Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Virtumonde.dll - Machine One


  • This topic is locked This topic is locked
15 replies to this topic

#1 mike_hudson

mike_hudson

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:04:04 AM

Posted 28 March 2008 - 02:33 PM

Hi,

I recently scanned a machine with spybot s&d and found virtumonde.dll. I thought I had managed to remove it by removing the offending .dll when in safe mode. Alas it was not as easy as that and the machine is now throwing up spybot warning after warning. It has propogated to another machine in my network, which has been hit far harder.
But I post the output of hijackthis on this machine that I think is the first infected:

Many thanks in advance for your help. I am away over the weekend unfortunately but will check back if I can.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:34:50 PM, on 28/03/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\basfipm.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZipm12.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\VERITAS\Backup Exec\RANT\beremote.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Apoint\HidFind.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
D:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\MSN Messenger\usnsvc.exe
D:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ninemsn.com.au/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www1.euro.dell.com/content/default....;l=en&s=gen
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www1.euro.dell.com/content/default....;l=en&s=gen
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - D:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - D:\Program Files\Techsmith\SnagItIEAddin.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [ShowLOMControl] 
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NVHotkey] rundll32.exe nvHotkey.dll,Start
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [CAPON] C:\WINDOWS\system32\Spool\Drivers\w32x86\3\CAPONN.EXE
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [BM6372aad3] Rundll32.exe "C:\WINDOWS\system32\lvgyieey.dll",s
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [SpybotSD TeaTimer] D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Acrobat Assistant.lnk = D:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Canon LBP-800 Status Window.LNK = C:\WINDOWS\system32\spool\drivers\w32x86\3\CAPPSWK.EXE
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Backup Exec Remote Agent for Windows Servers (BackupExecAgentAccelerator) - VERITAS Software Corporation - C:\Program Files\VERITAS\Backup Exec\RANT\beremote.exe
O23 - Service: Broadcom ASF IP monitoring service v6.0.4 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\system32\basfipm.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Iap - Dell Inc - C:\Program Files\Dell\OpenManage\Client\Iap.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: OpenVPN Service (OpenVPNService) - Unknown owner - C:\Program Files\OpenVPN\bin\openvpnserv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZipm12.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 8247 bytes

BC AdBot (Login to Remove)

 


m

#2 Rawe

Rawe

  • Members
  • 2,363 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Finland
  • Local time:06:04 AM

Posted 28 March 2008 - 02:52 PM

Hello and welcome to BleepingComputer :thumbsup:

While TeaTimer is an excellent tool for the prevention of spyware, it can sometimes prevent HijackThis from fixing certain things.
Please disable TeaTimer for now until you are clean. TeaTimer can be re-activated once we're finished.
  • Open Spybot Search & Destroy.
  • In the Mode menu click "Advanced mode" if not already selected.
  • Choose "Yes" at the Warning prompt.
  • Expand the "Tools" menu.
  • Click "Resident".
  • Uncheck the "Resident "TeaTimer" (Protection of overall system settings) active." box.
  • In the File menu click "Exit" to exit Spybot Search & Destroy.
When disabled, please download ResetTeaTimer.bat.
Double-click ResetTeaTimer.bat to remove all entries set by TeaTimer. This is done so it can be re-enabled without problems after cleaning.

And then..

Please download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES.
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • Please post the contents of C:\vundofix.txt and a fresh HiJackThis log.
Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.
Hi there, stranger!

#3 mike_hudson

mike_hudson
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:04:04 AM

Posted 28 March 2008 - 03:29 PM

thanks for such a prompt reply. will do on monday, for both machines

#4 Rawe

Rawe

  • Members
  • 2,363 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Finland
  • Local time:06:04 AM

Posted 28 March 2008 - 03:46 PM

Np. I'll be around. Sounds like a plan..

Vundofix will do for both machines, however I'd recommend waiting for a reply to your other topic before continuing from there on out. It's still going to get different directions due to small differences with the infections. :thumbsup:

Maybe also edit the original post in that other topic when you post the vundofix log, so it isn't bumped with a reply.
Hi there, stranger!

