Taken Over! I Was Hijacked And This Really Sucks. =(

3 replies to this topic

#1 hamlettm

Posted 31 December 2007 - 02:53 PM

I just did a reformat on my system. I went to view a movie online called "The Bucket List" and the next thing I know I'm infected (AGAIN). I have NOD32 so no idea how it got past it.

Last file I tried to delete was gebyaww.dll. I also used VundoFix and VirtumundoBeGone to try to get everything off my CPU but it's STILL there. Spyware Doctor reports Trojan.Virtumonde with 23 infections *sigh*. Still not sure what else to do at this point. Here is my HijackThis file. Any other suggestions?

How the hell can I get infected by watching a freaking normal movie?

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:43:45 PM, on 12/31/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Portrait Displays\Shared\DTSRVC.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Spyware Doctor\svcntaux.exe
C:\Program Files\Spyware Doctor\swdsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Spyware Doctor\SDTrayApp.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\WINDOWS\zHotkey.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Owner\Desktop\HiJackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gateway.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
F3 - REG:win.ini: load=C:\WINDOWS\system32\jkhhf.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2D5796A2-44E0-4E50-A5A0-80BF1EE3EA73} - C:\WINDOWS\system32\gebyaww.dll (file missing)
O2 - BHO: (no name) - {6406C224-A620-47F2-8B78-499A8F83410B} - C:\WINDOWS\system32\jkhhf.dll (file missing)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [ShowWnd] ShowWnd.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [winshow] "C:\WINDOWS\winshow .exe"
O4 - HKLM\..\Run: [SDTray] "C:\Program Files\Spyware Doctor\SDTrayApp.exe"
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam\Quickcam.exe" /hide
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr .exe" /background
O4 - HKCU\..\Run: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.gateway.com
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1198119129312
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Portrait Displays Display Tune Service (DTSRVC) - Unknown owner - C:\Program Files\Common Files\Portrait Displays\Shared\DTSRVC.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe

--
End of file - 6804 bytes

#2 hamlettm

hamlettm
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:09:28 PM

Posted 31 December 2007 - 03:19 PM

ComboFix 07-12-31.4 - Owner 2007-12-31 14:59:59.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1722 [GMT -5:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2007-11-28 to 2007-12-31 )))))))))))))))))))))))))))))))
.

