Help I Seem To Have Trojan Virtumonde


12 replies to this topic

#1 LUKEB_82

Posted 29 May 2008 - 11:52 AM

Hello, my name is Luke.

I am new to the whole blog thing, but now I've joined I would really appreciate somebody's help regarding malware. I have this virus that seems to be attacking and freezing me out of my Control Panel. I have a small Windows Security Alert shield that keeps popping up in my system tray. I turned my Windows Firewall off as I have the BullGuard firewall in use, however when I go to my Control Panel and click the security shield icon it states it's turned on?? Bizarre. I also have constant pop-ups when I am using IE and BullGuard constantly tells me TROJAN_VIRTUMONDE or TROJAN_Generic is trying to attack. I've tried ComboFix and god knows how many system scans, it just won't go away. I have recently created a log with HijackThis... please could somebody help me with my problem.




Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:43:52, on 29/05/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\BullGuard Software\BullGuard\BullGuardUpdate.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
c:\apps\Powercinema\Kernel\TV\CLCapSvc.exe
c:\APPS\Powercinema\Kernel\CLML_NTService\CLMLServer.exe
c:\APPS\Powercinema\Kernel\CLML_NTService\CLMLService.exe
C:\WINDOWS\system32\gearsec.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\spm\spmd.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
c:\apps\Powercinema\Kernel\TV\CLSched.exe
C:\WINDOWS\sm56hlpr.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Common Files\Ulead Systems\AutoDetector\monitor.exe
C:\apps\Powercinema\PCMService.exe
C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
C:\WINDOWS\system32\atwtusb.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\APPS\SMP\SmpSys.exe
C:\Program Files\BullGuard Software\BullGuard\bullguard.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
C:\Program Files\IEEE 802.11g Wireless LAN Utility\WlanUtl.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
D:\Documents and Settings\Luke\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {514A5C49-0C7D-42c3-A71B-38864A269B7A} - C:\WINDOWS\system32\xlbsvffj.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (file missing)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [Vade Retro Outlook Express] "C:\PROGRA~1\GOTOSO~1\VADERE~1\Vaderetro_oe.exe"
O4 - HKLM\..\Run: [Ulead AutoDetector v2] C:\Program Files\Common Files\Ulead Systems\AutoDetector\monitor.exe
O4 - HKLM\..\Run: [PCMService] "c:\apps\Powercinema\PCMService.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32"
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
O4 - HKLM\..\Run: [atwtusb] atwtusb.exe beta
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [\\USER-8B2A3BCE77\EPSON Stylus C46 Series (Copy 1)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0T1.EXE /P50 "\\USER-8B2A3BCE77\EPSON Stylus C46 Series (Copy 1)" /O6 "USB001" /M "Stylus C46"
O4 - HKLM\..\Run: [BullGuard] "C:\Program Files\BullGuard Software\BullGuard\bullguard.exe" -boot
O4 - HKLM\..\Run: [SDFix] C:\SDFIX\RunThis.bat /second
O4 - HKCU\..\Run: [SmpcSys] C:\APPS\SMP\SmpSys.exe
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [BullGuard] "C:\Program Files\BullGuard Software\BullGuard\bullguard.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Device Detector 3.lnk = C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
O4 - Global Startup: IEEE 802.11g Wireless LAN Utility.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (file missing)
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=file://C:\APPS\IE\offline\uk.htm
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: BullGuard LiveUpdate (BGLiveSvc) - BullGuard Software - C:\Program Files\BullGuard Software\BullGuard\BullGuardUpdate.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Unknown owner - C:\Program Files\Bonjour\mDNSResponder.exe (file missing)
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - c:\apps\Powercinema\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - c:\apps\Powercinema\Kernel\TV\CLSched.exe
O23 - Service: CyberLink Media Library Service - Cyberlink - c:\APPS\Powercinema\Kernel\CLML_NTService\CLMLServer.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: gearsec - GEAR Software - C:\WINDOWS\system32\gearsec.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SPM License Server (spmd) - mental images GmbH - C:\spm\spmd.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

--
End of file - 10999 bytes

Edited by LUKEB_82, 29 May 2008 - 11:56 AM.



#2 teacup61

  • Malware Response Team

Posted 29 May 2008 - 12:14 PM

Hello LUKEB_82,

Welcome to Bleeping Computer :thumbsup:

Please delete the ComboFix you have now and its accompanying folder C:\Qoobox. Empty your Recycle bin and reboot your computer.

Please run HijackThis! and click "Scan." Place checks next to the following entries, if present:

O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
O2 - BHO: (no name) - {514A5C49-0C7D-42c3-A71B-38864A269B7A} - C:\WINDOWS\system32\xlbsvffj.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O4 - HKLM\..\Run: [SDFix] C:\SDFIX\RunThis.bat /second
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
<-----it's never good to have P2P running on startup.

Close all browsers and other windows except for HijackThis!, and click "Fix checked".

Reboot your computer.

This tool is not a toy. If used the wrong way you could trash your computer. Please use only under direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.

1. Download this file - combofix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply please, along with a new HijackThis log.

Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall.

Thanks,
tea
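The entries teacup61 picked out above follow a few mechanical rules: a registered file that no longer exists ("(file missing)" / "(no file)"), an unnamed BHO pointing at a random-named DLL in system32, and a batch file or a P2P client sitting in a Run key. The script below is an added example, not part of this thread and not HijackThis's own code; it applies those rules to a constructed sample of O2/O3/O4 lines modelled on the log above. The eight-lowercase-letter filename test and the list of P2P executables are assumptions of this example, used as heuristics rather than proof of infection.

```python
import re
from typing import List, Tuple

# Constructed sample: a few O2/O3/O4 lines in HijackThis 2.0.2 format, modelled on
# the entries teacup61 asked to fix (not the complete log from the thread).
SAMPLE_HJT_LOG = r"""
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {514A5C49-0C7D-42c3-A71B-38864A269B7A} - C:\WINDOWS\system32\xlbsvffj.dll
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SDFix] C:\SDFIX\RunThis.bat /second
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
"""

# O2 (BHO) and O3 (toolbar) entries: "<kind> - <name> - {CLSID} - <path>"
HOOK_RE = re.compile(r"^O([23]) - (?:BHO|Toolbar): (.*?) - (\{[0-9A-Fa-f-]{36}\}) - (.*)$")
# O4 autostart entries: "O4 - HKxx\..\Run: [<value name>] <command line>"
RUN_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\Run: \[(.*?)\] (.*)$")
# Heuristic (assumption of this example): Virtumonde-style names are eight lowercase
# letters. xlbsvffj.dll in the thread fits; legitimate files occasionally do too.
RANDOM_NAME_RE = re.compile(r"^[a-z]{8}\.(?:dll|exe)$")
# Constructed list of P2P clients that appear elsewhere in the thread's logs
P2P_EXES = {"bittorrent.exe", "utorrent.exe", "azureus.exe"}
EXE_RE = re.compile(r"([\w.-]+\.exe)", re.IGNORECASE)


def triage_hjt(log_text: str) -> List[Tuple[str, str]]:
    """Return (line, reason) pairs for HijackThis entries worth a second look."""
    findings: List[Tuple[str, str]] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        hook = HOOK_RE.match(line)
        if hook:
            _kind, name, _clsid, target = hook.groups()
            if target.endswith("(file missing)") or target == "(no file)":
                findings.append((line, "orphaned entry: registered file no longer exists"))
            elif (name == "(no name)"
                  and "\\system32\\" in target.lower()
                  and RANDOM_NAME_RE.match(target.rsplit("\\", 1)[-1].lower())):
                findings.append((line, "unnamed BHO/toolbar loading a random-named DLL from system32"))
            continue
        run = RUN_RE.match(line)
        if run:
            _hive, _value_name, cmd = run.groups()
            exe = EXE_RE.search(cmd)
            if exe and exe.group(1).lower() in P2P_EXES:
                findings.append((line, "P2P client set to autostart"))
            elif ".bat" in cmd.lower():
                findings.append((line, "autostart runs a batch file; check for leftover cleanup tools"))
    return findings


if __name__ == "__main__":
    for entry, why in triage_hjt(SAMPLE_HJT_LOG):
        print(f"{why}\n    {entry}")
```

Orphaned entries are harmless but are what HijackThis's "Fix checked" is for; the unnamed-BHO rule is the one that actually points at the infection here, and a hit on it should be confirmed (file size, timestamps, AV detection) rather than acted on blindly, since the name pattern alone is only a heuristic.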

#3 LUKEB_82

Posted 29 May 2008 - 12:19 PM

Thank you very much for replying, I will do that right away.

Might be a while as my computer is running slow.

Cheers


Luke

#4 LUKEB_82

Posted 29 May 2008 - 12:59 PM

Here is the ComboFix log... whilst this was working my BullGuard kept popping up with virus threats but blocking them!


ComboFix 08-05-29.1 - Luke 2008-05-29 18:54:10.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.491 [GMT 1:00]
Running from: D:\Documents and Settings\Luke\Desktop\ComboFix.exe
* Created a new restore point
* Resident AV is active

.

((((((((((((((((((((((((( Files Created from 2008-04-28 to 2008-05-29 )))))))))))))))))))))))))))))))
.

2008-05-29 16:56 . 2008-05-29 16:56 92,160 --a------ C:\WINDOWS\system32\ywgfffrj.dll.vir
2008-05-29 16:56 . 2008-05-29 16:56 92,160 --a------ C:\WINDOWS\system32\yfirwtgu.dll.vir
2008-05-29 16:56 . 2008-05-29 16:56 92,160 --a------ C:\WINDOWS\system32\xlbsvffj.dll.vir
2008-05-29 16:56 . 2008-05-29 16:56 92,160 --a------ C:\WINDOWS\system32\tpxyalmq.dll.vir
2008-05-29 16:56 . 2008-05-29 16:56 92,160 --a------ C:\WINDOWS\system32\hspvrkag.dll.vir
2008-05-29 11:16 . 2006-05-25 15:52 162,304 --a------ C:\WINDOWS\system32\ztvunrar36.dll
2008-05-29 11:16 . 2003-02-02 20:06 153,088 --a------ C:\WINDOWS\system32\unrar3.dll
2008-05-29 11:16 . 2005-08-26 01:50 77,312 --a------ C:\WINDOWS\system32\ztvunace26.dll
2008-05-29 11:16 . 2002-03-06 01:00 75,264 --a------ C:\WINDOWS\system32\unacev2.dll
2008-05-29 11:16 . 2006-06-19 13:01 69,632 --a------ C:\WINDOWS\system32\ztvcabinet.dll
2008-05-29 11:15 . 2008-05-29 11:16 <DIR> d-------- D:\Documents and Settings\Luke\Application Data\Simply Super Software
2008-05-29 11:15 . 2008-05-29 11:15 <DIR> d-------- D:\Documents and Settings\All Users\Application Data\Simply Super Software
2008-05-28 18:36 . 2008-05-28 18:36 <DIR> d-------- D:\Documents and Settings\Luke\Application Data\Talkback
2008-05-28 17:57 . 2008-05-28 18:57 <DIR> d-------- D:\Documents and Settings\All Users\Application Data\Google Updater
2008-05-28 17:42 . 2008-05-28 17:42 <DIR> d--hs---- D:\Documents and Settings\NetworkService.NT AUTHORITY.001
2008-05-28 17:42 . 2008-05-28 17:42 <DIR> d--hs---- D:\Documents and Settings\LocalService.NT AUTHORITY.001
2008-05-28 17:36 . 2008-05-28 17:40 <DIR> d--hs---- C:\RECYCLER(2)
2008-05-28 14:10 . 2008-05-28 14:10 <DIR> d-------- D:\Documents and Settings\Luke\Application Data\Malwarebytes
2008-05-28 14:10 . 2008-05-28 14:10 <DIR> d-------- D:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-05-28 14:10 . 2008-05-28 14:10 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-05-28 14:10 . 2008-05-05 20:46 27,048 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-05-28 14:10 . 2008-05-05 20:46 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-05-28 13:52 . 2008-05-28 13:52 2,560 --a------ C:\WINDOWS\system32\yodmwwtj.exe
2008-05-28 13:46 . 2008-05-28 13:46 92,160 --a------ C:\WINDOWS\system32\xlbsvffj.dll
2008-05-28 13:12 . 2008-05-28 13:12 <DIR> d-------- C:\WINDOWS\ERUNT
2008-05-28 12:51 . 2008-05-28 12:51 2,560 --a------ C:\WINDOWS\system32\lrcymxwh.exe
2008-05-27 12:03 . 2008-05-27 12:03 <DIR> d-------- D:\Documents and Settings\Administrator\Application Data\BullGuard
2008-05-27 12:00 . 2006-07-05 00:01 <DIR> d-------- D:\Documents and Settings\Administrator\Application Data\You've Got Pictures Screensaver
2008-05-27 12:00 . 2008-05-28 17:41 <DIR> d-------- D:\Documents and Settings\Administrator
2008-05-27 00:22 . 2008-05-27 00:22 2,560 --a------ C:\WINDOWS\system32\rjtoafbn.exe
2008-05-27 00:12 . 2008-05-27 00:12 92,160 --a------ C:\WINDOWS\system32\tpxyalmq.dll
2008-05-25 16:28 . 2008-05-27 00:10 894 ---hs---- C:\WINDOWS\system32\usqipmks.ini
2008-05-25 16:22 . 2008-05-25 16:22 2,560 --a------ C:\WINDOWS\system32\ffbjlfdr.exe
2008-05-25 16:20 . 2008-05-25 16:20 92,160 --a------ C:\WINDOWS\system32\ywgfffrj.dll
2008-05-25 15:08 . 2008-05-29 00:15 <DIR> d-------- D:\Documents and Settings\Luke\Application Data\BullGuard
2008-05-25 15:08 . 2008-05-29 18:52 <DIR> d-------- D:\Documents and Settings\All Users\Application Data\BullGuard
2008-05-25 15:08 . 2008-05-25 15:24 50,896 --a------ C:\WINDOWS\system32\drivers\BdFileSpy.sys
2008-05-25 15:07 . 2008-05-25 15:07 <DIR> d-------- C:\Program Files\BullGuard Software
2008-05-25 13:29 . 2008-05-25 13:29 2,560 --a------ C:\WINDOWS\system32\jqvqedhr.exe
2008-05-25 13:23 . 2008-05-25 15:18 594 ---hs---- C:\WINDOWS\system32\uyehqpke.ini
2008-05-24 13:28 . 2008-05-24 13:28 2,560 --a------ C:\WINDOWS\system32\pemeoeqd.exe
2008-05-24 13:13 . 2008-05-24 13:13 92,160 --a------ C:\WINDOWS\system32\yfirwtgu.dll
2008-05-24 13:13 . 2008-05-25 13:18 414 ---hs---- C:\WINDOWS\system32\ylncgpgy.ini
2008-05-23 12:54 . 2008-05-23 12:54 2,560 --a------ C:\WINDOWS\system32\rvnhgosd.exe
2008-05-23 12:47 . 2008-05-23 13:55 474 ---hs---- C:\WINDOWS\system32\sjxmqxgb.ini
2008-05-23 12:46 . 2008-05-23 12:46 92,160 --a------ C:\WINDOWS\system32\hspvrkag.dll
2008-05-22 16:40 . 2008-05-22 16:40 <DIR> d-------- D:\Documents and Settings\Luke\Application Data\AVS4YOU
2008-05-22 16:40 . 2008-05-22 16:40 <DIR> d-------- D:\Documents and Settings\All Users\Application Data\AVS4YOU
2008-05-22 16:39 . 2008-05-23 13:43 <DIR> d-------- C:\Program Files\Common Files\AVSMedia
2008-05-22 16:39 . 2007-02-27 19:36 974,848 --a------ C:\WINDOWS\system32\mfc70.dll
2008-05-22 16:39 . 2007-02-27 19:36 24,576 --a------ C:\WINDOWS\system32\msxml3a.dll
2008-04-29 14:28 . 2008-04-29 14:28 <DIR> d-------- D:\Documents and Settings\All Users\Application Data\NCH Software

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-29 15:48 --------- d-----w D:\Documents and Settings\Luke\Application Data\Azureus
2008-05-29 13:09 --------- d---a-w D:\Documents and Settings\All Users\Application Data\TEMP
2008-05-28 23:28 --------- d-----w C:\Program Files\Bonjour
2008-05-28 16:57 --------- d-----w C:\Program Files\Google
2008-05-26 00:32 --------- d-----w D:\Documents and Settings\All Users\Application Data\Symantec
2008-05-26 00:30 --------- d-----w C:\Program Files\Symantec
2008-05-26 00:30 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-05-25 14:25 14,152 ----a-w C:\WINDOWS\system32\lccl.dll
2008-05-25 14:25 14,152 ----a-w C:\WINDOWS\system32\client_cc.dll
2008-05-25 14:24 20,048 ----a-w C:\WINDOWS\system32\BgOutlookHook.dll
2008-05-23 12:40 --------- d-----w C:\Program Files\1Click DVD Ripper
2008-04-21 15:52 12,288 ----a-w C:\WINDOWS\impborl.dll
2008-04-21 14:09 --------- d-----w C:\Program Files\Sony
2008-04-21 14:04 --------- d-----w C:\Program Files\Sony Setup
2008-04-21 12:58 464,112 ----a-w C:\WINDOWS\fishies.scr
2008-04-21 12:58 463,068 ----a-w C:\WINDOWS\fishies.exe
2008-04-21 12:58 40,960 ----a-w C:\WINDOWS\fishies.dll
2008-04-08 19:34 --------- d-----w C:\Program Files\Azureus
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll
2008-03-27 08:12 151,583 ------w C:\WINDOWS\system32\dllcache\msjint40.dll
2008-03-22 12:24 107,888 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-19 09:47 1,845,248 ------w C:\WINDOWS\system32\dllcache\win32k.sys
2006-07-19 08:40 252 ----a-w D:\Documents and Settings\Luke\Application Data\wklnhst.dat
2006-06-23 10:38 248 ----a-w D:\Documents and Settings\Luke Barrett.049752020030.000\n.bat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SmpcSys"="C:\APPS\SMP\SmpSys.exe" [2005-11-17 09:51 975360]
"BullGuard"="C:\Program Files\BullGuard Software\BullGuard\bullguard.exe" [2008-05-25 15:23 308552]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-05-28 17:57 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 14:00 455168]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 14:00 455168]
"SMSERIAL"="sm56hlpr.exe" [2005-10-18 12:14 557056 C:\WINDOWS\sm56hlpr.exe]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2005-08-02 16:35 7110656]
"nwiz"="nwiz.exe" [2005-08-02 16:35 1519616 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2005-08-02 16:35 86016]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2005-01-07 17:07 61952 C:\WINDOWS\system32\HdAShCut.exe]
"RTHDCPL"="RTHDCPL.EXE" [2005-12-09 16:49 15691264 C:\WINDOWS\RTHDCPL.exe]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe" [2005-06-03 03:52 36975]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [2006-04-04 16:13 26112]
"Vade Retro Outlook Express"="C:\PROGRA~1\GOTOSO~1\VADERE~1\Vaderetro_oe.exe" [ ]
"Ulead AutoDetector v2"="C:\Program Files\Common Files\Ulead Systems\AutoDetector\monitor.exe" [2004-11-26 11:43 90112]
"PCMService"="c:\apps\Powercinema\PCMService.exe" [2005-11-16 14:11 143360]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-04 14:00 208952]
"LVCOMS"="C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE" [2003-09-04 10:45 135214]
"atwtusb"="atwtusb.exe" [2005-09-21 18:08 290816 C:\WINDOWS\system32\ATWTUSB.EXE]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-09-24 03:24 282624]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-09-25 15:54 229952]
"NeroCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2007-01-08 20:38 155648]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-03-12 18:30 517768]
"\\USER-8B2A3BCE77\EPSON Stylus C46 Series (Copy 1)"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0T1.exe" [2004-01-13 19:00 99840]
"BullGuard"="C:\Program Files\BullGuard Software\BullGuard\bullguard.exe" [2008-05-25 15:23 308552]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 14:00 15360]

D:\Documents and Settings\Luke\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-08-07 16:35:01 113664]

D:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-08-07 16:35:01 113664]
Device Detector 3.lnk - C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe [2008-02-02 16:15:58 114688]
IEEE 802.11g Wireless LAN Utility.lnk - C:\Program Files\IEEE 802.11g Wireless LAN Utility\WlanUtl.exe [2006-07-04 17:40:38 843776]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.dvacm"= C:\PROGRA~1\COMMON~1\ULEADS~1\Vio\Dvacm.acm
"msacm.ulmp3acm"= C:\PROGRA~1\COMMON~1\ULEADS~1\MPEG\ulmp3acm.acm
"msacm.mpegacm"= C:\PROGRA~1\COMMON~1\ULEADS~1\MPEG\mpegacm.acm
"VIDC.MFZ0"= MyFlashZip0.ax

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%ProgramFiles%\\AOL 9.0\\aol.exe"=
"%ProgramFiles%\\UBISOFT\\Splinter Cell Pandora Tomorrow\\logo_ubi.exe"=
"%ProgramFiles%\\UBISOFT\\Splinter Cell Pandora Tomorrow\\pandora.exe"=
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\utorrent\\utorrent.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\Sports Interactive\\Football Manager 2008\\fm.exe"=
"C:\\WINDOWS\\system32\\winver.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"10093:TCP"= 10093:TCP:10093
"10093:UDP"= 10093:UDP:10093
"10094:TCP"= 10094:TCP:10094
"10094:UDP"= 10094:UDP:10094

R1 VFILT;BullGuard Firewall Kernel Driver;C:\Program Files\BullGuard Software\BullGuard\FwEngine\FiltNt.sys [2006-11-02 12:36]
R2 BdFileSpy;BullGuard File Monitor Driver;C:\WINDOWS\system32\drivers\BdFileSpy.sys [2008-05-25 15:24]
R2 BsFileScan;BullGuard File Scan Service;C:\WINDOWS\System32\svchost.exe [2004-08-04 14:00]
R2 BsFwall;BullGuard Firewall Service;C:\WINDOWS\System32\svchost.exe [2004-08-04 14:00]
R2 gearsec;gearsec;C:\WINDOWS\system32\gearsec.exe [2003-12-01 15:27]
R3 NBXG750;NB 802.11g XG750 Driver;C:\WINDOWS\system32\DRIVERS\WlanUTG.sys [2005-04-01 16:46]
R3 PROTECT.DLL;BullGuard Firewall Protection Plugin;C:\Program Files\BullGuard Software\BullGuard\FwEngine\Protect.dll [2006-11-02 12:36]
R3 Reconn;BullGuard Email Monitor;C:\Program Files\BullGuard Software\BullGuard\reconn.sys [2008-05-25 15:24]
S1 aiptektp;HyperPen;C:\WINDOWS\system32\DRIVERS\aiptektp.sys [2004-07-07 16:02]
S3 ADBLOCK.DLL;BullGuard Firewall Adware Plugin;C:\Program Files\BullGuard Software\BullGuard\FwEngine\AdBlock.dll []
S3 HTMLFILT.DLL;BullGuard Firewall HTML Plugin;C:\Program Files\BullGuard Software\BullGuard\FwEngine\HtmlFilt.dll []
S3 HTTPFILT.DLL;BullGuard Firewall HTTP Plugin;C:\Program Files\BullGuard Software\BullGuard\FwEngine\HttpFilt.dll []
S3 PID_0920;Logitech QuickCam Express(PID_0920);C:\WINDOWS\system32\DRIVERS\LV532AV.SYS [2003-09-04 10:38]
S3 ss_bus;SAMSUNG Mobile USB Device 1.0 driver (WDM);C:\WINDOWS\system32\DRIVERS\ss_bus.sys [2005-08-30 18:57]
S3 ss_mdfl;SAMSUNG Mobile USB Modem 1.0 Filter;C:\WINDOWS\system32\DRIVERS\ss_mdfl.sys [2005-08-30 18:58]
S3 ss_mdm;SAMSUNG Mobile USB Modem 1.0 Drivers;C:\WINDOWS\system32\DRIVERS\ss_mdm.sys [2005-08-30 18:59]
S3 VNUSB;VN Series Device;C:\WINDOWS\system32\DRIVERS\VNUSB.sys [2003-12-15 19:22]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
BullGuard REG_MULTI_SZ BgMainSvc BsFileScan BsMailProxy
BullGuardFw REG_MULTI_SZ BsFwall

*Newly Created Service* - CATCHME
*Newly Created Service* - PCANDIS5
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-29 18:57:03
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"\\\\USER-8B2A3BCE77\\EPSON Stylus C46 Series (Copy 1)"="C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\E_S4I0T1.EXE /P50 \"\\\\USER-8B2A3BCE77\\EPSON Stylus C46 Series (Copy 1)\" /O6 \"USB001\" /M \"Stylus C46\""
.
Completion time: 2008-05-29 18:58:07
ComboFix-quarantined-files.txt 2008-05-29 17:57:47
ComboFix2.txt 2008-05-29 16:05:36

Pre-Run: 15,668,166,656 bytes free
Post-Run: 15,653,072,896 bytes free

196 --- E O F --- 2008-05-28 16:53:51
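The "Files Created" section of the ComboFix log above shows the Virtumonde (also known as Vundo) dropper pattern plainly: a fresh 92,160-byte DLL and a 2,560-byte EXE with random eight-letter names land in system32 roughly once a day, hidden+system .ini files appear alongside them, and the copies renamed with a .vir suffix are the DLLs ComboFix has already moved out of the way (the quarantine list it references at the end of the log). The script below is an added example, not ComboFix's own tooling and not something posted in the thread; it parses a constructed subset of those lines and groups random-named system32 files by extension and size, so the same-size clusters stand out from the legitimate files created in the same window. The naming and size heuristics are assumptions drawn from this one log, not a general signature.

```python
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample in ComboFix's "Files Created" format, modelled on a subset of
# the entries in the log above (not the full log).
SAMPLE_COMBOFIX_LOG = r"""
2008-05-29 16:56 . 2008-05-29 16:56 92,160 --a------ C:\WINDOWS\system32\xlbsvffj.dll.vir
2008-05-29 16:56 . 2008-05-29 16:56 92,160 --a------ C:\WINDOWS\system32\tpxyalmq.dll.vir
2008-05-29 11:16 . 2003-02-02 20:06 153,088 --a------ C:\WINDOWS\system32\unrar3.dll
2008-05-28 17:42 . 2008-05-28 17:42 <DIR> d--hs---- D:\Documents and Settings\LocalService.NT AUTHORITY.001
2008-05-28 14:10 . 2008-05-05 20:46 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-05-28 13:52 . 2008-05-28 13:52 2,560 --a------ C:\WINDOWS\system32\yodmwwtj.exe
2008-05-28 13:46 . 2008-05-28 13:46 92,160 --a------ C:\WINDOWS\system32\xlbsvffj.dll
2008-05-28 12:51 . 2008-05-28 12:51 2,560 --a------ C:\WINDOWS\system32\lrcymxwh.exe
2008-05-27 00:22 . 2008-05-27 00:22 2,560 --a------ C:\WINDOWS\system32\rjtoafbn.exe
2008-05-27 00:12 . 2008-05-27 00:12 92,160 --a------ C:\WINDOWS\system32\tpxyalmq.dll
2008-05-25 16:28 . 2008-05-27 00:10 894 ---hs---- C:\WINDOWS\system32\usqipmks.ini
2008-05-25 16:20 . 2008-05-25 16:20 92,160 --a------ C:\WINDOWS\system32\ywgfffrj.dll
2008-05-25 13:23 . 2008-05-25 15:18 594 ---hs---- C:\WINDOWS\system32\uyehqpke.ini
"""

# One entry per line: "<created> . <modified> <size or <DIR>> <attrs> <path>"
ENTRY_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. (\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+"
    r"([\d,]+|<DIR>)\s+([a-z-]{9})\s+(.*)$"
)
# Heuristic (assumption of this example): eight lowercase letters plus dll/exe
RANDOM_NAME_RE = re.compile(r"^[a-z]{8}\.(dll|exe)$")

Cluster = Dict[Tuple[str, int], List[str]]


def cluster_dropper_files(log_text: str) -> Tuple[Cluster, List[str], List[str]]:
    """Return (clusters, hidden_system, quarantined) for a Files Created section.

    clusters maps (extension, size_in_bytes) -> paths of random-named system32 files;
    hidden_system lists non-directory entries carrying both the h and s attributes;
    quarantined lists entries ComboFix has already renamed with a .vir suffix.
    """
    clusters: Cluster = defaultdict(list)
    hidden_system: List[str] = []
    quarantined: List[str] = []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue
        _created, _modified, size, attrs, path = m.groups()
        base = path.rsplit("\\", 1)[-1].lower()
        is_dir = size == "<DIR>" or attrs.startswith("d")
        if base.endswith(".vir"):
            quarantined.append(path)
            continue
        if not is_dir and "h" in attrs and "s" in attrs:
            hidden_system.append(path)
        name_match = RANDOM_NAME_RE.match(base)
        if name_match and "\\system32\\" in path.lower():
            clusters[(name_match.group(1), int(size.replace(",", "")))].append(path)
    return dict(clusters), hidden_system, quarantined


def suspicious_clusters(clusters: Cluster, min_members: int = 2) -> Cluster:
    """Keep only (extension, size) groups with several members: one random name is
    noise, several identical-size random names created on different days is a dropper."""
    return {key: paths for key, paths in clusters.items() if len(paths) >= min_members}


if __name__ == "__main__":
    clusters, hidden, quarantined = cluster_dropper_files(SAMPLE_COMBOFIX_LOG)
    for (ext, size), paths in suspicious_clusters(clusters).items():
        print(f"{len(paths)} x .{ext} of {size} bytes:")
        for p in paths:
            print("   ", p)
    print("hidden+system files:", hidden)
    print("already quarantined:", quarantined)
```

Against the full log this groups five 92,160-byte DLLs and seven 2,560-byte EXEs; the EXE created a few minutes after each DLL is the part of the chain worth keeping an eye on, because ComboFix's catchme pass reported no hidden files, yet fresh EXEs were still being dropped the day before this run.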

#5 LUKEB_82

Posted 29 May 2008 - 01:01 PM

And here is the new HijackThis log:




Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:00:22, on 29/05/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\BullGuard Software\BullGuard\BullGuardUpdate.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
c:\apps\Powercinema\Kernel\TV\CLCapSvc.exe
c:\APPS\Powercinema\Kernel\CLML_NTService\CLMLServer.exe
c:\APPS\Powercinema\Kernel\CLML_NTService\CLMLService.exe
C:\WINDOWS\system32\gearsec.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\spm\spmd.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
c:\apps\Powercinema\Kernel\TV\CLSched.exe
C:\WINDOWS\sm56hlpr.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Common Files\Ulead Systems\AutoDetector\monitor.exe
C:\apps\Powercinema\PCMService.exe
C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
C:\WINDOWS\system32\atwtusb.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\APPS\SMP\SmpSys.exe
C:\Program Files\BullGuard Software\BullGuard\bullguard.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\Documents and Settings\Luke\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [Vade Retro Outlook Express] "C:\PROGRA~1\GOTOSO~1\VADERE~1\Vaderetro_oe.exe"
O4 - HKLM\..\Run: [Ulead AutoDetector v2] C:\Program Files\Common Files\Ulead Systems\AutoDetector\monitor.exe
O4 - HKLM\..\Run: [PCMService] "c:\apps\Powercinema\PCMService.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32"
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
O4 - HKLM\..\Run: [atwtusb] atwtusb.exe beta
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [\\USER-8B2A3BCE77\EPSON Stylus C46 Series (Copy 1)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0T1.EXE /P50 "\\USER-8B2A3BCE77\EPSON Stylus C46 Series (Copy 1)" /O6 "USB001" /M "Stylus C46"
O4 - HKLM\..\Run: [BullGuard] "C:\Program Files\BullGuard Software\BullGuard\bullguard.exe" -boot
O4 - HKCU\..\Run: [SmpcSys] C:\APPS\SMP\SmpSys.exe
O4 - HKCU\..\Run: [BullGuard] "C:\Program Files\BullGuard Software\BullGuard\bullguard.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Device Detector 3.lnk = C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
O4 - Global Startup: IEEE 802.11g Wireless LAN Utility.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=file://C:\APPS\IE\offline\uk.htm
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: BullGuard LiveUpdate (BGLiveSvc) - BullGuard Software - C:\Program Files\BullGuard Software\BullGuard\BullGuardUpdate.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Unknown owner - C:\Program Files\Bonjour\mDNSResponder.exe (file missing)
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - c:\apps\Powercinema\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - c:\apps\Powercinema\Kernel\TV\CLSched.exe
O23 - Service: CyberLink Media Library Service - Cyberlink - c:\APPS\Powercinema\Kernel\CLML_NTService\CLMLServer.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: gearsec - GEAR Software - C:\WINDOWS\system32\gearsec.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SPM License Server (spmd) - mental images GmbH - C:\spm\spmd.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

--
End of file - 10042 bytes

#6 LUKEB_82

LUKEB_82
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:10:06 PM

Posted 29 May 2008 - 01:06 PM

I noticed a "catchme" thing on one of the logs... is this the virus????

#7 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:04:06 PM

Posted 29 May 2008 - 01:36 PM

I noticed a "catchme" thing on one of the logs... is this the virus????

Nope.....it's part of the tools we use. Please disable Bullguard and run ComboFix again to be sure it didn't interfere with any removals it might have needed to do.

Thanks,
tea:)
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?

#8 LUKEB_82

LUKEB_82
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:10:06 PM

Posted 29 May 2008 - 04:27 PM

I disabled BullGuard and re-ran ComboFix... is everything in working order? Touch wood, it seems to be running smoothly... has the virus been wiped? How can I make sure it doesn't come back or isn't still lurking about?


ComboFix 08-05-29.1 - Luke 2008-05-29 22:21:22.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.44.1033.18.531 [GMT 1:00]
Running from: D:\Documents and Settings\Luke\Desktop\ComboFix.exe
* Resident AV is active

.

((((((((((((((((((((((((( Files Created from 2008-04-28 to 2008-05-29 )))))))))))))))))))))))))))))))
.

2008-05-29 16:56 . 2008-05-29 16:56 92,160 --a------ C:\WINDOWS\system32\ywgfffrj.dll.vir
2008-05-29 16:56 . 2008-05-29 16:56 92,160 --a------ C:\WINDOWS\system32\yfirwtgu.dll.vir
2008-05-29 16:56 . 2008-05-29 16:56 92,160 --a------ C:\WINDOWS\system32\xlbsvffj.dll.vir
2008-05-29 16:56 . 2008-05-29 16:56 92,160 --a------ C:\WINDOWS\system32\tpxyalmq.dll.vir
2008-05-29 16:56 . 2008-05-29 16:56 92,160 --a------ C:\WINDOWS\system32\hspvrkag.dll.vir
2008-05-29 11:16 . 2006-05-25 15:52 162,304 --a------ C:\WINDOWS\system32\ztvunrar36.dll
2008-05-29 11:16 . 2003-02-02 20:06 153,088 --a------ C:\WINDOWS\system32\unrar3.dll
2008-05-29 11:16 . 2005-08-26 01:50 77,312 --a------ C:\WINDOWS\system32\ztvunace26.dll
2008-05-29 11:16 . 2002-03-06 01:00 75,264 --a------ C:\WINDOWS\system32\unacev2.dll
2008-05-29 11:16 . 2006-06-19 13:01 69,632 --a------ C:\WINDOWS\system32\ztvcabinet.dll
2008-05-29 11:15 . 2008-05-29 11:16 <DIR> d-------- D:\Documents and Settings\Luke\Application Data\Simply Super Software
2008-05-29 11:15 . 2008-05-29 11:15 <DIR> d-------- D:\Documents and Settings\All Users\Application Data\Simply Super Software
2008-05-28 18:36 . 2008-05-28 18:36 <DIR> d-------- D:\Documents and Settings\Luke\Application Data\Talkback
2008-05-28 17:57 . 2008-05-29 19:58 <DIR> d-------- D:\Documents and Settings\All Users\Application Data\Google Updater
2008-05-28 17:42 . 2008-05-28 17:42 <DIR> d--hs---- D:\Documents and Settings\NetworkService.NT AUTHORITY.001
2008-05-28 17:42 . 2008-05-28 17:42 <DIR> d--hs---- D:\Documents and Settings\LocalService.NT AUTHORITY.001
2008-05-28 17:36 . 2008-05-28 17:40 <DIR> d--hs---- C:\RECYCLER(2)
2008-05-28 14:10 . 2008-05-28 14:10 <DIR> d-------- D:\Documents and Settings\Luke\Application Data\Malwarebytes
2008-05-28 14:10 . 2008-05-28 14:10 <DIR> d-------- D:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-05-28 14:10 . 2008-05-28 14:10 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-05-28 14:10 . 2008-05-05 20:46 27,048 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-05-28 14:10 . 2008-05-05 20:46 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-05-28 13:52 . 2008-05-28 13:52 2,560 --a------ C:\WINDOWS\system32\yodmwwtj.exe
2008-05-28 13:46 . 2008-05-28 13:46 92,160 --a------ C:\WINDOWS\system32\xlbsvffj.dll
2008-05-28 13:12 . 2008-05-28 13:12 <DIR> d-------- C:\WINDOWS\ERUNT
2008-05-28 12:51 . 2008-05-28 12:51 2,560 --a------ C:\WINDOWS\system32\lrcymxwh.exe
2008-05-27 12:03 . 2008-05-27 12:03 <DIR> d-------- D:\Documents and Settings\Administrator\Application Data\BullGuard
2008-05-27 12:00 . 2006-07-05 00:01 <DIR> d-------- D:\Documents and Settings\Administrator\Application Data\You've Got Pictures Screensaver
2008-05-27 12:00 . 2008-05-28 17:41 <DIR> d-------- D:\Documents and Settings\Administrator
2008-05-27 00:22 . 2008-05-27 00:22 2,560 --a------ C:\WINDOWS\system32\rjtoafbn.exe
2008-05-27 00:12 . 2008-05-27 00:12 92,160 --a------ C:\WINDOWS\system32\tpxyalmq.dll
2008-05-25 16:28 . 2008-05-27 00:10 894 ---hs---- C:\WINDOWS\system32\usqipmks.ini
2008-05-25 16:22 . 2008-05-25 16:22 2,560 --a------ C:\WINDOWS\system32\ffbjlfdr.exe
2008-05-25 16:20 . 2008-05-25 16:20 92,160 --a------ C:\WINDOWS\system32\ywgfffrj.dll
2008-05-25 15:08 . 2008-05-29 00:15 <DIR> d-------- D:\Documents and Settings\Luke\Application Data\BullGuard
2008-05-25 15:08 . 2008-05-29 22:19 <DIR> d-------- D:\Documents and Settings\All Users\Application Data\BullGuard
2008-05-25 15:08 . 2008-05-25 15:24 50,896 --a------ C:\WINDOWS\system32\drivers\BdFileSpy.sys
2008-05-25 15:07 . 2008-05-25 15:07 <DIR> d-------- C:\Program Files\BullGuard Software
2008-05-25 13:29 . 2008-05-25 13:29 2,560 --a------ C:\WINDOWS\system32\jqvqedhr.exe
2008-05-25 13:23 . 2008-05-25 15:18 594 ---hs---- C:\WINDOWS\system32\uyehqpke.ini
2008-05-24 13:28 . 2008-05-24 13:28 2,560 --a------ C:\WINDOWS\system32\pemeoeqd.exe
2008-05-24 13:13 . 2008-05-24 13:13 92,160 --a------ C:\WINDOWS\system32\yfirwtgu.dll
2008-05-24 13:13 . 2008-05-25 13:18 414 ---hs---- C:\WINDOWS\system32\ylncgpgy.ini
2008-05-23 12:54 . 2008-05-23 12:54 2,560 --a------ C:\WINDOWS\system32\rvnhgosd.exe
2008-05-23 12:47 . 2008-05-23 13:55 474 ---hs---- C:\WINDOWS\system32\sjxmqxgb.ini
2008-05-23 12:46 . 2008-05-23 12:46 92,160 --a------ C:\WINDOWS\system32\hspvrkag.dll
2008-05-22 16:40 . 2008-05-22 16:40 <DIR> d-------- D:\Documents and Settings\Luke\Application Data\AVS4YOU
2008-05-22 16:40 . 2008-05-22 16:40 <DIR> d-------- D:\Documents and Settings\All Users\Application Data\AVS4YOU
2008-05-22 16:39 . 2008-05-23 13:43 <DIR> d-------- C:\Program Files\Common Files\AVSMedia
2008-05-22 16:39 . 2007-02-27 19:36 974,848 --a------ C:\WINDOWS\system32\mfc70.dll
2008-05-22 16:39 . 2007-02-27 19:36 24,576 --a------ C:\WINDOWS\system32\msxml3a.dll
2008-04-29 14:28 . 2008-04-29 14:28 <DIR> d-------- D:\Documents and Settings\All Users\Application Data\NCH Software

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-29 15:48 --------- d-----w D:\Documents and Settings\Luke\Application Data\Azureus
2008-05-29 13:09 --------- d---a-w D:\Documents and Settings\All Users\Application Data\TEMP
2008-05-28 23:28 --------- d-----w C:\Program Files\Bonjour
2008-05-28 16:57 --------- d-----w C:\Program Files\Google
2008-05-26 00:32 --------- d-----w D:\Documents and Settings\All Users\Application Data\Symantec
2008-05-26 00:30 --------- d-----w C:\Program Files\Symantec
2008-05-26 00:30 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-05-25 14:25 14,152 ----a-w C:\WINDOWS\system32\lccl.dll
2008-05-25 14:25 14,152 ----a-w C:\WINDOWS\system32\client_cc.dll
2008-05-25 14:24 20,048 ----a-w C:\WINDOWS\system32\BgOutlookHook.dll
2008-05-23 12:40 --------- d-----w C:\Program Files\1Click DVD Ripper
2008-04-21 15:52 12,288 ----a-w C:\WINDOWS\impborl.dll
2008-04-21 14:09 --------- d-----w C:\Program Files\Sony
2008-04-21 14:04 --------- d-----w C:\Program Files\Sony Setup
2008-04-21 12:58 464,112 ----a-w C:\WINDOWS\fishies.scr
2008-04-21 12:58 463,068 ----a-w C:\WINDOWS\fishies.exe
2008-04-21 12:58 40,960 ----a-w C:\WINDOWS\fishies.dll
2008-04-08 19:34 --------- d-----w C:\Program Files\Azureus
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll
2008-03-27 08:12 151,583 ------w C:\WINDOWS\system32\dllcache\msjint40.dll
2008-03-22 12:24 107,888 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-19 09:47 1,845,248 ------w C:\WINDOWS\system32\dllcache\win32k.sys
2006-07-19 08:40 252 ----a-w D:\Documents and Settings\Luke\Application Data\wklnhst.dat
2006-06-23 10:38 248 ----a-w D:\Documents and Settings\Luke Barrett.049752020030.000\n.bat
.

((((((((((((((((((((((((((((( snapshot@2008-05-29_18.57.33.92 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-29 17:50:19 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-29 21:17:54 2,048 --s-a-w C:\WINDOWS\bootstat.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SmpcSys"="C:\APPS\SMP\SmpSys.exe" [2005-11-17 09:51 975360]
"BullGuard"="C:\Program Files\BullGuard Software\BullGuard\bullguard.exe" [2008-05-25 15:23 308552]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-05-28 17:57 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 14:00 455168]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 14:00 455168]
"SMSERIAL"="sm56hlpr.exe" [2005-10-18 12:14 557056 C:\WINDOWS\sm56hlpr.exe]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2005-08-02 16:35 7110656]
"nwiz"="nwiz.exe" [2005-08-02 16:35 1519616 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2005-08-02 16:35 86016]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2005-01-07 17:07 61952 C:\WINDOWS\system32\HdAShCut.exe]
"RTHDCPL"="RTHDCPL.EXE" [2005-12-09 16:49 15691264 C:\WINDOWS\RTHDCPL.exe]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe" [2005-06-03 03:52 36975]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [2006-04-04 16:13 26112]
"Vade Retro Outlook Express"="C:\PROGRA~1\GOTOSO~1\VADERE~1\Vaderetro_oe.exe" [ ]
"Ulead AutoDetector v2"="C:\Program Files\Common Files\Ulead Systems\AutoDetector\monitor.exe" [2004-11-26 11:43 90112]
"PCMService"="c:\apps\Powercinema\PCMService.exe" [2005-11-16 14:11 143360]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-04 14:00 208952]
"LVCOMS"="C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE" [2003-09-04 10:45 135214]
"atwtusb"="atwtusb.exe" [2005-09-21 18:08 290816 C:\WINDOWS\system32\ATWTUSB.EXE]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-09-24 03:24 282624]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-09-25 15:54 229952]
"NeroCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2007-01-08 20:38 155648]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-03-12 18:30 517768]
"\\USER-8B2A3BCE77\EPSON Stylus C46 Series (Copy 1)"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0T1.exe" [2004-01-13 19:00 99840]
"BullGuard"="C:\Program Files\BullGuard Software\BullGuard\bullguard.exe" [2008-05-25 15:23 308552]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 14:00 15360]

D:\Documents and Settings\Luke\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-08-07 16:35:01 113664]

D:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-08-07 16:35:01 113664]
Device Detector 3.lnk - C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe [2008-02-02 16:15:58 114688]
IEEE 802.11g Wireless LAN Utility.lnk - C:\Program Files\IEEE 802.11g Wireless LAN Utility\WlanUtl.exe [2006-07-04 17:40:38 843776]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.dvacm"= C:\PROGRA~1\COMMON~1\ULEADS~1\Vio\Dvacm.acm
"msacm.ulmp3acm"= C:\PROGRA~1\COMMON~1\ULEADS~1\MPEG\ulmp3acm.acm
"msacm.mpegacm"= C:\PROGRA~1\COMMON~1\ULEADS~1\MPEG\mpegacm.acm
"VIDC.MFZ0"= MyFlashZip0.ax

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%ProgramFiles%\\AOL 9.0\\aol.exe"=
"%ProgramFiles%\\UBISOFT\\Splinter Cell Pandora Tomorrow\\logo_ubi.exe"=
"%ProgramFiles%\\UBISOFT\\Splinter Cell Pandora Tomorrow\\pandora.exe"=
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\utorrent\\utorrent.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\Sports Interactive\\Football Manager 2008\\fm.exe"=
"C:\\WINDOWS\\system32\\winver.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"10093:TCP"= 10093:TCP:10093
"10093:UDP"= 10093:UDP:10093
"10094:TCP"= 10094:TCP:10094
"10094:UDP"= 10094:UDP:10094

R1 VFILT;BullGuard Firewall Kernel Driver;C:\Program Files\BullGuard Software\BullGuard\FwEngine\FiltNt.sys [2006-11-02 12:36]
R2 BdFileSpy;BullGuard File Monitor Driver;C:\WINDOWS\system32\drivers\BdFileSpy.sys [2008-05-25 15:24]
R2 BsFileScan;BullGuard File Scan Service;C:\WINDOWS\System32\svchost.exe [2004-08-04 14:00]
R2 BsFwall;BullGuard Firewall Service;C:\WINDOWS\System32\svchost.exe [2004-08-04 14:00]
R2 gearsec;gearsec;C:\WINDOWS\system32\gearsec.exe [2003-12-01 15:27]
R3 NBXG750;NB 802.11g XG750 Driver;C:\WINDOWS\system32\DRIVERS\WlanUTG.sys [2005-04-01 16:46]
R3 Reconn;BullGuard Email Monitor;C:\Program Files\BullGuard Software\BullGuard\reconn.sys [2008-05-25 15:24]
S1 aiptektp;HyperPen;C:\WINDOWS\system32\DRIVERS\aiptektp.sys [2004-07-07 16:02]
S3 ADBLOCK.DLL;BullGuard Firewall Adware Plugin;C:\Program Files\BullGuard Software\BullGuard\FwEngine\AdBlock.dll []
S3 HTMLFILT.DLL;BullGuard Firewall HTML Plugin;C:\Program Files\BullGuard Software\BullGuard\FwEngine\HtmlFilt.dll []
S3 HTTPFILT.DLL;BullGuard Firewall HTTP Plugin;C:\Program Files\BullGuard Software\BullGuard\FwEngine\HttpFilt.dll []
S3 PID_0920;Logitech QuickCam Express(PID_0920);C:\WINDOWS\system32\DRIVERS\LV532AV.SYS [2003-09-04 10:38]
S3 PROTECT.DLL;BullGuard Firewall Protection Plugin;C:\Program Files\BullGuard Software\BullGuard\FwEngine\Protect.dll [2006-11-02 12:36]
S3 ss_bus;SAMSUNG Mobile USB Device 1.0 driver (WDM);C:\WINDOWS\system32\DRIVERS\ss_bus.sys [2005-08-30 18:57]
S3 ss_mdfl;SAMSUNG Mobile USB Modem 1.0 Filter;C:\WINDOWS\system32\DRIVERS\ss_mdfl.sys [2005-08-30 18:58]
S3 ss_mdm;SAMSUNG Mobile USB Modem 1.0 Drivers;C:\WINDOWS\system32\DRIVERS\ss_mdm.sys [2005-08-30 18:59]
S3 VNUSB;VN Series Device;C:\WINDOWS\system32\DRIVERS\VNUSB.sys [2003-12-15 19:22]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
BullGuard REG_MULTI_SZ BgMainSvc BsFileScan BsMailProxy
BullGuardFw REG_MULTI_SZ BsFwall

.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-29 22:24:05
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"\\\\USER-8B2A3BCE77\\EPSON Stylus C46 Series (Copy 1)"="C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\E_S4I0T1.EXE /P50 \"\\\\USER-8B2A3BCE77\\EPSON Stylus C46 Series (Copy 1)\" /O6 \"USB001\" /M \"Stylus C46\""
.
Completion time: 2008-05-29 22:25:02
ComboFix-quarantined-files.txt 2008-05-29 21:24:49
ComboFix2.txt 2008-05-29 17:58:08
ComboFix3.txt 2008-05-29 16:05:36

Pre-Run: 15,716,646,912 bytes free
Post-Run: 15,701,757,952 bytes free

199 --- E O F --- 2008-05-28 16:53:51

#9 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:04:06 PM

Posted 29 May 2008 - 04:58 PM

Hello,

Glad it's running better. :thumbsup: Still some to do though:

* Open notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text in the quote box below into notepad:

File::
C:\WINDOWS\system32\ywgfffrj.dll.vir
C:\WINDOWS\system32\yfirwtgu.dll.vir
C:\WINDOWS\system32\xlbsvffj.dll.vir
C:\WINDOWS\system32\tpxyalmq.dll.vir
C:\WINDOWS\system32\hspvrkag.dll.vir
C:\WINDOWS\system32\yodmwwtj.exe
C:\WINDOWS\system32\xlbsvffj.dll
C:\WINDOWS\system32\lrcymxwh.exe
C:\WINDOWS\system32\tpxyalmq.dll
C:\WINDOWS\system32\usqipmks.ini
C:\WINDOWS\system32\ffbjlfdr.exe
C:\WINDOWS\system32\ywgfffrj.dll
C:\WINDOWS\system32\jqvqedhr.exe
C:\WINDOWS\system32\uyehqpke.ini
C:\WINDOWS\system32\pemeoeqd.exe
C:\WINDOWS\system32\yfirwtgu.dll
C:\WINDOWS\system32\ylncgpgy.ini
C:\WINDOWS\system32\rvnhgosd.exe
C:\WINDOWS\system32\sjxmqxgb.ini
C:\WINDOWS\system32\hspvrkag.dll


Save this as a text file named CFScript.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

Posted Image

This will start ComboFix again.

After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

Thanks,
tea
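As an added illustration (editor's example, not code from this thread, from ComboFix or from BullGuard): a small Python parser that reads the "Files Created" rows of a ComboFix log like the one posted above and flags the entries that match what tea listed for removal, then prints them in the File:: form her CFScript uses. The row format is taken from that log; the naming heuristic (eight random lowercase letters dropped directly in system32 as .dll/.exe/.ini, their .vir quarantine copies, or hidden+system attributes) is an assumption drawn only from the files in this thread, and the sample rows are an excerpt of that log with two benign rows kept to show they are not flagged.

```python
"""Flag random-name droppings in a ComboFix "Files Created" section.

Added example, not code from this thread, ComboFix or BullGuard. The log row
format is taken from the log posted above; the naming heuristic is an
assumption drawn only from the files tea listed for removal in this thread.
"""
import re
from typing import List, NamedTuple, Optional

# One "Files Created" row, e.g.
#   2008-05-28 13:52 . 2008-05-28 13:52 2,560 --a------ C:\WINDOWS\system32\yodmwwtj.exe
LINE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size><DIR>|[\d,]+) (?P<attrs>[-a-z]{9}) (?P<path>.+?)\s*$"
)

SYSTEM32 = "c:\\windows\\system32\\"
# Eight random lowercase letters as .dll/.exe/.ini, optionally with ComboFix's .vir quarantine suffix.
RANDOM_NAME = re.compile(r"^[a-z]{8}\.(dll|exe|ini)(\.vir)?$")


class Entry(NamedTuple):
    created: str
    modified: str
    size: Optional[int]  # None for <DIR> rows
    attrs: str
    path: str


def parse_created_section(text: str) -> List[Entry]:
    """Return the file rows of a ComboFix 'Files Created' section; banners and '.' rows are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        size = None if m["size"] == "<DIR>" else int(m["size"].replace(",", ""))
        entries.append(Entry(m["created"], m["modified"], size, m["attrs"], m["path"]))
    return entries


def is_suspicious(e: Entry) -> bool:
    """Heuristic (assumption): a file dropped directly in system32 whose name is eight
    random letters, or that carries hidden+system attributes like the .ini files above."""
    if e.size is None:
        return False
    p = e.path.lower()
    if not p.startswith(SYSTEM32):
        return False
    name = p[len(SYSTEM32):]
    if "\\" in name:  # drivers\, dllcache\ and other subdirectories are a different question
        return False
    hidden_system = "h" in e.attrs and "s" in e.attrs
    return bool(RANDOM_NAME.match(name)) or hidden_system


def flagged_paths(entries: List[Entry]) -> List[str]:
    """Paths that match the heuristic, in log order."""
    return [e.path for e in entries if is_suspicious(e)]


def cfscript_file_block(entries: List[Entry]) -> str:
    """Render the flagged paths in the File:: form used by the CFScript in this thread."""
    paths = sorted(set(flagged_paths(entries)), key=str.lower)
    return "File::\n" + "\n".join(paths) + "\n"


# Excerpt of the log posted above; unrar3.dll, mbam.sys, ERUNT and mfc70.dll are benign controls.
SAMPLE_LOG = r"""
2008-05-29 16:56 . 2008-05-29 16:56 92,160 --a------ C:\WINDOWS\system32\ywgfffrj.dll.vir
2008-05-29 11:16 . 2003-02-02 20:06 153,088 --a------ C:\WINDOWS\system32\unrar3.dll
2008-05-28 14:10 . 2008-05-05 20:46 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-05-28 13:52 . 2008-05-28 13:52 2,560 --a------ C:\WINDOWS\system32\yodmwwtj.exe
2008-05-28 13:46 . 2008-05-28 13:46 92,160 --a------ C:\WINDOWS\system32\xlbsvffj.dll
2008-05-28 13:12 . 2008-05-28 13:12 <DIR> d-------- C:\WINDOWS\ERUNT
2008-05-25 16:28 . 2008-05-27 00:10 894 ---hs---- C:\WINDOWS\system32\usqipmks.ini
2008-05-22 16:39 . 2007-02-27 19:36 974,848 --a------ C:\WINDOWS\system32\mfc70.dll
"""

if __name__ == "__main__":
    print(cfscript_file_block(parse_created_section(SAMPLE_LOG)))
```

The heuristic is a triage aid for reading a log, not a verdict: a name that happens to be eight letters long is a reason to check the file's signer, size and creation time against the rest of the log, the way tea cross-checked the HijackThis and ComboFix output above, before putting it in a removal script.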

#10 LUKEB_82

LUKEB_82
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:10:06 PM

Posted 31 May 2008 - 07:22 AM

This is the ComboFix log, and on reboot all these new viruses came through. I had no problems before running the last ComboFix???


ComboFix 08-05-29.1 - Luke 2008-05-31 13:08:05.4 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.476 [GMT 1:00]
Running from: D:\Documents and Settings\Luke\Desktop\ComboFix.exe
Command switches used :: D:\Documents and Settings\Luke\Desktop\CFScript.txt
* Created a new restore point
* Resident AV is active


FILE ::
C:\WINDOWS\system32\ffbjlfdr.exe
C:\WINDOWS\system32\hspvrkag.dll
C:\WINDOWS\system32\hspvrkag.dll.vir
C:\WINDOWS\system32\jqvqedhr.exe
C:\WINDOWS\system32\lrcymxwh.exe
C:\WINDOWS\system32\pemeoeqd.exe
C:\WINDOWS\system32\rvnhgosd.exe
C:\WINDOWS\system32\sjxmqxgb.ini
C:\WINDOWS\system32\tpxyalmq.dll
C:\WINDOWS\system32\tpxyalmq.dll.vir
C:\WINDOWS\system32\usqipmks.ini
C:\WINDOWS\system32\uyehqpke.ini
C:\WINDOWS\system32\xlbsvffj.dll
C:\WINDOWS\system32\xlbsvffj.dll.vir
C:\WINDOWS\system32\yfirwtgu.dll
C:\WINDOWS\system32\yfirwtgu.dll.vir
C:\WINDOWS\system32\ylncgpgy.ini
C:\WINDOWS\system32\yodmwwtj.exe
C:\WINDOWS\system32\ywgfffrj.dll
C:\WINDOWS\system32\ywgfffrj.dll.vir
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\ffbjlfdr.exe
C:\WINDOWS\system32\hspvrkag.dll
C:\WINDOWS\system32\hspvrkag.dll.vir
C:\WINDOWS\system32\jqvqedhr.exe
C:\WINDOWS\system32\lrcymxwh.exe
C:\WINDOWS\system32\pemeoeqd.exe
C:\WINDOWS\system32\rvnhgosd.exe
C:\WINDOWS\system32\sjxmqxgb.ini
C:\WINDOWS\system32\tpxyalmq.dll
C:\WINDOWS\system32\tpxyalmq.dll.vir
C:\WINDOWS\system32\usqipmks.ini
C:\WINDOWS\system32\uyehqpke.ini
C:\WINDOWS\system32\xlbsvffj.dll
C:\WINDOWS\system32\xlbsvffj.dll.vir
C:\WINDOWS\system32\yfirwtgu.dll
C:\WINDOWS\system32\yfirwtgu.dll.vir
C:\WINDOWS\system32\ylncgpgy.ini
C:\WINDOWS\system32\yodmwwtj.exe
C:\WINDOWS\system32\ywgfffrj.dll
C:\WINDOWS\system32\ywgfffrj.dll.vir

.
((((((((((((((((((((((((( Files Created from 2008-04-28 to 2008-05-31 )))))))))))))))))))))))))))))))
.

2008-05-29 11:16 . 2006-05-25 15:52 162,304 --a------ C:\WINDOWS\system32\ztvunrar36.dll
2008-05-29 11:16 . 2003-02-02 20:06 153,088 --a------ C:\WINDOWS\system32\unrar3.dll
2008-05-29 11:16 . 2005-08-26 01:50 77,312 --a------ C:\WINDOWS\system32\ztvunace26.dll
2008-05-29 11:16 . 2002-03-06 01:00 75,264 --a------ C:\WINDOWS\system32\unacev2.dll
2008-05-29 11:16 . 2006-06-19 13:01 69,632 --a------ C:\WINDOWS\system32\ztvcabinet.dll
2008-05-29 11:15 . 2008-05-29 11:16 <DIR> d-------- D:\Documents and Settings\Luke\Application Data\Simply Super Software
2008-05-29 11:15 . 2008-05-29 11:15 <DIR> d-------- D:\Documents and Settings\All Users\Application Data\Simply Super Software
2008-05-28 18:36 . 2008-05-28 18:36 <DIR> d-------- D:\Documents and Settings\Luke\Application Data\Talkback
2008-05-28 17:57 . 2008-05-30 20:59 <DIR> d-------- D:\Documents and Settings\All Users\Application Data\Google Updater
2008-05-28 17:42 . 2008-05-28 17:42 <DIR> d--hs---- D:\Documents and Settings\NetworkService.NT AUTHORITY.001
2008-05-28 17:42 . 2008-05-28 17:42 <DIR> d--hs---- D:\Documents and Settings\LocalService.NT AUTHORITY.001
2008-05-28 17:36 . 2008-05-28 17:40 <DIR> d--hs---- C:\RECYCLER(2)
2008-05-28 14:10 . 2008-05-28 14:10 <DIR> d-------- D:\Documents and Settings\Luke\Application Data\Malwarebytes
2008-05-28 14:10 . 2008-05-28 14:10 <DIR> d-------- D:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-05-28 14:10 . 2008-05-28 14:10 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-05-28 14:10 . 2008-05-05 20:46 27,048 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-05-28 14:10 . 2008-05-05 20:46 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-05-28 13:12 . 2008-05-28 13:12 <DIR> d-------- C:\WINDOWS\ERUNT
2008-05-27 12:03 . 2008-05-27 12:03 <DIR> d-------- D:\Documents and Settings\Administrator\Application Data\BullGuard
2008-05-27 12:00 . 2006-07-05 00:01 <DIR> d-------- D:\Documents and Settings\Administrator\Application Data\You've Got Pictures Screensaver
2008-05-27 12:00 . 2008-05-28 17:41 <DIR> d-------- D:\Documents and Settings\Administrator
2008-05-27 00:22 . 2008-05-27 00:22 2,560 --a------ C:\WINDOWS\system32\rjtoafbn.exe
2008-05-25 15:08 . 2008-05-29 00:15 <DIR> d-------- D:\Documents and Settings\Luke\Application Data\BullGuard
2008-05-25 15:08 . 2008-05-31 13:05 <DIR> d-------- D:\Documents and Settings\All Users\Application Data\BullGuard
2008-05-25 15:08 . 2008-05-25 15:24 50,896 --a------ C:\WINDOWS\system32\drivers\BdFileSpy.sys
2008-05-25 15:07 . 2008-05-25 15:07 <DIR> d-------- C:\Program Files\BullGuard Software
2008-05-22 16:40 . 2008-05-22 16:40 <DIR> d-------- D:\Documents and Settings\Luke\Application Data\AVS4YOU
2008-05-22 16:40 . 2008-05-22 16:40 <DIR> d-------- D:\Documents and Settings\All Users\Application Data\AVS4YOU
2008-05-22 16:39 . 2008-05-23 13:43 <DIR> d-------- C:\Program Files\Common Files\AVSMedia
2008-05-22 16:39 . 2007-02-27 19:36 974,848 --a------ C:\WINDOWS\system32\mfc70.dll
2008-05-22 16:39 . 2007-02-27 19:36 24,576 --a------ C:\WINDOWS\system32\msxml3a.dll
2008-04-29 14:28 . 2008-04-29 14:28 <DIR> d-------- D:\Documents and Settings\All Users\Application Data\NCH Software
2008-04-21 16:52 . 2008-04-21 16:52 12,288 --a------ C:\WINDOWS\impborl.dll
2008-04-21 15:04 . 2008-04-21 15:04 <DIR> d-------- C:\Program Files\Sony Setup
2008-04-21 13:58 . 2008-04-21 13:58 464,112 --a------ C:\WINDOWS\fishies.scr
2008-04-21 13:58 . 2008-04-21 13:58 463,068 --a------ C:\WINDOWS\fishies.exe
2008-04-21 13:58 . 2008-04-21 13:58 40,960 --a------ C:\WINDOWS\fishies.dll
2008-04-21 13:58 . 2008-04-21 13:58 18,192 --a------ C:\WINDOWS\fishies.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-29 15:48 --------- d-----w D:\Documents and Settings\Luke\Application Data\Azureus
2008-05-29 13:09 --------- d---a-w D:\Documents and Settings\All Users\Application Data\TEMP
2008-05-28 23:28 --------- d-----w C:\Program Files\Bonjour
2008-05-28 16:57 --------- d-----w C:\Program Files\Google
2008-05-26 00:32 --------- d-----w D:\Documents and Settings\All Users\Application Data\Symantec
2008-05-26 00:30 --------- d-----w C:\Program Files\Symantec
2008-05-26 00:30 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-05-23 12:40 --------- d-----w C:\Program Files\1Click DVD Ripper
2008-04-21 14:09 --------- d-----w C:\Program Files\Sony
2008-04-08 19:34 --------- d-----w C:\Program Files\Azureus
2006-07-19 08:40 252 ----a-w D:\Documents and Settings\Luke\Application Data\wklnhst.dat
2006-06-23 10:38 248 ----a-w D:\Documents and Settings\Luke Barrett.049752020030.000\n.bat
.

((((((((((((((((((((((((((((( snapshot@2008-05-29_18.57.33.92 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-29 17:50:19 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-31 12:14:18 2,048 --s-a-w C:\WINDOWS\bootstat.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SmpcSys"="C:\APPS\SMP\SmpSys.exe" [2005-11-17 09:51 975360]
"BullGuard"="C:\Program Files\BullGuard Software\BullGuard\bullguard.exe" [2008-05-25 15:23 308552]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-05-28 17:57 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 14:00 455168]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 14:00 455168]
"SMSERIAL"="sm56hlpr.exe" [2005-10-18 12:14 557056 C:\WINDOWS\sm56hlpr.exe]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2005-08-02 16:35 7110656]
"nwiz"="nwiz.exe" [2005-08-02 16:35 1519616 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2005-08-02 16:35 86016]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2005-01-07 17:07 61952 C:\WINDOWS\system32\HdAShCut.exe]
"RTHDCPL"="RTHDCPL.EXE" [2005-12-09 16:49 15691264 C:\WINDOWS\RTHDCPL.exe]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe" [2005-06-03 03:52 36975]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [2006-04-04 16:13 26112]
"Vade Retro Outlook Express"="C:\PROGRA~1\GOTOSO~1\VADERE~1\Vaderetro_oe.exe" [ ]
"Ulead AutoDetector v2"="C:\Program Files\Common Files\Ulead Systems\AutoDetector\monitor.exe" [2004-11-26 11:43 90112]
"PCMService"="c:\apps\Powercinema\PCMService.exe" [2005-11-16 14:11 143360]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-04 14:00 208952]
"LVCOMS"="C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE" [2003-09-04 10:45 135214]
"atwtusb"="atwtusb.exe" [2005-09-21 18:08 290816 C:\WINDOWS\system32\ATWTUSB.EXE]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-09-24 03:24 282624]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-09-25 15:54 229952]
"NeroCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2007-01-08 20:38 155648]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-03-12 18:30 517768]
"\\USER-8B2A3BCE77\EPSON Stylus C46 Series (Copy 1)"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0T1.exe" [2004-01-13 19:00 99840]
"BullGuard"="C:\Program Files\BullGuard Software\BullGuard\bullguard.exe" [2008-05-25 15:23 308552]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 14:00 15360]

D:\Documents and Settings\Luke\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-08-07 16:35:01 113664]

D:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-08-07 16:35:01 113664]
Device Detector 3.lnk - C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe [2008-02-02 16:15:58 114688]
IEEE 802.11g Wireless LAN Utility.lnk - C:\Program Files\IEEE 802.11g Wireless LAN Utility\WlanUtl.exe [2006-07-04 17:40:38 843776]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.dvacm"= C:\PROGRA~1\COMMON~1\ULEADS~1\Vio\Dvacm.acm
"msacm.ulmp3acm"= C:\PROGRA~1\COMMON~1\ULEADS~1\MPEG\ulmp3acm.acm
"msacm.mpegacm"= C:\PROGRA~1\COMMON~1\ULEADS~1\MPEG\mpegacm.acm
"VIDC.MFZ0"= MyFlashZip0.ax

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%ProgramFiles%\\AOL 9.0\\aol.exe"=
"%ProgramFiles%\\UBISOFT\\Splinter Cell Pandora Tomorrow\\logo_ubi.exe"=
"%ProgramFiles%\\UBISOFT\\Splinter Cell Pandora Tomorrow\\pandora.exe"=
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\utorrent\\utorrent.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\Sports Interactive\\Football Manager 2008\\fm.exe"=
"C:\\WINDOWS\\system32\\winver.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"10093:TCP"= 10093:TCP:10093
"10093:UDP"= 10093:UDP:10093
"10094:TCP"= 10094:TCP:10094
"10094:UDP"= 10094:UDP:10094

R1 VFILT;BullGuard Firewall Kernel Driver;C:\Program Files\BullGuard Software\BullGuard\FwEngine\FiltNt.sys [2006-11-02 12:36]
R2 BdFileSpy;BullGuard File Monitor Driver;C:\WINDOWS\system32\drivers\BdFileSpy.sys [2008-05-25 15:24]
R2 BsFileScan;BullGuard File Scan Service;C:\WINDOWS\System32\svchost.exe [2004-08-04 14:00]
R2 BsFwall;BullGuard Firewall Service;C:\WINDOWS\System32\svchost.exe [2004-08-04 14:00]
R2 gearsec;gearsec;C:\WINDOWS\system32\gearsec.exe [2003-12-01 15:27]
R3 NBXG750;NB 802.11g XG750 Driver;C:\WINDOWS\system32\DRIVERS\WlanUTG.sys [2005-04-01 16:46]
R3 PROTECT.DLL;BullGuard Firewall Protection Plugin;C:\Program Files\BullGuard Software\BullGuard\FwEngine\Protect.dll [2006-11-02 12:36]
R3 Reconn;BullGuard Email Monitor;C:\Program Files\BullGuard Software\BullGuard\reconn.sys [2008-05-25 15:24]
S1 aiptektp;HyperPen;C:\WINDOWS\system32\DRIVERS\aiptektp.sys [2004-07-07 16:02]
S3 ADBLOCK.DLL;BullGuard Firewall Adware Plugin;C:\Program Files\BullGuard Software\BullGuard\FwEngine\AdBlock.dll []
S3 HTMLFILT.DLL;BullGuard Firewall HTML Plugin;C:\Program Files\BullGuard Software\BullGuard\FwEngine\HtmlFilt.dll []
S3 HTTPFILT.DLL;BullGuard Firewall HTTP Plugin;C:\Program Files\BullGuard Software\BullGuard\FwEngine\HttpFilt.dll []
S3 PID_0920;Logitech QuickCam Express(PID_0920);C:\WINDOWS\system32\DRIVERS\LV532AV.SYS [2003-09-04 10:38]
S3 ss_bus;SAMSUNG Mobile USB Device 1.0 driver (WDM);C:\WINDOWS\system32\DRIVERS\ss_bus.sys [2005-08-30 18:57]
S3 ss_mdfl;SAMSUNG Mobile USB Modem 1.0 Filter;C:\WINDOWS\system32\DRIVERS\ss_mdfl.sys [2005-08-30 18:58]
S3 ss_mdm;SAMSUNG Mobile USB Modem 1.0 Drivers;C:\WINDOWS\system32\DRIVERS\ss_mdm.sys [2005-08-30 18:59]
S3 VNUSB;VN Series Device;C:\WINDOWS\system32\DRIVERS\VNUSB.sys [2003-12-15 19:22]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
BullGuard REG_MULTI_SZ BgMainSvc BsFileScan BsMailProxy
BullGuardFw REG_MULTI_SZ BsFwall

*Newly Created Service* - PCANDIS5
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-31 13:14:47
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\run]
"\\\\USER-8B2A3BCE77\\EPSON Stylus C46 Series (Copy 1)"="C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\E_S4I0T1.EXE /P50 \"\\\\USER-8B2A3BCE77\\EPSON Stylus C46 Series (Copy 1)\" /O6 \"USB001\" /M \"Stylus C46\""
.
------------------------ Other Running Processes ------------------------
.
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\BullGuard Software\BullGuard\BullGuardUpdate.exe
C:\APPS\Powercinema\Kernel\TV\CLCapSvc.exe
C:\APPS\Powercinema\Kernel\CLML_NTService\CLMLServer.exe
C:\APPS\Powercinema\Kernel\CLML_NTService\CLMLService.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\spm\spmd.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\APPS\Powercinema\Kernel\TV\CLSched.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2008-05-31 13:19:54 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-31 12:19:46
ComboFix2.txt 2008-05-29 21:25:04
ComboFix3.txt 2008-05-29 17:58:08
ComboFix4.txt 2008-05-29 16:05:36

Pre-Run: 15,683,526,656 bytes free
Post-Run: 15,666,180,096 bytes free

239 --- E O F --- 2008-05-28 16:53:51

#11 LUKEB_82

  • Topic Starter
  • Members
  • 8 posts

Posted 31 May 2008 - 07:23 AM

THIS IS THE NEW HIJACKTHIS LOG

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:22:48, on 31/05/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\BullGuard Software\BullGuard\BullGuardUpdate.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
c:\apps\Powercinema\Kernel\TV\CLCapSvc.exe
c:\APPS\Powercinema\Kernel\CLML_NTService\CLMLServer.exe
c:\APPS\Powercinema\Kernel\CLML_NTService\CLMLService.exe
C:\WINDOWS\system32\gearsec.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\spm\spmd.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
c:\apps\Powercinema\Kernel\TV\CLSched.exe
C:\WINDOWS\sm56hlpr.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Common Files\Ulead Systems\AutoDetector\monitor.exe
C:\apps\Powercinema\PCMService.exe
C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
C:\WINDOWS\system32\atwtusb.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\APPS\SMP\SmpSys.exe
C:\Program Files\BullGuard Software\BullGuard\bullguard.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\IEEE 802.11g Wireless LAN Utility\WlanUtl.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
D:\Documents and Settings\Luke\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [Vade Retro Outlook Express] "C:\PROGRA~1\GOTOSO~1\VADERE~1\Vaderetro_oe.exe"
O4 - HKLM\..\Run: [Ulead AutoDetector v2] C:\Program Files\Common Files\Ulead Systems\AutoDetector\monitor.exe
O4 - HKLM\..\Run: [PCMService] "c:\apps\Powercinema\PCMService.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32"
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
O4 - HKLM\..\Run: [atwtusb] atwtusb.exe beta
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [\\USER-8B2A3BCE77\EPSON Stylus C46 Series (Copy 1)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0T1.EXE /P50 "\\USER-8B2A3BCE77\EPSON Stylus C46 Series (Copy 1)" /O6 "USB001" /M "Stylus C46"
O4 - HKLM\..\Run: [BullGuard] "C:\Program Files\BullGuard Software\BullGuard\bullguard.exe" -boot
O4 - HKCU\..\Run: [SmpcSys] C:\APPS\SMP\SmpSys.exe
O4 - HKCU\..\Run: [BullGuard] "C:\Program Files\BullGuard Software\BullGuard\bullguard.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Device Detector 3.lnk = C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
O4 - Global Startup: IEEE 802.11g Wireless LAN Utility.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=file://C:\APPS\IE\offline\uk.htm
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: BullGuard LiveUpdate (BGLiveSvc) - BullGuard Software - C:\Program Files\BullGuard Software\BullGuard\BullGuardUpdate.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Unknown owner - C:\Program Files\Bonjour\mDNSResponder.exe (file missing)
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - c:\apps\Powercinema\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - c:\apps\Powercinema\Kernel\TV\CLSched.exe
O23 - Service: CyberLink Media Library Service - Cyberlink - c:\APPS\Powercinema\Kernel\CLML_NTService\CLMLServer.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: gearsec - GEAR Software - C:\WINDOWS\system32\gearsec.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SPM License Server (spmd) - mental images GmbH - C:\spm\spmd.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

--
End of file - 10090 bytes

#12 teacup61

    Bleepin' Texan!

  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 31 May 2008 - 10:35 AM

Hello,

..........AND ON REBOOT ALL THESE NEW VIRUSES CAME THROUGH I HAD NO PROBLEMS BEFORE RUNNING THE LAST COMBO FIX???????

No, you've got it wrong. Those aren't new. They're the leftovers from when you were infected, and ComboFix deleted them with the script I had you put into it. :thumbsup: Those logs look all right now... still running all right? Please delete ComboFix and its accompanying folder C:\Qoobox. Empty your Recycle bin and reboot your computer.

Regards,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Error reading poptart in Drive A: Delete kids y/n?

#13 teacup61

    Bleepin' Texan!

  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 15 June 2008 - 03:01 PM

Since this issue appears resolved ... this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
