
Virtumonde, Trojandropper.agent.dgo, Bho.g - Please Help Me Fix The Infestation And Slow Computer Speed


  • This topic is locked
31 replies to this topic

#1 stricjux

stricjux

  • Members
  • 17 posts
  • OFFLINE
  • Local time:12:30 PM

Posted 16 January 2008 - 01:54 PM

Followed the guide to posting, this is my hijackthis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:52:59, on 16.1.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Logitech\QuickCam\Quickcam.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper .exe
C:\Program Files\Logitech\QuickCam\Quickcam .exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\WINDOWS\wkssvr.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.sweetim.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [44c90957] rundll32.exe "C:\WINDOWS\system32\kjsknpho.dll",b
O4 - HKLM\..\Run: [StorageProtector] C:\Program Files\StorageProtector\SysRep.exe
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam\Quickcam.exe" /hide
O4 - HKLM\..\Run: [MSN] wkssvr.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] ~"C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Vremenko] C:\Program Files\Vremenko\vremenko.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype .exe" /nosplash /minimized
O4 - HKCU\..\Run: [slide.exe] c:\program files\slide\slide.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.Net\PartyPokerNet\RunPF.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.Net\PartyPokerNet\RunPF.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{354BE2EC-79AC-43F6-BD11-65E5D0F9638A}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{95309E10-928B-4366-B141-672CA791BBA7}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS1\Services\Tcpip\..\{354BE2EC-79AC-43F6-BD11-65E5D0F9638A}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS2\Services\Tcpip\..\{354BE2EC-79AC-43F6-BD11-65E5D0F9638A}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe

Nod32 is reporting virtumonde to be active in memory and even after restarting into safe mode and rescanning the computer a couple of times, I just can't remove the infestation.
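The following is an added example, written for this thread and not part of the original post, of HijackThis, or of ComboFix: a small Python triage script that applies the same heuristics a log reader applies to the HJT log above. It looks for look-alike files with a space before the extension ("Quickcam .exe" beside the real "Quickcam.exe"), Run values named with eight hex digits that load a random-named DLL through rundll32, Run commands with no path at all, and O17 DNS overrides. The sample input is a constructed subset of lines copied from the log in this post; the regular expressions, thresholds and severity labels are my own assumptions, not anything HijackThis itself produces.

```python
import re

# Constructed sample: a subset of lines copied from the HijackThis log in post #1.
SAMPLE_LOG = r"""
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Logitech\QuickCam\Quickcam.exe
C:\Program Files\Logitech\QuickCam\Quickcam .exe
C:\WINDOWS\wkssvr.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [44c90957] rundll32.exe "C:\WINDOWS\system32\kjsknpho.dll",b
O4 - HKLM\..\Run: [MSN] wkssvr.exe
O4 - HKCU\..\Run: [MsnMsgr] ~"C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype .exe" /nosplash /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{354BE2EC-79AC-43F6-BD11-65E5D0F9638A}: NameServer = 208.67.220.220,208.67.222.222
"""

# A space inserted before the extension ("Quickcam .exe") is the companion-file
# pattern visible throughout the logs on this page: the look-alike sits beside
# the genuine binary and is the one that actually gets launched.
SPACE_BEFORE_EXT = re.compile(r"\S \.(exe|dll|scr|com)\b", re.I)

# O4 autostart entries: "O4 - <hive>\..\Run: [<name>] <command>"
O4_ENTRY = re.compile(r"^O4 - (?P<hive>.+?)\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# rundll32 loading a DLL and calling a named export, e.g. "...\kjsknpho.dll",b
RUNDLL_EXPORT = re.compile(r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+\.dll)"?,(?P<export>\S+)', re.I)
HEX_VALUE_NAME = re.compile(r"^[0-9a-f]{8}$", re.I)    # heuristic, assumed threshold
RANDOM_DLL_NAME = re.compile(r"^[a-z]{6,10}\.dll$", re.I)  # heuristic, assumed threshold
BARE_EXE = re.compile(r"^[\w-]+\.exe$", re.I)

# O17 DNS overrides: worth confirming with the user, not malicious by themselves.
O17_ENTRY = re.compile(r"^O17 - .*NameServer = (?P<servers>[\d.,]+)$")


def triage_hijackthis(log_text):
    """Return a list of {'severity', 'reason', 'line'} findings for a HijackThis log."""
    findings = []

    def flag(severity, reason, line):
        findings.append({"severity": severity, "reason": reason, "line": line})

    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        if SPACE_BEFORE_EXT.search(line):
            flag("high", "space before extension (look-alike companion file)", line)

        m = O4_ENTRY.match(line)
        if m:
            name, cmd = m.group("name"), m.group("cmd")
            rd = RUNDLL_EXPORT.search(cmd)
            if rd:
                dll_base = rd.group("dll").rsplit("\\", 1)[-1]
                if RANDOM_DLL_NAME.match(dll_base) and len(rd.group("export")) <= 2:
                    flag("high", "rundll32 loads random-named DLL with one-letter export", line)
            if HEX_VALUE_NAME.match(name):
                flag("high", "Run value named with 8 hex digits", line)
            if BARE_EXE.match(cmd):
                flag("medium", "Run command has no path (resolved via search path)", line)
            if cmd.startswith("~"):
                flag("medium", "Run command prefixed with '~' (malformed launch string)", line)
            continue

        m = O17_ENTRY.match(line)
        if m:
            flag("info", "DNS servers overridden: " + m.group("servers"), line)
    return findings


def count_by_severity(findings):
    """Summarise findings as {severity: count}."""
    counts = {}
    for f in findings:
        counts[f["severity"]] = counts.get(f["severity"], 0) + 1
    return counts


if __name__ == "__main__":
    results = triage_hijackthis(SAMPLE_LOG)
    for f in results:
        print(f"[{f['severity']:6}] {f['reason']}\n         {f['line']}")
    print(count_by_severity(results))
```

On the sample above the script flags the two look-alike files, the hex-named Run value twice (once for its name, once for the random DLL it loads), the path-less `wkssvr.exe` entry and the `~`-prefixed MSN entry, and reports the O17 servers as informational only; 208.67.220.220 and 208.67.222.222 are OpenDNS resolvers, so that entry is a configuration to confirm rather than a compromise. The legitimate `Cmaudio` entry is not flagged because the rundll32 heuristic requires a `.dll` with a one- or two-character export, which is deliberately narrow to keep false positives down.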



#2 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:04:30 AM

Posted 21 January 2008 - 12:30 AM

Hello stricjux,

We will run ComboFix.

You need to disable your Nod32 Antivirus and Spybot Teatimer before running ComboFix, as they will prevent it from running.

I see you are running Teatimer.
I suggest you to disable it because it can interfere with the changes you'll make on your system.
If teatimer gives you a warning afterwards that some changes were made, allow this instead of blocking it.

How to disable TeaTimer during HijackThis Cleanup

To disable NOD32 Antivirus:
Please navigate to the system tray on the bottom right hand corner and look for a Posted Image sign.
  • click it -> click on the Posted Image button.
  • a popup will warn that protection will now be disabled. Click on "Yes" to disable the Antivirus guard.
You successfully disabled the NOD32 Guard.



Please visit this webpage for instructions for downloading and running ComboFix and installing Recovery Console.
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

It is very important you install Recovery Console.

Post the ComboFix log.

Edited by SifuMike, 21 January 2008 - 01:15 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 stricjux

stricjux
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  • Local time:12:30 PM

Posted 21 January 2008 - 03:59 AM

Currently @ work, will post reply ASAP.

#4 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:04:30 AM

Posted 21 January 2008 - 01:16 PM

That's OK. I will be here. :thumbsup:

#5 stricjux

stricjux
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  • Local time:12:30 PM

Posted 24 January 2008 - 04:39 AM

That's OK. I will be here. :thumbsup:


Running combofix for about 16hrs, still deleting files. Should I break the operation?

/jux

#6 stricjux

stricjux
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  • Local time:12:30 PM

Posted 24 January 2008 - 07:06 AM

That's OK. I will be here. :thumbsup:


Still working, now almost 20hrs.... (deleting .tmp files). Should I interrupt the procedure?

Edited by stricjux, 24 January 2008 - 07:08 AM.


#7 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:04:30 AM

Posted 24 January 2008 - 01:12 PM

Yes, time to kill it. It should not be taking that long to complete.


Did you put ComboFix on your desktop?

Did you disable your Nod32 Antivirus and Spybot Teatimer (as well as any other registry protector) before running ComboFix?

Did you install Recovery Console as per the instructions?

Edited by SifuMike, 24 January 2008 - 01:16 PM.


#8 stricjux

stricjux
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  • Local time:12:30 PM

Posted 25 January 2008 - 02:46 AM

Yes, time to kill it. It should not be taking that long to complete.


Did you put ComboFix on your desktop?

Did you disable your Nod32 Antivirus and Spybot Teatimer (as well as any other registry protector) before running ComboFix?

Did you install Recovery Console as per the instructions?


yes, combo fix is on desktop (with RC installed), nod32 & teatimer killed. Will retry today.

#9 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:04:30 AM

Posted 25 January 2008 - 01:07 PM

Hi stricjux,

There is a new infection that causes thousands of malware files to be placed on your computer and that is why ComboFix is taking a long time to run.


Run ComboFix using these instructions:

Click the Windows 'Start' button > Select 'Run' - then copy/paste the following bolded text into the run box & click OK.

"%userprofile%\desktop\combofix.exe" /killall

When finished, it shall produce a log for you. Post that log in your next reply.

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

Edited by SifuMike, 25 January 2008 - 01:08 PM.


#10 stricjux

stricjux
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  • Local time:12:30 PM

Posted 25 January 2008 - 04:37 PM

Hi stricjux,

There is a new infection that causes thousands of malware files to be placed on your computer and that is why ComboFix is taking a long time to run.


Run ComboFix using these instructions:

Click the Windows 'Start' button > Select 'Run' - then copy/paste the following bolded text into the run box & click OK.

"%userprofile%\desktop\combofix.exe" /killall

When finished, it shall produce a log for you. Post that log in your next reply.

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.


I killed the stalled process (via Task Manager) yesterday and restarted ComboFix today... it took another 2 hrs to complete, but it did complete :thumbsup:. This is the shortened version of the log, since I cannot post the whole thing (I have attached a .zip file with the complete log).

ComboFix 08-01-23.2 - Manca 2008-01-25 20:35:19.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1250.1.1033.18.142 [GMT 1:00]
Running from: C:\Documents and Settings\Manca\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\Starware349
C:\Documents and Settings\All Users\Application Data\Starware349\buttons\FindIt.bmp
C:\Documents and Settings\All Users\Application Data\Starware349\buttons\FindItHot.bmp
C:\Documents and Settings\All Users\Application Data\Starware349\buttons\findithotxp.png
C:\Documents and Settings\All Users\Application Data\Starware349\buttons\finditxp.png
C:\Documents and Settings\All Users\Application Data\Starware349\buttons\Free_Credit_Score0.bmp
C:\Documents and Settings\All Users\Application Data\Starware349\buttons\Free_Music0.bmp
C:\Documents and Settings\All Users\Application Data\Starware349\buttons\Horoscopes0.bmp
C:\Documents and Settings\All Users\Application Data\Starware349\buttons\logo.bmp
C:\Documents and Settings\All Users\Application Data\Starware349\buttons\logoxp.bmp
C:\Documents and Settings\All Users\Application Data\Starware349\buttons\Reference.bmp
C:\Documents and Settings\All Users\Application Data\Starware349\buttons\ReferenceHot.bmp
C:\Documents and Settings\All Users\Application Data\Starware349\buttons\referencehotxp.png
C:\Documents and Settings\All Users\Application Data\Starware349\buttons\referencexp.png
C:\Documents and Settings\All Users\Application Data\Starware349\buttons\Ringtones0.bmp
C:\Documents and Settings\All Users\Application Data\Starware349\buttons\Weather.bmp
C:\Documents and Settings\All Users\Application Data\Starware349\buttons\WeatherHot.bmp
C:\Documents and Settings\All Users\Application Data\Starware349\buttons\weatherhotxp.png
C:\Documents and Settings\All Users\Application Data\Starware349\buttons\weatherxp.png
C:\Documents and Settings\All Users\Application Data\Starware349\contexts\error.xml
C:\Documents and Settings\All Users\Application Data\Starware349\contexts\Related.xml
C:\Documents and Settings\All Users\Application Data\Starware349\contexts\Travel.xml
C:\Documents and Settings\All Users\Application Data\Starware349\images\walertXP.bmp
C:\Documents and Settings\All Users\Application Data\Starware349\SimpleUpdate\ProductMessagingConfig.xml
C:\Documents and Settings\All Users\Application Data\Starware349\SimpleUpdate\ProductMessagingConfig.xml.backup
C:\Documents and Settings\All Users\Application Data\Starware349\SimpleUpdate\SimpleUpdateConfig.xml
C:\Documents and Settings\All Users\Application Data\Starware349\SimpleUpdate\SimpleUpdateConfig.xml.backup
C:\Documents and Settings\All Users\Application Data\Starware349\SimpleUpdate\TimerManagerConfig.xml
C:\Documents and Settings\All Users\Application Data\Starware349\SimpleUpdate\TimerManagerConfig.xml.backup
C:\Documents and Settings\All Users\Application Data\storageprotector
C:\Documents and Settings\All Users\Application Data\storageprotector\Data\ac
C:\Documents and Settings\All Users\Application Data\storageprotector\Data\em
C:\Documents and Settings\All Users\Application Data\storageprotector\Data\oid
C:\Documents and Settings\All Users\Application Data\storageprotector\Data\user
C:\Documents and Settings\Luka\My Documents\pos1B5D.tmp
C:\Documents and Settings\Luka\My Documents\pos1B5E.tmp
C:\Documents and Settings\Luka\My Documents\pos1B5F.tmp
.......(OMITTED DUE TO LENGTH).....
C:\Documents and Settings\Luka\My Documents\pos232B.tmp
C:\Documents and Settings\Manca\Application Data\Starware349
C:\Documents and Settings\Manca\Application Data\Starware349\BrowserSearch\BrowserSearch.xml
C:\Documents and Settings\Manca\Application Data\Starware349\BrowserSearch\BrowserSearch.xml.backup
C:\Documents and Settings\Manca\Application Data\Starware349\Configurator\Configurator.xml
C:\Documents and Settings\Manca\Application Data\Starware349\Configurator\Configurator.xml.backup
C:\Documents and Settings\Manca\Application Data\Starware349\ErrorSearch\ErrorSearchOptions.xml
C:\Documents and Settings\Manca\Application Data\Starware349\ErrorSearch\ErrorSearchOptions.xml.backup
C:\Documents and Settings\Manca\Application Data\Starware349\Free_Credit_Score\Free_Credit_ScoreOptions.xml
C:\Documents and Settings\Manca\Application Data\Starware349\Free_Credit_Score\Free_Credit_ScoreOptions.xml.backup
C:\Documents and Settings\Manca\Application Data\Starware349\Free_Music\Free_MusicOptions.xml
C:\Documents and Settings\Manca\Application Data\Starware349\Free_Music\Free_MusicOptions.xml.backup
C:\Documents and Settings\Manca\Application Data\Starware349\Horoscopes\HoroscopesOptions.xml
C:\Documents and Settings\Manca\Application Data\Starware349\Horoscopes\HoroscopesOptions.xml.backup
C:\Documents and Settings\Manca\Application Data\Starware349\Layouts\ToolbarLayout.xml
C:\Documents and Settings\Manca\Application Data\Starware349\Layouts\ToolbarLayout.xml.backup
C:\Documents and Settings\Manca\Application Data\Starware349\Manager\ManagerOptions.xml
C:\Documents and Settings\Manca\Application Data\Starware349\Manager\ManagerOptions.xml.backup
C:\Documents and Settings\Manca\Application Data\Starware349\Reference\ReferenceOptions.xml
C:\Documents and Settings\Manca\Application Data\Starware349\Reference\ReferenceOptions.xml.backup
C:\Documents and Settings\Manca\Application Data\Starware349\RelatedSearch\RelatedSearchOptions.xml
C:\Documents and Settings\Manca\Application Data\Starware349\RelatedSearch\RelatedSearchOptions.xml.backup
C:\Documents and Settings\Manca\Application Data\Starware349\Ringtones\RingtonesOptions.xml
C:\Documents and Settings\Manca\Application Data\Starware349\Ringtones\RingtonesOptions.xml.backup
C:\Documents and Settings\Manca\Application Data\Starware349\Toolbar\TBProductsOptions.xml
C:\Documents and Settings\Manca\Application Data\Starware349\Toolbar\TBProductsOptions.xml.backup
C:\Documents and Settings\Manca\Application Data\Starware349\ToolbarLogo\ToolbarLogoOptions.xml
C:\Documents and Settings\Manca\Application Data\Starware349\ToolbarLogo\ToolbarLogoOptions.xml.backup
C:\Documents and Settings\Manca\Application Data\Starware349\ToolbarSearch\ToolbarSearchOptions.xml
C:\Documents and Settings\Manca\Application Data\Starware349\ToolbarSearch\ToolbarSearchOptions.xml.backup
C:\Documents and Settings\Manca\Application Data\Starware349\TravelSearch\TravelSearchOptions.xml
C:\Documents and Settings\Manca\Application Data\Starware349\TravelSearch\TravelSearchOptions.xml.backup
C:\Documents and Settings\Manca\Application Data\Starware349\Weather\AlertArchive.xml
C:\Documents and Settings\Manca\Application Data\Starware349\Weather\WeatherOptions.xml
C:\Documents and Settings\Manca\Application Data\Starware349\Weather\WeatherOptions.xml.backup
C:\Documents and Settings\Manca\Application Data\storageprotector
C:\Documents and Settings\Manca\Application Data\storageprotector\Logs\update.log
C:\Documents and Settings\Manca\My Documents\pos1000.tmp
C:\Documents and Settings\Manca\My Documents\pos1001.tmp
C:\Documents and Settings\Manca\My Documents\pos1002.tmp
C:\Documents and Settings\Manca\My Documents\pos1003.tmp
....OMITTED DUE TO LENGTH....
C:\Documents and Settings\Manca\My Documents\posFFD.tmp
C:\Documents and Settings\Manca\My Documents\posFFE.tmp
C:\Documents and Settings\Manca\My Documents\posFFF.tmp
C:\pos1190.tmp
C:\pos15B.tmp
C:\pos1803.tmp
C:\pos1804.tmp
.....OMITTED DUE TO LENGTH....

C:\posFFC.tmp
C:\posFFD.tmp
C:\posFFE.tmp
C:\posFFF.tmp
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper .exe
C:\Program Files\Common Files\Logitech\LComMgr\LVComSX .exe
C:\Program Files\ESET\nod32kui .exe
C:\Program Files\Gamevance\gamevance32 .exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2 .exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr .exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched .exe
C:\Program Files\Logitech\QuickCam\Quickcam .exe
C:\Program Files\Macrogaming\SweetIM\SweetIM .exe
C:\Program Files\Macrogaming\SweetIM\SweetIM.exe
C:\Program Files\XoftSpy\XoftSpy .exe
C:\WINDOWS\pchealth\helpctr\binaries\MSConfig .exe
C:\WINDOWS\system32\awtqnkh.dll
C:\WINDOWS\system32\ctfmon .exe
C:\WINDOWS\system32\ctfmon.exe.tmp
C:\WINDOWS\system32\dhbxucdh.dll
C:\WINDOWS\system32\gjkmp.ini
C:\WINDOWS\system32\gjkmp.ini2
C:\WINDOWS\system32\jmeyhbdi.dll
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\pmkjg.exe
C:\WINDOWS\system32\prutv.ini
C:\WINDOWS\system32\prutv.ini2
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10 .exe
C:\WINDOWS\system32\stmeheyu.dll
C:\WINDOWS\system32\utytskmy.ini
C:\WINDOWS\system32\vturp.dll
C:\WINDOWS\system32\vturp.exe
C:\WINDOWS\system32\ymkstytu.dll
D:\Autorun.inf

C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper .exe ---> QooBox
C:\Program Files\Common Files\Logitech\LComMgr\LVComSX .exe ---> QooBox
C:\Program Files\ESET\nod32kui .exe ---> QooBox
C:\Program Files\Gamevance\gamevance32 .exe ---> QooBox
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2 .exe ---> QooBox
C:\Program Files\HP\hpcoretech\hpcmpmgr .exe ---> QooBox
C:\Program Files\Java\jre1.6.0_03\bin\jusched .exe ---> QooBox
C:\Program Files\Logitech\QuickCam\Quickcam .exe ---> QooBox
C:\Program Files\Macrogaming\SweetIM\SweetIM .exe ---> QooBox
C:\Program Files\XoftSpy\XoftSpy .exe ---> QooBox
C:\WINDOWS\pchealth\helpctr\binaries\MSConfig .exe ---> QooBox
C:\WINDOWS\system32\ctfmon .exe ---> QooBox
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10 .exe ---> QooBox
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_DOMAINSERVICE


((((((((((((((((((((((((( Files Created from 2007-12-25 to 2008-01-25 )))))))))))))))))))))))))))))))
.

2008-01-24 21:18 . 2008-01-24 21:19 654 --ahs---- C:\WINDOWS\system32\qmrmypcs.ini
2008-01-23 21:17 . 2004-08-03 23:00 260,272 --a------ C:\cmldr
2008-01-23 21:17 . 2008-01-21 06:24 211 --a------ C:\Boot.bak
2008-01-23 21:16 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\Nircmd.exe
2008-01-23 19:59 . 2008-01-24 21:09 594 --ahs---- C:\WINDOWS\system32\fanvsvkw.ini
2008-01-21 20:00 . 2008-01-23 09:11 414 --ahs---- C:\WINDOWS\system32\rcycvmca.ini
2008-01-20 22:24 . 2008-01-20 22:24 <DIR> d-------- C:\Program Files\Lavasoft
2008-01-20 22:24 . 2008-01-20 22:24 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-01-20 18:39 . 2008-01-22 19:08 <DIR> d-------- C:\VundoFix Backups
2008-01-19 06:32 . 2008-01-19 09:06 1,194 --ahs---- C:\WINDOWS\system32\kiqlejwm.ini
2008-01-18 09:18 . 2008-01-18 09:18 268 --ah----- C:\sqmdata06.sqm
2008-01-18 09:18 . 2008-01-18 09:18 244 --ah----- C:\sqmnoopt06.sqm
2008-01-18 06:27 . 2008-01-18 17:42 1,074 --ahs---- C:\WINDOWS\system32\iqtrnmql.ini
2008-01-17 06:30 . 2008-01-17 10:33 954 --ahs---- C:\WINDOWS\system32\vgrdrvns.ini
2008-01-15 20:10 . 2008-01-15 20:10 190,074 --a------ C:\WINDOWS\IMG_9928.zip
2008-01-15 15:24 . 2008-01-15 15:24 552 --a------ C:\WINDOWS\system32\d3d8caps.dat
2008-01-15 13:06 . 2004-10-07 13:39 89,088 --a------ C:\WINDOWS\system32\atl71.dll
2008-01-15 06:29 . 2008-01-17 06:29 774 --ahs---- C:\WINDOWS\system32\ohpnksjk.ini
2008-01-14 15:00 . 2008-01-14 15:00 15,360 --a------ C:\WINDOWS\system32\ctfmon.exe.tmp.000
2008-01-13 21:21 . 2008-01-13 21:23 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-01-13 21:21 . 2005-08-25 18:19 115,920 --a------ C:\WINDOWS\system32\MSINET.OCX
2008-01-13 21:12 . 2008-01-13 21:12 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-08 17:55 . 2008-01-11 17:57 534 --ahs---- C:\WINDOWS\system32\jupjrkip.ini
2008-01-07 17:56 . 2008-01-07 17:56 834 --ahs---- C:\WINDOWS\system32\ulntooqr.ini
2008-01-06 17:53 . 2008-01-07 17:54 774 --ahs---- C:\WINDOWS\system32\mrhwqyfp.ini
2008-01-05 18:59 . 2008-01-16 08:43 <DIR> d-------- C:\Program Files\Bit Che
2008-01-05 18:59 . 2004-03-09 00:00 152,848 --a------ C:\WINDOWS\system32\comdlg32.OCX
2008-01-05 18:59 . 2004-03-09 00:00 124,688 --a------ C:\WINDOWS\system32\mswinsck.ocx
2008-01-05 17:56 . 2008-01-05 17:56 714 --ahs---- C:\WINDOWS\system32\tmjwubdk.ini
2008-01-04 15:14 . 2008-01-05 15:15 654 --ahs---- C:\WINDOWS\system32\thxcaidc.ini
2008-01-02 17:52 . 2008-01-04 15:11 594 --ahs---- C:\WINDOWS\system32\vlvsbphp.ini
2008-01-01 17:55 . 2008-01-01 17:56 414 --ahs---- C:\WINDOWS\system32\irxgmops.ini
2007-12-31 06:28 . 2007-10-12 02:57 195,096 --a------ C:\WINDOWS\system32\lvci1150.dll
2007-12-31 06:27 . 2008-01-03 08:55 <DIR> d-------- C:\WINDOWS\SxsCaPendDel
2007-12-31 06:27 . 2007-12-31 06:29 <DIR> d-------- C:\Program Files\Common Files\LogiShrd
2007-12-31 05:52 . 2008-01-01 01:00 354 --ahs---- C:\WINDOWS\system32\qyailals.ini
2007-12-30 05:56 . 2007-12-30 05:56 294 --ahs---- C:\WINDOWS\system32\nyvokfgr.ini
2007-12-29 14:18 . 2008-01-14 17:46 7,680 --ahs---- C:\WINDOWS\Thumbs.db
2007-12-28 02:16 . 2007-12-28 02:16 294 --ahs---- C:\WINDOWS\system32\tobmawmj.ini

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-25 20:48 --------- d-----w C:\Program Files\XoftSpy
2008-01-25 20:48 --------- d-----w C:\Program Files\Gamevance
2008-01-22 05:18 158,208 ----a-w C:\WINDOWS\pchealth\helpctr\binaries\msconfig.exe.tmp
2008-01-15 16:32 189,952 --sh--r C:\WINDOWS\wkssvr.exe
2007-12-31 05:28 --------- d-----w C:\Program Files\Common Files\Logitech
2007-12-31 05:27 --------- d-----w C:\Program Files\Logitech
2007-12-29 13:18 --------- d-----w C:\Program Files\Xvid
2007-12-29 13:18 --------- d-----w C:\Program Files\Windows Media Connect 2
2007-12-29 13:18 --------- d-----w C:\Program Files\Real Alternative
2007-12-29 13:18 --------- d-----w C:\Program Files\QuickTime Alternative
2007-12-29 13:18 --------- d-----w C:\Program Files\BFG
2007-12-28 12:42 --------- d-----w C:\Program Files\Vremenko
2007-12-14 10:32 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2007-12-11 17:53 --------- d-----w C:\Program Files\Slide
2007-11-07 09:26 721,920 ----a-w C:\WINDOWS\system32\lsasrv.dll
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-27 16:40 222,720 ----a-w C:\WINDOWS\system32\wmasf.dll
2001-11-23 11:08 712,704 ----a-w C:\WINDOWS\inf\OTHER\AUDIO3D.DLL
.
----a-w			39,792 2007-12-26 11:05:33  C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl .exe
----a-w		   284,184 2007-12-29 13:15:29  C:\Program Files\Common Files\Logitech\LComMgr\Communications_Helper .exe
----a-w		   746,520 2007-12-29 13:15:29  C:\Program Files\Logitech\QuickCam10\QuickCam10 .exe
----a-w		 1,694,208 2007-12-26 11:06:05  C:\Program Files\Messenger\msmsgs .exe
----a-w		 1,460,560 2007-12-26 11:05:55  C:\Program Files\Spybot - Search & Destroy\TeaTimer .exe
----a-w		 4,426,752 2007-12-26 11:05:46  C:\Program Files\Vremenko\vremenko .exe


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06C663C3-A7C2-46E3-A30F-D01412F90DC3}]
C:\WINDOWS\system32\pmkjg.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{328c5736-3cb4-4309-aa2b-95b7a8150de9}]
C:\WINDOWS\system32\bdwesfos.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5068C268-6F1B-4A07-9C75-63E8B8FD7402}]
C:\WINDOWS\system32\vtutq.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="~C:\Program Files\MSN Messenger\MsnMsgr.exe" [ ]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [ ]
"Vremenko"="C:\Program Files\Vremenko\vremenko.exe" [ ]
"Skype"="C:\Program Files\Skype\Phone\Skype .exe" [ ]
"slide.exe"="c:\program files\slide\slide.exe" [ ]
"Tronteljcek"="" []
"SweetIM"="C:\Program Files\Macrogaming\SweetIM\SweetIM.exe" [ ]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2002-12-31 13:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [ ]
"HP Software Update"="C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [ ]
"Cmaudio"="cmicnfg.cpl" []

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\CTFMON.EXE" [2002-12-31 13:00 15360]

R0 viamraid;viamraid;C:\WINDOWS\system32\drivers\viamraid.sys [2007-07-17 12:35]
R0 videX32;videX32;C:\WINDOWS\system32\DRIVERS\videX32.sys [2007-03-29 10:36]
S3 EverestDriver;Lavalys EVEREST Kernel Driver;C:\Documents and Settings\Manca\My Documents\Downloads\Lavalys.EVEREST.Ultimate.Edition.v4.00.976.Multilingual.Incl.Keygen-ViRiLiTY\llvlseve\kerneld.wnt [2007-04-04 23:00]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - D:\Setup.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-01-11 19:32:04 C:\WINDOWS\Tasks\XoftSpy.job"
- C:\Program Files\XoftSpy\XoftSpy.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-25 22:16:55
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
MsnMsgr = ~"C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background?g

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.

Attached Files
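Added example, mine rather than ComboFix's or the poster's: a Python parser for the three ComboFix sections in the log above that a responder reads first when triaging this kind of infection, namely "Files Created", the "Find3M Report" and the Browser Helper Object keys under "Reg Loading Points". It flags hidden+system files with random names in system32 (the daily `.ini` drops), hidden+system executables dropped directly into the Windows directory (`wkssvr.exe`), `.exe.tmp` copies of system binaries, and BHOs backed by random-named DLLs. The sample input is a constructed subset of lines copied from the log in this post; the attribute-column parsing, the name-length heuristic and the severity labels are assumptions I made for the example.

```python
import re
from collections import Counter

# Constructed sample: lines copied from the ComboFix log in post #10
# ("Files Created", "Find3M Report" and "Reg Loading Points" sections).
SAMPLE_COMBOFIX = r"""
2008-01-24 21:18 . 2008-01-24 21:19 654 --ahs---- C:\WINDOWS\system32\qmrmypcs.ini
2008-01-23 21:16 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\Nircmd.exe
2008-01-20 22:24 . 2008-01-20 22:24 <DIR> d-------- C:\Program Files\Lavasoft
2008-01-19 06:32 . 2008-01-19 09:06 1,194 --ahs---- C:\WINDOWS\system32\kiqlejwm.ini
2008-01-15 15:24 . 2008-01-15 15:24 552 --a------ C:\WINDOWS\system32\d3d8caps.dat
2008-01-14 15:00 . 2008-01-14 15:00 15,360 --a------ C:\WINDOWS\system32\ctfmon.exe.tmp.000
2008-01-22 05:18 158,208 ----a-w C:\WINDOWS\pchealth\helpctr\binaries\msconfig.exe.tmp
2008-01-15 16:32 189,952 --sh--r C:\WINDOWS\wkssvr.exe
2007-11-07 09:26 721,920 ----a-w C:\WINDOWS\system32\lsasrv.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06C663C3-A7C2-46E3-A30F-D01412F90DC3}]
C:\WINDOWS\system32\pmkjg.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{328c5736-3cb4-4309-aa2b-95b7a8150de9}]
C:\WINDOWS\system32\bdwesfos.dll
"""

# One regex covers both file-listing layouts: "Files Created" carries a second
# (modified) timestamp after " . ", "Find3M" does not. The attribute column is
# e.g. --ahs---- / ----a-w / --sh--r; we only rely on the 'h' and 's' letters.
FILE_LINE = re.compile(
    r"^(?P<created>\d{4}-\d\d-\d\d \d\d:\d\d)"
    r"(?: \. \d{4}-\d\d-\d\d \d\d:\d\d)?"
    r"\s+(?P<size><DIR>|[\d,]+|-+)"
    r"\s+(?P<attrs>[-a-z]+)"
    r"\s+(?P<path>[A-Za-z]:\\.*)$"
)
BHO_KEY = re.compile(r"^\[HKEY_LOCAL_MACHINE\\~\\Browser Helper Objects\\(?P<clsid>\{[0-9A-Fa-f-]+\})\]$")
RANDOM_NAME = re.compile(r"^[a-z]{5,10}\.(ini|dll|exe)$")   # assumed heuristic
TMP_COPY = re.compile(r"\.exe\.tmp(\.\d+)?$", re.I)


def _in_dir(path, suffix):
    """True if the directory part of path ends with suffix (case-insensitive)."""
    return path.lower().rsplit("\\", 1)[0].endswith(suffix)


def triage_combofix(log_text):
    """Return (severity, reason, path) tuples for suspicious entries in a ComboFix log."""
    findings = []
    pending_bho = None
    for line in (ln.strip() for ln in log_text.splitlines()):
        if not line:
            continue
        key = BHO_KEY.match(line)
        if key:
            pending_bho = key.group("clsid")   # the DLL path follows on the next line
            continue
        if pending_bho:
            base = line.rsplit("\\", 1)[-1].lower()
            if RANDOM_NAME.match(base) and _in_dir(line, "\\windows\\system32"):
                findings.append(("high", f"BHO {pending_bho} backed by random-named DLL", line))
            pending_bho = None
            continue
        m = FILE_LINE.match(line)
        if not m:
            continue
        attrs, path = m.group("attrs"), m.group("path")
        base = path.rsplit("\\", 1)[-1].lower()
        hidden_system = "h" in attrs and "s" in attrs
        if hidden_system and RANDOM_NAME.match(base) and _in_dir(path, "\\windows\\system32"):
            findings.append(("high", "hidden+system random-named file in system32", path))
        elif hidden_system and base.endswith(".exe") and _in_dir(path, "\\windows"):
            findings.append(("high", "hidden+system executable dropped in Windows directory", path))
        elif TMP_COPY.search(base):
            findings.append(("medium", "copy of a system binary left behind as .tmp", path))
    return findings


def summarize(findings):
    """Count findings per severity level."""
    return Counter(sev for sev, _, _ in findings)


if __name__ == "__main__":
    results = triage_combofix(SAMPLE_COMBOFIX)
    for sev, reason, path in results:
        print(f"[{sev:6}] {reason}: {path}")
    print(dict(summarize(results)))
```

Note that `lsasrv.dll` and `Nircmd.exe` both have short lowercase names yet are not flagged: the random-name test only fires together with the hidden+system attribute bits, which is what separates the daily `.ini` drops and `wkssvr.exe` from ordinary Windows files and the ComboFix helper. The `.exe.tmp` copies of `ctfmon.exe` and `msconfig.exe` are reported at medium severity because they are the residue of the companion-file replacement rather than active components.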



#11 stricjux

stricjux
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  • Local time:12:30 PM

Posted 25 January 2008 - 04:39 PM

I have another, possibly unrelated problem (I can't confirm that it was caused by malware) - the sound on my computer is screwed up, everything sounds like I'm in a submarine (lots of echo).

Maybe it helps... I'll try and remedy it by reloading the drivers after we are done with the viruses.

#12 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:04:30 AM

Posted 25 January 2008 - 05:21 PM

Hi stricjux,

ComboFix had a bug and it has just been updated, so delete the version you have on your desktop, and download and run a new version, then post the log.

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

We should get the complete report this time. :thumbsup:
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#13 stricjux

stricjux
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  • Local time:12:30 PM

Posted 26 January 2008 - 07:51 AM

Hi stricjux,

ComboFix had a bug and it has just been updated, so delete the version you have on your desktop, and download and run a new version, then post the log.

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

We should get the complete report this time. :thumbsup:


Attached as a .zip file; still over 600 KB long. Shortened version:


ComboFix 08-01-23.1C - Manca 2008-01-26 13:42:23.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1250.1.1033.18.227 [GMT 1:00]
Running from: C:\Documents and Settings\Manca\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
C:\Documents and Settings\All Users\Application Data\Starware349
C:\Documents and Settings\All Users\Application Data\Starware349\buttons\FindIt.bmp
C:\Documents and Settings\All Users\Application Data\Starware349\buttons\FindItHot.bmp
C:\Documents and Settings\All Users\Application Data\Starware349\buttons\findithotxp.png

SHORTENED......

C:\posFFE.tmp
C:\posFFF.tmp
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper .exe
C:\Program Files\Common Files\Logitech\LComMgr\LVComSX .exe
C:\Program Files\ESET\nod32kui .exe
C:\Program Files\Gamevance\gamevance32 .exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2 .exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr .exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched .exe
C:\Program Files\Logitech\QuickCam\Quickcam .exe
C:\Program Files\Macrogaming\SweetIM\SweetIM .exe
C:\Program Files\Macrogaming\SweetIM\SweetIM.exe
C:\Program Files\XoftSpy\XoftSpy .exe
C:\WINDOWS\pchealth\helpctr\binaries\MSConfig .exe
C:\WINDOWS\system32\awtqnkh.dll
C:\WINDOWS\system32\ctfmon .exe
C:\WINDOWS\system32\ctfmon.exe.tmp
C:\WINDOWS\system32\dhbxucdh.dll
C:\WINDOWS\system32\gjkmp.ini
C:\WINDOWS\system32\gjkmp.ini2
C:\WINDOWS\system32\jmeyhbdi.dll
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\pmkjg.exe
C:\WINDOWS\system32\prutv.ini
C:\WINDOWS\system32\prutv.ini2
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10 .exe
C:\WINDOWS\system32\stmeheyu.dll
C:\WINDOWS\system32\utytskmy.ini
C:\WINDOWS\system32\vturp.dll
C:\WINDOWS\system32\vturp.exe
C:\WINDOWS\system32\ymkstytu.dll
D:\Autorun.inf

<pre>
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper .exe ---> QooBox
C:\Program Files\Common Files\Logitech\LComMgr\LVComSX .exe ---> QooBox
C:\Program Files\ESET\nod32kui .exe ---> QooBox
C:\Program Files\Gamevance\gamevance32 .exe ---> QooBox
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2 .exe ---> QooBox
C:\Program Files\HP\hpcoretech\hpcmpmgr .exe ---> QooBox
C:\Program Files\Java\jre1.6.0_03\bin\jusched .exe ---> QooBox
C:\Program Files\Logitech\QuickCam\Quickcam .exe ---> QooBox
C:\Program Files\Macrogaming\SweetIM\SweetIM .exe ---> QooBox
C:\Program Files\XoftSpy\XoftSpy .exe ---> QooBox
C:\WINDOWS\pchealth\helpctr\binaries\MSConfig .exe ---> QooBox
C:\WINDOWS\system32\ctfmon .exe ---> QooBox
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10 .exe ---> QooBox
</pre>
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_DOMAINSERVICE




((((((((((((((((((((((((( Files Created from 2007-12-26 to 2008-01-26 )))))))))))))))))))))))))))))))
.

2008-01-24 21:18 . 2008-01-24 21:19 654 --ahs---- C:\WINDOWS\system32\qmrmypcs.ini
2008-01-23 21:17 . 2004-08-03 23:00 260,272 --a------ C:\cmldr
2008-01-23 21:17 . 2008-01-21 06:24 211 --a------ C:\Boot.bak
2008-01-23 21:16 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\Nircmd.exe
2008-01-23 19:59 . 2008-01-24 21:09 594 --ahs---- C:\WINDOWS\system32\fanvsvkw.ini
2008-01-21 20:00 . 2008-01-23 09:11 414 --ahs---- C:\WINDOWS\system32\rcycvmca.ini
2008-01-20 22:24 . 2008-01-20 22:24 <DIR> d-------- C:\Program Files\Lavasoft
2008-01-20 22:24 . 2008-01-20 22:24 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-01-20 18:39 . 2008-01-22 19:08 <DIR> d-------- C:\VundoFix Backups
2008-01-19 06:32 . 2008-01-19 09:06 1,194 --ahs---- C:\WINDOWS\system32\kiqlejwm.ini
2008-01-18 09:18 . 2008-01-18 09:18 268 --ah----- C:\sqmdata06.sqm
2008-01-18 09:18 . 2008-01-18 09:18 244 --ah----- C:\sqmnoopt06.sqm
2008-01-18 06:27 . 2008-01-18 17:42 1,074 --ahs---- C:\WINDOWS\system32\iqtrnmql.ini
2008-01-17 06:30 . 2008-01-17 10:33 954 --ahs---- C:\WINDOWS\system32\vgrdrvns.ini
2008-01-15 20:10 . 2008-01-15 20:10 190,074 --a------ C:\WINDOWS\IMG_9928.zip
2008-01-15 15:24 . 2008-01-15 15:24 552 --a------ C:\WINDOWS\system32\d3d8caps.dat
2008-01-15 13:06 . 2004-10-07 13:39 89,088 --a------ C:\WINDOWS\system32\atl71.dll
2008-01-15 06:29 . 2008-01-17 06:29 774 --ahs---- C:\WINDOWS\system32\ohpnksjk.ini
2008-01-14 15:00 . 2008-01-14 15:00 15,360 --a------ C:\WINDOWS\system32\ctfmon.exe.tmp.000
2008-01-13 21:21 . 2008-01-13 21:23 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-01-13 21:21 . 2005-08-25 18:19 115,920 --a------ C:\WINDOWS\system32\MSINET.OCX
2008-01-13 21:12 . 2008-01-13 21:12 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-08 17:55 . 2008-01-11 17:57 534 --ahs---- C:\WINDOWS\system32\jupjrkip.ini
2008-01-07 17:56 . 2008-01-07 17:56 834 --ahs---- C:\WINDOWS\system32\ulntooqr.ini
2008-01-06 17:53 . 2008-01-07 17:54 774 --ahs---- C:\WINDOWS\system32\mrhwqyfp.ini
2008-01-05 18:59 . 2008-01-16 08:43 <DIR> d-------- C:\Program Files\Bit Che
2008-01-05 18:59 . 2004-03-09 00:00 152,848 --a------ C:\WINDOWS\system32\comdlg32.OCX
2008-01-05 18:59 . 2004-03-09 00:00 124,688 --a------ C:\WINDOWS\system32\mswinsck.ocx
2008-01-05 17:56 . 2008-01-05 17:56 714 --ahs---- C:\WINDOWS\system32\tmjwubdk.ini
2008-01-04 15:14 . 2008-01-05 15:15 654 --ahs---- C:\WINDOWS\system32\thxcaidc.ini
2008-01-02 17:52 . 2008-01-04 15:11 594 --ahs---- C:\WINDOWS\system32\vlvsbphp.ini
2008-01-01 17:55 . 2008-01-01 17:56 414 --ahs---- C:\WINDOWS\system32\irxgmops.ini
2007-12-31 06:28 . 2007-10-12 02:57 195,096 --a------ C:\WINDOWS\system32\lvci1150.dll
2007-12-31 06:27 . 2008-01-03 08:55 <DIR> d-------- C:\WINDOWS\SxsCaPendDel
2007-12-31 06:27 . 2007-12-31 06:29 <DIR> d-------- C:\Program Files\Common Files\LogiShrd
2007-12-31 05:52 . 2008-01-01 01:00 354 --ahs---- C:\WINDOWS\system32\qyailals.ini
2007-12-30 05:56 . 2007-12-30 05:56 294 --ahs---- C:\WINDOWS\system32\nyvokfgr.ini
2007-12-29 14:18 . 2008-01-14 17:46 7,680 --ahs---- C:\WINDOWS\Thumbs.db
2007-12-28 02:16 . 2007-12-28 02:16 294 --ahs---- C:\WINDOWS\system32\tobmawmj.ini

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-25 20:48 --------- d-----w C:\Program Files\XoftSpy
2008-01-25 20:48 --------- d-----w C:\Program Files\Gamevance
2008-01-22 05:18 158,208 ----a-w C:\WINDOWS\pchealth\helpctr\binaries\msconfig.exe.tmp
2008-01-15 16:32 189,952 --sh--r C:\WINDOWS\wkssvr.exe
2007-12-31 05:28 --------- d-----w C:\Program Files\Common Files\Logitech
2007-12-31 05:27 --------- d-----w C:\Program Files\Logitech
2007-12-29 13:18 --------- d-----w C:\Program Files\Xvid
2007-12-29 13:18 --------- d-----w C:\Program Files\Windows Media Connect 2
2007-12-29 13:18 --------- d-----w C:\Program Files\Real Alternative
2007-12-29 13:18 --------- d-----w C:\Program Files\QuickTime Alternative
2007-12-29 13:18 --------- d-----w C:\Program Files\BFG
2007-12-28 12:42 --------- d-----w C:\Program Files\Vremenko
2007-12-14 10:32 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2007-12-11 17:53 --------- d-----w C:\Program Files\Slide
2007-11-07 09:26 721,920 ----a-w C:\WINDOWS\system32\lsasrv.dll
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-27 16:40 222,720 ----a-w C:\WINDOWS\system32\wmasf.dll
2001-11-23 11:08 712,704 ----a-w C:\WINDOWS\inf\OTHER\AUDIO3D.DLL
.
<pre>
----a-w			39,792 2007-12-26 11:05:33  C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl .exe
----a-w		   284,184 2007-12-29 13:15:29  C:\Program Files\Common Files\Logitech\LComMgr\Communications_Helper .exe
----a-w		   746,520 2007-12-29 13:15:29  C:\Program Files\Logitech\QuickCam10\QuickCam10 .exe
----a-w		 1,694,208 2007-12-26 11:06:05  C:\Program Files\Messenger\msmsgs .exe
----a-w		 1,460,560 2007-12-26 11:05:55  C:\Program Files\Spybot - Search & Destroy\TeaTimer .exe
----a-w		 4,426,752 2007-12-26 11:05:46  C:\Program Files\Vremenko\vremenko .exe
</pre>


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06C663C3-A7C2-46E3-A30F-D01412F90DC3}]
C:\WINDOWS\system32\pmkjg.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{328c5736-3cb4-4309-aa2b-95b7a8150de9}]
C:\WINDOWS\system32\bdwesfos.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5068C268-6F1B-4A07-9C75-63E8B8FD7402}]
C:\WINDOWS\system32\vtutq.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="~C:\Program Files\MSN Messenger\MsnMsgr.exe" [ ]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [ ]
"Vremenko"="C:\Program Files\Vremenko\vremenko.exe" [ ]
"Skype"="C:\Program Files\Skype\Phone\Skype .exe" [ ]
"slide.exe"="c:\program files\slide\slide.exe" [ ]
"Tronteljcek"="" []
"SweetIM"="C:\Program Files\Macrogaming\SweetIM\SweetIM.exe" [ ]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2002-12-31 13:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [ ]
"HP Software Update"="C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [ ]
"Cmaudio"="cmicnfg.cpl" []

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\CTFMON.EXE" [2002-12-31 13:00 15360]

R0 viamraid;viamraid;C:\WINDOWS\system32\drivers\viamraid.sys [2007-07-17 12:35]
R0 videX32;videX32;C:\WINDOWS\system32\DRIVERS\videX32.sys [2007-03-29 10:36]
S3 EverestDriver;Lavalys EVEREST Kernel Driver;C:\Documents and Settings\Manca\My Documents\Downloads\Lavalys.EVEREST.Ultimate.Edition.v4.00.976.Multilingual.Incl.Keygen-ViRiLiTY\llvlseve\kerneld.wnt [2007-04-04 23:00]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - D:\Setup.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-01-11 19:32:04 C:\WINDOWS\Tasks\XoftSpy.job"
- C:\Program Files\XoftSpy\XoftSpy.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-26 13:43:38
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
MsnMsgr = ~"C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background?g

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-26 13:45:52
ComboFix-quarantined-files.txt 2008-01-26 12:45:47
.
2008-01-14 02:01:29 --- E O F ---

Attached Files

  • Attached File  log.zip   49.23KB   10 downloads


#14 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • OFFLINE
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:04:30 AM

Posted 26 January 2008 - 01:34 PM

Hi stricjux,

This computer is really infected.

You have some suspicious files we need to check.

Go to My Computer and double-click C.
Go to the Tools menu and select 'Folder Options'.
On the 'View' tab select 'show hidden files and folders',
deselect (uncheck) 'hide protected operating system files (recommended)', and
deselect (uncheck) 'Hide extensions for known file types'.


Go to the next site: http://www.virustotal.com/en/indexf.html
On top you'll find 'Browse'.
Click the browse button and browse to the next file:

C:\Program Files\Vremenko\vremenko.exe

Click open.
Then click the 'Send' button next to it.
This will scan the file. Please be patient.
Save the results in notepad.

Perform the same for the next files:

c:\program files\slide\slide.exe
C:\WINDOWS\wkssvr.exe


Once scanned, copy and paste the results also in your next reply.

******************************


Click Start, then Run and type Notepad and click OK.
Open notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text in the code box below into notepad:

KILLALL:: 

RenV:: 
----a-w            39,792 2007-12-26 11:05:33  C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl .exe
----a-w           284,184 2007-12-29 13:15:29  C:\Program Files\Common Files\Logitech\LComMgr\Communications_Helper .exe
----a-w           746,520 2007-12-29 13:15:29  C:\Program Files\Logitech\QuickCam10\QuickCam10 .exe
----a-w         1,694,208 2007-12-26 11:06:05  C:\Program Files\Messenger\msmsgs .exe
----a-w         1,460,560 2007-12-26 11:05:55  C:\Program Files\Spybot - Search & Destroy\TeaTimer .exe
----a-w         4,426,752 2007-12-26 11:05:46  C:\Program Files\Vremenko\vremenko .exe

File:: 
C:\WINDOWS\system32\fanvsvkw.ini
C:\WINDOWS\system32\rcycvmca.ini
C:\WINDOWS\system32\kiqlejwm.ini
C:\WINDOWS\system32\iqtrnmql.ini
C:\WINDOWS\system32\vgrdrvns.ini
C:\WINDOWS\system32\ohpnksjk.ini
C:\WINDOWS\system32\ctfmon.exe.tmp.000
C:\WINDOWS\system32\jupjrkip.ini
C:\WINDOWS\system32\ulntooqr.ini
C:\WINDOWS\system32\mrhwqyfp.ini
C:\WINDOWS\system32\tmjwubdk.ini
C:\WINDOWS\system32\thxcaidc.ini
C:\WINDOWS\system32\vlvsbphp.ini
C:\WINDOWS\system32\irxgmops.ini
C:\WINDOWS\system32\qyailals.ini
C:\WINDOWS\system32\nyvokfgr.ini
C:\WINDOWS\system32\tobmawmj.ini
C:\WINDOWS\system32\pmkjg.dll
C:\WINDOWS\system32\bdwesfos.dll
C:\WINDOWS\system32\vtutq.dll


Folder:: 
C:\VundoFix Backups

Registry:: 
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06C663C3-A7C2-46E3-A30F-D01412F90DC3}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{328c5736-3cb4-4309-aa2b-95b7a8150de9}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5068C268-6F1B-4A07-9C75-63E8B8FD7402}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Tronteljcek"=-


Name the Notepad file CFScript.txt and Save it to your desktop.

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


Then drag the CFScript into ComboFix.exe as you see in the screenshot below.



Posted Image

This will start ComboFix again. After reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
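The RenV:: block in the post above repairs programs that have been shadowed by a copy whose name carries a space before the extension (for example "XoftSpy .exe" sitting next to the genuine "XoftSpy.exe"). The following Python helper is an added example for this thread, not ComboFix's or BleepingComputer's code: it flags that naming pattern in a file listing and reports whether the genuine sibling is still present, which is the triage ComboFix's log performs before renaming. The listing it runs on is constructed from paths quoted in this thread; `scan_tree` is an assumed helper for walking a real directory, and nothing is renamed or deleted.

```python
"""Flag lookalike executables that carry a space before the extension.

Added example (not ComboFix's or BleepingComputer's code).  It reproduces
the triage behind the RenV:: section of a ComboFix log on a constructed
listing: a file such as "ctfmon .exe" next to the genuine "ctfmon.exe".
"""
import ntpath
import os
import re

# A basename whose executable-type extension is preceded by whitespace,
# e.g. "ctfmon .exe".  Spaces elsewhere in the name ("foo bar.exe") are fine.
SPACED_EXT = re.compile(
    r"^(?P<stem>.*\S)\s+(?P<ext>\.(?:exe|dll|cpl|scr))$", re.IGNORECASE
)


def find_spaced_extensions(paths):
    """Return findings for paths whose basename has whitespace before the extension.

    Each finding records the spaced path, the canonical (de-spaced) path,
    and whether that canonical sibling also appears in the listing.  A
    present sibling is the "shadow pair" situation the RenV:: block repairs;
    an absent sibling means the original was already replaced or renamed.
    """
    # Case-insensitive, separator-normalised set of every path seen.
    present = {ntpath.normcase(p) for p in paths}
    findings = []
    for p in paths:
        directory, base = ntpath.split(p)
        m = SPACED_EXT.match(base)
        if not m:
            continue
        canonical = ntpath.join(directory, m.group("stem") + m.group("ext"))
        findings.append({
            "spaced": p,
            "canonical": canonical,
            "sibling_present": ntpath.normcase(canonical) in present,
        })
    return findings


def renv_report(findings):
    """Format findings as a human-readable triage report, one line per file."""
    lines = []
    for f in findings:
        tag = "PAIR " if f["sibling_present"] else "ALONE"
        lines.append(f"{tag} {f['spaced']}  -> {f['canonical']}")
    return "\n".join(lines)


def scan_tree(root):
    """Assumed helper: walk a real directory tree and return findings (read-only)."""
    paths = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            paths.append(os.path.join(dirpath, name))
    return find_spaced_extensions(paths)


# Constructed listing modelled on paths quoted in this thread (not a real scan).
SAMPLE_LISTING = [
    r"C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2 .exe",
    r"C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe",
    r"C:\Program Files\XoftSpy\XoftSpy .exe",
    r"C:\WINDOWS\system32\ctfmon .exe",
    r"C:\WINDOWS\system32\ctfmon.exe",
    r"C:\WINDOWS\system32\ctfmon.exe.tmp",
    r"C:\WINDOWS\system32\kernel32.dll",
    r"C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl .exe",
]

if __name__ == "__main__":
    print(renv_report(find_spaced_extensions(SAMPLE_LISTING)))
```

On the sample listing the report marks HPWuSchd2 and ctfmon as PAIR (the genuine file is still beside the spaced copy) and XoftSpy and Reader_sl as ALONE. Against a live machine, `scan_tree(r"C:\Program Files")` applies the same check to every file under that tree; it only reports, so the actual rename stays with the ComboFix script the helper prescribed.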

#15 stricjux

stricjux
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  • Local time:12:30 PM

Posted 26 January 2008 - 02:28 PM

Hi stricjux,

This computer is really infected.

You have some suspicious files we need to check.

Go to My Computer and double-click C.
Go to the Tools menu and select 'Folder Options'.
On the 'View' tab select 'show hidden files and folders',
deselect (uncheck) 'hide protected operating system files (recommended)', and
deselect (uncheck) 'Hide extensions for known file types'.


Go to the next site: http://www.virustotal.com/en/indexf.html
On top you'll find 'Browse'.
Click the browse button and browse to the next file:

C:\Program Files\Vremenko\vremenko.exe

Click open.
Then click the 'Send' button next to it.
This will scan the file. Please be patient.
Save the results in notepad.

Perform the same for the next files:

c:\program files\slide\slide.exe
C:\WINDOWS\wkssvr.exe


Once scanned, copy and paste the results also in your next reply.

******************************


Click Start, then Run and type Notepad and click OK.
Open notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text in the code box below into notepad:

KILLALL:: 

RenV:: 
----a-w			39,792 2007-12-26 11:05:33  C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl .exe
----a-w		   284,184 2007-12-29 13:15:29  C:\Program Files\Common Files\Logitech\LComMgr\Communications_Helper .exe
----a-w		   746,520 2007-12-29 13:15:29  C:\Program Files\Logitech\QuickCam10\QuickCam10 .exe
----a-w		 1,694,208 2007-12-26 11:06:05  C:\Program Files\Messenger\msmsgs .exe
----a-w		 1,460,560 2007-12-26 11:05:55  C:\Program Files\Spybot - Search & Destroy\TeaTimer .exe
----a-w		 4,426,752 2007-12-26 11:05:46  C:\Program Files\Vremenko\vremenko .exe

File:: 
C:\WINDOWS\system32\fanvsvkw.ini
C:\WINDOWS\system32\rcycvmca.ini
C:\WINDOWS\system32\kiqlejwm.ini
C:\WINDOWS\system32\iqtrnmql.ini
C:\WINDOWS\system32\vgrdrvns.ini
C:\WINDOWS\system32\ohpnksjk.ini
C:\WINDOWS\system32\ctfmon.exe.tmp.000
C:\WINDOWS\system32\jupjrkip.ini
C:\WINDOWS\system32\ulntooqr.ini
C:\WINDOWS\system32\mrhwqyfp.ini
C:\WINDOWS\system32\tmjwubdk.ini
C:\WINDOWS\system32\thxcaidc.ini
C:\WINDOWS\system32\vlvsbphp.ini
C:\WINDOWS\system32\irxgmops.ini
C:\WINDOWS\system32\qyailals.ini
C:\WINDOWS\system32\nyvokfgr.ini
C:\WINDOWS\system32\tobmawmj.ini
C:\WINDOWS\system32\pmkjg.dll
C:\WINDOWS\system32\bdwesfos.dll
C:\WINDOWS\system32\vtutq.dll


Folder:: 
C:\VundoFix Backups

Registry:: 
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06C663C3-A7C2-46E3-A30F-D01412F90DC3}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{328c5736-3cb4-4309-aa2b-95b7a8150de9}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5068C268-6F1B-4A07-9C75-63E8B8FD7402}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Tronteljcek"=-


Name the Notepad file CFScript.txt and Save it to your desktop.

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


Then drag the CFScript into ComboFix.exe as you see in the screenshot below.



Posted Image

This will start ComboFix again. After reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.


Currently waiting for files to be scanned. Prior to infection, vremenko.exe was (or maybe still is :thumbsup:) a weather application for our region. Slide.exe was a picture slideshow screen saver. I should notify you that vremenko.exe does not exist anymore, only "vremenko .exe", which was submitted for inspection.



