
Hey,

Sorry, I am new to all this but need help.

Yesterday I found a Trojan horse on my PC, so I downloaded SpyZooka and also used AVG to remove all harmful stuff. The computer now shows as clean. However, after doing so, whenever I click a link from either Google or Live Search I get redirected to "random" sites.

Help would be greatly appreciated. Thanks.

Here's the HJT log:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 18:30:30, on 22/09/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16705)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\System32\ibmpmsvc.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Windows Defender\MsMpEng.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Kontiki\KService.exe

C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\lxdjserv.exe

C:\WINDOWS\system32\lxdjcoms.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\WINDOWS\System32\wltrysvc.exe

C:\WINDOWS\System32\bcmwltry.exe

C:\WINDOWS\system32\ctfmon.exe

C:\PROGRA~1\AVG\AVG8\avgrsx.exe

C:\Documents and Settings\All Users\Application Data\mnsjwbwt\enkjyzyp.exe

C:\WINDOWS\system32\tp4mon.exe

C:\Program Files\Lexmark 1400 Series\lxdjamon.exe

C:\Program Files\Windows Defender\MSASCui.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\WINDOWS\system32\rundll32.exe

C:\PROGRA~1\AVG\AVG8\avgtray.exe

C:\Program Files\Kontiki\KHost.exe

C:\Program Files\Veoh Networks\Veoh\VeohClient.exe

C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe

C:\Program Files\Belkin\F5D7011\Belkinwcui.exe

C:\Program Files\SpyZooka\spyzooka.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\AVG\AVG8\avgui.exe

C:\Program Files\AVG\AVG8\avgscanx.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll

O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll

O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll

O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll

O4 - HKLM\..\Run: [TrackPointSrv] tp4mon.exe

O4 - HKLM\..\Run: [lxdjmon.exe] "C:\Program Files\Lexmark 1400 Series\lxdjmon.exe"

O4 - HKLM\..\Run: [lxdjamon] "C:\Program Files\Lexmark 1400 Series\lxdjamon.exe"

O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [bluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent

O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe

O4 - HKLM\..\Run: [DVDtoiPodConverter_upgrade] "C:\Program Files\E-Zsoft\DVDtoiPodConverter\DVDtoiPodConverter.exe" /upgrade

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [kdx] C:\Program Files\Kontiki\KHost.exe -all

O4 - HKCU\..\Run: [Veoh] "C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" /VeohHide

O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"

O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

O4 - HKLM\..\Policies\Explorer\Run: [G0SPduvbFZ] C:\Documents and Settings\All Users\Application Data\mnsjwbwt\enkjyzyp.exe

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')

O4 - Global Startup: Belkin Wireless Utility.lnk = ?

O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html

O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html

O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html

O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html

O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html

O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1192196331961

O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1192212744927

O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll

O20 - AppInit_DLLs: avgrsstx.dll

O21 - SSODL: genadmui - {16824F4F-3B2B-AF53-C6C2-098B56D7403C} - C:\Program Files\gehndkd\genadmui.dll

O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe

O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe

O23 - Service: lxdjCATSCustConnectService - Lexmark International, Inc. - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\lxdjserv.exe

O23 - Service: lxdj_device - - C:\WINDOWS\system32\lxdjcoms.exe

O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

--

End of file - 7689 bytes


Chrissie,

Hi, and welcome to Besttechie.

Please download SmitfraudFix (by S!Ri) to your Desktop.

Double-click SmitfraudFix.exe

Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).

Please copy/paste the content of that report into your next reply.

**If the tool fails to launch from the Desktop, please move SmitfraudFix.exe directly to the root of the system drive (usually C:), and launch from there.

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.

http://www.beyondlogic.org/consulting/proc...processutil.htm

sari


Hi Sari,

Thanks for your reply.

Here's the SmitFraudFix report.

Chrissie.

SmitFraudFix v2.354

Scan done at 16:45:08.33, 24/09/2008

Run from C:\Documents and Settings\Christianne\Desktop\SmitfraudFix

OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT

The filesystem type is NTFS

Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\System32\ibmpmsvc.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Windows Defender\MsMpEng.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

C:\Program Files\Kontiki\KService.exe

C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\lxdjserv.exe

C:\WINDOWS\system32\lxdjcoms.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\WINDOWS\System32\wltrysvc.exe

C:\WINDOWS\System32\bcmwltry.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Documents and Settings\All Users\Application Data\mnsjwbwt\enkjyzyp.exe

C:\WINDOWS\system32\tp4mon.exe

C:\Program Files\Lexmark 1400 Series\lxdjamon.exe

C:\Program Files\Windows Defender\MSASCui.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\WINDOWS\system32\rundll32.exe

C:\PROGRA~1\AVG\AVG8\avgtray.exe

C:\PROGRA~1\AVG\AVG8\avgrsx.exe

C:\Program Files\Kontiki\KHost.exe

C:\Program Files\Veoh Networks\Veoh\VeohClient.exe

C:\WINDOWS\system32\nohwvunu.exe

C:\Program Files\Belkin\F5D7011\Belkinwcui.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\WINDOWS\system32\cmd.exe

C:\Program Files\Internet Explorer\iexplore.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts

»»»»»»»»»»»»»»»»»»»»»»»» C:\

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

C:\WINDOWS\system32\tdssservers.dat detected, use a Rootkit scanner

C:\WINDOWS\system32\tdssinit.dll detected, use a Rootkit scanner

C:\WINDOWS\system32\tdssl.dll detected, use a Rootkit scanner

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Christianne

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Christianne\Application Data

»»»»»»»»»»»»»»»»»»»»»»»» Start Menu

»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\CHRIST~1\FAVORI~1

»»»»»»»»»»»»»»»»»»»»»»»» Desktop

»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files

»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys

»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components]

"Source"="About:Home"

"SubscribedURL"="About:Home"

"FriendlyName"="My Current Home Page"

»»»»»»»»»»»»»»»»»»»»»»»» o4Patch

!!!Attention, following keys are not inevitably infected!!!

o4Patch

Credits: Malware Analysis & Diagnostic

Code: S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» IEDFix

!!!Attention, following keys are not inevitably infected!!!

IEDFix

Credits: Malware Analysis & Diagnostic

Code: S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» VACFix

!!!Attention, following keys are not inevitably infected!!!

VACFix

Credits: Malware Analysis & Diagnostic

Code: S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» 404Fix

!!!Attention, following keys are not inevitably infected!!!

404Fix

Credits: Malware Analysis & Diagnostic

Code: S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» AntiXPVSTFix

!!!Attention, following keys are not inevitably infected!!!

AntiXPVSTFix

Credits: Malware Analysis & Diagnostic

Code: S!Ri

»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler

!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri

Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs

!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]

"AppInit_DLLs"="avgrsstx.dll"

"LoadAppInit_DLLs"=dword:00000001

»»»»»»»»»»»»»»»»»»»»»»»» Winlogon

!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]

"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"

"System"=""

»»»»»»»»»»»»»»»»»»»»»»»» RK

»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: Belkin 802.11g Network Adapter #2 - Packet Scheduler Miniport

DNS Server Search Order: 192.168.2.1

HKLM\SYSTEM\CCS\Services\Tcpip\..\{E8ACA906-D64B-4547-A512-406F0A6C5BFE}: DhcpNameServer=192.168.2.1

HKLM\SYSTEM\CS1\Services\Tcpip\..\{E8ACA906-D64B-4547-A512-406F0A6C5BFE}: DhcpNameServer=192.168.2.1

HKLM\SYSTEM\CS3\Services\Tcpip\..\{E8ACA906-D64B-4547-A512-406F0A6C5BFE}: DhcpNameServer=192.168.2.1

HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.2.1

HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.2.1

HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=192.168.2.1

»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection

»»»»»»»»»»»»»»»»»»»»»»»» End


Chrissie,

We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:

  1. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  2. Click Yes to allow ComboFix to continue scanning for malware.

When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt

New HijackThis log.

sari


OK, I don't really know if I did this right, because when I tried to drag the Recovery Console over ComboFix it loaded, but no blue "installed" screen came up?

ComboFix log

ComboFix 08-09-27.01 - Christianne 2008-09-28 9:39:52.1 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.225 [GMT 1:00]

Running from: C:\Documents and Settings\Christianne\Desktop\ComboFix.exe

* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

C:\WINDOWS\a.bat

C:\WINDOWS\base64.tmp

C:\WINDOWS\bdn.com

C:\WINDOWS\FVProtect.exe

C:\WINDOWS\iTunesMusic.exe

C:\WINDOWS\mssecu.exe

C:\WINDOWS\system32\akttzn.exe

C:\WINDOWS\system32\anticipator.dll

C:\WINDOWS\system32\awtoolb.dll

C:\WINDOWS\system32\bdn.com

C:\WINDOWS\system32\bsva-egihsg52.exe

C:\WINDOWS\system32\dpcproxy.exe

C:\WINDOWS\system32\emesx.dll

C:\WINDOWS\system32\h@tkeysh@@k.dll

C:\WINDOWS\system32\hoproxy.dll

C:\WINDOWS\system32\hxiwlgpm.dat

C:\WINDOWS\system32\hxiwlgpm.exe

C:\WINDOWS\system32\medup012.dll

C:\WINDOWS\system32\medup020.dll

C:\WINDOWS\system32\msgp.exe

C:\WINDOWS\system32\msnbho.dll

C:\WINDOWS\system32\mssecu.exe

C:\WINDOWS\system32\msvchost.exe

C:\WINDOWS\system32\mtr2.exe

C:\WINDOWS\system32\mwin32.exe

C:\WINDOWS\system32\netode.exe

C:\WINDOWS\system32\newsd32.exe

C:\WINDOWS\system32\ps1.exe

C:\WINDOWS\system32\psof1.exe

C:\WINDOWS\system32\psoft1.exe

C:\WINDOWS\system32\regc64.dll

C:\WINDOWS\system32\regm64.dll

C:\WINDOWS\system32\Rundl1.exe

C:\WINDOWS\system32\smp

C:\WINDOWS\system32\smp\msrc.exe

C:\WINDOWS\system32\sncntr.exe

C:\WINDOWS\system32\ssurf022.dll

C:\WINDOWS\system32\ssvchost.com

C:\WINDOWS\system32\ssvchost.exe

C:\WINDOWS\system32\sysreq.exe

C:\WINDOWS\system32\taack.dat

C:\WINDOWS\system32\taack.exe

C:\WINDOWS\system32\tdssinit.dll

C:\WINDOWS\system32\tdssl.dll

C:\WINDOWS\system32\tdssservers.dat

C:\WINDOWS\system32\temp#01.exe

C:\WINDOWS\system32\thun.dll

C:\WINDOWS\system32\thun32.dll

C:\WINDOWS\system32\VBIEWER.OCX

C:\WINDOWS\system32\vbsys2.dll

C:\WINDOWS\system32\vcatchpi.dll

C:\WINDOWS\system32\winlogonpc.exe

C:\WINDOWS\system32\winsystem.exe

C:\WINDOWS\system32\WINWGPX.EXE

C:\WINDOWS\userconfig9x.dll

C:\WINDOWS\winsystem.exe

C:\WINDOWS\zip1.tmp

C:\WINDOWS\zip2.tmp

C:\WINDOWS\zip3.tmp

C:\WINDOWS\zipped.tmp

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_TDSSSERV

-------\Service_TDSSserv

((((((((((((((((((((((((( Files Created from 2008-08-28 to 2008-09-28 )))))))))))))))))))))))))))))))

.

2008-09-28 09:50 . 2008-09-28 09:50 94,208 --a------ C:\WINDOWS\system32\mvgbyxmf.exe

2008-09-24 16:45 . 2008-09-24 16:45 2,544 --a------ C:\WINDOWS\system32\tmp.reg

2008-09-24 11:37 . 2008-09-24 14:22 <DIR> d-------- C:\WINDOWS\system32\CatRoot_bak

2008-09-23 19:05 . 2008-09-23 19:05 102,400 --a------ C:\WINDOWS\system32\nohwvunu.exe

2008-09-22 18:54 . 2008-09-22 18:54 <DIR> d-------- C:\Program Files\CCleaner

2008-09-22 18:21 . 2008-09-22 18:21 <DIR> d-------- C:\Program Files\Trend Micro

2008-09-21 19:28 . 2008-09-24 17:11 <DIR> d-------- C:\Documents and Settings\Christianne\Application Data\Spyzooka

2008-09-21 17:37 . 2008-09-26 15:18 <DIR> d-------- C:\Program Files\SpyZooka

2008-09-21 16:48 . 2008-09-21 16:53 <DIR> d-------- C:\Program Files\Common Files\Adobe

2008-09-20 23:13 . 2008-09-20 23:13 <DIR> d-------- C:\Program Files\gehndkd

2008-09-20 23:13 . 2008-09-20 23:13 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\mnsjwbwt

2008-09-20 23:13 . 2008-09-21 16:42 77,824 --a------ C:\WINDOWS\system32\TDSSqujy.dll

2008-09-20 23:13 . 2008-09-21 16:42 36,352 --a------ C:\WINDOWS\system32\TDSSjjsm.dll

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-09-28 08:53 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kontiki

2008-09-24 11:24 --------- d-----w C:\Program Files\DivX

2008-09-22 18:01 --------- d-----w C:\Program Files\GIMP-2.0

2008-09-21 15:53 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg8

2008-09-07 15:29 --------- d-----w C:\Program Files\Kontiki

2008-08-30 13:50 97,928 ----a-w C:\WINDOWS\system32\drivers\avgldx86.sys

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15360]

"kdx"="C:\Program Files\Kontiki\KHost.exe" [2007-04-23 1032640]

"Veoh"="C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" [2008-04-01 3587120]

"InfoApp"="C:\WINDOWS\system32\nohwvunu.exe" [2008-09-23 102400]

"UiSmart"="C:\WINDOWS\system32\mvgbyxmf.exe" [2008-09-28 94208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"lxdjamon"="C:\Program Files\Lexmark 1400 Series\lxdjamon.exe" [2007-03-05 20480]

"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-11-12 185632]

"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-08-30 1235736]

"DVDtoiPodConverter_upgrade"="C:\Program Files\E-Zsoft\DVDtoiPodConverter\DVDtoiPodConverter.exe" [2007-12-06 822272]

"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]

"TrackPointSrv"="tp4mon.exe" [2004-08-04 C:\WINDOWS\system32\tp4mon.exe]

"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 C:\WINDOWS\system32\bthprops.cpl]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 15360]

"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-22 39264]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\Currentversion\policies\explorer\Run]

"G0SPduvbFZ"="C:\Documents and Settings\All Users\Application Data\mnsjwbwt\enkjyzyp.exe" [2008-09-20 69632]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\

Belkin Wireless Utility.lnk - C:\Program Files\Belkin\F5D7011\Belkinwcui.exe [2007-10-12 1572864]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]

"genadmui"= {16824F4F-3B2B-AF53-C6C2-098B56D7403C} - C:\Program Files\gehndkd\genadmui.dll [2008-09-20 106496]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]

"AppInit_DLLs"=avgrsstx.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"C:\\Program Files\\Messenger\\msmsgs.exe"=

"C:\\Program Files\\Lexmark 1400 Series\\lxdjamon.exe"=

"C:\\Program Files\\Lexmark 1400 Series\\App4R.exe"=

"C:\\WINDOWS\\system32\\lxdjcoms.exe"=

"C:\\Program Files\\Kontiki\\KService.exe"=

"C:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"=

"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

R1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-08-30 97928]

R2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-08-30 231704]

R2 lxdjCATSCustConnectService;lxdjCATSCustConnectService;C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\lxdjserv.exe [2007-04-27 99248]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{dc73d8f2-834f-11dd-a233-00d059d8facd}]

\Shell\AutoRun\command - E:\wdsync.exe

.

Contents of the 'Scheduled Tasks' folder

.

- - - - ORPHANS REMOVED - - - -

HKCU-Run-MsnMsgr - C:\Program Files\MSN Messenger\MsnMsgr.Exe

HKLM-Run-lxdjmon.exe - C:\Program Files\Lexmark 1400 Series\lxdjmon.exe

.

------- Supplementary Scan -------

.

O16 -: DirectAnimation Java Classes - file://C:\WINDOWS\Java\classes\dajava.cab

C:\WINDOWS\Downloaded Program Files\DirectAnimation Java Classes.osd

O16 -: Microsoft XML Parser for Java - file://C:\WINDOWS\Java\classes\xmldso.cab

C:\WINDOWS\Downloaded Program Files\Microsoft XML Parser for Java.osd

.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-09-28 09:50:53

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

------------------------ Other Running Processes ------------------------

.

C:\WINDOWS\system32\ibmpmsvc.exe

C:\Program Files\Windows Defender\MsMpEng.exe

C:\Program Files\Kontiki\KService.exe

C:\WINDOWS\system32\spool\drivers\w32x86\3\lxdjserv.exe

C:\WINDOWS\system32\lxdjcoms.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\WINDOWS\system32\wltrysvc.exe

C:\WINDOWS\system32\bcmwltry.exe

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\AVG\AVG8\avgrsx.exe

C:\Program Files\AVG\AVG8\avgrsx.exe

.

**************************************************************************

.

Completion time: 2008-09-28 9:58:46 - machine was rebooted [Christianne]

ComboFix-quarantined-files.txt 2008-09-28 08:58:28

Pre-Run: 20,347,887,616 bytes free

Post-Run: 20,490,129,408 bytes free

187 --- E O F --- 2008-09-26 12:49:38

HijackThis log

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 10:09:38, on 28/09/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16705)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\System32\ibmpmsvc.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Windows Defender\MsMpEng.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

C:\Program Files\Kontiki\KService.exe

C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\lxdjserv.exe

C:\WINDOWS\system32\lxdjcoms.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\WINDOWS\System32\wltrysvc.exe

C:\WINDOWS\System32\bcmwltry.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Documents and Settings\All Users\Application Data\mnsjwbwt\enkjyzyp.exe

C:\WINDOWS\system32\tp4mon.exe

C:\Program Files\Lexmark 1400 Series\lxdjamon.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\WINDOWS\system32\rundll32.exe

C:\PROGRA~1\AVG\AVG8\avgtray.exe

C:\WINDOWS\system32\mvgbyxmf.exe

C:\Program Files\Kontiki\KHost.exe

C:\Program Files\Veoh Networks\Veoh\VeohClient.exe

C:\Program Files\Belkin\F5D7011\Belkinwcui.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\explorer.exe

C:\Program Files\AVG\AVG8\avgrsx.exe

C:\Program Files\AVG\AVG8\avgrsx.exe

C:\Program Files\AVG\AVG8\avgrsx.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll

O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll

O4 - HKLM\..\Run: [TrackPointSrv] tp4mon.exe

O4 - HKLM\..\Run: [lxdjamon] "C:\Program Files\Lexmark 1400 Series\lxdjamon.exe"

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [bluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent

O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe

O4 - HKLM\..\Run: [DVDtoiPodConverter_upgrade] "C:\Program Files\E-Zsoft\DVDtoiPodConverter\DVDtoiPodConverter.exe" /upgrade

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [kdx] C:\Program Files\Kontiki\KHost.exe -all

O4 - HKCU\..\Run: [Veoh] "C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" /VeohHide

O4 - HKCU\..\Run: [infoApp] C:\WINDOWS\system32\nohwvunu.exe

O4 - HKCU\..\Run: [uiSmart] C:\WINDOWS\system32\mvgbyxmf.exe

O4 - HKLM\..\Policies\Explorer\Run: [G0SPduvbFZ] C:\Documents and Settings\All Users\Application Data\mnsjwbwt\enkjyzyp.exe

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')

O4 - Global Startup: Belkin Wireless Utility.lnk = ?

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1192196331961

O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://go.divx.com/plugin/DivXBrowserPlugin.cab

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1192212744927

O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll

O21 - SSODL: genadmui - {16824F4F-3B2B-AF53-C6C2-098B56D7403C} - C:\Program Files\gehndkd\genadmui.dll

O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe

O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe

O23 - Service: lxdjCATSCustConnectService - Lexmark International, Inc. - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\lxdjserv.exe

O23 - Service: lxdj_device - - C:\WINDOWS\system32\lxdjcoms.exe

O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

--

End of file - 5799 bytes

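The following triage script is an added example for readers of this thread, not something posted in it or part of HijackThis. It reads the autostart lines (O4, O20, O21) of the two HijackThis logs above and flags the entries a helper would look at first: the Policies\Explorer\Run key, an executable launched from All Users\Application Data, per-user Run values pointing into system32, and a shell service object (SSODL) loaded from outside system32. It also lists which autostart entries are new between the two logs, which is how the two HKCU Run values added after the first ComboFix run (nohwvunu.exe and mvgbyxmf.exe) stand out. The embedded lines are a subset copied from the two posted logs; the rules, the ctfmon whitelist and the consonant-run name test are this example's own assumptions.

```python
import re
from dataclasses import dataclass

# Subsets of the two HijackThis logs posted in this thread (before and after the first ComboFix run).
LOG_BEFORE = r"""
O4 - HKLM\..\Run: [TrackPointSrv] tp4mon.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKLM\..\Policies\Explorer\Run: [G0SPduvbFZ] C:\Documents and Settings\All Users\Application Data\mnsjwbwt\enkjyzyp.exe
O20 - AppInit_DLLs: avgrsstx.dll
O21 - SSODL: genadmui - {16824F4F-3B2B-AF53-C6C2-098B56D7403C} - C:\Program Files\gehndkd\genadmui.dll
"""
LOG_AFTER = r"""
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [infoApp] C:\WINDOWS\system32\nohwvunu.exe
O4 - HKCU\..\Run: [uiSmart] C:\WINDOWS\system32\mvgbyxmf.exe
O4 - HKLM\..\Policies\Explorer\Run: [G0SPduvbFZ] C:\Documents and Settings\All Users\Application Data\mnsjwbwt\enkjyzyp.exe
O21 - SSODL: genadmui - {16824F4F-3B2B-AF53-C6C2-098B56D7403C} - C:\Program Files\gehndkd\genadmui.dll
"""

O4_RE = re.compile(r'^O4 - (?P<hive>.+?)\\\.\.\\(?P<key>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
O20_RE = re.compile(r'^O20 - AppInit_DLLs: (?P<dlls>.*)$')
O21_RE = re.compile(r'^O21 - SSODL: (?P<name>.+?) - \{[0-9A-Fa-f-]+\} - (?P<path>.*)$')
# First executable or DLL on a command line, quoted or not, ignoring trailing arguments.
EXE_RE = re.compile(r'^"?(?P<path>.+?\.(?:exe|dll|cpl|com|scr))"?(?=\s|$)', re.IGNORECASE)

@dataclass(frozen=True)
class Entry:
    kind: str   # "O4", "O20" or "O21"
    hive: str
    key: str
    name: str   # registry value name (empty for O20)
    path: str   # executable/DLL path, or the raw AppInit_DLLs value

def parse(log_text):
    """Turn the autostart lines of a HijackThis log into Entry records; other lines are ignored."""
    entries = []
    for line in log_text.splitlines():
        line = line.strip()
        if m := O4_RE.match(line):
            exe = EXE_RE.match(m["cmd"])
            entries.append(Entry("O4", m["hive"], m["key"], m["name"], exe["path"] if exe else m["cmd"]))
        elif m := O21_RE.match(line):
            entries.append(Entry("O21", "HKLM", "SSODL", m["name"], m["path"]))
        elif m := O20_RE.match(line):
            entries.append(Entry("O20", "HKLM", "AppInit_DLLs", "", m["dlls"]))
    return entries

def looks_random(token):
    """All-letter name with a run of 5+ consonants (y counted as a vowel). Weak signal: MsnMsgr trips it too."""
    if not token.isalpha():
        return False
    run = best = 0
    for ch in token.lower():
        run = 0 if ch in "aeiouy" else run + 1
        best = max(best, run)
    return best >= 5

def triage(entry):
    """Reasons this entry deserves a closer look; an empty list means nothing was noticed."""
    reasons = []
    p = entry.path.lower()
    parts = entry.path.split("\\")
    stem = parts[-1].rsplit(".", 1)[0]
    parent = parts[-2] if len(parts) > 1 else ""
    if entry.kind == "O4":
        if "policies\\explorer\\run" in entry.key.lower():
            reasons.append("autostart via the Explorer policy Run key, rarely used by legitimate software")
        if "\\application data\\" in p and "\\program files\\" not in p:
            reasons.append("executable runs from a data directory")
        if entry.hive.upper().startswith(("HKCU", "HKUS")) and "\\system32\\" in p \
                and stem.lower() not in {"ctfmon"}:   # assumption: ctfmon is the only expected one here
            reasons.append("per-user autostart pointing into system32")
    elif entry.kind == "O21" and "\\windows\\system32\\" not in p:
        reasons.append("shell service object (SSODL) loaded from outside system32")
    elif entry.kind == "O20" and entry.path.strip():
        reasons.append("AppInit_DLLs injects this DLL into every GUI process: confirm the vendor")
    if entry.kind != "O20" and (looks_random(stem) or looks_random(parent)):
        reasons.append("random-looking file or directory name (weak signal)")
    return reasons

def report(log_text):
    """Map each flagged entry's value name (or the DLL list for O20) to its reasons."""
    return {e.name or e.path: r for e in parse(log_text) if (r := triage(e))}

def new_since(before_text, after_text):
    """Autostart entries present in the later log but absent from the earlier one."""
    before = set(parse(before_text))
    return [e for e in parse(after_text) if e not in before]

if __name__ == "__main__":
    for label, log in (("before ComboFix", LOG_BEFORE), ("after ComboFix", LOG_AFTER)):
        print(label, report(log))
    print("new entries:", [e.name for e in new_since(LOG_BEFORE, LOG_AFTER)])
```

Run it as a script to print the findings for both logs. The name heuristic is reported as a weak signal on purpose: it flags the legitimate MsnMsgr value as well, so the location rules are what should drive a decision. The whitelist also describes this one machine only; on another system every per-user autostart that legitimately lives in system32 would need to be listed, not just ctfmon.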

Chrissie,

I would really like for the recovery console to be installed. While I don't anticipate that we'll need it, there are still a number of infected files present. Would you please try dragging the recovery console file over to ComboFix again? If you're asked to accept any EULAs by Microsoft, please accept them; it's just a license agreement for the recovery console software. Once you've completed that, re-run ComboFix and post the log.

Thanks,

sari


Chrissie,

First, I want to verify that what you're dragging looks like this:

[image: RC1-4.gif]

Second, let's delete your version of Combofix and download a newer one.

Download Combofix from any of the links below, and save it to your desktop. For information regarding this download, please visit this webpage: http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Link 1

Link 2

Link 3

**Note: It is important that it is saved directly to your desktop**

Once it's saved, drag the recovery console to it again, and report back here.

Thanks,

sari


Sari,

Thanks for your extra help and for your patience; I have finally got it working. The report is below:

ComboFix 08-10-07.06 - Christianne 2008-10-08 14:04:05.2 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.235 [GMT 1:00]

Running from: C:\Documents and Settings\Christianne\Desktop\ComboFix.exe

Command switches used :: C:\Documents and Settings\Christianne\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe

* Created a new restore point

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

C:\WINDOWS\system32\TDSSjjsm.dll

C:\WINDOWS\system32\TDSSqujy.dll

.

((((((((((((((((((((((((( Files Created from 2008-09-08 to 2008-10-08 )))))))))))))))))))))))))))))))

.

2008-09-24 16:45 . 2008-09-24 16:45 2,544 --a------ C:\WINDOWS\system32\tmp.reg

2008-09-24 11:37 . 2008-09-24 14:22 <DIR> d-------- C:\WINDOWS\system32\CatRoot_bak

2008-09-22 18:54 . 2008-09-22 18:54 <DIR> d-------- C:\Program Files\CCleaner

2008-09-22 18:21 . 2008-09-22 18:21 <DIR> d-------- C:\Program Files\Trend Micro

2008-09-21 19:28 . 2008-09-24 17:11 <DIR> d-------- C:\Documents and Settings\Christianne\Application Data\Spyzooka

2008-09-21 17:37 . 2008-10-01 13:10 <DIR> d-------- C:\Program Files\SpyZooka

2008-09-21 16:48 . 2008-09-21 16:53 <DIR> d-------- C:\Program Files\Common Files\Adobe

2008-09-20 23:13 . 2008-09-20 23:13 <DIR> d-------- C:\Program Files\gehndkd

2008-09-20 23:13 . 2008-09-29 21:21 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\mnsjwbwt

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-10-08 13:08 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kontiki

2008-09-24 11:24 --------- d-----w C:\Program Files\DivX

2008-09-22 18:01 --------- d-----w C:\Program Files\GIMP-2.0

2008-09-21 15:53 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg8

2008-09-07 15:29 --------- d-----w C:\Program Files\Kontiki

2008-08-30 13:50 97,928 ----a-w C:\WINDOWS\system32\drivers\avgldx86.sys

2008-07-18 21:10 94,920 ----a-w C:\WINDOWS\system32\cdm.dll

2008-07-18 21:10 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe

2008-07-18 21:10 45,768 ----a-w C:\WINDOWS\system32\wups2.dll

2008-07-18 21:10 36,552 ----a-w C:\WINDOWS\system32\wups.dll

2008-07-18 21:09 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll

2008-07-18 21:09 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll

2008-07-18 21:09 205,000 ----a-w C:\WINDOWS\system32\wuweb.dll

2008-07-18 21:09 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll

2008-07-18 21:07 270,880 ----a-w C:\WINDOWS\system32\mucltui.dll

2008-07-18 21:07 210,976 ----a-w C:\WINDOWS\system32\muweb.dll

.

((((((((((((((((((((((((((((( snapshot@2008-09-28_ 9.57.33.34 )))))))))))))))))))))))))))))))))))))))))

.

+ 2008-10-08 11:57:29 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_188.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15360]

"kdx"="C:\Program Files\Kontiki\KHost.exe" [2007-04-23 1032640]

"Veoh"="C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" [2008-04-01 3587120]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"lxdjamon"="C:\Program Files\Lexmark 1400 Series\lxdjamon.exe" [2007-03-05 20480]

"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-11-12 185632]

"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-09-29 1234712]

"DVDtoiPodConverter_upgrade"="C:\Program Files\E-Zsoft\DVDtoiPodConverter\DVDtoiPodConverter.exe" [2007-12-06 822272]

"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]

"TrackPointSrv"="tp4mon.exe" [2004-08-04 C:\WINDOWS\system32\tp4mon.exe]

"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 C:\WINDOWS\system32\bthprops.cpl]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 15360]

"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-22 39264]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\

Belkin Wireless Utility.lnk - C:\Program Files\Belkin\F5D7011\Belkinwcui.exe [2007-10-12 1572864]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]

"genadmui"= {16824F4F-3B2B-AF53-C6C2-098B56D7403C} - C:\Program Files\gehndkd\genadmui.dll [2008-09-20 106496]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]

"AppInit_DLLs"=avgrsstx.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"C:\\Program Files\\Messenger\\msmsgs.exe"=

"C:\\Program Files\\Lexmark 1400 Series\\lxdjamon.exe"=

"C:\\Program Files\\Lexmark 1400 Series\\App4R.exe"=

"C:\\WINDOWS\\system32\\lxdjcoms.exe"=

"C:\\Program Files\\Kontiki\\KService.exe"=

"C:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"=

"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

R1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-08-30 97928]

R2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-08-30 231704]

R2 lxdjCATSCustConnectService;lxdjCATSCustConnectService;C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\lxdjserv.exe [2007-04-27 99248]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{dc73d8f2-834f-11dd-a233-00d059d8facd}]

\Shell\AutoRun\command - E:\wdsync.exe

.

Contents of the 'Scheduled Tasks' folder

2008-10-08 C:\WINDOWS\Tasks\MP Scheduled Scan.job

- C:\Program Files\Windows Defender\MpCmdRun.exe [2006-11-03 19:20]

.

- - - - ORPHANS REMOVED - - - -

HKCU-Run-InfoApp - C:\WINDOWS\system32\nohwvunu.exe

HKCU-Run-UiSmart - C:\WINDOWS\system32\mvgbyxmf.exe

HKCU-Run-ProcSrvWin - C:\WINDOWS\system32\ujwjujen.exe

HKLM-Explorer_Run-G0SPduvbFZ - C:\Documents and Settings\All Users\Application Data\mnsjwbwt\enkjyzyp.exe

.

------- Supplementary Scan -------

.

O16 -: DirectAnimation Java Classes - file://C:\WINDOWS\Java\classes\dajava.cab

C:\WINDOWS\Downloaded Program Files\DirectAnimation Java Classes.osd

O16 -: Microsoft XML Parser for Java - file://C:\WINDOWS\Java\classes\xmldso.cab

C:\WINDOWS\Downloaded Program Files\Microsoft XML Parser for Java.osd

.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-10-08 14:07:52

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

C:\WINDOWS\TEMP\TMP0000004AA325041F5F7E47E1 524288 bytes

scan completed successfully

hidden files: 1

**************************************************************************

.

Completion time: 2008-10-08 14:11:46

ComboFix-quarantined-files.txt 2008-10-08 13:11:22

Pre-Run: 20,240,527,360 bytes free

Post-Run: 20,266,315,776 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

127 --- E O F --- 2008-10-07 16:50:17


Chrissie,

It looks like those runs cleaned up a lot of the issues.

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

O21 - SSODL: genadmui - {16824F4F-3B2B-AF53-C6C2-098B56D7403C} - C:\Program Files\gehndkd\genadmui.dll

Now close all windows other than HiJackThis, then click Fix Checked. Reboot into safe mode.

Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

Please remove these entries from Add/Remove Programs in the Control Panel (if present):

genadmui

Please note any other programs that you don't recognize in that list in your next response.

Please delete these folders using Windows Explorer (if present):

C:\Program Files\gehndkd

After that, Reboot.

Please post a new hijackthis log.

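As an added example (not part of this thread, and not HijackThis's own code), here is a small Python triage script that applies the kind of checks sari made by hand to the autostart lines of an HJT log: it flags entries that start from Application Data or Temp, SSODL DLLs outside system32, and random-looking folder names such as gehndkd, and lists unknown-owner services for review. The sample lines are constructed from entries quoted above; the heuristics are assumptions of this example, not a HijackThis feature.

```python
"""Heuristic triage of HijackThis autostart entries (O4, O20, O21, O23).
Added example, not HijackThis itself: flags entries that start from
user-writable folders, SSODL DLLs outside system32 and random-looking folders."""
import re
from typing import Dict, List, Optional

# Constructed sample, modelled on the entries quoted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [G0SPduvbFZ] C:\Documents and Settings\All Users\Application Data\mnsjwbwt\enkjyzyp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O21 - SSODL: genadmui - {16824F4F-3B2B-AF53-C6C2-098B56D7403C} - C:\Program Files\gehndkd\genadmui.dll
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
"""

AUTOSTART_KINDS = ("O4", "O20", "O21", "O23")
# Drive-letter path ending in a loadable module; non-greedy so " -osboot" style switches stay out.
PATH_RE = re.compile(r"[A-Za-z]:\\.*?\.(?:exe|dll|cpl|sys)\b", re.IGNORECASE)
# User-writable locations nothing legitimate needs to auto-start from (heuristic).
DATA_DIRS = ("\\application data\\", "\\temp\\", "\\local settings\\")


def looks_random(name: str) -> bool:
    """Lowercase, letters only, six or more chars, at most one vowel
    (matches the 'gehndkd' and 'mnsjwbwt' folders seen in the thread)."""
    return bool(re.fullmatch(r"[a-z]{6,}", name)) and sum(c in "aeiou" for c in name) <= 1


def parse_entry(line: str) -> Optional[Dict[str, str]]:
    """Split 'Oxx - rest' into kind, referenced file path and its parent
    folder; returns None for lines that are not autostart entries."""
    m = re.match(r"^(O\d+)\s+-\s+(.*)$", line.strip())
    if not m or m.group(1) not in AUTOSTART_KINDS:
        return None
    kind, rest = m.groups()
    pm = PATH_RE.search(rest)
    path = pm.group(0) if pm else ""
    parts = path.split("\\")
    folder = parts[-2] if len(parts) >= 2 else ""
    return {"kind": kind, "rest": rest, "path": path, "folder": folder}


def verdict(entry: Dict[str, str]) -> Dict[str, str]:
    """Return the entry with a status of 'flag', 'review' or 'ok' and a reason."""
    low = entry["path"].lower()
    reason = ""
    if any(d in low for d in DATA_DIRS):
        reason = "auto-start from user-writable data/temp directory"
    elif entry["kind"] == "O21" and "\\system32\\" not in low:
        reason = "ShellServiceObjectDelayLoad DLL outside system32"
    elif looks_random(entry["folder"]):
        reason = f"random-looking folder name '{entry['folder']}'"
    if reason:
        return {**entry, "status": "flag", "reason": reason}
    if entry["kind"] == "O23" and "Unknown owner" in entry["rest"]:
        return {**entry, "status": "review", "reason": "service with no publisher recorded"}
    return {**entry, "status": "ok", "reason": ""}


def triage(log_text: str) -> List[Dict[str, str]]:
    """Run every autostart line of an HJT log through the heuristics."""
    parsed = (parse_entry(line) for line in log_text.splitlines())
    return [verdict(e) for e in parsed if e]


if __name__ == "__main__":
    for r in triage(SAMPLE_LOG):
        print(f"{r['status']:6} {r['kind']:3} {r['path']}  {r['reason']}")
```

Treat the output as a reading aid only: a "flag" means look closer, and the unknown-owner "review" entries here (ibmpmsvc.exe, wltrysvc.exe) were legitimate on this machine.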

Followed the instructions and here's the HJT log.

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 19:08:35, on 14/10/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16705)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\System32\ibmpmsvc.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Windows Defender\MsMpEng.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

C:\Program Files\Kontiki\KService.exe

C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\lxdjserv.exe

C:\WINDOWS\system32\lxdjcoms.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\WINDOWS\System32\wltrysvc.exe

C:\WINDOWS\System32\bcmwltry.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\system32\tp4mon.exe

C:\PROGRA~1\AVG\AVG8\avgrsx.exe

C:\Program Files\Lexmark 1400 Series\lxdjamon.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\WINDOWS\system32\rundll32.exe

C:\PROGRA~1\AVG\AVG8\avgtray.exe

C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

C:\Program Files\Kontiki\KHost.exe

C:\Program Files\Veoh Networks\Veoh\VeohClient.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Belkin\F5D7011\Belkinwcui.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

C:\WINDOWS\system32\wuauclt.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll

O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll

O4 - HKLM\..\Run: [TrackPointSrv] tp4mon.exe

O4 - HKLM\..\Run: [lxdjamon] "C:\Program Files\Lexmark 1400 Series\lxdjamon.exe"

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [bluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent

O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe

O4 - HKLM\..\Run: [DVDtoiPodConverter_upgrade] "C:\Program Files\E-Zsoft\DVDtoiPodConverter\DVDtoiPodConverter.exe" /upgrade

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [kdx] C:\Program Files\Kontiki\KHost.exe -all

O4 - HKCU\..\Run: [Veoh] "C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" /VeohHide

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')

O4 - Global Startup: Belkin Wireless Utility.lnk = ?

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1192196331961

O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://go.divx.com/plugin/DivXBrowserPlugin.cab

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1192212744927

O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll

O20 - AppInit_DLLs: avgrsstx.dll

O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe

O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe

O23 - Service: lxdjCATSCustConnectService - Lexmark International, Inc. - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\lxdjserv.exe

O23 - Service: lxdj_device - - C:\WINDOWS\system32\lxdjcoms.exe

O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

--

End of file - 5378 bytes


Chrissie,

That looks better - I'm going to have you run an online virus scanner just as a final check.

Please do an online scan with Kaspersky WebScanner

Kaspersky online scanner uses JAVA technology to perform the scan. If you do not have the latest JAVA version, follow the instructions below under Upgrading Java to download and install the latest version.

  1. Read through the requirements and privacy statement and click on Accept button.
  2. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  3. When the downloads have finished, click on Settings.
  4. Make sure the following is checked.
     • Spyware, Adware, Dialers, and other potentially dangerous programs
     • Archives
     • Mail databases
  5. Click on My Computer under Scan.
  6. Once the scan is complete, it will display the results. Click on View Scan Report.
  7. You will see a list of infected items there. Click on Save Report As....
  8. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  9. Please post this log in your next reply.

Upgrading Java:

  • Download the latest version of Java Runtime Environment (JRE) 6 Update 7.
  • Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Select your Platform and check the box that says: "I agree to the Java SE Runtime Environment 6 License Agreement.".
  • Click on Continue.
  • Click on the link to download Windows Offline Installation (jre-6u7-windows-i586-p.exe) and save it to your desktop. Do NOT use the Sun Download Manager.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on the download to install the newest version. (Vista users, right-click on the jre-6u7-windows-i586-p.exe and select "Run as an Administrator.")


Sari,

Here's the Kaspersky WebScanner report:

--------------------------------------------------------------------------------

KASPERSKY ONLINE SCANNER 7 REPORT

Wednesday, October 15, 2008

Operating System: Microsoft Windows XP Home Edition Service Pack 2 (build 2600)

Kaspersky Online Scanner 7 version: 7.0.25.0

Program database last update: Wednesday, October 15, 2008 00:05:37

Records in database: 1312160

--------------------------------------------------------------------------------

Scan settings:

Scan using the following database: extended

Scan archives: yes

Scan mail databases: yes

Scan area - My Computer:

C:\

D:\

Scan statistics:

Files scanned: 44005

Threat name: 3

Infected objects: 4

Suspicious objects: 0

Duration of the scan: 02:37:19

File name / Threat name / Threats count

C:\Documents and Settings\Christianne\Desktop\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f 1

C:\Documents and Settings\Christianne\Desktop\SmitfraudFix.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f 1

C:\Program Files\SpyZooka\spyzooka.exe Infected: not-a-virus:FraudTool.Win32.SpyZooka.a 1

C:\QooBox\Quarantine\C\WINDOWS\system32\TDSSqujy.dll.vir Infected: Rootkit.Win32.Clbd.kf 1

The selected area was scanned.


Chrissie,

That looks good. Just a little clean up, and you should be ready to go.

Follow these steps to uninstall Combofix and tools used in the removal of malware

  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK. Note the space between the X and the U; it needs to be there.
    CF_Cleanup.png

You can also delete the smitfraudfix program we installed at the beginning.

Now let's Reset and Re-enable your System Restore to remove any infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs from changing those files. This is the only way to clean these files: (You will lose all previous restore points, which are likely to be infected, but that's good news).

Turn OFF System Restore.

  • On the Desktop, right-click My Computer.
  • Click Properties.
  • Click the System Restore tab.
  • Check Turn off System Restore.
  • Click Apply, and then click OK.

Restart your computer.

Turn ON System Restore.

  • On the Desktop, right-click My Computer.
  • Click Properties.
  • Click the System Restore tab.
  • UN-Check Turn off System Restore.
  • Click Apply, and then click OK.

System Restore will now be active again.

Another essential is to keep your computer updated with the latest operating system patches and security fixes. Windows Updates are constantly being revised to combat the newest hacks and threats; Microsoft releases security updates that help keep your computer from becoming vulnerable. It is best if you have these set to download automatically.

Automatic Updates for Windows

  • Click Start.
  • Select Settings and then Control Panel.
  • Select Automatic Updates.
  • Click Automatic (recommended)
  • Choose a day and a time when you know the computer will be on and connected to the internet.
  • Click Apply then OK.

In addition to Windows updates, you also need to ensure that your version of Java is the latest. Click here to download the latest version (Java Runtime Environment (JRE) 6 Update 7). Once downloaded, install it and then Reboot your computer.

It is most important that you also uninstall older versions of Java.

  • Click Start, Control Panel, Add/Remove Programs.
  • Delete all Java updates except Java 6 Update 7

The following is a list of tools and utilities that I like to suggest to people. This list is full of great tools and utilities to help you understand how you got infected and how to keep from getting infected again.

  1. Spybot Search & Destroy - Uber powerful tool which can search and annihilate nasties that make it onto your system. Now with an Immunize section that will help prevent future infections.
  2. SpywareBlaster - Great prevention tool to keep nasties from installing on your system.
  3. SpywareGuard - Works as a Spyware "Shield" to protect your computer from getting malware in the first place.
  4. IE-SpyAd - puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
  5. ATF Cleaner - Cleans temporary files from IE and Windows, empties the recycle bin and more. Great tool to help speed up your computer and knock out those nasties that like to reside in the temp folders.
  6. MVPS Hosts file - The MVPS Hosts file replaces your current HOSTS file with one containing well-known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.
  7. Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.
  8. Google Toolbar - Free Google toolbar that allows you to use the powerful Google search engine from the bar, but also blocks pop-up windows.

To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Tony Klein.

sari
