
Help Have Vundo


  • This topic is locked
3 replies to this topic

#1 jcutrono

  • Members
  • 2 posts

Posted 03 June 2008 - 09:34 PM

Hi,
First-time poster; I received the Virtumundo trojan and cannot get rid of it. Posting my HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:32:45 PM, on 6/3/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Desktop\Desktop\memcached-1.2.1-win32\memcached.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZuneBusEnum.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Mozilla Firefox 3 Beta 5\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra button: IE Developer Toolbar - {48FFE35F-36D9-44bd-A6CC-1D34414EAC0D} - C:\Program Files\Microsoft\Internet Explorer Developer Toolbar\IEDevToolbar.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1152835655593
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1160925954375
O16 - DPF: {7557F5AA-D486-401D-BE55-0163FA78B5B8} (SkyFex Expert Object) - https://skyfex.com/download/SkyFexExpert.cab
O16 - DPF: {F84E0B64-1E86-4640-8094-5B38CEB28C1E} (SkyFex Client Object) - https://skyfex.com/download/SkyFexClient.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Google Desktop Manager 5.7.802.22438 (GoogleDesktopManager-022208-143751) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: memcached Server - Danga Interactive, Inc. - C:\Documents and Settings\Desktop\Desktop\memcached-1.2.1-win32\memcached.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: wampapache - Apache Software Foundation - c:\wamp\bin\apache\apache2.2.8\bin\httpd.exe
O23 - Service: wampmysqld - Unknown owner - c:\wamp\bin\mysql\mysql5.0.51a\bin\mysqld-nt.exe

--
End of file - 5102 bytes



_______________________________

Also, this is the log from VirtumundoBeGone.exe:


