works\WkDetect .exe
----a-w            90,112 2008-02-19 06:34:04 C:\WINDOWS\system32\hkcmd .exe
----a-w           143,360 2008-02-19 06:34:04 C:\WINDOWS\system32\igfxtray .exe
----a-w            40,960 2008-02-19 06:34:03 C:\WINDOWS\system32\spool\drivers\w32x86\3\CMPDPSRV .exe

Entries:                8 (8)
Directories:            0 Files:             8
Bytes:            632,275 Blocks:        1,236
[/code]

Touch
Forum Moderator

Date Joined Jun 2004
Total Posts : 13812

Posted 2-20-2008 4:15 (GMT +1)

http://www.ctrlaltdel.dk/forum/uploads/FBJSWF/2007-12-29_095939_RenV.gif

Referring to the picture above, drag Log.txt into renv.exe-file.

Post the log it produce, in next reply, along with new combofix log

Do NOT post your problem in someone elses thread.

Member of - Alliance of Security Analysis Professionals

sianbootay
New Member

Date Joined Aug 2006
Total Posts : 21

Posted 2-20-2008 6:52 (GMT +1)

Here is my Combo.Fix Log

[code]
Ran on 2008-02-19 - 21:43:27.85

Entries:                0 (0)
Directories:            0 Files:             0
Bytes:                  0 Blocks:            0
[/code]

and here is my HijackThis Log.

ComboFix 08-02-19.2 - Sian Saechao 2008-02-19 21:44:04.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.0.1252.1.1033.18.239 [GMT -8:00]
Running from: C:\Documents and Settings\Sian Saechao\Desktop\ComboFix.exe

[color=red][b]WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !![/b][/color]
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

D:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2008-01-20 to 2008-02-20 )))))))))))))))))))))))))))))))
.

2008-02-18 10:50 . 2008-02-18 10:50 <DIR> d-------- C:\Program Files\Lavasoft
2008-02-18 10:50 . 2008-02-18 10:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-02-18 10:21 . 2008-02-18 11:54 13,265 --a------ C:\WINDOWS\BM337df282.xml
2008-02-18 10:21 . 2008-02-18 22:34 22 --a------ C:\WINDOWS\pskt.ini
2008-02-16 21:11 . 2008-02-16 23:34 2,040 --a------ C:\WINDOWS\DISPLAY1_Monitor0_be.ICM
2008-02-16 20:17 . 2008-02-16 23:34 381,952 --a------ C:\WINDOWS\mrofinu72.exe.tmp
2008-02-16 20:16 . 2008-02-16 20:16 270,698 --a------ C:\WINDOWS\system32\L83C7.tmp
2008-02-16 20:16 . 2008-02-16 20:16 181,965 --a------ C:\WINDOWS\system32\L6D80.tmp
2008-02-02 16:27 . 2007-10-12 15:14 3,734,536 --a------ C:\WINDOWS\system32\d3dx9_36.dll
2008-02-02 16:27 . 2007-10-12 15:14 1,374,232 --a------ C:\WINDOWS\system32\D3DCompiler_36.dll
2008-02-02 16:27 . 2007-07-19 18:14 1,358,192 --a------ C:\WINDOWS\system32\D3DCompiler_35.dll
2008-02-02 16:27 . 2007-10-02 09:56 444,776 --a------ C:\WINDOWS\system32\d3dx10_36.dll
2008-02-02 16:27 . 2007-07-19 18:14 444,776 --a------ C:\WINDOWS\system32\d3dx10_35.dll
2008-02-02 16:27 . 2007-10-22 03:39 267,272 --a------ C:\WINDOWS\system32\xactengine2_10.dll
2008-02-02 16:27 . 2007-07-20 00:57 267,112 --a------ C:\WINDOWS\system32\xactengine2_9.dll
2008-02-02 16:24 . 2004-07-09 04:27 1,769,472 --a------ C:\WINDOWS\system32\dxdiagn.dll
2008-02-01 23:28 . 2008-02-01 23:28 <DIR> d-------- C:\Program Files\OGPlanet
2008-01-25 16:00 . 2008-01-25 16:00 <DIR> d-------- C:\Documents and Settings\Sian Saechao\Application Data\Viewpoint
2008-01-23 19:30 . 2001-08-17 13:48 12,160 --a------ C:\WINDOWS\system32\drivers\mouhid.sys
2008-01-23 19:30 . 2001-08-17 13:48 12,160 --a--c--- C:\WINDOWS\system32\dllcache\mouhid.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-20 05:43 --------- d-----w C:\Program Files\Microsoft Works
2008-02-20 02:27 --------- d-----w C:\Program Files\Warcraft III
2008-02-18 18:49 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-02-18 18:44 --------- d-----w C:\Documents and Settings\Sian Saechao\Application Data\Lavasoft
2008-02-17 07:45 --------- d--h--w C:\Documents and Settings\Sian Saechao\Application Data\ijjigame
2008-02-12 06:51 --------- d-----w C:\Program Files\Steam
2008-02-10 00:57 --------- d-----w C:\Documents and Settings\Sian Saechao\Application Data\Aim
2008-01-26 00:25 --------- d-----w C:\Program Files\WC3Banlist
2008-01-19 06:41 --------- d-----w C:\Program Files\Google
2008-01-19 05:21 --------- d-----w C:\Documents and Settings\Sian Saechao\Application Data\{27ABEAD9-B7C4-4994-891F-48F5F48861FA}
2008-01-19 05:19 --------- d-----w C:\Documents and Settings\Sian Saechao\Application Data\LimeWire
2008-01-19 05:18 --------- d-----w C:\Program Files\Java
2008-01-19 05:16 --------- d-----w C:\Program Files\Common Files\Java
2008-01-18 04:43 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-18 04:43 --------- d-----w C:\Program Files\Compaq IJ650 Inkjet Printer
2008-01-10 03:14 --------- d-----w C:\Documents and Settings\Sian Saechao\Application Data\Template
2007-12-22 04:36 --------- d-----w C:\Documents and Settings\Sian Saechao\Application Data\Ventrilo
2007-12-21 10:45 --------- d-----w C:\Program Files\Winamp
2007-12-19 07:15 139,264 ----a-w C:\WINDOWS\War3Unin.exe
2007-12-14 19:32 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
.