Vundo/virtumonde Crashes Explorer



#1 rento

  • Members
  • 1 posts

Posted 25 February 2008 - 09:21 AM

hi guys,
my problems with vundo/virtumonde started with a vista pop-up telling me that some RunDLL is missing (the dll's name seems to be randomly created). after that pop-up, whenever i wanted to go into windows-explorer it closed itself immediately. also the task-bar was restarted..
after a first run of combofix.exe it all seemed ok (no missing-dll-popup after restart and regained explorer-functionality).
then after an hour or so:
-an internet explorer logo was automatically created on the desktop,
-internet explorer loaded some mysterious malware-killer site,
-the missing RunDLL window was prompted again, asking for a dll with another randomly created name and the win-explorer problem was back
-now offline, after running combofix.exe again, win-explorer's ok again, a windows pop-up asks me if i want to work in offline-mode or retry connecting. as soon as i go online my pc will probably be infected again..
what do i have to delete, run, do to get rid of this f*****?
thank you..

ps.: McAfee security center recognized vundo and probably deleted the randomly named dlls. spybot recognized virtumonde and removed some registry entries.
all that didn't fix the problem. (system-restore is disabled)

(vista ultimate on dell vostro 1500)


ComboFix 08-02-22.2 - Disko 2008-02-25 14:40:55.7 - NTFSx86
Microsoft® Windows Vista™ Ultimate 6.0.6000.0.1252.1.1031.18.2234 [GMT 1:00]
ausgeführt von:: C:\Users\Disko\Desktop\ComboFix.exe
.

((((((((((((((((((((((( Dateien erstellt von 2008-01-25 bis 2008-02-25 ))))))))))))))))))))))))))))))
.

2008-02-21 14:51 . 2008-02-21 14:52 <DIR> d-------- C:\Users\All Users\Lavasoft
2008-02-21 14:51 . 2008-02-21 14:52 <DIR> d-------- C:\ProgramData\Lavasoft
2008-02-21 14:51 . 2008-02-21 14:51 <DIR> d-------- C:\Program Files\Lavasoft
2008-02-21 14:50 . 2008-02-21 14:50 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-02-21 13:36 . 2008-02-21 14:01 <DIR> d-------- C:\Users\All Users\Spybot - Search & Destroy
2008-02-21 13:36 . 2008-02-21 14:01 <DIR> d-------- C:\ProgramData\Spybot - Search & Destroy
2008-02-21 13:36 . 2008-02-21 13:36 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-02-21 13:00 . 2008-02-21 14:22 <DIR> d-a------ C:\Users\All Users\TEMP
2008-02-21 13:00 . 2008-02-21 14:22 <DIR> d-a------ C:\ProgramData\TEMP
2008-02-20 15:38 . 2008-02-20 15:38 <DIR> d-------- C:\Users\All Users\ESET
2008-02-20 15:38 . 2008-02-20 15:38 <DIR> d-------- C:\ProgramData\ESET
2008-02-20 13:19 . 2008-02-20 13:19 <DIR> d-------- C:\Program Files\CCleaner
2008-02-16 05:12 . 2008-01-10 06:42 1,244,672 --a------ C:\Windows\System32\mcmde.dll
2008-02-13 23:54 . 2008-02-13 23:54 194,560 --a------ C:\Windows\System32\WebClnt.dll
2008-02-13 23:54 . 2008-02-13 23:54 110,080 --a------ C:\Windows\System32\drivers\mrxdav.sys
2008-02-13 23:50 . 2008-02-13 23:50 4,247,552 --a------ C:\Windows\System32\GameUXLegacyGDFs.dll
2008-02-12 13:10 . 2008-02-12 13:10 <DIR> d-------- C:\Users\Disko\AppData\Roaming\Bullzip
2008-02-12 13:07 . 2007-10-13 12:11 200,704 --a------ C:\Windows\System32\bzpdf.dll
2008-02-12 13:06 . 2008-02-12 13:06 <DIR> d-------- C:\Program Files\Bullzip
2008-02-09 17:55 . 2008-02-09 18:07 <DIR> d-------- C:\Windows\lhsp
2008-02-09 16:12 . 2008-02-09 16:13 <DIR> d-------- C:\Program Files\QuickTime
2008-01-31 23:13 . 2008-01-31 23:13 90,112 --a------ C:\Windows\System32\QuickTimeVR.qtx
2008-01-31 23:13 . 2008-01-31 23:13 57,344 --a------ C:\Windows\System32\QuickTime.qts
2008-01-28 23:25 . 2008-01-28 23:25 <DIR> d-------- C:\Program Files\Cycling '74
2008-01-28 23:25 . 2008-01-28 23:25 78,648 --a------ C:\Windows\System32\drivers\temp.001
2008-01-28 23:20 . 2008-02-16 18:27 <DIR> d-------- C:\Users\Disko\AppData\Roaming\Digidesign
2008-01-28 23:08 . 2008-01-28 23:08 <DIR> d-------- C:\Digidesign Databases
2008-01-28 22:59 . 2007-10-31 00:34 196,608 --a------ C:\Windows\System32\Digi32.dll
2008-01-28 22:56 . 2008-01-28 22:56 <DIR> d-------- C:\Users\Disko\AppData\Roaming\InstallShield
2008-01-28 21:44 . 2008-02-16 16:31 54,156 --ah----- C:\Windows\QTFont.qfn
2008-01-28 21:44 . 2008-01-28 21:44 1,409 --a------ C:\Windows\QTFont.for
2008-01-28 19:05 . 2006-11-30 14:49 233,472 --a------ C:\Users\Disko\AppData\Roaming\REX Shared Library.dll
2008-01-28 19:04 . 2006-11-30 14:49 368,640 --a------ C:\Users\Disko\AppData\Roaming\ReWire.dll
2008-01-28 18:05 . 2008-01-28 18:05 78,648 --a------ C:\Windows\System32\drivers\temp.000
2008-01-28 14:37 . 2008-01-28 14:37 <DIR> d-------- C:\Program Files\Common Files\PACE Anti-Piracy
2008-01-28 14:31 . 2008-01-28 14:31 <DIR> d-------- C:\Program Files\InterLok
2008-01-28 14:24 . 2008-01-28 22:57 <DIR> d-------- C:\Program Files\Digidesign
2008-01-28 14:24 . 2008-01-28 22:57 <DIR> d-------- C:\Program Files\Common Files\Digidesign
2008-01-28 14:24 . 2002-01-05 05:48 974,848 --------- C:\Windows\System32\mfc70.dll
2008-01-28 14:24 . 2007-09-05 11:43 630,784 --------- C:\Windows\System32\ilinet.dll
2008-01-28 14:24 . 2002-01-05 04:40 487,424 --------- C:\Windows\System32\msvcp70.dll
2008-01-28 14:24 . 2002-01-05 04:37 344,064 --------- C:\Windows\System32\msvcr70.dll
2008-01-28 14:24 . 2006-03-29 15:11 233,472 --------- C:\Windows\System32\REX Shared Library.dll
2008-01-28 14:24 . 2001-06-27 10:13 217,088 --------- C:\Windows\System32\qtmlClient.dll
2008-01-28 14:24 . 2007-10-31 02:15 97,808 --a------ C:\Windows\System32\drivers\Dalwdm.sys

.
(((((((((((((((((((((((((((((((((((( Find3M Bericht ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-25 13:39 --------- d-----w C:\Users\Disko\AppData\Roaming\skypePM
2008-02-25 13:39 --------- d-----w C:\Users\Disko\AppData\Roaming\Skype
2008-02-20 12:10 --------- d-----w C:\Program Files\McAfee
2008-02-19 23:37 197,687 ----a-w C:\Users\Disko\AppData\Roaming\nvModes.dat
2008-02-19 21:44 --------- d-----w C:\Users\Disko\AppData\Roaming\dvdcss
2008-02-19 10:23 --------- d-----w C:\Users\Disko\AppData\Roaming\OpenOffice.org2
2008-02-17 13:59 --------- d-----w C:\Program Files\Common Files\Adobe
2008-02-14 16:07 --------- d-----w C:\ProgramData\Roxio
2008-02-13 22:50 806,400 ----a-w C:\Windows\system32\drivers\tcpip.sys
2008-02-13 22:48 824,832 ----a-w C:\Windows\System32\wininet.dll
2008-02-13 22:48 56,320 ----a-w C:\Windows\System32\iesetup.dll
2008-02-13 22:48 52,736 ----a-w C:\Windows\AppPatch\iebrshim.dll
2008-02-13 22:48 26,624 ----a-w C:\Windows\System32\ieUnatt.exe
2008-01-28 21:57 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-28 13:37 --------- d-----w C:\Users\Disko\AppData\Roaming\PACE Anti-Piracy
2008-01-28 13:37 --------- d-----w C:\ProgramData\PACE Anti-Piracy
2008-01-27 13:59 --------- d-----w C:\Users\Disko\AppData\Roaming\Cycling '74
2008-01-24 15:09 --------- d-----w C:\Program Files\GermaniX Transcoder
2008-01-24 12:05 --------- d-----w C:\Program Files\Google
2008-01-24 11:06 --------- d-----w C:\Users\Disko\AppData\Roaming\Roxio
2008-01-19 16:37 --------- d-----w C:\Users\Disko\AppData\Roaming\NewsBin
2008-01-19 12:45 --------- d-----w C:\ProgramData\NewsBin
2008-01-12 14:50 --------- d-----w C:\Program Files\OpenOffice.org 2.3
2008-01-11 10:25 --------- d-----w C:\Program Files\Last.fm
2008-01-11 09:04 --------- d-----w C:\ProgramData\NVIDIA
2008-01-09 10:38 --------- d-----w C:\Program Files\Windows Sidebar
2008-01-09 10:38 --------- d-----w C:\Program Files\Windows Mail
2008-01-09 10:30 211,000 ----a-w C:\Windows\system32\drivers\volsnap.sys
2008-01-09 10:30 11,776 ----a-w C:\Windows\System32\sbunattend.exe
2008-01-09 10:30 1,060,920 ----a-w C:\Windows\system32\drivers\ntfs.sys
2008-01-08 23:10 --------- d-----w C:\Program Files\MusicBrainz Picard
2008-01-08 14:20 552 ----a-w C:\Users\Disko\AppData\Roaming\wklnhst.dat
2008-01-08 09:38 --------- d-----w C:\ProgramData\Apple Computer
2008-01-03 15:53 --------- d-----w C:\Users\Disko\AppData\Roaming\JAM Software
2008-01-02 16:13 --------- d-----w C:\Program Files\CrossLoop
2008-01-01 23:13 --------- d-----w C:\Program Files\SigmaTel
2008-01-01 20:51 --------- d-----w C:\Program Files\Spectrogram 15
2008-01-01 18:51 --------- d-----w C:\ProgramData\FLEXnet
2008-01-01 18:40 --------- d-----w C:\Program Files\Bonjour
2008-01-01 18:33 --------- d-----w C:\Program Files\Common Files\Macrovision Shared
2007-12-30 14:21 --------- d-----w C:\Program Files\Real Alternative
2007-12-29 17:34 --------- d-----w C:\Users\Disko\AppData\Roaming\Apple Computer
2007-12-29 17:32 --------- d-----w C:\Program Files\Common Files\Apple
2007-12-21 18:05 32 ----a-w C:\Users\All Users\ezsid.dat
2007-12-21 18:05 32 ----a-w C:\ProgramData\ezsid.dat
2007-12-21 14:27 53,080 ----a-w C:\Windows\System32\wuauclt.exe
2007-12-21 14:27 43,352 ----a-w C:\Windows\System32\wups2.dll
2007-12-21 14:27 1,712,984 ----a-w C:\Windows\System32\wuaueng.dll
2007-12-21 14:27 1,524,224 ----a-w C:\Windows\System32\wucltux.dll
2007-12-21 14:19 80,896 ----a-w C:\Windows\System32\wudriver.dll
2007-12-21 14:19 549,720 ----a-w C:\Windows\System32\wuapi.dll
2007-12-21 14:19 33,624 ----a-w C:\Windows\System32\wups.dll
2007-12-21 14:18 31,232 ----a-w C:\Windows\System32\wuapp.exe
2007-12-21 14:18 163,000 ----a-w C:\Windows\System32\wuwebv.dll
2007-12-19 22:41 87,040 ----a-w C:\Windows\System32\msoert2.dll
2007-12-19 22:41 750,080 ----a-w C:\Windows\System32\qmgr.dll
2007-12-19 22:41 39,424 ----a-w C:\Windows\System32\ACCTRES.dll
2007-12-19 22:41 229,888 ----a-w C:\Windows\System32\msshsq.dll
2007-12-19 22:41 205,824 ----a-w C:\Windows\System32\msoeacct.dll
2007-12-19 22:41 1,335,296 ----a-w C:\Windows\System32\msxml6.dll
2007-12-19 22:39 8,704 ----a-w C:\Windows\System32\hcrstco.dll
2007-12-19 22:39 8,704 ----a-w C:\Windows\System32\hccoin.dll
2007-12-19 22:39 8,147,968 ----a-w C:\Windows\System32\wmploc.DLL
2007-12-19 22:39 7,680 ----a-w C:\Windows\System32\spwmp.dll
2007-12-19 22:39 4,096 ----a-w C:\Windows\System32\dxmasf.dll
2007-12-19 22:39 374,456 ----a-w C:\Windows\System32\mcupdate_GenuineIntel.dll
2007-12-19 22:39 356,864 ----a-w C:\Windows\System32\MediaMetadataHandler.dll
2007-12-19 22:38 974,336 ----a-w C:\Windows\System32\crypt32.dll
2007-12-19 22:38 788,992 ----a-w C:\Windows\System32\rpcrt4.dll
2007-12-19 22:38 633,856 ----a-w C:\Windows\System32\user32.dll
2007-12-19 22:38 414,208 ----a-w C:\Windows\System32\msscp.dll
2007-12-19 22:35 84,480 ----a-w C:\Windows\System32\INETRES.dll
2007-12-19 22:35 737,792 ----a-w C:\Windows\System32\inetcomm.dll
2007-12-19 22:35 49,664 ----a-w C:\Windows\System32\csrsrv.dll
2007-12-19 22:35 376,320 ----a-w C:\Windows\System32\winsrv.dll
2007-12-19 22:35 1,191,936 ----a-w C:\Windows\System32\msxml3.dll
2007-12-19 22:33 98,304 ----a-w C:\Windows\System32\mssitlb.dll
2007-12-19 22:32 53,760 ----a-w C:\Windows\System32\Mcx2Svc.dll
2007-12-19 22:32 414,208 ----a-w C:\Windows\System32\msdri.dll
2007-12-19 22:32 292,352 ----a-w C:\Windows\System32\psisdecd.dll
2007-12-19 22:32 22,632 ----a-w C:\Windows\System32\streamci.dll
2007-12-19 22:32 160,872 ----a-w C:\Windows\System32\halmacpi.dll
2007-12-19 22:32 134,760 ----a-w C:\Windows\System32\halacpi.dll
2007-12-19 22:32 134,144 ----a-w C:\Windows\System32\rdpdd.dll
2007-12-19 14:49 174 --sha-w C:\Program Files\desktop.ini
2007-12-14 10:32 12,632 ----a-w C:\Windows\System32\lsdelete.exe
.

(((((((((((((((((((((((((((( Autostart Punkte der Registrierung ))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Hinweis* leere Eintrage & legitime Standardeintrage werden nicht angezeigt.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\{FD8348AB-D74A-4C76-B2FE-926FF6D7CC40}]
@=MacDrive Volume Icons

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="C:\Windows\ehome\ehTray.exe" [2006-11-02 13:34 125440]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2007-12-07 15:08 21686568]
"GMX SMS-Manager"="C:\Program Files\GMX\GMX SMS-Manager\SMSMngr.exe" [2007-07-19 11:17 3539968]
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [2008-01-09 11:30 1232896]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-11-02 13:33 201728]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]
"cmds"="C:\Users\Disko\AppData\Local\Temp\pmkkl.dll" [2008-02-17 15:22 321536]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2007-12-19 23:34 1006264]
"ECenter"="C:\Dell\E-Center\EULALauncher.exe" [2007-05-25 07:03 17920]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2007-06-04 06:21 857648]
"OEM02Mon.exe"="C:\Windows\OEM02Mon.exe" [2007-08-29 06:54 36864]
"Windows Mobile Device Center"="%windir%\WindowsMobile\wmdc.exe" [ ]
"SunJavaUpdateSched"="c:\Program Files\Java\jre1.6.0\bin\jusched.exe" [2007-12-19 15:58 77824]
"DELL Webcam Manager"="C:\Program Files\Dell\Dell Webcam Manager\DellWMgr.exe" [2007-07-27 17:43 118784]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2006-10-03 12:37 81920]
"RoxWatchTray"="C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2006-11-05 12:22 221184]
"MskAgentexe"="C:\Program Files\McAfee\MSK\MskAgent.exe" [2007-01-17 18:30 152144]
"PCMService"="C:\Program Files\Dell\MediaDirect\PCMService.exe" [2007-04-16 17:10 184320]
"dscactivate"="C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 10:24 16384]
"{B179023B-6238-4499-8F26-CD73E9D90E0A}"="C:\Program Files\Mediafour\MacDrive 7\MacDrive.exe" [2007-07-12 10:57 179288]
"MDGetStarted.exe"="C:\Program Files\Mediafour\MacDrive 7\MDGetStarted.exe" [2007-06-13 13:23 139264]
"SigmatelSysTrayApp"="C:\Program Files\SigmaTel\C-Major Audio\WDM\sttray.exe" [2007-09-07 10:23 405504]
"NvSvc"="C:\Windows\system32\nvsvc.dll" [2007-10-04 21:24 86016]
"NvCplDaemon"="C:\Windows\system32\NvCpl.dll" [2007-10-04 21:24 8497696]
"NvMediaCenter"="C:\Windows\system32\NvMcTray.dll" [2007-10-04 21:24 81920]
"NVHotkey"="C:\Windows\system32\nvHotkey.dll" [2007-10-04 21:24 86016]
"DigidesignMMERefresh"="C:\Program Files\Digidesign\Drivers\MMERefresh.exe" [2007-10-31 00:35 77824]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-01-31 23:13 385024]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]

C:\Users\Disko\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Last.fm Helper.lnk - C:\Program Files\Last.fm\LastFMHelper.exe [2007-12-21 17:04:35 106496]

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
BTTray.lnk - C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe [2006-11-03 18:55:50 703280]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2007-12-19 16:02:11 50688]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

R0 MDFSYSNT;MacDrive file system driver;C:\Windows\system32\drivers\MDFSYSNT.sys [2007-09-05 15:01]
R0 MDPMGRNT;MDPMGRNT;C:\Windows\system32\drivers\MDPMGRNT.sys [2007-02-28 11:15]
R2 AESTFilters;Andrea ST Filters Service;C:\Windows\system32\aestsrv.exe [2007-08-29 13:25]
R2 DigiNet;Digidesign Ethernet Support;C:\Windows\system32\DRIVERS\diginet.sys [2007-10-31 02:16]
R2 MacDriveService;MacDriveService;"C:\Program Files\Mediafour\MacDrive 7\MacDriveService.exe" [2007-05-01 14:55]
R2 RapiMgr;Windows Mobile-based device connectivity;C:\Windows\system32\svchost.exe [2006-11-02 10:45]
R2 SBSDWSCService;SBSD Security Center Service;C:\Program Files\Spybot []
R2 WcesComm;Windows Mobile-2003-based device connectivity;C:\Windows\system32\svchost.exe [2006-11-02 10:45]
R2 XAudio;XAudio;C:\Windows\system32\DRIVERS\xaudio.sys [2007-04-29 06:24]
R3 NETw4v32;Intel® Wireless WiFi Link Adaptertreiber für Windows Vista 32 Bit;C:\Windows\system32\DRIVERS\NETw4v32.sys [2007-02-25 15:14]
R3 OEM02Dev;Creative Camera OEM002 Driver;C:\Windows\system32\DRIVERS\OEM02Dev.sys [2007-10-10 17:03]
R3 OEM02Vfx;Creative Camera OEM002 Video VFX Driver;C:\Windows\system32\DRIVERS\OEM02Vfx.sys [2007-08-29 06:55]
S3 btwaudio;Bluetooth-Audiogerät;C:\Windows\system32\drivers\btwaudio.sys [2006-11-07 02:37]
S3 btwavdt;Bluetooth AVDT Service;C:\Windows\system32\drivers\btwavdt.sys [2006-11-07 00:13]
S3 btwrchid;btwrchid;C:\Windows\system32\DRIVERS\btwrchid.sys [2006-11-07 00:13]
S3 dalwdmservice;dal service;C:\Windows\system32\drivers\dalwdm.sys [2007-10-31 02:15]
S3 MBX2DFU;MBX2DFU;C:\Windows\system32\DRIVERS\MBX2DFU.sys [2007-10-31 02:16]
S3 MBX2MIDK;Digidesign Mbox 2 Midi Driver;C:\Windows\system32\drivers\mbx2midk.sys [2007-10-31 02:16]
S3 R300;R300;C:\Windows\system32\DRIVERS\atikmdag.sys [2006-11-02 08:36]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs REG_MULTI_SZ BthServ
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{159b1c8f-c767-11dc-b692-001dd9eaa753}]
\shell\AutoRun\command - F:\LaunchU3.exe -a

.
Inhalt des "geplante Tasks" Ordners
"2007-12-19 15:19:46 C:\Windows\Tasks\McDefragTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe'
"2007-12-19 15:19:46 C:\Windows\Tasks\McQcTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe
"2008-02-25 13:40:15 C:\Windows\Tasks\User_Feed_Synchronization-{82FF5C63-A132-47C9-90B9-8B47F0FD06B7}.job"
- C:\Windows\system32\msfeedssync.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-25 14:42:57
Windows 6.0.6000 NTFS

Scanne versteckte Prozesse...

Scanne versteckte Autostart Einträge...

Scanne versteckte Dateien...

Scan erfolgreich abgeschlossen
versteckte Dateien: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\Windows\Explorer.exe [6.00.6000.16549]
-> C:\Users\Disko\AppData\Local\Temp\pmkkl.dll
.
Zeit der Fertigstellung: 2008-02-25 14:43:27
ComboFix2.txt 2008-02-22 10:26:10
ComboFix3.txt 2008-02-21 18:03:35
ComboFix4.txt 2008-02-20 16:13:01
.
2008-02-16 11:34:30 --- E O F ---






Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:45:10, on 25.02.2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16609)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Windows Defender\MSASCui.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\McAfee\MPS\mpsevh.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\OEM02Mon.exe
C:\Windows\WindowsMobile\wmdc.exe
C:\Program Files\Java\jre1.6.0\bin\jusched.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe
C:\Program Files\McAfee\MSK\mskagent.exe
C:\Program Files\Dell\MediaDirect\PCMService.exe
C:\Program Files\Mediafour\MacDrive 7\MacDrive.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\sttray.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Last.fm\LastFMHelper.exe
C:\Windows\System32\mobsync.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Windows Mail\WinMail.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\CPSHelpRunner.exe
C:\Windows\system32\conime.exe
C:\Windows\Explorer.exe
C:\Windows\system32\SearchFilterHost.exe
c:\program files\mcafee\msc\mcuimgr.exe
C:\Windows\system32\msfeedssync.exe
C:\Users\Disko\Downloads\HiJackThis202.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://partnerpage.google.com/smallbiz.del...amp;ibd=1071219
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\program files\mcafee\virusscan\scriptcl.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [ECenter] C:\Dell\E-Center\EULALauncher.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [OEM02Mon.exe] C:\Windows\OEM02Mon.exe
O4 - HKLM\..\Run: [Windows Mobile Device Center] %windir%\WindowsMobile\wmdc.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "c:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - HKLM\..\Run: [DELL Webcam Manager] "C:\Program Files\Dell\Dell Webcam Manager\DellWMgr.exe" /s
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
O4 - HKLM\..\Run: [MskAgentexe] C:\Program Files\McAfee\MSK\MskAgent.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\MediaDirect\PCMService.exe"
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [{B179023B-6238-4499-8F26-CD73E9D90E0A}] "C:\Program Files\Mediafour\MacDrive 7\MacDrive.exe"
O4 - HKLM\..\Run: [MDGetStarted.exe] "C:\Program Files\Mediafour\MacDrive 7\MDGetStarted.exe" /auto
O4 - HKLM\..\Run: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\sttray.exe
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NVHotkey] rundll32.exe C:\Windows\system32\nvHotkey.dll,Start
O4 - HKLM\..\Run: [DigidesignMMERefresh] C:\Program Files\Digidesign\Drivers\MMERefresh.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [GMX SMS-Manager] C:\Program Files\GMX\GMX SMS-Manager\SMSMngr.exe
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [cmds] rundll32.exe C:\Users\Disko\AppData\Local\Temp\pmkkl.dll,c
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETZWERKDIENST')
O4 - Startup: Last.fm Helper.lnk = C:\Program Files\Last.fm\LastFMHelper.exe
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe
O8 - Extra context menu item: Bild an &Bluetooth-Gerät senden... - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Seite an &Bluetooth-Gerät senden... - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - c:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - c:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
O9 - Extra button: @C:\Windows\WindowsMobile\INetRepl.dll,-222 - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra 'Tools' menuitem: @C:\Windows\WindowsMobile\INetRepl.dll,-223 - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O13 - Gopher Prefix:
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Andrea ST Filters Service (AESTFilters) - Andrea Electronics Corporation - C:\Windows\system32\aestsrv.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Digidesign MME Refresh Service (DigiRefresh) - Digidesign, A Division of Avid Technology, Inc. - C:\Program Files\Digidesign\Drivers\MMERefresh.exe
O23 - Service: digiSPTIService - Digidesign, A Division of Avid Technology, Inc. - C:\Program Files\Digidesign\Pro Tools\digiSPTIService.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: MacDriveService - Mediafour Corporation - C:\Program Files\Mediafour\MacDrive 7\MacDriveService.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Privacy Service (MPS9) - McAfee, Inc. - C:\PROGRA~1\McAfee\MPS\mps.exe
O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: SigmaTel Audio Service (STacSV) - IDT, Inc. - C:\Windows\system32\STacSV.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 12166 bytes


Edited by rento, 25 February 2008 - 10:14 AM.
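The persistence point in the logs above is the HKCU Run value "cmds", which starts rundll32.exe on a randomly named DLL in the user's Temp folder (the same DLL ComboFix shows loaded inside Explorer.exe). As an added example, not part of the original post or of HijackThis, here is a small parser for the O4 Run lines of a HijackThis v2 log with a heuristic that flags entries loading a DLL through rundll32 from a user-writable temp folder; the sample lines are copied from the posted log, and the marker list and function names are this script's own assumptions.

```python
"""Flag suspicious autostart (O4) entries in a HijackThis v2 log.

Added example (not the poster's code and not part of HijackThis): parses
"O4 - <hive>\..\Run: [name] command" lines and flags the pattern seen in
the log above, rundll32.exe loading a DLL from %Temp% with a one-letter
export.  Folder markers and heuristics below are this script's own choices.
"""
import re
from dataclasses import dataclass, field

# O4 lines: "O4 - HKCU\..\Run: [cmds] rundll32.exe C:\...\pmkkl.dll,c"
O4_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")

# rundll32[.exe] <dll>[,<export>] with optional quoting and optional path
RUNDLL_RE = re.compile(
    r'^"?(?:[a-z]:\\[^"\s]*\\)?rundll32(?:\.exe)?"?\s+"?(?P<dll>[^",]+\.dll)"?(?:,(?P<export>\S+))?',
    re.I,
)

# Folders an unprivileged user can write to; legitimate software rarely
# registers a logon DLL/EXE that lives here (assumed list, lower-case).
USER_WRITABLE = (
    "\\appdata\\local\\temp\\",
    "\\local settings\\temp\\",
    "\\users\\public\\",
    "\\programdata\\temp\\",
)


@dataclass
class O4Entry:
    hive: str
    name: str
    cmd: str
    reasons: list = field(default_factory=list)


def parse_o4(log_text):
    """Return every O4 Run entry found in the log text, in order."""
    entries = []
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if m:
            entries.append(O4Entry(m["hive"], m["name"], m["cmd"]))
    return entries


def rundll32_target(cmd):
    """(dll, export) if the command is a rundll32 launch, else None."""
    m = RUNDLL_RE.match(cmd)
    if not m:
        return None
    return m["dll"], (m["export"] or "")


def launched_path(cmd):
    """The file actually executed or loaded by this Run command."""
    target = rundll32_target(cmd)
    if target:
        return target[0]
    m = re.match(r'^"([^"]+)"|^(\S+)', cmd)
    return (m.group(1) or m.group(2)) if m else cmd


def assess(entry):
    """Append human-readable reasons to entry.reasons; return them."""
    path = launched_path(entry.cmd).lower()
    in_user_dir = any(marker in path for marker in USER_WRITABLE)
    target = rundll32_target(entry.cmd)
    if target:
        _dll, export = target
        if in_user_dir:
            entry.reasons.append("rundll32 loads a DLL from a user-writable temp folder")
        if len(export) <= 2:
            entry.reasons.append(f"rundll32 export name {export!r} is missing or opaque")
    elif in_user_dir:
        entry.reasons.append("executable lives in a user-writable temp folder")
    return entry.reasons


def scan(log_text):
    """Return (hive, name, reasons) for each flagged O4 entry."""
    return [(e.hive, e.name, e.reasons) for e in parse_o4(log_text) if assess(e)]


# Sample lines copied from the HijackThis log posted above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [cmds] rundll32.exe C:\Users\Disko\AppData\Local\Temp\pmkkl.dll,c
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOKALER DIENST')
"""

if __name__ == "__main__":
    for hive, name, reasons in scan(SAMPLE_LOG):
        print(f"{hive}\\..\\Run [{name}]: " + "; ".join(reasons))
```

The legitimate NVIDIA and Welcome Center rundll32 entries pass because they load from the Windows directory with a descriptive export name; only the "cmds" entry is reported.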


#2 Yourhighness

    The BSG Malware Fighter

  • Malware Response Team
  • 7,943 posts
  • Gender:Male
  • Location:Hamburg

Posted 15 March 2008 - 06:05 AM

Hello rento and welcome to BleepingComputer!

Apologies for the delay. The forum has been very busy lately. Running ComboFix without guided help is not suggested as you can seriously harm your pc if you use this tool incorrectly.

If you are still having problems please post a brand new HijackThis log as a reply to this topic. Before posting the log, please make sure you follow all the steps found in this topic: Preparation Guide For Use Before Posting A Hijackthis Log.

Please also post the problems you are having.

Thanks,

Johannes

"How did I get infected?" - "Safe-hex" - Member of UNITE