2007-12-31 14:58 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-12-31 12:10 . 2007-12-31 14:40 <DIR> d-------- C:\VundoFix Backups
2007-12-31 12:01 . 2007-12-31 15:04 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2007-12-31 10:31 . 2007-12-31 10:34 74,240 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2007-12-31 10:31 . 2007-12-31 10:34 56,832 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2007-12-31 10:31 . 2007-10-18 00:14 41,288 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2007-12-31 10:31 . 2007-10-18 00:16 29,000 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2007-12-31 10:30 . 2007-12-31 15:00 <DIR> d-------- C:\Program Files\Spyware Doctor
2007-12-31 10:30 . 2007-12-31 10:30 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\PC Tools
2007-12-31 10:30 . 2005-09-23 08:29 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
2007-12-31 10:30 . 2005-07-06 18:13 499,712 --a------ C:\WINDOWS\system32\msvcp71.dll
2007-12-31 10:30 . 2005-07-06 18:13 348,160 --a------ C:\WINDOWS\system32\msvcr71.dll
2007-12-31 10:14 . 2007-12-31 12:48 348,160 --a------ C:\WINDOWS\system32\jkhhf.exe
2007-12-31 01:11 . 2007-12-31 01:11 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2007-12-31 01:11 . 2007-12-31 01:11 1,409 --a------ C:\WINDOWS\QTFont.for
2007-12-31 00:45 . 2007-12-31 00:45 <DIR> d-------- C:\Program Files\Lavasoft
2007-12-31 00:45 . 2007-12-31 00:45 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-12-31 00:44 . 2007-12-31 00:44 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-12-31 00:30 . 2007-12-31 00:35 <DIR> d-------- C:\Program Files\Windows Defender
2007-12-31 00:17 . 2007-12-31 00:17 32,764 --a------ C:\WINDOWS\17PHolmes77.exe
2007-12-31 00:16 . 2007-12-31 14:38 39,936 --a------ C:\WINDOWS\system32\45
2007-12-29 11:38 . 2007-12-31 01:13 69 --a------ C:\WINDOWS\NeroDigital.ini
2007-12-29 03:00 . 2007-12-29 03:00 <DIR> d-------- C:\Program Files\MSXML 4.0
2007-12-26 11:58 . 2007-12-26 11:58 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Nero
2007-12-26 11:56 . 2007-12-26 11:56 <DIR> d-------- C:\Program Files\Nero
2007-12-26 11:56 . 2007-12-26 11:57 <DIR> d-------- C:\Program Files\Common Files\Nero
2007-12-26 11:56 . 2007-12-26 11:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Nero
2007-12-25 23:06 . 2007-12-26 09:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Cabela's Trophy Bucks Saves
2007-12-25 03:00 . 2007-12-25 03:00 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2007-12-24 11:53 . 2004-08-04 02:56 53,760 --a------ C:\WINDOWS\system32\vfwwdm32.dll
2007-12-24 11:53 . 2004-08-04 02:56 53,760 --a--c--- C:\WINDOWS\system32\dllcache\vfwwdm32.dll
2007-12-24 11:53 . 2004-08-04 02:56 20,992 --a------ C:\WINDOWS\system32\dshowext.ax
2007-12-24 11:53 . 2004-08-04 02:56 20,992 --a--c--- C:\WINDOWS\system32\dllcache\dshowext.ax
2007-12-24 11:53 . 2007-12-24 12:16 0 --a------ C:\WINDOWS\system32\drivers\lvuvc.hs
2007-12-24 11:48 . 2007-12-24 11:48 <DIR> d-------- C:\Program Files\Logitech
2007-12-24 11:48 . 2007-12-24 11:53 <DIR> d-------- C:\Program Files\Common Files\LogiShrd
2007-12-23 18:09 . 2004-08-04 01:07 59,264 --a------ C:\WINDOWS\system32\drivers\USBAUDIO.sys
2007-12-23 18:09 . 2004-08-04 01:07 59,264 --a--c--- C:\WINDOWS\system32\dllcache\usbaudio.sys
2007-12-23 18:05 . 2007-12-23 18:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Logitech
2007-12-23 18:05 . 2007-12-24 11:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Logishrd
2007-12-23 02:28 . 2007-12-25 23:02 <DIR> d-------- C:\Program Files\Activision Value
2007-12-22 13:32 . 2007-12-22 13:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\FLEXnet
2007-12-22 13:30 . 2007-12-22 13:30 <DIR> d-------- C:\Program Files\Bonjour
2007-12-22 13:24 . 2007-12-22 13:24 <DIR> d-------- C:\Program Files\Common Files\Macrovision Shared
2007-12-22 13:24 . 2007-12-23 10:42 <DIR> d-------- C:\Program Files\Common Files\Adobe
2007-12-22 01:24 . 2007-12-22 01:24 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\DivX
2007-12-22 01:20 . 2007-12-22 01:20 33,824 --a------ C:\WINDOWS\system32\drivers\oreans32.sys
2007-12-22 00:29 . 2007-12-22 00:29 0 --a------ C:\WINDOWS\system32\kbdro407m.dll
2007-12-22 00:24 . 2007-12-22 00:24 0 --a------ C:\WINDOWS\system32\kbdro877m.dll
2007-12-22 00:01 . 2007-12-22 00:01 <DIR> d-------- C:\WINDOWS\system32\QuickTime
2007-12-22 00:01 . 2007-12-22 00:01 <DIR> d-------- C:\Program Files\TechSmith
2007-12-22 00:01 . 2007-12-22 00:01 <DIR> d-------- C:\Program Files\Common Files\TechSmith Shared
2007-12-22 00:01 . 2007-08-27 10:53 107,864 --a------ C:\WINDOWS\system32\tsccvid.dll
2007-12-21 23:26 . 2007-12-21 23:26 <DIR> d-------- C:\Program Files\Jasc Software Inc
2007-12-21 18:42 . 2007-12-25 09:03 107,832 --a------ C:\WINDOWS\system32\PnkBstrB.exe
2007-12-21 18:42 . 2007-12-21 19:14 66,872 --a------ C:\WINDOWS\system32\PnkBstrA.exe
2007-12-21 18:42 . 2007-12-25 09:03 22,328 --a------ C:\WINDOWS\system32\drivers\PnkBstrK.sys
2007-12-21 18:42 . 2007-12-21 18:42 22,328 --a------ C:\Documents and Settings\Owner\Application Data\PnkBstrK.sys
2007-12-21 18:26 . 2007-12-21 18:26 <DIR> d-------- C:\Program Files\Activision
2007-12-21 18:25 . 2007-12-21 18:25 <DIR> d--hs---- C:\WINDOWS\ftpcache
2007-12-21 01:47 . 2007-12-21 01:47 376 --a------ C:\WINDOWS\ODBC.INI
2007-12-21 01:46 . 2007-12-21 01:46 <DIR> d-------- C:\WINDOWS\ShellNew
2007-12-21 01:46 . 2007-12-21 01:46 <DIR> d-------- C:\Program Files\Microsoft ActiveSync
2007-12-21 00:48 . 2007-12-21 13:20 <DIR> d-------- C:\Program Files\mIRC
2007-12-21 00:48 . 2007-12-22 01:49 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\mIRC
2007-12-20 23:25 . 2007-12-20 23:25 <DIR> d-------- C:\Program Files\Kayako
2007-12-20 23:02 . 2007-12-20 23:21 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\ICQ
2007-12-20 23:00 . 2007-12-20 23:21 <DIR> d-------- C:\Program Files\ICQ6
2007-12-20 23:00 . 2007-12-20 23:00 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\InstallShield
2007-12-20 19:34 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2007-12-20 19:34 . 2007-07-30 19:19 207,736 --a------ C:\WINDOWS\system32\muweb.dll
2007-12-20 19:34 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2007-12-20 11:43 . 2007-12-30 10:34 <DIR> d-------- C:\Program Files\FlashFXP
2007-12-20 11:43 . 2007-12-20 11:43 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\FlashFXP
2007-12-20 10:40 . 2007-07-09 08:09 584,192 -----c--- C:\WINDOWS\system32\dllcache\rpcrt4.dll
2007-12-19 23:19 . 2007-12-19 23:19 <DIR> d-------- C:\Program Files\DivX
