Infected With Virtumonde (i Believe)! Any Help Greatly Appreciated!


  • This topic is locked
6 replies to this topic

#1 Goodspeed742

  • Members
  • 4 posts

Posted 29 February 2008 - 03:12 PM

I did all of the suggested steps before posting a HJT log. I'm experiencing lots of popups and my system is running awkwardly. Any suggestions and/or help would be greatly appreciated.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:06:19 PM, on 2/29/2008
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\NMSSvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\WINDOWS\mHotkey.exe
C:\WINDOWS\GWMDMMSG.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\System32\Rundll32.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Spark\Spark.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bowlingball.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.bestbuy.msn.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.bestbuy.msn.com/
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [{59-9A-A4-40-DW}] C:\WINDOWS\SYSTEM32\r2\renabcom4.exe DWram
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [f0a59aef] rundll32.exe "C:\WINDOWS\System32\eptfhqhp.dll",b
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [BMf396a973] Rundll32.exe "C:\WINDOWS\System32\vyancceu.dll",s
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Spark] C:\Program Files\Spark\Spark.exe
O4 - HKCU\..\Run: [WebBuying] C:\Program Files\Web Buying\v1.8.8\webbuying.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: DW_Start.lnk = C:\WINDOWS\SYSTEM32\r2\renabcom4.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O14 - IERESET.INF: START_PAGE_URL=http://www.bestbuy.msn.com
O16 - DPF: {343CE214-9998-4B21-A151-FFE970167297} - http://xscanner.spyshredderscanner.com/setup/webinst.cab
O16 - DPF: {50BD5CDA-4BA8-4048-8FAA-763F222E41D8} - ms-its:mhtml:file://c:\\nores.mht!http://adxanet.net/code/chm/xpre.chm::/xpreload.ocx
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe

--
End of file - 3673 bytes


#2 miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 29 February 2008 - 03:33 PM

Hi,

I want you to perform some things first, because it doesn't make any sense to try to clean up your system if nothing is preventing malware from being installed again.

I see no antivirus installed on your system, and I also see that your Windows isn't up to date.

You don't even have Service Pack 1 installed! Remember that your system is extremely vulnerable without the necessary security patches/updates, so malware can get installed automatically while surfing without any problems... and that is the main reason why you are now infected, because, if your Windows were up to date, the security patches could have prevented this.

So, what I want you to do right now is, please update your Windows to Service Pack 1a.
We'll get SP2 later when your system is clean again. Do not install SP2 while your system is still infected. That's why you should only install SP1a first.
Visit http://www.microsoft.com/windowsxp/downloa...p1/default.mspx to update.
If you do not have a legitimate copy of Windows or will not be keeping your copy updated and patched, there is little point in cleaning a system that will be re-infected almost immediately.

REBOOT afterwards.

When done, install an antivirus.

Please install Avira,

Perform a full scan with Avira and let it delete everything it finds.
Then reboot.
After the reboot, open Avira and select "Reports".
There, double-click the report from the full scan you have done. Click the "Report File" button and copy and paste this report in your next reply, together with a new HijackThis log.

Edited by miekiemoes, 29 February 2008 - 03:34 PM.


#3 Goodspeed742

  • Topic Starter

  • Members
  • 4 posts

Posted 29 February 2008 - 06:25 PM

Hi miekiemoes! I look forward to working with you on the problem I'm having. Thank you for your generosity!

I installed SP1 and Avira. Here's the Avira Report:



AntiVir PersonalEdition Classic
Report file date: Friday, February 29, 2008 17:28

Scanning for 1129035 virus strains and unwanted programs.

Licensed to: Avira AntiVir PersonalEdition Classic
Serial number: 0000149996-ADJIE-0001
Platform: Windows XP
Windows version: (Service Pack 1) [5.1.2600]
Username: SYSTEM
Computer name: PROSHOP

Version information:
BUILD.DAT : 270 15603 Bytes 9/19/2007 13:32:00
AVSCAN.EXE : 7.0.6.1 290856 Bytes 8/23/2007 19:16:29
AVSCAN.DLL : 7.0.6.0 49192 Bytes 8/16/2007 18:23:51
LUKE.DLL : 7.0.5.3 147496 Bytes 8/14/2007 21:32:47
LUKERES.DLL : 7.0.6.1 10280 Bytes 8/21/2007 18:35:20
ANTIVIR0.VDF : 6.40.0.0 11030528 Bytes 7/18/2007 20:27:15
ANTIVIR1.VDF : 7.0.1.95 3367424 Bytes 12/14/2007 22:26:53
ANTIVIR2.VDF : 7.0.2.181 1993728 Bytes 2/24/2008 22:26:53
ANTIVIR3.VDF : 7.0.2.215 117248 Bytes 2/29/2008 22:26:53
AVEWIN32.DLL : 7.6.0.73 3334656 Bytes 2/29/2008 22:26:53
AVWINLL.DLL : 1.0.0.7 14376 Bytes 2/26/2007 16:36:26
AVPREF.DLL : 7.0.2.2 25640 Bytes 7/18/2007 13:39:17
AVREP.DLL : 7.0.0.1 155688 Bytes 4/16/2007 19:16:24
AVPACK32.DLL : 7.6.0.3 360488 Bytes 2/29/2008 22:26:54
AVREG.DLL : 7.0.1.6 30760 Bytes 7/18/2007 13:17:06
AVARKT.DLL : 1.0.0.20 278568 Bytes 8/28/2007 18:26:33
AVEVTLOG.DLL : 7.0.0.20 86056 Bytes 7/18/2007 13:10:18
NETNT.DLL : 7.0.0.0 7720 Bytes 3/8/2007 17:09:42
RCIMAGE.DLL : 7.0.1.30 2342952 Bytes 8/7/2007 18:38:13
RCTEXT.DLL : 7.0.62.0 86056 Bytes 8/21/2007 18:50:37
SQLITE3.DLL : 3.3.17.1 339968 Bytes 7/23/2007 15:37:21

Configuration settings for the scan:
Jobname..........................: Complete system scan
Configuration file...............: c:\program files\avira\antivir personaledition classic\sysscan.avp
Logging..........................: low
Primary action...................: interactive
Secondary action.................: ignore
Scan master boot sector..........: off
Scan boot sector.................: on
Boot sectors.....................: C:,
Scan memory......................: on
Process scan.....................: on
Scan registry....................: on
Search for rootkits..............: off
Scan all files...................: Intelligent file selection
Scan archives....................: on
Recursion depth..................: 20
Smart extensions.................: on
Macro heuristic..................: on
File heuristic...................: medium

Start of the scan: Friday, February 29, 2008 17:28

The scan of running processes will be started
Scan process 'guardgui.exe' - '1' Module(s) have been scanned
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'guardgui.exe' - '1' Module(s) have been scanned
Scan process 'guardgui.exe' - '0' Module(s) have been scanned
Scan process 'guardgui.exe' - '0' Module(s) have been scanned
Scan process 'guardgui.exe' - '0' Module(s) have been scanned
Scan process 'guardgui.exe' - '0' Module(s) have been scanned
Scan process 'guardgui.exe' - '0' Module(s) have been scanned
Scan process 'guardgui.exe' - '0' Module(s) have been scanned
Scan process 'guardgui.exe' - '0' Module(s) have been scanned
Scan process 'guardgui.exe' - '0' Module(s) have been scanned
Scan process 'guardgui.exe' - '0' Module(s) have been scanned
Scan process 'guardgui.exe' - '0' Module(s) have been scanned
Scan process 'guardgui.exe' - '0' Module(s) have been scanned
Scan process 'guardgui.exe' - '0' Module(s) have been scanned
Scan process 'guardgui.exe' - '0' Module(s) have been scanned
Scan process 'guardgui.exe' - '0' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'WkCalRem.exe' - '1' Module(s) have been scanned
Scan process 'TeaTimer.exe' - '1' Module(s) have been scanned
Scan process 'rundll32.exe' - '1' Module(s) have been scanned
Scan process 'jusched.exe' - '1' Module(s) have been scanned
Scan process 'wuauclt.exe' - '1' Module(s) have been scanned
Scan process 'GWMDMMSG.exe' - '1' Module(s) have been scanned
Scan process 'mHotkey.exe' - '1' Module(s) have been scanned
Scan process 'rundll32.exe' - '1' Module(s) have been scanned
Scan process 'explorer.exe' - '1' Module(s) have been scanned
Scan process 'wuauclt.exe' - '1' Module(s) have been scanned
Scan process 'nvsvc32.exe' - '1' Module(s) have been scanned
Scan process 'NMSSvc.Exe' - '1' Module(s) have been scanned
Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
Scan process 'aawservice.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned
30 processes with 30 modules were scanned

Start scanning boot sectors:
Boot sector 'C:\'
[NOTE] No virus was found!

Starting to scan the registry.
C:\WINDOWS\SYSTEM32\vyancceu.dll
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[WARNING] The file could not be deleted!
C:\WINDOWS\SYSTEM32\vyancceu.dll
[DETECTION] Is the Trojan horse TR/Vundo.Gen

The registry was scanned ( '33' files ).


Starting the file scan:

Begin scan in 'C:\'
C:\hiberfil.sys
[WARNING] The file could not be opened!
C:\pagefile.sys
[WARNING] The file could not be opened!
C:\Documents and Settings\Airport\Local Settings\Temporary Internet Files\Content.IE5\6SMRSE24\ptch[1]
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[INFO] The file was deleted!
C:\Documents and Settings\Airport\Local Settings\Temporary Internet Files\Content.IE5\CXA9YN65\CASLIPJS.htm
[DETECTION] Contains detection pattern of the HTML script virus HTML/Infected.WebPage.Gen
[WARNING] An error has occurred and the file was not deleted. ErrorID: 16004
[WARNING] The source file could not be found.
C:\Documents and Settings\Airport\Local Settings\Temporary Internet Files\Content.IE5\CXA9YN65\webinst[1].cab
[0] Archive type: CAB (Microsoft)
--> webinst.dll
[DETECTION] Is the Trojan horse TR/Downloader.Gen
[WARNING] The file could not be deleted!
C:\Documents and Settings\Airport\Local Settings\Temporary Internet Files\Content.IE5\DQ72W3DV\CACV4FOJ.htm
[DETECTION] Contains detection pattern of the HTML script virus HTML/Infected.WebPage.Gen
[WARNING] An error has occurred and the file was not deleted. ErrorID: 16004
[WARNING] The source file could not be found.
C:\Documents and Settings\Airport\Local Settings\Temporary Internet Files\Content.IE5\DQ72W3DV\tr[1]
[DETECTION] Is the Trojan horse TR/Vundo.DWB
[INFO] The file was deleted!
C:\Documents and Settings\Airport\Local Settings\Temporary Internet Files\Content.IE5\DQ72W3DV\xpreload[1].ocx
[DETECTION] Is the Trojan horse TR/Dldr.VB.cdq
[INFO] The file was deleted!
C:\Documents and Settings\Airport\Local Settings\Temporary Internet Files\Content.IE5\MTIHSBCT\cmp638[1]
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[INFO] The file was deleted!
C:\Documents and Settings\Airport\Local Settings\Temporary Internet Files\Content.IE5\MTIHSBCT\xpre[1].chm
[0] Archive type: CHM
--> /page.htm
[DETECTION] Contains detection pattern of the HTML script virus HTML/Vebetract
--> /xpreload.ocx
[DETECTION] Is the Trojan horse TR/Dldr.VB.cdq
[WARNING] The file could not be deleted!
C:\Documents and Settings\Airport\Local Settings\Temporary Internet Files\Content.IE5\V4J2G1J9\hctp[1]
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[INFO] The file was deleted!
C:\Documents and Settings\Airport\Local Settings\Temporary Internet Files\Content.IE5\V4J2G1J9\snapsnet[1].exe
[DETECTION] Contains detection pattern of the dropper DR/Dldr.VB.caw.4
[INFO] The file was deleted!
C:\Documents and Settings\Airport\Local Settings\Temporary Internet Files\Content.IE5\XNQHCSOI\CAYFABIT.php
[DETECTION] Contains detection pattern of the HTML script virus HTML/Infected.WebPage.Gen
[INFO] The file was moved to '482188cf.qua'!
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinSmallazl.zip
[DETECTION] Contains suspicious code GEN/PwdZIP
[INFO] The file was moved to '48368953.qua'!
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinSmallazl2.zip
[DETECTION] Contains suspicious code GEN/PwdZIP
[INFO] The file was moved to '495b8444.qua'!
C:\System Volume Information\_restore{1536FC13-E172-47EA-ABF3-40B443C9C015}\RP13\A0000208.exe
[DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
[INFO] The file was deleted!
C:\System Volume Information\_restore{1536FC13-E172-47EA-ABF3-40B443C9C015}\RP14\A0000216.exe
[DETECTION] Contains detection pattern of the dropper DR/PurityScan.GP
[INFO] The file was deleted!
C:\System Volume Information\_restore{1536FC13-E172-47EA-ABF3-40B443C9C015}\RP14\A0000217.exe
[DETECTION] Is the Trojan horse TR/Dldr.Purity.BV.7
[INFO] The file was deleted!
C:\System Volume Information\_restore{1536FC13-E172-47EA-ABF3-40B443C9C015}\RP16\A0000303.exe
[DETECTION] Is the Trojan horse TR/Dldr.VB.caw.6
[INFO] The file was deleted!
C:\System Volume Information\_restore{1536FC13-E172-47EA-ABF3-40B443C9C015}\RP16\A0000305.exe
[DETECTION] Contains detection pattern of the dropper DR/TTC.D
[INFO] The file was deleted!
C:\System Volume Information\_restore{1536FC13-E172-47EA-ABF3-40B443C9C015}\RP16\A0000308.exe
[DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
[INFO] The file was deleted!
C:\System Volume Information\_restore{1536FC13-E172-47EA-ABF3-40B443C9C015}\RP16\A0000309.exe
[DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
[INFO] The file was deleted!
C:\System Volume Information\_restore{1536FC13-E172-47EA-ABF3-40B443C9C015}\RP16\A0000310.exe
[DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
[INFO] The file was deleted!
C:\System Volume Information\_restore{1536FC13-E172-47EA-ABF3-40B443C9C015}\RP16\A0000333.exe
[DETECTION] Contains detection pattern of the dropper DR/PurityScan.GP
[INFO] The file was deleted!
C:\System Volume Information\_restore{1536FC13-E172-47EA-ABF3-40B443C9C015}\RP16\A0000334.exe
[DETECTION] Is the Trojan horse TR/Dldr.Purity.BV.7
[INFO] The file was deleted!
C:\System Volume Information\_restore{1536FC13-E172-47EA-ABF3-40B443C9C015}\RP16\A0000336.exe
[DETECTION] Is the Trojan horse TR/Dldr.PurityScan.FJ
[INFO] The file was deleted!
C:\System Volume Information\_restore{1536FC13-E172-47EA-ABF3-40B443C9C015}\RP29\A0000993.vbs
[DETECTION] Is the Trojan horse TR/Small.WY
[INFO] The file was deleted!
C:\System Volume Information\_restore{1536FC13-E172-47EA-ABF3-40B443C9C015}\RP29\A0000996.exe
[DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
[INFO] The file was deleted!
C:\System Volume Information\_restore{1536FC13-E172-47EA-ABF3-40B443C9C015}\RP29\A0000997.exe
[DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
[INFO] The file was deleted!
C:\System Volume Information\_restore{1536FC13-E172-47EA-ABF3-40B443C9C015}\RP30\A0001048.dll
[DETECTION] Contains detection pattern of the Windows virus W95/Blumblebee.1738
[INFO] The file was deleted!
C:\System Volume Information\_restore{1536FC13-E172-47EA-ABF3-40B443C9C015}\RP30\A0001082.dll
[DETECTION] Is the Trojan horse TR/Vundo.DWB
[INFO] The file was deleted!
C:\System Volume Information\_restore{1536FC13-E172-47EA-ABF3-40B443C9C015}\RP30\A0001105.dll
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[INFO] The file was deleted!
C:\System Volume Information\_restore{1536FC13-E172-47EA-ABF3-40B443C9C015}\RP39\A0007182.reg
[DETECTION] Contains detection pattern of the HTML script virus HTML/Exploit.Mhtml
[INFO] The file was deleted!
C:\System Volume Information\_restore{1536FC13-E172-47EA-ABF3-40B443C9C015}\RP40\A0007209.reg
[DETECTION] Contains detection pattern of the HTML script virus HTML/Exploit.Mhtml
[INFO] The file was deleted!
C:\WINDOWS\Downloaded Program Files\xpreload.ocx
[DETECTION] Is the Trojan horse TR/Dldr.VB.cdq
[INFO] The file was deleted!
C:\WINDOWS\Downloaded Program Files\CONFLICT.1\xpreload.ocx
[DETECTION] Is the Trojan horse TR/Dldr.VB.cdq
[INFO] The file was deleted!
C:\WINDOWS\SYSTEM32\aebngcke.dll
[DETECTION] Is the Trojan horse TR/Vundo.DWB
[INFO] The file was deleted!
C:\WINDOWS\SYSTEM32\mljgh.dll
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[WARNING] The file could not be deleted!
C:\WINDOWS\SYSTEM32\mqpowvqt.dll
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[INFO] The file was deleted!
C:\WINDOWS\SYSTEM32\vyancceu.dll
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[WARNING] The file could not be deleted!
C:\WINDOWS\SYSTEM32\c4\np89104.exe
[DETECTION] Contains detection pattern of the dropper DR/TTC.D
[INFO] The file was deleted!
C:\WINDOWS\SYSTEM32\drivers\symc8xxx.sys
[WARNING] The file could not be opened!
C:\WINDOWS\SYSTEM32\iDlo01\iDlo011065.exe
[DETECTION] Is the Trojan horse TR/Dldr.VB.caw.6
[INFO] The file was deleted!


End of the scan: Friday, February 29, 2008 17:55
Used time: 26:58 min

The scan has been done completely.

1756 Scanning directories
151588 Files were scanned
37 viruses and/or unwanted programs were found
5 Files were classified as suspicious:
31 files were deleted
0 files were repaired
3 files were moved to quarantine
0 files were renamed
3 Files cannot be scanned
151551 Files not concerned
6268 Archives were scanned
10 Warnings
1 Notes

And the new HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:25:25 PM, on 2/29/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\WINDOWS\mHotkey.exe
C:\WINDOWS\GWMDMMSG.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bowlingball.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.bestbuy.msn.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.bestbuy.msn.com/
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [{59-9A-A4-40-DW}] C:\WINDOWS\SYSTEM32\r2\renabcom4.exe DWram
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [f0a59aef] rundll32.exe "C:\WINDOWS\System32\eptfhqhp.dll",b
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [BMf396a973] Rundll32.exe "C:\WINDOWS\System32\vyancceu.dll",s
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Spark] C:\Program Files\Spark\Spark.exe
O4 - HKCU\..\Run: [WebBuying] C:\Program Files\Web Buying\v1.8.8\webbuying.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [IESet] IExplorer.dll .dbt (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [IESet] IExplorer.dll .dbt (User 'Default user')
O4 - Startup: DW_Start.lnk = C:\WINDOWS\SYSTEM32\r2\renabcom4.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O14 - IERESET.INF: START_PAGE_URL=http://www.bestbuy.msn.com
O16 - DPF: {343CE214-9998-4B21-A151-FFE970167297} - http://xscanner.spyshredderscanner.com/setup/webinst.cab
O16 - DPF: {50BD5CDA-4BA8-4048-8FAA-763F222E41D8} - ms-its:mhtml:file://c:\\nores.mht!http://adxanet.net/code/chm/xpre.chm::/xpreload.ocx
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe

--
End of file - 4282 bytes

#4 miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 29 February 2008 - 06:30 PM

Hi,

Now for the next step..

I see you are running TeaTimer.
I suggest you disable it, because it can interfere with the changes you'll make on your system.
When everything is done and your log is clean again, you can enable it again.
If TeaTimer gives you a warning afterwards that some changes were made, allow this instead of blocking it.
How to disable TeaTimer <== click me for instructions.
After you have disabled TeaTimer, download ResetTeaTimer.bat to your desktop. (In case you use Firefox, right-click the link and choose "Save As".)
Double-click ResetTeaTimer.bat and let it run.
This will only take a few seconds.

Then, please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

This includes installing the Windows XP Recovery Console in case you have not installed it yet.

Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.

#5 Goodspeed742

  • Topic Starter

  • Members
  • 4 posts

Posted 29 February 2008 - 06:57 PM

ComboFix 08-03-01 - Airport 2008-02-29 18:41:38.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.288 [GMT -5:00]
Running from: C:\Documents and Settings\Airport\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Airport\My Documents\FNTS~1
C:\Documents and Settings\Airport\Start Menu\Programs\Startup\DW_Start.lnk
C:\Program Files\ComPlus Applications\lipawohop89104.dll
C:\Program Files\racle~1
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\temp\tn3
C:\WINDOWS\cookies.ini
C:\WINDOWS\dobe~1
C:\WINDOWS\Downloaded Program Files\UGA6P_0001_N122M0611NetInstaller.exe
C:\WINDOWS\ssembl~1
C:\WINDOWS\system32\agoskrw.dll
C:\WINDOWS\system32\awtussr.dll
C:\WINDOWS\system32\byxwuro.dll
C:\WINDOWS\system32\c2
C:\WINDOWS\system32\c4
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\drivers\symc8xxx.sys
C:\WINDOWS\system32\explorer.exe
C:\WINDOWS\SYSTEM32\hgjlm.ini
C:\WINDOWS\SYSTEM32\hgjlm.ini2
C:\WINDOWS\system32\iexplorer.dll .dbt
C:\WINDOWS\system32\k8
C:\WINDOWS\system32\k8\ravecom3.exe
C:\WINDOWS\system32\khqhugtr.dllbox
C:\WINDOWS\system32\ljjgged.dll
C:\WINDOWS\system32\mljgh.dll
C:\WINDOWS\system32\msnav32.ax
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\SYSTEM32\phqhftpe.ini
C:\WINDOWS\system32\r2
C:\WINDOWS\system32\s7
C:\WINDOWS\system32\s7\gbsu011.exe
C:\WINDOWS\system32\urqpqrp.dll
C:\WINDOWS\system32\x3

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_CMDSERVICE
-------\LEGACY_NETWORK_MONITOR
-------\LEGACY_SYMC8XXX
-------\symc8xxx


((((((((((((((((((((((((( Files Created from 2008-02-01 to 2008-03-01 )))))))))))))))))))))))))))))))
.

2008-02-29 17:21 . 2008-02-29 17:21 <DIR> d-------- C:\Program Files\Avira
2008-02-29 17:21 . 2008-02-29 17:21 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avira
2008-02-29 16:23 . 2008-02-29 16:23 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2008-02-29 16:23 . 2008-02-29 16:23 <DIR> d-------- C:\WINDOWS\ehome
2008-02-29 16:18 . 2002-08-29 05:40 1,180,672 --a------ C:\WINDOWS\SYSTEM32\d3d8.dll
2008-02-29 16:16 . 2004-08-04 00:31 169,984 --a------ C:\WINDOWS\SYSTEM32\sccbase.dll
2008-02-29 16:16 . 2004-07-17 13:34 67,866 --------- C:\WINDOWS\SYSTEM32\drivers\netwlan5.img
2008-02-29 16:16 . 2004-07-17 13:48 66,082 --------- C:\WINDOWS\SYSTEM32\c_28603.nls
2008-02-29 16:16 . 2004-08-04 00:46 42,537 --a------ C:\WINDOWS\SYSTEM32\keyboard.sys
2008-02-29 16:16 . 2004-08-04 00:22 929 --a------ C:\WINDOWS\SYSTEM32\homepage.inf
2008-02-29 15:05 . 2008-02-29 15:05 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-29 14:20 . 2008-02-29 14:20 <DIR> d-------- C:\Program Files\Sygate
2008-02-29 14:20 . 2004-10-15 18:32 83,096 --a------ C:\WINDOWS\SYSTEM32\SSSensor.dll
2008-02-29 14:20 . 2004-10-15 18:17 60,496 --a------ C:\WINDOWS\SYSTEM32\drivers\Teefer.sys
2008-02-29 14:20 . 2004-10-15 18:18 21,075 --a------ C:\WINDOWS\SYSTEM32\drivers\wpsdrvnt.sys
2008-02-29 14:20 . 2004-10-15 18:32 14,568 --a------ C:\WINDOWS\SYSTEM32\drivers\wg6n.sys
2008-02-29 14:20 . 2004-10-15 18:32 14,568 --a------ C:\WINDOWS\SYSTEM32\drivers\wg5n.sys
2008-02-29 14:20 . 2004-10-15 18:32 14,568 --a------ C:\WINDOWS\SYSTEM32\drivers\wg4n.sys
2008-02-29 14:20 . 2004-10-15 18:32 14,568 --a------ C:\WINDOWS\SYSTEM32\drivers\wg3n.sys
2008-02-29 13:41 . 2007-06-08 09:44 8,576 --a------ C:\WINDOWS\SYSTEM32\drivers\qlvlthyfavyi.sys
2008-02-29 13:26 . 2008-02-29 13:26 2,550 --a------ C:\WINDOWS\SYSTEM32\Uninstall.ico
2008-02-29 13:26 . 2008-02-29 13:26 1,406 --a------ C:\WINDOWS\SYSTEM32\Help.ico
2008-02-29 13:23 . 2008-02-29 13:23 26,048 --a------ C:\WINDOWS\SYSTEM32\pmnklif.dll
2008-02-29 00:52 . 2008-02-29 17:24 22 --a------ C:\WINDOWS\pskt.ini
2008-02-28 19:45 . 2008-02-29 13:17 405 --a------ C:\WINDOWS\wininit.ini
2008-02-28 19:09 . 2008-02-29 18:37 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-02-28 19:09 . 2008-02-29 18:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-28 17:25 . 2004-03-10 12:59 593,408 --------- C:\WINDOWS\SYSTEM32\xpsp2res.dll
2008-02-28 17:24 . 2002-09-25 15:18 316,928 --a------ C:\WINDOWS\SYSTEM32\zipfldr.dll
2008-02-28 17:22 . 2003-01-10 14:43 143,872 --a------ C:\WINDOWS\SYSTEM32\itircl.dll
2008-02-28 17:22 . 2003-01-10 14:43 122,368 --a------ C:\WINDOWS\SYSTEM32\itss.dll
2008-02-28 17:22 . 2002-12-03 18:50 68,608 --a------ C:\WINDOWS\SYSTEM32\locator.exe
2008-02-28 17:22 . 2002-12-03 18:50 68,608 --a------ C:\WINDOWS\SYSTEM32\dllcache\locator.exe
2008-02-28 17:22 . 2003-01-10 14:43 37,888 --a------ C:\WINDOWS\SYSTEM32\hhsetup.dll
2008-02-28 17:22 . 2002-12-17 17:43 10,752 --a------ C:\WINDOWS\hh.exe
2008-02-28 17:20 . 2002-11-14 15:50 226,816 --a------ C:\WINDOWS\SYSTEM32\srrstr.dll
2008-02-28 17:19 . 2008-02-28 17:26 <DIR> d--h-c--- C:\WINDOWS\$xpsp1hfm$
2008-02-28 17:19 . 2002-09-30 10:58 125,440 --a------ C:\WINDOWS\SYSTEM32\shmedia.dll
2008-02-28 17:19 . 2002-09-30 10:58 125,440 --a------ C:\WINDOWS\SYSTEM32\dllcache\shmedia.dll
2008-02-28 17:19 . 2004-01-10 00:11 26,112 --a------ C:\WINDOWS\SYSTEM32\xpsp1hfm.exe
2008-02-28 17:01 . 2008-02-28 17:01 <DIR> d-------- C:\Documents and Settings\Airport\.housecall6.6
2008-02-28 17:00 . 2008-02-28 17:00 <DIR> d-------- C:\WINDOWS\Sun
2008-02-28 17:00 . 2008-02-28 17:00 <DIR> d-------- C:\Program Files\Java
2008-02-28 17:00 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\SYSTEM32\javacpl.cpl
2008-02-28 16:59 . 2008-02-28 16:59 <DIR> d-------- C:\Program Files\Common Files\Java
2008-02-28 14:41 . 2008-02-28 14:41 <DIR> d-------- C:\Temp\sanR24
2008-02-28 14:36 . 2008-02-28 18:36 40,960 --a------ C:\WINDOWS\SYSTEM32\f4dgd.exe
2008-02-28 14:36 . 2008-02-28 18:36 40,960 --a------ C:\WINDOWS\fghtuernfg56nvd.exe
2008-02-28 14:36 . 2008-02-29 15:08 20,480 --a------ C:\WINDOWS\quit.exe
2008-02-28 13:14 . 2008-02-28 13:14 <DIR> d---s---- C:\WINDOWS\SYSTEM32\Microsoft
2008-02-28 13:14 . 2008-02-28 13:14 <DIR> d-------- C:\Program Files\Lavasoft
2008-02-28 13:14 . 2008-02-28 13:14 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-02-28 13:13 . 2008-02-28 13:13 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-02-28 12:43 . 2008-02-28 17:09 <DIR> d--hs---- C:\WINDOWS\Sm9obiBDb25nZG9u
2008-02-28 12:43 . 2008-02-28 19:45 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Rabio
2008-02-28 12:42 . 2008-02-29 17:54 <DIR> d-------- C:\WINDOWS\SYSTEM32\iDlo01
2008-02-28 12:42 . 2008-03-01 18:41 <DIR> d-------- C:\Temp
2008-02-20 13:18 . 2008-02-20 13:18 <DIR> d-------- C:\WINDOWS\SYSTEM32\bits
2008-02-20 12:47 . 2004-07-01 17:08 361,984 --------- C:\WINDOWS\SYSTEM32\dllcache\qmgr.dll
2008-02-20 12:47 . 2004-07-01 17:08 331,776 --a------ C:\WINDOWS\SYSTEM32\winhttp.dll
2008-02-20 12:47 . 2004-06-30 18:59 158,720 --------- C:\WINDOWS\SYSTEM32\xpob2res.dll
2008-02-20 12:47 . 2004-07-01 17:08 17,408 --a------ C:\WINDOWS\SYSTEM32\qmgrprxy.dll
2008-02-20 12:47 . 2004-07-01 17:08 17,408 --a------ C:\WINDOWS\SYSTEM32\dllcache\qmgrprxy.dll
2008-02-20 12:47 . 2004-07-01 17:08 7,680 --------- C:\WINDOWS\SYSTEM32\dllcache\bitsprx2.dll
2008-02-20 12:47 . 2004-07-01 17:08 7,680 --------- C:\WINDOWS\SYSTEM32\bitsprx2.dll
2008-02-20 12:47 . 2004-07-01 17:08 7,168 --------- C:\WINDOWS\SYSTEM32\dllcache\bitsprx3.dll
2008-02-20 12:47 . 2004-07-01 17:08 7,168 --------- C:\WINDOWS\SYSTEM32\bitsprx3.dll
2008-02-20 12:44 . 2007-07-30 19:19 549,720 --a------ C:\WINDOWS\SYSTEM32\wuapi.dll
2008-02-20 12:44 . 2007-07-30 19:19 325,976 --a------ C:\WINDOWS\SYSTEM32\wucltui.dll
2008-02-20 12:44 . 2007-07-30 19:19 216,408 --a------ C:\WINDOWS\SYSTEM32\wuaucpl.cpl
2008-02-20 12:44 . 2007-07-30 19:19 203,096 --a------ C:\WINDOWS\SYSTEM32\wuweb.dll
2008-02-20 12:44 . 2004-08-03 14:03 186,136 --a------ C:\WINDOWS\SYSTEM32\wuaueng1.dll
2008-02-20 12:44 . 2004-08-03 14:01 167,704 --a------ C:\WINDOWS\SYSTEM32\wuauclt1.exe
2008-02-20 12:44 . 2007-07-30 19:18 33,624 --a------ C:\WINDOWS\SYSTEM32\wups.dll
2008-02-20 12:41 . 2008-02-20 12:41 <DIR> d---s---- C:\Documents and Settings\Airport\UserData
2008-02-19 22:53 . 2002-05-28 23:27 <DIR> d-------- C:\Documents and Settings\Airport\WINDOWS
2008-02-19 22:12 . 2002-05-28 23:27 <DIR> d-------- C:\WINDOWS\SYSTEM32\config\systemprofile\WINDOWS
2008-02-19 22:12 . 2002-05-28 23:27 <DIR> d-------- C:\Documents and Settings\Default User\WINDOWS
2008-02-19 21:41 . 2004-08-04 00:31 36,224 --a------ C:\WINDOWS\SYSTEM32\drivers\an983.sys
2008-02-19 21:40 . 2008-02-19 21:40 8,192 --a------ C:\WINDOWS\REGLOCS.OLD
2008-02-19 21:35 . 2002-04-03 14:13 13,107,200 --a------ C:\WINDOWS\SYSTEM32\oembios.bin
2008-02-19 21:34 . 2001-08-18 06:00 2,028,032 --a--c--- C:\WINDOWS\SYSTEM32\dllcache\cdosys.dll
2008-02-19 21:33 . 2008-02-19 21:36 <DIR> d-------- C:\WINDOWS\I386
2008-02-19 21:32 . 2008-02-29 16:28 <DIR> dr-hs---- C:\WINDOWS\SYSTEM32\dllcache
2008-02-19 21:32 . 2008-03-01 18:41 <DIR> dr------- C:\Program Files
2008-02-19 21:32 . 2008-02-19 21:33 <DIR> dr------- C:\Documents and Settings\All Users\Documents
2008-02-19 18:03 . 2001-08-17 22:36 171,008 --a------ C:\WINDOWS\SYSTEM32\LXAESUI.DLL
2008-02-19 18:02 . 2008-02-19 18:02 <DIR> d-------- C:\LXKZ35
2008-02-19 17:57 . 2004-08-03 14:04 185,624 --a------ C:\WINDOWS\SYSTEM32\iuengine.dll
2008-02-19 17:57 . 2004-08-03 14:04 185,624 --a------ C:\WINDOWS\SYSTEM32\dllcache\iuengine.dll
2008-02-19 17:54 . 2002-08-29 03:50 24,960 --a------ C:\WINDOWS\SYSTEM32\drivers\usbprint.sys
2008-02-19 17:54 . 2001-08-17 13:48 12,160 --a------ C:\WINDOWS\SYSTEM32\drivers\mouhid.sys
2008-02-19 17:54 . 2001-08-17 13:48 12,160 --a------ C:\WINDOWS\SYSTEM32\dllcache\mouhid.sys
2008-02-19 17:54 . 2001-08-17 14:02 9,600 --a------ C:\WINDOWS\SYSTEM32\drivers\hidusb.sys
2008-02-19 17:54 . 2001-08-17 14:02 9,600 --a------ C:\WINDOWS\SYSTEM32\dllcache\hidusb.sys
2008-02-19 16:52 . 2008-02-19 16:52 <DIR> d-------- C:\Documents and Settings\Airport\.jmf
2008-02-19 16:51 . 2008-02-29 14:05 <DIR> d-------- C:\Program Files\Spark
2008-02-19 16:51 . 2008-02-21 13:39 <DIR> d-------- C:\Documents and Settings\Airport\Spark
2008-02-19 16:26 . 2008-02-28 17:07 1,279 --a------ C:\WINDOWS\mozver.dat
2008-02-19 16:22 . 2008-02-19 16:22 0 --a------ C:\WINDOWS\nsreg.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-28 18:32 --------- d-----w C:\Program Files\BestBuy
2005-07-29 21:24 472 --sha-r C:\WINDOWS\Sm9obiBDb25nZG9u\mA6Cv21GvZcBt36R.vbs
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ef3197f6-bd23-4b03-812e-822a10cf02cf}]
C:\WINDOWS\System32\mqpowvqt.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2002-08-29 05:41 1511453]
"Spark"="C:\Program Files\Spark\Spark.exe" [2007-11-14 12:52 434176]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="NvQTwk" []
"nwiz"="nwiz.exe" [2002-07-16 21:16 372736 C:\WINDOWS\SYSTEM32\nwiz.exe]
"WorksFUD"="C:\Program Files\Microsoft Works\wkfud.exe" [2000-07-13 22:00 24576]
"Microsoft Works Portfolio"="C:\Program Files\Microsoft Works\WksSb.exe" [2000-07-13 22:00 311350]
"Microsoft Works Update Detection"="C:\Program Files\Microsoft Works\WkDetect.exe" [2000-07-13 22:00 28739]
"CHotkey"="mHotkey.exe" [2002-01-17 14:54 479744 C:\WINDOWS\mHotkey.exe]
"GWMDMMSG"="GWMDMMSG.exe" [2002-03-28 17:55 101611 C:\WINDOWS\GWMDMMSG.exe]
"{59-9A-A4-40-DW}"="C:\WINDOWS\SYSTEM32\r2\renabcom4.exe" [ ]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"SmcService"="C:\PROGRA~1\Sygate\SPF\smc.exe" [2004-10-15 19:40 2577632]
"f0a59aef"="C:\WINDOWS\System32\eptfhqhp.dll" [ ]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-02-29 17:26 249896]
"BMf396a973"="C:\WINDOWS\System32\vyancceu.dll" [ ]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Works Calendar Reminders.lnk - C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe [2000-07-13 22:00:00 24633]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\khqhugtr]
khqhugtr.dll

R0 avgntmgr;avgntmgr;C:\WINDOWS\System32\DRIVERS\avgntmgr.sys [2007-07-18 14:22]
R0 fasttrak;fasttrak;C:\WINDOWS\System32\DRIVERS\fasttrak.sys [2002-05-12 19:26]
R0 hpt3xx;hpt3xx;C:\WINDOWS\System32\DRIVERS\hpt3xx.sys [2001-08-17 15:52]
R1 avgntdd;avgntdd;C:\WINDOWS\System32\DRIVERS\avgntdd.sys [2007-08-09 13:04]
R2 NMSSvc;Intel® NMS;C:\WINDOWS\System32\NMSSvc.exe [2002-03-04 19:35]
R3 AN983;ADMtek AN983/AN985/ADM951X 10/100Mbps Fast Ethernet Adapter;C:\WINDOWS\System32\DRIVERS\AN983.sys [2004-08-04 00:31]
R3 NMSCFG;NIC Management Service Configuration Driver;C:\WINDOWS\System32\drivers\NMSCFG.SYS [2002-03-04 19:35]

*Newly Created Service* - ALG
*Newly Created Service* - IPNAT
*Newly Created Service* - NMSCFG
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-01 18:46:38
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\RUNDLL32.EXE
.
**************************************************************************
.
Completion time: 2008-03-01 18:47:53 - machine was rebooted
ComboFix-quarantined-files.txt 2008-03-01 23:47:44
.
2008-02-28 23:55:09 --- E O F ---

-----------------------------------------------------------------------------------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:57:03 PM, on 3/1/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\System32\NMSSvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\WINDOWS\mHotkey.exe
C:\WINDOWS\GWMDMMSG.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bowlingball.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.bestbuy.msn.com/
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: {fc20fc01-a228-e218-30b4-32db6f7913fe} - {ef3197f6-bd23-4b03-812e-822a10cf02cf} - C:\WINDOWS\System32\mqpowvqt.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [{59-9A-A4-40-DW}] C:\WINDOWS\SYSTEM32\r2\renabcom4.exe DWram
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [f0a59aef] rundll32.exe "C:\WINDOWS\System32\eptfhqhp.dll",b
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [BMf396a973] Rundll32.exe "C:\WINDOWS\System32\vyancceu.dll",s
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Spark] C:\Program Files\Spark\Spark.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O14 - IERESET.INF: START_PAGE_URL=http://www.bestbuy.msn.com
O16 - DPF: {343CE214-9998-4B21-A151-FFE970167297} - http://xscanner.spyshredderscanner.com/setup/webinst.cab
O16 - DPF: {50BD5CDA-4BA8-4048-8FAA-763F222E41D8} - ms-its:mhtml:file://c:\\nores.mht!http://adxanet.net/code/chm/xpre.chm::/xpreload.ocx
O20 - Winlogon Notify: khqhugtr - khqhugtr.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe

--
End of file - 4409 bytes

#6 miekiemoes (Malware Killer Dog, Malware Response Team, 19,420 posts, Belgium)

Posted 29 February 2008 - 07:11 PM

Hi,

WARNING - THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

The first step required before you run Combofix is to install the Recovery Console.
Read here how to do this with Combofix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

The reason why Recovery Console is recommended is because malware damages a lot and causes an unstable system - and because of that, it may happen that your computer won't be able to boot anymore. With the Recovery Console installed, there are extra options present to repair whatever malware damaged. Also, even though you're not infected, the presence of the Recovery Console is a useful feature in case a computer won't boot anymore because of several other reasons. Read here what you can do with the Recovery Console.

Extra note: After you have installed the Recovery Console - if you reboot your computer, right after reboot, you'll see the option for the Recovery Console now as well.
Don't select to run the Recovery Console as we don't need it.
By default, your main OS is selected there. The screen stays for 2 seconds and then it proceeds to load Windows.

Then, open Notepad - don't use any other text editor than Notepad or the script will fail.
Copy/paste the text in the quotebox below into notepad:

File::
C:\WINDOWS\SYSTEM32\drivers\qlvlthyfavyi.sys
C:\WINDOWS\SYSTEM32\pmnklif.dll
C:\WINDOWS\pskt.ini
C:\WINDOWS\SYSTEM32\f4dgd.exe
C:\WINDOWS\fghtuernfg56nvd.exe
C:\WINDOWS\quit.exe
Folder::
C:\Temp\sanR24
C:\WINDOWS\Sm9obiBDb25nZG9u
C:\Documents and Settings\All Users\Application Data\Rabio
C:\WINDOWS\SYSTEM32\iDlo01
Registry::
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{343CE214-9998-4B21-A151-FFE970167297}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{50BD5CDA-4BA8-4048-8FAA-763F222E41D8}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ef3197f6-bd23-4b03-812e-822a10cf02cf}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"{59-9A-A4-40-DW}"=-
"f0a59aef"=-
"BMf396a973"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\khqhugtr]


Save this as a txt file named CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

[Screenshot: the CFScript file being dragged onto ComboFix.exe]

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
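The CFScript above lists files, folders and registry entries that all appear in the ComboFix log posted earlier in the thread. As an added example (editor-written, not code from the thread or from ComboFix itself), the following Python script parses a CFScript into its File::, Folder:: and Registry:: sections, reads the ComboFix "new files" and "Reg Loading Points" lines, and checks that every path and Run value the script would remove is one the log actually shows. The section names and the REGEDIT4-style `[-KEY]` / `"name"=-` deletion syntax follow the script posted above; the log lines and script entries embedded below are copied from this thread. The meaning given to an empty `[ ]` (ComboFix recorded no timestamp or size for the target) is inferred from the log lines themselves.

```python
"""Added example, not from the thread or from ComboFix: parse a CFScript and
cross-check it against the ComboFix log it was written from, so the cleanup
script only names artifacts the log actually shows. Section names (File::,
Folder::, Registry::) and REGEDIT4-style deletions follow the script posted in
the thread; the log lines and script entries below are copied from it."""
import re

# ComboFix log excerpt from the thread: new-files list plus the HKLM Run key.
COMBOFIX_LOG = r"""
2008-02-29 13:41 . 2007-06-08 09:44 8,576 --a------ C:\WINDOWS\SYSTEM32\drivers\qlvlthyfavyi.sys
2008-02-29 13:23 . 2008-02-29 13:23 26,048 --a------ C:\WINDOWS\SYSTEM32\pmnklif.dll
2008-02-28 14:41 . 2008-02-28 14:41 <DIR> d-------- C:\Temp\sanR24
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nwiz"="nwiz.exe" [2002-07-16 21:16 372736 C:\WINDOWS\SYSTEM32\nwiz.exe]
"{59-9A-A4-40-DW}"="C:\WINDOWS\SYSTEM32\r2\renabcom4.exe" [ ]
"f0a59aef"="C:\WINDOWS\System32\eptfhqhp.dll" [ ]
"BMf396a973"="C:\WINDOWS\System32\vyancceu.dll" [ ]
"""

# The thread's CFScript, reduced to the entries covered by the excerpt above.
CFSCRIPT = r"""
File::
C:\WINDOWS\SYSTEM32\drivers\qlvlthyfavyi.sys
C:\WINDOWS\SYSTEM32\pmnklif.dll
Folder::
C:\Temp\sanR24
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ef3197f6-bd23-4b03-812e-822a10cf02cf}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"{59-9A-A4-40-DW}"=-
"f0a59aef"=-
"BMf396a973"=-
"""

# "date . date size attrs path" lines of the ComboFix new-files listing.
LOG_LINE = re.compile(r"^\d{4}-\d\d-\d\d \d\d:\d\d \. \d{4}-\d\d-\d\d \d\d:\d\d \S+ \S+ (.+)$")
# '"name"="target" [file info]' lines of the Reg Loading Points section.
REG_VALUE = re.compile(r'^"([^"]+)"="([^"]*)"\s*\[(.*)\]\s*$')


def parse_cfscript(text):
    """Split a CFScript into {'File': [...], 'Folder': [...], 'Registry': [...]}."""
    sections, current = {}, None
    for line in (raw.strip() for raw in text.splitlines() if raw.strip()):
        header = re.fullmatch(r"(\w+)::", line)
        if header:
            current = header.group(1)
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def parse_run_entries(log):
    """Map value name -> (target, has_file_info) for values under a Run key.
    ComboFix prints the target's timestamp and size in brackets; an empty
    '[ ]' means it recorded no file information for that target."""
    entries, in_run = {}, False
    for line in log.splitlines():
        if line.startswith("[") and line.endswith("]"):
            in_run = line[1:-1].lower().endswith(r"\run")
            continue
        m = REG_VALUE.match(line)
        if in_run and m:
            name, target, info = m.groups()
            entries[name] = (target, info.strip() != "")
    return entries


def parse_registry_deletions(lines):
    """REGEDIT4-style deletions: '[-KEY]' removes a key, '"name"=-' removes a
    value under the key most recently opened with '[KEY]'."""
    keys, values, current = [], [], None
    for line in lines:
        if line.startswith("[-") and line.endswith("]"):
            keys.append(line[2:-1])
            current = None
        elif line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
        elif re.fullmatch(r'"[^"]+"=-', line) and current is not None:
            values.append((current, line[1:-3]))
    return keys, values


def check_script(script, log):
    """Return problems found; [] means every File::/Folder:: path occurs in the
    log and every Run value to be deleted is one the log shows without file
    information, i.e. the entries the helper singled out."""
    sections = parse_cfscript(script)
    known = {m.group(1).strip().lower() for m in map(LOG_LINE.match, log.splitlines()) if m}
    run = parse_run_entries(log)
    problems = []
    for path in sections.get("File", []) + sections.get("Folder", []):
        if path.lower() not in known:
            problems.append(f"not in log: {path}")
    for key, name in parse_registry_deletions(sections.get("Registry", []))[1]:
        if not key.lower().endswith(r"\run"):
            continue
        if name not in run:
            problems.append(f"unknown Run value: {name}")
        elif run[name][1]:
            problems.append(f"Run value has file info, review before deleting: {name}")
    return problems
```

Calling `check_script(CFSCRIPT, COMBOFIX_LOG)` returns an empty list for the script as posted; a mistyped path or a deletion aimed at a Run value that ComboFix did record file information for (such as `nwiz`) comes back as a problem to review before the script is handed to ComboFix.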

#7 miekiemoes (Malware Killer Dog, Malware Response Team, 19,420 posts, Belgium)

Posted 17 March 2008 - 09:13 AM

Due to the lack of feedback, this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.



