Infected By Several Viruses Including Virtumonde


5 replies to this topic

#1 MiNdWaRp

Posted 27 November 2007 - 01:03 PM

Hi there!

I've been cursed with infection of several viruses that don't seem to want to go away with any tool I run. I've run all of the antiviruses listed in the walkthrough for posting my HijackThis log and I still get those pop-ups from NOD32. Here's a list of viruses that are mentioned every time I boot by NOD32:

Win32/BHO.G trojan
Win32/Adware.Ezula
Win32/Adware.Virtumonde
Win32/Adware.SecToolbar
Win32/TrojanDownloader.Tiny.ID
BHO - C:\WINDOWS\system32\mllmj.dll

I would very much like some help in removing these as I'm at a total loss at this point.

Here's my HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:03:34 PM, on 27/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\Ati2evxx.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\PROGRA~1\COMMON~1\Stardock\SDMCP.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\VMware\VMware Workstation\vmware-tray.exe
C:\Program Files\VMware\VMware Workstation\hqtray.exe
C:\Program Files\Eset\nod32kui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\OpenOffice.org 2.2\program\soffice.exe
C:\Program Files\OpenOffice.org 2.2\program\soffice.BIN
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
C:\WINDOWS\system32\vmnat.exe
C:\WINDOWS\system32\vmnetdhcp.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://cstech/support/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [vmware-tray] C:\Program Files\VMware\VMware Workstation\vmware-tray.exe
O4 - HKLM\..\Run: [VMware hqtray] "C:\Program Files\VMware\VMware Workstation\hqtray.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [igndlm.exe] "C:\Program Files\Download Manager\DLM.exe" /windowsstart /startifwork
O4 - HKCU\..\Run: [SpybotSD TeaTimer] "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nltide3] cmd.exe /C rundll32 advpack.dll,LaunchINFSection nLite.inf,C (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nltide3] cmd.exe /C rundll32 advpack.dll,LaunchINFSection nLite.inf,C (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide3] cmd.exe /C rundll32 advpack.dll,LaunchINFSection nLite.inf,C (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide3] cmd.exe /C rundll32 advpack.dll,LaunchINFSection nLite.inf,C (User 'Default user')
O4 - Startup: OpenOffice.org 2.2.lnk = C:\Program Files\OpenOffice.org 2.2\program\quickstart.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Startup: Stardock ObjectDock.lnk = C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = ottawa.ad.algonquincollege.com,algonquincollege.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = ottawa.ad.algonquincollege.com,algonquincollege.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = ottawa.ad.algonquincollege.com,algonquincollege.com
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset  - C:\Program Files\Eset\nod32krn.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe (file missing)
O23 - Service: VMware Agent Service (ufad-ws60) - VMware, Inc. - C:\Program Files\VMware\VMware Workstation\vmware-ufad.exe
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\system32\vmnetdhcp.exe
O23 - Service: VMware Virtual Mount Manager Extended (vmount2) - VMware, Inc. - C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\system32\vmnat.exe

--
End of file - 7399 bytes


#2 teacup61

  • Malware Response Team

Posted 09 December 2007 - 11:06 AM

Hello MiNdWaRp,

Welcome to Bleeping Computer :thumbsup:

Sorry about the delay.:blink: If you still need help, please post a new HijackThis log to make sure nothing has changed, and I'll be happy to look at it for you.

Thanks,
tea

#3 MiNdWaRp

Posted 13 December 2007 - 12:32 PM

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:31:20 PM, on 13/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\SYSTEM32\Ati2evxx.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\Stardock\SDMCP.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\VMware\VMware Workstation\vmware-tray.exe
C:\Program Files\VMware\VMware Workstation\hqtray.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\OpenOffice.org 2.2\program\soffice.exe
C:\Program Files\OpenOffice.org 2.2\program\soffice.BIN
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
C:\WINDOWS\system32\vmnat.exe
C:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
C:\WINDOWS\system32\vmnetdhcp.exe
C:\Program Files\BitDefender\BitDefender 2008\vsserv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HijackThis\HijackThis.exe
C:\WINDOWS\SoftwareDistribution\Download\304c19f1612f37ffa8967147d3cb7464\update\update.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://cstech/support/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: (no name) - {00289E49-5636-4823-A902-5F13B70167E1} - C:\WINDOWS\system32\mllmj.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0CB2A20B-1952-4ABE-B41D-0AEF5C0EE9FC} - (no file)
O2 - BHO: (no name) - {12718615-07E3-41CA-9051-7950EFDB135E} - (no file)
O2 - BHO: (no name) - {34A1B8B4-9210-47E5-B453-6D6F91F901F4} - (no file)
O2 - BHO: (no name) - {46854806-9F33-45B3-A8D1-A4A8A7D5806E} - (no file)
O2 - BHO: (no name) - {49C15E57-B3BD-4B1D-83D3-55485022430C} - (no file)
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - (no file)
O2 - BHO: (no name) - {AB99CCDB-260A-40EB-8949-42BEBA30DE6A} - (no file)
O2 - BHO: (no name) - {CF8A1F37-A4D3-4257-A554-C3945303AD7F} - (no file)
O2 - BHO: (no name) - {ECBE7A11-F70C-4A5B-AAF6-2CDBDD17FE8A} - (no file)
O2 - BHO: (no name) - {FF1B1D96-4524-480B-B66A-ECB039F53884} - (no file)
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - (no file)
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [vmware-tray] C:\Program Files\VMware\VMware Workstation\vmware-tray.exe
O4 - HKLM\..\Run: [VMware hqtray] "C:\Program Files\VMware\VMware Workstation\hqtray.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [BitDefender Antiphishing Helper] "C:\Program Files\BitDefender\BitDefender 2008\IEShow.exe"
O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe"
O4 - HKLM\..\RunOnce: [DAP Cleanup] "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\DAPREMOVE.EXE" /CLEANUP /DIR="C:\PROGRA~1\DAP"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [igndlm.exe] "C:\Program Files\Download Manager\DLM.exe" /windowsstart /startifwork
O4 - HKCU\..\Run: [SpybotSD TeaTimer] "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nltide3] cmd.exe /C rundll32 advpack.dll,LaunchINFSection nLite.inf,C (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nltide3] cmd.exe /C rundll32 advpack.dll,LaunchINFSection nLite.inf,C (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide3] cmd.exe /C rundll32 advpack.dll,LaunchINFSection nLite.inf,C (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide3] cmd.exe /C rundll32 advpack.dll,LaunchINFSection nLite.inf,C (User 'Default user')
O4 - Startup: OpenOffice.org 2.2.lnk = C:\Program Files\OpenOffice.org 2.2\program\quickstart.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Startup: Stardock ObjectDock.lnk = C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = ottawa.ad.algonquincollege.com,algonquincollege.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = ottawa.ad.algonquincollege.com,algonquincollege.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = ottawa.ad.algonquincollege.com,algonquincollege.com
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: iiffedd - iiffedd.dll (file missing)
O20 - Winlogon Notify: izhusttn - izhusttn.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\afutfohf.exe (file missing)
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - BitDefender S.R.L. - C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
O23 - Service: lmab_device - Lexmark International, Inc. - C:\WINDOWS\system32\LMabcoms.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe (file missing)
O23 - Service: VMware Agent Service (ufad-ws60) - VMware, Inc. - C:\Program Files\VMware\VMware Workstation\vmware-ufad.exe
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\system32\vmnetdhcp.exe
O23 - Service: VMware Virtual Mount Manager Extended (vmount2) - VMware, Inc. - C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\system32\vmnat.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - BitDefender S.R.L. - C:\Program Files\BitDefender\BitDefender 2008\vsserv.exe
O23 - Service: BitDefender Communicator (XCOMM) - BitDefender - C:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe

--
End of file - 10099 bytes


#4 teacup61

  • Malware Response Team

Posted 13 December 2007 - 01:00 PM

Hello,

Please run HijackThis! and click "Scan." Place checks next to the following entries, if present:

O2 - BHO: (no name) - {00289E49-5636-4823-A902-5F13B70167E1} - C:\WINDOWS\system32\mllmj.dll
O2 - BHO: (no name) - {0CB2A20B-1952-4ABE-B41D-0AEF5C0EE9FC} - (no file)
O2 - BHO: (no name) - {12718615-07E3-41CA-9051-7950EFDB135E} - (no file)
O2 - BHO: (no name) - {34A1B8B4-9210-47E5-B453-6D6F91F901F4} - (no file)
O2 - BHO: (no name) - {46854806-9F33-45B3-A8D1-A4A8A7D5806E} - (no file)
O2 - BHO: (no name) - {49C15E57-B3BD-4B1D-83D3-55485022430C} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - (no file)
O2 - BHO: (no name) - {AB99CCDB-260A-40EB-8949-42BEBA30DE6A} - (no file)
O2 - BHO: (no name) - {CF8A1F37-A4D3-4257-A554-C3945303AD7F} - (no file)
O2 - BHO: (no name) - {ECBE7A11-F70C-4A5B-AAF6-2CDBDD17FE8A} - (no file)
O2 - BHO: (no name) - {FF1B1D96-4524-480B-B66A-ECB039F53884} - (no file)
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - (no file)
O20 - Winlogon Notify: iiffedd - iiffedd.dll (file missing)
O20 - Winlogon Notify: izhusttn - izhusttn.dll (file missing)
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\afutfohf.exe (file missing)
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe (file missing)


Close all browsers and other windows except for HijackThis!, and click "Fix checked".

1. Download this file - combofix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply please, along with a new HijackThis log.

Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall.

Thanks,
tea
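The entries tea picked out follow a pattern a responder applies by eye: unnamed BHOs, a toolbar whose file is gone, Winlogon Notify handlers and unknown-owner services whose binaries are missing. Here is a small Python triage, added as an example (not code from the thread, from HijackThis or from the responder), that applies exactly those four rules to a handful of lines copied from the log above and leaves the legitimate entries alone; the rule set is an assumption reconstructed from the fix list, nothing more.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Sample input: lines copied from the second HijackThis log in this thread,
# deliberately mixed with entries the responder left alone so the filter
# has something to reject.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {00289E49-5636-4823-A902-5F13B70167E1} - C:\WINDOWS\system32\mllmj.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0CB2A20B-1952-4ABE-B41D-0AEF5C0EE9FC} - (no file)
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - (no file)
O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe"
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: iiffedd - iiffedd.dll (file missing)
O20 - Winlogon Notify: izhusttn - izhusttn.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\afutfohf.exe (file missing)
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe (file missing)
"""

# Every HijackThis line starts with a section code (R0, O2, O23, ...) and " - ".
LINE_RE = re.compile(r"^(O\d+|R\d|F\d|N\d) - (.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")


@dataclass
class Finding:
    section: str
    line: str
    reason: str


def clsid_of(line: str) -> Optional[str]:
    """Return the {GUID} of an O2/O3/O9 entry, or None if the line has none."""
    m = CLSID_RE.search(line)
    return m.group(0) if m else None


def classify(line: str) -> Optional[str]:
    """Apply the four triage rules; return a reason string or None.

    The rules are an assumption reconstructed from the responder's fix list:
    an unnamed BHO is queued whether or not its DLL is still on disk (the
    mllmj.dll entry was), the others only when the backing file is gone.
    """
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    section, body = m.groups()
    if section == "O2" and body.startswith("BHO: (no name)"):
        return "unnamed BHO"
    if section == "O3" and body.endswith("(no file)"):
        return "toolbar whose file is missing"
    if section == "O20" and body.endswith("(file missing)"):
        return "Winlogon Notify handler whose DLL is missing"
    if section == "O23" and "Unknown owner" in body and body.endswith("(file missing)"):
        return "unknown-owner service whose binary is missing"
    return None


def triage(log_text: str) -> List[Finding]:
    """Run classify() over every non-empty line and collect the hits in order."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        reason = classify(line)
        if reason:
            findings.append(Finding(LINE_RE.match(line).group(1), line, reason))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}: {f.line}")
```

On the sample above the filter flags seven entries and rejects the six legitimate ones, including the unknown-owner ATI service whose binary is present.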

#5 MiNdWaRp

Posted 13 December 2007 - 01:26 PM

ComboFix 07-12-12.3 - Administrator 2007-12-13 13:18:09.1 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.2396 [GMT -5:00]
Running from: D:\Programs\ComboFix.exe
 * Created a new restore point
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Administrator\Favorites\Online Security Guide.lnk
C:\WINDOWS\system32\1_exception.nls
C:\WINDOWS\system32\izhusttn.dllbox
C:\WINDOWS\system32\jmllm.ini
C:\WINDOWS\system32\jmllm.ini2
C:\WINDOWS\system32\jmllm.tmp
C:\WINDOWS\system32\kxwplqui.dll
C:\WINDOWS\system32\mrvgnogv.dll
C:\WINDOWS\system32\wtbittgn.dll
C:\WINDOWS\system32\ywjpqadd.dll

.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_CORE
-------\LEGACY_DOMAINSERVICE
-------\LEGACY_NTMLSVC
-------\LEGACY_RUNTIME
-------\LEGACY_RUNTIME2
-------\DomainService
-------\NtmlSvc


(((((((((((((((((((((((((   Files Created from 2007-11-13 to 2007-12-13  )))))))))))))))))))))))))))))))
.

2007-11-30 17:31 . 2007-11-30 17:31	<DIR>	d--------	C:\WINDOWS\system32\AT
2007-11-30 15:37 . 2007-11-30 15:50	1,156	--a------	C:\WINDOWS\system32\LexFiles.usr
2007-11-30 15:36 . 2007-11-30 15:36	<DIR>	d--------	C:\Program Files\Lexmark_HostCD
2007-11-30 15:36 . 2007-11-30 15:36	<DIR>	d--------	C:\Program Files\Lexmark
2007-11-30 15:33 . 2007-11-30 15:33	<DIR>	d--------	C:\lexmark
2007-11-30 15:17 . 2007-11-30 15:17	294	--ahs----	C:\WINDOWS\system32\tfxckkfm.ini
2007-11-29 18:45 . 2007-12-13 13:21	121	--a------	C:\WINDOWS\bdagent.INI
2007-11-29 18:32 . 2007-11-29 18:32	<DIR>	d--------	C:\Documents and Settings\Administrator\Application Data\BitDefender
2007-11-29 18:30 . 2007-11-29 18:30	<DIR>	d--------	C:\Program Files\BitDefender
2007-11-29 18:27 . 2007-11-29 18:30	<DIR>	d--------	C:\Program Files\Common Files\BitDefender
2007-11-29 16:25 . 2007-11-29 16:25	789,659	--ahs----	C:\WINDOWS\system32\uhoqubsi.ini
2007-11-29 15:49 . 2007-11-29 18:28	81,984	--a------	C:\WINDOWS\system32\bdod.bin
2007-11-29 15:46 . 2007-11-29 18:51	<DIR>	d--------	C:\Documents and Settings\All Users\Application Data\BitDefender
2007-11-29 15:27 . 2007-11-29 15:27	789,659	--ahs----	C:\WINDOWS\system32\rnxubjiv.ini
2007-11-27 13:48 . 2007-11-27 13:48	<DIR>	d--------	C:\Program Files\Windows Media Connect 2
2007-11-27 13:45 . 2007-11-27 13:58	<DIR>	d--------	C:\WINDOWS\system32\drivers\UMDF
2007-11-27 11:43 . 2007-11-27 11:44	<DIR>	d--------	C:\WINDOWS\BDOSCAN8
2007-11-27 11:11 . 2007-11-27 11:36	<DIR>	d--------	C:\WINDOWS\system32\ActiveScan
2007-11-27 11:11 . 2007-11-27 11:11	30,590	--a------	C:\WINDOWS\system32\pavas.ico
2007-11-27 11:11 . 2007-11-27 11:11	2,550	--a------	C:\WINDOWS\system32\Uninstall.ico
2007-11-27 11:11 . 2007-11-27 11:11	1,406	--a------	C:\WINDOWS\system32\Help.ico
2007-11-26 11:13 . 2007-11-26 11:13	552	--a------	C:\WINDOWS\system32\d3d8caps.dat
2007-11-26 10:57 . 2007-11-27 11:32	<DIR>	d--------	C:\Program Files\SUPERAntiSpyware
2007-11-26 10:57 . 2007-11-26 10:57	<DIR>	d--------	C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-11-26 10:57 . 2007-11-26 10:57	<DIR>	d--------	C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com
2007-11-23 14:36 . 2007-11-27 11:08	<DIR>	d--------	C:\Documents and Settings\Administrator\.housecall6.6
2007-11-23 14:36 . 2007-11-23 14:36	102,664	--a------	C:\WINDOWS\system32\drivers\tmcomm.sys
2007-11-15 09:39 . 2007-11-15 09:48	<DIR>	d--------	C:\WINDOWS\system32\NtmsData
2007-11-15 09:33 . 2007-11-15 09:33	671,076	--ahs----	C:\WINDOWS\system32\hvrhtcix.ini

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-13 18:23	---------	d-----w	C:\Documents and Settings\Administrator\Application Data\VMware
2007-12-13 18:23	---------	d-----w	C:\Documents and Settings\Administrator\Application Data\OpenOffice.org2
2007-12-13 18:14	---------	d-----w	C:\Documents and Settings\LocalService\Application Data\VMware
2007-12-13 18:14	---------	d-----w	C:\Documents and Settings\All Users\Application Data\VMware
2007-11-29 23:33	87,952	------w	C:\WINDOWS\system32\drivers\bdfndisf.sys
2007-11-29 23:33	77,824	----a-w	C:\WINDOWS\system32\xcomm.dll
2007-11-27 16:32	---------	d-----w	C:\Program Files\SpywareGuard
2007-11-27 16:30	---------	d-----w	C:\Program Files\MSN Messenger
2007-11-27 16:30	---------	d-----w	C:\Program Files\Messenger Plus! Live
2007-11-27 16:28	---------	d-----w	C:\Program Files\Common Files\Stardock
2007-11-26 15:57	---------	d-----w	C:\Program Files\Common Files\Wise Installation Wizard
2007-11-13 10:25	20,480	----a-w	C:\WINDOWS\system32\drivers\secdrv.sys
2007-11-05 12:54	---------	d-----w	C:\Program Files\Java
2007-11-05 12:48	---------	d---a-w	C:\Documents and Settings\All Users\Application Data\TEMP
2007-11-01 14:47	---------	d-----w	C:\Documents and Settings\Administrator\Application Data\uTorrent
2007-11-01 13:33	---------	d-----w	C:\Program Files\UnH Solutions
2007-11-01 13:33	---------	d-----w	C:\Documents and Settings\Administrator\Application Data\UnH Solutions
2007-10-30 15:04	---------	d-----w	C:\Documents and Settings\All Users\Application Data\Messenger Plus!
2007-10-30 15:02	---------	d-----w	C:\Program Files\Windows Live
2007-10-30 14:42	---------	d-----w	C:\Program Files\Lavasoft
2007-10-30 14:42	---------	d-----w	C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-10-29 22:43	1,287,680	----a-w	C:\WINDOWS\system32\quartz.dll
2007-10-29 18:22	---------	d-----w	C:\Program Files\Common Files\Thraex Software
2007-10-29 17:40	---------	d-----w	C:\Program Files\SpywareBlaster
2007-10-29 16:50	---------	d-----w	C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-10-29 15:27	304,224	------w	C:\WINDOWS\system32\mllmj.dll
2007-10-29 15:22	---------	d-----w	C:\Program Files\Common Files\SWF Studio
2007-10-29 15:20	---------	d--h--w	C:\Program Files\InstallShield Installation Information
2007-10-29 15:20	---------	d-----w	C:\Program Files\Common Files\Panda Software
2007-10-29 15:17	---------	d-----w	C:\Documents and Settings\All Users\Application Data\Eset
2007-10-27 22:40	222,720	----a-w	C:\WINDOWS\system32\wmasf.dll
2007-10-25 15:26	53,248	----a-w	C:\WINDOWS\bdoscandel.exe
2007-10-22 12:00	---------	d-----w	C:\Program Files\Apple Software Update
2007-10-22 12:00	---------	d-----w	C:\Documents and Settings\All Users\Application Data\Apple
2007-10-03 14:37	103,736	----a-w	C:\WINDOWS\system32\PnkBstrB.exe
2006-06-23 06:48	32,768	-c--a-r	C:\WINDOWS\inf\UpdateUSB.exe
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8E6927DE-72BA-4EEA-AA92-08BA0E99259E}]
2007-10-29 10:27	304224	---------	C:\WINDOWS\system32\mllmj.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 23:56]
"igndlm.exe"="C:\Program Files\Download Manager\DLM.exe" [2007-03-05 16:57]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 15:46]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2006-12-17 11:00 C:\WINDOWS\RTHDCPL.exe]
"SkyTel"="SkyTel.EXE" [2006-05-15 11:00 C:\WINDOWS\SkyTel.exe]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]
"vmware-tray"="C:\Program Files\VMware\VMware Workstation\vmware-tray.exe" [2007-05-01 21:52]
"VMware hqtray"="C:\Program Files\VMware\VMware Workstation\hqtray.exe" [2007-05-01 21:52]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 18:51]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-06-29 05:24]
"BitDefender Antiphishing Helper"="C:\Program Files\BitDefender\BitDefender 2008\IEShow.exe" [2007-10-09 15:46]
"BDAgent"="C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe" [2007-11-29 18:33]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-03 23:56]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nltide3"="cmd.exe" [2004-08-03 23:56 C:\WINDOWS\system32\cmd.exe]

C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\
OpenOffice.org 2.2.lnk - C:\Program Files\OpenOffice.org 2.2\program\quickstart.exe [2007-02-02 16:54:56]
SpywareGuard.lnk - C:\Program Files\SpywareGuard\sgmain.exe [2003-08-29 18:05:35]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableCAD"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMMyPictures"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSMMyPictures"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\MCPClient]
C:\PROGRA~1\COMMON~1\Stardock\mcpstub.dll 2005-01-31 14:13 49152 C:\PROGRA~1\COMMON~1\Stardock\MCPStub.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages	REG_MULTI_SZ   	msv1_0 C:\WINDOWS\system32\mllmj.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bdx	REG_MULTI_SZ   	scan

.
Contents of the 'Scheduled Tasks' folder
"2007-10-22 12:00:29 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-11-15 14:53:35 C:\WINDOWS\Tasks\Sys32-bkup.job"
- C:\WINDOWS\SYSTEM32\ntbackup.exejbackup 
.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-13 13:23:18
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ... 

scanning hidden autostart entries ...

scanning hidden files ... 

scan completed successfully 
hidden files: 0 

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\bdfsfltr]
"ImagePath"=hex:73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,44,00,52,\
.
--------------------- DLLs Loaded Under Running Processes --------------------- 

PROCESS: C:\WINDOWS\system32\lsass.exe [5.01.2600.2180]
-> C:\WINDOWS\system32\mllmj.dll

PROCESS: C:\WINDOWS\Explorer.EXE [6.00.2900.3156]
-> C:\WINDOWS\system32\mllmj.dll
.
Completion time: 2007-12-13 13:24:04 - machine was rebooted
.
2007-12-13 17:51:16	--- E O F ---


#6 teacup61

  • Malware Response Team

Posted 13 December 2007 - 02:34 PM

Hello,

Please download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • Please post the contents of C:\vundofix.txt and a new HiJackThis log.

Please be sure to include a new HijackThis log this time, and let me know how it's running now. :thumbsup:

Thanks,
tea
