Possible Virus

[freddyb44]

Hey everyone,

I am new here and wanted to know what you though of this.
I am starting to get pop ups on my PC at home, and I can't change my cookie settings. Does it sound like a virus? I just updated my version on NAV and don't know if there may be a setting in there that is keeping my from changing my cookie settings. The older version I had installed, had a setting that prevented me from changing my home page unless I turned the setting off. Just curious if anyone knew of something like that with the current NAV for cookies.

On a side note, NAV has said it has blocked a Trojan.Vundo so I don't know if this may be the cause of my headache. Any help is appreciated.

-Freddie

 

[ceewi1]

Popups are a classic symptom of Vundo, so it's quite likely. Please post a HijackThis log so we have more information:

Please download the HijackThis installer from http://www.trendsecure.com/portal/en-US/threat_analytics/HJTInstall.exe.

Run the installer and choose Install, indicating that you accept the licence agreement. The installer will place a shortcut on your desktop and launch HijackThis.

Click Do a system scan and save a logfile

When the Notepad window opens choose Edit -> Select All to select the entire log, and copy and paste the log into a reply post.
Most of what it lists will be harmless or even essential, don't fix anything yet.

 

[freddyb44]

Hijackthis

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:59:34 PM, on 11/21/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\arservice.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Weather Add-in for Windows Live Toolbar\WeatherDataClient.exe
C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
C:\Program Files\Symantec\LiveUpdate\AUPDATE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=63&bd=PRESARIO&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.7\UIBHO.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O15 - Trusted Zone: http://*.trymedia.com (HKLM)
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

--
End of file - 4797 bytes

 

[AznPride83]

Yeah, get AVG Free.

 

[ceewi1]

Certainly looks like Vundo.

1. Please download this file - Combofix to your desktop
2. Double click ComboFix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply.

Note:
Do not mouseclick ComboFix's window whilst it's running. That may cause it to stall

Once done, please navigate to C:\Program Files\Trend Micro\HijackThis and rename HijackThis.exe to scanner.exe (or anything else that's not HijackThis.exe) and post a new HijackThis log as well.

 

[freddyb44]

Combofix and Hijackthis logs

First off thanks for all your help with this.

ComboFix 07-11-19.3 - Compaq_Administrator 2007-11-22 9:27:40.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.455 [GMT -8:00]
Running from: C:\Documents and Settings\Compaq_Administrator\Desktop\ComboFix.exe
* Created a new restore point
.

Unable to gain System Privileges

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\SecCenter
C:\Program Files\SecCenter\scprot4.exe.bak
C:\WINDOWS\system32\qfovkrbl
C:\WINDOWS\system32\qfovkrbl\bg1.gif
C:\WINDOWS\system32\qfovkrbl\bgtop.gif
C:\WINDOWS\system32\qfovkrbl\bottom1.gif
C:\WINDOWS\system32\qfovkrbl\essentials.gif
C:\WINDOWS\system32\qfovkrbl\icon1.ico
C:\WINDOWS\system32\qfovkrbl\install1.gif
C:\WINDOWS\system32\qfovkrbl\left1.gif
C:\WINDOWS\system32\qfovkrbl\li.gif
C:\WINDOWS\system32\qfovkrbl\logo.gif
C:\WINDOWS\system32\qfovkrbl\main.htm
C:\WINDOWS\system32\qfovkrbl\mainframe.htm
C:\WINDOWS\system32\qfovkrbl\qfovkrbl1.exe
C:\WINDOWS\system32\qfovkrbl\qfovkrbl2.exe
C:\WINDOWS\system32\qfovkrbl\qfovkrbl3.exe
C:\WINDOWS\system32\qfovkrbl\reinstall1.gif
C:\WINDOWS\system32\qfovkrbl\right1.gif
C:\WINDOWS\system32\qfovkrbl\s1.htm
C:\WINDOWS\system32\qfovkrbl\s2.htm
C:\WINDOWS\system32\qfovkrbl\s3.htm
C:\WINDOWS\system32\qfovkrbl\SMTop1.gif
C:\WINDOWS\system32\qfovkrbl\SMTop2.gif
C:\WINDOWS\system32\qfovkrbl\SMTop3.gif
C:\WINDOWS\system32\qfovkrbl\SMTop4.gif
C:\WINDOWS\system32\qfovkrbl\soft1_off.gif
C:\WINDOWS\system32\qfovkrbl\soft1_off_ext.gif
C:\WINDOWS\system32\qfovkrbl\soft1_on.gif
C:\WINDOWS\system32\qfovkrbl\soft1_on_ext.gif
C:\WINDOWS\system32\qfovkrbl\soft2_off.gif
C:\WINDOWS\system32\qfovkrbl\soft2_off_ext.gif
C:\WINDOWS\system32\qfovkrbl\soft2_on.gif
C:\WINDOWS\system32\qfovkrbl\soft2_on_ext.gif
C:\WINDOWS\system32\qfovkrbl\soft3_off.gif
C:\WINDOWS\system32\qfovkrbl\soft3_off_ext.gif
C:\WINDOWS\system32\qfovkrbl\soft3_on.gif
C:\WINDOWS\system32\qfovkrbl\soft3_on_ext.gif
C:\WINDOWS\system32\qfovkrbl\softbottom_off.gif
C:\WINDOWS\system32\qfovkrbl\softbottom_on.gif
C:\WINDOWS\system32\qfovkrbl\softleft_off.gif
C:\WINDOWS\system32\qfovkrbl\softleft_on.gif
C:\WINDOWS\system32\qfovkrbl\top1.gif
C:\WINDOWS\system32\qfovkrbl\top2.gif
C:\WINDOWS\system32\qfovkrbl\turnoff1.gif
C:\WINDOWS\system32\qfovkrbl\turnon1.gif
C:\WINDOWS\system32\qtstv.ini
C:\WINDOWS\system32\qtstv.ini2
C:\WINDOWS\system32\vtstq.dll
D:\Autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\nm