#5 mike_hudson

mike_hudson
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:04:04 AM

Posted 31 March 2008 - 04:59 AM

Np. I'll be around. Sounds like a plan..

Vundofix will do for both machines, however I'd recommend waiting for a reply to your other topic before continuing from there on out. It's still going to get different directions due to small differences with the infections. :thumbsup:

Maybe also edit the original post in that other topic when you post the vundofix log, so it isn't bumped with a reply.

ok - strangely vundo didn't find any problems. I rescanned with spybot and it can't find any problems either. Here is a fresh hjthis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:43:04 AM, on 31/03/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\Explorer.EXE
D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\basfipm.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Apoint\HidFind.exe
D:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZipm12.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\CAPPSWK.EXE
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\VERITAS\Backup Exec\RANT\beremote.exe
C:\Documents and Settings\Christopher Leonardi\Desktop\VundoFix.exe
C:\WINDOWS\system32\rundll32.exe
D:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\WINDOWS\system32\rundll32.exe
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ninemsn.com.au/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www1.euro.dell.com/content/default....;l=en&s=gen
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www1.euro.dell.com/content/default....;l=en&s=gen
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - D:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - D:\Program Files\Techsmith\SnagItIEAddin.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [ShowLOMControl] 
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NVHotkey] rundll32.exe nvHotkey.dll,Start
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [CAPON] C:\WINDOWS\system32\Spool\Drivers\w32x86\3\CAPONN.EXE
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [BM6372aad3] Rundll32.exe "C:\WINDOWS\system32\lvgyieey.dll",s
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\RunOnce: [SpybotDeletingB7825] command /c del "C:\WINDOWS\system32\lvgyieey.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD6937] cmd /c del "C:\WINDOWS\system32\lvgyieey.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingB6274] command /c del "C:\WINDOWS\system32\opnklklL.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD1276] cmd /c del "C:\WINDOWS\system32\opnklklL.dll_old"
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Acrobat Assistant.lnk = D:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Canon LBP-800 Status Window.LNK = C:\WINDOWS\system32\spool\drivers\w32x86\3\CAPPSWK.EXE
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Backup Exec Remote Agent for Windows Servers (BackupExecAgentAccelerator) - VERITAS Software Corporation - C:\Program Files\VERITAS\Backup Exec\RANT\beremote.exe
O23 - Service: Broadcom ASF IP monitoring service v6.0.4 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\system32\basfipm.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Iap - Dell Inc - C:\Program Files\Dell\OpenManage\Client\Iap.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: OpenVPN Service (OpenVPNService) - Unknown owner - C:\Program Files\OpenVPN\bin\openvpnserv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZipm12.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 8278 bytes


Many thanks again for your help. I Don't trust that this machine has suddenly cleared up over the weekend.

#6 Rawe

Rawe

  • Members
  • 2,363 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Finland
  • Local time:06:04 AM

Posted 31 March 2008 - 05:50 AM

Hi.

Nope, it definitely hasn't. VundoFix didn't recognize the files.

Please download Combofix to your desktop:
  • Double-click combofix.exe & follow the prompts.
  • When finished, it shall produce a log for you. Post that log in your next reply.
Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
Hi there, stranger!

#7 mike_hudson

mike_hudson
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:04:04 AM

Posted 31 March 2008 - 07:07 AM

thanks again. here is the combofix log:
ComboFix 08-03-30.3 - Christopher Leonardi 2008-03-31 12:49:18.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1512 [GMT 1:00]
Running from: C:\Documents and Settings\Christopher Leonardi\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\BM6372aad3.xml
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\BHggQqss.ini
C:\WINDOWS\system32\BHggQqss.ini2
C:\WINDOWS\system32\cbXoMfgH.dll
C:\WINDOWS\system32\cbXPfGvS.dll
C:\WINDOWS\system32\cbXRJATL.dll
C:\WINDOWS\system32\drivers\fad.sys
C:\WINDOWS\system32\Llklknpo.ini
C:\WINDOWS\system32\Llklknpo.ini2
C:\WINDOWS\system32\LTAJRXbc.ini
C:\WINDOWS\system32\LTAJRXbc.ini2
C:\WINDOWS\system32\qoMcdBtS.dll
C:\WINDOWS\system32\tuvuusRL.dll
C:\WINDOWS\system32\yISrsBeg.ini
C:\WINDOWS\system32\yISrsBeg.ini2