[06/03/2008, 21:51:27] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\Desktop\Desktop\VirtumundoBeGone.exe" )
[06/03/2008, 21:51:33] - Detected System Information:
[06/03/2008, 21:51:33] - Windows Version: 5.1.2600, Service Pack 3
[06/03/2008, 21:51:33] - Current Username: Desktop (Admin)
[06/03/2008, 21:51:33] - Windows is in SAFE mode.
[06/03/2008, 21:51:33] - Searching for Browser Helper Objects:
[06/03/2008, 21:51:33] - BHO 1: {522E0112-EDD9-413D-A99E-C311A54B6676} ()
[06/03/2008, 21:51:33] - WARNING: BHO has no default name. Checking for Winlogon reference.
[06/03/2008, 21:51:33] - Checking for HKLM\...\Winlogon\Notify\qoMghfDS
[06/03/2008, 21:51:33] - Found: HKLM\...\Winlogon\Notify\qoMghfDS - This is probably Virtumundo.
[06/03/2008, 21:51:33] - Assigning {522E0112-EDD9-413D-A99E-C311A54B6676} MSEvents Object
[06/03/2008, 21:51:33] - BHO list has been changed! Starting over...
[06/03/2008, 21:51:33] - BHO 1: {522E0112-EDD9-413D-A99E-C311A54B6676} (MSEvents Object)
[06/03/2008, 21:51:33] - ALERT: Found MSEvents Object!
[06/03/2008, 21:51:33] - BHO 2: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[06/03/2008, 21:51:33] - BHO 3: {839099f8-8e6d-4a57-ab5a-cae1b4e2b8c2} ()
[06/03/2008, 21:51:33] - WARNING: BHO has no default name. Checking for Winlogon reference.
[06/03/2008, 21:51:33] - Checking for HKLM\...\Winlogon\Notify\cedxtfce
[06/03/2008, 21:51:33] - Key not found: HKLM\...\Winlogon\Notify\cedxtfce, continuing.
[06/03/2008, 21:51:33] - BHO 4: {9F688F5D-42B7-41A5-B409-F6A84D8DC3BB} ()
[06/03/2008, 21:51:33] - WARNING: BHO has no default name. Checking for Winlogon reference.
[06/03/2008, 21:51:33] - Checking for HKLM\...\Winlogon\Notify\mlJDSklK
[06/03/2008, 21:51:33] - Key not found: HKLM\...\Winlogon\Notify\mlJDSklK, continuing.
[06/03/2008, 21:51:33] - BHO 5: {CC7E636D-39AA-49b6-B511-65413DA137A1} (IE Developer Toolbar BHO)
[06/03/2008, 21:51:33] - Finished Searching Browser Helper Objects
[06/03/2008, 21:51:33] - *** Detected MSEvents Object
[06/03/2008, 21:51:33] - Trying to remove MSEvents Object...
[06/03/2008, 21:51:34] - Terminating Process: IEXPLORE.EXE
[06/03/2008, 21:51:34] - Terminating Process: RUNDLL32.EXE
[06/03/2008, 21:51:34] - Disabling Automatic Shell Restart
[06/03/2008, 21:51:34] - Terminating Process: EXPLORER.EXE
[06/03/2008, 21:51:35] - Suspending the NT Session Manager System Service
[06/03/2008, 21:51:35] - Terminating Windows NT Logon/Logoff Manager
[06/03/2008, 21:51:35] - Re-enabling Automatic Shell Restart
[06/03/2008, 21:51:35] - File to disable: C:\WINDOWS\system32\qoMghfDS.dll
[06/03/2008, 21:51:35] - Renaming C:\WINDOWS\system32\qoMghfDS.dll -> C:\WINDOWS\system32\qoMghfDS.dll.vir
[06/03/2008, 21:51:35] - File successfully renamed!
[06/03/2008, 21:51:35] - Removing HKLM\...\Browser Helper Objects\{522E0112-EDD9-413D-A99E-C311A54B6676}
[06/03/2008, 21:51:35] - Removing HKCR\CLSID\{522E0112-EDD9-413D-A99E-C311A54B6676}
[06/03/2008, 21:51:35] - Adding Kill Bit for ActiveX for GUID: {522E0112-EDD9-413D-A99E-C311A54B6676}
[06/03/2008, 21:51:35] - Deleting ATLEvents/MSEvents Registry entries
[06/03/2008, 21:51:35] - Removing HKLM\...\Winlogon\Notify\qoMghfDS
[06/03/2008, 21:51:35] - Searching for Browser Helper Objects:
[06/03/2008, 21:51:35] - BHO 1: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[06/03/2008, 21:51:35] - BHO 2: {839099f8-8e6d-4a57-ab5a-cae1b4e2b8c2} ()
[06/03/2008, 21:51:35] - WARNING: BHO has no default name. Checking for Winlogon reference.
[06/03/2008, 21:51:35] - Checking for HKLM\...\Winlogon\Notify\cedxtfce
[06/03/2008, 21:51:35] - Key not found: HKLM\...\Winlogon\Notify\cedxtfce, continuing.
[06/03/2008, 21:51:35] - BHO 3: {9F688F5D-42B7-41A5-B409-F6A84D8DC3BB} ()
[06/03/2008, 21:51:35] - WARNING: BHO has no default name. Checking for Winlogon reference.
[06/03/2008, 21:51:35] - Checking for HKLM\...\Winlogon\Notify\mlJDSklK
[06/03/2008, 21:51:35] - Key not found: HKLM\...\Winlogon\Notify\mlJDSklK, continuing.
[06/03/2008, 21:51:35] - BHO 4: {CC7E636D-39AA-49b6-B511-65413DA137A1} (IE Developer Toolbar BHO)
[06/03/2008, 21:51:35] - Finished Searching Browser Helper Objects
[06/03/2008, 21:51:35] - Finishing up...
[06/03/2008, 21:51:35] - A restart is needed.
[06/03/2008, 21:51:43] - Attempting to Restart via STOP error (Blue Screen!)

[06/03/2008, 22:09:49] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\Desktop\Desktop\VirtumundoBeGone.exe" )
[06/03/2008, 22:09:51] - Detected System Information:
[06/03/2008, 22:09:51] - Windows Version: 5.1.2600, Service Pack 3
[06/03/2008, 22:09:51] - Current Username: Desktop (Admin)
[06/03/2008, 22:09:51] - Windows is in SAFE mode with Networking.
[06/03/2008, 22:09:51] - Searching for Browser Helper Objects:
[06/03/2008, 22:09:51] - BHO 1: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[06/03/2008, 22:09:51] - BHO 2: {839099f8-8e6d-4a57-ab5a-cae1b4e2b8c2} ()
[06/03/2008, 22:09:51] - WARNING: BHO has no default name. Checking for Winlogon reference.
[06/03/2008, 22:09:51] - Checking for HKLM\...\Winlogon\Notify\cedxtfce
[06/03/2008, 22:09:51] - Key not found: HKLM\...\Winlogon\Notify\cedxtfce, continuing.
[06/03/2008, 22:09:51] - BHO 3: {A819B89D-97F7-44ED-B5E0-2A36D204322A} ()
[06/03/2008, 22:09:51] - WARNING: BHO has no default name. Checking for Winlogon reference.
[06/03/2008, 22:09:51] - Checking for HKLM\...\Winlogon\Notify\mlJDSklK
[06/03/2008, 22:09:51] - Key not found: HKLM\...\Winlogon\Notify\mlJDSklK, continuing.
[06/03/2008, 22:09:51] - BHO 4: {CC7E636D-39AA-49b6-B511-65413DA137A1} (IE Developer Toolbar BHO)
[06/03/2008, 22:09:51] - Finished Searching Browser Helper Objects
[06/03/2008, 22:09:51] - Finishing up...
[06/03/2008, 22:09:51] - Nothing found! Exiting...


