
Infection: Virtumonde


This topic is locked
2 replies to this topic

#1 annon
Members, 17 posts

Posted 27 May 2008 - 06:02 AM

help.

The log:

ComboFix 08-05-25.5 - Owner 2008-05-27 17:36:49.1 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.1034 [GMT 8:00]
Running from: C:\Users\Owner\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\ProgramData\Microsoft\Network\Downloader\qmgr0.dat
C:\ProgramData\Microsoft\Network\Downloader\qmgr1.dat
C:\Windows\setup.exe
C:\Windows\system32\ACER.exe
C:\Windows\system32\efcDSJBu.dll
C:\Windows\system32\fcccbxxu.dll
C:\Windows\system32\lccfxbpf.exe
C:\Windows\system32\pmnnMdaa.dll
C:\Windows\System32\uBJSDcfe.ini
C:\Windows\System32\uBJSDcfe.ini2
C:\Windows\system32\uhfyrcgx.exe
C:\Windows\System32\uxxbcccf.ini
C:\Windows\System32\uxxbcccf.ini2
C:\Windows\System32\yxxwayxx.ini
C:\Windows\System32\yxxwayxx.ini2

----- BITS: Possible infected sites -----

hxxp://downloads.networkmagic.com
.
((((((((((((((((((((((((( Files Created from 2008-04-27 to 2008-05-27 )))))))))))))))))))))))))))))))
.

2008-05-27 17:27 . 2008-05-27 17:32 <DIR> d-------- C:\327882R2FWJFW
2008-05-27 06:25 . 2008-05-27 06:25 124,928 --a------ C:\Windows\System32\rhxefvbj.dll
2008-05-26 21:47 . 2008-05-26 21:47 124,928 --a------ C:\Windows\System32\dxywyplu.dll
2008-05-26 20:36 . 2008-05-26 20:36 124,928 --a------ C:\Windows\System32\ujvvvhwn.dll
2008-05-25 17:41 . 2008-05-25 17:41 <DIR> d-------- C:\Users\All Users\WindowsSearch
2008-05-25 17:41 . 2008-05-25 17:41 <DIR> d-------- C:\ProgramData\WindowsSearch
2008-05-25 14:14 . 2008-05-25 18:44 <DIR> d-------- C:\Program Files\Portable Brain Challenge 1.2.5.0
2008-05-25 14:02 . 2008-05-25 14:02 <DIR> d-------- C:\Windows\The Amazing Brain Train
2008-05-25 14:02 . 2008-05-25 19:54 <DIR> d-------- C:\Program Files\The Amazing Brain Train
2008-05-22 17:16 . 2008-05-22 17:16 <DIR> d-------- C:\Windows\System32\1033
2008-05-21 14:06 . 2008-05-21 14:06 <DIR> d-------- C:\Program Files\MSDN
2008-05-21 10:50 . 2008-05-21 10:50 <DIR> d-------- C:\Program Files\Microsoft SQL Server 2005 Mobile Edition
2008-05-21 10:50 . 2008-05-21 10:50 <DIR> d-------- C:\Program Files\Microsoft Device Emulator
2008-05-21 10:37 . 2008-05-21 10:37 <DIR> d-------- C:\Windows\Symbols
2008-05-21 10:37 . 2008-05-21 10:37 <DIR> d-------- C:\Users\All Users\PreEmptive Solutions
2008-05-21 10:37 . 2008-05-21 10:37 <DIR> d-------- C:\ProgramData\PreEmptive Solutions
2008-05-21 10:37 . 2008-05-21 10:45 <DIR> d-------- C:\Program Files\HTML Help Workshop
2008-05-21 10:37 . 2008-05-22 17:15 <DIR> d-------- C:\Program Files\Common Files\Merge Modules
2008-05-21 10:37 . 2008-05-21 10:39 <DIR> d-------- C:\Program Files\Common Files\Business Objects
2008-05-21 10:37 . 2008-05-21 10:37 <DIR> d-------- C:\Program Files\CE Remote Tools
2008-05-17 21:25 . 2008-05-17 21:25 <DIR> d-------- C:\Users\Owner\AppData\Roaming\SystemRequirementsLab
2008-05-17 00:15 . 2008-05-17 00:15 <DIR> d-------- C:\Program Files\MSECache
2008-05-16 10:55 . 2008-05-16 10:55 <DIR> d-------- C:\Users\Owner\AppData\Roaming\Dexpot
2008-05-16 10:55 . 2008-05-16 10:55 <DIR> d-------- C:\Program Files\Dexpot
2008-05-16 10:53 . 2008-05-16 10:53 <DIR> d-------- C:\Program Files\Simpli Software
2008-05-12 21:10 . 2008-05-12 21:12 <DIR> d-------- C:\Program Files\THINKFST
2008-05-09 20:00 . 2008-05-12 21:32 145 --a------ C:\Windows\thinkfst.ini
2008-05-09 19:58 . 1994-05-06 04:47 398,416 --a------ C:\Windows\system\VBRUN300.DLL
2008-05-09 19:58 . 1998-05-11 20:01 64,432 --a------ C:\Windows\system\THREED.VBX
2008-05-09 19:58 . 1993-04-28 00:00 31,744 --a------ C:\Windows\system\MSAFINX.DLL
2008-05-09 19:58 . 1993-04-28 00:00 22,528 --a------ C:\Windows\system\SPIN.VBX
2008-05-04 06:00 . 2008-05-22 07:22 <DIR> d-------- C:\Program Files\Microsoft Visual Studio 8
2008-05-03 22:06 . 2008-05-03 22:06 <DIR> d-------- C:\Program Files\Microsoft Synchronization Services
2008-05-03 22:03 . 2008-05-03 22:05 <DIR> d-------- C:\Program Files\Microsoft SQL Server
2008-05-03 21:58 . 2008-05-03 22:33 <DIR> d-------- C:\Program Files\Microsoft Visual Studio 9.0
2008-05-03 21:52 . 2008-05-03 21:52 <DIR> d-------- C:\Program Files\Microsoft SDKs
2008-05-01 21:34 . 2008-05-01 21:34 <DIR> d-------- C:\Program Files\Pcsx2_0.9.4
2008-05-01 21:12 . 2008-05-01 21:12 <DIR> d-------- C:\Program Files\LibUSB-Win32-0.1.10.1
2008-05-01 21:12 . 2005-03-09 20:50 46,592 --a------ C:\Windows\System32\libusb0.dll
2008-05-01 21:12 . 2005-03-09 20:50 33,792 --a------ C:\Windows\System32\drivers\libusb0.sys
2008-05-01 21:12 . 2005-03-09 20:50 19,456 --a------ C:\Windows\System32\libusbd-9x.exe
2008-05-01 21:12 . 2005-03-09 20:50 18,944 --a------ C:\Windows\System32\libusbd-nt.exe
2008-04-27 19:37 . 2008-04-27 19:37 <DIR> d-------- C:\Program Files\Acoustica Shared Effects
2008-04-27 19:37 . 2008-04-27 19:37 <DIR> d-------- C:\Program Files\Acoustica Beatcraft
2008-04-27 19:35 . 2008-05-09 18:35 122 --a------ C:\Windows\OM.INI
2008-04-27 19:33 . 2008-04-27 19:33 <DIR> d-------- C:\Program Files\Orange Software
2008-04-27 15:52 . 2008-04-27 15:52 <DIR> d-------- C:\Program Files\Crystal Metronome