((((((((((((((((((((((((( Files Created from 2007-10-22 to 2007-11-22 )))))))))))))))))))))))))))))))
.

2007-11-21 21:58 <DIR> d-------- C:\VundoFix Backups
2007-11-21 21:32 68,608 --a------ C:\WINDOWS\system32\access.cpl
2007-11-21 21:32 55,296 --a------ C:\WINDOWS\system32\freecell.exe
2007-11-21 21:32 24,006 --a------ C:\WINDOWS\system32\gb2312.uce
2007-11-21 21:05 <DIR> d-------- C:\Program Files\Realtek
2007-11-21 21:05 487,424 --a------ C:\WINDOWS\RtlExUpd.dll
2007-11-21 17:14 7,168 --------- C:\WINDOWS\system32\dllcache\bitsprx4.dll
2007-11-20 19:34 <DIR> d-------- C:\SAV32CLI
2007-11-19 22:24 <DIR> d-------- C:\Program Files\Trend Micro
2007-11-19 22:22 83,085 --a------ C:\WINDOWS\system32\dwvtxswo.dll
2007-11-19 22:18 13,440 --a------ C:\WINDOWS\system32\drivers\PcdrNdisuio.sys
2007-11-18 22:03 <DIR> d-------- C:\Program Files\Zjqruxcm
2007-11-18 22:03 <DIR> d-------- C:\Program Files\rafyfips
2007-11-18 22:03 38,912 --a------ C:\WINDOWS\system32\ursrqrs.dll
2007-11-15 19:10 <DIR> d-------- C:\Program Files\Norton Internet Security
2007-11-15 19:09 60,800 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2007-10-30 19:55 625,032 --a------ C:\WINDOWS\system32\SymNeti.dll
2007-10-30 19:55 242,056 --a------ C:\WINDOWS\system32\SymRedir.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-22 17:22 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2007-11-22 05:57 --------- d-----w C:\Documents and Settings\Compaq_Administrator\Application Data\Uniblue
2007-11-22 05:46 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-11-22 05:05 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-11-20 06:28 --------- d-----w C:\Program Files\QuickTime
2007-11-20 05:56 --------- d-----w C:\Program Files\Dl_cats
2007-11-16 03:28 805 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.INF
2007-11-16 03:28 123,952 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2007-11-16 03:28 10,740 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2007-11-16 03:28 --------- d-----w C:\Program Files\Symantec
2007-11-08 03:54 --------- d-----w C:\Program Files\DISC
2007-10-31 03:55 39,856 ----a-w C:\WINDOWS\system32\drivers\symids.sys
2007-10-31 03:55 37,936 ----a-w C:\WINDOWS\system32\drivers\symndisv.sys
2007-10-31 03:55 35,120 ----a-w C:\WINDOWS\system32\drivers\symndis.sys
2007-10-31 03:55 27,696 ----a-w C:\WINDOWS\system32\drivers\symredrv.sys
2007-10-31 03:55 191,536 ----a-w C:\WINDOWS\system32\drivers\symtdi.sys
2007-10-31 03:55 145,968 ----a-w C:\WINDOWS\system32\drivers\symfw.sys
2007-10-31 03:55 12,848 ----a-w C:\WINDOWS\system32\drivers\symdns.sys
2007-10-31 03:24 12,963 ----a-w C:\WINDOWS\system32\drivers\SymRedir.cat
2007-10-31 03:24 1,358 ----a-w C:\WINDOWS\system32\drivers\SymRedir.inf
2007-10-21 00:02 --------- d-----w C:\Program Files\Java
2007-10-20 06:01 --------- d-----w C:\Program Files\Guitar Pro 5
2007-10-16 05:09 --------- d-----w C:\Documents and Settings\Compaq_Administrator\Application Data\U3
2007-10-10 02:19 --------- d--h--w C:\Documents and Settings\Compaq_Administrator\Application Data\Move Networks
2007-09-29 15:48 --------- d-----w C:\Documents and Settings\All Users\Application Data\WinZip
2007-09-28 05:01 --------- d-----w C:\Program Files\Google
2007-09-27 05:30 --------- d-----w C:\Program Files\Wal-Mart Music Downloads Store
2007-04-06 03:17 296 ----a-w C:\Documents and Settings\Compaq_Administrator\Application Data\wklnhst.dat
