Tech Support Forum

High CPU usage: Win32/TrojanDownloader.Small.EQN and Win32/TrojanDownloader.Small.NRS

2K views 13 replies 2 participants last post by TheBruce1
#1 ·
I saw these in my NOD32 AV Threat log. The ones I saw at first were the 8/30/2007 ones. I thought the infection had been contained and eliminated, but then I later received the 8/31/2007 ones and saw that ZoneAlarm was asking me for authorization for a lot of programs it should have had authorized before, such as both my Seamonkey and IE web browsers; even NOD was asking for permission to connect. I denied all but didn't tick the always remember option so I'd see when it would ask again. I tried to run the NOD standalone scanner on my system and it said "NOD32 Checking CRC of NOD32.EXE: file is corrupted, possibly due to infection." Now I was getting VERY nervous. I hadn't downloaded anything recently, I mainly use the system to check emails and play an online game. So I confronted my friend that had been over earlier and he said that he had downloaded a file via bittorrent and the AV windows had popped up, but since it said quarantined/deleted he thought nothing of it and kept on going.

After some Google searches I came across this forum and I'm hoping I can find some help here. I've downloaded DSS.exe already as well as done the PandaAV scan, but NEITHER can finish its scanning, they crash towards the end and I receive no logs :(. However DSS did download HijackThis and I ran it and did get a successful log there. I did find one line in particular that caught my attention due to the fact that it had such a weird name.

O20 - Winlogon Notify: ljjifgg - C:\WINDOWS\SYSTEM32\ljjifgg.dll


I believe that is one of the culprits and I'm hoping to find a way to get my system up and running again. I'll attach the HijackThis log. Please let me know if I should just add that file as a post since it seems rather small and I've seen other posts with the HijackThis logfile fully posted.

I also notice that the CPU usage of the nod32krn.exe process shoots WAY up to 97% or so a lot of the time and am worried that it is infecting other .exe's. I also found the files my friend had downloaded and can zip those up and provide them if they need to be dissected.

All help would be greatly appreciated.



Time Module Object Name Threat Action User Information

8/31/2007 01:02:50 AMON file C:\TEMP\VRR632.tmp probably a variant of Win32/TrojanDownloader.Small.EQN trojan quarantined - deleted NT AUTHORITY\SYSTEM Event occurred on a file modified by the application: \??\C:\WINDOWS\system32\winlogon.exe. The file was moved to quarantine. You may close this window.

8/31/2007 01:02:49 AMON file C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\05NYGZBT\dl[1].exe probably a variant of Win32/TrojanDownloader.Small.EQN trojan quarantined - deleted NT AUTHORITY\SYSTEM Event occurred on a new file created by the application: \??\C:\WINDOWS\system32\winlogon.exe. The file was moved to quarantine. You may close this window.

8/31/2007 01:02:48 AMON file C:\TEMP\VRR631.tmp a variant of Win32/TrojanDownloader.Small.NRS trojan quarantined - deleted NT AUTHORITY\SYSTEM Event occurred on a file modified by the application: \??\C:\WINDOWS\system32\winlogon.exe. The file was moved to quarantine. You may close this window.

8/31/2007 01:02:44 AMON file C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\I1C76VNC\adv735[1].exe a variant of Win32/TrojanDownloader.Small.NRS trojan quarantined - deleted NT AUTHORITY\SYSTEM Event occurred on a new file created by the application: \??\C:\WINDOWS\system32\winlogon.exe. The file was moved to quarantine. You may close this window.

8/30/2007 23:54:00 AMON file C:\TEMP\VRR3.tmp probably a variant of Win32/TrojanDownloader.Small.EQN trojan quarantined - deleted NT AUTHORITY\SYSTEM Event occurred on a file modified by the application: \??\C:\WINDOWS\system32\winlogon.exe. The file was moved to quarantine. You may close this window.

8/30/2007 23:54:00 AMON file C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\5W55GNJ4\dl[1].exe probably a variant of Win32/TrojanDownloader.Small.EQN trojan quarantined - deleted NT AUTHORITY\SYSTEM Event occurred on a new file created by the application: \??\C:\WINDOWS\system32\winlogon.exe. The file was moved to quarantine. You may close this window.

8/30/2007 23:53:58 AMON file C:\TEMP\VRR2.tmp a variant of Win32/TrojanDownloader.Small.NRS trojan quarantined - deleted NT AUTHORITY\SYSTEM Event occurred on a file modified by the application: \??\C:\WINDOWS\system32\winlogon.exe. The file was moved to quarantine. You may close this window.

8/30/2007 23:53:58 AMON file C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\05NYGZBT\adv735[1].exe a variant of Win32/TrojanDownloader.Small.NRS trojan quarantined - deleted NT AUTHORITY\SYSTEM Event occurred on a new file created by the application: \??\C:\WINDOWS\system32\winlogon.exe. The file was moved to quarantine. You may close this window.

8/30/2007 23:42:55 AMON file C:\TEMP\VRR2.tmp probably a variant of Win32/TrojanDownloader.Small.EQN trojan quarantined - deleted NT AUTHORITY\SYSTEM Event occurred on a file modified by the application: \??\C:\WINDOWS\system32\winlogon.exe. The file was moved to quarantine. You may close this window.

8/30/2007 23:42:52 AMON file C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\I1C76VNC\dl[1].exe probably a variant of Win32/TrojanDownloader.Small.EQN trojan quarantined - deleted NT AUTHORITY\SYSTEM Event occurred on a new file created by the application: \??\C:\WINDOWS\system32\winlogon.exe. The file was moved to quarantine. You may close this window.

8/30/2007 23:42:45 AMON file C:\TEMP\VRR1.tmp a variant of Win32/TrojanDownloader.Small.NRS trojan quarantined - deleted NT AUTHORITY\SYSTEM Event occurred on a file modified by the application: \??\C:\WINDOWS\system32\winlogon.exe. The file was moved to quarantine. You may close this window.

8/30/2007 23:42:44 AMON file C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\5W55GNJ4\adv735[1].exe a variant of Win32/TrojanDownloader.Small.NRS trojan quarantined - deleted NT AUTHORITY\SYSTEM Event occurred on a new file created by the application: \??\C:\WINDOWS\system32\winlogon.exe. The file was moved to quarantine. You may close this window.

8/30/2007 21:33:00 AMON file C:\TEMP\VRR1E40.tmp probably a variant of Win32/TrojanDownloader.Small.EQN trojan quarantined - deleted NT AUTHORITY\SYSTEM Event occurred on a file modified by the application: \??\C:\WINDOWS\system32\winlogon.exe. The file was moved to quarantine. You may close this window.

8/30/2007 21:32:58 AMON file C:\Documents and Settings\Enrique\Local Settings\Temporary Internet Files\Content.IE5\R411JK6D\dl[1].exe probably a variant of Win32/TrojanDownloader.Small.EQN trojan quarantined - deleted NT AUTHORITY\SYSTEM Event occurred on a new file created by the application: \??\C:\WINDOWS\system32\winlogon.exe. The file was moved to quarantine. You may close this window.

8/30/2007 21:32:55 AMON file C:\TEMP\VRR1E3F.tmp a variant of Win32/TrojanDownloader.Small.NRS trojan quarantined - deleted NT AUTHORITY\SYSTEM Event occurred on a file modified by the application: \??\C:\WINDOWS\system32\winlogon.exe. The file was moved to quarantine. You may close this window.

8/30/2007 21:32:51 AMON file C:\Documents and Settings\Enrique\Local Settings\Temporary Internet Files\Content.IE5\WLFQ23D9\adv735[1].exe a variant of Win32/TrojanDownloader.Small.NRS trojan quarantined - deleted NT AUTHORITY\SYSTEM Event occurred on a new file created by the application: \??\C:\WINDOWS\system32\winlogon.exe. The file was moved to quarantine. You may close this window.

8/30/2007 21:32:40 AMON file C:\TEMP_E\GUQF296\wr.exe probably a variant of Win32/TrojanDownloader.Small.EQN trojan quarantined - deleted Event occurred on a new file created by the application: C:\TEMP_E\GUQF296\subst.exe. The file was moved to quarantine. You may close this window.
 

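As an added example (not part of the original post and not NOD32's own tooling), the script below parses AMON log lines of the shape posted above and draws out what the log says about the cause: the "application" field names the process that wrote the quarantined file. Here that process is winlogon.exe, and the files land in the SYSTEM profile's Temporary Internet Files cache, so the downloader is running inside winlogon.exe itself. A DLL registered under Winlogon Notify is loaded into winlogon.exe, which fits the O20 entry quoted above; each quarantine therefore removes only a payload, and the same names (dl[1].exe, adv735[1].exe) keep coming back. The sample lines are copied from the log in the post; the regular expression, the list of core system processes and the heuristics are this example's own assumptions.

```python
"""Triage for NOD32 AMON threat-log lines of the shape posted above.

Added example: the sample lines are copied from the post, but the parser and the
heuristics are this example's own, not NOD32's and not the forum's.
"""
import re
from collections import Counter
from datetime import datetime

# Constructed sample: five lines taken from the NOD32 log in the post (four
# written by winlogon.exe, one by subst.exe); the line shape is what AMON emits.
SAMPLE_LOG = r"""
8/31/2007 01:02:49 AMON file C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\05NYGZBT\dl[1].exe probably a variant of Win32/TrojanDownloader.Small.EQN trojan quarantined - deleted NT AUTHORITY\SYSTEM Event occurred on a new file created by the application: \??\C:\WINDOWS\system32\winlogon.exe. The file was moved to quarantine. You may close this window.
8/31/2007 01:02:48 AMON file C:\TEMP\VRR631.tmp a variant of Win32/TrojanDownloader.Small.NRS trojan quarantined - deleted NT AUTHORITY\SYSTEM Event occurred on a file modified by the application: \??\C:\WINDOWS\system32\winlogon.exe. The file was moved to quarantine. You may close this window.
8/31/2007 01:02:44 AMON file C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\I1C76VNC\adv735[1].exe a variant of Win32/TrojanDownloader.Small.NRS trojan quarantined - deleted NT AUTHORITY\SYSTEM Event occurred on a new file created by the application: \??\C:\WINDOWS\system32\winlogon.exe. The file was moved to quarantine. You may close this window.
8/30/2007 23:54:00 AMON file C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\5W55GNJ4\dl[1].exe probably a variant of Win32/TrojanDownloader.Small.EQN trojan quarantined - deleted NT AUTHORITY\SYSTEM Event occurred on a new file created by the application: \??\C:\WINDOWS\system32\winlogon.exe. The file was moved to quarantine. You may close this window.
8/30/2007 21:32:40 AMON file C:\TEMP_E\GUQF296\wr.exe probably a variant of Win32/TrojanDownloader.Small.EQN trojan quarantined - deleted Event occurred on a new file created by the application: C:\TEMP_E\GUQF296\subst.exe. The file was moved to quarantine. You may close this window.
"""

# Assumed line shape (derived from the posted lines, not from NOD32 documentation).
LINE_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) AMON file (?P<path>.+?) "
    r"(?P<verdict>(?:probably )?a variant of (?P<family>\S+) trojan) "
    r"(?P<action>quarantined(?: - deleted)?) "
    r"(?:(?P<user>.+?) )?Event occurred on a (?P<event>new file created|file modified) "
    r"by the application: (?P<parent>.+?)\. The file was moved"
)

# Core Windows processes that have no business downloading executables (assumption).
SYSTEM_PROCESSES = {"winlogon.exe", "services.exe", "lsass.exe", "smss.exe", "csrss.exe"}


def parse_line(line):
    """Parse one AMON line into a dict, or return None for lines of another shape."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    # AMON reports the writer as an NT path (\??\C:\...); strip the prefix for display.
    if rec["parent"].startswith("\\??\\"):
        rec["parent"] = rec["parent"][4:]
    rec["parent_name"] = rec["parent"].rsplit("\\", 1)[-1].lower()
    rec["file_name"] = rec["path"].rsplit("\\", 1)[-1].lower()
    rec["when"] = datetime.strptime(f"{rec['date']} {rec['time']}", "%m/%d/%Y %H:%M:%S")
    return rec


def in_browser_cache(path):
    # Content.IE5 under "Temporary Internet Files" is the WinINet download cache:
    # an executable landing there was fetched over HTTP by the writing process.
    return "\\temporary internet files\\" in path.lower()


def triage(log_text):
    """Summarise who wrote the quarantined files and flag the tell-tale patterns."""
    records = [r for r in map(parse_line, log_text.splitlines()) if r]
    by_parent = Counter(r["parent_name"] for r in records)
    findings = []
    for r in records:
        # A core system process fetching a new executable into the IE cache means
        # the downloader code runs inside that process (e.g. a DLL loaded into
        # winlogon.exe), so quarantining the payload does not remove the cause.
        if (r["parent_name"] in SYSTEM_PROCESSES
                and r["event"] == "new file created"
                and in_browser_cache(r["path"])):
            findings.append((r["when"].isoformat(), r["parent_name"], r["file_name"]))
    # The same payload name reappearing at later timestamps is a re-download loop:
    # the on-access scanner keeps catching the payload while the fetcher stays alive.
    seen = Counter(r["file_name"] for r in records)
    repeated = sorted(name for name, n in seen.items() if n > 1)
    return {
        "records": len(records),
        "by_parent": dict(by_parent),
        "findings": findings,
        "repeated_payloads": repeated,
    }


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print(f"{result['records']} events; writers: {result['by_parent']}")
    for when, parent, name in result["findings"]:
        print(f"  {when}: {parent} downloaded {name}")
    print("re-downloaded payloads:", result["repeated_payloads"])
```

Run against the five sample lines it reports winlogon.exe as the writer of four of them, three of those being fresh executables in the browser cache, and dl[1].exe as a payload that came back after being quarantined. The one line written by subst.exe (the friend's download) is the original entry point; everything after it is the resident component re-fetching.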
#2 ·
I've tried DSS and Panda again, Panda quits out of IE completely near the middle after finding 2 infections and several files, DSS crashes towards the end. I'll try running it again and see if I find at what point this occurs. There are no log files in the Deckard directory. However Kaspersky's online scanner seems to work. I've looked in the self-help thread stickied on this forum, but VundoFix finds no files to remove. Also I am not getting any popups that this virus/trojan is supposed to have. Should I not use this system until I hear of a fix? I feel that the infected files list will only get worse the longer it runs. In ZoneAlarm the file size of iexplore.exe is 621k, while on a friend's system it's 610k. While both systems have the same patches applied from MS, one has a hyperthreading CPU, so I don't know if MS installs different versions for multi-CPU hardware.

Friday, August 31, 2007 17:16:16
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.93.0
Kaspersky Anti-Virus database last update: 1/09/2007
Kaspersky Anti-Virus database records: 401550
Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true
Scan Target Memory
Scan Statistics
Total number of scanned objects 1593
Number of viruses found 2
Number of infected objects 14
Number of suspicious objects 0
Duration of the scan process 00:01:01

Infected Object Name Virus Name Last Action
[676] winlogon.exe => C:\WINDOWS\system32\ljjifgg.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
[1412] spoolsv.exe => C:\WINDOWS\system32\spoolsv.exe Infected: Virus.Win32.Virut.l skipped
[1520] CachemanXP.exe => C:\PROGRA~1\CACHEM~1\CachemanXP.exe Infected: Virus.Win32.Virut.l skipped
[1552] DkService.exe => C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe Infected: Virus.Win32.Virut.l skipped
[1724] nTuneService.exe => C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe Infected: Virus.Win32.Virut.l skipped
[364] alg.exe => C:\WINDOWS\System32\alg.exe Infected: Virus.Win32.Virut.l skipped
[368] explorer.exe => C:\WINDOWS\system32\ljjifgg.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
[2172] LifeChat.exe => C:\WINDOWS\system32\ljjifgg.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
[2208] Windows Uptime.exe => C:\Program Files\Windows Uptime\Windows Uptime.exe Infected: Virus.Win32.Virut.l skipped
[2604] taskmgr.exe => C:\WINDOWS\system32\taskmgr.exe Infected: Virus.Win32.Virut.l skipped
[2596] explorer.exe => C:\WINDOWS\system32\ljjifgg.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
[2800] wscntfy.exe => C:\WINDOWS\system32\wscntfy.exe Infected: Virus.Win32.Virut.l skipped
[3236] iexplore.exe => C:\Program Files\Internet Explorer\iexplore.exe Infected: Virus.Win32.Virut.l skipped
[3236] iexplore.exe => C:\WINDOWS\system32\ljjifgg.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
Scan process completed.
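As an added example, not part of the post and not Kaspersky's code: the report above lists the same ljjifgg.dll under five different processes, and the same Virus.Win32.Virut.l verdict on nine different programs' own executables. Those are two different situations, and the script below separates them by grouping the Infected Object lines by verdict. One file showing up inside many processes is a module loaded into each of them; one verdict on many distinct host executables (spoolsv.exe, alg.exe, taskmgr.exe and others among them) is a file infector, which is also consistent with iexplore.exe being larger than on the clean machine. The sample is copied from the report; the parser and the classification rules are this example's own assumptions.

```python
"""Group Kaspersky Online Scanner process-scan results by verdict to tell an
injected module apart from a file infector.

Added example: the sample lines are copied from the scan report in the post;
the parsing and the classification rules are this example's own, not Kaspersky's.
"""
import re
from collections import defaultdict

# Constructed sample: the 14 "Infected Object" lines from the report above.
SAMPLE_SCAN = r"""
[676] winlogon.exe => C:\WINDOWS\system32\ljjifgg.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
[1412] spoolsv.exe => C:\WINDOWS\system32\spoolsv.exe Infected: Virus.Win32.Virut.l skipped
[1520] CachemanXP.exe => C:\PROGRA~1\CACHEM~1\CachemanXP.exe Infected: Virus.Win32.Virut.l skipped
[1552] DkService.exe => C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe Infected: Virus.Win32.Virut.l skipped
[1724] nTuneService.exe => C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe Infected: Virus.Win32.Virut.l skipped
[364] alg.exe => C:\WINDOWS\System32\alg.exe Infected: Virus.Win32.Virut.l skipped
[368] explorer.exe => C:\WINDOWS\system32\ljjifgg.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
[2172] LifeChat.exe => C:\WINDOWS\system32\ljjifgg.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
[2208] Windows Uptime.exe => C:\Program Files\Windows Uptime\Windows Uptime.exe Infected: Virus.Win32.Virut.l skipped
[2604] taskmgr.exe => C:\WINDOWS\system32\taskmgr.exe Infected: Virus.Win32.Virut.l skipped
[2596] explorer.exe => C:\WINDOWS\system32\ljjifgg.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
[2800] wscntfy.exe => C:\WINDOWS\system32\wscntfy.exe Infected: Virus.Win32.Virut.l skipped
[3236] iexplore.exe => C:\Program Files\Internet Explorer\iexplore.exe Infected: Virus.Win32.Virut.l skipped
[3236] iexplore.exe => C:\WINDOWS\system32\ljjifgg.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
"""

# Assumed line shape: "[pid] process => path Infected: verdict action".
LINE_RE = re.compile(
    r"^\[(?P<pid>\d+)\] (?P<process>.+?) => (?P<path>.+?) "
    r"Infected: (?P<verdict>\S+) (?P<action>\S+)$"
)


def parse_line(line):
    """Parse one Infected Object line, or return None for any other report line."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(scan_text):
    """Return {verdict: {"distinct_files", "processes", "self_image", "pattern"}}."""
    groups = defaultdict(lambda: {"files": set(), "pids": set(), "self_image": 0, "hits": 0})
    for rec in filter(None, map(parse_line, scan_text.splitlines())):
        g = groups[rec["verdict"]]
        g["hits"] += 1
        g["files"].add(rec["path"].lower())
        g["pids"].add(int(rec["pid"]))
        # The flagged object is the process's own executable image, not a module it loaded.
        if rec["path"].rsplit("\\", 1)[-1].lower() == rec["process"].lower():
            g["self_image"] += 1
    summary = {}
    for verdict, g in groups.items():
        n_files, n_procs = len(g["files"]), len(g["pids"])
        if n_files == 1 and n_procs > 1:
            # One DLL present in several unrelated processes: a module loaded
            # into each of them (a Winlogon Notify or BHO registration does this).
            pattern = "injected-module"
        elif n_files > 1 and g["self_image"] == g["hits"]:
            # Every hit is a different program's own .exe: a file infector has
            # written itself into host executables. Each host has to be
            # disinfected or restored from clean media; deleting them would
            # remove legitimate system binaries such as spoolsv.exe and taskmgr.exe.
            pattern = "file-infector"
        else:
            pattern = "other"
        summary[verdict] = {"distinct_files": n_files, "processes": n_procs,
                            "self_image": g["self_image"], "pattern": pattern}
    return summary


if __name__ == "__main__":
    for verdict, info in classify(SAMPLE_SCAN).items():
        print(f"{verdict}: {info['pattern']} ({info['distinct_files']} file(s) "
              f"in {info['processes']} process(es))")
```

The distinction matters for what "fixed" means: a loaded module is gone once its registration is removed and the file deleted, whereas a file infector leaves every flagged host executable modified, and a scanner that only quarantines or deletes would take system binaries with it.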
 
#4 ·
Hello and welcome to TSF.

Please follow all instructions in the order they come; if you have any questions, please ask before proceeding.

---------------------------------------------------------------

It's important that you follow this through until I give you the all clear. A lack of symptoms does not mean the infection is gone; it's in your best interest that you follow this through to the end.

===============================================

Download this file - http://download.bleepingcomputer.com/sUBs/Beta/ComboFix.exe

* IMPORTANT !!! Place combofix.exe on your Desktop

Go to Start → Run → paste in the single line command & click OK
"%userprofile%\desktop\combofix.exe" /killall
When finished, it shall produce a log for you.

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

=============================================

Download Deckard's System Scanner (DSS) to your Desktop. Note: You must be logged onto an account with administrator privileges.
  1. Close all applications and windows.
  2. Double-click on dss.exe to run it, and follow the prompts.
  3. When the scan is complete, two text files will open - main.txt <- this one will be maximized and extra.txt <- this one will be minimized
  4. Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of main.txt here.
  5. Please attach extra.txt to your post.
To attach a file to a new post, simply
  1. Click the [Manage Attachments] button under Additional Options > Attach Files on the post composition page, and
  2. copy and paste the following into the "Upload File from your Computer" box:
    C:\Deckard\System Scanner\extra.txt
  3. Click Upload.
What DSS will do:
  • create a new System Restore point in Windows XP and Vista.
  • clean your Temporary Files, Downloaded Program Files, and Internet Cache Files, and also empty the Recycle Bin on all drives.
  • check some important areas of your system and produce a report for your analyst to review. DSS automatically runs HijackThis for you, but it will also install and place a shortcut to HijackThis on your desktop if you do not already have HijackThis installed.

====================================================
Logs Required
C:\Combofix.txt
C:\Deckard\System Scanner\main.txt
C:\Deckard\System Scanner\extra.txt <----- Attached


Note: Only attach logs when you have been instructed to do so, thanks.

Let us know how your system is running.
 
#5 ·
OK, I ran into several problems, some I was able to get around. I was not able to get a Combofix.txt from running

"%userprofile%\desktop\combofix.exe" /killall

as you had said. Deckard's System Scanner was not able to run on the default account I use; even though it has Administrator rights, it crashes at or right after the window says Examining Event Logs. Windows gives the box that says "dss.exe has encountered a problem and needs to close." However I logged off and used another account with Administrator rights and was able to get DSS to work, but combofix didn't create a log either.


Deckard's System Scanner v20070826.66
Run by Modesto on 2007-09-04 16:30:07
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------



-- Last 2 Restore Point(s) --
2: 2007-09-04 20:21:19 UTC - RP2 - Deckard's System Scanner Restore Point
1: 2007-09-04 20:19:57 UTC - RP1 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.

System Drive C: has 2.22 GiB (less than 15%) free.


-- HijackThis (run as Modesto.exe) ---------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:31:22 PM, on 9/4/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\WINDOWS\CTHELPER.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\Program Files\Microsoft LifeChat\LifeChat.exe
C:\Program Files\Common Files\Ahead\Lib\NMFirstStart.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\PROGRA~1\Jetico\BESTCR~1\BCResident.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Documents and Settings\Modesto\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Modesto.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {A3624CF3-54E1-4FD0-88EF-F9BDF3979F3A} - C:\WINDOWS\system32\ljjifgg.dll
O2 - BHO: gFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\PROGRA~1\FlashGet\getflash.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [BCWipeTM Startup] "C:\Program Files\Jetico\BestCrypt\BCWipeTM.exe" startup
O4 - HKLM\..\Run: [IntelliPoint] "c:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [itype] "c:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [LifeChat] "C:\Program Files\Microsoft LifeChat\LifeChat.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKCU\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear
O4 - HKUS\S-1-5-21-839522115-1637723038-725345543-1003\..\Run: [WindowsUptime] "C:\Program Files\Windows Uptime\Windows Uptime.exe" /i (User 'Enrique')
O4 - HKUS\S-1-5-21-839522115-1637723038-725345543-1003\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Enrique')
O4 - HKUS\S-1-5-21-839522115-1637723038-725345543-1003\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear (User 'Enrique')
O4 - HKUS\S-1-5-21-839522115-1637723038-725345543-1003\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033 (User 'Enrique')
O4 - HKUS\S-1-5-21-839522115-1637723038-725345543-1003\..\Run: [G-Zapper] C:\Program Files\G-Zapper\GZapper 2.0.EXE (User 'Enrique')
O4 - Global Startup: BestCrypt Auto Open.lnk = C:\Program Files\Jetico\BestCrypt\BestCrypt.exe
O4 - Global Startup: distributed.net client.lnk = C:\Program Files\distributed.net\dnetc.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase8300.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/wuweb_site.cab?1182739290328
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1182739281187
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - AppInit_DLLs: hplun.dll
O20 - Winlogon Notify: ljjifgg - C:\WINDOWS\SYSTEM32\ljjifgg.dll
O23 - Service: CachemanXP (CachemanXPService) - Outertech - C:\PROGRA~1\CACHEM~1\CachemanXP.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 8006 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R3 NVR0Dev - c:\windows\nvoclock.sys <Not Verified; NVidia Corp.; NVidia System Utility Driver>

S3 pfc (Padus ASPI Shell) - c:\windows\system32\drivers\pfc.sys <Not Verified; Padus, Inc.; Padus(R) ASPI Shell>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Diskeeper - "c:\program files\diskeeper corporation\diskeeper\dkservice.exe" <Not Verified; Diskeeper Corporation; Diskeeper (TM) Disk Defragmenter>
R2 nTuneService (nTune Service) - c:\program files\nvidia corporation\ntune\ntuneservice.exe /startservice <Not Verified; NVIDIA; NVIDIA nTune>
R3 NMIndexingService - "c:\program files\common files\ahead\lib\nmindexingservice.exe" <Not Verified; Nero AG; Nero Home>

S2 CachemanXPService (CachemanXP) - c:\progra~1\cachem~1\cachemanxp.exe <Not Verified; Outertech; >
S3 NBService - c:\program files\nero\nero 7\nero backitup\nbservice.exe


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2007-08-27 11:52:01 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
2007-08-15 00:03:16 280 --a------ C:\WINDOWS\Tasks\LifeChatTask.job


-- Files created between 2007-08-04 and 2007-09-04 -----------------------------

2007-08-31 19:56:33 0 d--h----- C:\Documents and Settings\Administrator\Templates
2007-08-31 19:56:33 0 dr------- C:\Documents and Settings\Administrator\Start Menu
2007-08-31 19:56:33 0 dr-h----- C:\Documents and Settings\Administrator\SendTo
2007-08-31 19:56:33 0 d--h----- C:\Documents and Settings\Administrator\Recent
2007-08-31 19:56:33 0 d--h----- C:\Documents and Settings\Administrator\PrintHood
2007-08-31 19:56:33 786432 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT
2007-08-31 19:56:33 0 d--h----- C:\Documents and Settings\Administrator\NetHood
2007-08-31 19:56:33 0 d-------- C:\Documents and Settings\Administrator\My Documents
2007-08-31 19:56:33 0 d--h----- C:\Documents and Settings\Administrator\Local Settings
2007-08-31 19:56:33 0 d-------- C:\Documents and Settings\Administrator\Favorites
2007-08-31 19:56:33 0 d-------- C:\Documents and Settings\Administrator\Desktop
2007-08-31 19:56:33 0 d--hs---- C:\Documents and Settings\Administrator\Cookies
2007-08-31 19:56:33 0 dr-h----- C:\Documents and Settings\Administrator\Application Data
2007-08-31 19:56:33 0 d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2007-08-31 19:41:14 0 d-------- C:\Program Files\Windows Live Safety Center
2007-08-31 17:20:28 0 d-------- C:\VundoFix Backups
2007-08-31 16:26:56 0 d-------- C:\Program Files\Trend Micro
2007-08-31 15:35:26 0 d-------- C:\WINDOWS\system32\ActiveScan
2007-08-31 15:17:50 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-08-31 15:17:45 0 d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-08-31 00:18:24 0 d-------- C:\WINDOWS\pss
2007-08-30 21:56:43 0 d-------- C:\ZZZ
2007-08-30 21:29:25 43542 --a------ C:\WINDOWS\system32\ljjifgg.dll
2007-08-30 20:23:01 0 d-------- C:\Documents and Settings\All Users\Application Data\GlobalSCAPE
2007-08-30 20:21:34 0 d-------- C:\Documents and Settings\Enrique\Application Data\GlobalSCAPE
2007-08-30 20:21:08 0 d-------- C:\Program Files\GlobalSCAPE
2007-08-30 20:01:19 0 d-------- C:\Program Files\PuTTY
2007-08-28 21:44:39 0 d-------- C:\Program Files\PeerGuardian2
2007-08-28 19:32:04 0 d--hs---- C:\Documents and Settings\eMule_Secure\Cookies
2007-08-28 19:32:04 0 dr-h----- C:\Documents and Settings\eMule_Secure\Application Data
2007-08-28 19:32:04 0 d---s---- C:\Documents and Settings\eMule_Secure\Application Data\Microsoft
2007-08-28 19:32:03 0 d--h----- C:\Documents and Settings\eMule_Secure\Templates
2007-08-28 19:32:03 0 dr------- C:\Documents and Settings\eMule_Secure\Start Menu
2007-08-28 19:32:03 0 dr-h----- C:\Documents and Settings\eMule_Secure\SendTo
2007-08-28 19:32:03 0 d--h----- C:\Documents and Settings\eMule_Secure\Recent
2007-08-28 19:32:03 0 d--h----- C:\Documents and Settings\eMule_Secure\PrintHood
2007-08-28 19:32:03 262144 --ah----- C:\Documents and Settings\eMule_Secure\NTUSER.DAT
2007-08-28 19:32:03 0 d--h----- C:\Documents and Settings\eMule_Secure\NetHood
2007-08-28 19:32:03 0 d-------- C:\Documents and Settings\eMule_Secure\My Documents
2007-08-28 19:32:03 0 d--h----- C:\Documents and Settings\eMule_Secure\Local Settings
2007-08-28 19:32:03 0 d-------- C:\Documents and Settings\eMule_Secure\Favorites
2007-08-28 19:32:03 0 d-------- C:\Documents and Settings\eMule_Secure\Desktop
2007-08-28 16:56:38 0 d-------- C:\Documents and Settings\Enrique\SecurityScans
2007-08-28 16:56:10 0 d-------- C:\Program Files\Microsoft Baseline Security Analyzer 2
2007-08-27 22:23:36 0 d-------- C:\Program Files\Smart Projects
2007-08-26 21:14:47 0 d-------- C:\Program Files\BACKUP
2007-08-26 21:14:46 193024 --a------ C:\Program Files\UNWISE.EXE
2007-08-26 21:05:42 0 d-------- C:\WINDOWS\BBSTORE
2007-08-26 21:02:51 0 d-------- C:\Program Files\SSI
2007-08-26 21:00:02 0 d-------- C:\CDRtemp
2007-08-26 20:39:11 0 d-------- C:\Program Files\DAEMON Tools
2007-08-26 20:34:39 685816 --a------ C:\WINDOWS\system32\drivers\sptd.sys
2007-08-26 20:15:59 0 d-------- C:\WINDOWS\Sun
2007-08-22 17:47:12 0 dr-h----- C:\Documents and Settings\Enrique\Recent
2007-08-20 17:19:54 0 d-------- C:\Program Files\Pro Imaging Powertoys
2007-08-20 17:07:52 0 d-------- C:\WINDOWS\system32\BattleHQ
2007-08-20 17:03:10 0 d-------- C:\WINDOWS\Close Combat Cross of Iron
2007-08-20 17:03:10 0 d-------- C:\Program Files\Close Combat
2007-08-20 16:56:06 0 d-------- C:\Program Files\eMule
2007-08-17 19:59:41 0 d--h----- C:\WINDOWS\PIF
2007-08-14 22:09:13 0 d-------- C:\Program Files\Microsoft LifeChat
2007-08-12 18:09:45 0 d-------- C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage
2007-08-09 20:14:01 0 d-------- C:\Documents and Settings\Enrique\Application Data\teamspeak2
2007-08-09 20:12:58 0 d-------- C:\Program Files\Teamspeak2_RC2
2007-08-07 22:09:36 0 d-------- C:\Documents and Settings\Modesto\Application Data\WinRAR
2007-08-07 21:58:42 0 d-------- C:\Documents and Settings\Modesto\Application Data\DivX


-- Find3M Report ---------------------------------------------------------------

2007-09-04 16:27:15 4212 ---h----- C:\WINDOWS\system32\zllictbl.dat
2007-09-04 16:01:44 0 d-------- C:\Program Files\distributed.net
2007-08-31 17:32:51 0 d-------- C:\Program Files\CachemanXP
2007-08-31 17:32:30 0 d-------- C:\Program Files\Microsoft IntelliPoint
2007-08-31 17:32:26 0 d-------- C:\Program Files\Microsoft IntelliType Pro
2007-08-31 17:32:21 0 d-------- C:\Program Files\Windows Uptime
2007-08-31 17:32:14 0 d-------- C:\Program Files\FlashGet
2007-08-31 16:02:37 0 d-------- C:\Program Files\MSN Messenger
2007-08-31 00:53:30 0 d-------- C:\Program Files\Trillian
2007-08-31 00:01:03 0 d--h----- C:\Program Files\InstallShield Installation Information
2007-08-30 20:20:48 0 d-------- C:\Program Files\Common Files\InstallShield
2007-08-30 00:01:57 0 d-------- C:\Program Files\G-Zapper
2007-08-28 21:33:37 0 d-------- C:\Program Files\uTorrent
2007-08-28 15:03:14 0 d-------- C:\Program Files\World of Warcraft
2007-08-27 23:31:05 0 d-------- C:\Program Files\DivX
2007-08-27 22:03:44 0 d-------- C:\Program Files\Common Files\Ahead
2007-08-26 21:14:52 17246 --a------ C:\Program Files\INSTALL.LOG
2007-08-26 21:14:50 72 --a------ C:\Program Files\UNWISE.INI
2007-08-20 17:16:25 0 d-------- C:\Program Files\Opera
2007-08-16 19:24:14 10488 --a------ C:\WINDOWS\mozver.dat
2007-08-14 21:28:24 0 d-------- C:\Program Files\Guild Wars
2007-08-09 17:11:31 163840 --a------ C:\WINDOWS\SeaMonkeyUninstall.exe
2007-08-09 17:10:57 163840 --a------ C:\WINDOWS\GREUninstall.exe
2007-08-09 17:10:26 0 d-------- C:\Program Files\Common Files
2007-08-02 20:36:28 0 d-------- C:\Program Files\NVIDIA Corporation
2007-08-02 20:35:02 0 d-------- C:\Documents and Settings\Modesto\Application Data\Adobe
2007-08-01 20:19:12 0 d-------- C:\Program Files\Stardock
2007-08-01 19:43:56 0 d-------- C:\Program Files\Common Files\Stardock
2007-07-30 22:32:04 0 d-------- C:\Program Files\Messenger Plus! Live
2007-07-30 22:32:02 0 d-------- C:\Program Files\Windows Live
2007-07-30 19:19:16 53080 --a------ C:\WINDOWS\system32\wuauclt.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2007-07-27 18:46:14 0 d-------- C:\Program Files\DVD Identifier
2007-07-26 21:44:51 0 d-------- C:\Program Files\HyperSnap 6
2007-07-26 19:06:48 144704 --a------ C:\WINDOWS\system32\DivXCodecVersionChecker.exe <Not Verified; DivX, Inc.; DivX Codec Version Checker>
2007-07-26 19:06:22 3596288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2007-07-26 19:03:48 196608 --a------ C:\WINDOWS\system32\dtu100.dll <Not Verified; DivX, Inc.; DivX, Inc. dtu100>
2007-07-26 19:03:48 81920 --a------ C:\WINDOWS\system32\dpl100.dll <Not Verified; DivX, Inc.; DivX, Inc. dpl100>
2007-07-26 19:03:38 802816 --a------ C:\WINDOWS\system32\divx_xx11.dll <Not Verified; DivX, Inc.; DivX?>
2007-07-26 19:03:38 823296 --a------ C:\WINDOWS\system32\divx_xx0c.dll <Not Verified; DivX, Inc.; DivX®>
2007-07-26 19:03:38 823296 --a------ C:\WINDOWS\system32\divx_xx07.dll <Not Verified; DivX, Inc.; DivX®>
2007-07-26 19:03:38 740442 --a------ C:\WINDOWS\system32\DivX.dll <Not Verified; DivX, Inc.; DivX®>
2007-07-26 19:03:02 12288 --a------ C:\WINDOWS\system32\DivXWMPExtType.dll
2007-07-23 22:08:41 0 d-------- C:\Program Files\QuickTime
2007-07-23 22:03:41 0 d-------- C:\Program Files\Apple Software Update
2007-07-23 21:43:45 0 d-------- C:\Program Files\Java
2007-07-03 12:33:04 6912 --a------ C:\WINDOWS\nvoclock.sys <Not Verified; NVidia Corp.; NVidia System Utility Driver>
2007-07-03 12:32:58 397312 --a------ C:\WINDOWS\ntuneoem.dll <Not Verified; NVIDIA; NVIDIA nTune>
2007-07-03 12:32:06 1622016 --a------ C:\WINDOWS\NVBenchMarks.dll <Not Verified; NVIDIA; NVIDIA nTune>
2007-07-03 12:31:48 28672 --a------ C:\WINDOWS\AutoTuneScript.dll <Not Verified; NVIDIA; NVIDIA nTune>
2007-06-29 00:43:00 1638400 --a------ C:\WINDOWS\system32\nwiz.exe
2007-06-29 00:43:00 1019904 --a------ C:\WINDOWS\system32\nvwimg.dll
2007-06-29 00:43:00 1703936 --a------ C:\WINDOWS\system32\nvwdmcpl.dll
2007-06-29 00:43:00 466944 --a------ C:\WINDOWS\system32\nvshell.dll
2007-06-29 00:43:00 1474560 --a------ C:\WINDOWS\system32\nview.dll
2007-06-29 00:43:00 1417216 --a------ C:\WINDOWS\system32\nvdspsch.exe
2007-06-29 00:43:00 552960 --a------ C:\WINDOWS\system32\nvappbar.exe
2007-06-29 00:43:00 438272 --a------ C:\WINDOWS\system32\keystone.exe
2007-06-27 19:05:02 972072 --a------ C:\WINDOWS\UNNeroMediaHome.exe <Not Verified; Nero AG; Nero Installer>
2007-06-26 17:52:43 409600 --a------ C:\WINDOWS\system32\wrap_oal.dll <Not Verified; Creative Labs; Creative Labs OpenAL32>
2007-06-26 17:52:43 86016 --a------ C:\WINDOWS\system32\OpenAL32.dll <Not Verified; Portions (C) Creative Labs Inc. and NVIDIA Corp.; Standard OpenAL(TM) Library>
2007-06-26 14:12:02 972072 --a------ C:\WINDOWS\UNNeroVision.exe <Not Verified; Nero AG; Nero Installer>
2007-06-24 22:49:14 335 --a------ C:\WINDOWS\nsreg.dat
2007-06-24 22:22:36 298104 --a------ C:\WINDOWS\system32\imon.dll <Not Verified; Eset; NOD32 Antivirus System>
2007-06-24 20:47:24 0 -rahs---- C:\MSDOS.SYS
2007-06-24 20:47:24 0 -rahs---- C:\IO.SYS
2007-06-24 20:47:24 0 --a------ C:\CONFIG.SYS
2007-06-24 20:47:24 0 --a------ C:\AUTOEXEC.BAT
2007-06-24 20:43:31 21640 --a------ C:\WINDOWS\system32\emptyregdb.dat
2007-06-24 16:17:59 62 --ahs---- C:\Documents and Settings\Modesto\Application Data\desktop.ini
2007-06-19 04:41:48 262144 --a------ C:\WINDOWS\BCUnInstall.exe <Not Verified; Jetico; BCUnInstall>
2007-06-13 06:23:07 1043968 --a------ C:\WINDOWS\explorer.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3624CF3-54E1-4FD0-88EF-F9BDF3979F3A}]
08/30/2007 09:29 PM 43542 --a------ C:\WINDOWS\system32\ljjifgg.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [08/03/2004 10:32 PM]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [08/03/2004 10:32 PM]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [08/03/2004 10:32 PM]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [06/24/2007 10:22 PM]
"BCWipeTM Startup"="C:\Program Files\Jetico\BestCrypt\BCWipeTM.exe" [06/09/2007 02:57 AM]
"IntelliPoint"="c:\Program Files\Microsoft IntelliPoint\ipoint.exe" [02/05/2007 03:52 PM]
"itype"="c:\Program Files\Microsoft IntelliType Pro\itype.exe" [11/21/2006 05:08 PM]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [05/11/2007 03:06 AM]
"CTHelper"="CTHELPER.EXE" [08/11/2006 02:56 PM C:\WINDOWS\CTHELPER.EXE]
"CTxfiHlp"="CTXFIHLP.EXE" [08/11/2006 02:56 PM C:\WINDOWS\system32\CTXFIHLP.EXE]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [06/29/2007 06:24 AM]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [06/21/2007 09:54 PM]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [06/29/2007 12:43 AM]
"nwiz"="nwiz.exe" [06/29/2007 12:43 AM C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="NvMCTray.dll" [06/29/2007 12:43 AM C:\WINDOWS\system32\nvmctray.dll]
"LifeChat"="C:\Program Files\Microsoft LifeChat\LifeChat.exe" [01/26/2007 02:31 PM]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [03/01/2007 03:57 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NVIDIA nTune"="C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" [07/03/2007 12:32 PM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
BestCrypt Auto Open.lnk - C:\Program Files\Jetico\BestCrypt\BestCrypt.exe [2/14/2007 8:58:33 AM]
distributed.net client.lnk - C:\Program Files\distributed.net\dnetc.exe [9/10/2006 3:25:38 AM]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{A3624CF3-54E1-4FD0-88EF-F9BDF3979F3A}"= C:\WINDOWS\system32\ljjifgg.dll [08/30/2007 09:29 PM 43542]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ljjifgg]
ljjifgg.dll 08/30/2007 09:29 PM 43542 C:\WINDOWS\system32\ljjifgg.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=hplun.dll




-- End of Deckard's System Scanner: finished at 2007-09-04 16:33:19 ------------
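The registry dump above shows the same DLL registered as a BHO, a ShellExecuteHook and a Winlogon Notify package, with a second bare name in AppInit_DLLs. The following is an added triage example, not code from Deckard's System Scanner, HijackThis or anyone in this thread: it parses that dump format and flags modules that occupy AppInit_DLLs or two or more of those load points; the thresholds and regexes are its own assumptions.

```python
"""Triage the load points in a DSS-style "Registry Dump" section.

Added example for this thread, not code from Deckard's System Scanner or HijackThis.
It parses the dump format shown above and flags any module found in AppInit_DLLs or
under two or more of the load points the infection above chained together (BHO,
ShellExecuteHooks, Winlogon Notify). The rules and regexes are this example's own.
"""
import re
from collections import defaultdict

# Load points legitimate software rarely needs; matched against the [key] line.
HIGH_RISK_KEYS = {
    "bho": re.compile(r"\\Browser Helper Objects\\", re.I),
    "shellexecutehooks": re.compile(r"\\ShellExecuteHooks$", re.I),
    "winlogon_notify": re.compile(r"\\winlogon\\notify\\", re.I),
}
HIGH_RISK = set(HIGH_RISK_KEYS) | {"appinit_dlls"}

KEY_RE = re.compile(r"^\[(.+)\]$")
# First drive-letter path on the line that ends in a loadable-module extension.
PATH_RE = re.compile(r'([A-Za-z]:\\[^\[\]"]+?\.(?:dll|exe|sys))\b', re.I)
APPINIT_RE = re.compile(r'^"appinit_dlls"\s*=\s*(.*)$', re.I)
STAMP_RE = re.compile(r"\d{2}/\d{2}/\d{4} \d{2}:\d{2} [AP]M")

def classify_key(key):
    """Map a registry key to a load-point label ('other' for Run keys etc.)."""
    for label, pattern in HIGH_RISK_KEYS.items():
        if pattern.search(key):
            return label
    return "other"

def parse_dump(text):
    """Yield (load_point, module_basename, full_path_or_None, timestamp_or_None)."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("*Note*"):
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        if key is None:  # header text before the first [key]
            continue
        m = APPINIT_RE.match(line)
        if m:  # AppInit_DLLs holds bare names (comma/space separated), no path
            for mod in re.split(r"[,\s]+", m.group(1)):
                if mod:
                    yield ("appinit_dlls", mod.lower(), None, None)
            continue
        m = PATH_RE.search(line)
        if m:
            path = m.group(1)
            stamp = STAMP_RE.search(line)
            yield (classify_key(key), path.rsplit("\\", 1)[-1].lower(),
                   path, stamp.group(0) if stamp else None)

def triage(text):
    """Return {module: {"points": [...], "paths": [...], "stamps": [...]}} for
    every module that trips the AppInit_DLLs rule or the multi-load-point rule."""
    seen = defaultdict(lambda: {"points": set(), "paths": set(), "stamps": set()})
    for point, mod, path, stamp in parse_dump(text):
        seen[mod]["points"].add(point)
        if path:
            seen[mod]["paths"].add(path)
        if stamp:  # one identical timestamp on every copy is typical of one drop event
            seen[mod]["stamps"].add(stamp)
    flagged = {}
    for mod, entry in seen.items():
        risky = entry["points"] & HIGH_RISK
        if "appinit_dlls" in risky or len(risky) >= 2:
            flagged[mod] = {k: sorted(v) for k, v in entry.items()}
    return flagged

# Lines copied (abridged) from the DSS registry dump posted in this thread.
SAMPLE_DUMP = r"""
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3624CF3-54E1-4FD0-88EF-F9BDF3979F3A}]
08/30/2007 09:29 PM 43542 --a------ C:\WINDOWS\system32\ljjifgg.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [06/29/2007 12:43 AM]
"nwiz"="nwiz.exe" [06/29/2007 12:43 AM C:\WINDOWS\system32\nwiz.exe]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{A3624CF3-54E1-4FD0-88EF-F9BDF3979F3A}"= C:\WINDOWS\system32\ljjifgg.dll [08/30/2007 09:29 PM 43542]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ljjifgg]
ljjifgg.dll 08/30/2007 09:29 PM 43542 C:\WINDOWS\system32\ljjifgg.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=hplun.dll
"""
```

Running `triage(SAMPLE_DUMP)` reports ljjifgg.dll under all three load points with a single drop timestamp and hplun.dll from AppInit_DLLs, while the NVIDIA entries under the Run key are not flagged.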
 


#7 · (Edited)
It seems it didn't run. I don't know if it's a new build of combofix.exe, but one of the times when the window came up and closed right away I was able to catch it saying something about "GREP"; I don't know if it's an error or what. However, on Friday when I made my first post I had downloaded Combofix from one of the subjects here while I was reading as to what tools to download and what to do. I ran that combofix just now and it ran up to a certain extent. Again no log file was created, but it created a catchme.zip file on my desktop with the file ljjifgg.dll in it.

The window this combofix quits out of says "AutoScan" at the top; inside the window it says "A new window shall open to continue the disinfection process." At that point a Windows dialog box opens up that says "Unable to open the script file." The only option is to click OK, and combofix has already quit; the desktop is blank, but I can reboot/shutdown via hitting Ctrl-Alt-Del to bring up Task Manager.

The only combofix.txt file available was in the combofix directory, but it basically has no data:

ComboFix 07-08-30.3 - "Modesto" 2007-09-04 18:39:36.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.642 [GMT -4:00]
 
#8 ·
OK, I've re-downloaded Combofix again from the URL you had posted. It seems they fixed whatever problem it had, or maybe it was on my end and the virus on my system was modifying downloaded files. I finally got a log.

ComboFix 07-08-30.3 - "Modesto" 2007-09-04 19:49:24.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.657 [GMT -4:00]


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\ljjifgg.dll


((((((((((((((((((((((((( Files Created from 2007-08-04 to 2007-09-04 )))))))))))))))))))))))))))))))


2007-09-04 19:57 16,384 --a----t- C:\TEMP\Perflib_Perfdata_1ac.dat
2007-09-04 19:56 16,384 --a----t- C:\TEMP\Perflib_Perfdata_7b0.dat
2007-09-04 19:03 16,384 --a----t- C:\TEMP\Perflib_Perfdata_6f8.dat
2007-09-04 17:43 160,256 --a------ C:\WINDOWS\nircmd.exe
2007-09-04 17:39 16,384 --a----t- C:\TEMP\Perflib_Perfdata_7d0.dat
2007-09-04 16:38 <DIR> d-------- C:\DOCUME~1\Modesto\APPLIC~1\Talkback
2007-09-04 16:12 <DIR> d-------- C:\ComboFix1
2007-09-04 16:00 16,384 --a----t- C:\TEMP\Perflib_Perfdata_730.dat
2007-09-04 16:00 16,384 --a----t- C:\TEMP\Perflib_Perfdata_684.dat
2007-08-31 19:41 <DIR> d-------- C:\Program Files\Windows Live Safety Center
2007-08-31 17:20 <DIR> d-------- C:\VundoFix Backups
2007-08-31 16:26 <DIR> d-------- C:\Program Files\Trend Micro
2007-08-31 16:24 <DIR> d-------- C:\Deckard
2007-08-31 15:35 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-08-31 15:17 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-08-31 15:17 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Kaspersky Lab
2007-08-31 15:05 16,384 --a----t- C:\TEMP\Perflib_Perfdata_610.dat
2007-08-31 00:18 <DIR> d-------- C:\WINDOWS\pss
2007-08-30 23:53 16,384 --a----t- C:\TEMP\Perflib_Perfdata_700.dat
2007-08-30 23:51 16,384 --a----t- C:\TEMP\Perflib_Perfdata_ea4.dat
2007-08-30 23:42 16,384 --a----t- C:\TEMP\Perflib_Perfdata_764.dat
2007-08-30 23:42 16,384 --a----t- C:\TEMP\Perflib_Perfdata_708.dat
2007-08-30 23:42 16,384 --a----t- C:\TEMP\Perflib_Perfdata_6e4.dat
2007-08-30 21:56 <DIR> d-------- C:\ZZZ
2007-08-30 20:23 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\GlobalSCAPE
2007-08-30 20:21 <DIR> d-------- C:\Program Files\GlobalSCAPE
2007-08-30 20:01 <DIR> d-------- C:\Program Files\PuTTY
2007-08-28 21:44 <DIR> d-------- C:\Program Files\PeerGuardian2
2007-08-28 16:56 <DIR> d-------- C:\Program Files\Microsoft Baseline Security Analyzer 2
2007-08-27 23:34 16,384 --a----t- C:\TEMP\Perflib_Perfdata_724.dat
2007-08-27 23:21 16,384 --a----t- C:\TEMP\Perflib_Perfdata_6e8.dat
2007-08-27 23:11 16,384 --a----t- C:\TEMP\Perflib_Perfdata_7c0.dat
2007-08-27 22:59 16,384 --a----t- C:\TEMP\Perflib_Perfdata_72c.dat
2007-08-27 22:23 <DIR> d-------- C:\Program Files\Smart Projects
2007-08-26 21:14 193,024 --a------ C:\Program Files\UNWISE.EXE
2007-08-26 21:14 <DIR> d-------- C:\Program Files\BACKUP
2007-08-26 21:05 <DIR> d-------- C:\WINDOWS\BBSTORE
2007-08-26 21:02 <DIR> d-------- C:\Program Files\SSI
2007-08-26 21:00 <DIR> d-------- C:\CDRtemp
2007-08-26 20:43 16,384 --a----t- C:\TEMP\Perflib_Perfdata_738.dat
2007-08-26 20:39 <DIR> d-------- C:\Program Files\DAEMON Tools
2007-08-26 20:34 685,816 --a------ C:\WINDOWS\system32\drivers\sptd.sys
2007-08-20 17:19 <DIR> d-------- C:\Program Files\Pro Imaging Powertoys
2007-08-20 17:07 <DIR> d-------- C:\WINDOWS\system32\BattleHQ
2007-08-20 17:03 <DIR> d-------- C:\WINDOWS\Close Combat Cross of Iron
2007-08-20 17:03 <DIR> d-------- C:\Program Files\Close Combat
2007-08-20 16:56 <DIR> d-------- C:\Program Files\eMule
2007-08-17 19:59 <DIR> d--h----- C:\WINDOWS\PIF
2007-08-14 22:12 59,264 --a------ C:\WINDOWS\system32\drivers\USBAUDIO.sys
2007-08-14 22:09 <DIR> d-------- C:\Program Files\Microsoft LifeChat
2007-08-12 18:09 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Office Genuine Advantage
2007-08-09 20:12 <DIR> d-------- C:\Program Files\Teamspeak2_RC2
2007-08-07 22:09 <DIR> d-------- C:\DOCUME~1\Modesto\APPLIC~1\WinRAR
2007-08-07 21:58 <DIR> d-------- C:\DOCUME~1\Modesto\APPLIC~1\DivX


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-09-04 19:58 5503008 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2007-09-04 19:54 65516 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2007-09-04 16:01 --------- d-------- C:\Program Files\distributed.net
2007-08-31 17:32 --------- d-------- C:\Program Files\Windows Uptime
2007-08-31 17:32 --------- d-------- C:\Program Files\Microsoft IntelliType Pro
2007-08-31 17:32 --------- d-------- C:\Program Files\Microsoft IntelliPoint
2007-08-31 17:32 --------- d-------- C:\Program Files\FlashGet
2007-08-31 17:32 --------- d-------- C:\Program Files\CachemanXP
2007-08-31 16:02 --------- d-------- C:\Program Files\MSN Messenger
2007-08-31 00:53 --------- d-------- C:\Program Files\Trillian
2007-08-31 00:01 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-08-30 20:20 --------- d-------- C:\Program Files\Common Files\InstallShield
2007-08-30 00:01 --------- d-------- C:\Program Files\G-Zapper
2007-08-28 21:33 --------- d-------- C:\Program Files\uTorrent
2007-08-28 15:03 --------- d-------- C:\Program Files\World of Warcraft
2007-08-27 23:31 --------- d-------- C:\Program Files\DivX
2007-08-27 22:03 --------- d-------- C:\Program Files\Common Files\Ahead
2007-08-27 21:59 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Nero
2007-08-26 21:14 72 --a------ C:\Program Files\UNWISE.INI
2007-08-26 21:14 17246 --a------ C:\Program Files\INSTALL.LOG
2007-08-20 17:16 --------- d-------- C:\Program Files\Opera
2007-08-14 21:28 --------- d-------- C:\Program Files\Guild Wars
2007-08-09 17:11 163840 --a------ C:\WINDOWS\SeaMonkeyUninstall.exe
2007-08-09 17:10 163840 --a------ C:\WINDOWS\GREUninstall.exe
2007-08-02 20:36 --------- d-------- C:\Program Files\NVIDIA Corporation
2007-08-02 20:33 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\nView_Profiles
2007-08-01 20:19 --------- d-------- C:\Program Files\Stardock
2007-08-01 19:52 75932 --a------ C:\WINDOWS\system32\drivers\klick.dat
2007-08-01 19:52 74396 --a------ C:\WINDOWS\system32\drivers\klin.dat
2007-08-01 19:52 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\MailFrontier
2007-08-01 19:43 --------- d-------- C:\Program Files\Common Files\Stardock
2007-07-31 16:28 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Messenger Plus!
2007-07-30 22:32 --------- d-------- C:\Program Files\Windows Live
2007-07-30 22:32 --------- d-------- C:\Program Files\Messenger Plus! Live
2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\cdm.dll
2007-07-30 19:19 549720 --a------ C:\WINDOWS\system32\wuapi.dll
2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\wuauclt.exe
2007-07-30 19:19 43352 --a------ C:\WINDOWS\system32\wups2.dll
2007-07-30 19:19 325976 --a------ C:\WINDOWS\system32\wucltui.dll
2007-07-30 19:19 271224 --a------ C:\WINDOWS\system32\mucltui.dll
2007-07-30 19:19 207736 --a------ C:\WINDOWS\system32\muweb.dll
2007-07-30 19:19 203096 --a------ C:\WINDOWS\system32\wuweb.dll
2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\wuaueng.dll
2007-07-30 19:18 33624 --a------ C:\WINDOWS\system32\wups.dll
2007-07-27 18:46 --------- d-------- C:\Program Files\DVD Identifier
2007-07-26 21:44 --------- d-------- C:\Program Files\HyperSnap 6
2007-07-26 19:06 765952 --a------ C:\WINDOWS\system32\DivXsm.exe
2007-07-26 19:06 3596288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2007-07-26 19:06 200704 --a------ C:\WINDOWS\system32\ssldivx.dll
2007-07-26 19:06 144704 --a------ C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2007-07-26 19:06 129784 --------- C:\WINDOWS\system32\pxafs.dll
2007-07-26 19:06 120056 --a------ C:\WINDOWS\system32\pxcpyi64.exe
2007-07-26 19:06 118520 --a------ C:\WINDOWS\system32\pxinsi64.exe
2007-07-26 19:06 1044480 --a------ C:\WINDOWS\system32\libdivx.dll
2007-07-26 19:03 823296 --a------ C:\WINDOWS\system32\divx_xx0c.dll
2007-07-26 19:03 823296 --a------ C:\WINDOWS\system32\divx_xx07.dll
2007-07-26 19:03 81920 --a------ C:\WINDOWS\system32\dpl100.dll
2007-07-26 19:03 802816 --a------ C:\WINDOWS\system32\divx_xx11.dll
2007-07-26 19:03 740442 --a------ C:\WINDOWS\system32\DivX.dll
2007-07-26 19:03 593920 --a------ C:\WINDOWS\system32\dpuGUI11.dll
2007-07-26 19:03 57344 --a------ C:\WINDOWS\system32\dpv11.dll
2007-07-26 19:03 53248 --a------ C:\WINDOWS\system32\dpuGUI10.dll
2007-07-26 19:03 344064 --a------ C:\WINDOWS\system32\dpus11.dll
2007-07-26 19:03 294912 --a------ C:\WINDOWS\system32\dpu11.dll
2007-07-26 19:03 294912 --a------ C:\WINDOWS\system32\dpu10.dll
2007-07-26 19:03 196608 --a------ C:\WINDOWS\system32\dtu100.dll
2007-07-26 19:03 12288 --a------ C:\WINDOWS\system32\DivXWMPExtType.dll
2007-07-23 22:08 --------- d-------- C:\Program Files\QuickTime
2007-07-23 22:03 --------- d-------- C:\Program Files\Apple Software Update
2007-07-20 00:57 267112 --a------ C:\WINDOWS\system32\xactengine2_9.dll
2007-07-20 00:54 18280 --a------ C:\WINDOWS\system32\x3daudio1_2.dll
2007-07-19 18:14 444776 --a------ C:\WINDOWS\system32\d3dx10_35.dll
2007-07-19 18:14 3727720 --a------ C:\WINDOWS\system32\d3dx9_35.dll
2007-07-19 18:14 1358192 --a------ C:\WINDOWS\system32\D3DCompiler_35.dll
2007-07-03 12:33 6912 --a------ C:\WINDOWS\nvoclock.sys
2007-07-03 12:32 397312 --a------ C:\WINDOWS\ntuneoem.dll
2007-07-03 12:32 1622016 --a------ C:\WINDOWS\NVBenchMarks.dll
2007-07-03 12:31 28672 --a------ C:\WINDOWS\AutoTuneScript.dll
2007-06-29 01:54 401408 --a------ C:\WINDOWS\system32\NVUNINST.EXE
2007-06-29 00:43 8466432 --a------ C:\WINDOWS\system32\nvcpl.dll
2007-06-29 00:43 81920 --a------ C:\WINDOWS\system32\nvwddi.dll
2007-06-29 00:43 81920 --a------ C:\WINDOWS\system32\nvmctray.dll
2007-06-29 00:43 765952 --a------ C:\WINDOWS\system32\nvcplui.exe
2007-06-29 00:43 6729728 --a------ C:\WINDOWS\system32\nvoglnt.dll
2007-06-29 00:43 6234112 --a------ C:\WINDOWS\system32\nvdisps.dll
2007-06-29 00:43 5690624 --a------ C:\WINDOWS\system32\nv4_disp.dll
2007-06-29 00:43 552960 --a------ C:\WINDOWS\system32\nvappbar.exe
2007-06-29 00:43 5455872 --a------ C:\WINDOWS\system32\nvdispsr.dll
2007-06-29 00:43 466944 --a------ C:\WINDOWS\system32\nvshell.dll
2007-06-29 00:43 458752 --a------ C:\WINDOWS\system32\nvmccssr.dll
2007-06-29 00:43 45056 --a------ C:\WINDOWS\system32\nvmccsrs.dll
2007-06-29 00:43 438272 --a------ C:\WINDOWS\system32\keystone.exe
2007-06-29 00:43 401408 --a------ C:\WINDOWS\system32\nvudisp.exe
2007-06-29 00:43 37376 --a------ C:\WINDOWS\system32\nvcodins.dll
2007-06-29 00:43 37376 --a------ C:\WINDOWS\system32\nvcod.dll
2007-06-29 00:43 360448 --a------ C:\WINDOWS\system32\nvapi.dll
2007-06-29 00:43 3600384 --a------ C:\WINDOWS\system32\nvvitvsr.dll
2007-06-29 00:43 3518464 --a------ C:\WINDOWS\system32\nvvitvs.dll
2007-06-29 00:43 3321856 --a------ C:\WINDOWS\system32\nvgames.dll
2007-06-29 00:43 3072000 --a------ C:\WINDOWS\system32\nvgamesr.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-03 22:32]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-03 22:32]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-03 22:32]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2007-06-24 22:22]
"BCWipeTM Startup"="C:\Program Files\Jetico\BestCrypt\BCWipeTM.exe" [2007-06-09 02:57]
"IntelliPoint"="c:\Program Files\Microsoft IntelliPoint\ipoint.exe" [2007-02-05 15:52]
"itype"="c:\Program Files\Microsoft IntelliType Pro\itype.exe" [2006-11-21 17:08]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06]
"CTHelper"="CTHELPER.EXE" [2006-08-11 14:56 C:\WINDOWS\CTHELPER.EXE]
"CTxfiHlp"="CTXFIHLP.EXE" [2006-08-11 14:56 C:\WINDOWS\system32\CTXFIHLP.EXE]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-06-29 06:24]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-06-21 21:54]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-06-29 00:43]
"nwiz"="nwiz.exe" [2007-06-29 00:43 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="NvMCTray.dll" [2007-06-29 00:43 C:\WINDOWS\system32\nvmctray.dll]
"LifeChat"="C:\Program Files\Microsoft LifeChat\LifeChat.exe" [2007-01-26 14:31]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 15:57]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NVIDIA nTune"="C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" [2007-07-03 12:32]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=hplun.dll

R1 BC_3DES;BC_3DES;C:\WINDOWS\system32\drivers\BC_3DES.sys
R1 BC_BF128;BC_BF128;C:\WINDOWS\system32\drivers\BC_BF128.sys
R1 BC_BF448;BC_BF448;C:\WINDOWS\system32\drivers\BC_BF448.sys
R1 BC_BFish;BC_BFish;C:\WINDOWS\system32\drivers\BC_BFish.sys
R1 BC_CAST;BC_CAST;C:\WINDOWS\system32\drivers\BC_CAST.sys
R1 BC_DES;BC_DES;C:\WINDOWS\system32\drivers\BC_DES.sys
R1 BC_Gost;BC_Gost;C:\WINDOWS\system32\drivers\BC_Gost.sys
R1 BC_RC6;BC_RC6;C:\WINDOWS\system32\drivers\BC_RC6.sys
R1 BC_RIJN;BC_RIJN;C:\WINDOWS\system32\drivers\BC_RIJN.sys
R1 BC_SERP;BC_SERP;C:\WINDOWS\system32\drivers\BC_SERP.sys
R1 BC_TFISH;BC_TFISH;C:\WINDOWS\system32\drivers\BC_TFISH.sys
R1 bcbus;BestCrypt bus driver;C:\WINDOWS\system32\DRIVERS\bcbus.sys
R1 fsh;fsh;C:\WINDOWS\system32\drivers\fsh.sys
R2 CachemanXPService;CachemanXP;C:\PROGRA~1\CACHEM~1\CachemanXP.exe
R3 LNE100;Linksys LNE100TX(v5) Fast Ethernet Adapter;C:\WINDOWS\system32\DRIVERS\LNE100V5.sys
R3 mhk;mhk;C:\WINDOWS\system32\drivers\mhk.sys
R3 moh;moh;C:\WINDOWS\system32\drivers\moh.sys
R3 NVR0Dev;NVR0Dev;\??\C:\WINDOWS\nvoclock.sys
R3 Point32;Microsoft IntelliPoint Filter Driver;C:\WINDOWS\system32\DRIVERS\point32.sys
S3 AN983;ADMtek AN983/AN985/ADM951X 10/100Mbps Fast Ethernet Adapter;C:\WINDOWS\system32\DRIVERS\AN983.sys
S4 BCSWAP;BCSWAP;C:\WINDOWS\system32\drivers\BCSWAP.sys


Contents of the 'Scheduled Tasks' folder
2007-08-27 15:52:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job - C:\Program Files\Apple Software Update\SoftwareUpdate.exe
2007-08-15 04:03:16 C:\WINDOWS\Tasks\LifeChatTask.job - C:\Program Files\Microsoft LifeChat\LifeChat.exe

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-04 19:56:40
Windows 5.1.2600 Service Pack 2 NTFS

detected NTDLL code modification:
ZwOpenFile

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-09-04 20:01:55 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-09-04 20:01

--- E O F ---
 
#9 ·
Good job on getting Combofix to run.

-----------------------------

CLEANUP! version 4.52 – TEMP FILE CLEANING

Please download Cleanup! and install it. You will use this later.

=================================================

P2P

P2P - I see you have P2P software eMule installed on your machine. We are not here to pass judgment on file-sharing as a concept. However, we will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to re-infections. It may be contributing to your current situation. This page will give you further information.

===================================================

From your log it would appear that you are running two antivirus products, namely NOD32 and ZoneAlarm Antivirus v7.0 Free. Whilst you may think that having two antivirus products on board is better than one, nothing can be further from the truth: they will fight for control, slow your system down and miss infections; in the end this can lead to a system crash.

Please uninstall one; I would recommend keeping NOD32.

======================================================

Click > Start > Control Panel > Add / Remove Programs and uninstall the following programs (if they exist):

FlashGet (JetCar) (Optional): Although Softpedia had marked FlashGet as having a "5-star Editor Review" award (for version 1.8), since 1.9 Softpedia has revoked their "100% Clean Award", because as soon as it is started the program tries to call various servers around the world every 3 seconds. This is also why they no longer host the latest version.

Java(TM) SE Runtime Environment 6 Update 1 (do not uninstall Java Update 2)

====================================================

Open HijackThis and click on 'Do a System Scan Only'. Check the following entries (if they still exist; make sure you do not miss any):

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {A3624CF3-54E1-4FD0-88EF-F9BDF3979F3A} - C:\WINDOWS\system32\ljjifgg.dll
O20 - Winlogon Notify: ljjifgg - C:\WINDOWS\SYSTEM32\ljjifgg.dll


Please remember to close all other windows, including browsers then click Fix checked.

====================================================

*WARNING* Cleanup deletes EVERYTHING out of temp/temporary folders and does not make backups.

Clean out your Temporary Internet files.


Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu).
Set the program up as follows:
Click "Options..."
Move the arrow down to "Custom CleanUp!"
Put a check next to the following (Make sure nothing else is checked!):
  • Empty Recycle Bins
  • Delete Cookies
  • Delete Prefetch files (if present)
  • Cleanup! All Users
  • Click on the Temporary Files tab and uncheck the box for Scan drives for files matching if it’s checked.
Click OK
Press the CleanUp! button to start the program. Once it's finished, Cleanup will ask you to log off/reboot. Please select YES.

======================================================

Perform an online scan with Internet Explorer with Panda ActiveScan
  1. Click on
    located at the bottom of the page.
  2. A "pop up" window will appear. * Please ensure that your pop up blocker doesn't block it *
  3. Enter your e-mail address, country, and state & click "Free Online Scan" *The download of the 8 MB Panda's ActiveX control will take place*
Begin the scan by selecting
  • If it finds any malware, it will offer you a report.
  • Please ignore any entry it finds and the offer to buy the program to remove the entry, as we will address this later.
  • Click on
    then click
* You needn't remain online while it's doing the scan but you have to re-connect after it has finished to see the report.

* Turn off the real time scanner of any existing antivirus program while performing the online scan


Paste the Panda Scan report into your next reply.

===================================================

Run Deckard System Scanner once again.

===================================================
Logs Required
Panda scan report
C:\Deckard\System Scanner\main.txt


Let us know how your system is behaving, thanks.
 
#10 ·
The FlashGet version I have is 1.73; I never liked the ones beyond that. Also, I have ZoneAlarm Security Suite but only use the firewall portion of it. The antivirus and antispyware portion of it is disabled. I use NOD32 as the antivirus.

I've run into a problem. I ran HijackThis and removed the line, which was the only one left of the three mentioned:

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)


After that I ran Cleanup with the options mentioned and logged off and rebooted. When the system came back up, I was unable to log into either of the 2 accounts on the system. As soon as I log in I briefly see the desktop and then it logs me back off to the user select screen. I can, however, log in via safe mode.
 
#12 ·
Yep, just reformatted and am in the process of setting everything back up now. Luckily I always slipstream my XP CD every time a new SP comes out and don't have to download too many updates. Hoping for SP3 someday :).

However, I have a couple of questions. Before reformatting and all, it seemed that most of the malware had been removed when logging in to the system. However, I created another admin account before the reformat and to my surprise found that the trojan downloaders somehow resurfaced on this new account. It got files 1.exe, 2.exe and 3.exe in the Startup folder and some other things. Any reason the other accounts didn't have this? Next is a segue; I don't know if it would be able to be answered here or whether another thread would be required, but preferably I'd like it here. Should I stick with NOD or should I look to another solution like Panda? Is the AV in ZoneAlarm Kaspersky, or does it use their definitions? I was using NOD instead of the ZoneAlarm AV because ZA seemed to slow down the system considerably. Also, could any of the .exe files that had been infected with Virtumonde actually have been cleaned, or would they have to have been replaced with the originals? Most if not all exes that normally ran had been edited/infected.
 
#14 ·
Hello again

Those files (1.exe, 2.exe and 3.exe) are bad; just reformat and create new account(s) when setting up your Windows accounts.

As for the NOD/ZoneAlarm question, I would recommend you keep NOD32 and install Comodo firewall. NOD and Comodo, with a decent antispyware product or two such as AVG Antispyware and SuperAntiSpyware, should offer greater protection; see below for more details.

A Limited User Account would help, but I could never say that it would not stop you from becoming infected; the most important part of the security of your system is you.

Any other problems not related to malware removal please see the Windows XP section of this forum.

----------------------------

MICROSOFT UPDATES

1. Click Start, Run, type sysdm.cpl, and then press OK.
2. Click the Automatic Updates tab, and then click to select one of the following options. We recommend that you select Automatic (recommended).

Microsoft updates are released on the second Tuesday of each month, which is called "Patch Tuesday".

------------------------------------------------------------------------------------------

Useful Information and Programs to keep you safe.

TrendProtect is a FREE browser plug-in that helps you avoid Web pages with unwanted content and hidden threats. TrendProtect rates the current page and pages listed in Google, MSN, and Yahoo search results. You can use the rating to decide if you want to visit or avoid a given Web page. To rate Web pages, TrendProtect refers to an extensive database that covers the following information for billions of Web pages:

* Content category
* Phishing scam detection
* Site reputation
* Page reputation

WOT Free helps you avoid disingenuous Internet content by allowing you to learn from others' experiences. WOT shows you website reputations on your browser, telling you how much other users trust a website. This helps you make better decisions while browsing and avoid phishing, malware, and other types of fraud. Reputations can also be added to web search results, Gmail, Wikipedia, and other selected sites.

WOT reputations are computed mainly from user testimonies. Sharing your knowledge with others is just a click away, without ever having to leave the site. We also collect data from hundreds of other sources (including PhishTank) to quickly warn you of emerging threats. Currently, WOT knows over 12 million websites.
Note: Only compatible with Firefox 1.5 and higher.

Only install one of the above

--------------------------------------------------------------------------------------

Alternate Browsers
Try the following free alternate browsers rather than Internet Explorer
Firefox
Opera
Maxthon

------------------------------------------------------------------------------------------

If you're thinking of changing your firewall and anti-virus products, here are some excellent free products.


Free Firewalls
A good firewall will monitor incoming and outgoing traffic. NOTE: Microsoft's Firewall does not monitor outgoing traffic. If you do not have a firewall, here are 3 free ones available for personal use:
Comodo Personal Firewall
Sygate Personal Firewall
ZoneAlarm

Free AntiVirus Products
Avast!
Antivir free
AVG Antivirus


Only install one firewall and one antivirus product

-------------------------------------------------------------------------------------------

Free Antispyware Products
SuperAntiSpyware
AVG Antispyware Free
Ad-Aware
Spybot S&D
Download SpywareBlaster 3.5.1 to help prevent spyware from installing in the first place. Install & update SpywareBlaster with the latest definitions. After you have updated, click the button - enable protection for all unprotected items.
Download Spyware Guard to catch and block spyware before it can execute.

------------------------------------------------------------------

Download IE-SPYAD.EXE to block access to malicious websites so you cannot be redirected to them from an infected site or email. IE/Spyad places more than 4000 dubious websites and domains in the IE Restricted list. This severely impairs attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites. This is a self-extracting .ZIP file, save it to your desktop. Once downloaded, double-click on it to extract the files inside (default dir is C:\IE-SPYAD)

* Now navigate to C:\ie-spyad. Double click to open it.
* From within the folder, double-click install.bat
* Select Option #2 - Install the new IE-SPYAD list, by typing 2
* Then return to the main menu.
* Select option #4 - Add the old porn sites domain, by typing 4

The MVPS Hosts file replaces your current HOSTS file with one that will restrict known ad sites from serving you unsolicited advertisements. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is the IP of your local computer. Note that if you use a company provided HOSTS file you should not use the MVPS HOSTS file.

If you're having trouble downloading & extracting, see the link below for guidance:
http://www.mvps.org/winhelp2002/hosts2.htm

Once you have extracted the hosts file, double-click on it and a new window will open.

Double-click on mvps.bat and follow the prompts.

---------------------------------------------------------------

Winpatrol - Download and install the free version of Winpatrol. A tutorial for this product is located here:
Using Winpatrol to protect your computer.

----------------------------------------

SnoopFree is a programme that informs you when another programme wants to log your keystrokes or read your screen. Only for XP users.

Update all these programs regularly. Without regular updates you will not be protected when new malicious programs are released.

==============================================

Also, please take a look at these well written articles:

PC Safety and Security--What Do I Need?

HOW DID I GET INFECTED IN THE FIRST PLACE? by Tony Klein
THE ANTI-SPYWARE TUTORIAL
MAKING INTERNET EXPLORER SAFER
Understanding and Using Firewalls

**Be very wary of any security software that is advertised in popups or in other ways. It is usually not only of no use, but often has malware in it.

Good luck.
 