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-27 09:43 2,417,864 --sha-w C:\Windows\system32\drivers\fidbox.idx
2008-05-27 09:43 193,476,896 --sha-w C:\Windows\system32\drivers\fidbox.dat
2008-05-27 09:21 --------- d-----w C:\ProgramData\Kaspersky Lab
2008-05-27 08:24 55,117 ----a-w C:\Users\Owner\AppData\Roaming\nvModes.dat
2008-05-27 08:22 --------- d-----w C:\Program Files\Warcraft III
2008-05-26 23:09 --------- d-----w C:\Users\Owner\AppData\Roaming\uTorrent
2008-05-24 11:16 --------- d-----w C:\Program Files\eMedia Intermediate Guitar Method
2008-05-23 02:04 --------- d-----w C:\ProgramData\Microsoft Help
2008-05-18 10:24 --------- d-----w C:\Program Files\Electronic Arts
2008-05-15 07:44 --------- d-----w C:\Program Files\Launch Manager
2008-05-14 19:03 --------- d-----w C:\Program Files\Windows Mail
2008-05-03 14:25 --------- d-----w C:\Program Files\Microsoft Silverlight
2008-05-03 14:06 --------- d-----w C:\Program Files\Microsoft SQL Server Compact Edition
2008-05-03 14:04 --------- d-----w C:\Program Files\Microsoft.NET
2008-04-25 10:59 --------- d-----w C:\Program Files\Azureus
2008-04-25 10:58 --------- d-----w C:\Program Files\Rising Software
2008-04-25 06:54 --------- d-----w C:\Program Files\Google
2008-04-24 02:46 2,829 ----a-w C:\Windows\War3Unin.pif
2008-04-24 02:46 139,264 ----a-w C:\Windows\War3Unin.exe
2008-04-22 13:57 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-22 13:57 --------- d-----w C:\Program Files\Microsoft Reader
2008-04-21 05:54 --------- d-----w C:\Program Files\Z80 Simulator IDE
2008-04-19 10:54 --------- d-----w C:\Program Files\Java
2008-04-19 10:47 --------- d-----w C:\Program Files\Common Files\Java
2008-04-19 04:11 --------- d-----w C:\Program Files\Counter-Strike 1.6
2008-04-19 03:15 73,216 ----a-w C:\Windows\ST6UNST.EXE
2008-04-19 03:15 249,856 ------w C:\Windows\Setup1.exe
2008-04-18 14:42 --------- d-----w C:\Program Files\Crimsonland
2008-04-18 14:39 --------- d-----w C:\Program Files\ReflexiveArcade
2008-04-17 13:30 96,645 ----a-w C:\Windows\system32\drivers\klin.dat
2008-04-17 13:30 87,941 ----a-w C:\Windows\system32\drivers\klick.dat
2008-04-17 12:31 --------- d-----w C:\Program Files\Common Files\Adobe
2008-04-17 12:16 --------- d-----w C:\Program Files\Common Files\xing shared
2008-04-17 12:16 --------- d-----w C:\Program Files\Common Files\Real
2008-04-17 05:14 --------- d-----w C:\Program Files\Common Files\Pure Networks Shared
2008-04-17 05:13 --------- d-----w C:\Program Files\Pure Networks
2008-04-17 05:12 --------- d-----w C:\ProgramData\Pure Networks
2008-04-15 06:42 --------- d-----w C:\Program Files\EarMaster Pro 5
2008-04-11 16:41 --------- d-----w C:\Users\Owner\AppData\Roaming\Nokia Multimedia Player
2008-04-09 17:06 --------- d-----w C:\Program Files\Real
2008-04-09 16:34 --------- d-----w C:\Users\Owner\AppData\Roaming\Media Player Classic
2008-04-09 16:30 --------- d-----w C:\Program Files\Windows Live
2008-04-04 15:10 --------- d-----w C:\Program Files\Cheating-Death
2008-04-03 16:03 --------- d-----w C:\Program Files\AGEIA Technologies