2007-02-13 02:40 32 ----a-r C:\Documents and Settings\All Users\hash.dat
2006-02-19 10:28 12,288 ----a-w C:\WINDOWS\Fonts\RandFont.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{08C525F4-2EBD-396D-B12A-005661A8CF95}]
C:\Program Files\Zjqruxcm\fplvpaek.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2C80EAD3-74CD-4700-83A4-AA878CD1C03C}]
2007-11-18 22:03 38912 --a------ C:\WINDOWS\system32\ursrqrs.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{f5e1597e-dc1f-49c8-b76b-97d64b7e3fbd}]
2007-11-22 08:26 79936 --a------ C:\WINDOWS\system32\bkkuocph.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-09 13:00]
"Uniblue RegistryBooster 2"="C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe" []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="RUNDLL32.exe" [2004-08-09 13:00 C:\WINDOWS\system32\rundll32.exe]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-06-04 18:05]
"{0228e555-4f9c-4e35-a3ec-b109a192b4c2}"="C:\Program Files\Google\Gmail Notifier\gnotify.exe" [2005-07-15 13:48]
"KBD"="C:\HP\KBD\KBD.EXE" [2005-02-02 16:44]
"RTHDCPL"="RTHDCPL.EXE" [2006-03-08 05:54 C:\WINDOWS\RTHDCPL.EXE]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[hklm\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{2C80EAD3-74CD-4700-83A4-AA878CD1C03C}"= C:\WINDOWS\system32\ursrqrs.dll [2007-11-18 22:03 38912]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ursrqrs]
ursrqrs.dll 2007-11-18 22:03 38912 C:\WINDOWS\system32\ursrqrs.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winwsa32]
winwsa32.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\vtstq.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=C:\WINDOWS\pss\Kodak EasyShare software.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlwaysReady Power Message APP]
ARPWRMSG.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BluetoothAuthenticationAgent]
rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2004-08-09 13:00 15360 --a------ C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DISCover]
2006-03-15 18:12 1077248 --a------ C:\Program Files\DISC\DISCover.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DiscUpdateManager]
2006-03-15 18:11 61440 --a------ C:\Program Files\DISC\DiscUpdMgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
2005-09-29 13:01 67584 --a------ C:\WINDOWS\ehome\ehtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KBD]
2005-02-02 16:44 61440 --a------ C:\HP\KBD\KBD.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechSoftwareUpdate]
C:\Program Files\Logitech\Video\ManifestEngine.exe boot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LVCOMSX]
2005-07-19 16:32 221184 --a------ C:\WINDOWS\system32\LVCOMSX.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
nwiz.exe /install

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCDrProfiler]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\qttask.exe -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
2005-07-22 14:14 237568 --a------ C:\WINDOWS\SMINST\RECGUARD.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
RTHDCPL.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ultimate Defender]
C:\Program Files\Ultimate Defender\UltimateDefender.exe hide

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\wfshalml]
rundll32.exe C:\Program Files\rafyfips\natqnodk.dll,Init

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\yfudmjyz]
regsvr32 /u C:\Documents and Settings\All Users\Application Data\yfudmjyz.dll

