
Stubborn Virtumonde Infection


  • This topic is locked
14 replies to this topic

#1 Nuggget


Posted 02 January 2008 - 09:52 AM

Hi there,

I have a Virtumonde that I just can't get rid of.

What I have tried:

Followed the Virtumonde Removal guide from this forum right to the end.
Scanned with Ad-Aware and Spybot Search and Destroy (both up to date).
Installed a new antivirus scanner and ran a deep scan. I went from NOD32 to BitDefender V10.
Tried a Trojan.Vundo removal tool from Symantec.


What the virus does (from what I've noticed):

So far I've had no pop-ups at all, but I have had things being deleted and changed around. Both my BitDefender exe and my DU Meter exe have been deleted when I've turned my computer off for the night. I've logged on the next morning to see the exes have been deleted; I've had to back up the exes around my computer so I don't have to reinstall the programs. Also, occasionally I get a pop-up from BitDefender saying the firewall has been turned off. (I turn it straight back on.)

I also get pop-ups from BitDefender every 15 seconds saying it's found a virus. Very annoying :\.
I've also noticed my computer runs slow now.

Any help would be appreciated :thumbsup:

My HijackThis log, with the net off and BitDefender shut down.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:50:54 AM, on 1/3/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\Crypserv.exe
C:\Program Files\DU Meter\DUMeterSvc.exe
C:\WINDOWS\system32\LiscadUpdate.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\ctfmon .exe
C:\Program Files\NETGEAR WG311v2 Adapter\wlancfg5.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Documents and Settings\Admin\Desktop\DUMeter .exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\Program Files\Softwin\BitDefender10\vsserv.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
F3 - REG:win.ini: load=C:\WINDOWS\system32\awvvv.exe
O1 - Hosts: 66.98.148.65 auto.search.msn.com
O1 - Hosts: 66.98.148.65 auto.search.msn.es
O2 - BHO: (no name) - {036B154E-E420-45D5-9C5B-2D58B68B0BB0} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2D5796A2-44E0-4E50-A5A0-80BF1EE3EA73} - C:\WINDOWS\system32\fccdaay.dll
O2 - BHO: (no name) - {4E398634-06C6-4F96-986D-AD5AE31DE0E9} - C:\WINDOWS\system32\awvvv.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: {3037e766-64cb-820b-fce4-594b101fab95} - {59baf101-b495-4ecf-b028-bc46667e7303} - C:\WINDOWS\system32\hngcvsap.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {FEA2416C-846D-477F-BCE8-383C56E27FC9} - C:\WINDOWS\system32\vturs.dll (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [BDMCon] C:\PROGRA~1\Softwin\BITDEF~1\BDMCON~1.EXE
O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\Softwin\BitDefender10\bdagent.exe"
O4 - HKLM\..\Run: [205577ac] rundll32.exe "C:\WINDOWS\system32\niqbsvrh.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: NETGEAR WG311v2 Smart Configuration.lnk = C:\Program Files\NETGEAR WG311v2 Adapter\wlancfg5.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - AutorunsDisabled - (no file)
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Crypkey License - CrypKey (Canada) Ltd. - C:\WINDOWS\system32\Crypserv.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: DU Meter Service (DUMeterSvc) - Hagel Technologies Ltd - C:\Program Files\DU Meter\DUMeterSvc.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LISCAD Update (LISCADUpdate) - LISTECH Pty. Ltd. - C:\WINDOWS\system32\LiscadUpdate.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - SOFTWIN S.R.L. - C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
O23 - Service: WinFast® Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - SOFTWIN S.R.L. - C:\Program Files\Softwin\BitDefender10\vsserv.exe
O23 - Service: BitDefender Communicator (XCOMM) - SOFTWIN S.R.L - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
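
As an added example (not from this thread, and not part of HijackThis or ComboFix), here is a small Python triage script that applies the indicators which point to Vundo in the log above: file names with whitespace before the extension (the "ctfmon .exe" pattern), hosts-file redirects, the legacy win.ini load= key, nameless or missing BHOs, Run values with random hex names, and AppInit_DLLs entries. The sample log is a constructed subset of the log posted above plus a few benign lines that must not be flagged.

```python
import re

# Constructed sample: a subset of the HijackThis log posted above, plus benign
# lines (the Acrobat BHO, the BDAgent Run value, a localhost hosts entry)
# that a good triage must leave alone.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\ctfmon .exe
C:\Documents and Settings\Admin\Desktop\DUMeter .exe

F3 - REG:win.ini: load=C:\WINDOWS\system32\awvvv.exe
O1 - Hosts: 66.98.148.65 auto.search.msn.com
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2D5796A2-44E0-4E50-A5A0-80BF1EE3EA73} - C:\WINDOWS\system32\fccdaay.dll
O2 - BHO: (no name) - {FEA2416C-846D-477F-BCE8-383C56E27FC9} - C:\WINDOWS\system32\vturs.dll (file missing)
O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\Softwin\BitDefender10\bdagent.exe"
O4 - HKLM\..\Run: [205577ac] rundll32.exe "C:\WINDOWS\system32\niqbsvrh.dll",b
"""

# Addresses that are fine for a hosts entry; anything else redirects the name.
LOOPBACK = {"127.0.0.1", "0.0.0.0", "::1"}

# Whitespace right before an executable extension: the real binary was
# renamed ("ctfmon .exe") so a look-alike could take the original name.
SPACED_EXT = re.compile(r"\S\s+\.(exe|dll)\b", re.I)
HOSTS_LINE = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(\S+)")
# win.ini load=/run= is a pre-Windows-95 autostart that modern software
# does not use, so any value here is worth a look.
WININI_LOAD = re.compile(r"^F3 - REG:win\.ini:\s*(load|run)=(\S.*)$", re.I)
RUN_VALUE = re.compile(r"^O4 - .*?\[(?P<name>[^\]]+)\]")
HEX_NAME = re.compile(r"^[0-9a-f]{6,}$", re.I)


def triage(log_text):
    """Return a list of (rule, line) pairs for log lines that deserve a look."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if SPACED_EXT.search(line):
            findings.append(("spaced_ext", line))
        m = HOSTS_LINE.match(line)
        if m and m.group(1) not in LOOPBACK:
            findings.append(("hosts_redirect", line))
        if WININI_LOAD.match(line):
            findings.append(("win_ini_load", line))
        # A BHO with no name, or whose DLL is gone, is either dead or hiding.
        if line.startswith("O2 - BHO:") and ("(no name)" in line or "(file missing)" in line):
            findings.append(("bho_no_name", line))
        # Run values named like "205577ac" are generated, not chosen by a vendor.
        m = RUN_VALUE.match(line)
        if m and HEX_NAME.match(m.group("name")):
            findings.append(("run_hex_name", line))
        # AppInit_DLLs loads into every user-mode process; legit use is rare.
        if line.startswith("O20 - AppInit_DLLs:"):
            findings.append(("appinit_dlls", line))
    return findings


if __name__ == "__main__":
    for rule, line in triage(SAMPLE_LOG):
        print(f"[{rule:14}] {line}")
```

Every hit is a lead for a human reader of the log, not a verdict; the named BHO and BDAgent lines in the sample pass untouched, while the seven Vundo-style lines are listed with the rule that caught them.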


#2 lusitano


Posted 02 January 2008 - 12:01 PM

Hi, welcome to Bleeping Computer Forums!

You might want to save this page on your favorites, so you can find it again when you return.


Please take note of the following:
  • I will be handling your log and helping you, please do not make any system changes yet.
  • The process is not instant. Please continue to review my answers until I tell you that your computer is clean. Be patient.
  • The fixes are specific to your problem and should only be used for this issue on this machine.
  • If there's anything that you don't understand, please ask your question(s) before proceeding with the fixes.
  • Please reply to this thread. Do not start a new topic.
Please give me some time to look over your log and I will get back to you as soon as possible.

:thumbsup:
Please do not PM me asking for support.
Please be courteous, polite, and say thank you.
Please post the final results, good or bad. We like to know!

#3 Nuggget


Posted 02 January 2008 - 08:09 PM

Thanks for helping me.

I turned on my computer this morning to find it slow as hell, and found BitDefender not working again :\

I forgot to mention a few more things I've tried to get rid of this virus:
I updated my Java to the latest version
I also turned System Restore off

I'm not sure if this is why I get no pop-ups or not, but I have this add-on for Firefox that blocks Java on all websites I visit unless I allow Java through. It's called NoScript.

Also, just prior to posting my HijackThis log I ran Stinger from McAfee.


I will now wait for your advice :thumbsup:

I won't change anything now.

Thanks in advance!

Edited by Nuggget, 03 January 2008 - 05:58 AM.


#4 lusitano


Posted 03 January 2008 - 04:52 AM

Hi,

Download ComboFix from Here or Here to your Desktop.
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
  • Double click combofix.exe and follow the prompts.
  • When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Extra-Note: Please, DO NOT use ComboFix on your own. It is a very powerful tool designed to deal with sophisticated infections and if something goes wrong or you use it incorrectly, you could possibly lose the use of your computer. It is ONLY meant to be used under the direct supervision of a malware removal specialist.

Regards

#5 Nuggget


Posted 03 January 2008 - 05:08 AM

ComboFix Log

ComboFix 08-01-03.3 - Admin 2008-01-03 21:00:30.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.576 [GMT 11:00]
Running from: C:\Documents and Settings\Admin\Desktop\ComboFix.exe
* Created a new restore point
.
The following files were disabled during the run:
C:\WINDOWS\system32\sockspy.dll


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\du meter back up\bdagent.exe
C:\du meter back up\bdmcon.exe
C:\Program Files\Softwin\bdagent.exe
C:\Program Files\Softwin\BitDefender10\bdagent.exe
C:\Program Files\Softwin\BitDefender10\bdmcon .exe
C:\Program Files\Softwin\BitDefender10\bdmcon.exe
C:\Program Files\Softwin\BitDefender10\BDMCON~1.EXE
C:\WINDOWS\system32\awvvv.dll
C:\WINDOWS\system32\awvvv.exe
C:\WINDOWS\system32\ctfmon .exe
C:\WINDOWS\system32\ctfmon.exe.tmp
C:\WINDOWS\system32\fccdaay.dll
C:\WINDOWS\system32\hngcvsap.dll
C:\WINDOWS\system32\hrvsbqin.ini
C:\WINDOWS\system32\niqbsvrh.dll
C:\WINDOWS\system32\vvvwa.ini
C:\WINDOWS\system32\vvvwa.ini2

"C:\du meter back up\bdagent .exe" replaces infected copy of "C:\du meter back up\bdagent.exe"
"C:\du meter back up\bdmcon .exe" replaces infected copy of "C:\du meter back up\bdmcon.exe"
"C:\Program Files\Softwin\bdagent .exe" replaces infected copy of "C:\Program Files\Softwin\bdagent.exe"
"C:\Program Files\Softwin\BitDefender10\bdagent .exe" replaces infected copy of "C:\Program Files\Softwin\BitDefender10\bdagent.exe"
"C:\Program Files\Softwin\BitDefender10\bdmcon  .exe" replaces infected copy of "C:\Program Files\Softwin\BitDefender10\bdmcon.exe"
"C:\Program Files\Softwin\BitDefender10\BDMCON~1 .EXE" replaces infected copy of "C:\Program Files\Softwin\BitDefender10\BDMCON~1.EXE"
"C:\WINDOWS\system32\ctfmon .exe" moved to QooBox
.
.
((((((((((((((((((((((((( Files Created from 2007-12-03 to 2008-01-03 )))))))))))))))))))))))))))))))
.

2008-01-03 20:59 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-03 01:10 . 2008-01-03 01:10 91 --a------ C:\WINDOWS\wininit.ini
2008-01-02 22:59 . 2008-01-02 22:59 <DIR> d-------- C:\Program Files\Lavasoft
2008-01-02 22:59 . 2008-01-02 22:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-01-01 16:18 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-01-01 16:17 . 2008-01-01 16:18 <DIR> d-------- C:\Program Files\Java
2008-01-01 16:17 . 2008-01-01 16:17 <DIR> d-------- C:\Program Files\Common Files\Java
2007-12-31 22:39 . 2007-12-31 22:39 12 --a------ C:\WINDOWS\system32\20556522
2007-12-31 14:16 . 2007-12-31 14:16 <DIR> d-------- C:\Program Files\Trend Micro
2007-12-31 12:54 . 2008-01-03 21:02 81,984 --a------ C:\WINDOWS\system32\bdod.bin
2007-12-31 12:27 . 2007-12-31 12:27 <DIR> d-------- C:\Documents and Settings\Admin\Application Data\Bitdefender
2007-12-31 12:24 . 2007-12-31 13:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\BitDefender
2007-12-29 21:01 . 2007-12-29 21:01 <DIR> d-------- C:\Program Files\Microsoft Games
2007-12-29 14:31 . 2007-12-29 14:33 <DIR> d-------- C:\Documents and Settings\Admin\.housecall6.6
2007-12-29 13:37 . 2008-01-01 18:50 <DIR> d-------- C:\VundoFix Backups
2007-12-29 13:25 . 2008-01-03 21:03 <DIR> d-------- C:\du meter back up
2007-12-29 13:20 . 2007-12-29 13:20 <DIR> d-------- C:\Program Files\Sygate
2007-12-29 13:20 . 2005-09-27 12:15 83,592 --a------ C:\WINDOWS\system32\SSSensor.dll
2007-12-29 13:20 . 2005-09-27 11:43 61,008 --a------ C:\WINDOWS\system32\drivers\Teefer.sys
2007-12-29 13:20 . 2005-09-27 11:44 21,075 --a------ C:\WINDOWS\system32\drivers\wpsdrvnt.sys
2007-12-29 13:20 . 2005-09-27 12:16 14,944 --a------ C:\WINDOWS\system32\drivers\wg3n.sys
2007-12-29 12:12 . 2007-12-29 12:16 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-12-29 00:20 . 2007-12-29 13:23 1,031,379 --ahs---- C:\WINDOWS\system32\dsrsrejk.ini
2007-12-28 11:17 . 2007-12-28 11:17 <DIR> d-------- C:\Program Files\WinAVI Video Converter
2007-12-05 14:43 . 2007-12-05 14:43 <DIR> d-------- C:\Program Files\Teamspeak2_RC2
2007-12-05 14:43 . 2007-12-05 14:43 <DIR> d-------- C:\Documents and Settings\Admin\Application Data\teamspeak2
2007-12-05 14:43 . 2007-12-05 14:43 34,064 --a------ C:\WINDOWS\system32\lhacm.acm

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-03 09:56 --------- d-----w C:\Documents and Settings\Admin\Application Data\Azureus
2008-01-02 11:59 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-01-01 03:28 71,040 ----a-w C:\WINDOWS\system32\drivers\bdfndisf.sys
2007-12-28 05:29 --------- d-----w C:\Program Files\Azureus
2007-12-15 10:08 --------- d-----w C:\Program Files\World of Warcraft
2007-11-16 12:40 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-11-16 12:40 --------- d-----w C:\Program Files\Common Files\InstallShield
2007-11-16 12:32 --------- d-----w C:\Program Files\PowerQuest
2007-11-15 11:41 --------- d-----w C:\Program Files\Common Files\Blizzard Entertainment
2007-11-14 09:36 --------- d-----w C:\Documents and Settings\Admin\Application Data\AdobeUM
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-11-11 09:19 --------- d-----w C:\Documents and Settings\All Users\Application Data\FLEXnet
2007-11-11 09:15 --------- d-----w C:\Program Files\Common Files\Adobe
2007-11-11 09:15 --------- d-----w C:\Program Files\Bonjour
2007-11-11 09:07 --------- d-----w C:\Program Files\Common Files\Macrovision Shared
2007-10-31 02:06 60,416 ----a-w C:\WINDOWS\ALCFDRTM.EXE
2007-10-14 05:16 737,280 ----a-w C:\WINDOWS\iun6002.exe
2004-07-02 19:19 40,960 ----a-w C:\WINDOWS\inf\WG311v2\imdinst.exe
2004-06-18 06:41 386,688 ----a-w C:\WINDOWS\inf\WG311v2\netwg311_XP.sys
2004-04-04 20:07 84,912 ----a-w C:\WINDOWS\inf\WG311v2\FwRad17.bin
2004-04-04 20:07 83,320 ----a-w C:\WINDOWS\inf\WG311v2\FwRad16.bin
2004-02-04 19:53 62,865 ----a-w C:\WINDOWS\inf\WG311v2\odysseyIM3.sys
2004-02-04 19:53 12,739 ----a-w C:\WINDOWS\inf\WG311v2\odNetInstall.dll
.
----a-w		 2,582,288 2007-12-31 11:14:45  C:\Documents and Settings\Admin\Desktop\DUMeter .exe


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FEA2416C-846D-477F-BCE8-383C56E27FC9}]
C:\WINDOWS\system32\vturs.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 23:00 15360]
"DU Meter"="C:\Documents and Settings\Admin\Desktop\DUMeter.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2005-07-21 15:07 7110656]
"nwiz"="nwiz.exe" [2005-07-21 15:07 1519616 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2005-07-21 15:07 86016]
"RegistryMechanic"="" []
"BDMCon"="C:\PROGRA~1\Softwin\BITDEF~1\BDMCON~1.EXE" [2008-01-03 20:57 290816]
"BDAgent"="C:\Program Files\Softwin\BitDefender10\bdagent.exe" [2008-01-03 20:57 69632]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2004-08-04 23:00 53760 C:\WINDOWS\system32\narrator.exe]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
NETGEAR WG311v2 Smart Configuration.lnk - C:\Program Files\NETGEAR WG311v2 Adapter\wlancfg5.exe [2004-10-15 06:32:18]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=sockspy.dll

R1 bdftdif;BitDefender Firewall TDI Filter;C:\Program Files\Common Files\Softwin\BitDefender Firewall\bdftdif.sys [2008-01-01 14:27]
R3 Bdfndisf;BitDefender Firewall NDIS Filter Service;C:\WINDOWS\system32\DRIVERS\bdfndisf.sys [2008-01-01 14:28]
R3 odysseyIM3;Odyssey Network Services Miniport;C:\WINDOWS\system32\DRIVERS\odysseyIM3.sys [2007-09-08 16:15]

.
Contents of the 'Scheduled Tasks' folder
"2007-10-25 02:53:04 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-03 21:04:12
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\DUMeterSvc]
"ImagePath"="C:\Program Files\DU Meter\DUMeterSvc.exe /startedbyscm:E1F6D4BE-40E33354-DUMeterService"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\sockspy.dll

PROCESS: C:\WINDOWS\system32\lsass.exe [5.01.2600.2180]
-> C:\WINDOWS\system32\sockspy.dll

PROCESS: C:\WINDOWS\Explorer.EXE [6.00.2900.3156]
-> C:\WINDOWS\system32\sockspy.dll
.
Completion time: 2008-01-03 21:05:36 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-03 10:05:31
.
2007-12-27 16:00:38 --- E O F ---

HijackThis log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:06:17 PM, on 1/3/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\Crypserv.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\DU Meter\DUMeterSvc.exe
C:\WINDOWS\system32\LiscadUpdate.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Softwin\BitDefender10\vsserv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\PROGRA~1\Softwin\BITDEF~1\BDMCON~1.EXE
C:\Program Files\Softwin\BitDefender10\bdagent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\NETGEAR WG311v2 Adapter\wlancfg5.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {FEA2416C-846D-477F-BCE8-383C56E27FC9} - C:\WINDOWS\system32\vturs.dll (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [BDMCon] C:\PROGRA~1\Softwin\BITDEF~1\BDMCON~1.EXE
O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\Softwin\BitDefender10\bdagent.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DU Meter] C:\Documents and Settings\Admin\Desktop\DUMeter.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: NETGEAR WG311v2 Smart Configuration.lnk = C:\Program Files\NETGEAR WG311v2 Adapter\wlancfg5.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - AutorunsDisabled - (no file)
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Crypkey License - CrypKey (Canada) Ltd. - C:\WINDOWS\system32\Crypserv.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: DU Meter Service (DUMeterSvc) - Hagel Technologies Ltd - C:\Program Files\DU Meter\DUMeterSvc.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LISCAD Update (LISCADUpdate) - LISTECH Pty. Ltd. - C:\WINDOWS\system32\LiscadUpdate.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - SOFTWIN S.R.L. - C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
O23 - Service: WinFast® Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - SOFTWIN S.R.L. - C:\Program Files\Softwin\BitDefender10\vsserv.exe
O23 - Service: BitDefender Communicator (XCOMM) - SOFTWIN S.R.L - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe

--
End of file - 5807 bytes

#6 lusitano


Posted 04 January 2008 - 04:47 AM

Hello,

Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
  • Copy the entire contents of the Code Box below to Notepad.
  • Name the file as Log.txt (Overwrite the existing one)
  • Change the Save as Type to All Files
  • and Save it on the desktop
C:\Documents and Settings\Admin\Desktop\DUMeter .exe
Posted Image
Referring to the picture above, drag Log.txt into RenV.exe and attach the resulting report to your reply.



Now, close any open browsers.
  • Open notepad and copy/paste the text in the quotebox below into it:
http://www.bleepingcomputer.com/forums/index.php?showtopic=123801&st=0&gopid=700989&#entry700989

collect[4]::
C:\WINDOWS\system32\dsrsrejk.ini

File::
C:\WINDOWS\system32\vturs.dll

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FEA2416C-846D-477F-BCE8-383C56E27FC9}]
IMPORTANT: The above script was written specifically for this infection on this person's computer. It is NOT to be used on another computer, as it may cause damage that could result in a format!
  • Save the above as CFScript.txt
  • Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.
  • Posted Image
  • This will start ComboFix again. Upon reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply together with a new HijackThis log.
  • When ComboFix finishes running, the ComboFix log will open along with a message box--do not be alarmed, and read it carefully.
  • With the above script, ComboFix will capture a file to submit for analysis.
  • Ensure you are connected to the internet and click OK.
  • A browser will open. Simply follow the instructions to copy/paste/send the requested file.
Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only.
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browser:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.



Please do an online scan with Kaspersky WebScanner

Click on Posted Image

You will be prompted to install an ActiveX component from Kaspersky, Click Posted Image
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on Posted Image
  • Now click on Posted Image
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click Posted Image
  • Now under select a target to scan:Select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post, along with a new HijackThis log. Also let me know how your computer is running.
In your next reply, please post:
  • A new HijackThis log
  • The results from RenV
  • The results from ComboFix
  • The results from Kaspersky online scanner.
Regards

#7 Nuggget


Posted 05 January 2008 - 12:34 AM

I did everything you said to do; there were some problems though..

I think you forgot to give me RenV.exe. I googled it and ended up downloading it from a page on this forum. :thumbsup:

Also, when I ran ComboFix by dropping CFScript.txt over the exe, once it had finished it didn't submit a file. It only produced the report and that's it.

My computer is running a whole lot faster now, but I am still infected with viruses... The virus has infected my BitDefender backup exes now. To get rid of these, should I just delete them? Or will the virus just go and infect another file?

Here are the log files:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:31:31 PM, on 1/5/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\Crypserv.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\DU Meter\DUMeterSvc.exe
C:\WINDOWS\system32\LiscadUpdate.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
C:\Program Files\Softwin\BitDefender10\vsserv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Softwin\BitDefender10\bdagent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\NETGEAR WG311v2 Adapter\wlancfg5.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
c:\program files\softwin\bitdefender10\bdmcon.exe
C:\Documents and Settings\Admin\Desktop\DUMeter .exe
C:\Program Files\Azureus\Azureus.exe
C:\Program Files\Winamp\winamp.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\Softwin\BitDefender10\bdagent.exe"
O4 - HKLM\..\Run: [BDMCon] c:\PROGRA~1\softwin\BITDEF~1\bdmcon.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DU Meter] C:\Documents and Settings\Admin\Desktop\DUMeter.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: NETGEAR WG311v2 Smart Configuration.lnk = C:\Program Files\NETGEAR WG311v2 Adapter\wlancfg5.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - AutorunsDisabled - (no file)
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Crypkey License - CrypKey (Canada) Ltd. - C:\WINDOWS\system32\Crypserv.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: DU Meter Service (DUMeterSvc) - Hagel Technologies Ltd - C:\Program Files\DU Meter\DUMeterSvc.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LISCAD Update (LISCADUpdate) - LISTECH Pty. Ltd. - C:\WINDOWS\system32\LiscadUpdate.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - SOFTWIN S.R.L. - C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
O23 - Service: WinFastŪ Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - SOFTWIN S.R.L. - C:\Program Files\Softwin\BitDefender10\vsserv.exe
O23 - Service: BitDefender Communicator (XCOMM) - SOFTWIN S.R.L - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe

--
End of file - 6083 bytes


Combofix

ComboFix 08-01-03.3 - Admin 2008-01-05 0:26:58.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.624 [GMT 11:00]
Running from: C:\Documents and Settings\Admin\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Admin\Desktop\CFScript.txt

FILE
C:\WINDOWS\system32\vturs.dll
.
The following files were disabled during the run:
C:\WINDOWS\system32\sockspy.dll


((((((((((((((((((((((((( Files Created from 2007-12-04 to 2008-01-04 )))))))))))))))))))))))))))))))
.

2008-01-04 17:49 . 2008-01-04 17:49 <DIR> d-------- C:\Documents and Settings\Admin\Application Data\vlc
2008-01-04 17:46 . 2008-01-04 17:46 <DIR> d-------- C:\Program Files\VideoLAN
2008-01-03 20:59 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-03 01:10 . 2008-01-03 01:10 91 --a------ C:\WINDOWS\wininit.ini
2008-01-02 22:59 . 2008-01-02 22:59 <DIR> d-------- C:\Program Files\Lavasoft
2008-01-02 22:59 . 2008-01-02 22:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-01-01 16:18 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-01-01 16:17 . 2008-01-01 16:18 <DIR> d-------- C:\Program Files\Java
2008-01-01 16:17 . 2008-01-01 16:17 <DIR> d-------- C:\Program Files\Common Files\Java
2007-12-31 22:39 . 2007-12-31 22:39 12 --a------ C:\WINDOWS\system32\20556522
2007-12-31 14:16 . 2007-12-31 14:16 <DIR> d-------- C:\Program Files\Trend Micro
2007-12-31 12:54 . 2008-01-05 00:25 81,984 --a------ C:\WINDOWS\system32\bdod.bin
2007-12-31 12:27 . 2007-12-31 12:27 <DIR> d-------- C:\Documents and Settings\Admin\Application Data\Bitdefender
2007-12-31 12:24 . 2007-12-31 13:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\BitDefender
2007-12-29 21:01 . 2007-12-29 21:01 <DIR> d-------- C:\Program Files\Microsoft Games
2007-12-29 14:31 . 2007-12-29 14:33 <DIR> d-------- C:\Documents and Settings\Admin\.housecall6.6
2007-12-29 13:37 . 2008-01-01 18:50 <DIR> d-------- C:\VundoFix Backups
2007-12-29 13:25 . 2008-01-03 21:03 <DIR> d-------- C:\du meter back up
2007-12-29 13:20 . 2007-12-29 13:20 <DIR> d-------- C:\Program Files\Sygate
2007-12-29 13:20 . 2005-09-27 12:15 83,592 --a------ C:\WINDOWS\system32\SSSensor.dll
2007-12-29 13:20 . 2005-09-27 11:43 61,008 --a------ C:\WINDOWS\system32\drivers\Teefer.sys
2007-12-29 13:20 . 2005-09-27 11:44 21,075 --a------ C:\WINDOWS\system32\drivers\wpsdrvnt.sys
2007-12-29 13:20 . 2005-09-27 12:16 14,944 --a------ C:\WINDOWS\system32\drivers\wg3n.sys
2007-12-29 12:12 . 2007-12-29 12:16 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-12-29 00:20 . 2007-12-29 13:23 1,031,379 --ahs---- C:\WINDOWS\system32\dsrsrejk.ini
2007-12-28 11:17 . 2007-12-28 11:17 <DIR> d-------- C:\Program Files\WinAVI Video Converter
2007-12-05 14:43 . 2007-12-05 14:43 <DIR> d-------- C:\Program Files\Teamspeak2_RC2
2007-12-05 14:43 . 2007-12-05 14:43 <DIR> d-------- C:\Documents and Settings\Admin\Application Data\teamspeak2
2007-12-05 14:43 . 2007-12-05 14:43 34,064 --a------ C:\WINDOWS\system32\lhacm.acm

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-04 13:25 --------- d-----w C:\Documents and Settings\Admin\Application Data\Azureus
2008-01-02 11:59 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-01-01 03:28 913,408 ----a-w C:\WINDOWS\system32\xreglib.dll
2008-01-01 03:28 71,040 ----a-w C:\WINDOWS\system32\drivers\bdfndisf.sys
2007-12-28 05:29 --------- d-----w C:\Program Files\Azureus
2007-12-15 10:08 --------- d-----w C:\Program Files\World of Warcraft
2007-11-16 12:40 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-11-16 12:40 --------- d-----w C:\Program Files\Common Files\InstallShield
2007-11-16 12:32 --------- d-----w C:\Program Files\PowerQuest
2007-11-15 11:41 --------- d-----w C:\Program Files\Common Files\Blizzard Entertainment
2007-11-14 09:36 --------- d-----w C:\Documents and Settings\Admin\Application Data\AdobeUM
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-11-11 09:19 --------- d-----w C:\Documents and Settings\All Users\Application Data\FLEXnet
2007-11-11 09:15 --------- d-----w C:\Program Files\Common Files\Adobe
2007-11-11 09:15 --------- d-----w C:\Program Files\Bonjour
2007-11-11 09:07 --------- d-----w C:\Program Files\Common Files\Macrovision Shared
2007-10-31 02:06 60,416 ----a-w C:\WINDOWS\ALCFDRTM.EXE
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-27 06:40 227,328 ----a-w C:\WINDOWS\system32\wmasf.dll
2007-10-14 05:16 737,280 ----a-w C:\WINDOWS\iun6002.exe
2007-10-08 16:32 502,272 ----a-w C:\WINDOWS\system32\winlogon.exe
2004-07-02 19:19 40,960 ----a-w C:\WINDOWS\inf\WG311v2\imdinst.exe
2004-06-18 06:41 386,688 ----a-w C:\WINDOWS\inf\WG311v2\netwg311_XP.sys
2004-04-04 20:07 84,912 ----a-w C:\WINDOWS\inf\WG311v2\FwRad17.bin
2004-04-04 20:07 83,320 ----a-w C:\WINDOWS\inf\WG311v2\FwRad16.bin
2004-02-04 19:53 62,865 ----a-w C:\WINDOWS\inf\WG311v2\odysseyIM3.sys
2004-02-04 19:53 12,739 ----a-w C:\WINDOWS\inf\WG311v2\odNetInstall.dll
.
----a-w		 2,582,288 2007-12-31 11:14:45  C:\Documents and Settings\Admin\Desktop\DUMeter .exe


((((((((((((((((((((((((((((( snapshot@2008-01-03_21.05.19.43 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-01-03 23:28:53 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_4c4.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 23:00 15360]
"DU Meter"="C:\Documents and Settings\Admin\Desktop\DUMeter.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2005-07-21 15:07 7110656]
"nwiz"="nwiz.exe" [2005-07-21 15:07 1519616 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2005-07-21 15:07 86016]
"RegistryMechanic"="" []
"BDAgent"="C:\Program Files\Softwin\BitDefender10\bdagent.exe" [2008-01-03 20:57 69632]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2004-08-04 23:00 53760 C:\WINDOWS\system32\narrator.exe]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
NETGEAR WG311v2 Smart Configuration.lnk - C:\Program Files\NETGEAR WG311v2 Adapter\wlancfg5.exe [2004-10-15 06:32:18]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=sockspy.dll

R1 bdftdif;BitDefender Firewall TDI Filter;C:\Program Files\Common Files\Softwin\BitDefender Firewall\bdftdif.sys [2008-01-01 14:27]
R2 DUMeterSvc;DU Meter Service;C:\Program Files\DU Meter\DUMeterSvc.exe [2007-10-15 15:19]
R2 LISCADUpdate;LISCAD Update;C:\WINDOWS\system32\LiscadUpdate.exe [2007-05-19 02:01]
R3 Bdfndisf;BitDefender Firewall NDIS Filter Service;C:\WINDOWS\system32\DRIVERS\bdfndisf.sys [2008-01-01 14:28]
R3 odysseyIM3;Odyssey Network Services Miniport;C:\WINDOWS\system32\DRIVERS\odysseyIM3.sys [2007-09-08 16:15]

.
Contents of the 'Scheduled Tasks' folder
"2007-10-25 02:53:04 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-05 00:29:08
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\DUMeterSvc]
"ImagePath"="C:\Program Files\DU Meter\DUMeterSvc.exe /startedbyscm:E1F6D4BE-40E33354-DUMeterService"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\sockspy.dll

PROCESS: C:\WINDOWS\system32\lsass.exe [5.01.2600.2180]
-> C:\WINDOWS\system32\sockspy.dll
.
Completion time: 2008-01-05 0:30:05
ComboFix-quarantined-files.txt 2008-01-04 13:30:00
ComboFix2.txt 2008-01-03 10:05:36
.
2007-12-27 16:00:38 --- E O F ---

RenV log

Ran on Fri 01/04/2008 - 23:57:47.84

----a-w		 2,582,288 2007-12-31 11:14:45  C:\Documents and Settings\Admin\Desktop\DUMeter .exe

 Entries:				1  (1)
 Directories:			0  Files:			 1
 Bytes:		  2,582,288  Blocks:		5,044


And the Kaspersky log is the attachment



Edited by Nuggget, 05 January 2008 - 12:40 AM.


#8 lusitano

lusitano

    Portuguese Malware Fighter


  • Members
  • 1,443 posts
  • OFFLINE
  • Gender:Male
  • Location:Portugal
  • Local time:07:55 AM

Posted 08 January 2008 - 12:44 PM

hi,

Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

Now, close any open browsers.
  • Open notepad and copy/paste the text in the quotebox below into it:

Folder::
C:\VundoFix Backups

File::
C:\WINDOWS\system32\dsrsrejk.ini

RENV::
----a-w 2,582,288 2007-12-31 11:14:45 C:\Documents and Settings\Admin\Desktop\DUMeter .exe

IMPORTANT: The above script was written specifically for this infection on this person's computer. It is NOT to be used on another computer, as it may cause damage that could result in a format!
  • Save this as CFScript.txt, in the same location as ComboFix.exe
    Posted Image
  • Referring to the picture above, drag CFScript into ComboFix.exe
  • When finished, it shall produce a log for you at "C:\ComboFix.txt"
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Please do another online scan with Kaspersky WebScanner

In your next reply, please post:
- The results from Combofix
- The results from Kaspersky online scan
- A new HijackThis log
- And please let me know how your computer is running now.
Please do not PM me asking for support.
Please be courteous, polite, and say thank you.
Please post the final results, good or bad. We like to know!

#9 Nuggget

Nuggget
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:07:55 PM

Posted 11 January 2008 - 06:58 AM

Combo fix log

ComboFix 08-01-03.3 - Admin 2008-01-05 0:26:58.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.624 [GMT 11:00]
Running from: C:\Documents and Settings\Admin\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Admin\Desktop\CFScript.txt

FILE
C:\WINDOWS\system32\vturs.dll
.
The following files were disabled during the run:
C:\WINDOWS\system32\sockspy.dll


((((((((((((((((((((((((( Files Created from 2007-12-04 to 2008-01-04 )))))))))))))))))))))))))))))))
.

2008-01-04 17:49 . 2008-01-04 17:49 <DIR> d-------- C:\Documents and Settings\Admin\Application Data\vlc
2008-01-04 17:46 . 2008-01-04 17:46 <DIR> d-------- C:\Program Files\VideoLAN
2008-01-03 20:59 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-03 01:10 . 2008-01-03 01:10 91 --a------ C:\WINDOWS\wininit.ini
2008-01-02 22:59 . 2008-01-02 22:59 <DIR> d-------- C:\Program Files\Lavasoft
2008-01-02 22:59 . 2008-01-02 22:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-01-01 16:18 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-01-01 16:17 . 2008-01-01 16:18 <DIR> d-------- C:\Program Files\Java
2008-01-01 16:17 . 2008-01-01 16:17 <DIR> d-------- C:\Program Files\Common Files\Java
2007-12-31 22:39 . 2007-12-31 22:39 12 --a------ C:\WINDOWS\system32\20556522
2007-12-31 14:16 . 2007-12-31 14:16 <DIR> d-------- C:\Program Files\Trend Micro
2007-12-31 12:54 . 2008-01-05 00:25 81,984 --a------ C:\WINDOWS\system32\bdod.bin
2007-12-31 12:27 . 2007-12-31 12:27 <DIR> d-------- C:\Documents and Settings\Admin\Application Data\Bitdefender
2007-12-31 12:24 . 2007-12-31 13:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\BitDefender
2007-12-29 21:01 . 2007-12-29 21:01 <DIR> d-------- C:\Program Files\Microsoft Games
2007-12-29 14:31 . 2007-12-29 14:33 <DIR> d-------- C:\Documents and Settings\Admin\.housecall6.6
2007-12-29 13:37 . 2008-01-01 18:50 <DIR> d-------- C:\VundoFix Backups
2007-12-29 13:25 . 2008-01-03 21:03 <DIR> d-------- C:\du meter back up
2007-12-29 13:20 . 2007-12-29 13:20 <DIR> d-------- C:\Program Files\Sygate
2007-12-29 13:20 . 2005-09-27 12:15 83,592 --a------ C:\WINDOWS\system32\SSSensor.dll
2007-12-29 13:20 . 2005-09-27 11:43 61,008 --a------ C:\WINDOWS\system32\drivers\Teefer.sys
2007-12-29 13:20 . 2005-09-27 11:44 21,075 --a------ C:\WINDOWS\system32\drivers\wpsdrvnt.sys
2007-12-29 13:20 . 2005-09-27 12:16 14,944 --a------ C:\WINDOWS\system32\drivers\wg3n.sys
2007-12-29 12:12 . 2007-12-29 12:16 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-12-29 00:20 . 2007-12-29 13:23 1,031,379 --ahs---- C:\WINDOWS\system32\dsrsrejk.ini
2007-12-28 11:17 . 2007-12-28 11:17 <DIR> d-------- C:\Program Files\WinAVI Video Converter
2007-12-05 14:43 . 2007-12-05 14:43 <DIR> d-------- C:\Program Files\Teamspeak2_RC2
2007-12-05 14:43 . 2007-12-05 14:43 <DIR> d-------- C:\Documents and Settings\Admin\Application Data\teamspeak2
2007-12-05 14:43 . 2007-12-05 14:43 34,064 --a------ C:\WINDOWS\system32\lhacm.acm

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-04 13:25 --------- d-----w C:\Documents and Settings\Admin\Application Data\Azureus
2008-01-02 11:59 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-01-01 03:28 913,408 ----a-w C:\WINDOWS\system32\xreglib.dll
2008-01-01 03:28 71,040 ----a-w C:\WINDOWS\system32\drivers\bdfndisf.sys
2007-12-28 05:29 --------- d-----w C:\Program Files\Azureus
2007-12-15 10:08 --------- d-----w C:\Program Files\World of Warcraft
2007-11-16 12:40 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-11-16 12:40 --------- d-----w C:\Program Files\Common Files\InstallShield
2007-11-16 12:32 --------- d-----w C:\Program Files\PowerQuest
2007-11-15 11:41 --------- d-----w C:\Program Files\Common Files\Blizzard Entertainment
2007-11-14 09:36 --------- d-----w C:\Documents and Settings\Admin\Application Data\AdobeUM
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-11-11 09:19 --------- d-----w C:\Documents and Settings\All Users\Application Data\FLEXnet
2007-11-11 09:15 --------- d-----w C:\Program Files\Common Files\Adobe
2007-11-11 09:15 --------- d-----w C:\Program Files\Bonjour
2007-11-11 09:07 --------- d-----w C:\Program Files\Common Files\Macrovision Shared
2007-10-31 02:06 60,416 ----a-w C:\WINDOWS\ALCFDRTM.EXE
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-27 06:40 227,328 ----a-w C:\WINDOWS\system32\wmasf.dll
2007-10-14 05:16 737,280 ----a-w C:\WINDOWS\iun6002.exe
2007-10-08 16:32 502,272 ----a-w C:\WINDOWS\system32\winlogon.exe
2004-07-02 19:19 40,960 ----a-w C:\WINDOWS\inf\WG311v2\imdinst.exe
2004-06-18 06:41 386,688 ----a-w C:\WINDOWS\inf\WG311v2\netwg311_XP.sys
2004-04-04 20:07 84,912 ----a-w C:\WINDOWS\inf\WG311v2\FwRad17.bin
2004-04-04 20:07 83,320 ----a-w C:\WINDOWS\inf\WG311v2\FwRad16.bin
2004-02-04 19:53 62,865 ----a-w C:\WINDOWS\inf\WG311v2\odysseyIM3.sys
2004-02-04 19:53 12,739 ----a-w C:\WINDOWS\inf\WG311v2\odNetInstall.dll
.
----a-w		 2,582,288 2007-12-31 11:14:45  C:\Documents and Settings\Admin\Desktop\DUMeter .exe


((((((((((((((((((((((((((((( snapshot@2008-01-03_21.05.19.43 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-01-03 23:28:53 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_4c4.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 23:00 15360]
"DU Meter"="C:\Documents and Settings\Admin\Desktop\DUMeter.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2005-07-21 15:07 7110656]
"nwiz"="nwiz.exe" [2005-07-21 15:07 1519616 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2005-07-21 15:07 86016]
"RegistryMechanic"="" []
"BDAgent"="C:\Program Files\Softwin\BitDefender10\bdagent.exe" [2008-01-03 20:57 69632]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2004-08-04 23:00 53760 C:\WINDOWS\system32\narrator.exe]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
NETGEAR WG311v2 Smart Configuration.lnk - C:\Program Files\NETGEAR WG311v2 Adapter\wlancfg5.exe [2004-10-15 06:32:18]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=sockspy.dll

R1 bdftdif;BitDefender Firewall TDI Filter;C:\Program Files\Common Files\Softwin\BitDefender Firewall\bdftdif.sys [2008-01-01 14:27]
R2 DUMeterSvc;DU Meter Service;C:\Program Files\DU Meter\DUMeterSvc.exe [2007-10-15 15:19]
R2 LISCADUpdate;LISCAD Update;C:\WINDOWS\system32\LiscadUpdate.exe [2007-05-19 02:01]
R3 Bdfndisf;BitDefender Firewall NDIS Filter Service;C:\WINDOWS\system32\DRIVERS\bdfndisf.sys [2008-01-01 14:28]
R3 odysseyIM3;Odyssey Network Services Miniport;C:\WINDOWS\system32\DRIVERS\odysseyIM3.sys [2007-09-08 16:15]

.
Contents of the 'Scheduled Tasks' folder
"2007-10-25 02:53:04 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-05 00:29:08
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\DUMeterSvc]
"ImagePath"="C:\Program Files\DU Meter\DUMeterSvc.exe /startedbyscm:E1F6D4BE-40E33354-DUMeterService"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\sockspy.dll

PROCESS: C:\WINDOWS\system32\lsass.exe [5.01.2600.2180]
-> C:\WINDOWS\system32\sockspy.dll
.
Completion time: 2008-01-05 0:30:05
ComboFix-quarantined-files.txt 2008-01-04 13:30:00
ComboFix2.txt 2008-01-03 10:05:36
.
2007-12-27 16:00:38 --- E O F ---


Hijackthis log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:49:10 PM, on 1/11/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\Crypserv.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\DU Meter\DUMeterSvc.exe
C:\WINDOWS\system32\LiscadUpdate.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
C:\Program Files\Softwin\BitDefender10\vsserv.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Softwin\BitDefender10\bdagent.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\NETGEAR WG311v2 Adapter\wlancfg5.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Admin\Desktop\DUMeter .exe
C:\WINDOWS\System32\svchost.exe
c:\program files\softwin\bitdefender10\bdmcon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Winamp\winamp.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\Softwin\BitDefender10\bdagent.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DU Meter] C:\Documents and Settings\Admin\Desktop\DUMeter.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Acrobat Synchronizer.lnk = C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AdobeCollabSync.exe
O4 - Global Startup: NETGEAR WG311v2 Smart Configuration.lnk = C:\Program Files\NETGEAR WG311v2 Adapter\wlancfg5.exe
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - AutorunsDisabled - (no file)
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Crypkey License - CrypKey (Canada) Ltd. - C:\WINDOWS\system32\Crypserv.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: DU Meter Service (DUMeterSvc) - Hagel Technologies Ltd - C:\Program Files\DU Meter\DUMeterSvc.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LISCAD Update (LISCADUpdate) - LISTECH Pty. Ltd. - C:\WINDOWS\system32\LiscadUpdate.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - SOFTWIN S.R.L. - C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
O23 - Service: WinFast® Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - SOFTWIN S.R.L. - C:\Program Files\Softwin\BitDefender10\vsserv.exe
O23 - Service: BitDefender Communicator (XCOMM) - SOFTWIN S.R.L - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe

--
End of file - 8048 bytes

Kaspersky is the attachment

When I was scanning with Kaspersky, BitDefender popped up with some Virtumonde viruses under System Restore :\
Here they are (well, a few; there's about 20 in total :S):

File c:\system volume information\_restore{7df2330f-fd58-4a04-8112-5f48c265edc5}\rp6\a0001225.exe
infected with Trojan.Dropper.Vundo.D

File c:\system volume information\_restore{7df2330f-fd58-4a04-8112-5f48c265edc5}\rp3\a0000028.dll
infected with Trojan.Vundo.DUH

File c:\system volume information\_restore{7df2330f-fd58-4a04-8112-5f48c265edc5}\rp3\a0000020.exe
infected with Trojan.Dropper.Vundo.D

And so on....


My computer is running well atm, I can't even tell I've got viruses except for the virus scan alerts.



Edited by Nuggget, 11 January 2008 - 06:59 AM.


#10 lusitano

lusitano

    Portuguese Malware Fighter


  • Members
  • 1,443 posts
  • Gender:Male
  • Location:Portugal
  • Local time:07:55 AM

Posted 11 January 2008 - 02:08 PM

Hello

When I was scanning with Kaspersky, BitDefender popped up with some Virtumonde viruses under System Restore :\

No problem, that's a good sign ;)
The folder System Volume Information is related to Windows XP System Restore, so when we delete a file, the file goes to that folder. We will take care of that at the end; don't worry.

Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

Now, close any open browsers.
  • Open notepad and copy/paste the text in the quotebox below into it:

File::
C:\WINDOWS\system32\dsrsrejk.ini

RENV::
----a-w 2,582,288 2007-12-31 11:14:45 C:\Documents and Settings\Admin\Desktop\DUMeter .exe

IMPORTANT: The above script was written specifically for this infection on this person's computer. It is NOT to be used on another computer, as it may cause damage that could result in a format!
  • Save this as CFScript.txt, in the same location as ComboFix.exe
    Posted Image
  • Referring to the picture above, drag CFScript into ComboFix.exe
  • When finished, it shall produce a log for you at "C:\ComboFix.txt". Please post it along with a new HijackThis log, and please let me know how your computer is running now.
Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.
Please do not PM me asking for support.
Please be courteous, polite, and say thank you.
Please post the final results, good or bad. We like to know!

#11 Nuggget

Nuggget
  • Topic Starter

  • Members
  • 7 posts
  • Local time:07:55 PM

Posted 12 January 2008 - 03:17 AM

ComboFix 08-01-03.3 - Admin 2008-01-12 19:07:14.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.612 [GMT 11:00]
Running from: C:\Documents and Settings\Admin\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Admin\Desktop\CFScript.txt
* Created a new restore point

FILE
C:\WINDOWS\system32\dsrsrejk.ini
.
The following files were disabled during the run:
C:\WINDOWS\system32\sockspy.dll


((((((((((((((((((((((((( Files Created from 2007-12-12 to 2008-01-12 )))))))))))))))))))))))))))))))
.

2008-01-10 21:45 . 2008-01-10 21:45 281 --a------ C:\WINDOWS\EReg072.dat
2008-01-10 21:42 . 2008-01-10 21:42 <DIR> d-------- C:\Program Files\Maxis
2008-01-10 21:41 . 2008-01-10 21:41 <DIR> d-------- C:\Documents and Settings\Admin\WINDOWS
2008-01-10 21:41 . 1998-07-30 12:51 305,152 --a------ C:\WINDOWS\IsUninst.exe
2008-01-10 12:06 . 2008-01-10 12:06 1,374 --a------ C:\WINDOWS\imsins.BAK
2008-01-06 20:41 . 2008-01-06 20:41 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-01-06 20:41 . 2008-01-06 20:41 1,409 --a------ C:\WINDOWS\QTFont.for
2008-01-05 13:31 . 2008-01-05 13:31 <DIR> d-------- C:\Documents and Settings\Admin\Application Data\Talkback
2008-01-05 00:38 . 2008-01-05 00:38 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-01-05 00:38 . 2008-01-05 00:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-01-05 00:36 . 2008-01-05 00:36 <DIR> d---s---- C:\Documents and Settings\Admin\UserData
2008-01-04 17:49 . 2008-01-04 17:49 <DIR> d-------- C:\Documents and Settings\Admin\Application Data\vlc
2008-01-04 17:46 . 2008-01-04 17:46 <DIR> d-------- C:\Program Files\VideoLAN
2008-01-03 20:59 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-03 01:10 . 2008-01-03 01:10 91 --a------ C:\WINDOWS\wininit.ini
2008-01-02 22:59 . 2008-01-02 22:59 <DIR> d-------- C:\Program Files\Lavasoft
2008-01-02 22:59 . 2008-01-02 22:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-01-01 16:18 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-01-01 16:17 . 2008-01-01 16:18 <DIR> d-------- C:\Program Files\Java
2008-01-01 16:17 . 2008-01-01 16:17 <DIR> d-------- C:\Program Files\Common Files\Java
2007-12-31 22:39 . 2007-12-31 22:39 12 --a------ C:\WINDOWS\system32\20556522
2007-12-31 14:16 . 2007-12-31 14:16 <DIR> d-------- C:\Program Files\Trend Micro
2007-12-31 12:54 . 2008-01-12 19:06 81,984 --a------ C:\WINDOWS\system32\bdod.bin
2007-12-31 12:27 . 2007-12-31 12:27 <DIR> d-------- C:\Documents and Settings\Admin\Application Data\Bitdefender
2007-12-31 12:24 . 2007-12-31 13:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\BitDefender
2007-12-29 21:01 . 2007-12-29 21:01 <DIR> d-------- C:\Program Files\Microsoft Games
2007-12-29 14:31 . 2007-12-29 14:33 <DIR> d-------- C:\Documents and Settings\Admin\.housecall6.6
2007-12-29 13:25 . 2008-01-03 21:03 <DIR> d-------- C:\du meter back up
2007-12-29 13:20 . 2007-12-29 13:20 <DIR> d-------- C:\Program Files\Sygate
2007-12-29 13:20 . 2005-09-27 12:15 83,592 --a------ C:\WINDOWS\system32\SSSensor.dll
2007-12-29 13:20 . 2005-09-27 11:43 61,008 --a------ C:\WINDOWS\system32\drivers\Teefer.sys
2007-12-29 13:20 . 2005-09-27 11:44 21,075 --a------ C:\WINDOWS\system32\drivers\wpsdrvnt.sys
2007-12-29 13:20 . 2005-09-27 12:16 14,944 --a------ C:\WINDOWS\system32\drivers\wg3n.sys
2007-12-29 12:12 . 2007-12-29 12:16 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-12-28 11:17 . 2007-12-28 11:17 <DIR> d-------- C:\Program Files\WinAVI Video Converter

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-11 04:20 --------- d-----w C:\Documents and Settings\All Users\Application Data\FLEXnet
2008-01-11 04:09 --------- d-----w C:\Program Files\Common Files\Adobe
2008-01-10 08:20 --------- d-----w C:\Documents and Settings\Admin\Application Data\Azureus
2008-01-08 08:48 --------- d-----w C:\Documents and Settings\Admin\Application Data\AdobeUM
2008-01-02 11:59 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-01-01 03:28 913,408 ----a-w C:\WINDOWS\system32\xreglib.dll
2008-01-01 03:28 71,040 ----a-w C:\WINDOWS\system32\drivers\bdfndisf.sys
2007-12-28 05:29 --------- d-----w C:\Program Files\Azureus
2007-12-15 10:08 --------- d-----w C:\Program Files\World of Warcraft
2007-12-05 03:43 --------- d-----w C:\Program Files\Teamspeak2_RC2
2007-12-05 03:43 --------- d-----w C:\Documents and Settings\Admin\Application Data\teamspeak2
2007-11-16 12:40 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-11-16 12:40 --------- d-----w C:\Program Files\Common Files\InstallShield
2007-11-16 12:32 --------- d-----w C:\Program Files\PowerQuest
2007-11-15 11:41 --------- d-----w C:\Program Files\Common Files\Blizzard Entertainment
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-11-07 09:26 721,920 ----a-w C:\WINDOWS\system32\lsasrv.dll
2007-10-31 02:06 60,416 ----a-w C:\WINDOWS\ALCFDRTM.EXE
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-27 06:40 227,328 ----a-w C:\WINDOWS\system32\wmasf.dll
2007-10-14 05:16 737,280 ----a-w C:\WINDOWS\iun6002.exe
2004-07-02 19:19 40,960 ----a-w C:\WINDOWS\inf\WG311v2\imdinst.exe
2004-06-18 06:41 386,688 ----a-w C:\WINDOWS\inf\WG311v2\netwg311_XP.sys
2004-04-04 20:07 84,912 ----a-w C:\WINDOWS\inf\WG311v2\FwRad17.bin
2004-04-04 20:07 83,320 ----a-w C:\WINDOWS\inf\WG311v2\FwRad16.bin
2004-02-04 19:53 62,865 ----a-w C:\WINDOWS\inf\WG311v2\odysseyIM3.sys
2004-02-04 19:53 12,739 ----a-w C:\WINDOWS\inf\WG311v2\odNetInstall.dll
.
----a-w		 2,582,288 2007-12-31 11:14:45  C:\Documents and Settings\Admin\Desktop\DUMeter .exe
----a-w		 2,582,288 2008-01-09 09:47:51  C:\Program Files\DU Meter\DUMeter .exe


((((((((((((((((((((((((((((( snapshot_2008-01-11_17.57.02.70 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-01-11 22:50:08 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_1a8.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 23:00 15360]
"DU Meter"="C:\Documents and Settings\Admin\Desktop\DUMeter.exe" [ ]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-14 03:24 1694208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2005-07-21 15:07 7110656]
"nwiz"="nwiz.exe" [2005-07-21 15:07 1519616 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2005-07-21 15:07 86016]
"RegistryMechanic"="" []
"BDAgent"="C:\Program Files\Softwin\BitDefender10\bdagent.exe" [2008-01-03 20:57 69632]
"Acrobat Assistant 8.0"="C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2006-10-22 23:24 620152]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2004-08-04 23:00 53760 C:\WINDOWS\system32\narrator.exe]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - C:\WINDOWS\Installer\{AC76BA86-1033-F400-7760-000000000003}\_SC_Acrobat.exe [2008-01-11 15:18:36]
Adobe Acrobat Synchronizer.lnk - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AdobeCollabSync.exe [2006-10-23 00:01:50]
NETGEAR WG311v2 Smart Configuration.lnk - C:\Program Files\NETGEAR WG311v2 Adapter\wlancfg5.exe [2004-10-15 06:32:18]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=sockspy.dll

R1 bdftdif;BitDefender Firewall TDI Filter;C:\Program Files\Common Files\Softwin\BitDefender Firewall\bdftdif.sys [2008-01-01 14:27]
R2 DUMeterSvc;DU Meter Service;C:\Program Files\DU Meter\DUMeterSvc.exe [2008-01-09 20:48]
R2 LISCADUpdate;LISCAD Update;C:\WINDOWS\system32\LiscadUpdate.exe [2007-05-19 02:01]
R3 Bdfndisf;BitDefender Firewall NDIS Filter Service;C:\WINDOWS\system32\DRIVERS\bdfndisf.sys [2008-01-01 14:28]
R3 odysseyIM3;Odyssey Network Services Miniport;C:\WINDOWS\system32\DRIVERS\odysseyIM3.sys [2007-09-08 16:15]

.
Contents of the 'Scheduled Tasks' folder
"2007-10-25 02:53:04 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-12 19:09:34
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\DUMeterSvc]
"ImagePath"="C:\Program Files\DU Meter\DUMeterSvc.exe /startedbyscm:E1F6D4BE-40E33354-DUMeterService"
.
Completion time: 2008-01-12 19:10:25
ComboFix-quarantined-files.txt 2008-01-12 08:10:22
ComboFix2.txt 2008-01-11 06:57:32
ComboFix3.txt 2008-01-04 13:30:06
ComboFix4.txt 2008-01-03 10:05:36
.
2008-01-10 01:07:42 --- E O F ---

Hijackthis log:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:16:10 PM, on 1/12/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\Crypserv.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\DU Meter\DUMeterSvc.exe
C:\WINDOWS\system32\LiscadUpdate.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
C:\Program Files\Softwin\BitDefender10\vsserv.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Softwin\BitDefender10\bdagent.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\NETGEAR WG311v2 Adapter\wlancfg5.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Admin\Desktop\DUMeter .exe
C:\Program Files\Softwin\BitDefender10\bdmcon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\Softwin\BitDefender10\bdagent.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DU Meter] C:\Documents and Settings\Admin\Desktop\DUMeter.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Acrobat Synchronizer.lnk = C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AdobeCollabSync.exe
O4 - Global Startup: NETGEAR WG311v2 Smart Configuration.lnk = C:\Program Files\NETGEAR WG311v2 Adapter\wlancfg5.exe
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - AutorunsDisabled - (no file)
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Crypkey License - CrypKey (Canada) Ltd. - C:\WINDOWS\system32\Crypserv.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: DU Meter Service (DUMeterSvc) - Hagel Technologies Ltd - C:\Program Files\DU Meter\DUMeterSvc.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LISCAD Update (LISCADUpdate) - LISTECH Pty. Ltd. - C:\WINDOWS\system32\LiscadUpdate.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - SOFTWIN S.R.L. - C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
O23 - Service: WinFast® Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - SOFTWIN S.R.L. - C:\Program Files\Softwin\BitDefender10\vsserv.exe
O23 - Service: BitDefender Communicator (XCOMM) - SOFTWIN S.R.L - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe

--
End of file - 8000 bytes


Computer is running well :thumbsup:

#12 lusitano

lusitano

    Portuguese Malware Fighter


  • Members
  • 1,443 posts
  • Gender:Male
  • Location:Portugal
  • Local time:07:55 AM

Posted 14 January 2008 - 12:39 PM

Hi,



Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

Now, close any open browsers.
  • Open notepad and copy/paste the text in the quotebox below into it:
File::
C:\WINDOWS\EReg072.dat

RenV::
----a-w		 2,582,288 2007-12-31 11:14:45  C:\Documents and Settings\Admin\Desktop\DUMeter .exe
----a-w		 2,582,288 2008-01-09 09:47:51  C:\Program Files\DU Meter\DUMeter .exe
IMPORTANT: The above script was written specifically for this infection on this person's computer. It is NOT to be used on another computer, as it may cause damage that could result in a format!
  • Save this as CFScript.txt, in the same location as ComboFix.exe
    Posted Image
  • Referring to the picture above, drag CFScript into ComboFix.exe
  • When finished, it shall produce a log for you at "C:\ComboFix.txt". Post it along with a new HijackThis log.
Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

Edited by __RiP_ChAiN_, 14 January 2008 - 06:55 PM.

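The two things the helper's CFScript targets are both visible in the logs above: a Run value whose target ComboFix could not find (the `"DU Meter"="...\DUMeter.exe" [ ]` line in the first ComboFix log, which only shows a date and size after the RenV:: script, the on-disk name having been `DUMeter .exe` with a space before the extension) and a non-empty `AppInit_DLLs` value (`sockspy.dll`, which ComboFix reported disabling). The script below is an added example, not code from this thread, from ComboFix or from HijackThis: it parses lines in the ComboFix log layout and flags exactly those two conditions, plus any file listed with whitespace before its extension. The sample lines are copied from the logs posted above; the rule names and the review notes are this example's own assumptions.

```python
"""Triage helpers for ComboFix-style log lines.

Constructed example, not ComboFix, HijackThis or BleepingComputer code.
The sample lines are taken from the logs posted in this thread; the rule
names and notes are assumptions of this example.
"""
import re
from collections import namedtuple

Finding = namedtuple("Finding", "rule subject note")

# Constructed sample: a few lines from the ComboFix logs above (spaces instead of tabs).
SAMPLE_LOG = r'''
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 23:00 15360]
"DU Meter"="C:\Documents and Settings\Admin\Desktop\DUMeter.exe" [ ]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-14 03:24 1694208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RegistryMechanic"="" []

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=sockspy.dll

----a-w   2,582,288 2007-12-31 11:14:45  C:\Documents and Settings\Admin\Desktop\DUMeter .exe
----a-w   2,582,288 2008-01-09 09:47:51  C:\Program Files\DU Meter\DUMeter .exe
'''

# REGEDIT4-style value line with ComboFix's trailing "[date time size]" metadata.
RUN_VALUE = re.compile(r'^"(?P<name>[^"]*)"="(?P<target>[^"]*)"\s*\[(?P<meta>[^\]]*)\]\s*$')
# AppInit_DLLs value, quoted or not.
APPINIT_VALUE = re.compile(r'^"AppInit_DLLs"="?(?P<value>[^"]*)"?\s*$', re.IGNORECASE)
# File line in the "attributes size date time path" layout (the RenV:: layout only).
FILE_LINE = re.compile(r'^[-a-z]{7}\s+[\d,]+\s+\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\s+(?P<path>\S.*)$')
SPACE_BEFORE_EXT = re.compile(r'\s+(\.[A-Za-z0-9]{1,4})$')


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def has_space_before_extension(path):
    """True for names like 'DUMeter .exe', where whitespace sits before the extension."""
    return SPACE_BEFORE_EXT.search(basename(path)) is not None


def collapse_space_before_extension(path):
    """'DUMeter .exe' -> 'DUMeter.exe', used to match a Run target to the file on disk."""
    return SPACE_BEFORE_EXT.sub(r"\1", path)


def triage(log_text):
    """Return Findings for the three conditions this example checks."""
    findings = []
    lines = [ln.rstrip() for ln in log_text.splitlines()]

    # Pass 1: index files whose name carries whitespace before the extension.
    on_disk = {}  # collapsed lower-case path -> path as listed in the log
    for ln in lines:
        m = FILE_LINE.match(ln)
        if m and has_space_before_extension(m.group("path")):
            path = m.group("path")
            on_disk[collapse_space_before_extension(path).lower()] = path
            findings.append(Finding("space_in_name", path,
                                    "whitespace before the extension; compare with the vendor's file name"))

    # Pass 2: registry loading points.
    for ln in lines:
        m = APPINIT_VALUE.match(ln)
        if m and m.group("value").strip():
            findings.append(Finding("appinit_dll", m.group("value").strip(),
                                    "AppInit_DLLs loads this DLL into every process that loads user32.dll; "
                                    "confirm publisher and purpose"))
            continue
        m = RUN_VALUE.match(ln)
        # Empty "[ ]" metadata means ComboFix could not read the target file's date/size.
        if m and m.group("target") and not m.group("meta").strip():
            target = m.group("target")
            note = "Run value points at a file ComboFix could not stat"
            listed = on_disk.get(target.lower())
            if listed:
                note += f"; a file named like it with an extra space exists: {listed}"
            findings.append(Finding("run_target_missing", f"{m.group('name')} -> {target}", note))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.rule}] {f.subject}: {f.note}")
```

Run stand-alone it prints one line per finding: the two `DUMeter .exe` names, the `sockspy.dll` AppInit entry and the orphaned `DU Meter` Run value matched to its oddly named file. It only understands the REGEDIT4 value lines and the RenV-style file layout; the Find3M report lines use a different column order and are ignored.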

#13 Nuggget

Nuggget
  • Topic Starter

  • Members
  • 7 posts
  • Local time:07:55 PM

Posted 17 January 2008 - 08:24 AM

ComboFix 08-01-17.5 - Admin 2008-01-17 23:57:58.5 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.622 [GMT 11:00]
Running from: C:\Documents and Settings\Admin\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Admin\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE
C:\WINDOWS\EReg072.dat
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\EReg072.dat

.
((((((((((((((((((((((((( Files Created from 2007-12-17 to 2008-01-17 )))))))))))))))))))))))))))))))
.

2008-01-17 23:57 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-17 19:45 . 2008-01-17 19:45 <DIR> d-------- C:\Program Files\EA GAMES
2008-01-16 00:09 . 2008-01-16 00:09 25 --a------ C:\WINDOWS\cdplayer.ini
2008-01-16 00:07 . 2008-01-16 00:07 <DIR> d-------- C:\Program Files\Common Files\xing shared
2008-01-16 00:06 . 2008-01-16 00:06 <DIR> d-------- C:\Program Files\Real
2008-01-16 00:06 . 2008-01-16 00:07 <DIR> d-------- C:\Program Files\Common Files\Real
2008-01-15 22:39 . 2008-01-15 22:39 <DIR> d-------- C:\Program Files\PowerISO
2008-01-15 22:34 . 2008-01-15 22:34 <DIR> d-------- C:\Program Files\Microsoft IntelliType Pro
2008-01-15 22:33 . 2008-01-15 22:33 <DIR> d-------- C:\Program Files\Microsoft IntelliType Pro 5.5
2008-01-13 12:52 . 2008-01-13 12:52 <DIR> d-------- C:\VundoFix Backups
2008-01-10 21:42 . 2008-01-10 21:42 <DIR> d-------- C:\Program Files\Maxis
2008-01-10 21:41 . 2008-01-10 21:41 <DIR> d-------- C:\Documents and Settings\Admin\WINDOWS
2008-01-10 21:41 . 1998-07-30 12:51 305,152 --a------ C:\WINDOWS\IsUninst.exe
2008-01-10 12:06 . 2008-01-10 12:06 1,374 --a------ C:\WINDOWS\imsins.BAK
2008-01-06 20:41 . 2008-01-17 01:04 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-01-06 20:41 . 2008-01-06 20:41 1,409 --a------ C:\WINDOWS\QTFont.for
2008-01-05 13:31 . 2008-01-05 13:31 <DIR> d-------- C:\Documents and Settings\Admin\Application Data\Talkback
2008-01-05 00:38 . 2008-01-05 00:38 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-01-05 00:38 . 2008-01-05 00:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-01-05 00:36 . 2008-01-05 00:36 <DIR> d---s---- C:\Documents and Settings\Admin\UserData
2008-01-04 17:49 . 2008-01-04 17:49 <DIR> d-------- C:\Documents and Settings\Admin\Application Data\vlc
2008-01-04 17:46 . 2008-01-04 17:46 <DIR> d-------- C:\Program Files\VideoLAN
2008-01-03 01:10 . 2008-01-03 01:10 91 --a------ C:\WINDOWS\wininit.ini
2008-01-02 22:59 . 2008-01-02 22:59 <DIR> d-------- C:\Program Files\Lavasoft
2008-01-02 22:59 . 2008-01-02 22:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-01-01 16:18 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-01-01 16:17 . 2008-01-01 16:18 <DIR> d-------- C:\Program Files\Java
2008-01-01 16:17 . 2008-01-01 16:17 <DIR> d-------- C:\Program Files\Common Files\Java
2007-12-31 22:39 . 2007-12-31 22:39 12 --a------ C:\WINDOWS\system32\20556522
2007-12-31 14:16 . 2007-12-31 14:16 <DIR> d-------- C:\Program Files\Trend Micro
2007-12-31 12:54 . 2008-01-18 00:17 81,984 --a------ C:\WINDOWS\system32\bdod.bin
2007-12-31 12:27 . 2007-12-31 12:27 <DIR> d-------- C:\Documents and Settings\Admin\Application Data\Bitdefender
2007-12-31 12:24 . 2007-12-31 13:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\BitDefender
2007-12-29 21:01 . 2007-12-29 21:01 <DIR> d-------- C:\Program Files\Microsoft Games
2007-12-29 14:31 . 2007-12-29 14:33 <DIR> d-------- C:\Documents and Settings\Admin\.housecall6.6
2007-12-29 13:25 . 2008-01-03 21:03 <DIR> d-------- C:\du meter back up
2007-12-29 13:20 . 2007-12-29 13:20 <DIR> d-------- C:\Program Files\Sygate
2007-12-29 13:20 . 2005-09-27 12:15 83,592 --a------ C:\WINDOWS\system32\SSSensor.dll
2007-12-29 13:20 . 2005-09-27 11:43 61,008 --a------ C:\WINDOWS\system32\drivers\Teefer.sys
2007-12-29 13:20 . 2005-09-27 11:44 21,075 --a------ C:\WINDOWS\system32\drivers\wpsdrvnt.sys
2007-12-29 13:20 . 2005-09-27 12:16 14,944 --a------ C:\WINDOWS\system32\drivers\wg3n.sys
2007-12-29 12:12 . 2007-12-29 12:16 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-12-28 11:17 . 2007-12-28 11:17 <DIR> d-------- C:\Program Files\WinAVI Video Converter

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-17 12:33 --------- d-----w C:\Documents and Settings\Admin\Application Data\Azureus
2008-01-11 04:20 --------- d-----w C:\Documents and Settings\All Users\Application Data\FLEXnet
2008-01-11 04:09 --------- d-----w C:\Program Files\Common Files\Adobe
2008-01-08 08:48 --------- d-----w C:\Documents and Settings\Admin\Application Data\AdobeUM
2008-01-02 11:59 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-01-01 03:28 71,040 ----a-w C:\WINDOWS\system32\drivers\bdfndisf.sys
2007-12-28 05:29 --------- d-----w C:\Program Files\Azureus
2007-12-15 10:08 --------- d-----w C:\Program Files\World of Warcraft
2007-12-05 03:43 --------- d-----w C:\Program Files\Teamspeak2_RC2
2007-12-05 03:43 --------- d-----w C:\Documents and Settings\Admin\Application Data\teamspeak2
2007-10-31 02:06 60,416 ----a-w C:\WINDOWS\ALCFDRTM.EXE
2004-07-02 19:19 40,960 ----a-w C:\WINDOWS\inf\WG311v2\imdinst.exe
2004-06-18 06:41 386,688 ----a-w C:\WINDOWS\inf\WG311v2\netwg311_XP.sys
2004-04-04 20:07 84,912 ----a-w C:\WINDOWS\inf\WG311v2\FwRad17.bin
2004-04-04 20:07 83,320 ----a-w C:\WINDOWS\inf\WG311v2\FwRad16.bin
2004-02-04 19:53 62,865 ----a-w C:\WINDOWS\inf\WG311v2\odysseyIM3.sys
2004-02-04 19:53 12,739 ----a-w C:\WINDOWS\inf\WG311v2\odNetInstall.dll
.
----a-w		12,977,680 2008-01-15 13:03:57  C:\Documents and Settings\Admin\My Documents\Azureus Downloads\Real Player 11 Plus Gold incl crack and vista skin\Real.Player.10.6.GOLD\Real Player 10.6 GOLD .exe


((((((((((((((((((((((((((((( snapshot_2008-01-11_17.57.02.70 )))))))))))))))))))))))))))))))))))))))))
.
+ 2000-08-30 21:00:00 163,328 ----a-w C:\WINDOWS\erdnt\Hiv-backup\ERDNT.EXE
+ 2008-01-17 12:57:25 1,404,928 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
+ 2008-01-17 12:57:25 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
+ 2008-01-17 12:57:25 1,404,928 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
+ 2008-01-17 12:57:25 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
+ 2008-01-17 12:57:25 5,316,608 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\ntuser.dat
+ 2008-01-17 12:57:25 159,744 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
+ 2008-01-15 11:34:19 25,214 ----a-r C:\WINDOWS\Installer\{F02CF4B0-05EC-4938-A8D2-F739AF3B4363}\ARPPRODUCTICON.exe
+ 2008-01-15 11:34:19 25,214 ----a-r C:\WINDOWS\Installer\{F02CF4B0-05EC-4938-A8D2-F739AF3B4363}\DS_CPL.exe
+ 2008-01-15 11:34:19 25,214 ----a-r C:\WINDOWS\Installer\{F02CF4B0-05EC-4938-A8D2-F739AF3B4363}\ITP_HCG.exe
+ 2008-01-15 11:34:19 4,846 ----a-r C:\WINDOWS\Installer\{F02CF4B0-05EC-4938-A8D2-F739AF3B4363}\ITP_KeyboardUG.exe
+ 2008-01-15 11:34:19 29,926 ----a-r C:\WINDOWS\Installer\{F02CF4B0-05EC-4938-A8D2-F739AF3B4363}\NewShortcut1_5D5B9E6A344C497695ABABBDC648E5DA.exe
+ 2008-01-15 11:34:19 29,926 ----a-r C:\WINDOWS\Installer\{F02CF4B0-05EC-4938-A8D2-F739AF3B4363}\NewShortcut2_5D5B9E6A344C497695ABABBDC648E5DA.exe
+ 2008-01-15 11:34:19 25,214 ----a-r C:\WINDOWS\Installer\{F02CF4B0-05EC-4938-A8D2-F739AF3B4363}\PGM_CPL.exe
+ 2007-08-07 00:15:07 33,052 ----a-w C:\WINDOWS\system32\drivers\scdemu.sys
- 2003-11-25 22:32:02 123,392 ----a-w C:\WINDOWS\system32\pncrt.dll
+ 2008-01-15 13:06:55 278,528 ----a-w C:\WINDOWS\system32\pncrt.dll
+ 2008-01-15 13:06:56 6,656 ----a-w C:\WINDOWS\system32\pndx5016.dll
+ 2008-01-15 13:06:56 5,632 ----a-w C:\WINDOWS\system32\pndx5032.dll
+ 2008-01-15 13:07:03 185,952 ----a-w C:\WINDOWS\system32\rmoc3260.dll
+ 2006-01-26 08:19:52 73,728 ----a-w C:\WINDOWS\system32\sockspy.dll
+ 2008-01-17 13:01:45 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_200.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 23:00 15360]
"DU Meter"="C:\Documents and Settings\Admin\Desktop\DUMeter.exe" [2007-12-31 22:14 2582288]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-14 03:24 1694208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2005-07-21 15:07 7110656]
"nwiz"="nwiz.exe" [2005-07-21 15:07 1519616 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2005-07-21 15:07 86016]
"RegistryMechanic"="" []
"BDAgent"="C:\Program Files\Softwin\BitDefender10\bdagent.exe" [2008-01-03 20:57 69632]
"Acrobat Assistant 8.0"="C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2006-10-22 23:24 620152]
"BDMCon"="c:\PROGRA~1\softwin\BITDEF~1\bdmcon.exe" [2008-01-03 01:13 290816]
"itype"="C:\Program Files\Microsoft IntelliType Pro\itype.exe" [2005-12-04 16:38 437008]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-01-16 00:06 185896]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2004-08-04 23:00 53760 C:\WINDOWS\system32\narrator.exe]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - C:\WINDOWS\Installer\{AC76BA86-1033-F400-7760-000000000003}\_SC_Acrobat.exe [2008-01-11 15:18:36]
Adobe Acrobat Synchronizer.lnk - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AdobeCollabSync.exe [2006-10-23 00:01:50]
NETGEAR WG311v2 Smart Configuration.lnk - C:\Program Files\NETGEAR WG311v2 Adapter\wlancfg5.exe [2004-10-15 06:32:18]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=sockspy.dll

R1 bdftdif;BitDefender Firewall TDI Filter;C:\Program Files\Common Files\Softwin\BitDefender Firewall\bdftdif.sys [2008-01-01 14:27]
R2 DUMeterSvc;DU Meter Service;C:\Program Files\DU Meter\DUMeterSvc.exe [2008-01-09 20:48]
R2 LISCADUpdate;LISCAD Update;C:\WINDOWS\system32\LiscadUpdate.exe [2007-05-19 02:01]
R3 Bdfndisf;BitDefender Firewall NDIS Filter Service;C:\WINDOWS\system32\DRIVERS\bdfndisf.sys [2008-01-01 14:28]
R3 odysseyIM3;Odyssey Network Services Miniport;C:\WINDOWS\system32\DRIVERS\odysseyIM3.sys [2007-09-08 16:15]

.
Contents of the 'Scheduled Tasks' folder
"2007-10-25 02:53:04 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-18 00:20:49
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\DUMeterSvc]
"ImagePath"="C:\Program Files\DU Meter\DUMeterSvc.exe /startedbyscm:E1F6D4BE-40E33354-DUMeterService"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\Explorer.EXE [6.00.2900.3156]
-> C:\WINDOWS\system32\sockspy.dll
.
Completion time: 2008-01-18 0:22:41 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-17 13:22:39
ComboFix2.txt 2008-01-12 08:10:26
.
2008-01-10 01:07:42 --- E O F ---

Hijackthis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:23:46 AM, on 1/18/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\Crypserv.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\DU Meter\DUMeterSvc.exe
C:\WINDOWS\system32\LiscadUpdate.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
C:\Program Files\Softwin\BitDefender10\vsserv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Softwin\BitDefender10\bdagent.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\PROGRA~1\softwin\BITDEF~1\bdmcon.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Admin\Desktop\DUMeter.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\acrobat_sl.exe
C:\Program Files\NETGEAR WG311v2 Adapter\wlancfg5.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\Softwin\BitDefender10\bdagent.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [BDMCon] c:\PROGRA~1\softwin\BITDEF~1\bdmcon.exe
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DU Meter] C:\Documents and Settings\Admin\Desktop\DUMeter.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Acrobat Synchronizer.lnk = C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AdobeCollabSync.exe
O4 - Global Startup: NETGEAR WG311v2 Smart Configuration.lnk = C:\Program Files\NETGEAR WG311v2 Adapter\wlancfg5.exe
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - AutorunsDisabled - (no file)
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Crypkey License - CrypKey (Canada) Ltd. - C:\WINDOWS\system32\Crypserv.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: DU Meter Service (DUMeterSvc) - Hagel Technologies Ltd - C:\Program Files\DU Meter\DUMeterSvc.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LISCAD Update (LISCADUpdate) - LISTECH Pty. Ltd. - C:\WINDOWS\system32\LiscadUpdate.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - SOFTWIN S.R.L. - C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
O23 - Service: WinFast® Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - SOFTWIN S.R.L. - C:\Program Files\Softwin\BitDefender10\vsserv.exe
O23 - Service: BitDefender Communicator (XCOMM) - SOFTWIN S.R.L - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe

--
End of file - 8371 bytes
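
As an added illustration (not part of the original post, nor of HijackThis or ComboFix), here is a small Python triage pass over log lines in the format shown above. It flags autostart images living in user-writable locations, bare image names that Windows resolves through a PATH search, orphaned "(no file)" entries, AppInit_DLLs loads and services that carry no publisher information; the sample lines and severity levels are constructed for this example.

```python
import re

# Constructed sample lines, modelled on the HijackThis and ComboFix output
# posted above (the O20 line mirrors ComboFix's AppInit_DLLs finding).
SAMPLE = [
    r'O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup',
    r'O4 - HKLM\..\Run: [nwiz] nwiz.exe /install',
    r'O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\Softwin\BitDefender10\bdagent.exe"',
    r'O4 - HKCU\..\Run: [DU Meter] C:\Documents and Settings\Admin\Desktop\DUMeter.exe',
    r'O9 - Extra button: (no name) - AutorunsDisabled - (no file)',
    r'O20 - AppInit_DLLs: sockspy.dll',
    r'O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe',
    r'O23 - Service: DU Meter Service (DUMeterSvc) - Hagel Technologies Ltd - C:\Program Files\DU Meter\DUMeterSvc.exe',
]

O4_RE = re.compile(r'^O4 - (.+?)\\\.\.\\(\w+): \[([^\]]*)\] (.*)$')
IMAGE_RE = re.compile(r'"?([A-Za-z]:\\[^",]*?\.(?:exe|dll)|[^\s",]+\.(?:exe|dll))"?', re.I)
USER_WRITABLE = ('\\documents and settings\\', '\\temp\\')   # per-user and temp dirs on XP

def image_of(cmd):
    """Return the executable or DLL image a Run-key command actually starts."""
    hits = IMAGE_RE.findall(cmd)
    if hits and hits[0].lower().endswith('rundll32.exe') and len(hits) > 1:
        return hits[1]          # rundll32 is only the host; the DLL is the payload
    return hits[0] if hits else cmd

def triage_line(line):
    """Return (severity, reason) findings for one HijackThis-style line."""
    findings = []
    if '(no file)' in line:
        findings.append(('low', 'orphaned entry: the referenced file no longer exists'))
    m = O4_RE.match(line)
    if m:
        name, cmd = m.group(3), m.group(4)
        image = image_of(cmd)
        if ':\\' not in image:
            findings.append(('medium', f'{name}: bare image name {image!r} is resolved via PATH search'))
        elif any(p in image.lower() for p in USER_WRITABLE):
            findings.append(('high', f'{name}: autostart image lives in a user-writable location: {image}'))
    elif line.startswith('O20 - AppInit_DLLs:'):
        dlls = line.split(':', 1)[1].strip()
        findings.append(('high', f'AppInit_DLLs loads {dlls} into every process that links user32.dll'))
    elif line.startswith('O23 - Service: '):
        parts = line[len('O23 - Service: '):].rsplit(' - ', 2)
        if len(parts) == 3 and parts[1].lower() == 'unknown owner':
            findings.append(('medium', f'service {parts[0]!r} carries no publisher information'))
    return findings

def triage(lines):
    """Keep only the lines that produced findings, as (line, findings) pairs."""
    out = []
    for ln in lines:
        f = triage_line(ln)
        if f:
            out.append((ln, f))
    return out
```

Run `triage(SAMPLE)` to see which of the sample lines a reviewer should look at first; everything else is left out of the result.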

#14 lusitano

    Portuguese Malware Fighter

  • Members
  • 1,443 posts
  • Gender:Male
  • Location:Portugal

Posted 01 February 2008 - 05:42 AM

Hello, very sorry for the long delay.

Jotti File Submission:
  • Please go to Jotti's malware scan
  • Copy and paste the following file path into the "File to upload & scan" box at the top of the page:
    • C:\WINDOWS\imsins.BAK
  • Click on the submit button
  • Please post the results in your next reply.
Go to Microsoft's website => http://support.microsoft.com/kb/310994
Select the download that's appropriate for your Operating System.

## Important ##
As we do not know the name of the file that's downloaded, you have to save the file as RC.exe to the root of SystemDrive, e.g. C:\RC.exe



Please, download the latest copy of ComboFix.exe => http://download.bleepingcomputer.com/sUBs/ComboFix.exe

Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

Now, close any open browsers.
  • Open notepad and copy/paste the text in the quotebox below into it:
RecoveryConsole::
C:\RC.EXE

Folder::
C:\Program Files\Kaspersky Lab

RENV::
C:\Documents and Settings\Admin\My Documents\Azureus Downloads\Real Player 11 Plus Gold incl crack and vista skin\Real.Player.10.6.GOLD\Real Player 10.6 GOLD .exe
IMPORTANT: The above script was written specifically for this infection on this person's computer. It is NOT to be used on another computer, as it may cause damage that could result in a format!
  • Save this as CFScript.txt, in the same location as ComboFix.exe
    Posted Image
  • Referring to the picture above, drag CFScript into ComboFix.exe
  • When finished, it shall produce a log for you at C:\CF-RC.txt. Post that log in your next reply.
Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

## Important ##
This is a precautionary measure. Please do not reboot the machine until we have reviewed the log & responded to you.



Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only.
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use the Firefox browser:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use the Opera browser:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.


Please do an online scan with Kaspersky WebScanner

Click on Posted Image

You will be prompted to install an ActiveX component from Kaspersky, Click Posted Image
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on Posted Image
  • Now click on Posted Image
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click Posted Image
  • Now under select a target to scan:Select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post, along with a new HijackThis log. Also let me know how your computer is running.

Please do not PM me asking for support.
Please be courteous, polite, and say thank you.
Please post the final results, good or bad. We like to know!

#15 don77

    Forum Regular

  • Members
  • 3,212 posts
  • Gender:Male
  • Location:Boston Mass

Posted 08 February 2008 - 11:42 PM

Due to the lack of feedback, this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team
a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