2008-04-03 16:02 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-04-03 15:08 --------- d-----w C:\Users\Owner\AppData\Roaming\InstallShield Installation Information
2008-04-03 14:40 --------- d-----w C:\Program Files\Unreal Tournament 3
2008-04-01 10:08 --------- d-----w C:\ProgramData\FLEXnet
2008-04-01 10:06 --------- d-----w C:\Program Files\Bonjour
2008-04-01 09:59 --------- d-----w C:\Program Files\Common Files\Macrovision Shared
2008-04-01 08:02 114,048 ----a-w C:\Windows\system32\drivers\snapman.sys
2008-04-01 08:02 --------- d-----w C:\Program Files\Common Files\Acronis
2008-04-01 08:02 --------- d-----w C:\Program Files\Acronis
2008-03-29 17:31 --------- d-----w C:\Program Files\Network Stumbler
2008-03-29 13:04 --------- d-----w C:\Users\Owner\AppData\Roaming\EarMaster
2008-03-29 12:55 0 ---ha-w C:\Windows\system32\drivers\Msft_User_PCCSWpdDriver_01_05_00.Wdf
2008-03-29 12:55 --------- d-----w C:\Users\Owner\AppData\Roaming\Nokia
2008-03-29 06:39 --------- d-----w C:\ProgramData\EarMaster
2008-03-29 04:41 --------- d-----w C:\Program Files\PBsoft
2008-03-28 08:54 --------- d-----w C:\Users\Owner\AppData\Roaming\Azureus
2008-03-28 08:39 --------- d-----w C:\Program Files\uTorrent
2008-03-27 15:46 --------- d-----w C:\Program Files\QuickTime
2008-03-27 15:45 --------- d-----w C:\ProgramData\QuickTime
2008-03-27 02:48 0 ---ha-w C:\Windows\system32\drivers\Msft_User_WpdFs_01_00_00.Wdf
2008-03-27 02:35 --------- d-----w C:\ProgramData\Azureus
2008-03-27 02:34 --------- d-----w C:\Users\Owner\AppData\Roaming\Windows Live Writer
2008-03-26 15:03 174 --sha-w C:\Program Files\desktop.ini
2008-03-26 14:18 82,432 ----a-w C:\Windows\System32\axaltocm.dll
2008-03-26 14:18 101,888 ----a-w C:\Windows\System32\ifxcardm.dll
2008-03-16 10:06 107,888 ----a-w C:\Windows\System32\CmdLineExt.dll
2008-02-29 15:38 66,872 ----a-w C:\Windows\System32\PnkBstrA.exe
2008-02-29 15:38 103,736 ----a-w C:\Windows\System32\PnkBstrB.exe
2008-02-29 07:14 19,000 ----a-w C:\Windows\System32\kd1394.dll
2008-02-29 07:11 988,216 ----a-w C:\Windows\System32\winload.exe
2008-02-29 07:11 927,288 ----a-w C:\Windows\System32\winresume.exe
2008-02-29 06:53 46,592 ----a-w C:\Windows\System32\setbcdlocale.dll
2008-02-29 06:53 40,960 ----a-w C:\Windows\System32\srclient.dll
2008-02-29 06:53 378,368 ----a-w C:\Windows\System32\srcore.dll
2008-02-29 06:35 6,656 ----a-w C:\Windows\System32\kbd106n.dll
2008-02-29 04:21 2,032,128 ----a-w C:\Windows\System32\win32k.sys
2008-02-29 04:12 318,464 ----a-w C:\Windows\System32\rstrui.exe
2008-02-29 04:12 14,848 ----a-w C:\Windows\System32\srdelayed.exe
2008-02-22 23:21 22,328 ----a-w C:\Users\Owner\AppData\Roaming\PnkBstrK.sys
2008-02-22 15:08 0 ----a-w C:\Users\Owner\SCHDLR.DAT
2007-09-11 07:26 61,647,736 ----a-w C:\Users\Public\directx_aug2007_redist.exe
2007-08-06 05:31 6,211,190 ----a-w C:\Users\Public\Combined-Community-Codec-Pack-2007-07-22.exe
2006-10-23 20:13 23,510,720 ----a-w C:\Users\Public\dotnetfx.exe
2004-12-04 17:47 1,164,112 ----a-w C:\Users\Public\wrar341.exe
.

