Virtumonde Vundo Trojans


  • This topic is locked
22 replies to this topic

#1 keaper

keaper

  • Members
  • 10 posts
  • OFFLINE
  • Local time:07:33 AM

Posted 01 June 2008 - 05:44 AM

Got these trojans yesterday and have had no luck removing them. Spybot tells me it's fixing them. I restart and the trojans reappear. When I start the PC the desktop is completely blank and I get a box titled userinit.exe which says "The application failed to initialize properly. Click on OK to terminate the application." I can start applications only by using Windows Task Manager. Also cannot access anything inside Control Panel. It gives a box titled rundll32.exe which says "The application failed to initialize properly. Click on OK to terminate the application."

Hope you guys can help

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Sunday, June 01, 2008 4:54:23 PM
Operating System: Microsoft Windows XP Professional, Service Pack 3 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 1/06/2008
Kaspersky Anti-Virus database records: 729199
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: false
Scan Mail Bases: false

Scan Target - My Computer:
A:\
D:\
E:\
F:\
G:\
H:\
I:\
J:\
P:\
Q:\

Scan Statistics:
Total number of scanned objects: 97034
Number of viruses found: 4
Number of infected objects: 9
Number of suspicious objects: 0
Duration of the scan process: 00:31:29

Infected Object Name / Virus Name / Last Action
F:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
G:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
H:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
I:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
J:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
P:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
Q:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\xw23e5x6.default\cert8.db Object is locked skipped
Q:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\xw23e5x6.default\GoogleToolbarData\googlesafebrowsing.db Object is locked skipped
Q:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\xw23e5x6.default\history.dat Object is locked skipped
Q:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\xw23e5x6.default\key3.db Object is locked skipped
Q:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\xw23e5x6.default\parent.lock Object is locked skipped
Q:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\xw23e5x6.default\search.sqlite Object is locked skipped
Q:\Documents and Settings\Administrator\Application Data\Symantec\NPMDataStore\CIMStore.xml Object is locked skipped
Q:\Documents and Settings\Administrator\Cookies\index.dat Object is locked skipped
Q:\Documents and Settings\Administrator\Desktop\SlySoft\CloneDVD mobile 1.1.6.0\keygen.exe Infected: Trojan.Win32.KillFiles.ry skipped
Q:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Media Player\CurrentDatabase_360.wmdb Object is locked skipped
Q:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
Q:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
Q:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\xw23e5x6.default\Cache\_CACHE_001_ Object is locked skipped
Q:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\xw23e5x6.default\Cache\_CACHE_002_ Object is locked skipped
Q:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\xw23e5x6.default\Cache\_CACHE_003_ Object is locked skipped
Q:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\xw23e5x6.default\Cache\_CACHE_MAP_ Object is locked skipped
Q:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat Object is locked skipped
Q:\Documents and Settings\Administrator\Local Settings\History\History.IE5\MSHist012008060120080602\index.dat Object is locked skipped
Q:\Documents and Settings\Administrator\Local Settings\Temp\Installer-Crack-Keygen.exe Infected: P2P-Worm.Win32.Delf.by skipped
Q:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
Q:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Y6SCQMPE\17PHolmes[1].cmt Infected: Trojan-Downloader.Win32.Homles.bs skipped
Q:\Documents and Settings\Administrator\NTUSER.DAT Object is locked skipped
Q:\Documents and Settings\Administrator\ntuser.dat.LOG Object is locked skipped
Q:\Documents and Settings\Administrator\UserData\index.dat Object is locked skipped
Q:\Documents and Settings\All Users\Application Data\Symantec\Common Client\ccSubSDK\submissions.idx Object is locked skipped
Q:\Documents and Settings\All Users\Application Data\Symantec\Common Client\settings.DAT Object is locked skipped
Q:\Documents and Settings\All Users\Application Data\Symantec\Common Client\volatile.DAT Object is locked skipped
Q:\Documents and Settings\All Users\Application Data\Symantec\Common Client\{6D2593AE-119E-458F-97EF-28A6DA7DA1B0}.DAT Object is locked skipped
Q:\Documents and Settings\All Users\Application Data\Symantec\Common Client\{E9CA522A-5D3F-4B39-A416-02C134EBA3C6}.DAT Object is locked skipped
Q:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\2008-06-01_Log.ALUSchedulerSvc.LiveUpdate Object is locked skipped
Q:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\Log.LiveUpdate Object is locked skipped
Q:\Documents and Settings\All Users\Application Data\Symantec\Shared\QBackup\index.qbs Object is locked skipped
Q:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBConfig.log Object is locked skipped
Q:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBDebug.log Object is locked skipped
Q:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBDetect.log Object is locked skipped
Q:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBNotify.log Object is locked skipped
Q:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBRefr.log Object is locked skipped
Q:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetCfg.log Object is locked skipped
Q:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetCfg2.log Object is locked skipped
Q:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetDev.log Object is locked skipped
Q:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetLoc.log Object is locked skipped
Q:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetUsr.log Object is locked skipped
Q:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBStHash.log Object is locked skipped
Q:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBValid.log Object is locked skipped
Q:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\Shl_{2EE02490-9BB3-4B71-BEFB-9AE6076DA7A9}.ldb Object is locked skipped
Q:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\Shl_{2EE02490-9BB3-4B71-BEFB-9AE6076DA7A9}.sds Object is locked skipped
Q:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\SPPolicy.log Object is locked skipped
Q:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\SPStart.log Object is locked skipped
Q:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\SPStop.log Object is locked skipped
Q:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtErEvt.log Object is locked skipped
Q:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtETmp\623F4F37.TMP Object is locked skipped
Q:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtETmp\F2314AA8.TMP Object is locked skipped
Q:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtMoEvt.log Object is locked skipped
Q:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtNvEvt.log Object is locked skipped
Q:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtScEvt.log Object is locked skipped
Q:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtTxFEvt.log Object is locked skipped
Q:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtViEvt.log Object is locked skipped
Q:\Documents and Settings\All Users\DRM\drmstore.hds Object is locked skipped
Q:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
Q:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
Q:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
Q:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
Q:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
Q:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
Q:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
Q:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
Q:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
Q:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
Q:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
Q:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcrst.dll Object is locked skipped
Q:\Program Files\Common Files\Symantec Shared\EENGINE\EPERSIST.DAT Object is locked skipped
Q:\Program Files\Common Files\Symantec Shared\NFWEVT.LOG Object is locked skipped
Q:\Program Files\Common Files\Symantec Shared\SNDALRT.log Object is locked skipped
Q:\Program Files\Common Files\Symantec Shared\SNDCON.log Object is locked skipped
Q:\Program Files\Common Files\Symantec Shared\SNDDBG.log Object is locked skipped
Q:\Program Files\Common Files\Symantec Shared\SNDFW.log Object is locked skipped
Q:\Program Files\Common Files\Symantec Shared\SNDIDS.log Object is locked skipped
Q:\Program Files\Common Files\Symantec Shared\SNDSYS.log Object is locked skipped
Q:\Program Files\Norton Internet Security\Norton AntiVirus\AVApp.log Object is locked skipped
Q:\Program Files\Norton Internet Security\Norton AntiVirus\AVError.log Object is locked skipped
Q:\Program Files\Norton Internet Security\Norton AntiVirus\AVVirus.log Object is locked skipped
Q:\Program Files\Powerware\LanSafe\Log\XYNTService.log Object is locked skipped
Q:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
Q:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
Q:\WINDOWS\mrofinu1869.exe Infected: Trojan-Downloader.Win32.Homles.bs skipped
Q:\WINDOWS\SchedLgU.Txt Object is locked skipped
Q:\WINDOWS\SDE038713.tmp Object is locked skipped
Q:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
Q:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
Q:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
Q:\WINDOWS\system32\config\default Object is locked skipped
Q:\WINDOWS\system32\config\default.LOG Object is locked skipped
Q:\WINDOWS\system32\config\SAM Object is locked skipped
Q:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
Q:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
Q:\WINDOWS\system32\config\SECURITY Object is locked skipped
Q:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
Q:\WINDOWS\system32\config\software Object is locked skipped
Q:\WINDOWS\system32\config\software.LOG Object is locked skipped
Q:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
Q:\WINDOWS\system32\config\system Object is locked skipped
Q:\WINDOWS\system32\config\system.LOG Object is locked skipped
Q:\WINDOWS\system32\drivers\etc\Hosts.bak Object is locked skipped
Q:\WINDOWS\system32\fccYrPJD.dll Infected: Trojan-Downloader.Win32.Agent.rfl skipped
Q:\WINDOWS\system32\hgGVNgDw.dll Infected: Trojan-Downloader.Win32.Agent.rfl skipped
Q:\WINDOWS\system32\msupdte.exe Infected: P2P-Worm.Win32.Delf.by skipped
Q:\WINDOWS\system32\rqRLeDwU.dll Infected: Trojan-Downloader.Win32.Agent.rfl skipped
Q:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
Q:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
Q:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
Q:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
Q:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
Q:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
Q:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
Q:\WINDOWS\system32\WinSecure.exe Infected: P2P-Worm.Win32.Delf.by skipped
Q:\WINDOWS\Temp\JETC2C3.tmp Object is locked skipped

Scan process completed.


Deckard's System Scanner v20071014.68
Run by Administrator on 2008-06-01 19:59:54
Computer is in Normal Mode.
--------------------------------------------------------------------------------

System Drive Q: has 40.36 GiB (less than 15%) free.


-- HijackThis (run as Administrator.exe) ---------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:00:05 PM, on 1/06/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
Q:\WINDOWS\System32\smss.exe
Q:\WINDOWS\system32\csrss.exe
Q:\WINDOWS\system32\winlogon.exe
Q:\WINDOWS\system32\services.exe
Q:\WINDOWS\system32\lsass.exe
Q:\WINDOWS\system32\svchost.exe
Q:\WINDOWS\system32\svchost.exe
Q:\WINDOWS\System32\svchost.exe
Q:\WINDOWS\system32\svchost.exe
Q:\WINDOWS\system32\svchost.exe
Q:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
Q:\WINDOWS\system32\spoolsv.exe
Q:\WINDOWS\Explorer.EXE
Q:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
Q:\Program Files\Bonjour\mDNSResponder.exe
Q:\WINDOWS\System32\svchost.exe
Q:\Program Files\Powerware\LanSafe\Bin\PowerMonitor.exe
Q:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
Q:\Program Files\Powerware\LanSafe\Bin\LSTrayAgent.exe
Q:\WINDOWS\system32\nvsvc32.exe
Q:\WINDOWS\system32\oodag.exe
Q:\WINDOWS\system32\PnkBstrA.exe
Q:\Program Files\Windows Media Player\WMPNetwk.exe
Q:\Program Files\Powerware\LanSafe\bin\xyntservice.exe
Q:\Program Files\Powerware\LanSafe\bin\httpserver.exe
Q:\Program Files\Powerware\LanSafe\bin\status_glance.exe
Q:\WINDOWS\System32\alg.exe
Q:\WINDOWS\RTHDCPL.EXE
Q:\Program Files\Google\Google Talk\googletalk.exe
Q:\WINDOWS\system32\RUNDLL32.EXE
Q:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
Q:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
Q:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
Q:\WINDOWS\system32\ctfmon.exe
Q:\Program Files\PeerGuardian2\pg2.exe
Q:\Program Files\SlySoft\AnyDVD\AnyDVDtray.exe
Q:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
Q:\Program Files\Windows Media Player\WMPNSCFG.exe
Q:\Program Files\BWMeter\BWMeter.exe
Q:\Program Files\MagicDisc\MagicDisc.exe
Q:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\IXP001.TMP\TESTIN~1.EXE
Q:\WINDOWS\notepad.exe
Q:\WINDOWS\system32\rundll32.exe
Q:\WINDOWS\system32\rundll32.exe
Q:\WINDOWS\system32\notepad.exe
Q:\WINDOWS\system32\NOTEPAD.EXE
Q:\WINDOWS\system32\NOTEPAD.EXE
Q:\Documents and Settings\Administrator\Desktop\dss.exe
Q:\PROGRA~1\TRENDM~1\HIJACK~1\ADMINI~1.EXE
Q:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O1 - Hosts: 66.98.148.65 auto.search.msn.com
O1 - Hosts: 66.98.148.65 auto.search.msn.es
O2 - BHO: (no name) - {048AAF82-DF81-4B43-A85A-D53497EA8012} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - Q:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0B160305-D4AC-47E4-95EC-F0A5509ADCD5} - Q:\WINDOWS\system32\wvUoNHAt.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - Q:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5502D47E-EEB3-41C2-8F7C-8AEFE3564CEB} - Q:\WINDOWS\system32\yayyARhh.dll
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - Q:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.5\coIEPlg.dll
O2 - BHO: (no name) - {6A561351-E3BE-42CE-8228-38F1C1FD65DB} - Q:\WINDOWS\system32\cbXNHBTJ.dll (file missing)
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - Q:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - Q:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: (no name) - {79AB5D84-78F6-487B-ABB6-073A90931E97} - (no file)
O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - Q:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.5\CoIEPlg.dll
O4 - HKLM\..\Run: [NeroFilterCheck] Q:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [JMB36X IDE Setup] Q:\WINDOWS\RaidTool\xInsIDE.exe
O4 - HKLM\..\Run: [36X Raid Configurer] Q:\WINDOWS\system32\xRaidSetup.exe boot
O4 - HKLM\..\Run: [googletalk] Q:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE Q:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE Q:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ISUSScheduler] "Q:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [QuickTime Task] "Q:\Program Files\QuickTime Alternative\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [TFMBM] Q:\PROGRA~1\MINGBA~1\MBM.exe
O4 - HKLM\..\Run: [ccApp] "Q:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "Q:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [Microsoft WinUpdate] Q:\WINDOWS\system32\msupdte.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "Q:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [BM57c1efe6] Rundll32.exe "Q:\WINDOWS\system32\ysfnajuh.dll",s
O4 - HKLM\..\RunOnce: [Spybot - Search & Destroy] "Q:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKLM\..\RunOnce: [SpybotDeletingA7582] command /c del "Q:\WINDOWS\system32\geBuuRhg.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC7231] cmd /c del "Q:\WINDOWS\system32\geBuuRhg.dll_old"
O4 - HKCU\..\Run: [ctfmon.exe] Q:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PeerGuardian] Q:\Program Files\PeerGuardian2\pg2.exe
O4 - HKCU\..\Run: [AnyDVD] Q:\Program Files\SlySoft\AnyDVD\AnyDVDtray.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] Q:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [WMPNSCFG] Q:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Policies\Explorer\Run: [Windows Security Tool] WinSecure.exe
O4 - Startup: BWMeter.lnk = Q:\Program Files\BWMeter\BWMeter.exe
O4 - Startup: MagicDisc.lnk = Q:\Program Files\MagicDisc\MagicDisc.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://Q:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - Q:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - Q:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - Q:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - Q:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - Q:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - Q:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - Q:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - Q:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - Q:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl.sun.com/webapps/download/AutoDL?BundleId=21871
O20 - AppInit_DLLs: Q:\WINDOWS\system32\__c0021AB5.dat
O20 - Winlogon Notify: ssqOgEvv - Q:\WINDOWS\
O20 - Winlogon Notify: ssqPhFYp - Q:\WINDOWS\
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - Q:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - Q:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - Q:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - Q:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - Q:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - Q:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - Q:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: LanSafe Power Monitor (LanSafe PM) - Eaton Corporation - Q:\Program Files\Powerware\LanSafe\Bin\PowerMonitor.exe
O23 - Service: LanSafe Process Manager - Powerware - Q:\Program Files\Powerware\LanSafe\bin\xyntservice.exe
O23 - Service: LiveUpdate - Symantec Corporation - Q:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - Q:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - Q:\WINDOWS\system32\nvsvc32.exe
O23 - Service: O&O Defrag - O&O Software GmbH - Q:\WINDOWS\system32\oodag.exe
O23 - Service: PnkBstrA - Unknown owner - Q:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Symantec Core LC - Unknown owner - Q:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe

--
End of file - 9515 bytes

-- Files created between 2008-05-01 and 2008-06-01 -----------------------------

2008-06-01 18:53:11 114176 --a------ Q:\WINDOWS\system32\hrqkgqif.dll
2008-06-01 18:47:12 51200 --a------ Q:\WINDOWS\system32\__c0021AB5.dat
2008-06-01 18:47:11 51200 --a------ Q:\WINDOWS\system32\kjbjgifr.dll
2008-06-01 18:41:30 126464 --a------ Q:\WINDOWS\system32\ysfnajuh.dll
2008-06-01 18:41:10 475785 --ahs---- Q:\WINDOWS\system32\hhRAyyay.ini2
2008-06-01 18:41:01 373248 --a------ Q:\WINDOWS\system32\yayyARhh.dll
2008-06-01 18:18:42 57344 --a------ Q:\WINDOWS\system32\wvUlllIx.dll
2008-06-01 17:31:23 51200 --a------ Q:\WINDOWS\system32\chbddtbx.dll
2008-06-01 17:31:22 51200 --a------ Q:\WINDOWS\system32\ewrqyguo.dll
2008-06-01 17:31:20 51200 --a------ Q:\WINDOWS\system32\raeoogej.dll
2008-06-01 17:31:14 0 d-------- Q:\Program Files\Trend Micro
2008-06-01 17:28:25 51200 --a------ Q:\WINDOWS\system32\vjnbuibe.dll
2008-06-01 17:28:23 51200 --a------ Q:\WINDOWS\system32\mjcufttm.dll
2008-06-01 17:28:21 51200 --a------ Q:\WINDOWS\system32\pyxnlqdn.dll
2008-06-01 17:25:23 51200 --a------ Q:\WINDOWS\system32\fevlqjbq.dll
2008-06-01 17:25:22 51200 --a------ Q:\WINDOWS\system32\selvpijx.dll
2008-06-01 17:25:20 51200 --a------ Q:\WINDOWS\system32\naajrtqv.dll
2008-06-01 17:22:23 51200 --a------ Q:\WINDOWS\system32\kytxpvvp.dll
2008-06-01 17:22:22 51200 --a------ Q:\WINDOWS\system32\tqmlqknt.dll
2008-06-01 17:22:20 51200 --a------ Q:\WINDOWS\system32\seoqvkij.dll
2008-06-01 17:19:23 51200 --a------ Q:\WINDOWS\system32\xtibktfs.dll
2008-06-01 17:19:21 51200 --a------ Q:\WINDOWS\system32\sykhjlsk.dll
2008-06-01 17:19:20 51200 --a------ Q:\WINDOWS\system32\urabeoww.dll
2008-06-01 17:16:22 51200 --a------ Q:\WINDOWS\system32\fsatecra.dll
2008-06-01 17:16:21 51200 --a------ Q:\WINDOWS\system32\acgkxogu.dll
2008-06-01 17:16:20 51200 --a------ Q:\WINDOWS\system32\cdnahhfo.dll
2008-06-01 17:13:22 51200 --a------ Q:\WINDOWS\system32\novjywaf.dll
2008-06-01 17:13:21 51200 --a------ Q:\WINDOWS\system32\cwuoofeh.dll
2008-06-01 17:11:15 114176 -----n--- Q:\WINDOWS\system32\xvsuoila.dll
2008-06-01 17:11:01 126464 --a------ Q:\WINDOWS\system32\amgcchcs.dll
2008-06-01 17:10:20 479326 --ahs---- Q:\WINDOWS\system32\ghRuuBeg.ini2
2008-06-01 15:20:37 472007 --ahs---- Q:\WINDOWS\system32\mpWvvyxx.ini2
2008-06-01 07:17:54 0 d-------- Q:\Program Files\Sun
2008-06-01 00:56:32 41984 --a------ Q:\WINDOWS\mrofinu1869.exe
2008-06-01 00:55:54 57344 --a------ Q:\WINDOWS\system32\hgGVNgDw.dll
2008-06-01 00:03:11 0 d-------- Q:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-06-01 00:03:10 0 d-------- Q:\WINDOWS\system32\Kaspersky Lab
2008-05-31 23:44:33 0 d-------- Q:\VundoFix Backups
2008-05-31 21:57:50 0 d-------- Q:\Program Files\Lavasoft
2008-05-31 21:57:49 0 d-------- Q:\Documents and Settings\All Users\Application Data\Lavasoft
2008-05-31 21:27:00 114176 --a------ Q:\WINDOWS\system32\dcqligpw.dll
2008-05-31 21:18:01 51200 --a------ Q:\WINDOWS\system32\__c00CD78.dat
2008-05-31 21:18:00 51200 --a------ Q:\WINDOWS\system32\nxidumja.dll
2008-05-31 21:15:42 126464 --a------ Q:\WINDOWS\system32\pydhrfsj.dll
2008-05-31 21:14:59 499205 --ahs---- Q:\WINDOWS\system32\kmlllUvw.ini2
2008-05-31 21:11:12 57344 --a------ Q:\WINDOWS\system32\rqRLeDwU.dll
2008-05-31 19:58:22 57344 --a------ Q:\WINDOWS\system32\fccYrPJD.dll
2008-05-31 18:04:04 51200 --a------ Q:\WINDOWS\system32\rxfhamti.dll
2008-05-31 17:52:46 122356 --a------ Q:\WINDOWS\system32\jceprwxd.dll
2008-05-31 17:52:03 472447 --ahs---- Q:\WINDOWS\system32\JTBHNXbc.ini2
2008-05-31 16:21:45 51200 --a------ Q:\WINDOWS\system32\kurbrimx.dll
2008-05-31 16:10:26 122356 --a------ Q:\WINDOWS\system32\uaildehy.dll
2008-05-31 16:09:44 482773 --ahs---- Q:\WINDOWS\system32\BJPWEfhk.ini2
2008-05-31 15:11:56 0 d-------- Q:\Documents and Settings\Administrator\Application Data\Malwarebytes
2008-05-31 15:11:50 0 d-------- Q:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-05-31 15:11:49 0 d-------- Q:\Program Files\Malwarebytes' Anti-Malware
2008-05-31 13:11:06 472160 --ahs---- Q:\WINDOWS\system32\ggNoYcdd.ini2
2008-05-31 10:46:19 122356 --a------ Q:\WINDOWS\system32\isdlujgd.dll
2008-05-31 10:45:37 471525 --ahs---- Q:\WINDOWS\system32\DJRXHRqr.ini2
2008-05-31 07:09:51 0 dr-h----- Q:\Documents and Settings\LocalService\Recent
2008-05-31 00:28:13 51200 --a------ Q:\WINDOWS\system32\xshtnnfd.dll
2008-05-30 12:23:14 116224 --a------ Q:\WINDOWS\system32\xfcttquh.dll
2008-05-30 12:22:32 471443 --ahs---- Q:\WINDOWS\system32\tAHNoUvw.ini2
2008-05-30 12:12:37 885248 --a------ Q:\WINDOWS\system32\WinSecure.exe
2008-05-30 12:12:35 37888 --a------ Q:\WINDOWS\system32\rar.exe <Not Verified; Microsoft Corporation; Microsoft® Windows ® 2000 Operating System>
2008-05-29 16:35:07 0 d-------- Q:\t
2008-05-29 16:29:04 0 d-------- Q:\WINDOWS\WinAVI Video Converter 9.0
2008-05-29 16:29:03 0 d-------- Q:\Program Files\WinAVI Video Converter 9.0
2008-05-29 16:27:35 885248 --a------ Q:\WINDOWS\system32\msupdte.exe
2008-05-27 16:55:16 0 d-------- Q:\Program Files\NaturalSoft
2008-05-27 16:54:46 0 d-------- Q:\WINDOWS\Downloaded Installations
2008-05-27 13:09:14 0 d-------- Q:\Documents and Settings\All Users\Application Data\Elaborate Bytes
2008-05-27 13:01:55 0 d-------- Q:\Program Files\Elaborate Bytes
2008-05-21 18:36:30 0 d-------- Q:\Documents and Settings\Administrator\Application Data\XLink Kai
2008-05-21 18:35:55 0 d-------- Q:\Program Files\XLink Kai
2008-05-09 23:39:49 0 d-------- Q:\WINDOWS\Prefetch
2008-05-09 23:33:50 0 d-------- Q:\WINDOWS\system32\scripting
2008-05-09 23:33:50 0 d-------- Q:\WINDOWS\system32\en
2008-05-09 23:33:50 0 d-------- Q:\WINDOWS\system32\bits
2008-05-09 23:33:50 0 d-------- Q:\WINDOWS\l2schemas
2008-05-09 23:31:47 0 d-------- Q:\WINDOWS\ServicePackFiles
2008-05-09 23:30:16 0 d-------- Q:\WINDOWS\network diagnostic
2008-05-09 21:56:10 0 d-------- Q:\Program Files\MSBuild
2008-05-09 21:55:03 0 d-------- Q:\WINDOWS\system32\XPSViewer
2008-05-09 21:54:37 0 d-------- Q:\Program Files\Reference Assemblies
2008-05-09 21:52:15 0 d-------- Q:\Program Files\MSXML 6.0
2008-05-09 01:58:55 0 d-------- Q:\Program Files\Windows Media Connect 2
2008-05-09 01:56:50 0 d-------- Q:\WINDOWS\system32\drivers\UMDF
2008-05-09 01:42:43 0 d-------- Q:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage


-- Find3M Report ---------------------------------------------------------------

2008-06-01 20:01:16 0 d-------- Q:\Program Files\PeerGuardian2
2008-06-01 18:23:28 0 d-------- Q:\Program Files\Common Files\Symantec Shared
2008-06-01 10:28:56 0 d-------- Q:\Documents and Settings\Administrator\Application Data\Azureus
2008-06-01 07:17:33 0 d-------- Q:\Program Files\Java
2008-06-01 01:05:51 0 d-------- Q:\Program Files\Common Files
2008-05-31 23:49:25 0 d-------- Q:\Program Files\PowerISO
2008-05-09 23:34:06 0 d-------- Q:\Program Files\Messenger
2008-05-09 23:33:49 0 d-------- Q:\Program Files\Movie Maker
2008-05-09 23:31:36 0 d-------- Q:\Program Files\Windows NT
2008-05-07 00:17:26 0 d-------- Q:\Program Files\IrfanView
2008-05-04 23:16:46 0 d-------- Q:\Program Files\BWMeter
2008-05-04 23:10:23 0 d-------- Q:\Documents and Settings\Administrator\Application Data\DeskSoft
2008-04-30 23:24:51 0 d-------- Q:\Documents and Settings\Administrator\Application Data\mIRC
2008-04-30 23:24:01 0 d-------- Q:\Program Files\mIRC
2008-04-30 00:20:27 0 d-------- Q:\Program Files\Microsoft Silverlight
2008-04-26 18:03:39 0 d-------- Q:\Program Files\Norton Internet Security
2008-04-26 18:03:30 0 d-------- Q:\Program Files\Symantec
2008-04-26 18:03:08 0 d-------- Q:\Program Files\Windows Sidebar
2008-04-26 17:36:15 0 d-------- Q:\Documents and Settings\Administrator\Application Data\Symantec
2008-04-18 18:21:09 0 d-------- Q:\Program Files\Azureus
2008-04-05 17:47:48 0 d-------- Q:\Documents and Settings\Administrator\Application Data\BWMonitor
2008-04-05 17:43:29 0 d-------- Q:\Program Files\MING Bandwidth Monitor
2008-04-02 15:08:48 0 d-------- Q:\Documents and Settings\Administrator\Application Data\Talkback
2008-04-02 15:08:42 0 d-------- Q:\Documents and Settings\Administrator\Application Data\Mozilla


-- Registry Dump ---------------------------------------------------------------



-- End of Deckard's System Scanner: finished at 2008-06-01 20:01:31 ------------



#2 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 02 June 2008 - 04:30 AM

Hi,

I see you're not afraid of visiting cracksites and other illegal sites, because some cracks are being flagged as malicious.
If you visit cracksites or use cracks, you'll ALWAYS get infected. This is not only because of the crack itself, but because one single click entering that site may already download and install a huge malware bundle.
You really have to change your surfing habits though, because these malware bundles may contain a keylogger, collecting all your passwords and installing other random malware, compromising your system, including infecting other computers. And all this because you visited some illegal sites.
Also, keep in mind that malware DAMAGES A LOT! And the damage can't always be repaired, so a format and reinstall is the only solution in such cases.
So is it really worth it? Getting illegal software for "free", but compromising/breaking your computer instead.... :thumbsup:
Better to avoid this and change your surfing habits. Then this wouldn't have happened.

Don't forget to change your passwords afterwards, once we are done with this thread, because they are known. Don't change them now, because as long as the malware is still present, it will gather the changed passwords as well.


I see you are running TeaTimer.
I suggest you disable it, because it can interfere with the changes you'll make on your system.
When everything is done and your log is clean again, you can enable it again.
If TeaTimer gives you a warning afterwards that some changes were made, allow this instead of blocking it.
How to disable TeaTimer <== click me for instructions.
After you have disabled TeaTimer, download ResetTeaTimer.bat to your desktop. (In case you use Firefox, right-click the link and choose "save as".)
Double-click ResetTeaTimer.bat and let it run.
This will only take a few seconds.


* Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

This includes installing the Windows XP Recovery Console in case you have not installed it yet.

Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 Thunder

Thunder

  • Members
  • 3,294 posts
  • Gender:Male
  • Location:Belgium

Posted 02 June 2008 - 04:52 AM

Post removed

Edited by Thunder, 02 June 2008 - 06:40 AM.

Whatever happens, make believe it was intended to ...
-----------------------------------------------------------------------
If I have helped you in any way, please consider a donation to help me continue the fight against malware.
-----------------------------------------------------------------------
Stand Up & Be Counted - And make a difference

#4 keaper

keaper
  • Topic Starter

  • Members
  • 10 posts

Posted 02 June 2008 - 07:43 AM

Thanks for helping me miekiemoes.
I'm having trouble already. I've downloaded ComboFix and downloaded the file for the Windows XP Recovery Console. I've selected Service Pack 2, but I have Service Pack 3 installed. There is no file for Service Pack 3.
I then drag that file over ComboFix and all that happens is a Rundll32.exe application error. Tried it a couple of times without success.

Here is HJT log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:31:30 PM, on 2/06/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
Q:\WINDOWS\System32\smss.exe
Q:\WINDOWS\system32\winlogon.exe
Q:\WINDOWS\system32\services.exe
Q:\WINDOWS\system32\lsass.exe
Q:\WINDOWS\system32\svchost.exe
Q:\WINDOWS\System32\svchost.exe
Q:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
Q:\WINDOWS\system32\spoolsv.exe
Q:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
Q:\Program Files\Bonjour\mDNSResponder.exe
Q:\WINDOWS\System32\svchost.exe
Q:\Program Files\Powerware\LanSafe\Bin\PowerMonitor.exe
Q:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
Q:\Program Files\Powerware\LanSafe\Bin\LSTrayAgent.exe
Q:\WINDOWS\system32\nvsvc32.exe
Q:\WINDOWS\system32\oodag.exe
Q:\WINDOWS\system32\PnkBstrA.exe
Q:\Program Files\Powerware\LanSafe\bin\xyntservice.exe
Q:\Program Files\Powerware\LanSafe\bin\httpserver.exe
Q:\Program Files\Powerware\LanSafe\bin\status_glance.exe
Q:\WINDOWS\explorer.exe
Q:\Program Files\Mozilla Firefox\firefox.exe
Q:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O1 - Hosts: 66.98.148.65 auto.search.msn.com
O1 - Hosts: 66.98.148.65 auto.search.msn.es
O2 - BHO: (no name) - {048AAF82-DF81-4B43-A85A-D53497EA8012} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - Q:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0B160305-D4AC-47E4-95EC-F0A5509ADCD5} - Q:\WINDOWS\system32\wvUoNHAt.dll (file missing)
O2 - BHO: (no name) - {5502D47E-EEB3-41C2-8F7C-8AEFE3564CEB} - (no file)
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - Q:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.5\coIEPlg.dll
O2 - BHO: (no name) - {6A561351-E3BE-42CE-8228-38F1C1FD65DB} - Q:\WINDOWS\system32\cbXNHBTJ.dll (file missing)
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - Q:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - Q:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: (no name) - {79AB5D84-78F6-487B-ABB6-073A90931E97} - (no file)
O2 - BHO: (no name) - {8053AF4F-F35D-4EC6-A411-039EFB515CD8} - Q:\WINDOWS\system32\yayxyvWM.dll
O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - Q:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.5\CoIEPlg.dll
O4 - HKLM\..\Run: [NeroFilterCheck] Q:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [JMB36X IDE Setup] Q:\WINDOWS\RaidTool\xInsIDE.exe
O4 - HKLM\..\Run: [36X Raid Configurer] Q:\WINDOWS\system32\xRaidSetup.exe boot
O4 - HKLM\..\Run: [googletalk] Q:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE Q:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE Q:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ISUSScheduler] "Q:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [QuickTime Task] "Q:\Program Files\QuickTime Alternative\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TFMBM] Q:\PROGRA~1\MINGBA~1\MBM.exe
O4 - HKLM\..\Run: [ccApp] "Q:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "Q:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [Microsoft WinUpdate] Q:\WINDOWS\system32\msupdte.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "Q:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [BM57c1efe6] Rundll32.exe "Q:\WINDOWS\system32\agsvnqik.dll",s
O4 - HKLM\..\Run: [000000af] rundll32.exe "Q:\WINDOWS\system32\yerfwhgw.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] Q:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PeerGuardian] Q:\Program Files\PeerGuardian2\pg2.exe
O4 - HKCU\..\Run: [AnyDVD] Q:\Program Files\SlySoft\AnyDVD\AnyDVDtray.exe
O4 - HKCU\..\Run: [WMPNSCFG] Q:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Policies\Explorer\Run: [Windows Security Tool] WinSecure.exe
O4 - S-1-5-18 Startup: BWMeter.lnk = Q:\Program Files\BWMeter\BWMeter.exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: MagicDisc.lnk = Q:\Program Files\MagicDisc\MagicDisc.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: BWMeter.lnk = Q:\Program Files\BWMeter\BWMeter.exe (User 'Default user')
O4 - .DEFAULT Startup: MagicDisc.lnk = Q:\Program Files\MagicDisc\MagicDisc.exe (User 'Default user')
O4 - Startup: BWMeter.lnk = Q:\Program Files\BWMeter\BWMeter.exe
O4 - Startup: MagicDisc.lnk = Q:\Program Files\MagicDisc\MagicDisc.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://Q:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - Q:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - Q:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - Q:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - Q:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - Q:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - Q:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - Q:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl.sun.com/webapps/download/AutoDL?BundleId=21871
O20 - AppInit_DLLs: Q:\WINDOWS\system32\__c0079E31.dat
O20 - Winlogon Notify: ssqOgEvv - Q:\WINDOWS\
O20 - Winlogon Notify: ssqPhFYp - Q:\WINDOWS\
O20 - Winlogon Notify: yayxyvWM - Q:\WINDOWS\SYSTEM32\yayxyvWM.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - Q:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - Q:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - Q:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - Q:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - Q:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - Q:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - Q:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: LanSafe Power Monitor (LanSafe PM) - Eaton Corporation - Q:\Program Files\Powerware\LanSafe\Bin\PowerMonitor.exe
O23 - Service: LanSafe Process Manager - Powerware - Q:\Program Files\Powerware\LanSafe\bin\xyntservice.exe
O23 - Service: LiveUpdate - Symantec Corporation - Q:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - Q:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - Q:\WINDOWS\system32\nvsvc32.exe
O23 - Service: O&O Defrag - O&O Software GmbH - Q:\WINDOWS\system32\oodag.exe
O23 - Service: PnkBstrA - Unknown owner - Q:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Symantec Core LC - Unknown owner - Q:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe

--
End of file - 8251 bytes

#5 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 02 June 2008 - 08:42 AM

Hi,

The rundll32.exe error is most probably also caused by the malicious AppInit_DLLs entry which is present here. I'm sure you'll get more similar errors for other applications as well.
Yes, the SP2 Recovery Console is the right one for SP3 as well, but skip that step for now and proceed with the instructions on how to run ComboFix without installing the Recovery Console.

If that didn't work, try to run it from Windows Safe mode.

To get into Windows Safe Mode, restart your computer and, just before Windows starts to load, tap the F8 key a few times.
Choose Safe Mode from the menu that will appear and press Enter.
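One way to screen a HijackThis log for the Vundo indicators the helper points at in this thread (the AppInit_DLLs entry behind the rundll32.exe errors, Winlogon Notify entries without a DLL path, hosts redirects, unnamed BHOs and rundll32 Run values). This is an added example, not a BleepingComputer or HijackThis tool; the sample log is assembled from lines posted in this thread, and the heuristics (8-letter random DLL names in system32, hex Run value names) are assumptions of this example rather than rules from the thread.

```python
"""Triage of HijackThis log lines for the Vundo-style persistence seen in this thread."""
import re

# Line shapes as they appear in the HijackThis logs posted above.
HOSTS_RE = re.compile(r"^O1 - Hosts: (\S+)\s+(\S+)$")
BHO_RE = re.compile(r"^O2 - BHO: (.+?) - \{[0-9A-Fa-f-]{36}\} - (.+)$")
RUN_RE = re.compile(r"^O4 - (HK(?:LM|CU)\\\.\.\\(?:Policies\\Explorer\\)?Run(?:Once)?): \[([^\]]+)\] (.+)$")
APPINIT_RE = re.compile(r"^O20 - AppInit_DLLs: (.+)$")
NOTIFY_RE = re.compile(r"^O20 - Winlogon Notify: (\S+) - (.+)$")

# Heuristics (assumptions of this example): Vundo drops DLLs with random 8-letter
# names into system32 and registers them under auto-generated hex value names.
RANDOM_NAME_RE = re.compile(r"\\system32\\([A-Za-z]{8})\.dll\b", re.IGNORECASE)
HEX_ITEM_RE = re.compile(r"BM[0-9a-f]{8}|[0-9a-f]{8}")
LOOPBACK = {"127.0.0.1", "::1", "0.0.0.0"}


def triage_line(line):
    """Return the reasons one HijackThis line looks suspicious (empty list if benign)."""
    reasons = []
    m = HOSTS_RE.match(line)
    if m:
        ip, host = m.groups()
        if ip not in LOOPBACK:  # legitimate hosts entries almost always map to loopback
            reasons.append(f"hosts file redirects {host} to {ip}")
        return reasons
    m = BHO_RE.match(line)
    if m:
        name, target = m.groups()
        if name == "(no name)":
            if "(no file)" in target or "(file missing)" in target:
                reasons.append("orphaned BHO registration (DLL already gone, CLSID left behind)")
            else:
                reasons.append(f"unnamed BHO loading {target}")
        return reasons
    m = RUN_RE.match(line)
    if m:
        key, item, cmd = m.groups()
        if "rundll32" in cmd.lower() and RANDOM_NAME_RE.search(cmd):
            reasons.append("rundll32 loading a random-named DLL from system32")
        if HEX_ITEM_RE.fullmatch(item):
            reasons.append(f"auto-generated Run value name '{item}'")
        if "Policies\\Explorer\\Run" in key:
            reasons.append("autostart via Policies\\Explorer\\Run, which legitimate software rarely uses")
        return reasons
    m = APPINIT_RE.match(line)
    if m:
        value = m.group(1)
        # AppInit_DLLs is loaded into every process that links user32.dll, which is
        # why rundll32.exe and userinit.exe fail to initialize on the poster's machine.
        reasons.append(f"AppInit_DLLs set to {value}")
        if value.lower().endswith(".dat"):
            reasons.append("AppInit_DLLs target has a non-DLL extension (.dat)")
        return reasons
    m = NOTIFY_RE.match(line)
    if m:
        name, path = m.groups()
        if not path.lower().endswith(".dll"):
            reasons.append(f"Winlogon Notify '{name}' points at '{path}', not a DLL file")
        elif RANDOM_NAME_RE.search(path):
            reasons.append(f"Winlogon Notify '{name}' loads a random-named DLL")
        return reasons
    return reasons


def triage(log_text):
    """Run triage_line over a whole log; return [(line, reasons)] for flagged lines only."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        reasons = triage_line(line)
        if reasons:
            findings.append((line, reasons))
    return findings


# Constructed sample: benign and malicious lines copied from the logs posted in this thread.
SAMPLE_LOG = r"""
O1 - Hosts: 66.98.148.65 auto.search.msn.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - Q:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0B160305-D4AC-47E4-95EC-F0A5509ADCD5} - Q:\WINDOWS\system32\wvUoNHAt.dll (file missing)
O2 - BHO: (no name) - {5502D47E-EEB3-41C2-8F7C-8AEFE3564CEB} - Q:\WINDOWS\system32\yayyARhh.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE Q:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [BM57c1efe6] Rundll32.exe "Q:\WINDOWS\system32\ysfnajuh.dll",s
O4 - HKCU\..\Policies\Explorer\Run: [Windows Security Tool] WinSecure.exe
O20 - AppInit_DLLs: Q:\WINDOWS\system32\__c0021AB5.dat
O20 - Winlogon Notify: ssqOgEvv - Q:\WINDOWS\
O23 - Service: O&O Defrag - O&O Software GmbH - Q:\WINDOWS\system32\oodag.exe
"""

if __name__ == "__main__":
    for line, reasons in triage(SAMPLE_LOG):
        print(line)
        for reason in reasons:
            print("    ->", reason)
```

The three benign lines (Adobe BHO, NVIDIA Run value, O&O service) pass through unflagged; the other seven are reported with a reason each, which is the same split a human helper makes when reading the log.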

#6 keaper

keaper
  • Topic Starter

  • Members
  • 10 posts

Posted 02 June 2008 - 09:36 AM

I'm not having much luck here. I've shut down the antivirus/firewall and get a rundll32.exe application error when I double-click on ComboFix. Tried it in Safe Mode and get the same error. Tried running it from Windows Task Manager and get the same.

Is there another way to do this??

#7 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 02 June 2008 - 09:47 AM

Hmm, I'm wondering why rundll32.exe pops up here anyway, since ComboFix doesn't require rundll32.exe to run.
Can you rename ComboFix.exe to keaper.exe and then try to run it?

#8 keaper

keaper
  • Topic Starter

  • Members
  • 10 posts

Posted 02 June 2008 - 09:54 AM

No different :thumbsup:

#9 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 02 June 2008 - 09:55 AM

Strange...

Can you rescan with Deckard's System Scanner again and post the new log in your next reply?

#10 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 02 June 2008 - 09:58 AM

By the way, what happens if you just click OK for the rundll32.exe error? Does it then continue to run?

#11 keaper

keaper
  • Topic Starter

  • Members
  • 10 posts

Posted 02 June 2008 - 10:01 AM

Deckard's System Scanner v20071014.68
Run by Administrator on 2008-06-03 00:57:45
Computer is in Normal Mode.
--------------------------------------------------------------------------------

System Drive Q: has 38.25 GiB (less than 15%) free.


-- HijackThis (run as Administrator.exe) ---------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:57:56 AM, on 3/06/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
Q:\WINDOWS\System32\smss.exe
Q:\WINDOWS\system32\winlogon.exe
Q:\WINDOWS\system32\services.exe
Q:\WINDOWS\system32\lsass.exe
Q:\WINDOWS\system32\svchost.exe
Q:\WINDOWS\System32\svchost.exe
Q:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
Q:\WINDOWS\system32\spoolsv.exe
Q:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
Q:\Program Files\Bonjour\mDNSResponder.exe
Q:\WINDOWS\System32\svchost.exe
Q:\Program Files\Powerware\LanSafe\Bin\PowerMonitor.exe
Q:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
Q:\Program Files\Powerware\LanSafe\Bin\LSTrayAgent.exe
Q:\WINDOWS\system32\nvsvc32.exe
Q:\WINDOWS\system32\oodag.exe
Q:\WINDOWS\system32\PnkBstrA.exe
Q:\Program Files\Powerware\LanSafe\bin\xyntservice.exe
Q:\Program Files\Powerware\LanSafe\bin\httpserver.exe
Q:\Program Files\Powerware\LanSafe\bin\status_glance.exe
Q:\WINDOWS\explorer.exe
Q:\WINDOWS\RTHDCPL.EXE
Q:\Program Files\Google\Google Talk\googletalk.exe
Q:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
Q:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
Q:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
Q:\WINDOWS\system32\ctfmon.exe
Q:\WINDOWS\mrofinu1869.exe
Q:\Program Files\PeerGuardian2\pg2.exe
Q:\Program Files\SlySoft\AnyDVD\AnyDVDtray.exe
Q:\Program Files\Windows Media Player\WMPNSCFG.exe
Q:\Program Files\BWMeter\BWMeter.exe
Q:\Program Files\MagicDisc\MagicDisc.exe
Q:\WINDOWS\17PHolmes1869.exe
Q:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
Q:\Program Files\Mozilla Firefox\firefox.exe
Q:\Documents and Settings\Administrator\Desktop\dss.exe
Q:\PROGRA~1\TRENDM~1\HIJACK~1\ADMINI~1.EXE

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O1 - Hosts: 66.98.148.65 auto.search.msn.com
O1 - Hosts: 66.98.148.65 auto.search.msn.es
O2 - BHO: (no name) - {048AAF82-DF81-4B43-A85A-D53497EA8012} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - Q:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0B160305-D4AC-47E4-95EC-F0A5509ADCD5} - Q:\WINDOWS\system32\wvUoNHAt.dll (file missing)
O2 - BHO: (no name) - {4EC41B93-CE4F-4687-95E7-C6A3154A305C} - Q:\WINDOWS\system32\khfFyvUk.dll
O2 - BHO: (no name) - {5502D47E-EEB3-41C2-8F7C-8AEFE3564CEB} - (no file)
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - Q:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.5\coIEPlg.dll
O2 - BHO: (no name) - {6A561351-E3BE-42CE-8228-38F1C1FD65DB} - Q:\WINDOWS\system32\cbXNHBTJ.dll (file missing)
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - Q:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - Q:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: (no name) - {79AB5D84-78F6-487B-ABB6-073A90931E97} - (no file)
O2 - BHO: (no name) - {8053AF4F-F35D-4EC6-A411-039EFB515CD8} - Q:\WINDOWS\system32\vtUolIay.dll
O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - Q:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.5\CoIEPlg.dll
O4 - HKLM\..\Run: [NeroFilterCheck] Q:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [JMB36X IDE Setup] Q:\WINDOWS\RaidTool\xInsIDE.exe
O4 - HKLM\..\Run: [36X Raid Configurer] Q:\WINDOWS\system32\xRaidSetup.exe boot
O4 - HKLM\..\Run: [googletalk] Q:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE Q:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE Q:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ISUSScheduler] "Q:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [QuickTime Task] "Q:\Program Files\QuickTime Alternative\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TFMBM] Q:\PROGRA~1\MINGBA~1\MBM.exe
O4 - HKLM\..\Run: [ccApp] "Q:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "Q:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [Microsoft WinUpdate] Q:\WINDOWS\system32\msupdte.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "Q:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [BM57c1efe6] Rundll32.exe "Q:\WINDOWS\system32\pwpkqojs.dll",s
O4 - HKLM\..\Run: [000000af] rundll32.exe "Q:\WINDOWS\system32\rionqqmk.dll",b
O4 - HKLM\..\Run: [runner1] Q:\WINDOWS\mrofinu1869.exe 61A847B5BBF728133A9D31466188719AB689201522886B092CBD44BD8689220221DD3257
O4 - HKCU\..\Run: [ctfmon.exe] Q:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PeerGuardian] Q:\Program Files\PeerGuardian2\pg2.exe
O4 - HKCU\..\Run: [AnyDVD] Q:\Program Files\SlySoft\AnyDVD\AnyDVDtray.exe
O4 - HKCU\..\Run: [WMPNSCFG] Q:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Policies\Explorer\Run: [Windows Security Tool] WinSecure.exe
O4 - S-1-5-18 Startup: BWMeter.lnk = Q:\Program Files\BWMeter\BWMeter.exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: MagicDisc.lnk = Q:\Program Files\MagicDisc\MagicDisc.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: BWMeter.lnk = Q:\Program Files\BWMeter\BWMeter.exe (User 'Default user')
O4 - .DEFAULT Startup: MagicDisc.lnk = Q:\Program Files\MagicDisc\MagicDisc.exe (User 'Default user')
O4 - Startup: BWMeter.lnk = Q:\Program Files\BWMeter\BWMeter.exe
O4 - Startup: MagicDisc.lnk = Q:\Program Files\MagicDisc\MagicDisc.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://Q:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - Q:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - Q:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - Q:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - Q:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - Q:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - Q:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - Q:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl.sun.com/webapps/download/AutoDL?BundleId=21871
O20 - AppInit_DLLs: Q:\WINDOWS\system32\__c0095530.dat
O20 - Winlogon Notify: ssqOgEvv - Q:\WINDOWS\
O20 - Winlogon Notify: ssqPhFYp - Q:\WINDOWS\
O20 - Winlogon Notify: vtUolIay - Q:\WINDOWS\SYSTEM32\vtUolIay.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - Q:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - Q:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - Q:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - Q:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - Q:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - Q:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - Q:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: LanSafe Power Monitor (LanSafe PM) - Eaton Corporation - Q:\Program Files\Powerware\LanSafe\Bin\PowerMonitor.exe
O23 - Service: LanSafe Process Manager - Powerware - Q:\Program Files\Powerware\LanSafe\bin\xyntservice.exe
O23 - Service: LiveUpdate - Symantec Corporation - Q:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - Q:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - Q:\WINDOWS\system32\nvsvc32.exe
O23 - Service: O&O Defrag - O&O Software GmbH - Q:\WINDOWS\system32\oodag.exe
O23 - Service: PnkBstrA - Unknown owner - Q:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Symantec Core LC - Unknown owner - Q:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe

--
End of file - 9140 bytes

-- Files created between 2008-05-03 and 2008-06-03 -----------------------------

2008-06-03 00:29:31 57344 --a------ Q:\WINDOWS\system32\qoMEUNdd.dll
2008-06-03 00:16:49 114176 --a------ Q:\WINDOWS\system32\rionqqmk.dll
2008-06-03 00:11:28 126464 --a------ Q:\WINDOWS\system32\pwpkqojs.dll
2008-06-03 00:10:48 269658 --ahs---- Q:\WINDOWS\system32\ayyyGfhk.ini2
2008-06-03 00:10:41 373248 --a------ Q:\WINDOWS\system32\khfGyyya.dll
2008-06-03 00:05:43 0 d-------- Q:\Documents and Settings\All Users\Application Data\Adsl Software Limited
2008-06-03 00:05:35 57344 --a------ Q:\WINDOWS\system32\vtUolIay.dll
2008-06-02 23:28:50 51200 --a------ Q:\WINDOWS\system32\__c0095530.dat
2008-06-02 23:28:49 51200 --a------ Q:\WINDOWS\system32\kjrxstqp.dll
2008-06-02 23:22:50 51200 --a------ Q:\WINDOWS\system32\lcrwclfd.dll
2008-06-02 23:19:50 114176 --a------ Q:\WINDOWS\system32\rrefhuwu.dll
2008-06-02 23:14:30 126464 --a------ Q:\WINDOWS\system32\plnniocx.dll
2008-06-02 23:13:49 274467 --ahs---- Q:\WINDOWS\system32\kUvyFfhk.ini2
2008-06-02 23:13:40 373248 --a------ Q:\WINDOWS\system32\khfFyvUk.dll
2008-06-02 23:09:12 57344 --a------ Q:\WINDOWS\system32\mlJArroO.dll
2008-06-02 22:19:02 0 d-------- Q:\327882R2FWJFW
2008-06-02 22:01:13 57344 --a------ Q:\WINDOWS\system32\wvUnKAsS.dll
2008-06-02 21:57:09 126464 --a------ Q:\WINDOWS\system32\agsvnqik.dll
2008-06-02 21:56:28 345 --ahs---- Q:\WINDOWS\system32\MnoYbccf.ini2
2008-06-02 21:56:21 373248 --a------ Q:\WINDOWS\system32\fccbYonM.dll
2008-06-02 20:36:46 57344 --a------ Q:\WINDOWS\system32\qoMcawVN.dll
2008-06-02 19:33:31 57344 --a------ Q:\WINDOWS\system32\yayxyvWM.dll
2008-06-02 18:47:45 51200 --a------ Q:\WINDOWS\system32\__c0079E31.dat
2008-06-02 18:47:43 51200 --a------ Q:\WINDOWS\system32\beialvay.dll
2008-06-02 18:47:42 51200 --a------ Q:\WINDOWS\system32\bxjisrtp.dll
2008-06-02 18:44:42 114176 --a------ Q:\WINDOWS\system32\yerfwhgw.dll
2008-06-02 18:42:08 126464 --a------ Q:\WINDOWS\system32\ksxcfiku.dll
2008-06-02 01:40:45 0 d-------- Q:\t2
2008-06-01 18:53:11 114176 --a------ Q:\WINDOWS\system32\hrqkgqif.dll
2008-06-01 18:47:12 51200 --a------ Q:\WINDOWS\system32\__c0021AB5.dat
2008-06-01 18:47:11 51200 --a------ Q:\WINDOWS\system32\kjbjgifr.dll
2008-06-01 18:41:30 126464 --a------ Q:\WINDOWS\system32\ysfnajuh.dll
2008-06-01 18:41:10 481095 --ahs---- Q:\WINDOWS\system32\hhRAyyay.ini2
2008-06-01 18:18:42 57344 --a------ Q:\WINDOWS\system32\wvUlllIx.dll
2008-06-01 17:31:23 51200 --a------ Q:\WINDOWS\system32\chbddtbx.dll
2008-06-01 17:31:22 51200 --a------ Q:\WINDOWS\system32\ewrqyguo.dll
2008-06-01 17:31:20 51200 --a------ Q:\WINDOWS\system32\raeoogej.dll
2008-06-01 17:31:14 0 d-------- Q:\Program Files\Trend Micro
2008-06-01 17:28:25 51200 --a------ Q:\WINDOWS\system32\vjnbuibe.dll
2008-06-01 17:28:23 51200 --a------ Q:\WINDOWS\system32\mjcufttm.dll
2008-06-01 17:28:21 51200 --a------ Q:\WINDOWS\system32\pyxnlqdn.dll
2008-06-01 17:25:23 51200 --a------ Q:\WINDOWS\system32\fevlqjbq.dll
2008-06-01 17:25:22 51200 --a------ Q:\WINDOWS\system32\selvpijx.dll
2008-06-01 17:25:20 51200 --a------ Q:\WINDOWS\system32\naajrtqv.dll
2008-06-01 17:22:23 51200 --a------ Q:\WINDOWS\system32\kytxpvvp.dll
2008-06-01 17:22:22 51200 --a------ Q:\WINDOWS\system32\tqmlqknt.dll
2008-06-01 17:22:20 51200 --a------ Q:\WINDOWS\system32\seoqvkij.dll
2008-06-01 17:19:23 51200 --a------ Q:\WINDOWS\system32\xtibktfs.dll
2008-06-01 17:19:21 51200 --a------ Q:\WINDOWS\system32\sykhjlsk.dll
2008-06-01 17:19:20 51200 --a------ Q:\WINDOWS\system32\urabeoww.dll
2008-06-01 17:16:22 51200 --a------ Q:\WINDOWS\system32\fsatecra.dll
2008-06-01 17:16:21 51200 --a------ Q:\WINDOWS\system32\acgkxogu.dll
2008-06-01 17:16:20 51200 --a------ Q:\WINDOWS\system32\cdnahhfo.dll
2008-06-01 17:13:22 51200 --a------ Q:\WINDOWS\system32\novjywaf.dll
2008-06-01 17:13:21 51200 --a------ Q:\WINDOWS\system32\cwuoofeh.dll
2008-06-01 17:11:01 126464 --a------ Q:\WINDOWS\system32\amgcchcs.dll
2008-06-01 17:10:20 479326 --ahs---- Q:\WINDOWS\system32\ghRuuBeg.ini2
2008-06-01 15:20:37 472007 --ahs---- Q:\WINDOWS\system32\mpWvvyxx.ini2
2008-06-01 07:17:54 0 d-------- Q:\Program Files\Sun
2008-06-01 00:56:32 41984 --a------ Q:\WINDOWS\mrofinu1869.exe
2008-06-01 00:55:54 57344 --a------ Q:\WINDOWS\system32\hgGVNgDw.dll
2008-06-01 00:03:11 0 d-------- Q:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-06-01 00:03:10 0 d-------- Q:\WINDOWS\system32\Kaspersky Lab
2008-05-31 23:44:33 0 d-------- Q:\VundoFix Backups
2008-05-31 21:57:50 0 d-------- Q:\Program Files\Lavasoft
2008-05-31 21:57:49 0 d-------- Q:\Documents and Settings\All Users\Application Data\Lavasoft
2008-05-31 21:27:00 114176 --a------ Q:\WINDOWS\system32\dcqligpw.dll
2008-05-31 21:18:01 51200 --a------ Q:\WINDOWS\system32\__c00CD78.dat
2008-05-31 21:18:00 51200 --a------ Q:\WINDOWS\system32\nxidumja.dll
2008-05-31 21:15:42 126464 --a------ Q:\WINDOWS\system32\pydhrfsj.dll
2008-05-31 21:14:59 499205 --ahs---- Q:\WINDOWS\system32\kmlllUvw.ini2
2008-05-31 21:11:12 57344 --a------ Q:\WINDOWS\system32\rqRLeDwU.dll
2008-05-31 19:58:22 57344 --a------ Q:\WINDOWS\system32\fccYrPJD.dll
2008-05-31 18:04:04 51200 --a------ Q:\WINDOWS\system32\rxfhamti.dll
2008-05-31 17:52:46 122356 --a------ Q:\WINDOWS\system32\jceprwxd.dll
2008-05-31 17:52:03 472447 --ahs---- Q:\WINDOWS\system32\JTBHNXbc.ini2
2008-05-31 16:21:45 51200 --a------ Q:\WINDOWS\system32\kurbrimx.dll
2008-05-31 16:10:26 122356 --a------ Q:\WINDOWS\system32\uaildehy.dll
2008-05-31 16:09:44 482773 --ahs---- Q:\WINDOWS\system32\BJPWEfhk.ini2
2008-05-31 15:11:56 0 d-------- Q:\Documents and Settings\Administrator\Application Data\Malwarebytes
2008-05-31 15:11:50 0 d-------- Q:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-05-31 15:11:49 0 d-------- Q:\Program Files\Malwarebytes' Anti-Malware
2008-05-31 13:11:06 472160 --ahs---- Q:\WINDOWS\system32\ggNoYcdd.ini2
2008-05-31 10:46:19 122356 --a------ Q:\WINDOWS\system32\isdlujgd.dll
2008-05-31 10:45:37 471525 --ahs---- Q:\WINDOWS\system32\DJRXHRqr.ini2
2008-05-31 07:09:51 0 dr-h----- Q:\Documents and Settings\LocalService\Recent
2008-05-31 00:28:13 51200 --a------ Q:\WINDOWS\system32\xshtnnfd.dll
2008-05-30 12:23:14 116224 --a------ Q:\WINDOWS\system32\xfcttquh.dll
2008-05-30 12:22:32 471443 --ahs---- Q:\WINDOWS\system32\tAHNoUvw.ini2
2008-05-30 12:12:37 885248 --a------ Q:\WINDOWS\system32\WinSecure.exe
2008-05-30 12:12:35 37888 --a------ Q:\WINDOWS\system32\rar.exe <Not Verified; Microsoft Corporation; Microsoft® Windows ® 2000 Operating System>
2008-05-29 16:35:07 0 d-------- Q:\t
2008-05-29 16:29:04 0 d-------- Q:\WINDOWS\WinAVI Video Converter 9.0
2008-05-29 16:29:03 0 d-------- Q:\Program Files\WinAVI Video Converter 9.0
2008-05-29 16:27:35 885248 --a------ Q:\WINDOWS\system32\msupdte.exe
2008-05-27 16:55:16 0 d-------- Q:\Program Files\NaturalSoft
2008-05-27 16:54:46 0 d-------- Q:\WINDOWS\Downloaded Installations
2008-05-27 13:09:14 0 d-------- Q:\Documents and Settings\All Users\Application Data\Elaborate Bytes
2008-05-27 13:01:55 0 d-------- Q:\Program Files\Elaborate Bytes
2008-05-21 18:36:30 0 d-------- Q:\Documents and Settings\Administrator\Application Data\XLink Kai
2008-05-21 18:35:55 0 d-------- Q:\Program Files\XLink Kai
2008-05-09 23:39:49 0 d-------- Q:\WINDOWS\Prefetch
2008-05-09 23:33:50 0 d-------- Q:\WINDOWS\system32\scripting
2008-05-09 23:33:50 0 d-------- Q:\WINDOWS\system32\en
2008-05-09 23:33:50 0 d-------- Q:\WINDOWS\system32\bits
2008-05-09 23:33:50 0 d-------- Q:\WINDOWS\l2schemas
2008-05-09 23:31:47 0 d-------- Q:\WINDOWS\ServicePackFiles
2008-05-09 23:30:16 0 d-------- Q:\WINDOWS\network diagnostic
2008-05-09 21:56:10 0 d-------- Q:\Program Files\MSBuild
2008-05-09 21:55:03 0 d-------- Q:\WINDOWS\system32\XPSViewer
2008-05-09 21:54:37 0 d-------- Q:\Program Files\Reference Assemblies
2008-05-09 21:52:15 0 d-------- Q:\Program Files\MSXML 6.0
2008-05-09 01:58:55 0 d-------- Q:\Program Files\Windows Media Connect 2
2008-05-09 01:56:50 0 d-------- Q:\WINDOWS\system32\drivers\UMDF
2008-05-09 01:42:43 0 d-------- Q:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage


-- Find3M Report ---------------------------------------------------------------

2008-06-03 00:59:55 0 d-------- Q:\Program Files\PeerGuardian2
2008-06-03 00:52:11 0 d-------- Q:\Program Files\Common Files\Symantec Shared
2008-06-02 23:05:44 0 d-------- Q:\Program Files\Symantec
2008-06-02 18:58:01 0 d-------- Q:\Documents and Settings\Administrator\Application Data\Azureus
2008-06-02 16:31:08 0 d-------- Q:\Documents and Settings\Administrator\Application Data\mIRC
2008-06-02 16:30:07 0 d-------- Q:\Program Files\mIRC
2008-06-01 07:17:33 0 d-------- Q:\Program Files\Java
2008-06-01 01:05:51 0 d-------- Q:\Program Files\Common Files
2008-05-31 23:49:25 0 d-------- Q:\Program Files\PowerISO
2008-05-09 23:34:06 0 d-------- Q:\Program Files\Messenger
2008-05-09 23:33:49 0 d-------- Q:\Program Files\Movie Maker
2008-05-09 23:31:36 0 d-------- Q:\Program Files\Windows NT
2008-05-07 00:17:26 0 d-------- Q:\Program Files\IrfanView
2008-05-04 23:16:46 0 d-------- Q:\Program Files\BWMeter
2008-05-04 23:10:23 0 d-------- Q:\Documents and Settings\Administrator\Application Data\DeskSoft
2008-04-30 00:20:27 0 d-------- Q:\Program Files\Microsoft Silverlight
2008-04-26 18:03:39 0 d-------- Q:\Program Files\Norton Internet Security
2008-04-26 18:03:08 0 d-------- Q:\Program Files\Windows Sidebar
2008-04-26 17:36:15 0 d-------- Q:\Documents and Settings\Administrator\Application Data\Symantec
2008-04-18 18:21:09 0 d-------- Q:\Program Files\Azureus
2008-04-05 17:47:48 0 d-------- Q:\Documents and Settings\Administrator\Application Data\BWMonitor
2008-04-05 17:43:29 0 d-------- Q:\Program Files\MING Bandwidth Monitor


-- Registry Dump ---------------------------------------------------------------



-- End of Deckard's System Scanner: finished at 2008-06-03 01:00:06 ------------

#12 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  • Gender:Female
  • Location:Belgium
  • Local time:11:33 PM

Posted 02 June 2008 - 10:18 AM

Hi,

Please perform the following instructions in the right order...

* Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following:

O1 - Hosts: 66.98.148.65 auto.search.msn.com
O1 - Hosts: 66.98.148.65 auto.search.msn.es
O2 - BHO: (no name) - {048AAF82-DF81-4B43-A85A-D53497EA8012} - (no file)
O2 - BHO: (no name) - {0B160305-D4AC-47E4-95EC-F0A5509ADCD5} - Q:\WINDOWS\system32\wvUoNHAt.dll (file missing)
O2 - BHO: (no name) - {4EC41B93-CE4F-4687-95E7-C6A3154A305C} - Q:\WINDOWS\system32\khfFyvUk.dll
O2 - BHO: (no name) - {5502D47E-EEB3-41C2-8F7C-8AEFE3564CEB} - (no file)
O2 - BHO: (no name) - {6A561351-E3BE-42CE-8228-38F1C1FD65DB} - Q:\WINDOWS\system32\cbXNHBTJ.dll (file missing)
O2 - BHO: (no name) - {79AB5D84-78F6-487B-ABB6-073A90931E97} - (no file)
O2 - BHO: (no name) - {8053AF4F-F35D-4EC6-A411-039EFB515CD8} - Q:\WINDOWS\system32\vtUolIay.dll
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [TFMBM] Q:\PROGRA~1\MINGBA~1\MBM.exe
O4 - HKLM\..\Run: [Microsoft WinUpdate] Q:\WINDOWS\system32\msupdte.exe
O4 - HKLM\..\Run: [BM57c1efe6] Rundll32.exe "Q:\WINDOWS\system32\pwpkqojs.dll",s
O4 - HKLM\..\Run: [000000af] rundll32.exe "Q:\WINDOWS\system32\rionqqmk.dll",b
O4 - HKLM\..\Run: [runner1] Q:\WINDOWS\mrofinu1869.exe 61A847B5BBF728133A9D31466188719AB689201522886B092CBD44BD8689220221DD3257
O4 - HKCU\..\Policies\Explorer\Run: [Windows Security Tool] WinSecure.exe
O20 - AppInit_DLLs: Q:\WINDOWS\system32\__c0095530.dat
O20 - Winlogon Notify: ssqOgEvv - Q:\WINDOWS\
O20 - Winlogon Notify: ssqPhFYp - Q:\WINDOWS\
O20 - Winlogon Notify: vtUolIay - Q:\WINDOWS\SYSTEM32\vtUolIay.dll


* Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!

Don't worry if some entries won't get fixed. We'll deal with the stubborn ones afterwards. First let's delete what can be deleted.

Then,

* Please download OTMoveIt by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt.exe to run it.
  • Where it says: "Paste List of Files/Folders to be Moved", copy and paste the next bold part into that window:

    Q:\WINDOWS\system32\qoMEUNdd.dll
    Q:\WINDOWS\system32\rionqqmk.dll
    Q:\WINDOWS\system32\pwpkqojs.dll
    Q:\WINDOWS\system32\ayyyGfhk.ini2
    Q:\WINDOWS\system32\khfGyyya.dll
    Q:\WINDOWS\system32\vtUolIay.dll
    Q:\WINDOWS\system32\__c0095530.dat
    Q:\WINDOWS\system32\kjrxstqp.dll
    Q:\WINDOWS\system32\lcrwclfd.dll
    Q:\WINDOWS\system32\rrefhuwu.dll
    Q:\WINDOWS\system32\plnniocx.dll
    Q:\WINDOWS\system32\kUvyFfhk.ini2
    Q:\WINDOWS\system32\khfFyvUk.dll
    Q:\WINDOWS\system32\mlJArroO.dll
    Q:\327882R2FWJFW
    Q:\WINDOWS\system32\wvUnKAsS.dll
    Q:\WINDOWS\system32\agsvnqik.dll
    Q:\WINDOWS\system32\MnoYbccf.ini2
    Q:\WINDOWS\system32\fccbYonM.dll
    Q:\WINDOWS\system32\qoMcawVN.dll
    Q:\WINDOWS\system32\yayxyvWM.dll
    Q:\WINDOWS\system32\__c0079E31.dat
    Q:\WINDOWS\system32\beialvay.dll
    Q:\WINDOWS\system32\bxjisrtp.dll
    Q:\WINDOWS\system32\yerfwhgw.dll
    Q:\WINDOWS\system32\ksxcfiku.dll
    Q:\t2
    Q:\t
    Q:\WINDOWS\system32\hrqkgqif.dll
    Q:\WINDOWS\system32\__c0021AB5.dat
    Q:\WINDOWS\system32\kjbjgifr.dll
    Q:\WINDOWS\system32\ysfnajuh.dll
    Q:\WINDOWS\system32\hhRAyyay.ini2
    Q:\WINDOWS\system32\wvUlllIx.dll
    Q:\WINDOWS\system32\chbddtbx.dll
    Q:\WINDOWS\system32\ewrqyguo.dll
    Q:\WINDOWS\system32\raeoogej.dll
    Q:\WINDOWS\system32\vjnbuibe.dll
    Q:\WINDOWS\system32\mjcufttm.dll
    Q:\WINDOWS\system32\pyxnlqdn.dll
    Q:\WINDOWS\system32\fevlqjbq.dll
    Q:\WINDOWS\system32\selvpijx.dll
    Q:\WINDOWS\system32\naajrtqv.dll
    Q:\WINDOWS\system32\kytxpvvp.dll
    Q:\WINDOWS\system32\tqmlqknt.dll
    Q:\WINDOWS\system32\seoqvkij.dll
    Q:\WINDOWS\system32\xtibktfs.dll
    Q:\WINDOWS\system32\sykhjlsk.dll
    Q:\WINDOWS\system32\urabeoww.dll
    Q:\WINDOWS\system32\fsatecra.dll
    Q:\WINDOWS\system32\acgkxogu.dll
    Q:\WINDOWS\system32\cdnahhfo.dll
    Q:\WINDOWS\system32\novjywaf.dll
    Q:\WINDOWS\system32\cwuoofeh.dll
    Q:\WINDOWS\system32\amgcchcs.dll
    Q:\WINDOWS\system32\ghRuuBeg.ini2
    Q:\WINDOWS\system32\mpWvvyxx.ini2
    Q:\WINDOWS\mrofinu1869.exe
    Q:\WINDOWS\system32\hgGVNgDw.dll
    Q:\VundoFix Backups
    Q:\WINDOWS\system32\dcqligpw.dll
    Q:\WINDOWS\system32\__c00CD78.dat
    Q:\WINDOWS\system32\nxidumja.dll
    Q:\WINDOWS\system32\pydhrfsj.dll
    Q:\WINDOWS\system32\kmlllUvw.ini2
    Q:\WINDOWS\system32\rqRLeDwU.dll
    Q:\WINDOWS\system32\fccYrPJD.dll
    Q:\WINDOWS\system32\rxfhamti.dll
    Q:\WINDOWS\system32\jceprwxd.dll
    Q:\WINDOWS\system32\JTBHNXbc.ini2
    Q:\WINDOWS\system32\kurbrimx.dll
    Q:\WINDOWS\system32\uaildehy.dll
    Q:\WINDOWS\system32\BJPWEfhk.ini2
    Q:\WINDOWS\system32\ggNoYcdd.ini2
    Q:\WINDOWS\system32\isdlujgd.dll
    Q:\WINDOWS\system32\DJRXHRqr.ini2
    Q:\WINDOWS\system32\xshtnnfd.dll
    Q:\WINDOWS\system32\xfcttquh.dll
    Q:\WINDOWS\system32\tAHNoUvw.ini2
    Q:\WINDOWS\system32\WinSecure.exe
    Q:\WINDOWS\system32\rar.exe
    Q:\WINDOWS\system32\msupdte.exe
    Q:\Documents and Settings\Administrator\Local Settings\Temp\Installer-Crack-Keygen.exe
    Q:\Documents and Settings\Administrator\Desktop\SlySoft\CloneDVD mobile 1.1.6.0\keygen.exe



  • Then click the red Moveit! button on top.
  • Close OTMoveIt
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine, choose Yes. It will then reboot your computer.
Even if OTMoveIt didn't ask to reboot your computer, reboot anyway, since moved files may still be in use.

Then, after the reboot, go to the following folder: C:\_OTMoveIt\MovedFiles and search for the log: ********_******.log (the * stands for date and time) and post its contents in your next reply together with a new log from Deckard's System Scanner.


By the way... Is your Norton version up to date? Because it surprises me that it didn't detect/delete all the files here. Unless you are also using a hacked/cracked version. Please let me know, because it's important that you have a properly working antivirus which is up to date and no trial/hacked/cracked/whatever version.
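A heuristic triage script for HijackThis lines, written as an added example for this thread (it is not HijackThis, OTMoveIt or the helper's own tooling). The rules mirror the kinds of entries the helper asked to fix above, the sample lines are copied from the log posted earlier in the thread, and the names `looks_random`, `triage_line` and `triage_log` are chosen here.

```python
"""Heuristic triage of HijackThis log lines for Vundo/Virtumonde-style persistence.

Constructed example for this thread. The rules encode what the helper singled out:
hosts-file redirects, BHOs listed as "(no name)", Run values with hex-like names,
rundll32 calling a single-letter export, long hex command arguments, autostarts
under the Policies Explorer Run key, AppInit_DLLs entries and Winlogon Notify
handlers backed by no DLL. It is a review aid for a human, not a verdict.
"""
import re
from typing import Dict, List

SECTION_RE = re.compile(r"^(O\d+|R\d+) - (.*)$")
RUN_NAME_RE = re.compile(r"\[([^\]]+)\]")
HEX_RUN_NAME_RE = re.compile(r"^(?:BM)?[0-9a-f]{8}$", re.IGNORECASE)
HEX_BLOB_RE = re.compile(r"\b[0-9A-Fa-f]{32,}\b")
# rundll32 <dll>,<one letter>: the export style seen in the thread (",s" / ",b")
SINGLE_EXPORT_RE = re.compile(r'rundll32(?:\.exe)?\s+"?[^",]+\.dll"?,(\w)(?:\s|$)', re.IGNORECASE)
# Eight-letter file names such as khfFyvUk.dll or vtUolIay.dll
EIGHT_LETTER_RE = re.compile(r"[\\/]([A-Za-z]{8})\.(?:dll|dat)\b")
LOOPBACK = ("127.", "::1")


def looks_random(name: str) -> bool:
    """True for 8-letter names with mixed case after the first letter or at most
    two vowels; legitimate names like browseui keep one case and normal vowels."""
    vowels = sum(c in "aeiouAEIOU" for c in name)
    mixed = any(c.isupper() for c in name[1:]) and any(c.islower() for c in name)
    return mixed or vowels <= 2


def triage_line(line: str) -> List[str]:
    """Return the reasons one HijackThis line deserves a closer look ([] if none)."""
    reasons: List[str] = []
    m = SECTION_RE.match(line.strip())
    if not m:
        return reasons
    section, body = m.groups()
    if section == "O1" and body.startswith("Hosts:"):
        parts = body.split()
        if len(parts) >= 3 and not parts[1].startswith(LOOPBACK):
            reasons.append("hosts file points a hostname at a remote IP")
    elif section == "O2":
        if "(no name)" in body:
            reasons.append("BHO registered without a name")
    elif section == "O4":
        name = RUN_NAME_RE.search(body)
        if name and HEX_RUN_NAME_RE.match(name.group(1)):
            reasons.append("Run value named with a hex-like id")
        if "Policies\\Explorer\\Run" in body:
            reasons.append("autostart hidden under Policies\\Explorer\\Run")
        if HEX_BLOB_RE.search(body):
            reasons.append("command line carries a long hex blob")
        if SINGLE_EXPORT_RE.search(body):
            reasons.append("rundll32 calls a single-letter export")
    elif section == "O20":
        if body.startswith("AppInit_DLLs:"):
            reasons.append("AppInit_DLLs is loaded into every user32 process")
        elif body.startswith("Winlogon Notify:") and body.rstrip().endswith("\\"):
            reasons.append("Winlogon Notify handler with no DLL file")
    if section in ("O2", "O20"):  # random-name test only where it is reliable
        for fname in EIGHT_LETTER_RE.findall(body):
            if looks_random(fname):
                reasons.append("random-looking file name " + fname)
    return reasons


def triage_log(text: str) -> Dict[str, List[str]]:
    """Map each flagged line of a HijackThis log to the reasons it was flagged."""
    flagged: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        reasons = triage_line(raw)
        if reasons:
            flagged[raw.strip()] = reasons
    return flagged


# Lines copied from the HijackThis log posted in this thread (benign ones included)
SAMPLE_LOG = r"""
O1 - Hosts: 66.98.148.65 auto.search.msn.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - Q:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4EC41B93-CE4F-4687-95E7-C6A3154A305C} - Q:\WINDOWS\system32\khfFyvUk.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - Q:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE Q:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [BM57c1efe6] Rundll32.exe "Q:\WINDOWS\system32\pwpkqojs.dll",s
O4 - HKLM\..\Run: [runner1] Q:\WINDOWS\mrofinu1869.exe 61A847B5BBF728133A9D31466188719AB689201522886B092CBD44BD8689220221DD3257
O4 - HKCU\..\Policies\Explorer\Run: [Windows Security Tool] WinSecure.exe
O4 - HKCU\..\Run: [ctfmon.exe] Q:\WINDOWS\system32\ctfmon.exe
O20 - AppInit_DLLs: Q:\WINDOWS\system32\__c0095530.dat
O20 - Winlogon Notify: ssqOgEvv - Q:\WINDOWS\
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - Q:\WINDOWS\system32\nvsvc32.exe
"""

if __name__ == "__main__":
    for entry, why in triage_log(SAMPLE_LOG).items():
        print(entry)
        for reason in why:
            print("    -", reason)
```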

#13 keaper

keaper
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:07:33 AM

Posted 02 June 2008 - 09:19 PM

Hi

Having some major dramas here now.
In answer to your question earlier, when I clicked on the OK of the rundll32.exe error, nothing happened: no application, only 3 more error boxes titled RUNDLL32.exe application error, cmd application error and CMD application error. Applications will not start at all.

So I've followed the steps above and I'm at a point where I can go no further.
Have done the HJT without problem, selecting only those you listed, and then downloaded OTMoveIt and copied the list. It told me to restart, like your instructions said. After the restart I get the same userinit application error and the same blank desktop. I then press CTRL-ALT-DEL for Windows Task Manager and get a box saying Windows Task Manager has been disabled by Administrator.
Can I do anything to get past this?

I only have limited access to another PC. Hoping to hear good news.

:thumbsup: :wacko: :(

Edited by keaper, 02 June 2008 - 09:20 PM.


#14 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  • Gender:Female
  • Location:Belgium
  • Local time:11:33 PM

Posted 03 June 2008 - 12:29 AM

Hi,

Well, this actually didn't surprise me at all. As you can see, your system is severely infected and malware damages a lot. That's what I already tried to tell you in my first post.
Not sure if we can still save this computer, and even if we can get it up and running again, not sure if it's worth it because of the huge amount of malware. That's why in some cases it's better to format and reinstall, since this is the fastest and especially the safest method.

Can you run Windows in safe mode? Have you also tried safe mode with command prompt?
Have you also tried Last Known Good from safe mode?

But as I said - I have a bad feeling about this though...

#15 keaper

keaper
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:07:33 AM

Posted 03 June 2008 - 02:43 AM

Hi

I've attempted Normal Mode, Safe Mode, Last Known Good and Safe Mode with Command Prompt. Each of them has the userinit.exe application error and Windows Task Manager disabled by Administrator.

Norton Internet Security 2008 is legitimate and up to date. I did a full system scan last night before we started to resolve these problems. It found nothing, while Spybot S&D continuously found Virtumonde, Vundo & Vlob downloader.

I am going to see if I can find an HD to reinstall. Is there anything else we can try? I don't want to lose what I have on the hard drive.
It might take a day or two to find my disks and a hard drive, so if anything else could work please let me know.

Hope there's more good news :thumbsup:
