
Virtumonde Infection (vundofix Cannot Detect!)


  • This topic is locked
8 replies to this topic

#1 dmorison1

dmorison1

  • Members
  • 4 posts
  • OFFLINE
  • Local time:11:50 PM

Posted 31 March 2008 - 11:09 AM

Hi, as per topic title and description, I have tried running Adaware, Spybot, AVG, and most recently Vundofix.

Adaware didn't detect it
Spybot detected it, said it had removed it, but didn't
AVG didn't detect it
Vundofix didn't detect it

So, other than Spybot detecting it, what makes me so sure I have it? The HijackThis logs match those in your help forum for this trojan. Can someone tell me what to fix in HijackThis to get rid of it please?


----- Hijack This log below here -----


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:41:45, on 31/03/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\aniServ.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Portrait Displays\Shared\DTSRVC.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_GUI.Exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Portrait Displays\Pivot Software\wpctrl.exe
C:\Program Files\Portrait Displays\HP My Display\DTHtml.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Common Files\Portrait Displays\Shared\HookManager.exe
C:\Program Files\Portrait Displays\Pivot Software\floater.exe
C:\Program Files\USBKVM Switcher\USBKVM.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Dave\Desktop\Work\Apps\putty.exe
C:\Program Files\TextPad 5\TextPad.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Dave\Application Data\Juniper Networks\Juniper Terminal Services Client\dsTermServ.exe
C:\PROGRA~1\Grisoft\AVG7\avgwb.dat
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O1 - Hosts: 127.255.255.255 serial.alcohol-soft.com
O2 - BHO: StumbleUpon Launcher - {145B29F4-A56B-4b90-BBAC-45784EBEBBB7} - C:\Program Files\StumbleUpon\StumbleUponIEBar.dll
O2 - BHO: (no name) - {3FECA576-7AD2-4E11-A6AD-6B59D4FB5DB9} - C:\WINDOWS\system32\mljkkhg.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: (no name) - {E84B9EBA-6CAB-4285-991D-FB9A879A8845} - C:\WINDOWS\system32\mllmn.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: StumbleUpon Toolbar - {5093EB4C-3E93-40AB-9266-B607BA87BDC8} - C:\Program Files\StumbleUpon\StumbleUponIEBar.dll
O4 - HKLM\..\Run: [JMB36X IDE Setup] C:\WINDOWS\JM\JMInsIDE.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [36X Raid Configurer] C:\WINDOWS\system32\JMRaidSetup.exe boot
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [PivotSoftware] "C:\Program Files\Portrait Displays\Pivot Software\wpctrl.exe"
O4 - HKLM\..\Run: [DT HPW] C:\Program Files\Portrait Displays\HP My Display\DTHtml.exe -startup_folder
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\RunOnce: [RestoreHostsFile] cscript "C:\Documents and Settings\All Users\Application Data\Juniper Networks\restore.vbs"
O4 - HKLM\..\RunOnce: [SpybotDeletingA8739] command /c del "C:\WINDOWS\system32\mllmn.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC9524] cmd /c del "C:\WINDOWS\system32\mllmn.dll_old"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [AlcoholAutomount] "C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" /automount
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: USBKVM Switcher.lnk = C:\Program Files\USBKVM Switcher\USBKVM.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: StumbleUpon PhotoBlog It! - res://StumbleUponIEBar.dll/blogimage
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PacificPoker4 - {94EDF7B4-4272-4af3-8F8B-4E2F68E225B7} - C:\PROGRA~1\PACIFI~1\pacificpoker.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games – Buddy Invite) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab55579.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab55579.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1200357299725
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {9BDF4724-10AA-43D5-BD15-AEA0D2287303} (MSN Games – Texas Holdem Poker) - http://zone.msn.com/bingame/zpagames/zpa_txhe.cab60231.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab56649.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games – Game Communicator) - http://zone.msn.com/binframework/v10/StProxy.cab55579.cab
O20 - Winlogon Notify: mljkkhg - C:\WINDOWS\SYSTEM32\mljkkhg.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Airgo Networks NIC Service (ANISERVICE) - Airgo Networks, Inc. - C:\WINDOWS\System32\aniServ.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Portrait Displays Display Tune Service (DTSRVC) - Unknown owner - C:\Program Files\Common Files\Portrait Displays\Shared\DTSRVC.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Check Point SecuRemote Service (SR_Service) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
O23 - Service: Check Point SecuRemote WatchDog (SR_WatchDog) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe

--
End of file - 10349 bytes

Edited by dmorison1, 31 March 2008 - 11:10 AM.
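As an added example, not part of this thread or of any BleepingComputer or HijackThis tool: a small Python script that parses the O2 (BHO), O4 (Run/RunOnce) and O20 (Winlogon Notify) lines of a HijackThis log and flags the combination a helper looks for when deciding whether a log shows a Vundo-style infection. The sample lines are constructed from the indicators in the log above (a handful of lines, not the full log; the ckpNotify line is a constructed benign control). The heuristics, an unnamed BHO loading a DLL from system32, an orphaned BHO registration, and the same DLL also registered under Winlogon Notify, are the example author's own reading of what distinguishes these entries, not a definitive signature.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: a handful of HijackThis-style lines modelled on the log
# posted in this thread (not the full log). The ckpNotify line is a
# constructed benign control so the Winlogon Notify check has something to ignore.
SAMPLE_LOG = r"""
O2 - BHO: StumbleUpon Launcher - {145B29F4-A56B-4b90-BBAC-45784EBEBBB7} - C:\Program Files\StumbleUpon\StumbleUponIEBar.dll
O2 - BHO: (no name) - {3FECA576-7AD2-4E11-A6AD-6B59D4FB5DB9} - C:\WINDOWS\system32\mljkkhg.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {E84B9EBA-6CAB-4285-991D-FB9A879A8845} - C:\WINDOWS\system32\mllmn.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\RunOnce: [SpybotDeletingC9524] cmd /c del "C:\WINDOWS\system32\mllmn.dll_old"
O20 - Winlogon Notify: mljkkhg - C:\WINDOWS\SYSTEM32\mljkkhg.dll
O20 - Winlogon Notify: ckpNotify - C:\WINDOWS\system32\ckpNotify.dll
"""

# Line shapes as HijackThis 2.0.2 prints them (name - {CLSID} - path, etc.)
BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")
NOTIFY_RE = re.compile(r"^O20 - Winlogon Notify: (?P<key>\S+) - (?P<path>.*)$")
RUN_RE = re.compile(r"^O4 - (?P<hive>.*?): \[(?P<entry>[^\]]*)\] (?P<cmd>.*)$")


def basename(path: str) -> str:
    """Last path component, lower-cased so SYSTEM32 and system32 compare equal."""
    return path.strip().split("\\")[-1].lower()


def in_system32(path: str) -> bool:
    return "\\system32\\" in path.lower()


def parse_hjt(text: str) -> Tuple[List[Dict[str, str]], List[Dict[str, str]], List[Dict[str, str]]]:
    """Split a HijackThis log into the three entry types the checks below use."""
    bhos, notifies, runs = [], [], []
    for raw in text.splitlines():
        line = raw.strip()
        m = BHO_RE.match(line)
        if m:
            bhos.append(m.groupdict())
            continue
        m = NOTIFY_RE.match(line)
        if m:
            notifies.append(m.groupdict())
            continue
        m = RUN_RE.match(line)
        if m:
            runs.append(m.groupdict())
    return bhos, notifies, runs


def analyse(text: str) -> List[Dict[str, str]]:
    """Return findings (severity, item, reason) in log order; heuristics are assumptions."""
    bhos, notifies, runs = parse_hjt(text)
    findings: List[Dict[str, str]] = []
    noname_dlls = set()  # DLL basenames loaded by unnamed BHOs out of system32

    for b in bhos:
        path = b["path"]
        if "(file missing)" in path or path.strip() == "(no file)":
            # Registration survives but the DLL is gone: leftover of a partial removal
            findings.append({"severity": "low", "item": f"O2 {b['clsid']}",
                             "reason": "orphaned BHO registration: DLL no longer on disk"})
            continue
        if b["name"] == "(no name)" and in_system32(path):
            # Legitimate BHOs normally carry a name and live under Program Files
            noname_dlls.add(basename(path))
            findings.append({"severity": "medium", "item": f"O2 {b['clsid']}",
                             "reason": f"unnamed BHO loading {basename(path)} from system32"})

    for n in notifies:
        dll = basename(n["path"])
        if dll in noname_dlls:
            # Same DLL hooked into the browser and into logon: reloads after a removal attempt
            findings.append({"severity": "high", "item": f"O20 {n['key']}",
                             "reason": f"{dll} is both an unnamed BHO and a Winlogon Notify DLL"})

    for r in runs:
        if "RunOnce" in r["hive"] and "SpybotDeleting" in r["entry"]:
            findings.append({"severity": "info", "item": f"O4 {r['entry']}",
                             "reason": "pending Spybot deletion job: an earlier removal did not complete"})
    return findings


if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG):
        print(f"[{f['severity']:6}] {f['item']}: {f['reason']}")
```

Run against the constructed sample it reports one high finding (mljkkhg.dll appearing as both an unnamed BHO and a Winlogon Notify DLL), one medium, two orphaned registrations and the pending Spybot deletion, and stays silent on the named StumbleUpon, Google and Check Point entries. It is a triage aid for reading a log, not a removal tool; a helper still decides what to do with each entry.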




#2 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:06:50 PM

Posted 31 March 2008 - 12:03 PM

Hello dmorison1,

Welcome to Bleeping Computer :thumbsup:

You do indeed have a Vundo infection, and it looks like Spybot has been trying valiantly to get rid of it.

This tool is not a toy. If used the wrong way you could trash your computer. Please use only under direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.

1. Download this file - combofix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply please, along with a new HijackThis log.

Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall.

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!



Error reading poptart in Drive A: Delete kids y/n?

#3 dmorison1

dmorison1
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  • Local time:11:50 PM

Posted 31 March 2008 - 12:46 PM

Hi teacup, and thank you very much for your swift response!

I have to say that I'm sorry but my HJT log may have changed from the last time I posted it. I have since tried to run Spybot again, and also VirtumundoBeGone.exe. Both said they had cleared the infection, but I am fairly sure I still have it, as I still keep getting popups.

Anyway, for this reason, I'll post the HJT log again, with the ComboFix log underneath...

Thanks again for your help.

------ HJT--------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:44:26, on 31/03/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\aniServ.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Portrait Displays\Shared\DTSRVC.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_GUI.Exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Portrait Displays\Pivot Software\wpctrl.exe
C:\Program Files\Portrait Displays\HP My Display\DTHtml.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Common Files\Portrait Displays\Shared\HookManager.exe
C:\Program Files\USBKVM Switcher\USBKVM.exe
C:\Program Files\Portrait Displays\Pivot Software\floater.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: StumbleUpon Launcher - {145B29F4-A56B-4b90-BBAC-45784EBEBBB7} - C:\Program Files\StumbleUpon\StumbleUponIEBar.dll
O2 - BHO: (no name) - {293E8815-0A71-40E0-8C57-E11E208CEEAF} - C:\WINDOWS\system32\mllmj.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: (no name) - {E84B9EBA-6CAB-4285-991D-FB9A879A8845} - C:\WINDOWS\system32\mllmn.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: StumbleUpon Toolbar - {5093EB4C-3E93-40AB-9266-B607BA87BDC8} - C:\Program Files\StumbleUpon\StumbleUponIEBar.dll
O4 - HKLM\..\Run: [JMB36X IDE Setup] C:\WINDOWS\JM\JMInsIDE.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [36X Raid Configurer] C:\WINDOWS\system32\JMRaidSetup.exe boot
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [PivotSoftware] "C:\Program Files\Portrait Displays\Pivot Software\wpctrl.exe"
O4 - HKLM\..\Run: [DT HPW] C:\Program Files\Portrait Displays\HP My Display\DTHtml.exe -startup_folder
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [AlcoholAutomount] "C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" /automount
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: USBKVM Switcher.lnk = C:\Program Files\USBKVM Switcher\USBKVM.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: StumbleUpon PhotoBlog It! - res://StumbleUponIEBar.dll/blogimage
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PacificPoker4 - {94EDF7B4-4272-4af3-8F8B-4E2F68E225B7} - C:\PROGRA~1\PACIFI~1\pacificpoker.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games Buddy Invite) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab55579.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab55579.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1200357299725
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {9BDF4724-10AA-43D5-BD15-AEA0D2287303} (MSN Games Texas Holdem Poker) - http://zone.msn.com/bingame/zpagames/zpa_txhe.cab60231.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab56649.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games Game Communicator) - http://zone.msn.com/binframework/v10/StProxy.cab55579.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Airgo Networks NIC Service (ANISERVICE) - Airgo Networks, Inc. - C:\WINDOWS\System32\aniServ.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Portrait Displays Display Tune Service (DTSRVC) - Unknown owner - C:\Program Files\Common Files\Portrait Displays\Shared\DTSRVC.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Check Point SecuRemote Service (SR_Service) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
O23 - Service: Check Point SecuRemote WatchDog (SR_WatchDog) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe

--
End of file - 9506 bytes

------- ComboFix.txt ------

ComboFix 08-03-30.3 - Dave 2008-03-31 18:35:06.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1557 [GMT 1:00]
Running from: C:\Documents and Settings\Dave\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\OPTIONS\CABS\_desktop.ini
C:\WINDOWS\system32\jmllm.ini
C:\WINDOWS\system32\jmllm.ini2
C:\WINDOWS\system32\nmllm.ini
C:\WINDOWS\system32\nmllm.ini2

.
((((((((((((((((((((((((( Files Created from 2008-02-28 to 2008-03-31 )))))))))))))))))))))))))))))))
.

2008-03-31 16:49 . 2008-03-31 16:49 <DIR> d-------- C:\VundoFix Backups
2008-03-31 14:39 . 2008-03-31 14:39 <DIR> d-------- C:\Program Files\Trend Micro
2008-03-31 12:46 . 2008-03-31 18:10 147 --a------ C:\WINDOWS\wininit.ini
2008-03-31 02:01 . 2008-03-31 02:02 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\FLEXnet
2008-03-31 01:48 . 2008-03-31 01:48 <DIR> d-------- C:\Program Files\QuickTime
2008-03-31 01:47 . 2007-02-20 16:04 2,463,976 --a------ C:\WINDOWS\system32\NPSWF32.dll
2008-03-31 01:47 . 2007-02-20 16:04 190,696 --a------ C:\WINDOWS\system32\NPSWF32_FlashUtil.exe
2008-03-31 01:45 . 2008-03-31 01:45 <DIR> d-------- C:\Program Files\Bonjour
2008-03-31 01:33 . 2008-03-31 01:33 <DIR> d-------- C:\Program Files\Common Files\Macrovision Shared
2008-03-31 01:28 . 2008-03-31 01:45 <DIR> d-------- C:\Program Files\Common Files\Adobe
2008-03-31 00:18 . 2008-03-31 00:18 38,400 --a------ C:\WINDOWS\system32\mljkkhg.dll.vir
2008-03-29 23:29 . 2008-03-29 23:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Macrovision
2008-03-29 22:17 . 2008-03-29 22:17 <DIR> d-------- C:\Program Files\Common Files\Macromedia Shared
2008-03-29 22:04 . 2008-03-29 22:04 <DIR> d-------- C:\Poker
2008-03-29 13:51 . 2008-03-29 22:16 <DIR> d-------- C:\Program Files\Macromedia
2008-03-29 13:51 . 2008-03-29 21:11 <DIR> d-------- C:\Program Files\Common Files\Macromedia
2008-03-28 11:04 . 2008-03-28 11:05 691,545 --a------ C:\WINDOWS\unins000.exe
2008-03-28 11:04 . 2008-03-28 11:05 4,632 --a------ C:\WINDOWS\unins000.dat
2008-03-27 11:11 . 2007-04-09 14:23 28,040 --a------ C:\WINDOWS\system32\mdimon.dll
2008-03-27 11:11 . 2008-03-27 11:11 376 --a------ C:\WINDOWS\ODBC.INI
2008-03-27 11:10 . 2008-03-27 11:10 <DIR> d-------- C:\Program Files\Microsoft ActiveSync
2008-03-27 11:09 . 2008-03-27 11:10 <DIR> d-------- C:\WINDOWS\SHELLNEW
2008-03-27 10:44 . 2008-03-27 10:44 <DIR> d-------- C:\Program Files\Microsoft.NET
2008-03-27 10:42 . 2008-03-27 10:42 <DIR> dr-h----- C:\MSOCache
2008-03-26 15:59 . 2008-03-26 15:59 <DIR> d-------- C:\Program Files\CoffeeCup Software
2008-03-25 23:36 . 2007-06-07 12:29 52,693 --a------ C:\WINDOWS\system32\drivers\mak810u.sys
2008-03-25 23:36 . 2005-08-18 12:44 49,867 --a------ C:\WINDOWS\system32\drivers\mardp2k.sys
2008-03-25 23:36 . 2005-08-18 12:44 49,484 --a------ C:\WINDOWS\system32\drivers\MARDPNP.SYS
2008-03-25 23:36 . 2005-07-12 18:33 36,586 --a------ C:\WINDOWS\system32\drivers\mavcomm.sys
2008-03-25 23:36 . 2005-05-16 12:17 25,880 --a------ C:\WINDOWS\system32\mavcomm.vxd
2008-03-25 23:36 . 2007-01-16 12:46 25,302 --a------ C:\WINDOWS\system32\drivers\MaVctrl.sys
2008-03-25 23:36 . 2005-06-16 19:13 25,044 --a------ C:\WINDOWS\system32\drivers\mak810m.sys
2008-03-25 23:36 . 2005-06-16 19:11 24,784 --a------ C:\WINDOWS\system32\drivers\mak810c.sys
2008-03-25 23:36 . 2007-01-16 12:44 11,986 --a------ C:\WINDOWS\system32\drivers\MaVc2K.sys
2008-03-25 23:35 . 2008-03-25 23:35 <DIR> d-------- C:\WINDOWS\Application Data
2008-03-25 11:40 . 2008-03-25 11:40 0 --a------ C:\WINDOWS\nsreg.dat
2008-03-24 11:12 . 2008-03-24 11:12 <DIR> d-------- C:\Documents and Settings\Dave\Application Data\Helios
2008-03-24 10:49 . 2008-03-24 10:49 <DIR> d-------- C:\Program Files\TextPad 5
2008-03-24 03:27 . 2008-03-24 03:27 <DIR> d-------- C:\Program Files\Blue Box Network
2008-03-24 03:27 . 2008-03-24 03:27 <DIR> d-------- C:\Documents and Settings\Dave\Application Data\Blue Box Network
2008-03-24 03:24 . 2008-03-24 03:25 <DIR> d-------- C:\Program Files\Name The Picture Online Game
2008-03-23 19:21 . 2008-03-23 19:21 <DIR> d-------- C:\Program Files\Neoteris
2008-03-23 19:21 . 2008-03-31 11:14 <DIR> d-------- C:\Documents and Settings\Dave\Application Data\Juniper Networks
2008-03-23 19:21 . 2008-03-31 16:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Juniper Networks
2008-03-19 00:20 . 2005-03-01 20:49 2,516 --a------ C:\WINDOWS\system32\drivers\default.bin
2008-03-19 00:20 . 2005-03-01 20:49 2,516 --a------ C:\WINDOWS\system32\default.bin
2008-03-19 00:19 . 2008-03-19 00:19 <DIR> d-------- C:\Program Files\CheckPoint
2008-03-19 00:19 . 2005-03-01 20:49 2,041,904 --a------ C:\WINDOWS\system32\drivers\fw.sys
2008-03-19 00:19 . 2005-03-01 20:49 670,128 --a------ C:\WINDOWS\system32\drivers\vpn.sys
2008-03-19 00:19 . 2005-03-01 20:49 106,591 --a------ C:\WINDOWS\system32\fwnetcfg.dll
2008-03-19 00:19 . 2005-03-01 20:49 32,866 --a------ C:\WINDOWS\system32\ckpginashim.dll
2008-03-19 00:19 . 2005-03-01 20:49 24,672 --a------ C:\WINDOWS\system32\ckpNotify.dll
2008-03-19 00:19 . 2005-03-01 20:49 17,456 --a------ C:\WINDOWS\system32\drivers\scap.sys
2008-03-19 00:19 . 2005-03-01 20:49 14,924 --a------ C:\WINDOWS\system32\drivers\OMVA.sys
2008-03-19 00:19 . 2005-03-01 20:49 4,133 --a------ C:\WINDOWS\entrust.ini
2008-03-08 21:27 . 2004-08-04 01:56 21,504 --a------ C:\WINDOWS\system32\hidserv.dll
2008-03-08 21:27 . 2004-08-04 01:56 21,504 --a--c--- C:\WINDOWS\system32\dllcache\hidserv.dll
2008-03-08 21:27 . 2004-08-03 23:58 14,848 --a------ C:\WINDOWS\system32\drivers\kbdhid.sys
2008-03-08 21:27 . 2004-08-03 23:58 14,848 --a--c--- C:\WINDOWS\system32\dllcache\kbdhid.sys
2008-03-08 18:30 . 2008-03-08 18:30 <DIR> d-------- C:\Program Files\USBKVM Switcher
2008-03-02 03:39 . 2008-03-02 03:39 <DIR> d-------- C:\Program Files\RealVNC
2008-02-19 20:49 . 2008-02-19 21:29 <DIR> d-------- C:\Documents and Settings\Dave\Application Data\FileZilla
2008-02-19 20:47 . 2008-02-19 20:47 <DIR> d-------- C:\Program Files\FileZilla FTP Client
2008-02-08 00:44 . 2008-02-08 00:44 <DIR> d-------- C:\Program Files\Neoretix
2008-02-06 01:46 . 2007-08-20 11:29 393,216 --a------ C:\WINDOWS\system32\WPN511FCS.exe
2008-02-06 01:46 . 2007-01-26 11:38 155,745 --a------ C:\WINDOWS\system32\installservice.exe
2008-02-06 01:46 . 2007-02-06 12:23 102,400 --a------ C:\WINDOWS\system32\ASupplicant.dll
2008-02-06 01:46 . 2002-04-12 11:06 73,728 --a------ C:\WINDOWS\system32\AW32n50.dll
2008-02-06 01:46 . 2006-06-02 18:08 17,801 --a------ C:\WINDOWS\system32\AegisP.sys
2008-02-06 01:46 . 2002-04-11 18:43 16,194 --a------ C:\WINDOWS\system32\AWINDIS5.SYS
2008-02-03 19:59 . 2008-02-06 00:31 <DIR> d-------- C:\Program Files\Railroad Tycoon 2

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-31 17:00 --------- d-----w C:\Documents and Settings\Dave\Application Data\StumbleUpon
2008-03-31 13:07 --------- d-----w C:\Documents and Settings\Dave\Application Data\AVG7
2008-03-30 23:15 --------- d-----w C:\Program Files\Alcohol Soft
2008-03-30 22:39 716,272 ----a-w C:\WINDOWS\system32\drivers\sptd.sys
2008-03-29 21:16 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-29 11:25 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-03-25 17:29 --------- d-----w C:\Program Files\PacificPoker4
2008-03-23 16:29 --------- d-----w C:\Program Files\Java
2008-02-11 00:47 --------- d-----w C:\Program Files\SpeedFan
2008-01-14 23:51 315,392 ----a-w C:\WINDOWS\HideWin.exe
2008-01-14 23:50 15,600 ----a-w C:\WINDOWS\gdrv.sys
.

------- Sigcheck -------

2008-01-16 02:13 502272 6225f14b8ce08ccba8b25ad27843c674 C:\WINDOWS\system32\winlogon.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{293E8815-0A71-40E0-8C57-E11E208CEEAF}]
C:\WINDOWS\system32\mllmj.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E84B9EBA-6CAB-4285-991D-FB9A879A8845}]
C:\WINDOWS\system32\mllmn.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-12 14:18 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2008-01-18 00:39 171448]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 12:34 5724184]
"AlcoholAutomount"="C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" [2008-03-30 18:31 4608]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"JMB36X IDE Setup"="C:\WINDOWS\JM\JMInsIDE.exe" [2006-10-30 13:44 36864]
"RTHDCPL"="RTHDCPL.EXE" [2007-04-12 10:33 16132608 C:\WINDOWS\RTHDCPL.exe]
"36X Raid Configurer"="C:\WINDOWS\system32\JMRaidSetup.exe" [2007-02-06 13:08 1953792]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-12-05 02:41 8523776]
"nwiz"="nwiz.exe" [2007-12-05 02:41 1626112 C:\WINDOWS\system32\nwiz.exe]
"PivotSoftware"="C:\Program Files\Portrait Displays\Pivot Software\wpctrl.exe" [2007-02-09 13:17 694008]
"DT HPW"="C:\Program Files\Portrait Displays\HP My Display\DTHtml.exe" [2007-04-25 13:36 280064]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 05:25 144784]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-12-05 02:41 81920]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-01-18 02:10 579072]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-12 14:18 15360]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-01-18 02:09 219136]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
USBKVM Switcher.lnk - C:\Program Files\USBKVM Switcher\USBKVM.exe [2008-03-08 18:30:42 184320]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ckpNotify]
ckpNotify.dll 2005-03-01 20:49 24672 C:\WINDOWS\system32\ckpNotify.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpCtr.exe"=
"C:\\Program Files\\Railroad Tycoon 2\\RT2.EXE"=
"C:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SR_Service.exe"=
"C:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SR_GUI.exe"=
"C:\\Program Files\\CheckPoint\\SecuRemote\\bin\\scc.exe"=
"C:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SR_SDS.exe"=
"C:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SR_Diagnostics.exe"=
"C:\\Documents and Settings\\Dave\\Application Data\\Juniper Networks\\Juniper Terminal Services Client\\dsTermServ.exe"=
"C:\\WINDOWS\\system32\\ftp.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=

R1 Pivot;Pivot;C:\WINDOWS\system32\drivers\pivot.sys [2007-02-09 13:17]
R2 ANISERVICE;Airgo Networks NIC Service;C:\WINDOWS\System32\aniServ.exe [2004-08-11 13:00]
R2 Scap;SecureClient Application Policy Module;C:\WINDOWS\system32\DRIVERS\Scap.sys [2005-03-01 20:49]
R2 VPN-1;VPN-1 Module;C:\WINDOWS\system32\drivers\vpn.sys [2005-03-01 20:49]
R3 AWINDIS5;AWINDIS5 Protocol Driver;C:\WINDOWS\system32\AWINDIS5.SYS [2002-04-11 18:43]
R3 FW1;SecuRemote Miniport;C:\WINDOWS\system32\DRIVERS\fw.sys [2005-03-01 20:49]
S3 gdrv;gdrv;C:\WINDOWS\gdrv.sys [2008-01-15 00:50]
S3 mak810c;mak810c;C:\WINDOWS\system32\Drivers\mak810c.sys [2005-06-16 19:11]
S3 mak810m;mak810m;C:\WINDOWS\system32\Drivers\mak810m.sys [2005-06-16 19:13]
S3 mak810u;mak810u;C:\WINDOWS\system32\Drivers\mak810u.sys [2007-06-07 12:29]
S3 OMVA;VPN-1 SecureClient Adapter;C:\WINDOWS\system32\DRIVERS\OMVA.sys [2005-03-01 20:49]
S3 pivotmou;Pivot Mouse/Pointers Filter Driver;C:\WINDOWS\system32\drivers\pivotmou.sys [2007-02-09 13:17]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7e9cf79c-c2ff-11dc-9781-001a4d547696}]
\Shell\AutoRun\command - F:\setup.exe

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-31 18:40:26
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\explorer.exe
-> C:\Program Files\Portrait Displays\Pivot Software\winphook.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Portrait Displays\Shared\DTSRVC.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_GUI.Exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Common Files\Portrait Displays\Shared\HookManager.exe
C:\Program Files\Portrait Displays\Pivot Software\floater.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
.
**************************************************************************
.
Completion time: 2008-03-31 18:43:02 - machine was rebooted
ComboFix-quarantined-files.txt 2008-03-31 17:42:59
Pre-Run: 140,533,100,544 bytes free
Post-Run: 140,463,783,936 bytes free
.
2008-03-31 15:19:13 --- E O F ---

#4 teacup61

    Bleepin' Texan!

  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 31 March 2008 - 01:21 PM

Hello,

You're welcome. :thumbsup:

It's okay about the logs in this case. I still see what I needed to see, so it's not a problem. :wacko:

Please run HijackThis! and click "Scan." Place checks next to the following entries, if present:

O2 - BHO: (no name) - {293E8815-0A71-40E0-8C57-E11E208CEEAF} - C:\WINDOWS\system32\mllmj.dll (file missing)
O2 - BHO: (no name) - {E84B9EBA-6CAB-4285-991D-FB9A879A8845} - C:\WINDOWS\system32\mllmn.dll (file missing)
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O9 - Extra button: PacificPoker4 - {94EDF7B4-4272-4af3-8F8B-4E2F68E225B7} - C:\PROGRA~1\PACIFI~1\pacificpoker.exe


Close all browsers and other windows except for HijackThis!, and click "Fix checked".

Reboot your computer.

* Open notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text in the quote box below into notepad:

File::
C:\WINDOWS\system32\mljkkhg.dll.vir
C:\WINDOWS\system32\mllmj.dll
C:\WINDOWS\system32\mllmn.dll

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{293E8815-0A71-40E0-8C57-E11E208CEEAF}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E84B9EBA-6CAB-4285-991D-FB9A879A8845}]


Save this as a text file named CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

[screenshot: dragging CFScript onto ComboFix.exe]

This will start ComboFix again.

After reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log. How is it running now please? :blink:

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!



Error reading poptart in Drive A: Delete kids y/n?

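The fix above pairs HijackThis O2 entries with a CFScript that deletes the DLLs and the matching Browser Helper Objects keys. The following Python script is an added example, not code from this thread, from HijackThis or from ComboFix: it reads the O2 lines of a HijackThis log, flags the ones that look like Vundo's (an unnamed BHO, a DLL sitting directly in system32, or a registration whose file is already gone) and drafts the File:: and Registry:: sections in the layout used in the post. The scoring rules are this example's own heuristics, the sample log text is constructed from the O2 lines shown in this thread, and the Registry:: entries spell out the full Browser Helper Objects key instead of ComboFix's `~` shorthand. Check any draft by hand before feeding it to a removal tool.

```python
"""Triage the O2 (Browser Helper Object) lines of a HijackThis log and draft
the File:: / Registry:: sections of a ComboFix-style CFScript for the hits.

Added example, not code from the BleepingComputer thread or from HijackThis
or ComboFix.  SAMPLE_LOG is constructed from the O2 lines shown in the
thread; the scoring rules are this example's own heuristics.
"""
import re
from dataclasses import dataclass

# HijackThis O2 line:  O2 - BHO: <name> - {CLSID} - <path>[ (file missing)]
O2_LINE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - "
    r"(?P<clsid>\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}) - "
    r"(?P<path>.+?)(?P<missing> \(file missing\))?$"
)
# A DLL sitting directly in system32 rather than in a vendor folder, as Vundo's were.
BARE_SYSTEM32_DLL = re.compile(r"^[A-Za-z]:\\WINDOWS\\system32\\[^\\]+\.dll$", re.IGNORECASE)
# Real location of the key that HijackThis/ComboFix abbreviate as HKLM\~\Browser Helper Objects.
BHO_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"


@dataclass(frozen=True)
class Bho:
    name: str
    clsid: str
    path: str
    file_missing: bool


def parse_o2(line):
    """Return a Bho for an O2 line, or None for any other log line."""
    m = O2_LINE.match(line.strip())
    if not m:
        return None
    return Bho(m["name"], m["clsid"], m["path"], m["missing"] is not None)


def indicators(bho):
    """Red flags for one BHO (heuristics assumed by this example, not HijackThis rules)."""
    flags = []
    if bho.name == "(no name)":
        flags.append("BHO registered without a name")
    if BARE_SYSTEM32_DLL.match(bho.path):
        flags.append("DLL dropped directly in system32")
    if bho.file_missing:
        flags.append("registration points at a file that no longer exists")
    return flags


def is_suspicious(bho):
    """An orphaned registration is always worth removing.  Otherwise require two flags,
    because a single one (e.g. an unnamed but legitimate vendor BHO) is common and benign."""
    return bho.file_missing or len(indicators(bho)) >= 2


def suspicious_bhos(log_text):
    """All O2 entries in the log that trip is_suspicious, in log order."""
    return [b for b in map(parse_o2, log_text.splitlines()) if b and is_suspicious(b)]


def cfscript(bhos):
    """Draft File:: and Registry:: sections in the layout the thread's CFScript uses,
    with the full key path written out instead of ComboFix's '~' shorthand."""
    lines = ["File::"] + [b.path for b in bhos] + ["", "Registry::"]
    lines += [f"[-{BHO_KEY}\\{b.clsid}]" for b in bhos]
    return "\n".join(lines) + "\n"


# Constructed sample: the thread's two Vundo BHOs, two legitimate BHOs and one non-O2 line.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {293E8815-0A71-40E0-8C57-E11E208CEEAF} - C:\WINDOWS\system32\mllmj.dll (file missing)
O2 - BHO: (no name) - {E84B9EBA-6CAB-4285-991D-FB9A879A8845} - C:\WINDOWS\system32\mllmn.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
"""

if __name__ == "__main__":
    hits = suspicious_bhos(SAMPLE_LOG)
    for b in hits:
        print(f"{b.clsid} {b.path}: {'; '.join(indicators(b))}")
    print(cfscript(hits))
```

Run it directly to see the two flagged CLSIDs with their reasons followed by the drafted script; to triage a real log, pass the file's text to `suspicious_bhos` instead of `SAMPLE_LOG`.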
#5 dmorison1
  • Topic Starter
  • Members
  • 4 posts

Posted 31 March 2008 - 06:25 PM

It seems to be running somewhat smoother.

Many thanks for all your help!! It is bedtime for me just now but I'll give the machine a proper run tomorrow and will then know for sure (though I'm sure you can tell from the logs I posted anyway). If fixed, I shall leave a donation for your time. Thanks.

I'll be trying to figure out how you knew that the Pacific Poker application and MSN Messenger had been affected as well! Unless you can tell me of course... :thumbsup:

Here are my latest logs:

----- HJT -----

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 00:20:24, on 01/04/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\aniServ.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Portrait Displays\Shared\DTSRVC.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_GUI.Exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Portrait Displays\Pivot Software\wpctrl.exe
C:\Program Files\Portrait Displays\HP My Display\DTHtml.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Common Files\Portrait Displays\Shared\HookManager.exe
C:\Program Files\USBKVM Switcher\USBKVM.exe
C:\Program Files\Portrait Displays\Pivot Software\floater.exe
C:\WINDOWS\system32\imapi.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: StumbleUpon Launcher - {145B29F4-A56B-4b90-BBAC-45784EBEBBB7} - C:\Program Files\StumbleUpon\StumbleUponIEBar.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: StumbleUpon Toolbar - {5093EB4C-3E93-40AB-9266-B607BA87BDC8} - C:\Program Files\StumbleUpon\StumbleUponIEBar.dll
O4 - HKLM\..\Run: [JMB36X IDE Setup] C:\WINDOWS\JM\JMInsIDE.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [36X Raid Configurer] C:\WINDOWS\system32\JMRaidSetup.exe boot
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [PivotSoftware] "C:\Program Files\Portrait Displays\Pivot Software\wpctrl.exe"
O4 - HKLM\..\Run: [DT HPW] C:\Program Files\Portrait Displays\HP My Display\DTHtml.exe -startup_folder
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [AlcoholAutomount] "C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" /automount
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: USBKVM Switcher.lnk = C:\Program Files\USBKVM Switcher\USBKVM.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: StumbleUpon PhotoBlog It! - res://StumbleUponIEBar.dll/blogimage
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games Buddy Invite) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab55579.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab55579.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1200357299725
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {9BDF4724-10AA-43D5-BD15-AEA0D2287303} (MSN Games Texas Holdem Poker) - http://zone.msn.com/bingame/zpagames/zpa_txhe.cab60231.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab56649.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games Game Communicator) - http://zone.msn.com/binframework/v10/StProxy.cab55579.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Airgo Networks NIC Service (ANISERVICE) - Airgo Networks, Inc. - C:\WINDOWS\System32\aniServ.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Portrait Displays Display Tune Service (DTSRVC) - Unknown owner - C:\Program Files\Common Files\Portrait Displays\Shared\DTSRVC.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Check Point SecuRemote Service (SR_Service) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
O23 - Service: Check Point SecuRemote WatchDog (SR_WatchDog) - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe

--
End of file - 9023 bytes
---- ComboFix -----

ComboFix 08-03-30.3 - Dave 2008-04-01 0:15:04.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1610 [GMT 1:00]
Running from: C:\Documents and Settings\Dave\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Dave\Desktop\cfscript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\system32\mljkkhg.dll.vir
C:\WINDOWS\system32\mllmj.dll
C:\WINDOWS\system32\mllmn.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\mljkkhg.dll.vir

.
((((((((((((((((((((((((( Files Created from 2008-02-28 to 2008-03-31 )))))))))))))))))))))))))))))))
.

2008-03-31 16:49 . 2008-03-31 16:49 <DIR> d-------- C:\VundoFix Backups
2008-03-31 14:39 . 2008-03-31 14:39 <DIR> d-------- C:\Program Files\Trend Micro
2008-03-31 12:46 . 2008-03-31 18:10 147 --a------ C:\WINDOWS\wininit.ini
2008-03-31 02:01 . 2008-03-31 02:02 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\FLEXnet
2008-03-31 01:48 . 2008-03-31 01:48 <DIR> d-------- C:\Program Files\QuickTime
2008-03-31 01:47 . 2007-02-20 16:04 2,463,976 --a------ C:\WINDOWS\system32\NPSWF32.dll
2008-03-31 01:47 . 2007-02-20 16:04 190,696 --a------ C:\WINDOWS\system32\NPSWF32_FlashUtil.exe
2008-03-31 01:45 . 2008-03-31 01:45 <DIR> d-------- C:\Program Files\Bonjour
2008-03-31 01:33 . 2008-03-31 01:33 <DIR> d-------- C:\Program Files\Common Files\Macrovision Shared
2008-03-31 01:28 . 2008-03-31 01:45 <DIR> d-------- C:\Program Files\Common Files\Adobe
2008-03-29 23:29 . 2008-03-29 23:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Macrovision
2008-03-29 22:17 . 2008-03-29 22:17 <DIR> d-------- C:\Program Files\Common Files\Macromedia Shared
2008-03-29 22:04 . 2008-03-29 22:04 <DIR> d-------- C:\Poker
2008-03-29 13:51 . 2008-03-29 22:16 <DIR> d-------- C:\Program Files\Macromedia
2008-03-29 13:51 . 2008-03-29 21:11 <DIR> d-------- C:\Program Files\Common Files\Macromedia
2008-03-28 11:04 . 2008-03-28 11:05 691,545 --a------ C:\WINDOWS\unins000.exe
2008-03-28 11:04 . 2008-03-28 11:05 4,632 --a------ C:\WINDOWS\unins000.dat
2008-03-27 11:11 . 2007-04-09 14:23 28,040 --a------ C:\WINDOWS\system32\mdimon.dll
2008-03-27 11:11 . 2008-03-27 11:11 376 --a------ C:\WINDOWS\ODBC.INI
2008-03-27 11:10 . 2008-03-27 11:10 <DIR> d-------- C:\Program Files\Microsoft ActiveSync
2008-03-27 11:09 . 2008-03-27 11:10 <DIR> d-------- C:\WINDOWS\SHELLNEW
2008-03-27 10:44 . 2008-03-27 10:44 <DIR> d-------- C:\Program Files\Microsoft.NET
2008-03-27 10:42 . 2008-03-27 10:42 <DIR> dr-h----- C:\MSOCache
2008-03-26 15:59 . 2008-03-26 15:59 <DIR> d-------- C:\Program Files\CoffeeCup Software
2008-03-25 23:36 . 2007-06-07 12:29 52,693 --a------ C:\WINDOWS\system32\drivers\mak810u.sys
2008-03-25 23:36 . 2005-08-18 12:44 49,867 --a------ C:\WINDOWS\system32\drivers\mardp2k.sys
2008-03-25 23:36 . 2005-08-18 12:44 49,484 --a------ C:\WINDOWS\system32\drivers\MARDPNP.SYS
2008-03-25 23:36 . 2005-07-12 18:33 36,586 --a------ C:\WINDOWS\system32\drivers\mavcomm.sys
2008-03-25 23:36 . 2005-05-16 12:17 25,880 --a------ C:\WINDOWS\system32\mavcomm.vxd
2008-03-25 23:36 . 2007-01-16 12:46 25,302 --a------ C:\WINDOWS\system32\drivers\MaVctrl.sys
2008-03-25 23:36 . 2005-06-16 19:13 25,044 --a------ C:\WINDOWS\system32\drivers\mak810m.sys
2008-03-25 23:36 . 2005-06-16 19:11 24,784 --a------ C:\WINDOWS\system32\drivers\mak810c.sys
2008-03-25 23:36 . 2007-01-16 12:44 11,986 --a------ C:\WINDOWS\system32\drivers\MaVc2K.sys
2008-03-25 23:35 . 2008-03-25 23:35 <DIR> d-------- C:\WINDOWS\Application Data
2008-03-25 11:40 . 2008-03-25 11:40 0 --a------ C:\WINDOWS\nsreg.dat
2008-03-24 11:12 . 2008-03-24 11:12 <DIR> d-------- C:\Documents and Settings\Dave\Application Data\Helios
2008-03-24 10:49 . 2008-03-24 10:49 <DIR> d-------- C:\Program Files\TextPad 5
2008-03-24 03:27 . 2008-03-24 03:27 <DIR> d-------- C:\Program Files\Blue Box Network
2008-03-24 03:27 . 2008-03-24 03:27 <DIR> d-------- C:\Documents and Settings\Dave\Application Data\Blue Box Network
2008-03-24 03:24 . 2008-03-24 03:25 <DIR> d-------- C:\Program Files\Name The Picture Online Game
2008-03-23 19:21 . 2008-03-23 19:21 <DIR> d-------- C:\Program Files\Neoteris
2008-03-23 19:21 . 2008-03-31 11:14 <DIR> d-------- C:\Documents and Settings\Dave\Application Data\Juniper Networks
2008-03-23 19:21 . 2008-03-31 16:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Juniper Networks
2008-03-19 00:20 . 2005-03-01 20:49 2,516 --a------ C:\WINDOWS\system32\drivers\default.bin
2008-03-19 00:20 . 2005-03-01 20:49 2,516 --a------ C:\WINDOWS\system32\default.bin
2008-03-19 00:19 . 2008-03-19 00:19 <DIR> d-------- C:\Program Files\CheckPoint
2008-03-19 00:19 . 2005-03-01 20:49 2,041,904 --a------ C:\WINDOWS\system32\drivers\fw.sys
2008-03-19 00:19 . 2005-03-01 20:49 670,128 --a------ C:\WINDOWS\system32\drivers\vpn.sys
2008-03-19 00:19 . 2005-03-01 20:49 106,591 --a------ C:\WINDOWS\system32\fwnetcfg.dll
2008-03-19 00:19 . 2005-03-01 20:49 32,866 --a------ C:\WINDOWS\system32\ckpginashim.dll
2008-03-19 00:19 . 2005-03-01 20:49 24,672 --a------ C:\WINDOWS\system32\ckpNotify.dll
2008-03-19 00:19 . 2005-03-01 20:49 17,456 --a------ C:\WINDOWS\system32\drivers\scap.sys
2008-03-19 00:19 . 2005-03-01 20:49 14,924 --a------ C:\WINDOWS\system32\drivers\OMVA.sys
2008-03-19 00:19 . 2005-03-01 20:49 4,133 --a------ C:\WINDOWS\entrust.ini
2008-03-08 21:27 . 2004-08-04 01:56 21,504 --a------ C:\WINDOWS\system32\hidserv.dll
2008-03-08 21:27 . 2004-08-04 01:56 21,504 --a--c--- C:\WINDOWS\system32\dllcache\hidserv.dll
2008-03-08 21:27 . 2004-08-03 23:58 14,848 --a------ C:\WINDOWS\system32\drivers\kbdhid.sys
2008-03-08 21:27 . 2004-08-03 23:58 14,848 --a--c--- C:\WINDOWS\system32\dllcache\kbdhid.sys
2008-03-08 18:30 . 2008-03-08 18:30 <DIR> d-------- C:\Program Files\USBKVM Switcher
2008-03-02 03:39 . 2008-03-02 03:39 <DIR> d-------- C:\Program Files\RealVNC
2008-02-19 20:49 . 2008-02-19 21:29 <DIR> d-------- C:\Documents and Settings\Dave\Application Data\FileZilla
2008-02-19 20:47 . 2008-02-19 20:47 <DIR> d-------- C:\Program Files\FileZilla FTP Client
2008-02-08 00:44 . 2008-02-08 00:44 <DIR> d-------- C:\Program Files\Neoretix
2008-02-06 01:46 . 2007-08-20 11:29 393,216 --a------ C:\WINDOWS\system32\WPN511FCS.exe
2008-02-06 01:46 . 2007-01-26 11:38 155,745 --a------ C:\WINDOWS\system32\installservice.exe
2008-02-06 01:46 . 2007-02-06 12:23 102,400 --a------ C:\WINDOWS\system32\ASupplicant.dll
2008-02-06 01:46 . 2002-04-12 11:06 73,728 --a------ C:\WINDOWS\system32\AW32n50.dll
2008-02-06 01:46 . 2006-06-02 18:08 17,801 --a------ C:\WINDOWS\system32\AegisP.sys
2008-02-06 01:46 . 2002-04-11 18:43 16,194 --a------ C:\WINDOWS\system32\AWINDIS5.SYS
2008-02-03 19:59 . 2008-02-06 00:31 <DIR> d-------- C:\Program Files\Railroad Tycoon 2

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-31 17:00 --------- d-----w C:\Documents and Settings\Dave\Application Data\StumbleUpon
2008-03-31 13:07 --------- d-----w C:\Documents and Settings\Dave\Application Data\AVG7
2008-03-30 23:15 --------- d-----w C:\Program Files\Alcohol Soft
2008-03-30 22:39 716,272 ----a-w C:\WINDOWS\system32\drivers\sptd.sys
2008-03-29 21:16 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-29 11:25 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-03-28 14:49 155,995 ----a-w C:\WINDOWS\java\Packages\L3R7JNDB.ZIP
2008-03-25 17:29 --------- d-----w C:\Program Files\PacificPoker4
2008-03-23 16:29 --------- d-----w C:\Program Files\Java
2008-02-11 00:47 --------- d-----w C:\Program Files\SpeedFan
2008-01-18 01:09 499,712 ----a-w C:\WINDOWS\system32\msvcp71.dll
2008-01-18 01:09 348,160 ----a-w C:\WINDOWS\system32\msvcr71.dll
2008-01-16 01:13 502,272 ----a-w C:\WINDOWS\system32\winlogon.exe
2008-01-16 01:03 133,120 ----a-w C:\WINDOWS\system32\sfc_patch.dll
2008-01-16 01:03 133,120 ----a-w C:\WINDOWS\system32\sfc_os.dll
2008-01-14 23:51 315,392 ----a-w C:\WINDOWS\HideWin.exe
2008-01-14 23:50 15,600 ----a-w C:\WINDOWS\gdrv.sys
2007-12-24 13:49 7,680 ----a-w C:\WINDOWS\system32\ff_vfw.dll
2007-12-14 11:32 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2007-12-07 02:21 824,832 ----a-w C:\WINDOWS\system32\wininet.dll
2007-12-05 02:53 356,352 ----a-w C:\WINDOWS\system32\NVUNINST.EXE
2007-12-04 18:38 550,912 ----a-w C:\WINDOWS\system32\oleaut32.dll
2007-12-04 02:33 682,496 ----a-w C:\WINDOWS\system32\divx.dll
.

------- Sigcheck -------

2008-01-16 02:13 502272 6225f14b8ce08ccba8b25ad27843c674 C:\WINDOWS\system32\winlogon.exe
.
((((((((((((((((((((((((((((( snapshot@2008-03-31_18.42.53.15 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-03-31 17:34:15 71,512 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-03-31 23:09:59 71,512 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-03-31 17:34:15 441,954 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-03-31 23:09:59 441,954 ----a-w C:\WINDOWS\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-12 14:18 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2008-01-18 00:39 171448]
"AlcoholAutomount"="C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" [2008-03-30 18:31 4608]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"JMB36X IDE Setup"="C:\WINDOWS\JM\JMInsIDE.exe" [2006-10-30 13:44 36864]
"RTHDCPL"="RTHDCPL.EXE" [2007-04-12 10:33 16132608 C:\WINDOWS\RTHDCPL.exe]
"36X Raid Configurer"="C:\WINDOWS\system32\JMRaidSetup.exe" [2007-02-06 13:08 1953792]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-12-05 02:41 8523776]
"nwiz"="nwiz.exe" [2007-12-05 02:41 1626112 C:\WINDOWS\system32\nwiz.exe]
"PivotSoftware"="C:\Program Files\Portrait Displays\Pivot Software\wpctrl.exe" [2007-02-09 13:17 694008]
"DT HPW"="C:\Program Files\Portrait Displays\HP My Display\DTHtml.exe" [2007-04-25 13:36 280064]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 05:25 144784]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-12-05 02:41 81920]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-01-18 02:10 579072]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-12 14:18 15360]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-01-18 02:09 219136]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
USBKVM Switcher.lnk - C:\Program Files\USBKVM Switcher\USBKVM.exe [2008-03-08 18:30:42 184320]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ckpNotify]
ckpNotify.dll 2005-03-01 20:49 24672 C:\WINDOWS\system32\ckpNotify.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpCtr.exe"=
"C:\\Program Files\\Railroad Tycoon 2\\RT2.EXE"=
"C:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SR_Service.exe"=
"C:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SR_GUI.exe"=
"C:\\Program Files\\CheckPoint\\SecuRemote\\bin\\scc.exe"=
"C:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SR_SDS.exe"=
"C:\\Program Files\\CheckPoint\\SecuRemote\\bin\\SR_Diagnostics.exe"=
"C:\\Documents and Settings\\Dave\\Application Data\\Juniper Networks\\Juniper Terminal Services Client\\dsTermServ.exe"=
"C:\\WINDOWS\\system32\\ftp.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=

R1 Pivot;Pivot;C:\WINDOWS\system32\drivers\pivot.sys [2007-02-09 13:17]
R2 ANISERVICE;Airgo Networks NIC Service;C:\WINDOWS\System32\aniServ.exe [2004-08-11 13:00]
R2 Scap;SecureClient Application Policy Module;C:\WINDOWS\system32\DRIVERS\Scap.sys [2005-03-01 20:49]
R2 VPN-1;VPN-1 Module;C:\WINDOWS\system32\drivers\vpn.sys [2005-03-01 20:49]
R3 AWINDIS5;AWINDIS5 Protocol Driver;C:\WINDOWS\system32\AWINDIS5.SYS [2002-04-11 18:43]
R3 FW1;SecuRemote Miniport;C:\WINDOWS\system32\DRIVERS\fw.sys [2005-03-01 20:49]
S3 gdrv;gdrv;C:\WINDOWS\gdrv.sys [2008-01-15 00:50]
S3 mak810c;mak810c;C:\WINDOWS\system32\Drivers\mak810c.sys [2005-06-16 19:11]
S3 mak810m;mak810m;C:\WINDOWS\system32\Drivers\mak810m.sys [2005-06-16 19:13]
S3 mak810u;mak810u;C:\WINDOWS\system32\Drivers\mak810u.sys [2007-06-07 12:29]
S3 OMVA;VPN-1 SecureClient Adapter;C:\WINDOWS\system32\DRIVERS\OMVA.sys [2005-03-01 20:49]
S3 pivotmou;Pivot Mouse/Pointers Filter Driver;C:\WINDOWS\system32\drivers\pivotmou.sys [2007-02-09 13:17]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7e9cf79c-c2ff-11dc-9781-001a4d547696}]
\Shell\AutoRun\command - F:\setup.exe

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-01 00:17:27
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-04-01 0:17:46
ComboFix-quarantined-files.txt 2008-03-31 23:17:38
ComboFix2.txt 2008-03-31 17:43:02
Pre-Run: 140,608,712,704 bytes free
Post-Run: 140,595,089,408 bytes free
.
2008-03-31 15:19:13 --- E O F ---

#6 teacup61
  • Malware Response Team

Posted 31 March 2008 - 06:55 PM

Hello,

Always be wary of any poker programs. This is what you find when you research Pacific Poker, and that specific file: http://www.prevx.com/filenames/12590524110...CPOKER.EXE.html

The messenger isn't deleted. Rather it has been told it cannot pop up when you start your computer. You can start it up any time you wish. :blink:

Please delete ComboFix and its accompanying folder C:\Qoobox. Empty your Recycle bin and reboot your computer.

Your logs look good from this side, and I don't anticipate any troubles when you give it its run tomorrow. :thumbsup: Please do let me know!

Night night!
tea

#7 dmorison1
  • Topic Starter

Posted 01 April 2008 - 04:19 AM

Yeah I'm pretty sure Vundo is gone now - Computer running much better - no popups or slowing down etc. I have also done a search with Spybot and it revealed nothing other than tracking cookies, which is a great sign as well.

I must say it is a surprise and a disappointment that Pacific Poker is considered spyware. Though I checked the link you gave me, and it doesn't seem to be considered to do much worse than 'adding products to the registry' or 'running a process', so I'm not sure how dangerous it actually is... I have a fair bit of money in an account with them just now and I need to run their app just to get it back, so I hope it's not too dangerous!

Anyway, thanks for your swift, efficient help, bud. I left you $10 in your PayPal account; hope that's not an insult, cos I will almost certainly need the help of you or another of your team in the future :-)

Take care.

#8 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 01 April 2008 - 12:38 PM

Hi there,

Just be careful with the poker stuff. :thumbsup: I'm glad all is better, and thank you so much for the donation. No, it isn't an insult at all! I appreciate it very much. :blink:

http://mvps.org/winhelp2002/unwanted.htm

Regards,
tea

#9 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 04 April 2008 - 08:47 PM

Since this issue appears resolved ... this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.