#2 jcutrono

  • Topic Starter
  • Members
  • 2 posts

Posted 03 June 2008 - 10:00 PM

Ran VundoFix again:

VundoFix V7.0.5

Scan started at 9:41:12 PM 6/3/2008

Listing files found while scanning....

C:\Program Files\PowerISO\PWRISOSH.DLL

Beginning removal...

Attempting to delete C:\Program Files\PowerISO\PWRISOSH.DLL
C:\Program Files\PowerISO\PWRISOSH.DLL Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V7.0.5

Scan started at 9:58:58 PM 6/3/2008

Listing files found while scanning....

No infected files were found.


++++++++++++++++++++++++++++++++

And then I ran ComboFix, and that fixed everything! Thanks

ComboFix 08-06-03.1 - Desktop 2008-06-03 22:38:29.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1484 [GMT -4:00]
Running from: C:\Documents and Settings\Desktop\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\BM4f89b84b.xml
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\betyhvdx.ini
C:\WINDOWS\system32\cedxtfce.dll
C:\WINDOWS\system32\jmelljnm.ini
C:\WINDOWS\system32\jxhffvkc.exe
C:\WINDOWS\system32\KlkSDJlm.ini
C:\WINDOWS\system32\KlkSDJlm.ini2
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\mlJDSklK.dll
C:\WINDOWS\system32\mnjllemj.dll
C:\WINDOWS\system32\pdpfopli.dll
C:\WINDOWS\system32\qdfragcv.dll
C:\WINDOWS\system32\yqmcrqgw.dll

.
((((((((((((((((((((((((( Files Created from 2008-05-04 to 2008-06-04 )))))))))))))))))))))))))))))))
.

2008-06-03 22:18 . 2008-06-03 22:18 <DIR> d-------- C:\Program Files\Trend Micro
2008-06-03 21:44 . 2008-06-03 21:44 24,576 --a------ C:\WINDOWS\system32\VundoFixSVC.exe
2008-06-03 21:41 . 2008-06-03 21:58 <DIR> d-------- C:\VundoFix Backups
2008-06-03 21:32 . 2008-06-03 21:40 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-06-01 21:39 . 2008-06-01 21:39 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\FLEXnet
2008-06-01 20:56 . 2008-06-01 20:56 58,880 --a------ C:\WINDOWS\system32\rqRHwVME.dll
2008-06-01 20:56 . 2008-06-01 20:56 58,880 --a------ C:\WINDOWS\system32\qoMghfDS.dll.vir
2008-06-01 20:56 . 2008-06-01 20:56 58,880 --a------ C:\WINDOWS\system32\khfdaBsS.dll
2008-05-31 18:36 . 2008-05-31 18:36 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-05-29 18:39 . 2008-05-29 18:39 <DIR> d-------- C:\Documents and Settings\Desktop\Application Data\Canon
2008-05-29 18:32 . 2008-05-29 18:32 <DIR> d-------- C:\Program Files\Canon
2008-05-29 18:30 . 2008-05-29 18:30 <DIR> d-------- C:\Program Files\Common Files\ScanSoft Shared
2008-05-29 18:30 . 2008-05-29 18:30 <DIR> d-------- C:\Documents and Settings\Desktop\Application Data\ScanSoft
2008-05-29 18:30 . 2008-05-29 18:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ScanSoft
2008-05-29 18:30 . 2008-05-29 18:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\InstallShield
2008-05-29 18:30 . 2008-05-29 18:30 416 --a------ C:\WINDOWS\MAXLINK.INI
2008-05-29 18:29 . 2008-05-29 18:29 <DIR> d-------- C:\Program Files\ScanSoft
2008-05-29 18:28 . 2008-05-29 18:28 <DIR> d-------- C:\Program Files\ArcSoft
2008-05-29 18:28 . 1995-07-31 13:44 212,480 --a------ C:\WINDOWS\PCDLIB32.DLL
2008-05-29 18:27 . 2008-05-29 18:27 <DIR> d--h----- C:\CanoScan
2008-05-29 18:27 . 2005-06-23 22:17 352,256 --a------ C:\WINDOWS\system32\CNQL1213.DLL
2008-05-29 18:27 . 2005-02-28 13:20 57,344 --a------ C:\WINDOWS\system32\CNQU110.DLL
2008-05-14 21:07 . 2008-05-14 21:07 <DIR> d-------- C:\Program Files\Cobian Backup 9
2008-05-13 16:52 . 2008-06-03 22:27 <DIR> d-------- C:\Program Files\Mozilla Firefox 3 Beta 5
2008-05-13 16:08 . 2008-05-13 16:08 <DIR> d-------- C:\WINDOWS\system32\scripting
2008-05-13 16:08 . 2008-05-13 16:08 <DIR> d-------- C:\WINDOWS\system32\en
2008-05-13 16:08 . 2008-05-13 16:08 <DIR> d-------- C:\WINDOWS\l2schemas

