Virtumundo


This topic is locked. 2 replies to this topic.

#1 Zulu1959

  • Members
  • 1 posts

Posted 07 June 2008 - 11:32 AM

Hello,

Symantec Endpoint Protection keeps popping up with "Virtumundo activity detected". I scanned my computer with Symantec Endpoint Protection and it found nothing! I then scanned my computer with Spybot Search & Destroy, which found Virtumundo. I then had Spybot Search & Destroy fix the exploit; however, each time that I re-boot my computer and scan with Spybot Search & Destroy it finds Virtumundo again. This has happened six or seven times today.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:17:24, on 07.06.2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Creative\Shared Files\CTAudSvc.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\T Clock\tclock.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Downloads\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Jamie.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.bbc.co.uk/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Favorites
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1BC1DFD2-2067-4563-AC41-88E605DF2B75} - C:\WINDOWS\system32\yayyXNEu.dll (file missing)
O2 - BHO: (no name) - {1D5A4860-4422-46BD-A36A-15D7FD7841A5} - C:\WINDOWS\system32\byXOhFvv.dll (file missing)
O2 - BHO: (no name) - {449A975A-7A91-4320-A2B9-7F05D05F4F15} - C:\WINDOWS\system32\rqRKbayy.dll (file missing)
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: (no name) - {BD3C6F7C-6C8D-48F6-AC52-5E4071AEB257} - C:\WINDOWS\system32\tuvVPgFX.dll
O2 - BHO: (no name) - {EECC3475-F4FD-4831-96F4-17E2B155B413} - C:\WINDOWS\system32\opnnoolm.dll (file missing)
O2 - BHO: (no name) - {FFFFFEF0-5B30-21D4-945D-000000000000} - C:\PROGRA~1\STARDO~1\SDIEInt.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\RunOnce: [Spybot - Search & Destroy] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKLM\..\RunOnce: [SpybotDeletingA5366] command /c del "C:\WINDOWS\system32\byXOhFvv.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC1385] cmd /c del "C:\WINDOWS\system32\byXOhFvv.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingA3124] command /c del "C:\WINDOWS\system32\opnnoolm.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC2069] cmd /c del "C:\WINDOWS\system32\opnnoolm.dll_old"
O4 - Global Startup: tclock.lnk = C:\Program Files\T Clock\tclock.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\ieSpell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\ieSpell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Download with Star Downloader - C:\Program Files\Star Downloader\sdie.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/softwareupdate/su/...031/CTSUEng.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownlo.../sysreqlab2.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1189801760562
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/softwareupdate/su/...15034/CTPID.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{51639724-B9B3-429A-B2BD-3B0952A4F03D}: NameServer = 212.77.192.60 212.77.192.59
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll (file missing)
O20 - AppInit_DLLs: interceptor.dll
O20 - Winlogon Notify: tuvVPgFX - C:\WINDOWS\SYSTEM32\tuvVPgFX.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Creative Audio Service (CTAudSvcService) - Creative Technology Ltd - C:\Program Files\Creative\Shared Files\CTAudSvc.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logitech\Bluetooth\LBTServ.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Microsoft Office Groove Audit Service - Unknown owner - C:\Program Files\Microsoft Office\Office12\GrooveAuditService.exe (file missing)
O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Symantec Management Client (SmcService) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
O23 - Service: Symantec Network Access Control (SNAC) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\SNAC.EXE
O23 - Service: Symantec Endpoint Protection (Symantec AntiVirus) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 9708 bytes

-- File Associations -----------------------------------------------------------

.cpl - cplfile - shell\cplopen\command - rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.cpl - cplfile - shell\runas\command - rundll32.exe shell32.dll,Control_RunDLLAsUser "%1",%*


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R3 alcan5wn (SpeedTouch USB ADSL PPP Networking Driver (NDISWAN)) - c:\windows\system32\drivers\alcan5wn.sys <Not Verified; THOMSON; SpeedTouch USB>

S0 cercsr6 - c:\windows\system32\drivers\cercsr6.sys <Not Verified; Adaptec, Inc.; Dell RAID Controller>
S3 grmnusb - c:\windows\system32\drivers\grmnusb.sys <Not Verified; GARMIN Corp.; Garmin USB GPS>
S3 STHDA (SigmaTel High Definition Audio CODEC) - c:\windows\system32\drivers\sthda.sys (file missing)
S3 tapvpn (TAP VPN Adapter) - c:\windows\system32\drivers\tapvpn.sys <Not Verified; The OpenVPN Project; TAP-Win32 Virtual Network Driver>
S3 TVICHW32 - c:\windows\system32\drivers\tvichw32.sys <Not Verified; EnTech Taiwan; TVicHW32 Generic Device Driver for Windows 95/98/ME/NT/2000/2003/XP/XP64>
S3 usbsermpt (Motorola USB Modem Driver for MPT) - c:\windows\system32\drivers\usbsermpt.sys <Not Verified; Microsoft Corporation; Microsoft® Windows ® 2000 Operating System>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 CTAudSvcService (Creative Audio Service) - c:\program files\creative\shared files\ctaudsvc.exe <Not Verified; Creative Technology Ltd; Creative Audio Service>

S3 FLEXnet Licensing Service - "c:\program files\common files\macrovision shared\flexnet publisher\fnplicensingservice.exe" <Not Verified; Macrovision Europe Ltd.; FLEXnet Publisher (32 bit)>
S3 Microsoft Office Groove Audit Service - "c:\program files\microsoft office\office12\grooveauditservice.exe" (file missing)
S3 nTuneService (nTune Service) - c:\program files\nvidia corporation\ntune\ntuneservice.exe /startservice <Not Verified; NVIDIA; NVIDIA nTune>


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Broadcom NetXtreme 57xx Gigabit Controller
Device ID: PCI\VEN_14E4&DEV_1677&SUBSYS_02071028&REV_21\4&3601BAE0&0&0028
Manufacturer: Broadcom
Name: Broadcom NetXtreme 57xx Gigabit Controller
PNP Device ID: PCI\VEN_14E4&DEV_1677&SUBSYS_02071028&REV_21\4&3601BAE0&0&0028
Service: b57w2k

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: 1394 Net Adapter
Device ID: V1394\NIC1394\C3DF390080B91900
Manufacturer: Microsoft
Name: 1394 Net Adapter
PNP Device ID: V1394\NIC1394\C3DF390080B91900
Service: NIC1394


-- Files created between 2008-05-07 and 2008-06-07 -----------------------------

2008-06-07 17:22:53 0 d------c- C:\Program Files\Trend Micro
2008-06-07 16:17:00 0 dr-h---c- C:\Documents and Settings\Jamie\Recent
2008-06-07 15:59:58 1160 --ahs--c- C:\WINDOWS\system32\vvFhOXyb.ini2
2008-06-07 12:58:49 3812 --ahs--c- C:\WINDOWS\system32\mloonnpo.ini2
2008-06-06 20:28:08 893 --ahs--c- C:\WINDOWS\system32\uENXyyay.ini2
2008-06-06 19:10:43 8607 --ahs--c- C:\WINDOWS\system32\yyabKRqr.ini2
2008-06-04 19:09:04 59392 --a----c- C:\WINDOWS\system32\xxyawtrR.dll
2008-06-04 19:07:13 59392 --a----c- C:\WINDOWS\system32\xxyxUmKE.dll
2008-06-04 19:07:00 59392 --a----c- C:\WINDOWS\system32\tuvvtqoM.dll
2008-06-04 19:06:12 59392 --a----c- C:\WINDOWS\system32\geBstrrr.dll
2008-06-04 19:05:56 59392 --a----c- C:\WINDOWS\system32\tuvVPhHy.dll
2008-06-04 19:05:10 59392 --a----c- C:\WINDOWS\system32\ljJBrSmJ.dll
2008-06-04 19:03:38 59392 --a----c- C:\WINDOWS\system32\byXQgHwv.dll
2008-06-04 19:02:09 59392 --a----c- C:\WINDOWS\system32\iifdbCut.dll
2008-06-04 19:01:00 0 d------c- C:\Program Files\DFX
2008-06-04 19:00:40 59392 --a----c- C:\WINDOWS\system32\tuvVPgFX.dll
2008-06-04 18:36:23 164352 --a----c- C:\WINDOWS\system32\unrar.dll
2008-06-04 18:36:21 0 d------c- C:\Program Files\K-Lite Codec Pack
2008-06-02 19:57:40 0 d------c- C:\Documents and Settings\All Users\Application Data\DFX
2008-06-02 19:57:39 0 d------c- C:\Program Files\Common Files\DFX
2008-06-02 00:06:39 1599488 ---hs--c- C:\DownloadsMfJ8A4_cfdg.exe
2008-06-02 00:01:52 1599488 ---hs--c- C:\DownloadsRcC6Ja_cfdg.exe
2008-05-31 22:45:42 0 d------c- C:\WINDOWS\Downloaded Installations
2008-05-30 09:42:41 0 d--h---c- C:\Program Files\InstallShield Installation Information
2008-05-24 21:56:51 0 d-a----c- C:\Documents and Settings\All Users\Application Data\TEMP
2008-05-20 14:37:12 0 d------c- C:\Documents and Settings\Jamie\Application Data\Uniblue
2008-05-20 14:37:09 0 d------c- C:\Program Files\Uniblue
2008-05-20 00:41:49 1599488 ---hs--c- C:\DownloadsYvC66v_cfdg.exe
2008-05-19 00:50:57 1599488 ---hs--c- C:\DownloadsCgR6An_cfdg.exe
2008-05-19 00:45:28 1599488 ---hs--c- C:\DownloadsDrr25k_cfdg.exe
2008-05-19 00:29:00 0 d------c- C:\WINDOWS\Applian FLV Player
2008-05-19 00:19:36 0 d------c- C:\Program Files\FDRLab
2008-05-18 16:53:38 0 d------c- C:\Documents and Settings\Jamie\Application Data\Nero
2008-05-18 16:50:28 368640 --a----c- C:\WINDOWS\system32\TwnLib4.dll <Not Verified; Pegasus Imaging Corporation; TwnLib4 - TwainPRO v4.0 - Utility Library>
2008-05-18 16:50:28 802816 --a----c- C:\WINDOWS\system32\imagXRA7.dll <Not Verified; Pegasus Imaging Corp.; ImagXpress7>
2008-05-18 16:50:28 258048 --a----c- C:\WINDOWS\system32\imagXR7.dll <Not Verified; Pegasus Imaging Corp.; ImagXpress7>
2008-05-18 16:50:28 1757184 --a----c- C:\WINDOWS\system32\imagX7.dll <Not Verified; Pegasus Imaging Corp.; ImagXpress7>
2008-05-18 16:50:27 0 d------c- C:\Program Files\Nero
2008-05-18 16:50:27 0 d------c- C:\Program Files\Common Files\Nero
2008-05-17 14:57:42 0 d------c- C:\Documents and Settings\Jamie\Application Data\SolSuite
2008-05-17 14:57:42 0 d------c- C:\Documents and Settings\All Users\Application Data\TreeCardGames
2008-05-14 16:49:33 0 d------c- C:\WINDOWS\nvidia icons
2008-05-14 16:40:20 0 d------c- C:\Program Files\SystemRequirementsLab
2008-05-14 16:39:26 0 d------c- C:\Documents and Settings\Jamie\Application Data\SystemRequirementsLab
2008-05-11 00:39:45 0 d------c- C:\WINDOWS\Prefetch
2008-05-11 00:34:47 0 d------c- C:\WINDOWS\system32\scripting
2008-05-11 00:34:46 0 d------c- C:\WINDOWS\system32\en
2008-05-11 00:34:46 0 d------c- C:\WINDOWS\system32\bits
2008-05-11 00:34:46 0 d------c- C:\WINDOWS\l2schemas
2008-05-11 00:32:59 0 d------c- C:\WINDOWS\ServicePackFiles
2008-05-11 00:03:37 0 d------c- C:\Documents and Settings\All Users\Desktop


-- Find3M Report ---------------------------------------------------------------

2008-06-06 19:20:22 0 d------c- C:\Program Files\SpywareBlaster
2008-06-06 08:54:06 0 d------c- C:\Documents and Settings\Jamie\Application Data\uTorrent
2008-06-05 18:28:22 0 d------c- C:\Documents and Settings\Jamie\Application Data\Skype
2008-06-04 22:20:12 4212 --ah---c- C:\WINDOWS\system32\zllictbl.dat
2008-06-03 00:24:08 0 d------c- C:\Documents and Settings\Jamie\Application Data\LimeWire
2008-06-02 19:57:39 0 d------c- C:\Program Files\Common Files
2008-05-19 23:49:08 0 d------c- C:\Program Files\Microsoft Silverlight
2008-05-18 16:03:39 0 d------c- C:\Program Files\Star Downloader
2008-05-17 15:00:48 0 d------c- C:\Program Files\SolSuite
2008-05-11 00:34:47 0 d--h---c- C:\Program Files\movie maker
2008-05-11 00:32:49 0 d--h---c- C:\Program Files\Windows NT
2008-05-03 10:49:02 0 d------c- C:\Program Files\Eraser
2008-05-03 10:39:44 0 d------c- C:\Program Files\Google
2008-05-02 22:46:00 1630208 --a----c- C:\WINDOWS\system32\nwiz.exe
2008-05-02 22:46:00 1019904 --a----c- C:\WINDOWS\system32\nvwimg.dll
2008-05-02 22:46:00 1703936 --a----c- C:\WINDOWS\system32\nvwdmcpl.dll
2008-05-02 22:46:00 466944 --a----c- C:\WINDOWS\system32\nvshell.dll
2008-05-02 22:46:00 1486848 --a----c- C:\WINDOWS\system32\nview.dll
2008-05-02 22:46:00 1339392 --a----c- C:\WINDOWS\system32\nvdspsch.exe
2008-05-02 22:46:00 442368 --a----c- C:\WINDOWS\system32\nvappbar.exe
2008-05-02 22:46:00 425984 --a----c- C:\WINDOWS\system32\keystone.exe
2008-04-19 10:55:50 0 d------c- C:\Program Files\Garmin
2008-04-19 09:54:05 0 d------c- C:\Program Files\Common Files\xing shared
2008-04-19 09:54:03 0 d------c- C:\Program Files\Common Files\Real
2008-04-16 20:16:55 0 d------c- C:\Program Files\Java
2008-04-15 00:13:49 0 d------c- C:\Program Files\Intel
2008-04-14 19:14:15 0 d------c- C:\Program Files\Common Files\Symantec Shared
2008-04-14 19:13:28 0 d------c- C:\Program Files\Symantec
2008-04-09 19:13:49 0 d------c- C:\Program Files\Diskeeper Corporation
2008-04-03 00:36:18 413696 --a----c- C:\WINDOWS\system32\wrap_oal.dll <Not Verified; Creative Labs; Creative Labs OpenAL32>
2008-04-03 00:36:18 110592 --a----c- C:\WINDOWS\system32\OpenAL32.dll <Not Verified; Portions © Creative Labs Inc. and NVIDIA Corp.; Standard OpenAL™ Library>
2008-03-22 19:42:18 0 --a----c- C:\WINDOWS\nsreg.dat
2008-03-20 22:16:51 203776 --a----c- C:\WINDOWS\system32\clrviddc.dll <Not Verified; Iterated Systems, Inc.; ClearVideo Decoder DLL>


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1BC1DFD2-2067-4563-AC41-88E605DF2B75}]
C:\WINDOWS\system32\yayyXNEu.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1D5A4860-4422-46BD-A36A-15D7FD7841A5}]
C:\WINDOWS\system32\byXOhFvv.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{449A975A-7A91-4320-A2B9-7F05D05F4F15}]
C:\WINDOWS\system32\rqRKbayy.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BD3C6F7C-6C8D-48F6-AC52-5E4071AEB257}]
04.06.2008 19:00 59392 --a--c--- C:\WINDOWS\system32\tuvVPgFX.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EECC3475-F4FD-4831-96F4-17E2B155B413}]
C:\WINDOWS\system32\opnnoolm.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [02.04.2008 21:07]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [01.02.2008 01:25]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce]
"Spybot - Search & Destroy"="C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
"SpybotDeletingA5366"=command /c del "C:\WINDOWS\system32\byXOhFvv.dll_old"
"SpybotDeletingC1385"=cmd /c del "C:\WINDOWS\system32\byXOhFvv.dll_old"
"SpybotDeletingA3124"=command /c del "C:\WINDOWS\system32\opnnoolm.dll_old"
"SpybotDeletingC2069"=cmd /c del "C:\WINDOWS\system32\opnnoolm.dll_old"

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
tclock.lnk - C:\Program Files\T Clock\tclock.exe [9/14/2007 7:28:57 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSaveSettings"=0 (0x0)
"NoSharedDocuments"=1 (0x1)
"NoLowDiskSpaceChecks"=0 (0x0)
"StartMenuLogoff"=1 (0x1)
"NoChangeStartMenu"=0 (0x0)
"ClearRecentDocsOnExit"=1 (0x1)
"NoRecentDocsHistory"=1 (0x1)
"MaxRecentDocs"=11 (0xb)
"NoStartMenuMFUprogramsList"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{BD3C6F7C-6C8D-48F6-AC52-5E4071AEB257}"= C:\WINDOWS\system32\tuvVPgFX.dll [04.06.2008 19:00 59392]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\dimsntfy]
C:\WINDOWS\System32\dimsntfy.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
c:\program files\common files\logitech\bluetooth\LBTWlgn.dll 02.05.2008 02:42 72208 c:\Program Files\Common Files\Logitech\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tuvVPgFX]
tuvVPgFX.dll 04.06.2008 19:00 59392 C:\WINDOWS\system32\tuvVPgFX.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=interceptor.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\byXOhFvv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antvirus]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs BthServ
eapsvcs eaphost
dot3svc dot3svc

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
napagent
hkmsvc


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{977508d7-ba53-11dc-b745-0090d09db8b9}]
AutoRun\command- N:\USBNB.exe




-- Hosts -----------------------------------------------------------------------

127.0.0.1 babe.the-killer.bz
127.0.0.1 www.babe.the-killer.bz
127.0.0.1 babe.k-lined.com
127.0.0.1 www.babe.k-lined.com
127.0.0.1 did.i-used.cc
127.0.0.1 www.did.i-used.cc
127.0.0.1 coolwwwsearch.com
127.0.0.1 www.coolwwwsearch.com
127.0.0.1 coolwebsearch.com
127.0.0.1 www.coolwebsearch.com

8756 more entries in hosts file.


-- End of Deckard's System Scanner: finished at 2008-06-07 18:19:38 ---


I shall thank you in advance for any help in solving this problem.
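As an added illustration that is not part of this thread, the following Python script applies to HijackThis-format lines the checks a log helper would make on the post above: nameless O2 BHOs pointing at randomly named system32 DLLs, an O20 Winlogon Notify entry that loads the same DLL (an explanation for why a removal that only deletes the BHO does not hold), AppInit_DLLs, and pending Spybot RunOnce deletions. The eight-letter name pattern is an assumption modelled on the names in this log, not a general rule, and the sample lines are constructed copies of entries from the log.

```python
import re

# Constructed sample in the HijackThis v2 line format; the entries are copied
# from the log posted above so the checks run on realistically shaped input.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1BC1DFD2-2067-4563-AC41-88E605DF2B75} - C:\WINDOWS\system32\yayyXNEu.dll (file missing)
O2 - BHO: (no name) - {BD3C6F7C-6C8D-48F6-AC52-5E4071AEB257} - C:\WINDOWS\system32\tuvVPgFX.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\RunOnce: [SpybotDeletingC1385] cmd /c del "C:\WINDOWS\system32\byXOhFvv.dll_old"
O20 - AppInit_DLLs: interceptor.dll
O20 - Winlogon Notify: tuvVPgFX - C:\WINDOWS\SYSTEM32\tuvVPgFX.dll
O23 - Service: Symantec Endpoint Protection (Symantec AntiVirus) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
"""

LINE_RE = re.compile(r"^(?P<sec>[RFNO]\d+) - (?P<body>.*)$")
BHO_RE = re.compile(r"^BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - "
                    r"(?P<path>.*?)(?P<missing> \(file missing\))?$")
NOTIFY_RE = re.compile(r"^Winlogon Notify: (?P<key>\S+) - (?P<path>.*)$")
APPINIT_RE = re.compile(r"^AppInit_DLLs: (?P<dlls>.+)$")
RUNONCE_DEL_RE = re.compile(
    r'^HKLM\\\.\.\\RunOnce: \[(?P<key>[^\]]+)\] (?:cmd|command) /c del "(?P<path>[^"]+)"',
    re.IGNORECASE)
# Heuristic assumed from the names in this log (yayyXNEu, tuvVPgFX, byXOhFvv):
# eight letters, no digits, no recognisable vendor prefix. Applied to the
# lower-cased basename, so case is irrelevant.
RANDOM_DLL_RE = re.compile(r"^[a-z]{8}\.dll$")


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse(text):
    """Split a HijackThis log into (section, body) tuples, skipping other lines."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append((m["sec"], m["body"]))
    return entries


def analyze(text):
    """Return (severity, message) findings: BHO pass first, then the rest in log order."""
    entries = parse(text)
    findings = []
    nameless = set()  # basenames of DLLs registered as BHOs with "(no name)"
    for sec, body in entries:
        if sec != "O2":
            continue
        m = BHO_RE.match(body)
        if not m or m["name"] != "(no name)":
            continue
        base = basename(m["path"])
        if not RANDOM_DLL_RE.match(base):
            continue
        nameless.add(base)
        if m["missing"]:
            findings.append(("low", f"orphaned BHO {m['clsid']} -> {base}: "
                             "registry residue from an earlier removal"))
        else:
            findings.append(("high", f"nameless BHO {m['clsid']} -> {base}: "
                             "randomly named DLL in system32 is still present"))
    for sec, body in entries:
        if sec == "O4":
            m = RUNONCE_DEL_RE.match(body)
            if m:
                findings.append(("info", f"RunOnce '{m['key']}' still deleting "
                                 f"{basename(m['path'])}: scanner cleanup pending; if it "
                                 "reappears after every reboot, the loader was not removed"))
        elif sec == "O20":
            m = APPINIT_RE.match(body)
            if m:
                findings.append(("review", f"AppInit_DLLs={m['dlls'].strip()}: loaded into "
                                 "every process that links user32.dll, verify the publisher"))
            m = NOTIFY_RE.match(body)
            if m and basename(m["path"]) in nameless:
                findings.append(("high", f"Winlogon Notify '{m['key']}' loads "
                                 f"{basename(m['path'])}, the same DLL as a nameless BHO: "
                                 "persistence that survives removal of the BHO alone"))
    return findings


if __name__ == "__main__":
    for severity, message in analyze(SAMPLE_LOG):
        print(f"[{severity:6}] {message}")
```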


#2 SifuMike

    malware expert

  • Staff Emeritus
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 08 June 2008 - 02:09 PM

Hello Zulu1959,

C:\Downloads\dss.exe

Please delete the dss.exe you have in your downloads folder.

I need to have dss.exe installed on your desktop.

Please download Deckard's System Scanner (DSS) from one of the links below and save to your Desktop.
Primary Mirror
Secondary Mirror

DSS will do the following:
1. Create a new System Restore point in Windows XP and Vista.
2. Clean your Temporary Files, Downloaded Program Files, Internet Cache Files, and empty the Recycle Bin on all drives.
3. Check some important areas of your system and produce a report for an analyst to review.
4. Automatically run HijackThis. It will also install and place a shortcut to HijackThis on your desktop if you do not already have it installed. So if HijackThis is not installed and DSS prompts you to download it, please answer yes.

Note: You must be logged onto an account with administrator privileges when using Deckard's System Scanner.

1. Close all applications and windows.
2. Double-click on dss.exe to run it and follow the prompts.
3. If your anti-virus or firewall complains, please allow this script to run as it is not malicious.
4. When the scan is complete, two text files will open in Notepad:
main.txt <-- Will be maximized
extra.txt <-- Will be minimized
5. If not, they both can be found in the C:\Deckard\System Scanner folder.
6. Please copy (<Control>+C) and paste (<Control>+V) the contents of main.txt and extra.txt in your next reply.

Note: When running DSS, some firewalls may warn that DSS is trying to access the Internet; especially if you are asked to download the most current version of HijackThis. Please ensure that DSS is given permission to access the internet.
Note: If you get a warning from your anti-virus while DSS is scanning, please allow DSS to continue as the scan is not harmful.

In your next reply, I need to see the following reports:
DSS Main.txt
DSS Extra.txt

You can attach the DSS Extra folder.

Edited by SifuMike, 08 June 2008 - 02:19 PM.


#3 SifuMike

    malware expert

  • Staff Emeritus
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 13 June 2008 - 10:22 PM

Due to inactivity, this thread will now be closed. If you need this topic reopened, please contact me or a member of the HJT Team and we will reopen it for you. Include the address of this thread in your request. If you should have a new issue, please start a new topic. This applies only to the original topic starter. Everyone else please begin a New Topic.