------- Sigcheck -------

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FE764F2B-FB0F-4ED4-B9F4-48321520902E}]
C:\Windows\system32\xxyawxxy.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [2008-01-19 15:33 1233920]
"ehTray.exe"="C:\Windows\ehome\ehTray.exe" [2008-01-19 15:33 125952]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2007-09-18 22:16 171464]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 15:33 202240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ALaunch"="C:\Acer\ALaunch\AlaunchClient.exe" [ ]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2007-05-09 13:09 865840]
"eDataSecurity Loader"="C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe" [2007-04-26 07:33 457216]
"eAudio"="C:\Acer\Empowering Technology\eAudio\eAudio.exe" [2007-06-12 05:54 1286144]
"Acer Tour"="" []
"RtHDVCpl"="RtHDVCpl.exe" [2007-09-04 18:39 4702208 C:\Windows\RtHDVCpl.exe]
"PLFSet"="C:\Windows\PLFSet.dll" [2007-04-26 05:47 45056]
"LManager"="C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE" [2007-07-31 09:36 707080]
"PlayMovie"="C:\Program Files\Acer Arcade Deluxe\Play Movie\PMVService.exe" [2007-05-25 05:38 206952]
"eRecoveryService"="" []
"Acer Product Registration"="C:\Program Files\Acer Registration\ACE1.exe" [2007-02-03 03:24 3383296]
"Acer Assist Launcher"="C:\Program Files\Acer Assist\launcher.exe" [2007-02-03 02:05 1261568]
"Acer Tour Reminder"="C:\Acer\AcerTour\Reminder.exe" [2007-08-02 09:30 151552]
"IAAnotif"="C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2007-02-12 14:37 174872]
"SetPanel"="C:\Acer\APanel\APanel.cmd" [ ]
"SetSpeaker"="C:\Windows\SetSpkDefault.exe" [2007-11-27 18:23 86016]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2007-01-09 23:46 68640]
"LanguageShortcut"="C:\Program Files\CyberLink\PowerDVD\Language\Language.exe" [2007-01-09 23:46 52256]
"PCSuiteTrayApplication"="C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [2006-11-08 13:27 222208]
"NvSvc"="C:\Windows\system32\nvsvc.dll" [2008-01-11 02:43 92704]
"NvCplDaemon"="C:\Windows\system32\NvCpl.dll" [2008-01-11 02:43 8534560]
"NvMediaCenter"="C:\Windows\system32\NvMcTray.dll" [2008-01-11 02:43 88608]
"nwiz"="nwiz.exe" []
"nmapp"="C:\Program Files\Pure Networks\Network Magic\nmapp.exe" [2007-03-14 15:42 321088]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe" [2007-12-18 00:43 227856]
"BMc3215bb6"="C:\Windows\system32\rhxefvbj.dll" [2008-05-27 06:25 124928]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"PcSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2006-11-09 17:15 1634304]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

C:\Users\Owner\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
PowerReg SchedulerV2.exe [2008-02-19 15:53:47 256000]

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
Bluetooth.lnk - C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe [2007-03-30 05:11:50 719664]
Empowering Technology Launcher.lnk - C:\Acer\Empowering Technology\eAPLauncher.exe [2007-08-14 08:06:55 535336]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{0541290B-954E-4B9E-B9D0-907944A5F690}"= C:\Windows\system32\pmnnMdaa.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\KASPER~1\KASPER~1.0\r3hook.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.mkdmp3enc"= C:\PROGRA~1\ACERAR~1\DVWIZA~1\Kernel\Burner\MKDMP3Enc.ACM
"VIDC.ACDV"= ACDV.dll
"vidc.ffds"= C:\PROGRA~1\COMBIN~1\Filters\FFDShow\ff_vfw.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Device Detector]