2007-12-19 23:18 . 2007-12-19 23:18 <DIR> d-------- C:\Program Files\iTunes
2007-12-19 23:18 . 2007-12-19 23:18 <DIR> d-------- C:\Program Files\iPod
2007-12-19 23:18 . 2007-12-19 23:20 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Apple Computer
2007-12-19 23:17 . 2007-12-19 23:17 <DIR> d-------- C:\Program Files\QuickTime
2007-12-19 23:17 . 2007-12-19 23:17 <DIR> d-------- C:\Program Files\Common Files\Apple
2007-12-19 23:17 . 2007-12-19 23:17 <DIR> d-------- C:\Program Files\Apple Software Update
2007-12-19 23:17 . 2007-12-19 23:18 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2007-12-19 23:17 . 2007-12-19 23:17 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
2007-12-19 23:17 . 2007-10-31 14:09 30,464 --a------ C:\WINDOWS\system32\drivers\usbaapl.sys
2007-12-19 23:15 . 2007-12-19 23:15 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2007-12-19 23:15 . 2006-10-04 09:06 1,197,294 -----c--- C:\WINDOWS\system32\dllcache\sysmain.sdb
2007-12-19 23:15 . 2006-10-04 09:06 764,868 -----c--- C:\WINDOWS\system32\dllcache\apph_sp.sdb
2007-12-19 23:15 . 2006-10-04 09:06 217,118 -----c--- C:\WINDOWS\system32\dllcache\apphelp.sdb
2007-12-19 23:13 . 2007-12-21 18:42 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2007-12-19 23:13 . 2007-12-19 23:14 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2007-12-19 23:09 . 2007-10-12 15:14 1,374,232 --a------ C:\WINDOWS\system32\D3DCompiler_36.dll
2007-12-19 23:09 . 2007-10-02 09:56 444,776 --a------ C:\WINDOWS\system32\d3dx10_36.dll
2007-12-19 23:09 . 2007-10-22 03:39 267,272 --a------ C:\WINDOWS\system32\xactengine2_10.dll
2007-12-19 23:03 . 2007-12-20 10:35 <DIR> d-------- C:\Documents and Settings\Owner\Contacts
2007-12-19 22:54 . 2007-12-24 11:40 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2007-12-19 22:52 . 2007-12-19 22:54 <DIR> d--hsc--- C:\Program Files\Common Files\WindowsLiveInstaller
2007-12-19 22:51 . 2007-12-19 22:54 <DIR> d-------- C:\Program Files\Windows Live
2007-12-19 22:51 . 2007-12-19 22:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WLInstaller
2007-12-19 22:41 . 2007-12-19 22:41 512,096 --a------ C:\WINDOWS\system32\drivers\amon.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-31 05:25 --------- d-----w C:\Program Files\Digital Media Reader
2007-12-21 23:59 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-12-20 02:44 --------- d-----w C:\Program Files\Common Files\InstallShield
2007-12-20 02:34 --------- d-----w C:\Program Files\CyberLink
2007-12-20 02:34 --------- d-----w C:\Program Files\Common Files\Real
2007-12-20 02:34 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2007-12-20 02:30 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2007-12-11 22:34 9,464 ------w C:\WINDOWS\system32\drivers\cdralw2k.sys
2007-12-11 22:34 9,336 ------w C:\WINDOWS\system32\drivers\cdr4_xp.sys
2007-12-11 22:34 43,528 ------w C:\WINDOWS\system32\drivers\PxHelp20.sys
2007-12-11 22:34 129,784 ------w C:\WINDOWS\system32\pxafs.dll
2007-12-11 22:34 120,056 ------w C:\WINDOWS\system32\pxcpyi64.exe
2007-12-11 22:34 118,520 ------w C:\WINDOWS\system32\pxinsi64.exe
2007-12-11 22:33 823,296 ----a-w C:\WINDOWS\system32\divx_xx0c.dll
2007-12-11 22:33 823,296 ----a-w C:\WINDOWS\system32\divx_xx07.dll
2007-12-11 22:33 81,920 ----a-w C:\WINDOWS\system32\dpl100.dll
2007-12-11 22:33 802,816 ----a-w C:\WINDOWS\system32\divx_xx11.dll
2007-12-11 22:33 682,496 ----a-w C:\WINDOWS\system32\DivX.dll
2007-12-11 22:33 593,920 ----a-w C:\WINDOWS\system32\dpuGUI11.dll
2007-12-11 22:33 57,344 ----a-w C:\WINDOWS\system32\dpv11.dll
2007-12-11 22:33 53,248 ----a-w C:\WINDOWS\system32\dpuGUI10.dll
2007-12-11 22:33 344,064 ----a-w C:\WINDOWS\system32\dpus11.dll
2007-12-11 22:33 294,912 ----a-w C:\WINDOWS\system32\dpu11.dll
2007-12-11 22:33 294,912 ----a-w C:\WINDOWS\system32\dpu10.dll
2007-12-11 22:33 196,608 ----a-w C:\WINDOWS\system32\dtu100.dll
2007-12-05 06:41 81,920 ----a-w C:\WINDOWS\system32\nvwddi.dll
2007-12-05 06:41 81,920 ----a-w C:\WINDOWS\system32\nvmctray.dll
2007-12-05 06:41 8,523,776 ----a-w C:\WINDOWS\system32\nvcpl.dll
2007-12-05 06:41 753,664 ----a-w C:\WINDOWS\system32\nvcplui.exe
2007-12-05 06:41 7,435,392 ----a-w C:\WINDOWS\system32\drivers\nv4_mini.sys
2007-12-05 06:41 6,901,760 ----a-w C:\WINDOWS\system32\nvoglnt.dll
2007-12-05 06:41 6,549,504 ----a-w C:\WINDOWS\system32\nvdisps.dll
2007-12-05 06:41 5,773,568 ----a-w C:\WINDOWS\system32\nv4_disp.dll
2007-12-05 06:41 466,944 ----a-w C:\WINDOWS\system32\nvshell.dll
2007-12-05 06:41 45,056 ----a-w C:\WINDOWS\system32\nvmccsrs.dll
2007-12-05 06:41 442,368 ----a-w C:\WINDOWS\system32\nvappbar.exe
2007-12-05 06:41 425,984 ----a-w C:\WINDOWS\system32\keystone.exe
2007-12-05 06:41 385,024 ----a-w C:\WINDOWS\system32\nvapi.dll
2007-12-05 06:41 35,328 ----a-w C:\WINDOWS\system32\nvcodins.dll
2007-12-05 06:41 35,328 ----a-w C:\WINDOWS\system32\nvcod.dll
2007-12-05 06:41 307,200 ----a-w C:\WINDOWS\system32\nvexpbar.dll
2007-12-05 06:41 3,710,976 ----a-w C:\WINDOWS\system32\nvvitvs.dll
2007-12-05 06:41 3,420,160 ----a-w C:\WINDOWS\system32\nvgames.dll
2007-12-05 06:41 286,720 ----a-w C:\WINDOWS\system32\nvnt4cpl.dll
2007-12-05 06:41 229,376 ----a-w C:\WINDOWS\system32\nvmccs.dll
2007-12-05 06:41 2,498,560 ----a-w C:\WINDOWS\system32\nvwss.dll
2007-12-05 06:41 188,416 ----a-w C:\WINDOWS\system32\nvmccss.dll
2007-12-05 06:41 155,716 ----a-w C:\WINDOWS\system32\nvsvc32.exe
2007-12-05 06:41 147,456 ----a-w C:\WINDOWS\system32\nvcolor.exe
2007-12-05 06:41 1,703,936 ----a-w C:\WINDOWS\system32\nvwdmcpl.dll
2007-12-05 06:41 1,474,560 ----a-w C:\WINDOWS\system32\nview.dll
2007-12-05 06:41 1,339,392 ----a-w C:\WINDOWS\system32\nvdspsch.exe
2007-12-05 06:41 1,228,800 ----a-w C:\WINDOWS\system32\nvmobls.dll
2007-12-05 06:41 1,089,536 ----a-w C:\WINDOWS\system32\nvcuda.dll
2007-12-05 06:41 1,019,904 ----a-w C:\WINDOWS\system32\nvwimg.dll
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-27 22:40 222,720 ----a-w C:\WINDOWS\system32\wmasf.dll
2007-10-22 08:37 17,928 ----a-w C:\WINDOWS\system32\X3DAudio1_2.dll
2007-10-21 23:51 323,624 ----a-w C:\WINDOWS\system32\wiaaut.dll
2007-10-18 16:31 51,224 ----a-w C:\WINDOWS\system32\sirenacm.dll
2007-10-12 20:14 3,734,536 ----a-w C:\WINDOWS\system32\d3dx9_36.dll
2007-10-12 02:00 490,008 ----a-w C:\WINDOWS\system32\LVUI2.dll
2007-10-12 02:00 465,432 ----a-w C:\WINDOWS\system32\LVUI2RC.dll
2007-10-12 01:57 416,280 ----a-w C:\WINDOWS\system32\LVCodec2.dll
2007-09-14 16:15 50,520 ----a-w C:\WINDOWS\system32\csvidcap.dll
.
----a-w		 1,065,800 2007-12-31 17:46:05  C:\Program Files\Spyware Doctor\SDTrayApp .exe