.
((((((((((((((((((((((((( Files Created from 2008-02-28 to 2008-03-31 )))))))))))))))))))))))))))))))
.

2008-03-31 09:35 . 2008-03-31 09:35 <DIR> d-------- C:\VundoFix Backups
2008-03-28 14:44 . 2008-03-28 15:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-03-28 14:39 . 2007-05-30 13:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-31 08:33 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg7
2008-03-28 13:39 --------- d-----w C:\Documents and Settings\All Users\Application Data\Grisoft
2008-03-27 12:10 --------- d-----w C:\Program Files\Java
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4DE5906B-8A76-4D73-BDF2-78FF1F0F67C0}]
C:\WINDOWS\system32\geBsrSIy.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A2C14336-B83B-4117-8349-C542F9B18806}]
C:\WINDOWS\system32\ssqQggHB.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A70189D3-9170-43E4-965B-9EC2C1B2C35A}]
C:\WINDOWS\system32\opnklklL.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-11-06 16:28 219136]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="C:\Program Files\Apoint\Apoint.exe" [2005-10-07 06:13 176128]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-03-22 23:32 7561216]
"nwiz"="nwiz.exe" [2006-03-22 23:32 1519616 C:\WINDOWS\system32\nwiz.exe]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 05:25 144784]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2004-10-30 14:59 385024]
"Dell QuickSet"="C:\Program Files\Dell\QuickSet\quickset.exe" [2005-12-15 10:44 839680]
"ShowLOMControl"="1 (0x1)" []
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 16:19 53248]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-12-06 01:05 127035]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 16:50 221184]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 16:50 81920]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-01-10 15:10 579072]
"NVHotkey"="nvHotkey.dll" [2006-03-22 23:32 73728 C:\WINDOWS\system32\nvhotkey.dll]
"NvMediaCenter"="NvMCTray.dll" [2006-03-22 23:32 86016 C:\WINDOWS\system32\nvmctray.dll]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-03-21 14:55 185896]
"CAPON"="C:\WINDOWS\system32\Spool\Drivers\w32x86\3\CAPONN.EXE" [2000-04-19 15:00 22528]
"!AVG Anti-Spyware"="D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 10:25 6731312]
"BM6372aad3"="C:\WINDOWS\system32\lvgyieey.dll" [ ]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-11-06 16:28 219136]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - D:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-10-24 05:37:56 217194]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 23:05:26 29696]
Canon LBP-800 Status Window.LNK - C:\WINDOWS\system32\spool\drivers\w32x86\3\CAPPSWK.EXE [2000-04-19 15:00:00 112640]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2006-04-08 08:53:16 24576]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
C:\Program Files\Intel\Wireless\Bin\LgNotify.dll 2004-09-07 16:08 110592 C:\Program Files\Intel\Wireless\Bin\LgNotify.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\Program Files\\VERITAS\\Backup Exec\\RANT\\beremote.exe"=
"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"=
"D:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\OpenVPN\\bin\\openvpn.exe"=

R3 GTIPCI21;GTIPCI21;C:\WINDOWS\system32\DRIVERS\gtipci21.sys [2005-05-31 16:46]
R3 tap0901;TAP-Win32 Adapter V9;C:\WINDOWS\system32\DRIVERS\tap0901.sys [2007-02-28 10:39]

