Smitfraud, Vundo, Virtumundo
4 replies to this topic

#1 Eaglehorn (Members, 5 posts)

Posted 28 April 2008 - 05:49 PM

For the most part I think I've been able to purge the Vundo/Virtumundo from my computer through the use of specific removal tools. I have also used smitrem a number of times, both in normal and safe mode, but I still have that damn lingering Windows login picture that states "Warning! Spyware detected on your computer! Install an antivirus or spyware remover to clean your computer." and ideally I'd like for it and anything else that may be lingering from the above-mentioned malware to be completely purged.




Deckard's System Scanner v20071014.68
Run by Guylaine on 2008-04-28 18:39:41
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as Guylaine.exe) --------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:39:46, on 28/04/08
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\TEMP\2933.tmp
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\vssvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Documents and Settings\Guylaine.MARBI\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Guylaine.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe,
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {ccc4b3be-35ab-41c7-a7b5-e45083fe5e11} - C:\WINDOWS\system32\khfCtspO.dll (file missing)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [444fd731] rundll32.exe "C:\WINDOWS\system32\txmgdihp.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WMPNSCFG] "C:\Program Files\Windows Media Player\WMPNSCFG.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-18\..\Run: [kavir] C:\WINDOWS\kavir.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [kavir] C:\WINDOWS\kavir.exe (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = marbi.local
O17 - HKLM\Software\..\Telephony: DomainName = marbi.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = marbi.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = marbi.local
O20 - AppInit_DLLs:
O20 - Winlogon Notify: crypt - C:\WINDOWS\SYSTEM32\crypts.dll
O21 - SSODL: vadokmxt - {F1CA5145-21A4-4449-972C-FEF79E9A6D90} - C:\WINDOWS\vadokmxt.dll (file missing)
O23 - Service: AdobeActiveFileMonitor - Unknown owner - C:\WINDOWS\TEMP\cmds.exe (file missing)
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)
O23 - Service: ccEvtMgr - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: ccPwdSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: ccSetMgr - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: clr_optimization_v2.0.50727_32 - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Google Online Services - Unknown owner - C:\DOCUME~1\GUYLAI~1.MAR\LOCALS~1\Temp\1.EXE (file missing)
O23 - Service: IDriverT - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: mnmsrvc - Unknown owner - C:\WINDOWS\system32\mnmsrvc.exe
O23 - Service: PhotoshopElementsDeviceConnect - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe (file missing)
O23 - Service: Pml Driver HPZ12 - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)
O23 - Service: RasMan - Unknown owner - C:\WINDOWS\TEMP\cmds.exe (file missing)
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: System Restore Service srserviceDhcp (srservicedhcp) - Unknown owner - C:\WINDOWS\
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Distributed Link Tracking Client TrkWksclr_optimization_v2.0.50727_32 (trkwksclr_optimization_v2.0.50727_32) - Unknown owner - C:\Documents and Settings\Guylaine.MARBI\Desktop\swas555.exe (file missing)

--
End of file - 6448 bytes

-- Files created between 2008-03-28 and 2008-04-28 -----------------------------

2008-04-28 18:25:45 0 d-------- C:\Program Files\Trend Micro
2008-04-28 12:36:09 0 d-------- C:\VundoFix Backups
2008-04-28 09:04:38 95296 --a------ C:\WINDOWS\system32\txmgdihp.dll
2008-04-23 13:11:30 1688 --a------ C:\WINDOWS\system32\tmp.reg
2008-04-23 13:10:59 25600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-04-23 13:10:59 86528 --a------ C:\WINDOWS\system32\VACFix.exe <Not Verified; S!Ri.URZ; VACFix>
2008-04-23 13:10:59 82944 --a------ C:\WINDOWS\system32\IEDFix.exe <Not Verified; S!Ri.URZ; IEDFix>
2008-04-23 13:10:59 82944 --a------ C:\WINDOWS\system32\404Fix.exe <Not Verified; S!Ri.URZ; IEDFix>
2008-04-23 13:10:58 289144 --a------ C:\WINDOWS\system32\VCCLSID.exe <Not Verified; S!Ri; >
2008-04-23 13:10:58 288417 --a------ C:\WINDOWS\system32\SrchSTS.exe <Not Verified; S!Ri; SrchSTS>
2008-04-23 13:10:58 53248 --a------ C:\WINDOWS\system32\Process.exe <Not Verified; http://www.beyondlogic.org; Command Line Process Utility>
2008-04-23 13:10:58 51200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-04-23 13:02:42 0 --a------ C:\WINDOWS\system32\dllgh8jkd1q8.exe
2008-04-23 12:57:14 0 d-------- C:\Documents and Settings\Administrator.MARBI.000\Application Data\Mozilla
2008-04-23 12:19:30 192512 --a------ C:\Documents and Settings\Guylaine.MARBI\cbOCR.dll <Not Verified; TODO: <Company name>; TODO: <Product name>>
2008-04-23 12:12:18 131584 --a------ C:\WINDOWS\kavir.exe
2008-04-23 10:53:53 192512 --a------ C:\WINDOWS\system32\cbOCR.dll <Not Verified; TODO: <Company name>; TODO: <Product name>>
2008-04-23 09:38:00 210027 --ahs---- C:\WINDOWS\system32\OpstCfhk.ini2
2008-04-23 09:34:27 229220 --a------ C:\WINDOWS\system32\swas527.exe
2008-04-23 09:34:18 0 dr------- C:\Documents and Settings\LocalService\Favorites
2008-04-23 09:19:26 0 dr------- C:\Documents and Settings\NetworkService\Favorites
2008-04-23 09:00:30 102400 --a------ C:\WINDOWS\olgdqarf.exe
2008-04-23 09:00:16 160256 --a------ C:\WINDOWS\system32\blackster.scr <Not Verified; Peter's Productions; Bugs!>
2008-04-23 02:36:30 4380 --a------ C:\WINDOWS\system32\swas529.exe
2008-04-23 02:35:45 37888 --a------ C:\WINDOWS\system32\swas555.exe
2008-04-22 22:07:00 268660 --a------ C:\WINDOWS\system32\swas550.exe
2008-04-22 15:42:25 48585 --a------ C:\WINDOWS\system32\adsmsexte.sys
2008-04-22 15:42:21 23040 --ahs---- C:\WINDOWS\system32\adptifa.dll
2008-04-22 15:41:05 221 --a-s---- C:\WINDOWS\system32\4257834869.dat
2008-04-22 15:41:02 37888 -rahs---- C:\WINDOWS\system32\appmgmtsg.exe
2008-04-22 14:40:33 9728 --a------ C:\WINDOWS\system32\swas534.exe
2008-04-22 14:40:14 4380 --a------ C:\WINDOWS\system32\swas532.exe
2008-04-22 14:39:46 4380 --a------ C:\WINDOWS\system32\swas463.exe
2008-04-22 14:33:26 46111 --a------ C:\WINDOWS\ctfmon.exe
2008-04-22 14:32:03 2 --a------ C:\1146083230
2008-04-22 14:31:55 30208 --a------ C:\WINDOWS\system32\crypts.dll


-- Find3M Report ---------------------------------------------------------------

2008-04-28 18:36:59 0 d-------- C:\Program Files\Symantec AntiVirus
2008-04-23 09:52:06 8704 --a------ C:\WINDOWS\system32\netdde.exe
2008-04-23 09:50:55 8704 --a------ C:\WINDOWS\system32\mnmsrvc.exe
2008-04-17 15:34:00 21208 --a------ C:\Documents and Settings\Guylaine.MARBI\Application Data\GDIPFONTCACHEV1.DAT


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ccc4b3be-35ab-41c7-a7b5-e45083fe5e11}]
C:\WINDOWS\system32\khfCtspO.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [02/06/05 10:21]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [23/06/05 20:27]
"444fd731"="C:\WINDOWS\system32\txmgdihp.dll" [28/04/08 09:04]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [04/08/04 08:00]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [18/10/06 20:05]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [13/10/04 12:24]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"kavir"=C:\WINDOWS\kavir.exe

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [04/10/04 02:12:18]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [23/09/05 23:05:26]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [13/02/01 02:01:04]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=0 (0x0)
"NoColorChoice"=0 (0x0)
"NoSizeChoice"=0 (0x0)
"NoDispScrSavPage"=0 (0x0)
"NoDispCPL"=0 (0x0)
"NoVisualStyleChoice"=0 (0x0)
"NoDispSettingsPage"=0 (0x0)
"NoDispAppearancePage"=0 (0x0)
"NoDispBackgroundPage"=0 (0x0)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoActiveDesktopChanges"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoActiveDesktop"=0 (0x0)
"NoSaveSettings"=0 (0x0)
"NoThemesTab"=0 (0x0)
"ForceActiveDesktopOn"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"vadokmxt"= {F1CA5145-21A4-4449-972C-FEF79E9A6D90} - C:\WINDOWS\vadokmxt.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe,"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\crypt]
crypts.dll 22/04/08 14:31 30208 C:\WINDOWS\system32\crypts.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Cpu32.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\dxk41.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\egj40.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\iln28.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\lqg10.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mwt10.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\nsd02.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\omt34.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Orl14.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\pfr25.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\rej22.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sxs31.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\tvv82.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Umm33.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vvl44.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\who47.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\xfi55.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\yhr16.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\444fd731]
rundll32.exe "C:\WINDOWS\system32\nhbsohde.dll",b

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\advap32]
c:\48E.tmp/r

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Cmaudio]
RunDll32 cmicnfg.cpl,CMICtrlWnd

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmona]
C:\WINDOWS\system32\ctfmona.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\delayload]
C:\WINDOWS\TEMP\msprint.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ituneshelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msmsgs]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\quicktime task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\sis windows keyhook]
C:\WINDOWS\system32\keyhook.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\sisusbrg]
C:\WINDOWS\SiSUSBrg.exe




-- End of Deckard's System Scanner: finished at 2008-04-28 18:40:14 ------------
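As an added triage example (this is not a tool from this thread, from BleepingComputer or from HijackThis, and the rule names and severities are my own choices): the HijackThis section of the log above shows the classic Vundo/Smitfraud load points in one place: a Userinit value chained with a second executable (the F2 line), a Run value under the SYSTEM and Default User hives (O4 HKUS\S-1-5-18 and HKUS\.DEFAULT), a Winlogon Notify DLL (O20), an SSODL entry (O21), and services whose binary sits in C:\WINDOWS\TEMP (O23). The Python below parses lines in that format and flags those patterns. The sample lines are constructed copies in the same shape as the log; the "(file missing)" rule is deliberately only "review" because, as in this thread, orphaned entries are often leftovers of an earlier partial cleanup rather than live malware.

```python
"""Triage of HijackThis-style autostart log lines (added example, not a HijackThis tool)."""
import re
from dataclasses import dataclass

# Constructed sample, modelled on the HijackThis section of the log in this thread.
SAMPLE_LOG = [
    r"F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe,",
    r"O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll",
    r"O2 - BHO: (no name) - {ccc4b3be-35ab-41c7-a7b5-e45083fe5e11} - C:\WINDOWS\system32\khfCtspO.dll (file missing)",
    r'O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"',
    r'O4 - HKLM\..\Run: [444fd731] rundll32.exe "C:\WINDOWS\system32\txmgdihp.dll",b',
    r"O4 - HKUS\S-1-5-18\..\Run: [kavir] C:\WINDOWS\kavir.exe (User 'SYSTEM')",
    r"O20 - Winlogon Notify: crypt - C:\WINDOWS\SYSTEM32\crypts.dll",
    r"O21 - SSODL: vadokmxt - {F1CA5145-21A4-4449-972C-FEF79E9A6D90} - C:\WINDOWS\vadokmxt.dll (file missing)",
    r"O23 - Service: AdobeActiveFileMonitor - Unknown owner - C:\WINDOWS\TEMP\cmds.exe (file missing)",
    r"O23 - Service: ccEvtMgr - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe",
    r"O23 - Service: RasMan - Unknown owner - C:\WINDOWS\TEMP\cmds.exe (file missing)",
]

# Every HijackThis entry is "<section> - <body>", e.g. "O23 - Service: ...".
ENTRY_RE = re.compile(r"^(?P<kind>[A-Z]\d+) - (?P<body>.*)$")


@dataclass
class Finding:
    severity: str   # "high" or "review"
    hits: list      # names of the rules that matched, with optional detail
    line: str       # the original log line


def userinit_extras(body):
    """Return every executable chained after the default userinit.exe in a Userinit value.

    The only legitimate content is "<systemroot>\\system32\\userinit.exe,"; anything
    appended (here ntos.exe) is started by winlogon at every interactive logon.
    """
    _, _, value = body.partition("UserInit=")
    parts = [p.strip() for p in value.split(",") if p.strip()]
    return [p for p in parts if not p.lower().endswith(r"\system32\userinit.exe")]


# Rule predicates return a truthy value when the line matches; a string is kept as detail.
def _userinit_chain(kind, body):
    if kind != "F2" or "userinit=" not in body.lower():
        return None
    extras = userinit_extras(body)
    return "chained: " + ", ".join(extras) if extras else None


def _service_in_temp(kind, body):
    # A service binary under any \Temp\ directory is never a vendor install.
    return kind == "O23" and re.search(r"\\temp\\", body, re.I) is not None


def _system_hive_run(kind, body):
    # Run values for the SYSTEM (S-1-5-18) or Default User hive fire before any user logs on.
    low = body.lower()
    return kind == "O4" and (r"hkus\s-1-5-18" in low or r"hkus\.default" in low)


def _hex_value_name(kind, body):
    # Vundo variants name their Run value with 8 random hex digits, e.g. [444fd731].
    return kind == "O4" and re.search(r"\[([0-9a-f]{8})\]", body) is not None


def _orphaned(kind, body):
    # Registry points at a file that is gone: stale after cleanup, or hidden from the scanner.
    return "(file missing)" in body.lower()


def _winlogon_notify(kind, body):
    # Winlogon Notify packages load a DLL into winlogon.exe; rare enough to list every one.
    return kind == "O20" and body.lower().startswith("winlogon notify:")


def _ssodl(kind, body):
    # ShellServiceObjectDelayLoad entries load a COM DLL into Explorer at shell start.
    return kind == "O21"


RULES = [
    ("userinit-chain", "high", _userinit_chain),
    ("service-in-temp", "high", _service_in_temp),
    ("system-hive-run", "high", _system_hive_run),
    ("hex-value-name", "review", _hex_value_name),
    ("orphaned-entry", "review", _orphaned),
    ("winlogon-notify", "review", _winlogon_notify),
    ("ssodl", "review", _ssodl),
]


def triage(lines):
    """Run every rule over every parsable log line; one Finding per flagged line."""
    findings = []
    for raw in lines:
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue  # headers, process list, blank lines
        kind, body = m.group("kind"), m.group("body")
        hits, severity = [], "review"
        for name, sev, pred in RULES:
            detail = pred(kind, body)
            if detail:
                hits.append(name if detail is True else f"{name} ({detail})")
                if sev == "high":
                    severity = "high"
        if hits:
            findings.append(Finding(severity, hits, raw))
    return findings


if __name__ == "__main__":
    import sys
    source = open(sys.argv[1], encoding="latin-1").read().splitlines() if len(sys.argv) > 1 else SAMPLE_LOG
    for f in triage(source):
        print(f"[{f.severity:6}] {', '.join(f.hits)}\n         {f.line}")
```

Run with a saved log as the first argument to triage it, or with no argument to run over the constructed sample; on the sample it flags eight of the eleven lines, four of them "high" (the Userinit chain, the SYSTEM-hive Run value, and the two services pointing into C:\WINDOWS\TEMP). The rules only look at the shape of the entry, not at file hashes or vendor signatures, so a clean "review" list still needs the eyes of a helper like the one replying below.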


#2 Rahina (Security Helper, Members, 681 posts, Finland)

Posted 06 May 2008 - 02:12 AM

Hello! Let us get your system cleaned up!

Please download Malwarebytes' Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
  • Double-click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • If you have trouble with the update process, please download the latest updates here.
  • Double-click the mbam-rules.exe file on your desktop and let it update the application.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to restart. (see extra note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Please copy and paste the entire report in your next reply. :thumbsup:
Extra note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

=============

Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:
  • Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
  • Click Yes to allow ComboFix to continue scanning for malware.
When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt
New HijackThis log.


#3 Eaglehorn (Topic Starter)

Posted 06 May 2008 - 12:43 PM

Malwarebytes' Anti-Malware 1.12
Database version: 724

Scan type: Quick Scan
Objects scanned: 46008
Time elapsed: 5 minute(s), 43 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 1
Registry Keys Infected: 22
Registry Values Infected: 4
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 30

Memory Processes Infected:
c:\WINDOWS\Temp\F34D.tmp (Trojan.Downloader) -> Unloaded process successfully.

Memory Modules Infected:
C:\WINDOWS\system32\crypts.dll (Trojan.Agent) -> Unloaded module successfully.

Registry Keys Infected:
HKEY_CLASSES_ROOT\Typelib\{d9c28083-e28d-4ab3-b109-82758b1b484c} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\clr_optimization_v2.0.50727_32 (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\clr_optimization_v2.0.50727_32 (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\clr_optimization_v2.0.50727_32 (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\mnmsrvc (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\mnmsrvc (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mnmsrvc (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\netdde (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\netdde (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\netdde (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\netddedsdm (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\netddedsdm (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\netddedsdm (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Google Online Services (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Software Notifier (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kavir (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{a6c54318-5ac7-477d-b0a7-49af5189300c} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\UID (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\vadokmxt (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\WINDOWS\Temp\F34D.tmp (Trojan.Downloader) -> Delete on reboot.
C:\WINDOWS\kavir.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\adptifa.dll (Backdoor.Bifrose) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\alg.exe.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\blackster.scr (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\cbOCR.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\cisvc.exe.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\coco.exe.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ctfmonb.bmp (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\mnmsrvc.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\netdde.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\swas463.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\swas532.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\swas550.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\2933.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\50B1.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\A5C1.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\CBA4.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\E529.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Guylaine.MARBI\Local Settings\Temporary Internet Files\Content.IE5\164HF25J\wssl62_a[1].exe (Trojan.Downloader) -> Delete on reboot.
C:\Documents and Settings\Guylaine.MARBI\cbOCR.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\crypts.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\nivavir.config (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\rs.txt (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\dllgh8jkd1q8.exe (Heuristics.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\olgdqarf.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\vx.tll (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\svchost.t__ (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.
C:\WINDOWS\ctfmon.exe (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.

#4 Eaglehorn (Topic Starter)

Posted 06 May 2008 - 01:07 PM

ComboFix 08-05-01.3 - Guylaine 2008-05-06 13:58:13.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.627 [GMT -4:00]
Running from: C:\Documents and Settings\Guylaine.MARBI\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\edhosbhn.ini
C:\WINDOWS\system32\hxjsgrvy.ini
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\mstfqvdt.ini
C:\WINDOWS\system32\nvapnonp.ini
C:\WINDOWS\system32\OpstCfhk.ini
C:\WINDOWS\system32\OpstCfhk.ini2
C:\WINDOWS\system32\phidgmxt.ini

----- BITS: Possible infected sites -----

hxxp://flyvideonetwork.com
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_lptrdcsrv


((((((((((((((((((((((((( Files Created from 2008-04-06 to 2008-05-06 )))))))))))))))))))))))))))))))
.

2008-05-06 12:42 . 2008-05-06 12:42 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-05-06 12:42 . 2008-05-06 12:42 <DIR> d-------- C:\Documents and Settings\Guylaine.MARBI\Application Data\Malwarebytes
2008-05-06 12:42 . 2008-05-06 12:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-05-06 12:42 . 2008-05-05 20:46 27,048 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-05-06 12:42 . 2008-05-05 20:46 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-04-28 18:25 . 2008-04-28 18:25 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-28 18:24 . 2008-04-28 18:24 <DIR> d-------- C:\Deckard
2008-04-28 12:36 . 2008-04-28 12:49 <DIR> d-------- C:\VundoFix Backups
2008-04-23 13:11 . 2008-04-23 13:17 1,688 --a------ C:\WINDOWS\system32\tmp.reg
2008-04-23 13:10 . 2007-09-06 00:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-04-23 13:10 . 2006-04-27 17:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-04-23 13:10 . 2008-04-14 19:28 86,528 --a------ C:\WINDOWS\system32\VACFix.exe
2008-04-23 13:10 . 2008-04-23 08:12 82,944 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-04-23 13:10 . 2008-04-23 08:12 82,944 --a------ C:\WINDOWS\system32\404Fix.exe
2008-04-23 13:10 . 2003-06-05 21:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-04-23 13:10 . 2004-07-31 18:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-04-23 13:10 . 2007-10-04 00:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-04-23 12:11 . 2008-04-23 12:11 151,552 --a------ C:\51.tmp
2008-04-23 12:11 . 2008-04-23 12:11 9,728 --a------ C:\53.tmp
2008-04-23 12:11 . 2008-04-23 12:11 9,728 --a------ C:\52.tmp
2008-04-23 12:11 . 2008-04-23 12:11 0 --a------ C:\56.tmp
2008-04-23 12:11 . 2008-04-23 12:11 0 --a------ C:\54.tmp
2008-04-23 12:09 . 2008-04-23 12:10 151,552 --a------ C:\3A.tmp
2008-04-23 12:08 . 2008-04-23 12:08 0 --a------ C:\1E.tmp
2008-04-23 12:08 . 2008-04-23 12:08 0 --a------ C:\1D.tmp
2008-04-23 12:08 . 2008-04-23 12:08 0 --a------ C:\1C.tmp
2008-04-23 12:08 . 2008-04-23 12:08 0 --a------ C:\1B.tmp
2008-04-23 12:08 . 2008-04-23 12:08 0 --a------ C:\1A.tmp
2008-04-23 12:08 . 2008-04-23 12:08 0 --a------ C:\19.tmp
2008-04-23 12:08 . 2008-04-23 12:08 0 --a------ C:\18.tmp
2008-04-23 12:07 . 2008-04-23 12:07 0 --a------ C:\F.tmp
2008-04-23 12:07 . 2008-04-23 12:07 0 --a------ C:\E.tmp
2008-04-23 12:07 . 2008-04-23 12:07 0 --a------ C:\D.tmp
2008-04-23 12:07 . 2008-04-23 12:07 0 --a------ C:\C.tmp
2008-04-23 12:07 . 2008-04-23 12:07 0 --a------ C:\16.tmp
2008-04-23 12:07 . 2008-04-23 12:07 0 --a------ C:\15.tmp
2008-04-23 12:07 . 2008-04-23 12:07 0 --a------ C:\14.tmp
2008-04-23 12:07 . 2008-04-23 12:07 0 --a------ C:\13.tmp
2008-04-23 12:07 . 2008-04-23 12:07 0 --a------ C:\12.tmp
2008-04-23 12:07 . 2008-04-23 12:07 0 --a------ C:\10.tmp
2008-04-23 09:34 . 2008-04-23 09:34 229,220 --a------ C:\WINDOWS\system32\swas527.exe
2008-04-23 02:36 . 2008-04-23 09:34 4,380 --a------ C:\WINDOWS\system32\swas529.exe
2008-04-23 02:35 . 2008-04-23 02:35 37,888 --a------ C:\WINDOWS\system32\swas555.exe
2008-04-22 15:42 . 2008-04-22 15:42 48,585 --a------ C:\WINDOWS\system32\adsmsexte.sys
2008-04-22 15:41 . 2008-04-22 15:40 37,888 -rahs---- C:\WINDOWS\system32\appmgmtsg.exe
2008-04-22 15:41 . 2008-04-23 02:36 221 --a-s---- C:\WINDOWS\system32\4257834869.dat
2008-04-22 14:40 . 2008-04-22 14:40 9,728 --a------ C:\WINDOWS\system32\swas534.exe
2008-04-22 14:38 . 2008-04-23 09:00 17 --a------ C:\WINDOWS\system32\verifier32list.cpl
2008-04-22 14:32 . 2008-04-22 14:32 55,296 --a------ C:\48A.tmp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-06 18:01 --------- d-----w C:\Program Files\Symantec AntiVirus
2008-04-17 19:34 21,208 ----a-w C:\Documents and Settings\Guylaine.MARBI\Application Data\GDIPFONTCACHEV1.DAT
.

------- Sigcheck -------

2005-05-25 15:07 359936 63fdfea54eb53de2d863ee454937ce1e C:\WINDOWS\$hf_mig$\KB893066\SP2QFE\tcpip.sys
2006-01-13 13:07 360448 5562cc0a47b2aef06d3417b733f3c195 C:\WINDOWS\$hf_mig$\KB913446\SP2QFE\tcpip.sys
2006-04-20 08:18 360576 b2220c618b42a2212a59d91ebd6fc4b4 C:\WINDOWS\$hf_mig$\KB917953\SP2QFE\tcpip.sys
2007-10-30 12:53 360832 64798ecfa43d78c7178375fcdd16d8c8 C:\WINDOWS\$hf_mig$\KB941644\SP2QFE\tcpip.sys
2004-08-04 08:00 359040 9f4b36614a0fc234525ba224957de55c C:\WINDOWS\$NtUninstallKB893066$\tcpip.sys
2005-05-25 15:04 359808 88763a98a4c26c409741b4aa162720c9 C:\WINDOWS\$NtUninstallKB913446$\tcpip.sys
2006-01-12 22:28 359808 583e063fdc888ca30d05c2724b0d7ef4 C:\WINDOWS\$NtUninstallKB917953$\tcpip.sys
2006-04-20 07:51 359808 1dbf125862891817f374f407626967f4 C:\WINDOWS\$NtUninstallKB941644$\tcpip.sys
2007-10-30 13:20 360064 ecf02439fd31bbd0dbc2ec05600cf08a C:\WINDOWS\system32\dllcache\tcpip.sys
2007-10-30 13:20 360064 ecf02439fd31bbd0dbc2ec05600cf08a C:\WINDOWS\system32\drivers\tcpip.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ccc4b3be-35ab-41c7-a7b5-e45083fe5e11}]
C:\WINDOWS\system32\khfCtspO.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 08:00 15360]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 20:05 204288]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24 1694208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2005-06-02 10:21 48752]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2005-06-23 20:27 85696]
"444fd731"="C:\WINDOWS\system32\txmgdihp.dll" [ ]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2004-10-04 02:12:18 113664]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 23:05:26 29696]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 02:01:04 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Cpu32.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\dxk41.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\egj40.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\iln28.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\lqg10.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mwt10.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\nsd02.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\omt34.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Orl14.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\pfr25.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\rej22.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sxs31.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\tvv82.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Umm33.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vvl44.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\who47.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\xfi55.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\yhr16.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\444fd731]
C:\WINDOWS\system32\nhbsohde.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\advap32]
c:\48E.tmp/r

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Cmaudio]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 08:00 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmona]
C:\WINDOWS\system32\ctfmona.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\delayload]
C:\WINDOWS\TEMP\msprint.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ituneshelper]
--a------ 2006-06-14 16:24 278528 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msmsgs]
--a------ 2004-10-13 12:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\quicktime task]
--a------ 2006-07-24 09:34 282624 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\sis windows keyhook]
--a------ 2004-02-13 06:46 241664 C:\WINDOWS\system32\keyhook.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\sisusbrg]
--a------ 2002-07-12 06:15 106496 C:\WINDOWS\SiSUSBrg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R3 EraserUtilDrv10741;EraserUtilDrv10741;C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilDrv10741.sys [2008-03-18 04:00]
S0 dxk41;dxk41;C:\WINDOWS\system32\Drivers\Dxk41.sys []
S0 mwt10;mwt10;C:\WINDOWS\system32\Drivers\Mwt10.sys []
S0 nsd02;nsd02;C:\WINDOWS\system32\Drivers\Nsd02.sys []
S0 Orl14;Orl14;C:\WINDOWS\system32\Drivers\Orl14.sys []
S0 tvv82;tvv82;C:\WINDOWS\system32\Drivers\Tvv82.sys []
S0 Umm33;Umm33;C:\WINDOWS\system32\Drivers\Umm33.sys []
S0 vvl44;vvl44;C:\WINDOWS\system32\Drivers\Vvl44.sys []
S0 who47;who47;C:\WINDOWS\system32\Drivers\Who47.sys []
S0 yhr16;yhr16;C:\WINDOWS\system32\Drivers\Yhr16.sys []
S2 AdobeActiveFileMonitor;AdobeActiveFileMonitor;C:\WINDOWS\TEMP\cmds.exe []
S2 PhotoshopElementsDeviceConnect;PhotoshopElementsDeviceConnect;C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe []
S2 trkwksclr_optimization_v2.0.50727_32;Distributed Link Tracking Client TrkWksclr_optimization_v2.0.50727_32;C:\Documents and Settings\Guylaine.MARBI\Desktop\swas555.exe []

.
Contents of the 'Scheduled Tasks' folder
"2008-05-06 18:01:21 C:\WINDOWS\Tasks\Guylaine2.job"
- C:\WINDOWS\system32\ntbackup.exeRbackup
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-06 14:01:30
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\srservicedhcp]
"ImagePath"="%|x\01\0b srv"
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\WINDOWS\system32\vssvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\msdtc.exe
.
**************************************************************************
.
Completion time: 2008-05-06 14:05:50 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-06 18:05:47

Pre-Run: 68,060,545,024 bytes free
Post-Run: 68,042,563,584 bytes free

228 --- E O F --- 2008-04-14 21:06:26

#5 Rahina

Rahina

    Security Helper


  • Members
  • 681 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Finland
  • Local time:12:57 PM

Posted 06 May 2008 - 02:04 PM

Close/disable all anti-virus and anti-malware programs temporarily so they do not interfere with the running of ComboFix.

How to disable realtime protection: http://www.bleepingcomputer.com/forums/t/114351/how-to-temporarily-disable-your-anti-virus-firewall-and-anti-malware-programs/

Open Notepad and copy/paste the text in the quotebox below into it (please make sure you copy everything in the code box):

Driver::
dxk41
mwt10
nsd02
Orl14
tvv82
Umm33
vvl44
who47
yhr16

File::
C:\WINDOWS\system32\Drivers\Dxk41.sys
C:\WINDOWS\system32\Drivers\Mwt10.sys
C:\WINDOWS\system32\Drivers\Nsd02.sys
C:\WINDOWS\system32\Drivers\Orl14.sys
C:\WINDOWS\system32\Drivers\Tvv82.sys
C:\WINDOWS\system32\Drivers\Umm33.sys
C:\WINDOWS\system32\Drivers\Vvl44.sys
C:\WINDOWS\system32\Drivers\Who47.sys
C:\WINDOWS\system32\Drivers\Yhr16.sys
C:\WINDOWS\TEMP\msprint.exe
C:\WINDOWS\system32\ctfmona.exe
C:\WINDOWS\system32\nhbsohde.dll
c:\48E.tmp
C:\WINDOWS\system32\khfCtspO.dll
C:\WINDOWS\system32\txmgdihp.dll
C:\WINDOWS\system32\swas527.exe
C:\WINDOWS\system32\swas529.exe
C:\WINDOWS\system32\swas555.exe
C:\WINDOWS\system32\adsmsexte.sys
C:\WINDOWS\system32\swas534.exe
C:\WINDOWS\system32\verifier32list.cpl

Folder::
C:\1E.tmp
C:\1D.tmp
C:\1C.tmp
C:\1B.tmp
C:\1A.tmp
C:\19.tmp
C:\18.tmp
C:\F.tmp
C:\E.tmp
C:\D.tmp
C:\C.tmp
C:\16.tmp
C:\15.tmp
C:\14.tmp
C:\13.tmp
C:\12.tmp
C:\10.tmp
C:\51.tmp
C:\53.tmp
C:\52.tmp
C:\56.tmp
C:\54.tmp
C:\3A.tmp

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000000
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\delayload]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmona]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Cpu32.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\dxk41.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\egj40.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\iln28.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\lqg10.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mwt10.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\nsd02.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\omt34.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Orl14.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\pfr25.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\rej22.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sxs31.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\tvv82.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Umm33.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vvl44.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\who47.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\xfi55.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\yhr16.sys]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\444fd731]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\advap32]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ccc4b3be-35ab-41c7-a7b5-e45083fe5e11}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"444fd731"=-

==========

Please go to www.virustotal.com

Please go Here to see how to show hidden files in windows.

Click "browse" button and search for this file:

C:\WINDOWS\system32\appmgmtsg.exe

Click submit.

Let me know the results good or bad.

In your next reply please add Virustotal results & Combofix logfile, located here C:\Combofix.txt

By the way, remember to turn your realtime protection back on after ComboFix has finished.

Cheers
[ Antivirus ] [ Firewall ] [ Spywareblaster ] [ Malwarebytes Anti-Malware ] [ Windows update ] [ Firefox ] [ WinPatrol ] [ ATF Cleaner ]