S3 PCD5SRVC{8A863ACB-F5F6CC6A-05010003};PCD5SRVC{8A863ACB-F5F6CC6A-05010003} - PCDR Kernel Mode Service Helper Driver;\??\C:\PROGRA~1\PC-DOC~1\PCD5SRVC.pkms
S4 dlcd_device;dlcd_device;C:\WINDOWS\system32\dlcdcoms.exe -service

*Newly Created Service* - COMHOST
.
Contents of the 'Scheduled Tasks' folder
"2007-11-20 04:38:26 C:\WINDOWS\Tasks\Norton Internet Security - Run Full System Scan - Compaq_Administrator.job"
- C:\Program Files\Norton Internet Security\Norton AntiVirus\Navw32.exe
.
**************************************************************************

catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-22 09:46:16
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-22 9:48:41 - machine was rebooted
.
--- E O F ---





Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:02:03 AM, on 11/22/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\arservice.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Weather Add-in for Windows Live Toolbar\WeatherDataClient.exe
C:\Program Files\Trend Micro\HijackThis\scanner.exe.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=63&bd=PRESARIO&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {08C525F4-2EBD-396D-B12A-005661A8CF95} - C:\Program Files\Zjqruxcm\fplvpaek.dll (file missing)
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.7\NppBho.dll
O2 - BHO: (no name) - {206E52E0-D52E-11D4-AD54-0000E86C26F6} - C:\PROGRA~1\FRESHD~1\FRESHD~1\fdcatch.dll (file missing)
O2 - BHO: (no name) - {2C80EAD3-74CD-4700-83A4-AA878CD1C03C} - C:\WINDOWS\system32\ursrqrs.dll
O2 - BHO: (no name) - {2CB7C776-05F0-46F2-A377-B61E9664020E} - C:\WINDOWS\system32\jkhff.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: HpWebHelper - {AAAE832A-5FFF-4661-9C8F-369692D1DCB9} - C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\webhelper.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: {dbf3e7b4-6d79-b67b-8c94-f1cde7951e5f} - {f5e1597e-dc1f-49c8-b76b-97d64b7e3fbd} - C:\WINDOWS\system32\bkkuocph.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.7\UIBHO.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O15 - Trusted Zone: http://*.trymedia.com (HKLM)
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection.cab
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
O20 - Winlogon Notify: ursrqrs - C:\WINDOWS\SYSTEM32\ursrqrs.dll
O20 - Winlogon Notify: winwsa32 - winwsa32.dll (file missing)
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

--
End of file - 7008 bytes

 

[Buzz1927]

• Open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:
  
  

  File::
  C:\WINDOWS\system32\dwvtxswo.dll
  C:\WINDOWS\system32\ursrqrs.dll
  C:\WINDOWS\system32\bkkuocph.dll
  C:\Documents and Settings\All Users\Application Data\yfudmjyz.dll
  C:\WINDOWS\system32\jkhff.dll
  
  Folder::
  C:\Program Files\Zjqruxcm
  C:\Program Files\Ultimate Defender
  C:\Program Files\rafyfips
  
  Registry::
  [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{08C525F4-2EBD-396D-B12A-005661A8CF95}]
  [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2C80EAD3-74CD-4700-83A4-AA878CD1C03C}]
  [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{f5e1597e-dc1f-49c8-b76b-97d64b7e3fbd}]
  [hklm\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
  "{2C80EAD3-74CD-4700-83A4-AA878CD1C03C}"=-
  [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ursrqrs]
  [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winwsa32]
  [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
  "Authentication Packages"=-
  [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ultimate Defender]
  [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\wfshalml]
  [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\yfudmjyz]

• Save this as CFScript.txt and change the Save as type to All Files and place it on your desktop.
  
  
  
  
  
  
  
  
• Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
• ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
• When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply, along with a new HijackThis log.

CAUTION:
Do NOT mouse-click ComboFix's window while it is running. That may cause it to stall.
Also, please do NOT adjust your time format while ComboFix is running.

Once done, please download SmitfraudFix (by S!Ri)
Extract the content (a folder named SmitfraudFix) to your Desktop.

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press Enter; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a RiskTool; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between good and malicious use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm

Please post:

• The ComboFix log
• The Smitfraudfix log
• A new HijackThis log

 

[freddyb44]

Update

I just wanted to give you an update on the status of this.
I did exactly as you stated in the post before mine and well after it did it's thing, nothing on my PC worked. I couldn't open up IE7, I couldn't copy and paste anything and thus not able to back anything up so because of the virus I lost everything. I had all my pics backed up somewhere, so that's really all that matters, but I ended up reformated the HD, so I am good now, just starting from scratch. Thanks for all your help.