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="C:\Program Files\Windows Live\Messenger\msnmsgr .exe" [ ]
"IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CHotkey"="zHotkey.exe" [2003-07-29 21:06 515584 C:\WINDOWS\zHotkey.exe]
"ShowWnd"="ShowWnd.exe" [2003-09-19 12:09 36864 C:\WINDOWS\ShowWnd.exe]
"High Definition Audio Property Page Shortcut"="HDAudPropShortcut.exe" []
"SoundMan"="SOUNDMAN.EXE" [2004-07-01 14:58 73728 C:\WINDOWS\SOUNDMAN.EXE]
"AlcWzrd"="ALCWZRD.EXE" [2004-07-05 21:05 2550272 C:\WINDOWS\ALCWZRD.EXE]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2007-12-05 01:41 8523776]
"nwiz"="nwiz.exe" []
"NvMediaCenter"="C:\WINDOWS\System32\NvMcTray.dll" [2007-12-05 01:41 81920]
"SDTray"="C:\Program Files\Spyware Doctor\SDTrayApp.exe" [2007-12-31 13:05 1065800]
"LogitechCommunicationsManager"="C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-12-31 12:48 916992]
"LogitechQuickCamRibbon"="C:\Program Files\Logitech\QuickCam\Quickcam.exe" [2007-12-31 12:48 2543616]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DT HPW]
C:\Program Files\Portrait Displays\HP My Display\DTHtml.exe -startup_folder

