
Virtumonde


6 replies to this topic

#1 curlybob

curlybob

  • Members
  • 11 posts

Posted 22 October 2007 - 03:36 AM

I have been suffering from the Virtumonde virus over the past weeks. With the help of Richie from the HJT team I have run numerous virus scans, but Sygate informs me that I seem to have lots of attempts to use my network and to give me pop-ups.

My current log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 09:31:47, on 22/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Trend Micro\HijackThis\abc.bat.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [EPSON Stylus DX4400 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATICAE.EXE /FU "C:\WINDOWS\TEMP\E_SAA.tmp" /EF "HKCU"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Acrobat Synchronizer.lnk = C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AdobeCollabSync.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase2895.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe

--
End of file - 8962 bytes



Thanks, Rob



#2 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts

Posted 22 October 2007 - 04:10 AM

Welcome :thumbsup:

Sygate informs me that I seem to have lots of attempts to use my network and to give me pop up's.

What exactly are these pop-ups? Could you post more info about them?

You should read the following:
Understanding and Using Firewalls
http://www.bleepingcomputer.com/tutorials/understanding-and-using-firewalls/

If you have previously downloaded ComboFix, please delete that version now.
Now download Combofix and save to your desktop:
Note:
It is important that it is saved directly to your desktop

Close any open browsers.
Double click on combofix.exe and follow the prompts.
When it's finished it will produce a log.
Post the entire contents of C:\ComboFix.txt into your next reply.
Note:
Do not mouseclick combofix's window while it's running.
That may cause the program to freeze/hang.

Do NOT post the ComboFix-quarantined-files.txt unless I ask.

#3 curlybob

curlybob
  • Topic Starter

  • Members
  • 11 posts

Posted 22 October 2007 - 05:15 AM

Hi Richie, I have run ComboFix:

ComboFix 07-10-22.5 - Rob 2007-10-22 10:46:20.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.169 [GMT 1:00]
Running from: C:\Documents and Settings\Rob\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2007-09-22 to 2007-10-22 )))))))))))))))))))))))))))))))
.

2007-10-19 09:08 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-10-15 20:30 <DIR> d-------- C:\Documents and Settings\Rob\Application Data\EPSON
2007-10-15 16:27 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-10-15 16:27 <DIR> d-------- C:\Documents and Settings\Rob\Application Data\SUPERAntiSpyware.com
2007-10-15 15:29 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-15 11:03 14,568 --a------ C:\WINDOWS\system32\drivers\wg6n.sys
2007-10-15 11:03 14,568 --a------ C:\WINDOWS\system32\drivers\wg5n.sys
2007-10-15 11:02 <DIR> d-------- C:\Program Files\Sygate
2007-10-15 11:02 83,096 --a------ C:\WINDOWS\system32\SSSensor.dll
2007-10-15 11:02 60,496 --a------ C:\WINDOWS\system32\drivers\Teefer.sys
2007-10-15 11:02 21,075 --a------ C:\WINDOWS\system32\drivers\wpsdrvnt.sys
2007-10-15 11:02 14,568 --a------ C:\WINDOWS\system32\drivers\wg4n.sys
2007-10-15 11:02 14,568 --a------ C:\WINDOWS\system32\drivers\wg3n.sys
2007-10-14 17:22 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2007-10-14 15:47 <DIR> d-------- C:\Documents and Settings\Rob\.housecall6.6
2007-10-14 14:39 <DIR> d-------- C:\VundoFix Backups
2007-10-13 19:56 <DIR> d-------- C:\Program Files\Trend Micro
2007-10-13 09:23 <DIR> d-------- C:\WINDOWS\pss
2007-10-12 09:57 <DIR> d-------- C:\Program Files\Windows Live Safety Center
2007-10-11 22:07 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-10-11 22:03 <DIR> d-------- C:\Program Files\Bazooka Scanner
2007-10-11 20:23 <DIR> d-------- C:\Documents and Settings\Rob\Application Data\InstallShield
2007-10-11 20:22 76,800 --a------ C:\WINDOWS\system32\E_FLBCAE.DLL
2007-10-11 20:22 62,976 --a------ C:\WINDOWS\system32\E_FD4BCAE.DLL
2007-10-11 20:22 49,152 --a------ C:\WINDOWS\system32\E_DCINST.DLL
2007-10-11 20:22 31,616 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys
2007-10-11 20:22 31,616 --a--c--- C:\WINDOWS\system32\dllcache\usbccgp.sys
2007-10-11 20:22 15,104 --a------ C:\WINDOWS\system32\drivers\usbscan.sys
2007-10-11 20:22 15,104 --a--c--- C:\WINDOWS\system32\dllcache\usbscan.sys
2007-10-11 20:21 <DIR> d-------- C:\Program Files\epson
2007-10-11 20:21 208,896 --a------ C:\WINDOWS\system32\esint7e.dll
2007-10-11 20:21 66,560 --a------ C:\WINDOWS\system32\eswia7e.dll
2007-10-11 20:21 3,584 --a------ C:\WINDOWS\system32\eswiaml.dll
2007-10-04 11:29 <DIR> d-------- C:\Program Files\Championship Manager 2007
2007-10-03 17:17 <DIR> d-------- C:\WINDOWS\Sun
2007-10-03 17:15 <DIR> d-------- C:\Program Files\Java
2007-10-03 17:10 <DIR> d-------- C:\Program Files\Common Files\Java
2007-10-01 16:54 <DIR> d-------- C:\Program Files\iPod
2007-10-01 11:12 <DIR> d-------- C:\Program Files\lycos
2007-10-01 11:11 57,344 --a------ C:\WINDOWS\system32\lyc_language.dll
2007-09-28 08:32 <DIR> d-------- C:\Program Files\MSXML 4.0
2007-09-28 08:16 626,960 -ra------ C:\WINDOWS\system32\hpvaut32.dll
2007-09-28 08:16 487,424 -ra------ C:\WINDOWS\system32\hpvcp70.dll
2007-09-28 08:16 344,064 -ra------ C:\WINDOWS\system32\hpvcr70.dll
2007-09-28 08:16 82,432 -ra------ C:\WINDOWS\system32\MSXML4r.dll
2007-09-28 08:16 44,544 -ra------ C:\WINDOWS\system32\MSXML4a.dll
2007-09-27 14:54 <DIR> d-------- C:\Program Files\Pccoach3
2007-09-27 13:32 <DIR> d-------- C:\Program Files\HP
2007-09-27 13:32 <DIR> d-------- C:\Program Files\Hewlett-Packard
2007-09-27 13:08 25,856 --a------ C:\WINDOWS\system32\drivers\usbprint.sys
2007-09-27 13:08 25,856 --a--c--- C:\WINDOWS\system32\dllcache\usbprint.sys
2007-09-27 12:26 <DIR> d-------- C:\Program Files\Common Files\Macrovision Shared
2007-09-27 12:16 <DIR> d-------- C:\WINDOWS\SxsCaPendDel
2007-09-24 22:49 <DIR> d-------- C:\Program Files\PeerGuardian2

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-19 11:46 --------- d-----w C:\Program Files\iTunes
2007-10-15 10:47 --------- d-----w C:\Documents and Settings\Rob\Application Data\Lavasoft
2007-10-15 10:46 --------- d-----w C:\Program Files\Lavasoft
2007-10-11 19:26 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-10-10 19:22 --------- d-----w C:\Documents and Settings\Rob\Application Data\uTorrent
2007-09-27 11:23 --------- d-----w C:\Program Files\Common Files\Adobe
2007-09-19 10:55 98,304 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2007-09-17 10:06 --------- d-----w C:\Documents and Settings\Rob\Application Data\Apple Computer
2007-09-10 19:16 639,224 ----a-w C:\WINDOWS\system32\drivers\sptd.sys
2007-09-08 19:00 --------- d-----w C:\Program Files\MSN Messenger
2007-09-08 15:27 --------- d-----w C:\Program Files\WinXMedia
2007-09-08 15:22 --------- d-----w C:\Program Files\Microsoft Digital Image 2006
2007-09-08 15:21 --------- d-----w C:\Program Files\Common Files\Nikon
2007-09-08 14:19 --------- d-----w C:\Program Files\Microsoft.NET
2007-09-08 14:19 --------- d-----w C:\Program Files\Microsoft ActiveSync
2007-09-08 13:57 --------- d-----w C:\Program Files\avijoin
2007-09-08 13:53 --------- d-----w C:\Program Files\Windows Media Components
2007-09-08 13:48 --------- d-----w C:\Documents and Settings\Rob\Application Data\Ahead
2007-09-08 13:36 --------- d-----w C:\Program Files\Common Files\Ahead
2007-09-08 13:34 --------- d-----w C:\Program Files\Nero
2007-09-08 12:00 --------- d-----w C:\Program Files\Common Files\Adobe Systems Shared
2007-09-08 09:44 --------- d-----w C:\Program Files\QuickTime
2007-09-08 09:44 --------- d-----w C:\Program Files\Apple Software Update
2007-09-08 09:43 --------- d-----w C:\Program Files\Common Files\Apple
2007-09-08 08:34 --------- d-----w C:\Program Files\MSXML 6.0
2007-09-08 08:26 --------- d-----w C:\Program Files\McAfee
2007-09-08 08:26 --------- d-----w C:\Program Files\Common Files\McAfee
2007-09-08 08:26 --------- d-----w C:\Program Files\Common Files\Cisco Systems
2007-09-08 00:16 --------- d-----w C:\Program Files\MSBuild
2007-09-08 00:13 --------- d-----w C:\Program Files\Reference Assemblies
2007-09-07 23:46 --------- d-----w C:\Program Files\uTorrent
2007-09-07 22:44 12,400 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-09-07 19:22 --------- d-----w C:\Program Files\Xvid
2007-09-07 19:12 --------- d-----w C:\Program Files\AC3Filter
2007-09-07 17:44 --------- d-----w C:\Program Files\Realtek
2007-09-07 17:40 --------- d-----w C:\Program Files\Common Files\InstallShield
2007-09-07 12:35 --------- d-----w C:\Documents and Settings\Rob\Application Data\ATI
2007-09-07 12:34 --------- d-----w C:\Program Files\ATI Technologies
2007-09-07 12:30 --------- d-----w C:\Program Files\Common Files\ATI Technologies
2007-09-07 11:05 --------- d-----w C:\Program Files\microsoft frontpage
2007-09-07 11:00 --------- d-----w C:\Program Files\Windows Plus
2007-08-22 08:16 96,384 ----a-w C:\WINDOWS\system32\drivers\Rtnicxp.sys
2007-08-21 06:15 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-07-30 18:19 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-07-30 18:19 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-07-30 18:19 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-07-30 18:19 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
2007-07-30 18:19 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-07-30 18:19 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-07-30 18:19 1,712,984 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-07-30 18:18 33,624 ----a-w C:\WINDOWS\system32\wups.dll
.

((((((((((((((((((((((((((((( snapshot@2007-10-15_15.38.39.25 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-09-28 08:06:08 135,168 ----a-w C:\WINDOWS\catchme.exe
+ 2007-10-20 05:03:30 136,192 ----a-w C:\WINDOWS\catchme.exe
+ 2006-08-24 07:28:54 141,424 ----a-w C:\WINDOWS\Downloaded Program Files\asinst.dll
+ 2007-10-15 15:27:12 29,696 ----a-r C:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF11.exe
+ 2007-10-15 15:27:12 18,944 ----a-r C:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF13.exe
+ 2007-10-15 15:27:12 65,024 ----a-r C:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF15.exe
+ 2007-03-29 08:20:50 110,592 ----a-w C:\WINDOWS\system32\ActiveScan\as.dll
+ 2006-10-05 15:15:26 233,472 ----a-w C:\WINDOWS\system32\ActiveScan\ascontrol.dll
+ 2005-06-03 13:03:18 96,256 ----a-w C:\WINDOWS\system32\ActiveScan\asmdat.dll
+ 2003-08-01 10:00:16 36,864 ----a-w C:\WINDOWS\system32\ActiveScan\certdll.dll
+ 2005-05-20 12:42:44 86,016 ----a-w C:\WINDOWS\system32\ActiveScan\instlsp.dll
+ 2006-02-16 17:20:20 4,608 ----a-w C:\WINDOWS\system32\ActiveScan\memvfile.dll
+ 2005-10-25 17:08:32 348,160 ----a-w C:\WINDOWS\system32\ActiveScan\msvcr71.dll
+ 2004-05-04 14:01:02 139,264 ----a-w C:\WINDOWS\system32\ActiveScan\pavaleas.dll
+ 2006-07-14 12:04:10 45,056 ----a-w C:\WINDOWS\system32\ActiveScan\pavdr.exe
+ 2006-04-10 09:50:02 159,832 ----a-w C:\WINDOWS\system32\ActiveScan\pavexcom.dll
+ 2006-02-14 12:05:38 94,208 ----a-w C:\WINDOWS\system32\ActiveScan\pavinas.dll
+ 2006-02-16 17:35:38 180,224 ----a-w C:\WINDOWS\system32\ActiveScan\pavoe.dll
+ 2006-10-05 15:15:38 122,880 ----a-w C:\WINDOWS\system32\ActiveScan\pavpz.dll
+ 2006-06-30 13:13:38 8,704 ----a-w C:\WINDOWS\system32\ActiveScan\pfdnnt.exe
+ 2004-02-04 13:08:42 49,152 ----a-w C:\WINDOWS\system32\ActiveScan\port32.dll
+ 2006-08-01 12:23:10 69,632 ----a-w C:\WINDOWS\system32\ActiveScan\pscpu.dll
+ 2006-08-23 12:06:08 1,388,544 ----a-w C:\WINDOWS\system32\ActiveScan\pskahk.dll
+ 2006-08-17 10:38:14 10,752 ----a-w C:\WINDOWS\system32\ActiveScan\pskalloc.dll
+ 2006-09-04 10:49:54 61,440 ----a-w C:\WINDOWS\system32\ActiveScan\pskas.dll
+ 2006-08-18 07:46:18 779,264 ----a-w C:\WINDOWS\system32\ActiveScan\pskavs.dll
+ 2007-03-26 13:25:34 417,792 ----a-w C:\WINDOWS\system32\ActiveScan\pskcmp.dll
+ 2006-08-09 09:42:24 90,112 ----a-w C:\WINDOWS\system32\ActiveScan\pskfss.dll
+ 2006-07-19 09:55:58 208,896 ----a-w C:\WINDOWS\system32\ActiveScan\pskhtml.dll
+ 2006-01-20 15:57:00 9,728 ----a-w C:\WINDOWS\system32\ActiveScan\pskmas.dll
+ 2006-05-17 08:50:12 14,336 ----a-w C:\WINDOWS\system32\ActiveScan\pskmdfs.dll
+ 2006-08-16 09:58:12 33,280 ----a-w C:\WINDOWS\system32\ActiveScan\pskpack.dll
+ 2006-06-30 13:42:36 266,240 ----a-w C:\WINDOWS\system32\ActiveScan\pskscs.dll
+ 2006-08-17 13:33:14 62,976 ----a-w C:\WINDOWS\system32\ActiveScan\pskutil.dll
+ 2006-08-08 12:13:10 13,312 ----a-w C:\WINDOWS\system32\ActiveScan\pskvfile.dll
+ 2006-08-18 07:53:08 69,632 ----a-w C:\WINDOWS\system32\ActiveScan\pskvfs.dll
+ 2006-08-18 07:49:50 167,936 ----a-w C:\WINDOWS\system32\ActiveScan\pskvm.dll
+ 2007-04-18 16:16:04 353,840 ----a-w C:\WINDOWS\system32\ActiveScan\psscan.dll
+ 2007-01-22 13:42:48 35,328 ----a-w C:\WINDOWS\system32\ActiveScan\rawvfile.dll
+ 1997-09-18 05:12:32 9,488 ----a-w C:\WINDOWS\system32\ActiveScan\sporder.dll
+ 2006-02-28 16:23:40 69,632 ----a-w C:\WINDOWS\system32\ActiveScan\tcpvfile.dll
+ 2006-08-02 11:39:06 73,728 ----a-w C:\WINDOWS\system32\asuninst.exe
- 2007-10-05 09:07:31 279,552 ----a-w C:\WINDOWS\system32\swreg.exe
+ 2007-04-02 13:21:27 139,776 ----a-w C:\WINDOWS\system32\swreg.exe
+ 2003-03-25 17:53:50 11,776 ----a-w C:\WINDOWS\system32\ZPORT4AS.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-08-05 13:56]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-09-25 09:12]
"RTHDCPL"="RTHDCPL.EXE" [2006-08-14 07:00 C:\WINDOWS\RTHDCPL.exe]
"SkyTel"="SkyTel.EXE" [2006-05-16 11:04 C:\WINDOWS\SkyTel.exe]
"ShStatEXE"="C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.exe" [2006-11-30 08:50]
"McAfeeUpdaterUI"="C:\Program Files\McAfee\Common Framework\UdaterUI.exe" [2006-11-17 13:39]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 06:24]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 16:40]
"Acrobat Assistant 8.0"="C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2006-10-22 23:24]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-09-26 14:42]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]
"SmcService"="C:\PROGRA~1\Sygate\SPF\smc.exe" [2004-10-15 19:40]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 13:00]
"EPSON Stylus DX4400 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATICAE.exe" [2007-03-01 07:01]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

R1 mfetdik;McAfee Inc.;C:\WINDOWS\system32\drivers\mfetdik.sys
R3 mfeapfk;McAfee Inc.;C:\WINDOWS\system32\drivers\mfeapfk.sys
R3 W8335XP;802.11g/b Driver for Windows XP ;C:\WINDOWS\system32\DRIVERS\Mrvw125.sys
S0 rsggsqgc;rsggsqgc;C:\WINDOWS\system32\drivers\vdkblybl.sys

.
Contents of the 'Scheduled Tasks' folder
"2007-10-04 13:03:20 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
.
**************************************************************************

catchme 0.3.1232 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-22 10:47:58
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-10-22 10:48:34
C:\ComboFix2.txt ... 2007-10-15 15:39
.
--- E O F ---


I am reading over the firewall blurb and will spend the next hour getting up to speed on what all the messages I receive from it are telling me.

In regards to the pop-ups, I will write down the details when it attempts to open the pages or access the network. This may take a while to gather, but I will post a reply once I have more info.

Regards,

Rob
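The ComboFix log in the post above ends its "Reg Loading Points" section with a driver entry (S0 rsggsqgc -> vdkblybl.sys) whose service name and file name are unrelated strings of letters, which has no descriptive display name, and which is boot-start; that is the entry the next reply targets for deletion. The Python below is an added example, not part of the original thread and not ComboFix's own logic: it parses service/driver lines in the format ComboFix prints and scores each one with heuristics that are this example's own assumptions. The sample lines are copied from the log above plus one constructed benign entry (the "Teefer" display name is made up). A high score is a reason to look closer, not a verdict.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: the four driver lines from the "Reg Loading Points"
# section of the ComboFix log above, plus one made-up benign entry
# (the "Teefer" display name is an assumption of this example).
SAMPLE_REG_LOADING_POINTS = r"""
R1 mfetdik;McAfee Inc.;C:\WINDOWS\system32\drivers\mfetdik.sys
R3 mfeapfk;McAfee Inc.;C:\WINDOWS\system32\drivers\mfeapfk.sys
R3 W8335XP;802.11g/b Driver for Windows XP ;C:\WINDOWS\system32\DRIVERS\Mrvw125.sys
S0 rsggsqgc;rsggsqgc;C:\WINDOWS\system32\drivers\vdkblybl.sys
R2 Teefer;Sygate Teefer Driver;C:\WINDOWS\system32\drivers\Teefer.sys
"""

# One entry per line: <R|S><start type> <service>;<display name>;<image path>
# R = running, S = stopped; start type 0 = boot, 1 = system, 2 = auto, 3 = demand.
LINE_RE = re.compile(r"^([RS])([0-4])\s+([^;]+);([^;]*);(.+)$")


@dataclass
class DriverEntry:
    state: str
    start_type: int
    service: str
    display: str
    image: str
    score: int = 0
    reasons: list = field(default_factory=list)


def parse_entries(text):
    """Parse every well-formed driver/service line; ignore everything else."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            entries.append(DriverEntry(m.group(1), int(m.group(2)),
                                       m.group(3).strip(), m.group(4).strip(),
                                       m.group(5).strip()))
    return entries


def score_entry(entry):
    """Add one point per heuristic that fires. These are this example's own
    rules of thumb, not a signature; a legitimate driver can trip one of them."""
    if not entry.display or entry.display == entry.service:
        entry.score += 1
        entry.reasons.append("no descriptive display name")
    if re.fullmatch(r"[a-z]{8}", entry.service):
        entry.score += 1
        entry.reasons.append("service name is 8 random-looking lowercase letters")
    base = entry.image.rsplit("\\", 1)[-1].lower()
    if base.endswith(".sys"):
        base = base[:-4]
    if base != entry.service.lower():
        entry.score += 1
        entry.reasons.append("service name does not match driver file name")
    if entry.start_type == 0:
        entry.score += 1
        entry.reasons.append("boot-start: loads before any anti-malware service")
    return entry


def flag_suspicious_drivers(text, threshold=3):
    """Return entries whose score reaches the threshold, highest score first."""
    scored = [score_entry(e) for e in parse_entries(text)]
    return sorted((e for e in scored if e.score >= threshold),
                  key=lambda e: e.score, reverse=True)


if __name__ == "__main__":
    for hit in flag_suspicious_drivers(SAMPLE_REG_LOADING_POINTS):
        print(f"{hit.state}{hit.start_type} {hit.service} -> {hit.image} (score {hit.score})")
        for reason in hit.reasons:
            print("   -", reason)
```

Run against the sample, only the rsggsqgc entry reaches the threshold (all four heuristics fire); the McAfee, Marvell and constructed Sygate entries score at most one point. To use it on a real log, paste the whole "Reg Loading Points" section in: lines that are not driver entries are skipped by the regex.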

#4 curlybob

curlybob
  • Topic Starter

  • Members
  • 11 posts

Posted 22 October 2007 - 05:26 AM

Hi, here is my first request since the last post:

NDIS user mode I/O driver (ndisuio.sys) mode has received a packet from the remote machine. Do you want to allow this protocol driver to access the network?

I am still reading up on the firewall but thought I would post to you as I go.

#5 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts

Posted 22 October 2007 - 05:49 AM

Enable the viewing of hidden files and folders; reverse the process when you've done the steps below:
http://www.bleepingcomputer.com/tutorials/how-to-see-hidden-files-in-windows/

* Run HijackThis.
* Click on Open the Misc Tools section.
* Click Delete a file on reboot.
* Find and select this file if present:
C:\WINDOWS\system32\drivers\vdkblybl.sys
* Click Open.
* You will be asked if you want to restart your computer, click Yes.
* Your computer will be restarted.

I now need you to do the following if you will:

Go here: http://virusscan.jotti.org/
Using the 'Browse' button, browse to:
C:\WINDOWS\system32\E_FLBCAE.DLL
Then press the 'Submit' button.
Wait while the file is scanned.
Post the results into your next reply.

If Jotti's too busy, try here:
http://www.virustotal.com/en/virustotalf.html
Click on the 'Analysis' tab.
Using the 'Browse' button, browse to:
C:\WINDOWS\system32\E_FLBCAE.DLL
Then click on 'Send File'.
Post the results into your next reply.

Then do exactly the same with the following files:
C:\WINDOWS\system32\E_FD4BCAE.DLL
C:\WINDOWS\system32\E_DCINST.DLL

Post all three sets of results into your next reply please.

#6 curlybob

curlybob
  • Topic Starter

  • Members
  • 11 posts

Posted 22 October 2007 - 08:14 AM

On reboot after the HJT tool I received these 2 messages:

NDIS user mode I/O driver (ndisuio.sys) mode has received a broadcast packet from the remote machine (192.168.1.159). Do you want this program to access the machine?

Generic Host Process for Win32 Services (svchost.exe) is trying to connect to 192.168.1.1 using remote port 49152. Do you want this program to access the network?


I have used VirusTotal as Jotti was too busy:

C:\WINDOWS\system32\E_FLBCAE.DLL:

File E_FLBCAE.DLL received on 10.22.2007 14:51:30 (CET)

Result: 0/32 (0%)


Antivirus Version Last Update Result
AhnLab-V3 2007.10.22.0 2007.10.22 -
AntiVir 7.6.0.27 2007.10.22 -
Authentium 4.93.8 2007.10.22 -
Avast 4.7.1051.0 2007.10.21 -
AVG 7.5.0.488 2007.10.22 -
BitDefender 7.2 2007.10.22 -
CAT-QuickHeal 9.00 2007.10.20 -
ClamAV 0.91.2 2007.10.22 -
DrWeb 4.44.0.09170 2007.10.22 -
eSafe 7.0.15.0 2007.10.21 -
eTrust-Vet 31.2.5230 2007.10.22 -
Ewido 4.0 2007.10.21 -
FileAdvisor 1 2007.10.22 -
Fortinet 3.11.0.0 2007.10.19 -
F-Prot 4.3.2.48 2007.10.22 -
F-Secure 6.70.13030.0 2007.10.22 -
Ikarus T3.1.1.12 2007.10.22 -
Kaspersky 7.0.0.125 2007.10.22 -
McAfee 5145 2007.10.19 -
Microsoft 1.2908 2007.10.22 -
NOD32v2 2606 2007.10.22 -
Norman 5.80.02 2007.10.22 -
Panda 9.0.0.4 2007.10.21 -
Prevx1 V2 2007.10.22 -
Rising 19.46.02.00 2007.10.22 -
Sophos 4.22.0 2007.10.22 -
Sunbelt 2.2.907.0 2007.10.20 -
Symantec 10 2007.10.22 -
TheHacker 6.2.9.104 2007.10.22 -
VBA32 3.12.2.4 2007.10.22 -
VirusBuster 4.3.26:9 2007.10.21 -
Webwasher-Gateway 6.0.1 2007.10.22 -
Additional information
File size: 76800 bytes
MD5: a4ec6b9766e2a7faa77283697bc5c307
SHA1: 828547648c7682008ffaf8225bdbeac68f2be5e4


C:\WINDOWS\system32\E_FD4BCAE.DLL:


File E_FD4BCAE.DLL received on 10.22.2007 14:58:18 (CET)

Result: 0/32 (0%)


Antivirus Version Last Update Result
AhnLab-V3 2007.10.22.0 2007.10.22 -
AntiVir 7.6.0.27 2007.10.22 -
Authentium 4.93.8 2007.10.22 -
Avast 4.7.1051.0 2007.10.21 -
AVG 7.5.0.488 2007.10.22 -
BitDefender 7.2 2007.10.22 -
CAT-QuickHeal 9.00 2007.10.20 -
ClamAV 0.91.2 2007.10.22 -
DrWeb 4.44.0.09170 2007.10.22 -
eSafe 7.0.15.0 2007.10.21 -
eTrust-Vet 31.2.5230 2007.10.22 -
Ewido 4.0 2007.10.22 -
FileAdvisor 1 2007.10.22 -
Fortinet 3.11.0.0 2007.10.19 -
F-Prot 4.3.2.48 2007.10.22 -
F-Secure 6.70.13030.0 2007.10.22 -
Ikarus T3.1.1.12 2007.10.22 -
Kaspersky 7.0.0.125 2007.10.22 -
McAfee 5145 2007.10.19 -
Microsoft 1.2908 2007.10.22 -
NOD32v2 2606 2007.10.22 -
Norman 5.80.02 2007.10.22 -
Panda 9.0.0.4 2007.10.21 -
Prevx1 V2 2007.10.22 -
Rising 19.46.02.00 2007.10.22 -
Sophos 4.22.0 2007.10.22 -
Sunbelt 2.2.907.0 2007.10.18 -
Symantec 10 2007.10.22 -
TheHacker 6.2.9.104 2007.10.22 -
VBA32 3.12.2.4 2007.10.22 -
VirusBuster 4.3.26:9 2007.10.21 -
Webwasher-Gateway 6.0.1 2007.10.22 -
Additional information
File size: 62976 bytes
MD5: 8eb50eb111d161708b899a6af6a8f860
SHA1: d6ef7294f3145e24bc68731515ba3055a9d8388e



C:\WINDOWS\system32\E_DCINST.DLL

File E_DCINST.DLL received on 10.22.2007 15:04:25 (CET)

Result: 0/31 (0%)


Antivirus Version Last Update Result
AhnLab-V3 2007.10.22.0 2007.10.22 -
AntiVir 7.6.0.27 2007.10.22 -
Authentium 4.93.8 2007.10.22 -
Avast 4.7.1051.0 2007.10.21 -
AVG 7.5.0.488 2007.10.22 -
BitDefender 7.2 2007.10.22 -
CAT-QuickHeal 9.00 2007.10.20 -
ClamAV 0.91.2 2007.10.22 -
DrWeb 4.44.0.09170 2007.10.22 -
eSafe 7.0.15.0 2007.10.21 -
eTrust-Vet 31.2.5230 2007.10.22 -
Ewido 4.0 2007.10.22 -
FileAdvisor 1 2007.10.22 -
Fortinet 3.11.0.0 2007.10.19 -
F-Prot 4.3.2.48 2007.10.22 -
F-Secure 6.70.13030.0 2007.10.22 -
Ikarus T3.1.1.12 2007.10.22 -
Kaspersky 7.0.0.125 2007.10.22 -
McAfee 5145 2007.10.19 -
Microsoft 1.2908 2007.10.22 -
NOD32v2 2606 2007.10.22 -
Norman 5.80.02 2007.10.22 -
Panda 9.0.0.4 2007.10.21 -
Rising 19.46.02.00 2007.10.22 -
Sophos 4.22.0 2007.10.22 -
Sunbelt 2.2.907.0 2007.10.20 -
Symantec 10 2007.10.22 -
TheHacker 6.2.9.104 2007.10.22 -
VBA32 3.12.2.4 2007.10.22 -
VirusBuster 4.3.26:9 2007.10.21 -
Webwasher-Gateway 6.0.1 2007.10.22 -
Additional information
File size: 49152 bytes
MD5: 1129871724a26b1dd6678de88b7fe941
SHA1: c3a70fc2397c3ea365f734b4ab946884147f709d

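The VirusTotal output above is pasted as the web page rendered it, so the useful fields (detection count, per-engine results, file size, MD5 and SHA-1) sit among page text. The Python below is an added example, not from the original thread and not VirusTotal's own code: it pulls those fields out of a report in that text layout and checks that the hashes the report lists match the file actually sitting on disk, which is the check worth doing before trusting a 0/32 result for a file you submitted. The first sample report is an abbreviated copy of the E_FLBCAE.DLL report above; the second, with engine "ExampleAV", result "Example.Detection" and zeroed hashes, is constructed to show how a detection row is read.

```python
import hashlib
import re

# Constructed sample 1: an abbreviated copy of the E_FLBCAE.DLL report pasted
# above (three of its 32 engine rows kept; hashes and size as reported).
SAMPLE_REPORT = """\
File E_FLBCAE.DLL received on 10.22.2007 14:51:30 (CET)
Result: 0/32 (0%)
Antivirus Version Last Update Result
AhnLab-V3 2007.10.22.0 2007.10.22 -
Kaspersky 7.0.0.125 2007.10.22 -
Webwasher-Gateway 6.0.1 2007.10.22 -
Additional information
File size: 76800 bytes
MD5: a4ec6b9766e2a7faa77283697bc5c307
SHA1: 828547648c7682008ffaf8225bdbeac68f2be5e4
"""

# Constructed sample 2: same layout with one detecting engine. "ExampleAV",
# "Example.Detection", the file name and the hashes are made up for this example.
SAMPLE_REPORT_WITH_HIT = """\
File sample.dll received on 10.22.2007 15:10:00 (CET)
Result: 1/3 (33.33%)
Antivirus Version Last Update Result
AhnLab-V3 2007.10.22.0 2007.10.22 -
ExampleAV 1.0 2007.10.22 Example.Detection
Kaspersky 7.0.0.125 2007.10.22 -
Additional information
File size: 11 bytes
MD5: 00000000000000000000000000000000
SHA1: 0000000000000000000000000000000000000000
"""

# Engine rows look like: <engine> <version> <yyyy.mm.dd> <result>; "-" means clean.
ENGINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\d{4}\.\d{2}\.\d{2})\s+(.+)$")


def parse_virustotal_report(text):
    """Extract the fields worth keeping from a report in the pasted text layout."""
    report = {"file": None, "detections": None, "engines_total": None,
              "size": None, "md5": None, "sha1": None, "hits": {}}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("File ") and " received on " in line:
            report["file"] = line.split()[1]
        elif line.startswith("Result:"):
            m = re.search(r"(\d+)/(\d+)", line)
            report["detections"], report["engines_total"] = int(m.group(1)), int(m.group(2))
        elif line.startswith("File size:"):
            report["size"] = int(re.search(r"\d+", line).group())
        elif line.startswith("MD5:"):
            report["md5"] = line.split(":", 1)[1].strip().lower()
        elif line.startswith("SHA1:"):
            report["sha1"] = line.split(":", 1)[1].strip().lower()
        else:
            m = ENGINE_RE.match(line)
            if m and m.group(4).strip() != "-":
                report["hits"][m.group(1)] = m.group(4).strip()
    return report


def local_hashes(data):
    """Hashes and size of the bytes you actually submitted (read the file in 'rb' mode)."""
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha1": hashlib.sha1(data).hexdigest(),
            "size": len(data)}


def report_matches_file(report, data):
    """True only if size, MD5 and SHA-1 in the report all match the local bytes,
    i.e. the verdict really is about this file and not a different upload."""
    h = local_hashes(data)
    return (h["md5"] == report["md5"] and h["sha1"] == report["sha1"]
            and h["size"] == report["size"])


if __name__ == "__main__":
    r = parse_virustotal_report(SAMPLE_REPORT)
    print(r["file"], f'{r["detections"]}/{r["engines_total"]}', r["md5"], r["hits"])
    # A constructed byte string stands in for the DLL here, so this prints False.
    print(report_matches_file(r, b"not the real file"))
```

On a real machine, replace the constructed bytes with `open(r"C:\WINDOWS\system32\E_FLBCAE.DLL", "rb").read()`; a mismatch means the report you are reading is for a different file (an earlier upload, or a file that changed between scan and check), and the 0/32 tells you nothing about the copy on disk.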
#7 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts

Posted 22 October 2007 - 10:29 AM

NDIS user mode I/O driver (ndisuio.sys) mode has received a broadcast packet from the remote machine (192.168.1.159). Do you want this program to access the machine?

Unblock/allow it to access the machine.

Generic Host Process for Win32 Services (svchost.exe) is trying to connect to 192.168.1.1 using remote port 49152. Do you want this program to access the network?

Unblock/allow that program to access the network.

I suggest you uninstall Sygate and go with ZoneAlarm Free 7.0.408.0; it'll be far easier to use:
http://filehippo.com/download_zonealarm_free/

ZoneAlarm Free:
Automatic Program Configuration provides safety and simplicity by automatically configuring programs.
Automatically decides whether to allow or deny Internet access to individual programs.