[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{B6C4D3B6-D866-4F8A-BD95-3F68EA80CD56}"= C:\Program Files\Acer Arcade Deluxe\Acer Arcade Deluxe\Acer Arcade Deluxe.exe:Acer Arcade Deluxe
"{8451B11E-A98D-4AA1-93C4-2A77CA5275F7}"= C:\Program Files\Acer Arcade Deluxe\VideoMagician\VideoMagician.exe:VideoMagician
"{4327829C-53E2-4708-B1F6-50A583BF5E6F}"= C:\Program Files\Acer Arcade Deluxe\HomeMedia\HomeMedia.exe:HomeMedia
"{CB57721A-FAFE-4224-8FE6-1202ADE9551F}"= C:\Program Files\Acer Arcade Deluxe\DV Wizard\DV Wizard.exe:DV Wizard
"{63FAD5EE-40F9-4F37-8364-B638686E2FB0}"= C:\Program Files\Acer Arcade Deluxe\DVDivine\DVDivine.exe:DVDivine
"{33AC3061-41F2-43BB-A95E-7B4FD5638DF6}"= C:\Program Files\Acer Arcade Deluxe\Play Movie\PlayMovie.exe:Play Movie
"{774D634A-FC17-4EF3-BEFD-07FBA9A4626F}"= C:\Program Files\Acer Arcade Deluxe\Play Movie\PMVService.exe:Play Movie Resident Program
"{54AC1D94-320B-4738-8979-0D86836D9214}"= C:\Program Files\Acer\Acer VCM\VC.exe:Acer VCM
"TCP Query User{C29BE396-8F41-4393-A034-9F438083F123}C:\\program files\\counter-strike 1.6\\hl.exe"= UDP:C:\program files\counter-strike 1.6\hl.exe:Half-Life Launcher
"UDP Query User{49BF3277-D332-4AE7-8D5A-A67829342B86}C:\\program files\\counter-strike 1.6\\hl.exe"= TCP:C:\program files\counter-strike 1.6\hl.exe:Half-Life Launcher
"{65C41BB9-F8A3-40A0-A9BE-817EB9E41B11}"= UDP:C:\Windows\System32\PnkBstrA.exe:PnkBstrA
"{2C70CD87-0A90-4581-AC69-E316F12CB6F3}"= TCP:C:\Windows\System32\PnkBstrA.exe:PnkBstrA
"{1B105881-ADA9-46C9-A5BA-831F0AEBB26D}"= UDP:C:\Windows\System32\PnkBstrB.exe:PnkBstrB
"{02148CE1-2929-442C-8980-FCB72504DEC5}"= TCP:C:\Windows\System32\PnkBstrB.exe:PnkBstrB
"{32A14FF2-933E-40DB-A50A-9436CC0B7962}"= UDP:C:\Program Files\Activision\Call of Duty 4 - Modern Warfare\iw3mp.exe:Call of Duty® 4 - Modern Warfare™
"{13D71ABE-34DF-4FDB-AC2B-342A167C8E53}"= TCP:C:\Program Files\Activision\Call of Duty 4 - Modern Warfare\iw3mp.exe:Call of Duty® 4 - Modern Warfare™
"TCP Query User{8667703F-CBD1-48C1-B588-8C320C2BDBB7}C:\\program files\\counter-strike 1.6\\hl.exe"= UDP:C:\program files\counter-strike 1.6\hl.exe:Half-Life Launcher
"UDP Query User{39E914C1-7FCB-4C1B-8BB8-5C6D5F9C42C4}C:\\program files\\counter-strike 1.6\\hl.exe"= TCP:C:\program files\counter-strike 1.6\hl.exe:Half-Life Launcher
"TCP Query User{703C9E2A-4884-46C2-A82F-6F7DC6DE3D19}C:\\program files\\nokia\\nokia software updater\\nsu_ui_client.exe"= UDP:C:\program files\nokia\nokia software updater\nsu_ui_client.exe:Nokia Software Updater
"UDP Query User{98B2BC5F-712B-424B-876B-396A828EB853}C:\\program files\\nokia\\nokia software updater\\nsu_ui_client.exe"= TCP:C:\program files\nokia\nokia software updater\nsu_ui_client.exe:Nokia Software Updater
"TCP Query User{EE0DA6F4-8FAF-4AEE-B505-5C1EA61EE757}C:\\program files\\common files\\nokia\\service layer\\a\\nsl_host_process.exe"= UDP:C:\program files\common files\nokia\service layer\a\nsl_host_process.exe:Nokia Service Layer Host Process
"UDP Query User{FB8F0DC3-DCA1-404B-9A4B-8B31E9CCFB21}C:\\program files\\common files\\nokia\\service layer\\a\\nsl_host_process.exe"= TCP:C:\program files\common files\nokia\service layer\a\nsl_host_process.exe:Nokia Service Layer Host Process
"TCP Query User{ACA20643-8DA7-49F6-A4F1-871A8FB16A1F}C:\\program files\\doom 3\\doom3ded.exe"= UDP:C:\program files\doom 3\doom3ded.exe:DOOM 3
"UDP Query User{3BD4F661-7D4E-4FF3-84CE-2A1F69DEA37C}C:\\program files\\doom 3\\doom3ded.exe"= TCP:C:\program files\doom 3\doom3ded.exe:DOOM 3
"TCP Query User{BAB46CF5-751F-4849-8094-4EB317D16064}C:\\program files\\lucasarts\\swkotor2\\swupdate.exe"= UDP:C:\program files\lucasarts\swkotor2\swupdate.exe:Star Wars: Knights of the Old Republic II: The Sith Lords Update Program
"UDP Query User{516FB40D-B11C-46A1-91E6-884BC4806375}C:\\program files\\lucasarts\\swkotor2\\swupdate.exe"= TCP:C:\program files\lucasarts\swkotor2\swupdate.exe:Star Wars: Knights of the Old Republic II: The Sith Lords Update Program
