Suspected Virtumonde Infection


This topic is locked
2 replies to this topic

#1 zacharyc


Posted 15 May 2008 - 09:12 PM

Hello, I am a poor PC user in distress, and I would be very grateful for any help.

Late last night my IE7 began to pop up ads that were clearly not tied to the pages I was loading, and then eventually kept prompting me to download fake anti-spyware. I usually use Firefox but it began to act oddly too... for example I could load the Google/Yahoo homepage but not complete a search.

I scanned with Symantec and Adaware, both reported a virtumonde infection. I allowed each program to "fix" the infection. They now both show a clean computer, however, opening IE7 now causes a buffer overrun with crashed explorer.exe, but Firefox is working much better. IE doesn't itself crash, but it does continue to pop up and redirect me.

I am at my wit's end with this. I have completed the 5 steps so far, and have run the dss.exe with the newest hijackthis.exe. However it did not give me an extras.txt for some reason. I am posting the main.txt.

I am not sure what to do from here. I would be grateful for any advice. I have loaded the XP restore software into combofix, and will use it if that is the best solution.

Thank you in advance.

Deckard's System Scanner v20071014.68
Run by Apollo on 2008-05-15 20:58:45
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as Apollo.exe) ----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:58, on 2008-05-15
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WMP54Gv4.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\PROGRA~1\MICROI~1\INTERN~1\KEMailKb.EXE
C:\PROGRA~1\MICROI~1\INTERN~1\KPDrv4XP.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Logitech\QuickCam\Quickcam.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Documents and Settings\Apollo\My Documents\Downloads\Torrents\yodm3d_v14\Yodm3D.exe
C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Documents and Settings\Apollo\Desktop\dss.exe
C:\PROGRA~1\HIJACK~1\Apollo.exe

O2 - BHO: (no name) - {6C23AB0C-0244-4B01-8253-BEE724D0D2EC} - C:\WINDOWS\system32\ssqQkLCS.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: {cd9675a1-f594-3cc9-2224-9ae9cbfa639a} - {a936afbc-9ea9-4222-9cc3-495f1a5769dc} - C:\WINDOWS\system32\gxhqiaky.dll
O2 - BHO: (no name) - {D4F4B85E-ED11-4738-9E0E-AC2FAF0E243E} - C:\WINDOWS\system32\opnlihgF.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [WinSys2] C:\WINDOWS\system32\winsys2.exe
O4 - HKLM\..\Run: [KEMailKb] C:\PROGRA~1\MICROI~1\INTERN~1\KEMailKb.EXE
O4 - HKLM\..\Run: [KPDrv4XP] C:\PROGRA~1\MICROI~1\INTERN~1\KPDrv4XP.EXE
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam\Quickcam.exe" /hide
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yodm3D] C:\Documents and Settings\Apollo\My Documents\Downloads\Torrents\yodm3d_v14\Yodm3D.exe
O4 - HKCU\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear
O4 - Startup: Stardock ObjectDock.lnk = C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1206568423000
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: ssqQkLCS - C:\WINDOWS\SYSTEM32\ssqQkLCS.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: WMP54Gv4SVC - GEMTEKS - C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe

--
End of file - 6549 bytes

-- Files created between 2008-04-15 and 2008-05-15 -----------------------------

2008-05-15 19:09:20 0 d-------- C:\cmdcons
2008-05-15 19:08:20 68096 --a------ C:\WINDOWS\zip.exe
2008-05-15 19:08:20 49152 --a------ C:\WINDOWS\VFind.exe
2008-05-15 19:08:20 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-05-15 19:08:20 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-05-15 19:08:20 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-05-15 19:08:20 98816 --a------ C:\WINDOWS\sed.exe
2008-05-15 19:08:20 80412 --a------ C:\WINDOWS\grep.exe
2008-05-15 19:08:20 73728 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-05-15 19:06:51 1916350 --a------ C:\ComboFix.exe
2008-05-15 18:38:49 0 d-------- C:\Documents and Settings\Apollo\Application Data\Opera
2008-05-15 18:38:24 0 d-------- C:\Program Files\Opera
2008-05-15 18:26:48 0 d-------- C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
2008-05-15 18:00:17 0 d-------- C:\Program Files\Windows Live Safety Center
2008-05-15 17:06:26 0 d-------- C:\Program Files\Lavasoft
2008-05-15 17:05:17 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-05-15 15:37:19 133120 --a------ C:\WINDOWS\system32\gxhqiaky.dll
2008-05-15 15:28:19 116736 --a------ C:\WINDOWS\system32\bsjwyakr.dll
2008-05-15 15:25:19 125952 --a------ C:\WINDOWS\system32\luqivebv.dll
2008-05-15 03:56:19 0 d-------- C:\Documents and Settings\Apollo\Application Data\VirtuaWin
2008-05-15 03:22:18 1392679 --ahs---- C:\WINDOWS\system32\Fghilnpo.ini2
2008-05-15 03:22:13 370688 --a------ C:\WINDOWS\system32\opnlihgF.dll
2008-05-15 02:24:52 218716 --a------ C:\WINDOWS\system32\cbXRlmki.dll
2008-05-15 02:17:51 2560 --a------ C:\WINDOWS\_MSRSTRT.EXE
2008-05-15 02:15:46 57344 --a------ C:\WINDOWS\system32\ssqQkLCS.dll
2008-05-14 23:53:18 7840 --a------ C:\WINDOWS\system32\mcdmsg2.dll
2008-05-14 23:43:52 0 d-------- C:\Program Files\Object Desktop
2008-05-14 23:40:16 0 d-------- C:\Program Files\Common Files\Stardock
2008-05-14 23:33:59 20480 --a------ C:\WINDOWS\system32\wbload.dll
2008-05-14 23:33:58 0 d-------- C:\Program Files\Stardock
2008-05-13 22:17:07 0 d-------- C:\Program Files\Valve
2008-05-13 14:35:37 48 --ah----- C:\WINDOWS\system32\ezsidmv.dat
2008-05-13 14:35:37 0 d-------- C:\Documents and Settings\Apollo\Application Data\skypePM
2008-05-13 14:34:37 0 d-------- C:\Documents and Settings\Apollo\Application Data\Skype
2008-05-13 14:34:21 0 d-------- C:\Program Files\Skype
2008-05-13 14:34:21 0 d-------- C:\Program Files\Common Files\Skype
2008-05-13 14:34:16 0 d-------- C:\Documents and Settings\All Users\Application Data\Skype
2008-05-13 14:06:03 0 d-------- C:\Program Files\Common Files\GTK
2008-05-13 13:54:57 0 d-------- C:\Documents and Settings\All Users\Application Data\Logishrd
2008-05-13 13:54:54 0 d-------- C:\Program Files\Common Files\LogiShrd
2008-05-13 13:54:53 0 d-------- C:\Program Files\Logitech
2008-05-13 13:54:53 0 d-------- C:\Documents and Settings\All Users\Application Data\Logitech
2008-05-13 09:52:45 0 d-------- C:\Documents and Settings\Apollo\Application Data\ACASystems
2008-05-13 09:52:45 0 d-------- C:\Documents and Settings\All Users\Application Data\ACASystems
2008-05-13 09:52:42 0 d-------- C:\Program Files\ACASystems
2008-05-13 02:41:40 49152 --a------ C:\WINDOWS\system32\ChCfg.exe
2008-05-13 02:41:26 0 d-------- C:\Program Files\Realtek
2008-05-13 02:41:22 520192 --a------ C:\WINDOWS\RtlExUpd.dll <Not Verified; Realtek Semiconductor Corp.; RtlExUpd Dynamic Link Library>
2008-05-11 18:47:39 0 d-------- C:\Temp
2008-05-11 18:20:01 0 d-------- C:\UnrealTournament
2008-05-06 15:40:28 49536 --a------ C:\WINDOWS\system32\drivers\tiehdusb.sys <Not Verified; Texas Instruments Incorporated; Texas Instruments Incorporated Educational Handheld Device>
2008-05-02 16:56:11 25088 --a------ C:\WINDOWS\system32\Cxf0332c.dll <Not Verified; American Chemical Society; CXF Toolkit>
2008-05-02 16:56:11 271872 --a------ C:\WINDOWS\system32\Cxf0332b.dll <Not Verified; American Chemical Society; CXF Toolkit>
2008-05-02 16:56:11 260096 --a------ C:\WINDOWS\system32\Cxf0332a.dll <Not Verified; American Chemical Society; CXF Toolkit>
2008-05-02 16:56:11 863744 --a------ C:\WINDOWS\system32\Cw3245mt.dll <Not Verified; Inprise Corporation; Borland C++ Builder 4.0>
2008-05-02 16:56:05 118784 --a------ C:\WINDOWS\system32\SciFiSoft.dll <Not Verified; Chemical Abstracts Service; SciFinder>
2008-05-02 16:56:04 0 d-------- C:\SFSCHLR
2008-05-02 12:15:36 33792 --a------ C:\WINDOWS\system32\PWSOCK32.DLL <Not Verified; Digital Equipment Corporation; PATHWORKS for Windows or DOS>
2008-05-02 12:15:35 0 d-------- C:\Program Files\Common Files\MDL Shared
2008-05-01 17:43:16 0 d-------- C:\Documents and Settings\Apollo\Application Data\Hoyle FaceCreator
2008-05-01 17:43:16 0 d-------- C:\Documents and Settings\Apollo\Application Data\Hoyle Casino
2008-05-01 17:42:26 0 dr-h----- C:\Documents and Settings\Apollo\Application Data\SecuROM
2008-04-30 16:44:05 0 d-------- C:\Documents and Settings\Apollo\Application Data\SystemRequirementsLab
2008-04-25 18:58:52 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-04-25 16:29:17 0 d-------- C:\Program Files\Symantec
2008-04-25 16:29:11 0 d-------- C:\Program Files\Symantec AntiVirus
2008-04-25 16:29:11 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-04-20 00:37:15 0 d-------- C:\Program Files\Common Files\NSV
2008-04-18 18:47:07 0 d-------- C:\Program Files\Microsoft Silverlight
2008-04-18 18:29:06 0 d-------- C:\Program Files\Activision
2008-04-18 18:27:41 0 d--hs---- C:\WINDOWS\ftpcache
2008-04-18 01:18:45 0 d-------- C:\Program Files\PhotoFiltre
2008-04-17 17:32:32 0 d-------- C:\WINDOWS\nvidia icons
2008-04-15 16:45:24 0 d-------- C:\Documents and Settings\All Users\Application Data\Ubisoft


-- Find3M Report ---------------------------------------------------------------

2008-05-15 19:04:24 0 d-------- C:\Program Files\Steam
2008-05-15 19:00:30 0 d-------- C:\Documents and Settings\Apollo\Application Data\uTorrent
2008-05-15 17:05:17 0 d-------- C:\Program Files\Common Files
2008-05-15 16:09:50 0 d-------- C:\Program Files\Trillian
2008-05-15 13:25:36 0 d-------- C:\Program Files\Mozilla Thunderbird
2008-05-15 00:04:16 0 d-------- C:\Program Files\uTorrent
2008-05-14 15:55:23 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-05-13 19:03:04 0 d-------- C:\Program Files\Bethesda Softworks
2008-05-13 15:05:39 16023 --a------ C:\Documents and Settings\Apollo\Application Data\ekiga.conf
2008-05-13 07:47:48 8 --a------ C:\WINDOWS\system32\nvModes.dat
2008-05-13 03:09:24 0 d-------- C:\Program Files\Winamp
2008-05-13 03:09:24 0 d-------- C:\Documents and Settings\Apollo\Application Data\Winamp
2008-05-11 23:04:28 0 d-------- C:\Program Files\PeerGuardian2
2008-05-03 19:35:46 0 d-------- C:\Program Files\Foxit Software
2008-04-27 20:08:22 0 d-------- C:\Documents and Settings\Apollo\Application Data\dvdcss
2008-04-16 22:55:36 262144 --a------ C:\WINDOWS\system32\wrap_oal.dll <Not Verified; Creative Labs; Creative Labs OpenAL32>
2008-04-16 22:55:36 86016 --a------ C:\WINDOWS\system32\OpenAL32.dll <Not Verified; Portions © Creative Labs Inc. and NVIDIA Corp.; Standard OpenAL™ Library>
2008-04-15 16:44:23 2337865 --a------ C:\WINDOWS\system32\pbsvc.exe
2008-04-14 01:36:07 23 --a------ C:\WINDOWS\popcinfot.dat
2008-04-13 22:14:10 40 --a------ C:\WINDOWS\system32\profile.dat
2008-04-13 20:46:13 0 d-------- C:\Program Files\Micro Innovations
2008-04-13 20:15:57 0 d-------- C:\Documents and Settings\Apollo\Application Data\Apple Computer
2008-04-11 00:07:19 0 d-------- C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor
2008-04-05 20:05:55 0 d-------- C:\Documents and Settings\Apollo\Application Data\WinRAR
2008-04-02 21:54:54 0 d-------- C:\Documents and Settings\Apollo\Application Data\SecondLife
2008-04-02 20:21:08 0 d-------- C:\Program Files\Guild Wars
2008-04-01 19:19:50 4742 --a------ C:\WINDOWS\mozver.dat
2008-03-31 15:29:12 0 d-------- C:\Program Files\Electronic Arts
2008-03-31 15:11:00 5982 --a------ C:\Program Files\install.log
2008-03-30 13:58:50 0 d-------- C:\Program Files\Microsoft ActiveSync
2008-03-30 13:58:38 0 d-------- C:\Program Files\Microsoft.NET
2008-03-30 13:19:42 0 d-------- C:\Program Files\Common Files\InstallShield
2008-03-28 16:56:58 0 d-------- C:\Program Files\MSXML 4.0
2008-03-28 13:58:35 0 d-------- C:\Documents and Settings\Apollo\Application Data\Sun
2008-03-28 13:57:52 0 d-------- C:\Program Files\Java
2008-03-28 13:57:11 0 d-------- C:\Program Files\Common Files\Java
2008-03-28 13:28:44 0 d-------- C:\Program Files\NVIDIA Corporation
2008-03-28 10:59:50 0 d-------- C:\Documents and Settings\Apollo\Application Data\Nero
2008-03-27 02:27:19 0 d-------- C:\Program Files\MSXML 6.0
2008-03-27 02:02:22 0 d-------- C:\Documents and Settings\Apollo\Application Data\Google
2008-03-27 01:54:07 0 d-------- C:\Program Files\Codec Pack - All In 1
2008-03-27 01:53:28 737280 --a------ C:\WINDOWS\iun6002.exe <Not Verified; Indigo Rose Corporation; Setup Factory 6.0 Runtime Module>
2008-03-27 01:48:05 0 d-------- C:\Documents and Settings\Apollo\Application Data\Talkback
2008-03-27 01:48:02 0 d-------- C:\Documents and Settings\Apollo\Application Data\Thunderbird
2008-03-27 01:21:58 0 d-------- C:\Documents and Settings\Apollo\Application Data\Media Player Classic
2008-03-27 01:20:43 0 d-------- C:\Documents and Settings\Apollo\Application Data\vlc
2008-03-27 01:20:11 0 d-------- C:\Program Files\VideoLAN
2008-03-27 00:55:53 0 d-------- C:\Documents and Settings\Apollo\Application Data\U3
2008-03-26 18:48:34 0 d-------- C:\Documents and Settings\Apollo\Application Data\Macromedia
2008-03-26 18:48:34 0 d-------- C:\Documents and Settings\Apollo\Application Data\Adobe
2008-03-26 18:36:19 0 d-------- C:\Program Files\Alcohol Soft
2008-03-26 17:33:54 0 d-------- C:\Program Files\Messenger
2008-03-26 16:22:00 0 d-------- C:\Program Files\Marvell
2008-03-26 16:21:03 315392 --a------ C:\WINDOWS\HideWin.exe <Not Verified; Realtek Semiconductor Corp.; HD Audio Hide windows program>
2008-03-26 16:20:52 0 --a------ C:\WINDOWS\nsreg.dat
2008-03-26 16:20:50 0 d-------- C:\Documents and Settings\Apollo\Application Data\Mozilla
2008-03-26 16:19:46 0 d-------- C:\Program Files\Intel
2008-03-26 16:02:05 0 d-------- C:\Documents and Settings\Apollo\Application Data\Identities
2008-03-26 15:56:38 0 d-------- C:\Program Files\microsoft frontpage
2008-03-26 15:55:33 0 -rahs---- C:\MSDOS.SYS
2008-03-26 15:55:33 0 -rahs---- C:\IO.SYS
2008-03-26 15:55:33 0 --a------ C:\CONFIG.SYS
2008-03-26 15:55:33 0 --a------ C:\AUTOEXEC.BAT
2008-03-26 15:54:36 0 d--h----- C:\Program Files\WindowsUpdate
2008-03-26 15:53:48 0 d-------- C:\Program Files\Common Files\MSSoap
2008-03-26 15:53:39 0 d-------- C:\Program Files\Movie Maker
2008-03-26 15:52:56 21640 --a------ C:\WINDOWS\system32\emptyregdb.dat
2008-03-26 15:52:26 0 d-------- C:\Program Files\MSN Gaming Zone
2008-03-26 15:52:19 0 d-------- C:\Program Files\Windows NT
2008-03-26 09:47:15 0 d-------- C:\Program Files\Common Files\ODBC
2008-03-26 09:47:12 0 d-------- C:\Program Files\Common Files\SpeechEngines
2008-03-26 09:46:52 62 --ahs---- C:\Documents and Settings\Apollo\Application Data\desktop.ini
2008-03-24 19:52:00 1626112 --a------ C:\WINDOWS\system32\nwiz.exe
2008-03-24 19:52:00 1019904 --a------ C:\WINDOWS\system32\nvwimg.dll
2008-03-24 19:52:00 1703936 --a------ C:\WINDOWS\system32\nvwdmcpl.dll
2008-03-24 19:52:00 466944 --a------ C:\WINDOWS\system32\nvshell.dll
2008-03-24 19:52:00 286720 --a------ C:\WINDOWS\system32\nvnt4cpl.dll
2008-03-24 19:52:00 1482752 --a------ C:\WINDOWS\system32\nview.dll
2008-03-24 19:52:00 1339392 --a------ C:\WINDOWS\system32\nvdspsch.exe
2008-03-24 19:52:00 442368 --a------ C:\WINDOWS\system32\nvappbar.exe
2008-03-24 19:52:00 425984 --a------ C:\WINDOWS\system32\keystone.exe


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6C23AB0C-0244-4B01-8253-BEE724D0D2EC}]
2008-05-15 02:15 57344 --a------ C:\WINDOWS\system32\ssqQkLCS.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{a936afbc-9ea9-4222-9cc3-495f1a5769dc}]
2008-05-15 15:37 133120 --a------ C:\WINDOWS\system32\gxhqiaky.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4F4B85E-ED11-4738-9E0E-AC2FAF0E243E}]
2008-05-15 03:22 370688 --a------ C:\WINDOWS\system32\opnlihgF.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2008-03-24 19:52]
"WinSys2"="C:\WINDOWS\system32\winsys2.exe" [2007-10-30 03:37]
"KEMailKb"="C:\PROGRA~1\MICROI~1\INTERN~1\KEMailKb.EXE" [2005-08-09 03:27]
"KPDrv4XP"="C:\PROGRA~1\MICROI~1\INTERN~1\KPDrv4XP.EXE" [2005-02-21 06:15]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2008-03-24 19:52]
"RTHDCPL"="RTHDCPL.EXE" [2008-05-07 15:39 C:\WINDOWS\RTHDCPL.exe]
"Alcmtr"="ALCMTR.EXE" [2005-05-03 18:43 C:\WINDOWS\Alcmtr.exe]
"nwiz"="nwiz.exe" [2008-03-24 19:52 C:\WINDOWS\system32\nwiz.exe]
"LogitechQuickCamRibbon"="C:\Program Files\Logitech\QuickCam\Quickcam.exe" [2007-10-25 16:37]
"LogitechCommunicationsManager"="C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-10-25 16:33]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00]
"Yodm3D"="C:\Documents and Settings\Apollo\My Documents\Downloads\Torrents\yodm3d_v14\Yodm3D.exe" [2007-06-26 19:26]
"NVIDIA nTune"="C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" [2007-09-04 19:25]

C:\Documents and Settings\Apollo\Desktop\Startup\
Stardock ObjectDock.lnk - C:\Program Files\Stardock\ObjectDock\ObjectDock.exe [2008-05-15 02:52:55]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"disableregistrytools"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"AllowLegacyWebView"=1 (0x1)
"AllowUnhashedWebView"=1 (0x1)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{6C23AB0C-0244-4B01-8253-BEE724D0D2EC}"= C:\WINDOWS\system32\ssqQkLCS.dll [2008-05-15 02:15 57344]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ssqQkLCS]
ssqQkLCS.dll 2008-05-15 02:15 57344 C:\WINDOWS\system32\ssqQkLCS.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WBSrv]
C:\Program Files\Stardock\Object Desktop\WindowBlinds\wbsrv.dll 2008-05-15 02:23 210168 C:\Program Files\Stardock\Object Desktop\WindowBlinds\WbSrv.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\opnlihgF

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\PSEXESVC]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"NMIndexingService"=3 (0x3)
"Nero BackItUp Scheduler 3"=2 (0x2)
"gusvc"=3 (0x3)
"PnkBstrB"=2 (0x2)


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{68228ad4-fb41-11dc-8b0e-806d6172696f}]
AutoRun\command- J:\LaunchU3.exe -a

*Newly Created Service* - GTNDIS5



-- End of Deckard's System Scanner: finished at 2008-05-15 20:59:25 ------------

#2 zacharyc


Posted 16 May 2008 - 02:34 AM

Wow, I totally just pwned Vondu. By hand!

I tried Combofix and it didn't work, neither did Vondufix. Symantec? Spy Doctor? Adaware? Colossal wastes of time.

So, I figured out exactly which DLLs were locked in the system32 because they had random names. I put the recently modified DLLs into google's engine and deleted the ones that had absolutely no entries.

Obviously this didn't work- I tried to unlock the DLLs, but on the third reappearance, it inserted itself into nine separate processes including the unbreakable winlogon. So, I wrote them down, and used Windows Recovery console to delete the three DLLs and the two INI files in the System32 directory. Then I booted to the desktop and cleared the registry with the search function and cclear. I also isolated every file that appeared within that two-hour window of infection and deleted every non-essential file.

Presto- clean machine! Now how much of my student fees are paying for the mandatory Symantec antivirus? I am better off burning that money.

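As an added example (not from this thread, HijackThis or DSS), the triage script below automates the signals the two posts above rely on: it parses the O2/O20 persistence lines and the DSS "files created" list, flags system32 targets that have no-name or GUID-named BHOs, 8-letter random file names, or a creation time inside the two-hour infection window, and reports any extra LSA authentication package. The sample lines are copied from the log above; the window start, the 8-letter heuristic and all function names are my assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed excerpt: lines copied from the HijackThis / DSS log posted above.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {6C23AB0C-0244-4B01-8253-BEE724D0D2EC} - C:\WINDOWS\system32\ssqQkLCS.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: {cd9675a1-f594-3cc9-2224-9ae9cbfa639a} - {a936afbc-9ea9-4222-9cc3-495f1a5769dc} - C:\WINDOWS\system32\gxhqiaky.dll
O2 - BHO: (no name) - {D4F4B85E-ED11-4738-9E0E-AC2FAF0E243E} - C:\WINDOWS\system32\opnlihgF.dll
O20 - Winlogon Notify: ssqQkLCS - C:\WINDOWS\SYSTEM32\ssqQkLCS.dll
2008-05-15 15:37:19 133120 --a------ C:\WINDOWS\system32\gxhqiaky.dll
2008-05-15 03:22:18 1392679 --ahs---- C:\WINDOWS\system32\Fghilnpo.ini2
2008-05-15 03:22:13 370688 --a------ C:\WINDOWS\system32\opnlihgF.dll
2008-05-15 02:24:52 218716 --a------ C:\WINDOWS\system32\cbXRlmki.dll
2008-05-15 02:15:46 57344 --a------ C:\WINDOWS\system32\ssqQkLCS.dll
2008-05-14 23:53:18 7840 --a------ C:\WINDOWS\system32\mcdmsg2.dll
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\opnlihgF
"""

GUID = re.compile(r"^\{[0-9a-f-]{36}\}$", re.I)
# DSS file line: <timestamp> <size> <attrs> <path> [<vendor info>]
FILE_LINE = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\s+(\d+)\s+(\S{9})\s+(.*?)(?:\s+<.*>)?$")


def in_system32(path):
    return "\\system32\\" in path.lower()


def random_name(path):
    # Heuristic taken from this log (an assumption, not a rule): every Vundo
    # component dropped here has an 8-letter, purely alphabetic stem.
    s = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    return len(s) == 8 and s.isalpha()


def suspicious_persistence(lines):
    """O2 (BHO) / O20 (Winlogon Notify) entries pointing into system32 whose
    name is missing, is a bare GUID, or whose file name looks random."""
    hits = []
    for line in lines:
        if not line.startswith(("O2 - BHO: ", "O20 - Winlogon Notify: ")):
            continue
        parts = line.split(" - ")
        name, path = parts[1].split(": ", 1)[1], parts[-1]
        if in_system32(path) and (
                name == "(no name)" or GUID.match(name) or random_name(path)):
            hits.append((parts[0], name, path))
    return hits


def files_in_window(lines, start, hours=2):
    """Random-named system32 files created within `hours` of `start`
    ('YYYY-MM-DD HH:MM:SS'), the two-hour window the poster worked from."""
    t0 = datetime.strptime(start, "%Y-%m-%d %H:%M:%S")
    t1 = t0 + timedelta(hours=hours)
    hits = []
    for line in lines:
        m = FILE_LINE.match(line)
        if not m:
            continue
        created = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        if t0 <= created <= t1 and in_system32(m.group(4)) and random_name(m.group(4)):
            hits.append((created, m.group(4)))
    return sorted(hits)


def extra_lsa_packages(lines):
    """Anything besides msv1_0 registered as an LSA authentication package."""
    for line in lines:
        if line.startswith('"Authentication Packages"='):
            return [p for p in line.split("=", 1)[1].split() if p.lower() != "msv1_0"]
    return []


def triage(log_text, window_start):
    lines = [l.strip() for l in log_text.splitlines() if l.strip()]
    return {"persistence": suspicious_persistence(lines),
            "window_files": files_in_window(lines, window_start),
            "lsa_extra": extra_lsa_packages(lines)}


if __name__ == "__main__":
    print(triage(SAMPLE_LOG, "2008-05-15 02:15:00"))
```

Every hit the script reports for this excerpt matches a file the poster ended up deleting by hand; the window check is what keeps legitimate 8-letter system32 files such as nvwdmcpl.dll (dated 2008-03-24 in the log) out of the list.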
#3 teacup61

Malware Response Team

Posted 31 May 2008 - 07:07 PM

Glad you got it fixed. :thumbsup:

Since this issue appears resolved ... this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!



Error reading poptart in Drive A: Delete kids y/n?



