
Known Virtumonde Infection (possibly Others In Addition)


This topic is locked
6 replies to this topic

#1 krylon80

  • Members
  • 4 posts

Posted 04 November 2007 - 11:02 PM

Tried every detection removal tool listed on the "before you post log" post. Many detect it, nothing removes it. I know for a fact that Virtumonde is present on my system, but I am fairly certain other malware/viruses are as well. It will typically lie dormant until I connect to the internet. Then the computer will run slower, the internet will crash altogether and I will receive false security warning balloons and pop-ups due to a few different BHOs that are running (invisible to task manager).

I just need to get rid of this thing. Thanks for your help. Much appreciated!!!!!

HIJACK THIS LOG:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:59:16 PM, on 11/4/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Red Chair Software\Notmad Explorer\notmgr.exe
C:\Documents and Settings\Marisol Avellaneda\Desktop\Virus Stuff\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.boston.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O2 - BHO: {a573bfb3-5804-517b-cc74-70fb6f3cba44} - {44abc3f6-bf07-47cc-b715-40853bfb375a} - C:\WINDOWS\system32\uenqvniq.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - C:\WINDOWS\system32\iavtebmu.dll
O2 - BHO: (no name) - {CCDAB2C1-2EBE-455A-AB92-CA12C5F3D1BA} - C:\WINDOWS\system32\nnnmn.dll
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\iavtebmu.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [SBCSTray] C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\Policies\Explorer\Run: [SystemManager] C:\WINDOWS\system32\msapp32.exe
O4 - Startup: Notmad Manager.lnk = C:\Program Files\Red Chair Software\Notmad Explorer\notmgr.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: bwhbzbxm - bwhbzbxm.dll (file missing)
O20 - Winlogon Notify: dkaazqpr - dkaazqpr.dll (file missing)
O20 - Winlogon Notify: iavtebmu - C:\WINDOWS\SYSTEM32\iavtebmu.dll
O20 - Winlogon Notify: winyqq32 - winyqq32.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\ysqbsahk.exe (file missing)
O23 - Service: F - Sysinternals - www.sysinternals.com - C:\DOCUME~1\MARISO~1\LOCALS~1\Temp\F.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe (file missing)
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Unknown owner - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe (file missing)
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe (file missing)
O23 - Service: Pml Driver HPZ12 - Unknown owner - C:\WINDOWS\system32\HPZipm12.exe (file missing)
O23 - Service: Sunbelt CounterSpy Antispyware (SBCSSvc) - Sunbelt Software - C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
O24 - Desktop Component 0: (no name) - http://www.farnesegallery.com/images/Fireplaces04.jpg

--
End of file - 5807 bytes

LIST OF FOUND SUSPICIOUS FILES:
*vturrqr.dll
*btojdndo.dll
*foxszwd.dll
*hrokknyv.dll
bxayfbey.dll
nnnmn.dll

*ysqbsahk.exe
qpviomnl.dll
uenqvniq.dll
iavtebmu.dll

*{60676966-E9D0-44C8-89AA-5A74A35BDA77}
*{89AD4D75-2429-462e-BD4E-443F233F6033}
*{A95B2816-1D7E-4561-A202-68C0DE02353A}


*removed

VIRTUMONDE BE GONE LOG:


[10/30/2007, 15:12:33] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\Marisol Avellaneda\Desktop\VirtumundoBeGone.exe" )
[10/30/2007, 15:12:38] - Detected System Information:
[10/30/2007, 15:12:39] - Windows Version: 5.1.2600, Service Pack 2
[10/30/2007, 15:12:39] - Current Username: Marisol Avellaneda (Admin)
[10/30/2007, 15:12:39] - Windows is in NORMAL mode.
[10/30/2007, 15:12:39] - Searching for Browser Helper Objects:
[10/30/2007, 15:12:39] - BHO 1: {3E4A0D7B-DD02-4A3F-A04C-0B3FF84AD935} ()
[10/30/2007, 15:12:39] - WARNING: BHO has no default name. Checking for Winlogon reference.
[10/30/2007, 15:12:39] - Checking for HKLM\...\Winlogon\Notify\vturrqr
[10/30/2007, 15:12:39] - Found: HKLM\...\Winlogon\Notify\vturrqr - This is probably Virtumundo.
[10/30/2007, 15:12:39] - Assigning {3E4A0D7B-DD02-4A3F-A04C-0B3FF84AD935} MSEvents Object
[10/30/2007, 15:12:39] - BHO list has been changed! Starting over...
[10/30/2007, 15:12:39] - BHO 1: {3E4A0D7B-DD02-4A3F-A04C-0B3FF84AD935} (MSEvents Object)
[10/30/2007, 15:12:39] - ALERT: Found MSEvents Object!
[10/30/2007, 15:12:40] - BHO 2: {89AD4D75-2429-462e-BD4E-443F233F6033} ()
[10/30/2007, 15:12:40] - WARNING: BHO has no default name. Checking for Winlogon reference.
[10/30/2007, 15:12:40] - Checking for HKLM\...\Winlogon\Notify\btojdndo
[10/30/2007, 15:12:40] - Key not found: HKLM\...\Winlogon\Notify\btojdndo, continuing.
[10/30/2007, 15:12:40] - BHO 3: {A95B2816-1D7E-4561-A202-68C0DE02353A} ()
[10/30/2007, 15:12:40] - WARNING: BHO has no default name. Checking for Winlogon reference.
[10/30/2007, 15:12:40] - Checking for HKLM\...\Winlogon\Notify\foxszwud
[10/30/2007, 15:12:40] - Found: HKLM\...\Winlogon\Notify\foxszwud - This is probably Virtumundo.
[10/30/2007, 15:12:40] - Assigning {A95B2816-1D7E-4561-A202-68C0DE02353A} MSEvents Object
[10/30/2007, 15:12:40] - BHO list has been changed! Starting over...
[10/30/2007, 15:12:40] - BHO 1: {3E4A0D7B-DD02-4A3F-A04C-0B3FF84AD935} (MSEvents Object)
[10/30/2007, 15:12:40] - ALERT: Found MSEvents Object!
[10/30/2007, 15:12:40] - BHO 2: {89AD4D75-2429-462e-BD4E-443F233F6033} ()
[10/30/2007, 15:12:40] - WARNING: BHO has no default name. Checking for Winlogon reference.
[10/30/2007, 15:12:40] - Checking for HKLM\...\Winlogon\Notify\btojdndo
[10/30/2007, 15:12:40] - Key not found: HKLM\...\Winlogon\Notify\btojdndo, continuing.
[10/30/2007, 15:12:41] - BHO 3: {A95B2816-1D7E-4561-A202-68C0DE02353A} (MSEvents Object)
[10/30/2007, 15:12:41] - ALERT: Found MSEvents Object!
[10/30/2007, 15:12:41] - BHO 4: {A9B3CD2A-4ED9-4127-BD4A-01994D67A4DA} ()
[10/30/2007, 15:12:41] - WARNING: BHO has no default name. Checking for Winlogon reference.
[10/30/2007, 15:12:41] - Checking for HKLM\...\Winlogon\Notify\nnnmn
[10/30/2007, 15:12:41] - Key not found: HKLM\...\Winlogon\Notify\nnnmn, continuing.
[10/30/2007, 15:12:41] - Finished Searching Browser Helper Objects
[10/30/2007, 15:12:41] - *** Detected MSEvents Object
[10/30/2007, 15:12:41] - Trying to remove MSEvents Object...
[10/30/2007, 15:12:42] - Terminating Process: IEXPLORE.EXE
[10/30/2007, 15:12:52] - Terminating Process: RUNDLL32.EXE
[10/30/2007, 15:13:02] - Disabling Automatic Shell Restart
[10/30/2007, 15:13:02] - Terminating Process: EXPLORER.EXE
[10/30/2007, 15:13:03] - Suspending the NT Session Manager System Service
[10/30/2007, 15:13:03] - Terminating Windows NT Logon/Logoff Manager
[10/30/2007, 15:13:04] - Re-enabling Automatic Shell Restart
[10/30/2007, 15:13:04] - File to disable: C:\WINDOWS\system32\vturrqr.dll
[10/30/2007, 15:13:04] - Renaming C:\WINDOWS\system32\vturrqr.dll -> C:\WINDOWS\system32\vturrqr.dll.vir
[10/30/2007, 15:13:05] - File successfully renamed!
[10/30/2007, 15:13:05] - Removing HKLM\...\Browser Helper Objects\{3E4A0D7B-DD02-4A3F-A04C-0B3FF84AD935}
[10/30/2007, 15:13:05] - Removing HKCR\CLSID\{3E4A0D7B-DD02-4A3F-A04C-0B3FF84AD935}
[10/30/2007, 15:13:06] - Adding Kill Bit for ActiveX for GUID: {3E4A0D7B-DD02-4A3F-A04C-0B3FF84AD935}
[10/30/2007, 15:13:07] - Deleting ATLEvents/MSEvents Registry entries
[10/30/2007, 15:13:07] - Removing HKLM\...\Winlogon\Notify\vturrqr
[10/30/2007, 15:13:07] - Searching for Browser Helper Objects:
[10/30/2007, 15:13:07] - BHO 1: {89AD4D75-2429-462e-BD4E-443F233F6033} ()
[10/30/2007, 15:13:07] - WARNING: BHO has no default name. Checking for Winlogon reference.
[10/30/2007, 15:13:07] - Checking for HKLM\...\Winlogon\Notify\btojdndo
[10/30/2007, 15:13:07] - Key not found: HKLM\...\Winlogon\Notify\btojdndo, continuing.
[10/30/2007, 15:13:07] - BHO 2: {A95B2816-1D7E-4561-A202-68C0DE02353A} (MSEvents Object)
[10/30/2007, 15:13:07] - ALERT: Found MSEvents Object!
[10/30/2007, 15:13:07] - BHO 3: {A9B3CD2A-4ED9-4127-BD4A-01994D67A4DA} ()
[10/30/2007, 15:13:07] - WARNING: BHO has no default name. Checking for Winlogon reference.
[10/30/2007, 15:13:08] - Checking for HKLM\...\Winlogon\Notify\nnnmn
[10/30/2007, 15:13:08] - Key not found: HKLM\...\Winlogon\Notify\nnnmn, continuing.
[10/30/2007, 15:13:08] - Finished Searching Browser Helper Objects
[10/30/2007, 15:13:08] - *** Detected MSEvents Object
[10/30/2007, 15:13:08] - Trying to remove MSEvents Object...
[10/30/2007, 15:13:09] - Terminating Process: IEXPLORE.EXE
[10/30/2007, 15:13:09] - Terminating Process: RUNDLL32.EXE
[10/30/2007, 15:13:09] - Disabling Automatic Shell Restart
[10/30/2007, 15:13:09] - Terminating Process: EXPLORER.EXE
[10/30/2007, 15:13:09] - Suspending the NT Session Manager System Service
[10/30/2007, 15:13:10] - Terminating Windows NT Logon/Logoff Manager
[10/30/2007, 15:13:10] - Re-enabling Automatic Shell Restart
[10/30/2007, 15:13:10] - File to disable: C:\WINDOWS\system32\foxszwud.dll
[10/30/2007, 15:13:10] - Renaming C:\WINDOWS\system32\foxszwud.dll -> C:\WINDOWS\system32\foxszwud.dll.vir
[10/30/2007, 15:13:10] - ! File rename was unsucessful.
[10/30/2007, 15:13:10] - Attempting to Deny Access to C:\WINDOWS\system32\foxszwud.dll
[10/30/2007, 15:13:16] - *** IMPORTANT: Delete/Rename/Move on reboot (like Killbox) MAY NOT work.
[10/30/2007, 15:13:16] - processed file: C:\WINDOWS\system32\foxszwud.dll

[10/30/2007, 15:13:16] - *** IMPORTANT: The file is disabled and will need to be deleted by the user.
[10/30/2007, 15:13:16] - Removing HKLM\...\Browser Helper Objects\{A95B2816-1D7E-4561-A202-68C0DE02353A}
[10/30/2007, 15:13:16] - Removing HKCR\CLSID\{A95B2816-1D7E-4561-A202-68C0DE02353A}
[10/30/2007, 15:13:16] - Adding Kill Bit for ActiveX for GUID: {A95B2816-1D7E-4561-A202-68C0DE02353A}
[10/30/2007, 15:13:17] - Deleting ATLEvents/MSEvents Registry entries
[10/30/2007, 15:13:17] - Removing HKLM\...\Winlogon\Notify\foxszwud
[10/30/2007, 15:13:17] - Searching for Browser Helper Objects:
[10/30/2007, 15:13:17] - BHO 1: {89AD4D75-2429-462e-BD4E-443F233F6033} ()
[10/30/2007, 15:13:17] - WARNING: BHO has no default name. Checking for Winlogon reference.
[10/30/2007, 15:13:17] - Checking for HKLM\...\Winlogon\Notify\btojdndo
[10/30/2007, 15:13:17] - Key not found: HKLM\...\Winlogon\Notify\btojdndo, continuing.
[10/30/2007, 15:13:17] - BHO 2: {A9B3CD2A-4ED9-4127-BD4A-01994D67A4DA} ()
[10/30/2007, 15:13:17] - WARNING: BHO has no default name. Checking for Winlogon reference.
[10/30/2007, 15:13:18] - Checking for HKLM\...\Winlogon\Notify\nnnmn
[10/30/2007, 15:13:18] - Key not found: HKLM\...\Winlogon\Notify\nnnmn, continuing.
[10/30/2007, 15:13:18] - Finished Searching Browser Helper Objects
[10/30/2007, 15:13:18] - Finishing up...
[10/30/2007, 15:13:18] - A restart is needed.
[10/30/2007, 15:13:18] - Automatic Reboot on STOP Error is not set. User will have to manually restart.
[10/30/2007, 15:14:06] - Attempting to Restart via STOP error (Blue Screen!)

[10/30/2007, 15:21:58] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\Marisol Avellaneda\Desktop\VirtumundoBeGone.exe" )
[10/30/2007, 15:22:02] - Detected System Information:
[10/30/2007, 15:22:02] - Windows Version: 5.1.2600, Service Pack 2
[10/30/2007, 15:22:02] - Current Username: Marisol Avellaneda (Admin)
[10/30/2007, 15:22:02] - Windows is in SAFE mode.
[10/30/2007, 15:22:02] - Searching for Browser Helper Objects:
[10/30/2007, 15:22:02] - BHO 1: {45C2A803-2BF0-4DBA-A496-BDB2B9F0259A} ()
[10/30/2007, 15:22:02] - WARNING: BHO has no default name. Checking for Winlogon reference.
[10/30/2007, 15:22:02] - Checking for HKLM\...\Winlogon\Notify\nnnmn
[10/30/2007, 15:22:02] - Key not found: HKLM\...\Winlogon\Notify\nnnmn, continuing.
[10/30/2007, 15:22:02] - BHO 2: {89AD4D75-2429-462e-BD4E-443F233F6033} ()
[10/30/2007, 15:22:02] - WARNING: BHO has no default name. Checking for Winlogon reference.
[10/30/2007, 15:22:02] - Checking for HKLM\...\Winlogon\Notify\btojdndo
[10/30/2007, 15:22:02] - Key not found: HKLM\...\Winlogon\Notify\btojdndo, continuing.
[10/30/2007, 15:22:02] - BHO 3: {A95B2816-1D7E-4561-A202-68C0DE02353A} ()
[10/30/2007, 15:22:02] - WARNING: BHO has no default name. Checking for Winlogon reference.
[10/30/2007, 15:22:02] - Checking for HKLM\...\Winlogon\Notify\foxszwud
[10/30/2007, 15:22:02] - Found: HKLM\...\Winlogon\Notify\foxszwud - This is probably Virtumundo.
[10/30/2007, 15:22:02] - Assigning {A95B2816-1D7E-4561-A202-68C0DE02353A} MSEvents Object
[10/30/2007, 15:22:02] - BHO list has been changed! Starting over...
[10/30/2007, 15:22:02] - BHO 1: {45C2A803-2BF0-4DBA-A496-BDB2B9F0259A} ()
[10/30/2007, 15:22:03] - WARNING: BHO has no default name. Checking for Winlogon reference.
[10/30/2007, 15:22:03] - Checking for HKLM\...\Winlogon\Notify\nnnmn
[10/30/2007, 15:22:03] - Key not found: HKLM\...\Winlogon\Notify\nnnmn, continuing.
[10/30/2007, 15:22:03] - BHO 2: {89AD4D75-2429-462e-BD4E-443F233F6033} ()
[10/30/2007, 15:22:03] - WARNING: BHO has no default name. Checking for Winlogon reference.
[10/30/2007, 15:22:03] - Checking for HKLM\...\Winlogon\Notify\btojdndo
[10/30/2007, 15:22:03] - Key not found: HKLM\...\Winlogon\Notify\btojdndo, continuing.
[10/30/2007, 15:22:03] - BHO 3: {A95B2816-1D7E-4561-A202-68C0DE02353A} (MSEvents Object)
[10/30/2007, 15:22:03] - ALERT: Found MSEvents Object!
[10/30/2007, 15:22:03] - Finished Searching Browser Helper Objects
[10/30/2007, 15:22:03] - *** Detected MSEvents Object
[10/30/2007, 15:22:03] - Trying to remove MSEvents Object...
[10/30/2007, 15:22:04] - Terminating Process: IEXPLORE.EXE
[10/30/2007, 15:22:04] - Terminating Process: RUNDLL32.EXE
[10/30/2007, 15:22:04] - Disabling Automatic Shell Restart
[10/30/2007, 15:22:04] - Terminating Process: EXPLORER.EXE
[10/30/2007, 15:22:04] - Suspending the NT Session Manager System Service
[10/30/2007, 15:22:04] - Terminating Windows NT Logon/Logoff Manager
[10/30/2007, 15:22:05] - Re-enabling Automatic Shell Restart
[10/30/2007, 15:22:05] - File to disable: C:\WINDOWS\system32\foxszwud.dll
[10/30/2007, 15:22:05] - Renaming C:\WINDOWS\system32\foxszwud.dll -> C:\WINDOWS\system32\foxszwud.dll.vir
[10/30/2007, 15:22:05] - ! File rename was unsucessful.
[10/30/2007, 15:22:05] - Attempting to Deny Access to C:\WINDOWS\system32\foxszwud.dll
[10/30/2007, 15:22:05] - *** IMPORTANT: Delete/Rename/Move on reboot (like Killbox) MAY NOT work.
[10/30/2007, 15:22:05] - processed file: C:\WINDOWS\system32\foxszwud.dll

[10/30/2007, 15:22:05] - *** IMPORTANT: The file is disabled and will need to be deleted by the user.
[10/30/2007, 15:22:05] - Removing HKLM\...\Browser Helper Objects\{A95B2816-1D7E-4561-A202-68C0DE02353A}
[10/30/2007, 15:22:05] - Removing HKCR\CLSID\{A95B2816-1D7E-4561-A202-68C0DE02353A}
[10/30/2007, 15:22:05] - Adding Kill Bit for ActiveX for GUID: {A95B2816-1D7E-4561-A202-68C0DE02353A}
[10/30/2007, 15:22:05] - Deleting ATLEvents/MSEvents Registry entries
[10/30/2007, 15:22:05] - Removing HKLM\...\Winlogon\Notify\foxszwud
[10/30/2007, 15:22:05] - Searching for Browser Helper Objects:
[10/30/2007, 15:22:05] - BHO 1: {45C2A803-2BF0-4DBA-A496-BDB2B9F0259A} ()
[10/30/2007, 15:22:05] - WARNING: BHO has no default name. Checking for Winlogon reference.
[10/30/2007, 15:22:06] - Checking for HKLM\...\Winlogon\Notify\nnnmn
[10/30/2007, 15:22:06] - Key not found: HKLM\...\Winlogon\Notify\nnnmn, continuing.
[10/30/2007, 15:22:06] - BHO 2: {89AD4D75-2429-462e-BD4E-443F233F6033} ()
[10/30/2007, 15:22:06] - WARNING: BHO has no default name. Checking for Winlogon reference.
[10/30/2007, 15:22:06] - Checking for HKLM\...\Winlogon\Notify\btojdndo
[10/30/2007, 15:22:06] - Key not found: HKLM\...\Winlogon\Notify\btojdndo, continuing.
[10/30/2007, 15:22:06] - Finished Searching Browser Helper Objects
[10/30/2007, 15:22:06] - Finishing up...
[10/30/2007, 15:22:06] - A restart is needed.
[10/30/2007, 15:22:06] - Automatic Reboot on STOP Error is not set. User will have to manually restart.
[10/30/2007, 15:22:13] - Attempting to Restart via STOP error (Blue Screen!)
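
As an added example (not part of the original post, and not code from HijackThis or VirtumundoBeGone), the Python below applies the cross-check that the VirtumundoBeGone log above performs by hand, namely a BHO with no default name whose DLL is also registered as a Winlogon Notify handler, together with the "(file missing)" and Policies\Explorer\Run checks, to HijackThis lines. The sample input is constructed from entries in the HijackThis log above plus two legitimate entries as clean controls.

```python
import re
from collections import defaultdict

# Constructed sample: HijackThis entries copied from the log posted above, plus two
# legitimate entries (Spybot's SDHelper.dll and the Ad-Aware service) as clean controls.
SAMPLE_LOG = r"""
O2 - BHO: {a573bfb3-5804-517b-cc74-70fb6f3cba44} - {44abc3f6-bf07-47cc-b715-40853bfb375a} - C:\WINDOWS\system32\uenqvniq.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - C:\WINDOWS\system32\iavtebmu.dll
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\iavtebmu.dll
O4 - HKLM\..\Policies\Explorer\Run: [SystemManager] C:\WINDOWS\system32\msapp32.exe
O20 - Winlogon Notify: bwhbzbxm - bwhbzbxm.dll (file missing)
O20 - Winlogon Notify: iavtebmu - C:\WINDOWS\SYSTEM32\iavtebmu.dll
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\ysqbsahk.exe (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
"""

GUID_RE = r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}"
ENTRY_RE = re.compile(r"^(O\d+|R\d)\s+-\s+(.*)$")
MODULE_RE = re.compile(r"([\w~]+)\.(?:dll|exe)\b", re.IGNORECASE)


def parse_hjt_line(line):
    """Split one HijackThis line into (section, body, module basename).

    The module is the last .dll/.exe name on the line, lower-cased; None when the
    line is not an Oxx/Rx entry or names no module (e.g. a URL-only R1 line).
    """
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    section, body = m.group(1), m.group(2)
    modules = MODULE_RE.findall(body)
    return section, body, (modules[-1].lower() if modules else None)


def analyze_hjt(text):
    """Return a list of (module, reason) findings for the entries in an HJT log."""
    entries = [e for e in map(parse_hjt_line, text.splitlines()) if e]
    findings = []

    # Index: which load-point sections each module appears in.
    sections_by_module = defaultdict(set)
    for section, _, module in entries:
        if module:
            sections_by_module[module].add(section)
    notify_modules = {m for s, _, m in entries if s == "O20" and m}

    for section, body, module in entries:
        # VirtumundoBeGone's own check: a BHO with no default name whose DLL is also
        # registered under Winlogon\Notify is "probably Virtumundo".
        unnamed = "(no name)" in body or re.match(r"BHO:\s*" + GUID_RE, body) is not None
        if section == "O2" and unnamed:
            findings.append((module, "BHO has no default name"))
            if module in notify_modules:
                findings.append((module, "unnamed BHO also registered as a Winlogon Notify handler (Virtumundo pattern)"))
        # Orphaned Winlogon Notify / service entries whose binary is already gone.
        if section in ("O20", "O23") and "(file missing)" in body:
            findings.append((module, f"{section} entry points at a missing file"))
        # Policies\Explorer\Run is an unusual autorun location for ordinary user software.
        if section == "O4" and "Policies\\Explorer\\Run" in body:
            findings.append((module, "autorun under Policies\\Explorer\\Run"))

    # One module hooked into several IE/Winlogon load points at once.
    for module, sections in sorted(sections_by_module.items()):
        hooks = sections & {"O2", "O3", "O20"}
        if len(hooks) >= 2:
            findings.append((module, "same module in several load points: " + ", ".join(sorted(hooks))))
    return findings


def flagged_modules(text):
    """Set of module basenames that received at least one finding."""
    return {module for module, _ in analyze_hjt(text) if module}


if __name__ == "__main__":
    for module, reason in analyze_hjt(SAMPLE_LOG):
        print(f"{module or '-':<12} {reason}")
```

Run against the sample, the script flags uenqvniq, iavtebmu, bwhbzbxm, ysqbsahk and msapp32 and leaves the Spybot and Ad-Aware entries alone; iavtebmu.dll is the only module that trips the Virtumundo cross-check.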


#2 krylon80

  • Topic Starter
  • Members
  • 4 posts

Posted 05 November 2007 - 11:23 AM

Is there a reason no one has responded to my post, but many who have posted after me have gotten responses already?

#3 teacup61

    Bleepin' Texan!

  • Malware Response Team
  • 17,075 posts
  • Gender: Female
  • Location: Wills Point, Texas

Posted 05 November 2007 - 01:23 PM

Hello krylon80,

Welcome to Bleeping Computer :thumbsup:

1. Download this file - combofix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply please, along with a new HijackThis log.

Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall.

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!



Error reading poptart in Drive A: Delete kids y/n?

#4 krylon80

  • Topic Starter
  • Members
  • 4 posts

Posted 05 November 2007 - 01:40 PM

Thanks Tea,

Here is the ComboFix log:

ComboFix 07-11-05.2 - Marisol Avellaneda 2007-11-05 12:29:18.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.245 [GMT -5:00]
Running from: C:\Documents and Settings\Marisol Avellaneda\Desktop\Virus Stuff\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Marisol Avellaneda\Favorites\Online Security Guide.lnk
C:\WINDOWS\Config\niwpa.bak1
C:\WINDOWS\Config\niwpa.bak2
C:\WINDOWS\Config\niwpa.ini
C:\WINDOWS\Config\niwpa.ini2
C:\WINDOWS\Config\niwpa.tmp
C:\WINDOWS\SYSTEM32\arwcmvad.ini
C:\WINDOWS\system32\bgvqkrid.exe
C:\WINDOWS\system32\bwhbzbxm.dllbox
C:\WINDOWS\system32\davmcwra.dll
C:\WINDOWS\system32\dkaazqpr.dllbox
C:\WINDOWS\system32\drivers\cell_bg.gif
C:\WINDOWS\system32\drivers\cell_footer.gif
C:\WINDOWS\system32\drivers\cell_header_block.gif
C:\WINDOWS\system32\drivers\cell_header_remove.gif
C:\WINDOWS\system32\drivers\fad.sys
C:\WINDOWS\system32\foxszwud.dllbox
C:\WINDOWS\system32\iavtebmu.dllbox
C:\WINDOWS\system32\kikquxrj.exe
C:\WINDOWS\system32\llcyhqen.dll
C:\WINDOWS\SYSTEM32\neqhycll.ini
C:\WINDOWS\system32\nhwmxuan.dll
C:\WINDOWS\SYSTEM32\nmnnn.ini2
C:\WINDOWS\SYSTEM32\nmnnn.tmp
C:\WINDOWS\system32\nnnmn.dll
C:\WINDOWS\system32\pdyemvej.dll
C:\WINDOWS\system32\prvldjug.exe
C:\WINDOWS\system32\uvugenqh.dll
C:\WINDOWS\system32\vwsebqle.exe
C:\WINDOWS\SYSTEM32\vynkkorh.ini
C:\WINDOWS\SYSTEM32\vynkkorh.ini2
C:\WINDOWS\SYSTEM32\vynkkorh.tmp

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_DOMAINSERVICE
-------\DomainService


((((((((((((((((((((((((( Files Created from 2007-10-05 to 2007-11-05 )))))))))))))))))))))))))))))))
.

2007-11-05 12:26 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-11-05 02:58 <DIR> d-------- C:\WINDOWS\ERUNT
2007-11-05 01:04 <DIR> d----c--- C:\VundoFix Backups
2007-11-04 05:30 78,912 --a------ C:\WINDOWS\SYSTEM32\uenqvniq.dll
2007-11-04 05:27 86,080 --a------ C:\WINDOWS\SYSTEM32\qpviomnl.dll
2007-11-02 17:28 82,496 --a------ C:\WINDOWS\SYSTEM32\ymuofric.dll
2007-11-02 15:51 82,496 --a------ C:\WINDOWS\SYSTEM32\jvbugtsj.dll
2007-11-01 09:58 <DIR> d-------- C:\Program Files\Lavasoft
2007-11-01 09:58 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-11-01 09:52 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-10-31 13:07 <DIR> dr-h-c--- C:\MSOCache
2007-10-30 21:45 <DIR> d-------- C:\Documents and Settings\Marisol Avellaneda\Application Data\F-Secure
2007-10-30 21:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\F-Secure
2007-10-30 21:17 <DIR> d-------- C:\Program Files\F-Secure Internet Security
2007-10-30 21:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\fssg
2007-10-30 16:40 5,093,988 --a------ C:\WINDOWS\SYSTEM32\SBSP.dat
2007-10-30 06:52 367 --a------ C:\WINDOWS\SYSTEM32\SBFC.dat
2007-10-26 16:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\logs
2007-10-26 14:51 15,544 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\sbhr.sys
2007-10-26 13:26 <DIR> d-------- C:\Documents and Settings\Marisol Avellaneda\Application Data\Sunbelt Software
2007-10-26 13:26 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Sunbelt Software
2007-10-26 13:22 <DIR> d-------- C:\Program Files\Sunbelt Software
2007-10-24 12:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Macrovision(2)
2007-10-24 11:25 <DIR> d-------- C:\Program Files\E404 Helper
2007-10-24 11:23 <DIR> d-------- C:\WINDOWS\SYSTEM32\fkmdvbtn
2007-10-24 11:23 <DIR> d-------- C:\Program Files\Xitsynfg
2007-10-24 11:23 <DIR> d-------- C:\Program Files\tmlghgnm
2007-10-23 17:45 <DIR> d-------- C:\Documents and Settings\Marisol Avellaneda\Application Data\Sony Setup
2007-10-23 17:44 <DIR> d-------- C:\Program Files\Sony Setup
2007-10-23 17:32 23,176 -ra------ C:\WINDOWS\SYSTEM32\DRIVERS\s616nd5.sys
2007-10-23 17:01 100,360 -ra------ C:\WINDOWS\SYSTEM32\DRIVERS\s616mgmt.sys
2007-10-23 17:01 99,080 -ra------ C:\WINDOWS\SYSTEM32\DRIVERS\s616unic.sys
2007-10-23 17:01 98,568 -ra------ C:\WINDOWS\SYSTEM32\DRIVERS\s616obex.sys
2007-10-23 17:01 11,016 -ra------ C:\WINDOWS\SYSTEM32\DRIVERS\s616cr.sys
2007-10-23 16:54 <DIR> d-------- C:\Documents and Settings\Marisol Avellaneda\Application Data\Teleca
2007-10-23 16:51 108,680 -ra------ C:\WINDOWS\SYSTEM32\DRIVERS\s616mdm.sys
2007-10-23 16:51 83,208 -ra------ C:\WINDOWS\SYSTEM32\DRIVERS\s616bus.sys
2007-10-23 16:51 15,112 -ra------ C:\WINDOWS\SYSTEM32\DRIVERS\s616mdfl.sys
2007-10-23 16:51 12,424 -ra------ C:\WINDOWS\SYSTEM32\DRIVERS\s616whnt.sys
2007-10-23 16:51 12,424 -ra------ C:\WINDOWS\SYSTEM32\DRIVERS\s616wh.sys
2007-10-23 16:51 12,424 -ra------ C:\WINDOWS\SYSTEM32\DRIVERS\s616cmnt.sys
2007-10-23 16:51 12,424 -ra------ C:\WINDOWS\SYSTEM32\DRIVERS\s616cm.sys
2007-10-23 16:47 <DIR> d-------- C:\Documents and Settings\Marisol Avellaneda\Application Data\Sony Ericsson
2007-10-23 16:46 <DIR> d-------- C:\Program Files\Common Files\Teleca Shared
2007-10-17 22:24 <DIR> d-------- C:\Documents and Settings\Marisol Avellaneda\Application Data\SmartFTP
2007-10-17 20:56 <DIR> d-------- C:\Program Files\GoFTP
2007-10-11 20:14 <DIR> d-------- C:\Program Files\Ashampoo

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-04 23:44 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-11-01 18:03 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-10-26 20:15 --------- d-----w C:\Program Files\Olympus
2007-10-26 20:13 --------- d-----w C:\Program Files\MySpace
2007-10-24 18:08 --------- d-----w C:\Program Files\Common Files\Adobe
2007-10-16 21:28 --------- d-----w C:\Documents and Settings\Marisol Avellaneda\Application Data\Skype
2007-10-13 02:44 --------- d-----w C:\Program Files\InterActual
2007-10-12 14:08 --------- d-----w C:\Program Files\Winamp
2007-10-12 13:16 --------- d-----w C:\Documents and Settings\Marisol Avellaneda\Application Data\Viewpoint
2007-10-12 13:16 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2007-10-11 21:18 --------- d-----w C:\Program Files\microsoft frontpage
2007-10-11 20:50 --------- d-----w C:\Program Files\Common Files\Ahead
2007-10-11 19:35 --------- d-----w C:\Program Files\Canon
2007-09-07 10:57 --------- d-----w C:\Program Files\iTunes
2007-09-07 10:56 --------- d-----w C:\Program Files\iPod
2007-08-27 15:26 27,120 ----a-w C:\WINDOWS\SYSTEM32\SBBD.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{44abc3f6-bf07-47cc-b715-40853bfb375a}]
2007-11-04 05:30 78912 --a------ C:\WINDOWS\system32\uenqvniq.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2003-05-02 18:21]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2003-05-02 18:15]
"VSOCheckTask"="c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" []
"SBCSTray"="C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe" [2007-08-27 11:09]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56]

C:\Documents and Settings\Marisol Avellaneda\Start Menu\Programs\Startup\
Notmad Manager.lnk - C:\Program Files\Red Chair Software\Notmad Explorer\notmgr.exe [2005-12-03 18:19:42]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\bwhbzbxm]
bwhbzbxm.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\dkaazqpr]
dkaazqpr.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winyqq32]
winyqq32.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\nnnmn.dll

R0 SBHR;SBHR;C:\WINDOWS\system32\drivers\sbhr.sys
R3 SBAPIFS;SBAPIFS;\??\C:\WINDOWS\system32\drivers\sbapifs.sys
R3 StreamSurge;StreamSurge Driver (miniport);C:\WINDOWS\system32\DRIVERS\ss.sys
S3 {5C8B2B62-A385-11d5-A78B-00104B672758};AIM 3.0 Part 01 Codec Driver CH-7017-A;C:\WINDOWS\system32\drivers\A311.sys
S3 {5C8B2B65-A385-11d5-A78B-00104B672758};AIM 3.0 Part 01 Codec Driver CH-7017-B;C:\WINDOWS\system32\drivers\A310.sys
S3 F;F;C:\DOCUME~1\MARISO~1\LOCALS~1\Temp\F.exe
S3 LSWPCv4;Wireless-B Notebook Adapter Driver;C:\WINDOWS\system32\DRIVERS\LSRTNDS.SYS
S3 NaiFiltr;NaiFiltr;C:\WINDOWS\system32\DRIVERS\NaiFiltr.sys
S3 PNDIS5;PNDIS5 NDIS Protocol Driver;\??\D:\PNDIS5.SYS
S3 s616bus;Sony Ericsson Device 616 driver (WDM);C:\WINDOWS\system32\DRIVERS\s616bus.sys
S3 s616mdfl;Sony Ericsson Device 616 USB WMC Modem Filter;C:\WINDOWS\system32\DRIVERS\s616mdfl.sys
S3 s616mdm;Sony Ericsson Device 616 USB WMC Modem Driver;C:\WINDOWS\system32\DRIVERS\s616mdm.sys
S3 s616mgmt;Sony Ericsson Device 616 USB WMC Device Management Drivers (WDM);C:\WINDOWS\system32\DRIVERS\s616mgmt.sys
S3 s616nd5;Sony Ericsson Device 616 USB Ethernet Emulation SEMC616 (NDIS);C:\WINDOWS\system32\DRIVERS\s616nd5.sys
S3 s616obex;Sony Ericsson Device 616 USB WMC OBEX Interface;C:\WINDOWS\system32\DRIVERS\s616obex.sys
S3 s616unic;Sony Ericsson Device 616 USB Ethernet Emulation SEMC616 (WDM);C:\WINDOWS\system32\DRIVERS\s616unic.sys
S3 VNUSB;VN Series Device;C:\WINDOWS\system32\DRIVERS\VNUSB.sys

*Newly Created Service* - SBAPIFS
.
Contents of the 'Scheduled Tasks' folder
"2007-09-18 14:59:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-05 12:42:32
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-05 12:43:32 - machine was rebooted
.
--- E O F ---


Here is my most recent HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:28:50 PM, on 11/5/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Red Chair Software\Notmad Explorer\notmgr.exe
C:\Documents and Settings\Marisol Avellaneda\Desktop\Virus Stuff\dss.exe
C:\DOCUME~1\MARISO~1\Desktop\VIRUSS~1\Marisol Avellaneda.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.boston.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O2 - BHO: {a573bfb3-5804-517b-cc74-70fb6f3cba44} - {44abc3f6-bf07-47cc-b715-40853bfb375a} - C:\WINDOWS\system32\uenqvniq.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [SBCSTray] C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Notmad Manager.lnk = C:\Program Files\Red Chair Software\Notmad Explorer\notmgr.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: bwhbzbxm - bwhbzbxm.dll (file missing)
O20 - Winlogon Notify: dkaazqpr - dkaazqpr.dll (file missing)
O20 - Winlogon Notify: winyqq32 - winyqq32.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe (file missing)
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Unknown owner - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe (file missing)
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe (file missing)
O23 - Service: Pml Driver HPZ12 - Unknown owner - C:\WINDOWS\system32\HPZipm12.exe (file missing)
O23 - Service: Sunbelt CounterSpy Antispyware (SBCSSvc) - Sunbelt Software - C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
O24 - Desktop Component 0: (no name) - http://www.farnesegallery.com/images/Fireplaces04.jpg

--
End of file - 4589 bytes

#5 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:01:05 PM

Posted 05 November 2007 - 02:56 PM

Hello,

I'm wondering about your McAfee. I see services running, but nothing in running processes. Is it current?

Please run HijackThis! and click "Scan." Place checks next to the following entries, if present:

O2 - BHO: {a573bfb3-5804-517b-cc74-70fb6f3cba44} - {44abc3f6-bf07-47cc-b715-40853bfb375a} - C:\WINDOWS\system32\uenqvniq.dll
O20 - Winlogon Notify: bwhbzbxm - bwhbzbxm.dll (file missing)
O20 - Winlogon Notify: dkaazqpr - dkaazqpr.dll (file missing)
O20 - Winlogon Notify: winyqq32 - winyqq32.dll (file missing)
O24 - Desktop Component 0: (no name) - http://www.farnesegallery.com/images/Fireplaces04.jpg


Close all browsers and other windows except for HijackThis!, and click "Fix checked".

Delete the following file:

C:\WINDOWS\system32\uenqvniq.dll

Go to start -> control panel -> Display properties -> Desktop -> Customize Desktop... -> Web tab, then uncheck and delete everything you find in there (except for "My current home page").

Also remove the checkmark from the Lock Desktop Items box if it is checked.
Apply.
Apply and Exit Display properties.

Please download and run Bit Defender 8 online scanner
  • Install the program and then follow the prompts to download all available updates.
  • Select Antivirus and then click the Settings button. Click Default. Click Ok.
  • Select Local Drives and click Scan.
  • When the scan is complete save the log and post it back here in your next reply.
Could I please see an uninstall list?

Open HijackThis, click Config, click Misc Tools
Click "Open Uninstall Manager"
Click "Save List" (generates uninstall_list.txt)
Click Save, copy and paste the results in your next post.

Please also let me know how it's running now.

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!



Error reading poptart in Drive A: Delete kids y/n?
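A small triage helper, added here as an illustration and not part of the thread or of HijackThis itself: it parses lines in the HJT log format quoted above and flags the same kinds of entries the helper asked to have fixed (a BHO whose display name is a CLSID rather than a product name, Winlogon Notify entries whose DLL is missing, and a desktop web component pulling remote content). The sample lines are constructed from the entries shown in this thread.

```python
import re

# Constructed sample lines in HijackThis v2 log format, modelled on the
# entries singled out in this thread plus two benign ones for contrast.
SAMPLE_LOG = r"""
O2 - BHO: {a573bfb3-5804-517b-cc74-70fb6f3cba44} - {44abc3f6-bf07-47cc-b715-40853bfb375a} - C:\WINDOWS\system32\uenqvniq.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O20 - Winlogon Notify: bwhbzbxm - bwhbzbxm.dll (file missing)
O23 - Service: Sunbelt CounterSpy Antispyware (SBCSSvc) - Sunbelt Software - C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
O24 - Desktop Component 0: (no name) - http://www.farnesegallery.com/images/Fireplaces04.jpg
"""

ENTRY_RE = re.compile(r"^(?P<code>[RFO]\d+) - (?P<body>.+)$")
# A CLSID-shaped string: 8-4-4-4-12 hex digits inside braces.
GUID_RE = re.compile(r"^\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$", re.I)

def parse_entry(line):
    """Split one HijackThis line into its section code (R0, O2, ...) and body."""
    m = ENTRY_RE.match(line.strip())
    return (m.group("code"), m.group("body")) if m else None

def review_entry(code, body):
    """Return the reasons an entry deserves manual review (empty list if none)."""
    reasons = []
    if code == "O2" and body.startswith("BHO: "):
        # Body is "BHO: <display name> - <CLSID> - <dll path>"; a legitimate BHO
        # normally carries a product name, not a second CLSID, as its name.
        name = body[len("BHO: "):].split(" - ")[0]
        if GUID_RE.match(name) or name == "(no name)":
            reasons.append("BHO has no readable display name")
    if code == "O20" and "(file missing)" in body:
        reasons.append("Winlogon Notify entry points to a DLL that no longer exists")
    if code == "O23" and "(file missing)" in body:
        reasons.append("service binary missing; confirm the product is still installed")
    if code == "O24" and re.search(r"https?://", body):
        reasons.append("desktop web component loads remote content")
    return reasons

def review_log(text):
    """Return [(raw line, reasons)] for every entry that raised at least one reason."""
    flagged = []
    for line in text.splitlines():
        parsed = parse_entry(line)
        if parsed:
            reasons = review_entry(*parsed)
            if reasons:
                flagged.append((line.strip(), reasons))
    return flagged

if __name__ == "__main__":
    for raw, reasons in review_log(SAMPLE_LOG):
        print(raw, "->", "; ".join(reasons))
```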

#6 krylon80

krylon80
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  • Local time:01:05 PM

Posted 05 November 2007 - 11:26 PM

OK, the McAfee files are outdated and more-or-less non-functioning and can be deleted.

I wasn't able to delete C:\WINDOWS\system32\uenqvniq.dll

I ran Bitdefender, here's the log:


//-----------------------------------------------------------------
//
// Product BitDefender Free Edition v10
// Product 10.2
//
// Created on: 05/11/2007 23:42:12
//
//-----------------------------------------------------------------


Virus Statistics

Scan path : C:\
Folders : 5117
Files : 27192
Memory processes scanned : 8
Archives : 7
Runtime packers : 2376
Identified viruses : 0
Infected files : 0
Memory processes infected : 0
Suspect files : 1
Warnings : 0
Disinfected files : 0
Deleted files : 1
Moved files : 0
I/O errors : 7
Scan time : 00:35:21
Scan speed (files/sec) : 12

Spyware Statistics

Registry keys scanned : 1769
Registry keys infected : 1
Cookies scanned : 0
Cookies infected : 0
Spyware files infected : 0
Spyware threats detected : 1


Virus definitions : 553501
Scan plugins : 16
Archive plugins : 41
Unpack plugins : 6
Mail plugins : 6
System plugins : 5

Virus scan options

Detection
[X] Scan boot sectors
[X] Memory Processes
[ ] Scan archives
[X] Scan runtime packers
[X] Scan email

File mask
[X] Programs
[ ] All files
[ ] User defined extensions:
[ ] Exclude extensions: ;

Action

Infected objects
[ ] Ignore
[X] Disinfect
[ ] Delete
[ ] Move to quarantine
[ ] Prompt user

Second action
[ ] Ignore
[ ] Delete
[X] Move to quarantine
[ ] Prompt user

Virus scan options
[X] Enable warnings
[ ] Enable heuristics
[ ] Show all files in log
[X] Report file: C:\Documents and Settings\All Users\Application Data\Bitdefender\Desktop\Profiles\Logs\full_scan\1194324132.log

Spyware scan options

[X] Scan for riskware
[ ] Skip dial and applications from scan
[X] Registry keys
[X] Cookies


Summary:

<System>=>HKEY_LOCAL_MACHINE\SOFTWARE\MAGNET Detected: magne3t
<System>=>HKEY_LOCAL_MACHINE\SOFTWARE\MAGNET Deleted
<System> Archive repacking successfully completed (actions successfully applied)


Hijack This Uninstall List:

Ad-Aware 2007
Adobe Atmosphere Player for Acrobat and Adobe Reader
Adobe Flash Player 9 ActiveX
Adobe Flash Player Plugin
Adobe Reader 7.0.8
Adobe SVG Viewer 3.0
AOL Instant Messenger
Apple Software Update
BCM V.92 56K Modem
Belarc Advisor 7.2
BitDefender Free Edition v10
Broadcom Advanced Control Suite
Canon G.726 WMP-Decoder
Creative Jukebox Driver
Creative NOMAD Jukebox Zen Xtra
Creative System Information
DVDSentry
FileZilla (remove only)
Flickr Uploadr 2.3
HijackThis 2.0.2
Intel® Extreme Graphics Driver
InterActual Player
Internet Explorer Default Page
InterVideo WinDVD
iTunes
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB886903)
Microsoft .NET Framework 2.0
Microsoft Office 2000 Premium
Microsoft Office Basic Edition 2003
Microsoft Office Professional Edition 2003
Microsoft Visual C++ 2005 Redistributable
MIMO XR Cardbus Adapter
Modem Helper
Mozilla Firefox (2.0.0.9)
Nero 7 Premium
Notmad Explorer (remove only)
QuickTime
RealPlayer
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Windows XP (KB883939)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899588)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB903235)
Skype 3.0
Skype Plugin Manager
Spybot - Search & Destroy
Synaptics Pointing Device Driver
Update for Windows XP (KB894391)
Update for Windows XP (KB896727)
Update for Windows XP (KB898461)
Winamp (remove only)
Windows Installer 3.1 (KB893803)
Windows Installer 3.1 (KB893803)
Windows Live Messenger
Windows XP Hotfix - KB834707
Windows XP Hotfix - KB867282
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890047
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB890923
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893066
Windows XP Hotfix - KB893086
Windows XP Service Pack 2
WinRAR archiver
Yahoo! Messenger

It's running well, but I still have not connected to the internet since I started this process, and that is typically when things go wrong anyhow, so that's the true test.

#7 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:01:05 PM

Posted 06 November 2007 - 08:26 AM

You're being helped here : http://gladiator-antivirus.com/forum/index...mp;#entry187730

This wastes our time and can get confusing. :thumbsup:

This thread is closed.
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!



Error reading poptart in Drive A: Delete kids y/n?