"{51906B22-0BEE-43DE-A539-EB3081A4D807}"= C:\Program Files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{F69C8203-92BA-49D9-8BC1-3A64A2B2AAD5}"= C:\Program Files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"TCP Query User{B7143FCC-0C93-4914-8C3D-E7FF2C51A164}C:\\program files\\azureus\\azureus.exe"= UDP:C:\program files\azureus\azureus.exe:Azureus
"UDP Query User{DB9416FC-2588-44D9-A3E6-1726B0D7208D}C:\\program files\\azureus\\azureus.exe"= TCP:C:\program files\azureus\azureus.exe:Azureus
"TCP Query User{B6B88143-CD15-4C97-B056-66EFAB2EF767}C:\\program files\\internet explorer\\iexplore.exe"= UDP:C:\program files\internet explorer\iexplore.exe:Internet Explorer
"UDP Query User{41629C54-0578-4C50-AEC0-E9F6DD33C74F}C:\\program files\\internet explorer\\iexplore.exe"= TCP:C:\program files\internet explorer\iexplore.exe:Internet Explorer
"{A9856CAA-C516-4AA2-9099-481AAA287038}"= UDP:C:\Program Files\uTorrent\uTorrent.exe:µTorrent
"{8ED54CC1-3F0B-4B56-AAD2-1E5ED9437A58}"= TCP:C:\Program Files\uTorrent\uTorrent.exe:µTorrent
"{F86CA28D-43C7-4213-A17D-60A674320CD8}"= UDP:C:\Program Files\Unreal Tournament 3\Binaries\UT3.exe:Unreal Tournament 3
"{4010C0F8-4EEF-4409-8C41-ADA796A738AD}"= TCP:C:\Program Files\Unreal Tournament 3\Binaries\UT3.exe:Unreal Tournament 3
"{8F66D760-D971-422F-B674-049AD21A5B6E}"= UDP:C:\Program Files\Electronic Arts\Medal of Honor Airborne\UnrealEngine3\Binaries\MOHA.exe:Medal of Honor Airborne
"{908F764F-0C7E-47DB-B5CE-89BA8F1F3A50}"= TCP:C:\Program Files\Electronic Arts\Medal of Honor Airborne\UnrealEngine3\Binaries\MOHA.exe:Medal of Honor Airborne
"TCP Query User{A9CF2C5E-DA65-4731-9F13-32E325541472}C:\\program files\\valve\\condition zero\\hl.exe"= UDP:C:\program files\valve\condition zero\hl.exe:Half-Life Launcher
"UDP Query User{03E983E0-6050-4C3C-93F1-607F1411BB68}C:\\program files\\valve\\condition zero\\hl.exe"= TCP:C:\program files\valve\condition zero\hl.exe:Half-Life Launcher
"TCP Query User{E3AC06D4-BA89-48E7-B655-DC13FD01556B}C:\\valve\\condition zero\\hl.exe"= UDP:C:\valve\condition zero\hl.exe:Half-Life Launcher
"UDP Query User{C3B98723-11BF-4562-9213-6DD20D23231E}C:\\valve\\condition zero\\hl.exe"= TCP:C:\valve\condition zero\hl.exe:Half-Life Launcher
"{E45B55EF-162D-4587-A885-F32DD51D911C}"= UDP:C:\Program Files\Bonjour\mDNSResponder.exe:Bonjour
"{28A250F8-0A98-4172-BA31-6CC6A9E3A6E1}"= TCP:C:\Program Files\Bonjour\mDNSResponder.exe:Bonjour
"{2CA34C90-DD5B-4EA1-9940-0F88BD0C81B0}"= TCP:67:DHCP Discovery Service
"{EB8D2610-B5A3-4A5C-8519-648EB89CAE5D}"= UDP:C:\Program Files\uTorrent\uTorrent.exe:µTorrent
"{26C051ED-DEAE-471F-82DA-32137AE25F1F}"= TCP:C:\Program Files\uTorrent\uTorrent.exe:µTorrent
"TCP Query User{5B321763-B180-4E91-8CBC-39AC63D6DCF9}C:\\program files\\warcraft iii\\war3.exe"= UDP:C:\program files\warcraft iii\war3.exe:Warcraft III
"UDP Query User{7BBBB66B-9444-4A78-BD62-3516A1073685}C:\\program files\\warcraft iii\\war3.exe"= TCP:C:\program files\warcraft iii\war3.exe:Warcraft III
"{027C62EB-F615-4738-86E8-4942215E1DF3}"= TCP:67:DHCP Discovery Service
"TCP Query User{79930AE0-D7DC-428F-863C-F212654D1F84}C:\\program files\\warcraft iii\\war3.exe"= UDP:C:\program files\warcraft iii\war3.exe:Warcraft III
"UDP Query User{933A6C1A-3DED-42D5-AEC9-07965CEF46D5}C:\\program files\\warcraft iii\\war3.exe"= TCP:C:\program files\warcraft iii\war3.exe:Warcraft III
"TCP Query User{D72E124F-0489-4936-B416-11017B143CC5}C:\\q3ademo\\quake3.exe"= UDP:C:\q3ademo\quake3.exe:quake3
"UDP Query User{13A1D4BC-1E8D-48B8-88D7-5B9EF762F422}C:\\q3ademo\\quake3.exe"= TCP:C:\q3ademo\quake3.exe:quake3
"TCP Query User{1ECD0BED-AB97-4A8A-A0DA-5911DDD0C7F2}C:\\program files\\unreal tournament 3\\binaries\\ut3.exe"= UDP:C:\program files\unreal tournament 3\binaries\ut3.exe:UT3
"UDP Query User{89EC90D4-65F2-498B-AA4C-AE352D083A11}C:\\program files\\unreal tournament 3\\binaries\\ut3.exe"= TCP:C:\program files\unreal tournament 3\binaries\ut3.exe:UT3
"{9883F2F8-E758-4740-844D-CA2C369AF64A}"= UDP:C:\Program Files\Pure Networks\Network Magic\nmsrvc.exe:Pure Networks Network Magic Service
"{B4E28C47-3024-4106-9376-E04A7C254A54}"= TCP:C:\Program Files\Pure Networks\Network Magic\nmsrvc.exe:Pure Networks Network Magic Service