.
Contents of the 'Scheduled Tasks' folder
"2008-03-31 11:59:02 C:\WINDOWS\Tasks\SDMsgUpdate (TE).job"
- D:\PROGRA~1\SMARTD~1\Messages\SDNotify.exeW-PTE -V900 -SSDU.ini -A -Mhttp://www.smartdraw.com/msgs/messagecheck.aspx -D0 -T -N -X
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-31 12:59:26
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\basfipm.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZipm12.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\VERITAS\Backup Exec\RANT\beremote.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
.
**************************************************************************
.
Completion time: 2008-03-31 13:00:55 - machine was rebooted [Administrator]
ComboFix-quarantined-files.txt 2008-03-31 12:00:52
Pre-Run: 1,048,846,336 bytes free
Post-Run: 994,144,256 bytes free
.
2008-03-12 14:05:46 --- E O F ---

#8 Rawe

Rawe

  • Members
  • 2,363 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Finland
  • Local time:06:04 AM

Posted 31 March 2008 - 07:15 AM

Hi again, much better. :thumbsup:

Please open notepad and copy/paste the text in the quotebox into it

File::
C:\WINDOWS\system32\opnklklL.dll
C:\WINDOWS\system32\ssqQggHB.dll
C:\WINDOWS\system32\lvgyieey.dll
C:\WINDOWS\system32\geBsrSIy.dll

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4DE5906B-8A76-4D73-BDF2-78FF1F0F67C0}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A70189D3-9170-43E4-965B-9EC2C1B2C35A}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A2C14336-B83B-4117-8349-C542F9B18806}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BM6372aad3"=-


Save it as CFScript.txt on your desktop.

Posted Image

Referring to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you, C:\ComboFix.txt. Post that log in your next reply.

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
Hi there, stranger!

#9 mike_hudson

mike_hudson
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:04:04 AM

Posted 31 March 2008 - 07:37 AM

log follows:

ComboFix 08-03-30.3 - Christopher Leonardi 2008-03-31 13:30:04.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1552 [GMT 1:00]
Running from: C:\Documents and Settings\Christopher Leonardi\Desktop\ComboFix.exe
Command switches used :: G:\Data\script_cl\cfscript.txt
* Created a new restore point

FILE ::
C:\WINDOWS\system32\geBsrSIy.dll
C:\WINDOWS\system32\lvgyieey.dll
C:\WINDOWS\system32\opnklklL.dll
C:\WINDOWS\system32\ssqQggHB.dll
.

((((((((((((((((((((((((( Files Created from 2008-02-28 to 2008-03-31 )))))))))))))))))))))))))))))))
.

2008-03-31 12:54 . 2008-03-31 12:54 29,864 --a------ C:\catchme2008-03-31_133001.26.zip
2008-03-31 09:35 . 2008-03-31 09:35 <DIR> d-------- C:\VundoFix Backups
2008-03-28 14:44 . 2008-03-28 15:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-03-28 14:39 . 2008-03-28 14:39 <DIR> d-------- C:\Documents and Settings\Christopher Leonardi\Application Data\Grisoft
2008-03-28 14:39 . 2007-05-30 13:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-03-11 11:05 . 2008-03-11 11:05 <DIR> d-------- C:\Documents and Settings\Christopher Leonardi\Application Data\Viewpoint
2008-02-01 11:40 . 2008-02-01 11:40 <DIR> d-------- C:\Documents and Settings\Christopher Leonardi\System
2008-02-01 11:40 . 2008-02-01 11:40 <DIR> d-------- C:\Documents and Settings\Christopher Leonardi\Application Data\SmartDraw