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-04 01:45 --------- d-----w C:\Program Files\PowerISO
2008-06-03 03:39 --------- d-----w C:\Program Files\Common Files\Adobe
2008-06-02 22:03 --------- d-----w C:\Program Files\Mozilla Thunderbird
2008-05-31 22:26 --------- d-----w C:\Program Files\PeerGuardian2
2008-05-30 02:09 --------- d-----w C:\Program Files\Starcraft
2008-05-30 00:01 --------- d-----w C:\Documents and Settings\Desktop\Application Data\Skype
2008-05-29 22:32 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-29 22:30 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-05-20 16:34 --------- d-----w C:\Program Files\Microsoft Silverlight
2008-05-03 23:20 --------- d-----w C:\Program Files\Investintech.com Inc
2008-05-03 23:17 --------- d-----w C:\Program Files\pdf995
2008-04-23 02:41 --------- d-----w C:\Documents and Settings\Desktop\Application Data\vlc
2008-04-23 02:39 --------- d-----w C:\Program Files\VideoLAN
2008-04-14 00:13 40,840 ------w C:\WINDOWS\system32\drivers\termdd.sys
2008-04-14 00:13 21,896 ------w C:\WINDOWS\system32\drivers\tdtcp.sys
2008-04-14 00:13 139,656 ------w C:\WINDOWS\system32\drivers\rdpwd.sys
2008-04-14 00:13 12,040 ------w C:\WINDOWS\system32\drivers\tdpipe.sys
2008-04-14 00:12 69,120 ----a-w C:\WINDOWS\notepad.exe
2008-04-14 00:12 50,688 ----a-w C:\WINDOWS\twain_32.dll
2008-04-14 00:12 32,866 ------w C:\WINDOWS\slrundll.exe
2008-04-14 00:12 3,901 ------w C:\WINDOWS\system32\drivers\siint5.dll
2008-04-14 00:12 283,648 ----a-w C:\WINDOWS\winhlp32.exe
2008-04-14 00:12 146,432 ----a-w C:\WINDOWS\regedit.exe
2008-04-14 00:12 11,325 ------w C:\WINDOWS\system32\drivers\vchnt5.dll
2008-04-14 00:12 10,752 ----a-w C:\WINDOWS\hh.exe
2008-04-14 00:12 1,033,728 ----a-w C:\WINDOWS\explorer.exe
2008-04-13 19:28 175,744 ------w C:\WINDOWS\system32\drivers\rdbss.sys
2008-04-13 19:21 162,816 ------w C:\WINDOWS\system32\drivers\netbt.sys
2008-04-13 19:20 91,520 ------w C:\WINDOWS\system32\drivers\ndiswan.sys
2008-04-13 19:20 361,344 ------w C:\WINDOWS\system32\drivers\tcpip.sys
2008-04-13 19:20 182,656 ------w C:\WINDOWS\system32\drivers\ndis.sys
2008-04-13 19:19 75,264 ------w C:\WINDOWS\system32\drivers\ipsec.sys
2008-04-13 19:19 51,328 ------w C:\WINDOWS\system32\drivers\rasl2tp.sys
2008-04-13 19:19 48,384 ------w C:\WINDOWS\system32\drivers\raspptp.sys
2008-04-13 19:19 146,048 ----a-w C:\WINDOWS\system32\drivers\portcls.sys
2008-04-13 19:19 138,112 ------w C:\WINDOWS\system32\drivers\afd.sys
2008-04-13 19:18 52,480 ------w C:\WINDOWS\system32\drivers\i8042prt.sys
2008-04-13 19:17 83,072 ------w C:\WINDOWS\system32\drivers\wdmaud.sys
2008-04-13 19:17 456,576 ------w C:\WINDOWS\system32\drivers\mrxsmb.sys
2008-04-13 19:17 105,344 ------w C:\WINDOWS\system32\drivers\mup.sys
2008-04-13 19:16 49,536 ------w C:\WINDOWS\system32\drivers\classpnp.sys
2008-04-13 19:16 141,056 ----a-w C:\WINDOWS\system32\drivers\ks.sys
2008-04-13 19:15 64,512 ------w C:\WINDOWS\system32\drivers\serial.sys
2008-04-13 19:15 60,800 ------w C:\WINDOWS\system32\drivers\sysaudio.sys
2008-04-13 19:15 574,976 ------w C:\WINDOWS\system32\drivers\ntfs.sys
2008-04-13 19:15 334,848 ------w C:\WINDOWS\system32\drivers\srv.sys
2008-04-13 19:14 63,744 ------w C:\WINDOWS\system32\drivers\cdfs.sys
2008-04-13 19:14 143,744 ------w C:\WINDOWS\system32\drivers\fastfat.sys
2008-04-13 19:00 30,080 ------w C:\WINDOWS\system32\drivers\modem.sys
2008-04-13 19:00 225,664 ------w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-04-13 19:00 19,072 ------w C:\WINDOWS\system32\drivers\tdi.sys