R0 PSDFilter;PSDFilter;C:\Windows\system32\DRIVERS\psdfilter.sys [2007-04-26 07:34]
R0 PSDNServ;PSDNSERVER;C:\Windows\system32\drivers\PSDNServ.sys [2007-04-26 07:34]
R0 psdvdisk;psdvdisk;C:\Windows\system32\drivers\psdvdisk.sys [2007-04-26 07:34]
R1 KLIM6;Kaspersky Anti-Virus NDIS 6 Filter;C:\Windows\system32\DRIVERS\klim6.sys [2007-10-16 11:05]
R2 {49DE1C67-83F8-4102-99E0-C16DCC7EEC796};{49DE1C67-83F8-4102-99E0-C16DCC7EEC796};C:\Program Files\Acer Arcade Deluxe\Play Movie\000.fcl [2006-11-03 08:51]
R2 {95808DC4-FA4A-4c74-92FE-5B863F82066B};{95808DC4-FA4A-4c74-92FE-5B863F82066B};C:\Program Files\CyberLink\PowerDVD\000.fcl [2006-11-02 16:51]
R2 ALaunchService;ALaunch Service;C:\Acer\ALaunch\ALaunchSvc.exe [2007-01-27 05:24]
R2 eDataSecurity Service;eDataSecurity Service;"C:\Acer\Empowering Technology\eDataSecurity\eDSService.exe" [2007-04-26 07:34]
R2 eNet Service;eNet Service;C:\Acer\Empowering Technology\eNet\eNet Service.exe [2007-06-14 07:54]
R2 eSettingsService;eSettings Service;C:\Acer\Empowering Technology\eSettings\Service\capuserv.exe [2007-06-29 09:50]
R2 ithsgt;ithsgt;C:\Windows\system32\DRIVERS\ithsgt.sys [2008-03-18 22:12]
R2 lilsgt;lilsgt;C:\Windows\system32\DRIVERS\lilsgt.sys [2008-03-18 22:12]
R2 MobilityService;MobilityService;C:\Acer\Mobility Center\MobilityService.exe [2006-11-25 03:57]
R2 SQLWriter;SQL Server VSS Writer;"C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe" [2007-02-10 05:29]
R2 WMIService;ePower Service;C:\Acer\Empowering Technology\ePower\ePowerSvc.exe [2007-06-14 03:23]
R2 XAudio;XAudio;C:\Windows\system32\DRIVERS\xaudio.sys [2007-06-26 15:33]
R3 libusb0;LibUsb-Win32 - Kernel Driver, Version 0.1.10.1;C:\Windows\system32\drivers\libusb0.sys [2005-03-09 20:50]
R3 Tetris;Tetris driver;C:\Windows\system32\Drivers\Tetris.sys [2008-03-20 19:35]
R3 winbondcir;Winbond IR Transceiver;C:\Windows\system32\DRIVERS\winbondcir.sys [2007-04-19 15:09]
S2 AcronisOSSReinstallSvc;Acronis OS Selector Reinstall Service;"C:\Program Files\Common Files\Acronis\Acronis Disk Director\oss_reinstall_svc.exe" [2007-02-22 19:53]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;C:\Windows\system32\DRIVERS\b57nd60x.sys [2007-02-08 15:03]
S3 btwaudio;Bluetooth Audio Device Service;C:\Windows\system32\drivers\btwaudio.sys [2007-03-30 03:46]
S3 btwavdt;Bluetooth AVDT Service;C:\Windows\system32\drivers\btwavdt.sys [2007-02-27 14:20]
S3 btwrchid;btwrchid;C:\Windows\system32\DRIVERS\btwrchid.sys [2007-02-27 14:20]
S3 NSNDIS5;NSNDIS5 NDIS Protocol Driver;C:\Windows\system32\NSNDIS5.SYS [2004-03-24 10:12]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;"C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe" /service msvsmon80 []