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-31 08:33 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg7
2008-03-28 13:39 --------- d-----w C:\Documents and Settings\All Users\Application Data\Grisoft
2008-03-28 13:20 --------- d-----w C:\Documents and Settings\Christopher Leonardi\Application Data\AVG7
2008-03-28 10:32 --------- d-----w C:\Documents and Settings\Christopher Leonardi\Application Data\AdobeUM
2008-03-27 12:10 --------- d-----w C:\Program Files\Java
2007-12-18 09:51 179,584 ------w C:\WINDOWS\system32\dllcache\mrxdav.sys
2007-12-10 06:01 51,716 ----a-w C:\WINDOWS\system32\pdf995mon.dll
2007-12-10 06:01 249,856 ----a-w C:\WINDOWS\system32\pdfmona.dll
2007-12-06 10:05 18,432 ------w C:\WINDOWS\system32\dllcache\iedw.exe
2007-12-04 18:38 550,912 ----a-w C:\WINDOWS\system32\oleaut32.dll
2007-12-04 18:38 550,912 ------w C:\WINDOWS\system32\dllcache\oleaut32.dll
.

((((((((((((((((((((((((((((( snapshot@2008-03-31_13.00.34.23 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-03-31 08:37:51 64,262 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-03-31 12:29:00 64,262 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-03-31 08:37:51 405,878 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-03-31 12:29:00 405,878 ----a-w C:\WINDOWS\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 13:54 5674352]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 17:45 313472]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="C:\Program Files\Apoint\Apoint.exe" [2005-10-07 06:13 176128]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-03-22 23:32 7561216]
"nwiz"="nwiz.exe" [2006-03-22 23:32 1519616 C:\WINDOWS\system32\nwiz.exe]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 05:25 144784]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2004-10-30 14:59 385024]
"Dell QuickSet"="C:\Program Files\Dell\QuickSet\quickset.exe" [2005-12-15 10:44 839680]
"ShowLOMControl"="1 (0x1)" []
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 16:19 53248]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-12-06 01:05 127035]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 16:50 221184]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 16:50 81920]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-01-10 15:10 579072]
"NVHotkey"="nvHotkey.dll" [2006-03-22 23:32 73728 C:\WINDOWS\system32\nvhotkey.dll]
"NvMediaCenter"="NvMCTray.dll" [2006-03-22 23:32 86016 C:\WINDOWS\system32\nvmctray.dll]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-03-21 14:55 185896]
"CAPON"="C:\WINDOWS\system32\Spool\Drivers\w32x86\3\CAPONN.EXE" [2000-04-19 15:00 22528]
"!AVG Anti-Spyware"="D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 10:25 6731312]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-11-06 16:28 219136]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - D:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-10-24 05:37:56 217194]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 23:05:26 29696]
Canon LBP-800 Status Window.LNK - C:\WINDOWS\system32\spool\drivers\w32x86\3\CAPPSWK.EXE [2000-04-19 15:00:00 112640]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2006-04-08 08:53:16 24576]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
C:\Program Files\Intel\Wireless\Bin\LgNotify.dll 2004-09-07 16:08 110592 C:\Program Files\Intel\Wireless\Bin\LgNotify.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\Program Files\\VERITAS\\Backup Exec\\RANT\\beremote.exe"=
"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"=
"D:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\OpenVPN\\bin\\openvpn.exe"=

R3 GTIPCI21;GTIPCI21;C:\WINDOWS\system32\DRIVERS\gtipci21.sys [2005-05-31 16:46]
R3 tap0901;TAP-Win32 Adapter V9;C:\WINDOWS\system32\DRIVERS\tap0901.sys [2007-02-28 10:39]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d986567c-a848-11dc-b43d-00166f6941a9}]
\Shell\AutoRun\command - Installer.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-03-31 12:27:51 C:\WINDOWS\Tasks\SDMsgUpdate (TE).job"
- D:\PROGRA~1\SMARTD~1\Messages\SDNotify.exeW-PTE -V900 -SSDU.ini -A -Mhttp://www.smartdraw.com/msgs/messagecheck.aspx -D0 -T -N -X
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-31 13:31:54
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-03-31 13:32:42
ComboFix-quarantined-files.txt 2008-03-31 12:32:33
ComboFix2.txt 2008-03-31 12:00:56
Pre-Run: 980,480,000 bytes free
Post-Run: 966,537,216 bytes free
.
2008-03-12 14:05:46 --- E O F ---

#10 Rawe

Rawe

  • Members
  • 2,363 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Finland
  • Local time:06:04 AM

Posted 31 March 2008 - 07:46 AM

Much better :thumbsup:

Did you install Viewpoint yourself?