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ICQ]
C:\Program Files\ICQ6\ICQ.exe silent

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2007-12-11 12:10 267048 --a------ C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LiveResponse.exe]
2005-12-15 16:17 2478080 --a------ C:\Program Files\Kayako\LiveResponse\LiveResponse.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\QTTask.exe -atboottime

R1 oreans32;oreans32;C:\WINDOWS\system32\drivers\oreans32.sys [2007-12-22 01:20]
R2 Nero BackItUp Scheduler 3;Nero BackItUp Scheduler 3;C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe [2007-12-03 14:21]

.
Contents of the 'Scheduled Tasks' folder
"2007-12-25 22:37:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-12-20 01:43:00 C:\WINDOWS\Tasks\ISP signup reminder 3.job"
- C:\WINDOWS\System32\OOBE\oobebaln.exe
"2007-12-31 19:44:00 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-31 15:04:02
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-12-31 15:06:14 - machine was rebooted
C:\qoobox\ComboFix-quarantined-files.txt 2007-12-31 20:06:09
.
2007-12-29 08:00:43 --- E O F ---

#3 hamlettm

Posted 31 December 2007 - 06:17 PM

Can anyone help?

#4 Yourhighness
  • Malware Response Team

Posted 20 January 2008 - 08:53 AM

Hello hamlettm and welcome to BleepingComputer!

Apologies for the delay. The forum has been very busy lately. If you are still having problems, please post a brand new HijackThis log as a reply to this topic. Before posting the log, please make sure you follow all the steps found in this topic: Preparation Guide For Use Before Posting A Hijackthis Log.

Thanks,

Johannes

"How did I get infected?" - "Safe-hex" - Member of UNITE -