2008-04-13 18:57 41,472 ------w C:\WINDOWS\system32\drivers\raspppoe.sys
2008-04-13 18:57 40,576 ------w C:\WINDOWS\system32\drivers\ndproxy.sys
2008-04-13 18:57 34,560 ------w C:\WINDOWS\system32\drivers\wanarp.sys
2008-04-13 18:57 20,864 ------w C:\WINDOWS\system32\drivers\ipinip.sys
2008-04-13 18:57 152,832 ------w C:\WINDOWS\system32\drivers\ipnat.sys
2008-04-13 18:57 14,336 ------w C:\WINDOWS\system32\drivers\asyncmac.sys
2008-04-13 18:57 10,112 ------w C:\WINDOWS\system32\drivers\ndistapi.sys
2008-04-13 18:56 88,320 ------w C:\WINDOWS\system32\drivers\nwlnkipx.sys
2008-04-13 18:56 69,120 ------w C:\WINDOWS\system32\drivers\psched.sys
2008-04-13 18:56 35,072 ------w C:\WINDOWS\system32\drivers\msgpc.sys
2008-04-13 18:56 34,688 ------w C:\WINDOWS\system32\drivers\netbios.sys
2008-04-13 18:56 30,592 ------w C:\WINDOWS\system32\drivers\rndismpx.sys
2008-04-13 18:56 30,592 ------w C:\WINDOWS\system32\drivers\rndismp.sys
2008-04-13 18:56 12,800 ------w C:\WINDOWS\system32\drivers\usb8023x.sys
2008-04-13 18:56 12,800 ------w C:\WINDOWS\system32\drivers\usb8023.sys
2008-04-13 18:56 12,288 ------w C:\WINDOWS\system32\drivers\tunmp.sys
2008-04-13 18:55 202,624 ------w C:\WINDOWS\system32\drivers\rmcast.sys
2008-04-13 18:55 14,592 ------w C:\WINDOWS\system32\drivers\ndisuio.sys
2008-04-13 18:54 11,264 ------w C:\WINDOWS\system32\drivers\irenum.sys
2008-04-13 18:53 71,552 ------w C:\WINDOWS\system32\drivers\bridge.sys
2008-04-13 18:53 40,320 ------w C:\WINDOWS\system32\drivers\nmnt.sys
2008-04-13 18:53 36,608 ------w C:\WINDOWS\system32\drivers\ip6fw.sys
2008-04-13 18:53 264,832 ------w C:\WINDOWS\system32\drivers\http.sys
2008-04-13 18:51 61,824 ------w C:\WINDOWS\system32\drivers\nic1394.sys
2008-04-13 18:51 60,800 ------w C:\WINDOWS\system32\drivers\arp1394.sys
2008-04-13 18:51 59,904 ------w C:\WINDOWS\system32\drivers\atmarpc.sys
2008-04-13 18:51 55,808 ------w C:\WINDOWS\system32\drivers\atmlane.sys
2008-04-13 18:51 101,120 ------w C:\WINDOWS\system32\drivers\bthpan.sys
2008-04-13 18:47 25,856 ------w C:\WINDOWS\system32\drivers\usbprint.sys
2008-04-13 18:46 59,136 ------w C:\WINDOWS\system32\drivers\rfcomm.sys
2008-04-13 18:46 37,888 ------w C:\WINDOWS\system32\drivers\bthmodem.sys
2008-04-13 18:46 36,480 ------w C:\WINDOWS\system32\drivers\bthprint.sys
2008-04-13 18:46 273,024 ------w C:\WINDOWS\system32\drivers\bthport.sys
2008-04-13 18:46 25,600 ------w C:\WINDOWS\system32\drivers\hidbth.sys
2008-04-13 18:46 25,344 ------w C:\WINDOWS\system32\drivers\sonydcam.sys
2008-04-13 18:46 18,944 ------w C:\WINDOWS\system32\drivers\bthusb.sys
2008-04-13 18:46 17,024 ------w C:\WINDOWS\system32\drivers\bthenum.sys
2008-04-13 18:46 121,984 ------w C:\WINDOWS\system32\drivers\usbvideo.sys
2008-04-13 18:44 81,664 ------w C:\WINDOWS\system32\drivers\videoprt.sys
2008-04-13 18:44 799,744 ------w C:\WINDOWS\system32\drivers\dmboot.sys
2008-04-13 18:44 20,992 ------w C:\WINDOWS\system32\drivers\vga.sys
2008-04-13 18:44 153,344 ------w C:\WINDOWS\system32\drivers\dmio.sys
2008-04-13 18:43 14,208 ------w C:\WINDOWS\system32\drivers\wacompen.sys
2008-04-13 18:43 12,672 ------w C:\WINDOWS\system32\drivers\mutohpen.sys
2008-04-13 18:41 52,352 ------w C:\WINDOWS\system32\drivers\volsnap.sys
2008-04-13 18:39 92,544 ------w C:\WINDOWS\system32\drivers\mqac.sys
2008-04-13 18:39 7,552 ------w C:\WINDOWS\system32\drivers\mskssrv.sys
2008-04-13 18:39 5,376 ------w C:\WINDOWS\system32\drivers\mspclock.sys
2008-04-13 18:39 42,368 ------w C:\WINDOWS\system32\drivers\mountmgr.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\1TortoiseSVN]
@={30351346-7B7D-4FCC-81B4-1E394CA267EB}