Please download Malwarebytes' Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
  • Make sure you are connected to the Internet.
  • Double-click on Download_mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Full Scan" option is selected.
    • Then click on the Scan button.
  • The next screen will ask you to select the drives to scan. Leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.
Hi there, stranger!

#11 mike_hudson

mike_hudson
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:04:04 AM

Posted 31 March 2008 - 09:09 AM

ok, output of that log is here:

Malwarebytes' Anti-Malware 1.09
Database version: 573

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 128810
Time elapsed: 1 hour(s), 1 minute(s), 36 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\Typelib\{50ccd00a-66b6-4d95-aaef-8ee959498f92} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\stfngdvw.1 (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\IE4 Error Log.txt (Malware.Trace) -> Quarantined and deleted successfully.

#12 Rawe

Rawe

  • Members
  • 2,363 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Finland
  • Local time:06:04 AM

Posted 31 March 2008 - 09:12 AM

Go ahead and uninstall Malwarebytes' if you wish. :thumbsup:

Did you install Viewpoint yourself? Is it a app you use?

Click Start -> Run and type in:

ComboFix /u


Hit Enter or click OK. Choose 2 when shown the disclaimer.

Please download OTCleanIt and save it to desktop.
  • Double-click OTCleanIt.exe.
  • Click the CleanUp! button.
  • Select Yes when the "Begin cleanup Process?" prompt appears.
  • If you are prompted to reboot during the cleanup, select YES.
  • The tool will delete itself once it finishes, if not delete it by yourself.
Note: If you receive a warning from your firewall or other security programs regarding OTCleanIt attempting to contact the internet, please allow it to do so.

Stand Up and Be Counted ---> Malware Complaints <--- where you can make difference!

The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.

Here's some tips for future to prevent spyware:

Detect and Remove Programs:Prevention Programs:
  • Comodo BOClean <= Stop identity thieves from getting personal information. Instantly detects well over 1,000,000 unique, variant and repack malware in total. And it's free.
  • SpywareBlaster <= SpywareBlaster will prevent spyware from being installed. Detailed installation guide provided.
  • MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well known adsites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer.
Other necessary Programs:
  • Antivirus Program <= An antivirus program is a must! Whether it is a free version like Avast! or Anti-Vir, or a shareware version like NOD32 this is a must have. (Note to only use 1 at-the-time)
  • Firewall <= A firewall is definitely a must have. Two good free versions are Comodo and Online Armor. (Note to only use 1 at-the-time)
  • More Secure Browser <= Internet Explorer is not the most secure and best browser. There are safer and better alternatives available. I recommend Firefox.
And also see TonyKlein's good advice:
So how did I get infected in the first place?

Setup guide for Comodo Firewall
Setup guide for Avast! 4 Free
Setup guide for AVG Free Antivirus
Hi there, stranger!

#13 mike_hudson

mike_hudson
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:04:04 AM

Posted 31 March 2008 - 09:17 AM

The machine owner isn't sure if they put viewpoint there themselves or not. I'll remove it anyway.
Thanks very much for all your help - I take it those logs show a clean bill of health?

#14 Rawe

Rawe

  • Members
  • 2,363 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Finland
  • Local time:06:04 AM

Posted 31 March 2008 - 09:19 AM

The machine owner isn't sure if they put viewpoint there themselves or not. I'll remove it anyway.
Thanks very much for all your help - I take it those logs show a clean bill of health?

Posting for your friends?

Ayup, looks good to me. :thumbsup:
Hi there, stranger!

#15 mike_hudson

mike_hudson
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:04:04 AM

Posted 31 March 2008 - 09:25 AM

soething like that...
kiitos!




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users