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs REG_MULTI_SZ BthServ

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6ed470c2-f650-11dc-a7f2-d6d303039dab}]
\shell\AutoRun\command - C:\Windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe killVBS.vbs

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7f6b10c4-f4f4-11dc-a22f-001de03086bd}]
\shell\AutoRun\command - E:\vs\autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9b2e65fb-ecc7-11dc-9e23-001de03086bd}]
\shell\AutoRun\command - G:\
\shell\explore\Command - WScript.exe .\__.vbs
\shell\open\Command - WScript.exe .\__.vbs

.
Contents of the 'Scheduled Tasks' folder
"2008-05-27 06:59:56 C:\Windows\Tasks\User_Feed_Synchronization-{CC37677D-DB97-4C60-A857-052C8F5211D0}.job"
- C:\Windows\system32\msfeedssync.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-27 17:45:49
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\Windows\Explorer.exe
-> C:\Windows\system32\rhxefvbj.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Windows\System32\audiodg.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Acer\Empowering Technology\eLock\Service\eLockServ.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe
C:\Windows\System32\libusbd-nt.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\microsoft shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\Windows\System32\drivers\XAudio.exe
C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe
C:\Program Files\Pure Networks\Network Magic\nmsrvc.exe
C:\Windows\System32\wbem\unsecapp.exe
C:\Windows\System32\conime.exe
C:\Program Files\Launch Manager\QtZgAcer.EXE
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe
C:\Users\Owner\AppData\Local\Temp\RtkBtMnt.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Windows\ehome\ehmsas.exe
C:\Acer\Empowering Technology\eNet\eNMTray.exe
C:\Acer\Empowering Technology\ePower\ePower_DMC.exe
C:\Acer\Empowering Technology\Acer.Empowering.Framework.Supervisor.exe
C:\Acer\Empowering Technology\eRecovery\eRAgent.exe
C:\Windows\System32\wbem\unsecapp.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
.
**************************************************************************
.
Completion time: 2008-05-27 18:08:34 - machine was rebooted [Owner]
ComboFix-quarantined-files.txt 2008-05-27 10:06:46

Pre-Run: 50,449,707,008 bytes free
Post-Run: 50,715,717,632 bytes free

386 --- E O F --- 2008-05-23 07:33:19


---

Please help :thumbsup:

#2 ken545
Malware Response Team, 1,685 posts
Gender: Male
Location: The Space Coast of Florida

Posted 27 June 2008 - 07:39 AM

Hello annon

Welcome to the Bleeping Computer Malware Removal Forum. Sorry about the delay, but the number of people posting with infected computers is through the roof, and sometimes we can't get to logs as fast as we would like to. If you have not resolved your issue and still need assistance, please post a new HJT log, as your system may have changed since your original post.

Download Trend Micro's HijackThis to your desktop.
Double-click it to install.
Follow the prompts; by default it will install to C:\Program Files\Trendmicro\Hijackthis\HijackThis.exe
  • Open HJT and click Scan and Save a Log File; the log will open in Notepad
  • Go to Format and make sure Word Wrap is unchecked
  • Go to Edit > Select All, then Edit > Copy, and paste the new log into this thread using Post Reply, not by starting a New Thread.
DO NOT have HijackThis fix anything yet. Most of what it finds will be harmless or even required.


Ken

Consumer Security 2007-2008-2009-2010-2011-2012-2013-2014

Please consider a donation to help me keep up my fight against malware.

Just a reminder that threads will be closed if no response in 3 days


#3 ken545
Malware Response Team, 1,685 posts
Gender: Male
Location: The Space Coast of Florida

Posted 07 July 2008 - 03:52 AM

Due to inactivity, this thread will now be closed. If you need this topic reopened, please contact a Staff member. Include the address of this thread in your request. This applies only to the original topic starter. Should you have a new issue, please start a New Topic.