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\2TortoiseSVN]
@={30351347-7B7D-4FCC-81B4-1E394CA267EB}

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\3TortoiseSVN]
@={30351348-7B7D-4FCC-81B4-1E394CA267EB}

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\4TortoiseSVN]
@={3035134B-7B7D-4FCC-81B4-1E394CA267EB}

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\5TortoiseSVN]
@={3035134C-7B7D-4FCC-81B4-1E394CA267EB}

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\6TortoiseSVN]
@={3035134D-7B7D-4FCC-81B4-1E394CA267EB}

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\7TortoiseSVN]
@={3035134E-7B7D-4FCC-81B4-1E394CA267EB}

[HKEY_CLASSES_ROOT\CLSID\{30351346-7B7D-4FCC-81B4-1E394CA267EB}]
2008-01-05 15:03 536576 --a------ C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll

[HKEY_CLASSES_ROOT\CLSID\{30351347-7B7D-4FCC-81B4-1E394CA267EB}]
2008-01-05 15:03 536576 --a------ C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll

[HKEY_CLASSES_ROOT\CLSID\{30351348-7B7D-4FCC-81B4-1E394CA267EB}]
2008-01-05 15:03 536576 --a------ C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll

[HKEY_CLASSES_ROOT\CLSID\{3035134B-7B7D-4FCC-81B4-1E394CA267EB}]
2008-01-05 15:03 536576 --a------ C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll

