virtumundo!!!! help!! new log..:D


zhiantryn

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:36:18 PM, on 5/24/2008
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\WINDOWS\System32\GEARSEC.EXE
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\Rundll32.exe
C:\Program Files\Adobe\Adobe Photoshop CS2\Photoshop.exe
C:\DOCUME~1\martin\LOCALS~1\Temp\Adobelm_Cleanup.0001
C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
C:\DOCUME~1\martin\LOCALS~1\Temp\Adobelm_Cleanup.0001
C:\Documents and Settings\martin\My Documents\My Pictures\rj\HijackThis.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE

O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {EE5A1465-1E73-4784-8F63-45983FDF0DB8} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [BM1fd74f42] Rundll32.exe "C:\WINDOWS\System32\hjltfqgi.dll",s
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/mic...ols/en/x86/client/wuweb_site.cab?915122538904
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ols/en/x86/client/muweb_site.cab?915122508300
O16 - DPF: {6F750202-1362-4815-A476-88533DE61D0C} (Kodak Gallery Easy Upload Manager Class) - http://www.kodakgallery.com/downloads/BUM/BUM_WIN_IE_2/axofupld.cab
O20 - Winlogon Notify: iifgFVol - C:\WINDOWS\
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSEC.EXE
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe

--
End of file - 3674 bytes


please help me.. thanks!!
 
Step1

Download ComboFix from Here or Here to your Desktop.
Read first: "How to download and use ComboFix"
If you downloaded ComboFix previously, delete that version and download it again as the tool is frequently updated!
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
  • Double click combofix.exe and follow the prompts.
  • When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.
  • Be sure to re-enable your anti-virus and other security programs after ComboFix has finished.
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Extra-Note: Please, DO NOT use ComboFix on your own. It is a very powerful tool designed to deal with sophisticated infections and if something goes wrong or you use it incorrectly, you could possibly lose the use of your computer. It is ONLY meant to be used under the direct supervision of a malware removal specialist. Please read Combofix's Disclaimer
 
ComboFix 08-05-21.3 - martin 2008-05-24 20:18:58.1 - NTFSx86
Running from: C:\Documents and Settings\martin\Desktop\ComboFix.exe
* Created a new restore point
* Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\BM1fd74f42.xml
C:\WINDOWS\cookies.ini
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\afyirgtn.ini
C:\WINDOWS\system32\ebofugue.ini
C:\WINDOWS\system32\fglhtwaj.ini
C:\WINDOWS\system32\KnWHNqru.ini
C:\WINDOWS\system32\KnWHNqru.ini2
C:\WINDOWS\system32\mrphkbmu.exe
C:\WINDOWS\system32\qsewyvbk.exe
C:\WINDOWS\system32\rpruoblv.ini
C:\WINDOWS\system32\vvcvmpcs.ini
C:\WINDOWS\system32\vvcvmpcs.ini2
C:\WINDOWS\system32\vvcvmpcs.tmp
C:\WINDOWS\system32\xyyxIRqr.ini
C:\WINDOWS\system32\xyyxIRqr.ini2

.
((((((((((((((((((((((((( Files Created from 2008-04-24 to 2008-05-24 )))))))))))))))))))))))))))))))
.

2008-05-24 18:00 . 2008-05-24 18:00 370,176 --a------ C:\WINDOWS\system32\rqRIxyyx.dll.vir
2008-05-24 16:34 . 2008-05-24 16:34 <DIR> d-------- C:\VundoFix Backups
2008-05-24 16:15 . 2008-05-24 16:15 <DIR> d-------- C:\Documents and Settings\Administrator
2008-05-24 04:38 . 2008-05-24 04:38 126,464 --a------ C:\WINDOWS\system32\hjltfqgi.dll
2008-05-23 22:06 . 2008-05-23 22:15 <DIR> d-------- C:\Program Files\ESET
2008-05-23 22:06 . 2008-05-23 22:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ESET
2008-05-23 21:31 . 2008-05-23 21:31 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Adobe Systems
2008-05-23 21:30 . 2008-05-23 21:30 <DIR> d-------- C:\Program Files\Common Files\Adobe Systems Shared
2008-05-22 09:22 . 2008-05-22 09:22 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab Setup Files
2008-05-16 08:56 . 2008-05-16 08:56 <DIR> d-------- C:\Program Files\WinFF
2008-05-16 08:56 . 1999-01-01 03:34 <DIR> d-------- C:\Documents and Settings\martin\Application Data\WinFF
2008-05-09 22:19 . 2008-05-09 22:19 <DIR> d-------- C:\Program Files\YouTube Downloader
2008-05-06 11:38 . 2004-03-09 09:58 646,656 --a------ C:\WINDOWS\system32\sxs.dll
2008-05-06 11:38 . 2004-03-09 09:58 646,656 --a--c--- C:\WINDOWS\system32\dllcache\sxs.dll
2008-05-06 11:37 . 2008-05-06 11:37 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2008-05-06 11:33 . 2008-05-06 11:34 <DIR> d-------- C:\Program Files\MSXML 4.0
2008-05-06 11:20 . 2008-05-06 11:41 <DIR> d--h-c--- C:\WINDOWS\$xpsp1hfm$
2008-05-05 23:32 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2008-05-05 23:32 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-04-25 03:41 . 2008-05-24 18:06 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-04-25 03:13 . 2008-05-24 16:23 1,234 --a------ C:\WINDOWS\system32\tmp.reg
2008-04-24 20:15 . 2007-09-05 23:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-04-24 20:15 . 2006-04-27 16:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-04-24 20:15 . 2007-12-13 19:40 77,824 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-04-24 20:15 . 2003-06-05 20:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-04-24 20:15 . 2004-07-31 17:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-04-24 20:15 . 2007-10-03 23:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-04-24 19:54 . 2008-04-24 19:54 <DIR> d-------- C:\Program Files\Trend Micro

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-23 13:41 --------- d-----w C:\Program Files\Common Files\Adobe
2008-05-22 07:04 --------- d-----w C:\Documents and Settings\martin\Application Data\uTorrent
2008-05-10 06:34 --------- d-----w C:\Documents and Settings\martin\Application Data\U3
2008-04-27 17:21 --------- d-----w C:\Documents and Settings\martin\Application Data\Image Zone Express
2008-04-27 11:41 --------- d-----w C:\Program Files\LimeWire
2008-04-24 18:46 --------- d-----w C:\Documents and Settings\All Users\Application Data\AVG7
2008-04-22 04:17 --------- d-----w C:\Program Files\Kaspersky Lab
2008-04-22 02:01 --------- d-----w C:\Documents and Settings\martin\Application Data\AVG7
2008-04-17 02:27 --------- d-----w C:\Program Files\Yahoo!
2007-12-14 20:58 784 -c--a-w C:\Documents and Settings\martin\Application Data\mpauth.dat
2007-11-06 07:51 348 ----a-w C:\Documents and Settings\martin\.cb_layout.bin
2007-10-25 17:14 6,167,112 -c--a-w C:\Program Files\Firefox Setup 2.0.0.3.exe
.

------- Sigcheck -------

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BM1fd74f42"="C:\WINDOWS\System32\hjltfqgi.dll" [2008-05-24 04:38 126464]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\iifgFVol]

R1 epfwtdir;epfwtdir;C:\WINDOWS\System32\DRIVERS\epfwtdir.sys [2008-03-13 16:52]
R3 cwbmidi_device;Crystal WDM MPU-401 UART Driver;C:\WINDOWS\System32\drivers\cwbmidi.sys [2001-08-17 12:19]
R3 cwbwdm_device;Crystal WDM Audio Codec Driver;C:\WINDOWS\System32\drivers\cwbwdm.sys [2001-08-17 12:19]
S3 NtApm;NT Apm/Legacy Interface Driver;C:\WINDOWS\System32\DRIVERS\NtApm.sys [2001-08-17 21:47]
S3 V0090VID;Creative WebCam Vista Plus;C:\WINDOWS\System32\DRIVERS\V0090Vid.sys [2005-04-14 09:00]

*Newly Created Service* - CATCHME
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-24 20:23:23
Windows 5.1.2600 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-05-24 20:26:36
ComboFix-quarantined-files.txt 2008-05-24 12:26:12

Pre-Run: 4,599,328,768 bytes free
Post-Run: 4,612,808,704 bytes free

103 --- E O F --- 2008-05-06 03:42:18
 
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:30:18 PM, on 5/24/2008
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\WINDOWS\System32\GEARSEC.EXE
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\Rundll32.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\martin\My Documents\My Pictures\rj\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Live Search
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Live Search
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [BM1fd74f42] Rundll32.exe "C:\WINDOWS\System32\hjltfqgi.dll",s
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/mic...ols/en/x86/client/wuweb_site.cab?915122538904
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ols/en/x86/client/muweb_site.cab?915122508300
O16 - DPF: {6F750202-1362-4815-A476-88533DE61D0C} (Kodak Gallery Easy Upload Manager Class) - http://www.kodakgallery.com/downloads/BUM/BUM_WIN_IE_2/axofupld.cab
O20 - Winlogon Notify: iifgFVol - C:\WINDOWS\
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSEC.EXE
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe

--
End of file - 3767 bytes
 
Step1

1. Please open Notepad
  • Click Start, then Run
  • Type "notepad.exe" in the Run Box.
2. Now copy/paste the entire content of the codebox below into the Notepad window:
Code:
KillAll::

File::
C:\WINDOWS\system32\rqRIxyyx.dll.vir
C:\WINDOWS\system32\hjltfqgi.dll
C:\WINDOWS\system32\tmp.reg
C:\Program Files\Firefox Setup 2.0.0.3.exe
C:\WINDOWS\web\related.htm

Folder::
C:\Documents and Settings\All Users\Application Data\TEMP

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\iifgFVol]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BM1fd74f42"=-
3. Then in the text file go to FILE => SAVE AS and in the SAVE AS TYPE dropdown box select ALL FILES

4. Save the above as CFScript.txt

5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

[animation: CFScript.gif]


6. After reboot (in case it asks to reboot), please post the following reports/logs in your next reply

Step2

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O4 - HKLM\..\Run: [BM1fd74f42] Rundll32.exe "C:\WINDOWS\System32\hjltfqgi.dll",s
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O20 - Winlogon Notify: iifgFVol - C:\WINDOWS\


Now close all windows other than HiJackThis, then click Fix Checked.

Step3

Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only

  • Double-click ATF-Cleaner.exe to run the program.
    Under Main choose: Select All
    Click the Empty Selected button.
If you use Firefox browser
  • Click Firefox at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser
  • Click Opera at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

Logs Required In Next Post
-------------------------------

ComboFix Log
New Hijackthis Log


Kind Regards,
Techpro5238
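The entries picked out above follow the Virtumundo/Vundo pattern seen throughout this thread: a Run key that launches a random-named System32 DLL through Rundll32, and a Winlogon Notify entry that points at a bare directory rather than a DLL. The following script is an added example, not part of this thread or of HijackThis, that applies that triage automatically to HijackThis log lines; the sample log, the severity labels and the `looks_random` heuristic are this example's own assumptions.

```python
"""Triage HijackThis log entries for the Vundo/Virtumundo pattern in this thread.
Heuristics for prioritising review, not verdicts."""
import ntpath
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: a subset of the HijackThis entries posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O4 - HKLM\..\Run: [BM1fd74f42] Rundll32.exe "C:\WINDOWS\System32\hjltfqgi.dll",s
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O20 - Winlogon Notify: iifgFVol - C:\WINDOWS\
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
"""

# Line shapes of the HijackThis sections this example inspects.
O4_RUNDLL = re.compile(
    r'^O4 - (?P<hive>\S+): \[(?P<name>[^\]]+)\] Rundll32\.exe "?(?P<dll>[^",]+)', re.I)
O20_NOTIFY = re.compile(r'^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.*)$')
O2_BHO = re.compile(r'^O2 - BHO: .* - \{[^}]+\} - (?P<path>.*)$')
R_STARTPAGE = re.compile(r'^R[01] - .*Start Page = (?P<url>.*)$')

VOWELS = set("aeiou")


def looks_random(name: str) -> bool:
    """Assumed heuristic for the 8-letter pseudo-random names Vundo used for its
    DLLs and Winlogon Notify keys (hjltfqgi, iifgFVol): few vowels or a long
    consonant run. Real 8-letter names like 'explorer' are not flagged."""
    if not (len(name) == 8 and name.isalpha()):
        return False
    lower = name.lower()
    vowel_ratio = sum(c in VOWELS for c in lower) / len(lower)
    longest_consonant_run = max(len(run) for run in re.split(r"[aeiou]", lower))
    return vowel_ratio <= 0.25 or longest_consonant_run >= 4


@dataclass
class Finding:
    severity: str   # "high" | "medium" | "low" | "info"
    entry: str
    reason: str


def triage_line(line: str) -> Optional[Finding]:
    """Return a Finding for a suspicious HijackThis entry, else None."""
    m = O4_RUNDLL.match(line)
    if m:
        dll = m.group("dll")
        stem = ntpath.splitext(ntpath.basename(dll))[0]
        if "\\system32\\" in dll.lower() and looks_random(stem):
            return Finding("high", line, f"Run key [{m.group('name')}] loads "
                           f"random-named {stem}.dll from System32 via Rundll32")
        return Finding("medium", line, "Run key loads a DLL via Rundll32; confirm the DLL's publisher")
    m = O20_NOTIFY.match(line)
    if m:
        name, path = m.group("name"), m.group("path")
        # A Notify entry should name a DLL; a bare directory means the file is gone or hidden.
        if not ntpath.basename(path) or looks_random(name):
            return Finding("high", line, f"Winlogon Notify '{name}' has no DLL file name or a random-looking name")
        return Finding("medium", line, "Winlogon Notify entries run at logon; verify the DLL")
    m = O2_BHO.match(line)
    if m and m.group("path") == "(no file)":
        return Finding("low", line, "Orphaned BHO registration (no file); safe to remove")
    m = R_STARTPAGE.match(line)
    if m and m.group("url") == "about:blank":
        return Finding("info", line, "Start page is about:blank; common after a hijack, reset if unwanted")
    return None


def triage_log(text: str) -> List[Finding]:
    """Run triage_line over every non-blank line, keeping findings in log order."""
    return [f for f in (triage_line(l.strip()) for l in text.splitlines()) if f]


if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"{f.severity:6} {f.reason}")
```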
 
Jotti File Submission:
  • Please go to Jotti's malware scan
  • Copy and paste the following file path into the "File to upload & scan" box at the top of the page:
    • C:\Documents and Settings\martin\.cb_layout.bin
  • Click on the submit button
  • Please add this to the other logs in your next reply.
 
jotti scan

Scan taken on 26 May 2008 14:32:59 (GMT)
A-Squared Found nothing
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
CPsecure Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
Fortinet Found nothing
Ikarus Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Sophos Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found nothing
 
ComboFix 08-05-21.3 - martin 2008-05-26 22:16:19.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.0.1252.1.1033.18.75 [GMT 8:00]
Running from: C:\Documents and Settings\martin\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\martin\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\Program Files\Firefox Setup 2.0.0.3.exe
C:\WINDOWS\system32\hjltfqgi.dll
C:\WINDOWS\system32\rqRIxyyx.dll.vir
C:\WINDOWS\system32\tmp.reg
C:\WINDOWS\web\related.htm
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\TEMP
C:\Program Files\Firefox Setup 2.0.0.3.exe
C:\WINDOWS\system32\hjltfqgi.dll
C:\WINDOWS\system32\rqRIxyyx.dll.vir
C:\WINDOWS\system32\tmp.reg
C:\WINDOWS\web\related.htm

.
((((((((((((((((((((((((( Files Created from 2008-04-26 to 2008-05-26 )))))))))))))))))))))))))))))))
.

2008-05-24 20:29 . 2008-05-24 20:29 0 --a------ C:\WINDOWS\BM1fd74f42.xml
2008-05-24 16:34 . 2008-05-24 16:34 <DIR> d-------- C:\VundoFix Backups
2008-05-24 16:15 . 2008-05-24 16:15 <DIR> d-------- C:\Documents and Settings\Administrator
2008-05-23 22:06 . 2008-05-23 22:15 <DIR> d-------- C:\Program Files\ESET
2008-05-23 22:06 . 2008-05-23 22:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ESET
2008-05-23 21:31 . 2008-05-23 21:31 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Adobe Systems
2008-05-23 21:30 . 2008-05-23 21:30 <DIR> d-------- C:\Program Files\Common Files\Adobe Systems Shared
2008-05-22 09:22 . 2008-05-22 09:22 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab Setup Files
2008-05-16 08:56 . 2008-05-16 08:56 <DIR> d-------- C:\Program Files\WinFF
2008-05-16 08:56 . 1999-01-01 03:34 <DIR> d-------- C:\Documents and Settings\martin\Application Data\WinFF
2008-05-09 22:19 . 2008-05-09 22:19 <DIR> d-------- C:\Program Files\YouTube Downloader
2008-05-06 11:38 . 2004-03-09 09:58 646,656 --a------ C:\WINDOWS\system32\sxs.dll
2008-05-06 11:38 . 2004-03-09 09:58 646,656 --a--c--- C:\WINDOWS\system32\dllcache\sxs.dll
2008-05-06 11:37 . 2008-05-06 11:37 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2008-05-06 11:33 . 2008-05-06 11:34 <DIR> d-------- C:\Program Files\MSXML 4.0
2008-05-06 11:20 . 2008-05-06 11:41 <DIR> d--h-c--- C:\WINDOWS\$xpsp1hfm$
2008-05-05 23:32 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2008-05-05 23:32 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-23 13:41 --------- d-----w C:\Program Files\Common Files\Adobe
2008-05-22 07:04 --------- d-----w C:\Documents and Settings\martin\Application Data\uTorrent
2008-05-10 06:34 --------- d-----w C:\Documents and Settings\martin\Application Data\U3
2008-04-27 17:21 --------- d-----w C:\Documents and Settings\martin\Application Data\Image Zone Express
2008-04-27 11:41 --------- d-----w C:\Program Files\LimeWire
2008-04-24 18:46 --------- d-----w C:\Documents and Settings\All Users\Application Data\AVG7
2008-04-24 11:54 --------- d-----w C:\Program Files\Trend Micro
2008-04-22 04:17 --------- d-----w C:\Program Files\Kaspersky Lab
2008-04-22 02:01 --------- d-----w C:\Documents and Settings\martin\Application Data\AVG7
2008-04-17 02:27 --------- d-----w C:\Program Files\Yahoo!
2007-12-14 20:58 784 -c--a-w C:\Documents and Settings\martin\Application Data\mpauth.dat
2007-11-06 07:51 348 ----a-w C:\Documents and Settings\martin\.cb_layout.bin
.

------- Sigcheck -------

.
((((((((((((((((((((((((((((( snapshot@2008-05-24_20.25.47.53 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-24 12:10:55 2,048 -cs-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-26 14:21:43 2,048 -cs-a-w C:\WINDOWS\bootstat.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

R1 epfwtdir;epfwtdir;C:\WINDOWS\System32\DRIVERS\epfwtdir.sys [2008-03-13 16:52]
R3 cwbmidi_device;Crystal WDM MPU-401 UART Driver;C:\WINDOWS\System32\drivers\cwbmidi.sys [2001-08-17 12:19]
R3 cwbwdm_device;Crystal WDM Audio Codec Driver;C:\WINDOWS\System32\drivers\cwbwdm.sys [2001-08-17 12:19]
S3 NtApm;NT Apm/Legacy Interface Driver;C:\WINDOWS\System32\DRIVERS\NtApm.sys [2001-08-17 21:47]
S3 V0090VID;Creative WebCam Vista Plus;C:\WINDOWS\System32\DRIVERS\V0090Vid.sys [2005-04-14 09:00]

.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-26 22:22:22
Windows 5.1.2600 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\WINDOWS\system32\HPZipm12.exe
.
**************************************************************************
.
Completion time: 2008-05-26 22:26:40 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-26 14:26:29
ComboFix2.txt 2008-05-26 14:03:16
ComboFix3.txt 2008-05-24 12:26:37

Pre-Run: 4,584,656,896 bytes free
Post-Run: 4,570,603,520 bytes free

99 --- E O F --- 2008-05-06 03:42:18
 
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:31:08 PM, on 5/26/2008
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\martin\My Documents\My Pictures\rj\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Live Search
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Live Search
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/mic...ols/en/x86/client/wuweb_site.cab?915122538904
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ols/en/x86/client/muweb_site.cab?915122508300
O16 - DPF: {6F750202-1362-4815-A476-88533DE61D0C} (Kodak Gallery Easy Upload Manager Class) - http://www.kodakgallery.com/downloads/BUM/BUM_WIN_IE_2/axofupld.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSEC.EXE
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe

--
End of file - 3169 bytes
 
Hello,

You weren't just supposed to post the new logs, but you were supposed to follow my three steps. First, I wanted you to run that CFScript through ComboFix, and then I wanted you to delete the entries with HijackThis (if they still existed). Then I wanted you to run ATF Cleaner.

Please do the three steps in post 5, and post the resulting ComboFix and Hijackthis Logs. Follow the steps exactly as I put them, and it will make both our jobs easier.
 