[HKEY_CLASSES_ROOT\CLSID\{3035134C-7B7D-4FCC-81B4-1E394CA267EB}]
2008-01-05 15:03 536576 --a------ C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll

[HKEY_CLASSES_ROOT\CLSID\{3035134D-7B7D-4FCC-81B4-1E394CA267EB}]
2008-01-05 15:03 536576 --a------ C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll

[HKEY_CLASSES_ROOT\CLSID\{3035134E-7B7D-4FCC-81B4-1E394CA267EB}]
2008-01-05 15:03 536576 --a------ C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 20:12 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-10-04 18:14 8491008]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-05-11 10:08 29744]
"nwiz"="nwiz.exe" [2007-10-04 18:14 1626112 C:\WINDOWS\system32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 02:01 437160]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.ivimp3en"= ivimp3en.acm

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2008-04-13 20:12 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2007-10-04 18:14 8491008 C:\WINDOWS\system32\NvCpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2007-10-04 18:14 81920 C:\WINDOWS\system32\NvMcTray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
--a------ 2005-07-22 15:00 81920 C:\WINDOWS\SOUNDMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2006-07-26 03:03 49263 C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
--a------ 2006-11-03 19:20 866584 C:\Program Files\Windows Defender\MSASCui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
--------- 2006-10-18 21:05 204288 C:\Program Files\Windows Media Player\WMPNSCFG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"C:\\Program Files\\Macromedia\\Fireworks MX\\Fireworks.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\BitTorrent\\bittorrent.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R2 memcached Server;memcached Server;"C:\Documents and Settings\Desktop\Desktop\memcached-1.2.1-win32\memcached.exe" -d runservice []
R2 zumbus;Zune Bus Enumerator Driver;C:\WINDOWS\system32\DRIVERS\zumbus.sys [2008-01-11 18:39]
R2 ZuneBusEnum;Zune Bus Enumerator;C:\WINDOWS\system32\ZuneBusEnum.exe [2008-01-11 18:54]
S3 GoogleDesktopManager-022208-143751;Google Desktop Manager 5.7.802.22438;"C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-05-11 10:08]
S3 wampapache;wampapache;"c:\wamp\bin\apache\apache2.2.8\bin\httpd.exe" -k runservice []
S3 wampmysqld;wampmysqld;c:\wamp\bin\mysql\mysql5.0.51a\bin\mysqld-nt.exe wampmysqld []
S3 ZuneWlanCfgSvc;Zune Wireless Configuration Service;C:\WINDOWS\system32\ZuneWlanCfgSvc.exe [2008-01-11 18:54]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\SETUP.EXE

.
Contents of the 'Scheduled Tasks' folder
"2008-06-04 02:45:47 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-03 22:43:03
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\WINDOWS\system32\rundll32.exe
.
**************************************************************************
.
Completion time: 2008-06-03 22:46:41 - machine was rebooted
ComboFix-quarantined-files.txt 2008-06-04 02:46:38

Pre-Run: 49,286,397,952 bytes free
Post-Run: 49,204,563,968 bytes free

267 --- E O F --- 2008-05-31 22:36:29

#3 pskelley

  • Staff Emeritus
  • 1,487 posts

Posted 14 June 2008 - 06:54 PM

Welcome to Bleeping Computer. Please be sure you have read and followed the Preparation Guide For Use Before Posting A HijackThis Log (instructions for receiving help in cleaning your computer): http://www.bleepingcomputer.com/forums/t/34773/preparation-guide-for-use-before-using-malware-removal-tools-and-requesting-help/
All advice given is taken at your own risk.

I apologize for the wait. If your issues are not resolved, read the instructions posted above and then follow the directions below. If you no longer need help, I would appreciate a quick post letting me know so I can close your topic.

Please read the instructions and the Forum Guidelines at the top of this page; then, if you are still having malware issues, post a new HijackThis log using Add Reply.

Thanks
MS-MVP Windows Security 2007-08
Proud Member ASAP
UNITE Member 2006

#4 pskelley

  • Staff Emeritus
  • 1,487 posts

Posted 23 June 2008 - 03:49 PM

There has been no response to this topic in a week.
This topic is closed.
Thanks...pskelley
BleepingComputer
MS-MVP Windows Security 2007-08
Proud Member ASAP
UNITE Member 2006
