Problems Removing Spyware (virtumonde, Trojan, More)


28 replies to this topic

#1 lexicon111 (Members, 15 posts)

Posted 10 June 2008 - 05:29 PM

Problems Removing Spyware
Earlier today, my computer freaked out.
It started running slowly and I got about three little icons in my lower right corner tray saying things like "Virus Infection!" and "Your computer may have a virus." And, next to the little clock, it said "Virus Infected."

I rebooted, but got the blue screen.

PAGE_FAULT_IN_NONPAGED_AREA

If this is the first time you've seen this... etc.

Technical Information:
*** STOP: 0x00000050 (0xBAD04000, 0x00000000, 0xE1AAB8F5, 0x00000000)

I can start my computer in safe mode with networking and get internet access, but I cannot see any of my internet browsers. They show up in Task Manager, though. I can still get new files onto it via USB drive, though.

I've tried running some anti-spyware (Multi Virus Cleaner, Ad-Aware SE Personal, and SUPERAntispyware) but nothing seems to be working. I ran a complete scan with SAS, quarantined/destroyed the files it found, however when I did another scan, many of the files were found again.

HIJACK THIS LOG

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:49:27 PM, on 6/9/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Safe mode with network support
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Administrator\Application Data\U3\0000188C36759417\LaunchPad.exe
C:\WINDOWS\system32\ctfmon.exe
G:\Documents\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://bfirst.info/in.cgi?3&key=dave...es+block+party
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [MSDisp32] rundll32.exe C:\WINDOWS\system32\drvsuw.dll,startup
O4 - HKLM\..\Run: [autoload] C:\Documents and Settings\Rolando\cftmon.exe
O4 - HKLM\..\Run: [jdgf894jrghoiiskd] C:\DOCUME~1\Rolando\LOCALS~1\Temp\winlogan.exe
O4 - HKLM\..\Run: [DelayLoad] C:\DOCUME~1\Rolando\LOCALS~1\Temp\msprint.exe
O4 - HKLM\..\Run: [advap32] C:\DOCUME~1\Rolando\LOCALS~1\Temp\rbnpsrv.exe/r
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [8494016a] rundll32.exe "C:\WINDOWS\system32\quqkbkuj.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] G:\Documents\SUPERAntiSpyware\SUPERAntiSpyware.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\npjpi160_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\npjpi160_05.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {55963676-2F5E-4BAF-AC28-CF26AA587566} (Cisco AnyConnect VPN Client Web Control) - https://vpn2.lehman.edu/CACHE/stc/1/binaries/vpnweb.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://sdlc-esd.sun.com/ESD39/JSCDL/...ws-i586-jc.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
O21 - SSODL: erpobmsw - {CFB8305E-CC4A-4F5E-A0CA-9F9BF74193AB} - C:\WINDOWS\erpobmsw.dll (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: dlci_device - - C:\WINDOWS\system32\dlcicoms.exe
O23 - Service: Google Desktop Manager 5.7.712.18632 (GoogleDesktopManager-121807-210419) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: MySQL5 - Unknown owner - C:\Program.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
--
End of file - 4858 bytes

Any help would be VERY much appreciated.

Thanks in advance
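As an added example that is not part of this thread or of HijackThis itself: a small Python triage pass over the kind of O4, O7 and O21 entries in the log above. The sample lines are constructed from that log, and the name list and heuristics are my own assumptions about what an analyst checks first; the point is to show why entries such as cftmon.exe, an autorun in a Temp folder, or a rundll32 call with a one-letter export stand out.

```python
import re

# Constructed sample: a subset of the O4/O7/O21 lines quoted in the post above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [MSDisp32] rundll32.exe C:\WINDOWS\system32\drvsuw.dll,startup
O4 - HKLM\..\Run: [autoload] C:\Documents and Settings\Rolando\cftmon.exe
O4 - HKLM\..\Run: [jdgf894jrghoiiskd] C:\DOCUME~1\Rolando\LOCALS~1\Temp\winlogan.exe
O4 - HKLM\..\Run: [advap32] C:\DOCUME~1\Rolando\LOCALS~1\Temp\rbnpsrv.exe/r
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [8494016a] rundll32.exe "C:\WINDOWS\system32\quqkbkuj.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O21 - SSODL: erpobmsw - {CFB8305E-CC4A-4F5E-A0CA-9F9BF74193AB} - C:\WINDOWS\erpobmsw.dll (file missing)
"""

# Assumed list of Windows binaries that malware mimics by changing or swapping one letter.
WINDOWS_NAMES = ("ctfmon", "winlogon", "svchost", "lsass", "explorer",
                 "services", "csrss", "spoolsv", "smss", "rundll32")

O4_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\Run: \[([^\]]*)\] (.*)$")
RUNDLL_RE = re.compile(r'^rundll32(?:\.exe)?\s+"?([^",]+)"?\s*,\s*(\S*)', re.I)
EXE_RE = re.compile(r'^"?(.*?\.(?:exe|dll|com|bat|scr))"?', re.I)


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance (edits plus adjacent swaps), so that
    'cftmon' is one step from 'ctfmon' and 'winlogan' one step from 'winlogon'."""
    d = [[i + j if i == 0 or j == 0 else 0 for j in range(len(b) + 1)] for i in range(len(a) + 1)]
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def lookalike_of(basename: str):
    """Return the Windows binary this file name mimics, or None if it is exact or unrelated."""
    stem = basename.lower().rsplit(".", 1)[0]
    for real in WINDOWS_NAMES:
        if stem != real and osa_distance(stem, real) == 1:
            return real
    return None


def autorun_target(cmd: str):
    """Split an O4 command into (image path, rundll32 export name or None)."""
    m = RUNDLL_RE.match(cmd)
    if m:
        return m.group(1), m.group(2)
    m = EXE_RE.match(cmd)
    return (m.group(1) if m else (cmd.split() or [cmd])[0]), None


def check_o4(name: str, cmd: str) -> list:
    """Heuristics for one Run-key entry; each hit is a reason to look closer."""
    reasons = []
    path, export = autorun_target(cmd)
    basename = path.rsplit("\\", 1)[-1]
    if re.search(r"\\(?:locals~1|local settings)\\temp\\", path, re.I):
        reasons.append("autorun image lives in a user's Temp folder")
    if re.search(r"\d[A-Za-z]", name):
        reasons.append("value name looks machine-generated")
    if export is not None and len(export) == 1:
        reasons.append(f"rundll32 calls a single-letter export '{export}'")
    real = lookalike_of(basename)
    if real:
        reasons.append(f"'{basename}' mimics the Windows binary '{real}'")
    return reasons


def triage(log_text: str) -> list:
    """Run the heuristics over an HJT log; returns (line, reasons) for entries worth a closer look."""
    findings = []
    for line in log_text.strip().splitlines():
        reasons = []
        m = O4_RE.match(line)
        if m:
            reasons = check_o4(m.group(2), m.group(3))
        elif line.startswith("O7 - ") and "DisableRegedit=1" in line:
            reasons = ["Registry Editor disabled by policy, a common self-defence of infections"]
        elif line.startswith("O21 - SSODL:"):
            reasons = ["ShellServiceObjectDelayLoad entry: a DLL that Explorer loads at logon"]
            if "(file missing)" in line:
                reasons.append("registered DLL is not on disk, so it could not be inspected")
        if reasons:
            findings.append((line, reasons))
    return findings


if __name__ == "__main__":
    for line, reasons in triage(SAMPLE_LOG):
        print(line + "\n   - " + "\n   - ".join(reasons))
```

Note what it misses: drvsuw.dll has an innocuous value name and export, so name-based rules do not flag it, which is why the OTScanIt scan later in the thread, with its created-within-30-days listing, turns up more than a pass over the HJT log does.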

#2 OldTimer (Malware Expert, 11,092 posts, North Carolina)

Posted 12 June 2008 - 11:04 AM

Hello lexicon111 and welcome to BC. Let's see what we can find. Please follow the steps below in order:

Before running a new scan let's clean out the temporary folders.

Download ATF Cleaner to your Desktop.
  • Double-click ATF-Cleaner.exe to run the program.
  • Click Select All found at the bottom of the list.
  • Click the Empty Selected button.
If you use Firefox browser, do this also:
  • Click Firefox at the top and choose Select All from the list.
  • Click the Empty Selected button.
  • NOTE : If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser, do this also:
  • Click Opera at the top and choose Select All from the list.
  • Close ALL Internet browsers (very important).
  • Click the Empty Selected button.
  • NOTE : If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

Now download OTScanIt.exe to your Desktop and double-click on it to extract the files. It will create a folder named OTScanIt on your desktop.

Note: You must be logged on to the system with an account that has Administrator privileges to run this program.
  • Close ALL OTHER PROGRAMS.
  • Open the OTScanIt folder and double-click on OTScanIt.exe to start the program (if you are running on Vista then right-click the program and choose Run as Administrator).
  • In the Drivers section click on Non-Microsoft.
  • Under Additional Scans click the checkboxes in front of the following items to select them:
    • Reg - BotCheck
    • Reg - Desktop Components
    • Reg - Software Policy Settings
    • File - Additional Folder Scans
  • Copy/paste the text in the codebox below into the Custom Scans box:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion
    HKEY_CURRENT_USER\Control Panel\International
  • Do not change any other settings.
  • Now click the Run Scan button on the toolbar.
  • Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
  • Save the file to your desktop or other location where you can find it back.
Use the Add Reply button and attach the file in your next post (do not try to copy/paste it into the post).

Cheers.

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer


#3 lexicon111 (Topic Starter, 15 posts)

Posted 13 June 2008 - 03:33 PM

Thanks for responding.

I downloaded ATF-cleaner and OTScanIt, but I was only able to run ATF in safe mode. Whenever I turn on my computer in Reg mode, I get a blue screen.

Edited by lexicon111, 13 June 2008 - 03:33 PM.


#4 OldTimer (Malware Expert, 11,092 posts, North Carolina)

Posted 13 June 2008 - 03:42 PM

Hi lexicon111. That's fine. Run them in Safe Mode then.

Cheers.

OT

#5 lexicon111 (Topic Starter, 15 posts)

Posted 13 June 2008 - 11:42 PM

Does it matter that I am not able to run OTScanner?

#6 OldTimer (Malware Expert, 11,092 posts, North Carolina)

Posted 14 June 2008 - 08:25 AM

Hi lexicon111. Yes, it would matter. Without the report we can't see what is going on on that system. What happens when it is run?

Cheers.

OT

#7 lexicon111 (Topic Starter, 15 posts)

Posted 14 June 2008 - 10:13 AM

When I try to run the program, it says the program cannot run in safe mode.

I right-click the exe and Run it as the administrator. "This service cannot be started in Safe Mode" is the error box that I get.

Edited by lexicon111, 14 June 2008 - 10:17 AM.


#8 OldTimer (Malware Expert, 11,092 posts, North Carolina)

Posted 14 June 2008 - 10:33 AM

Hi lexicon111. Is this the downloaded file or the files that have been extracted from it? There are no services involved and it is not restricted in any way from running in Safe Mode.

It could be that the extraction service isn't working on that machine. In that case, the files will need to be extracted on another machine and transferred to the non-working machine. Double-clicking the downloaded file will perform the extraction and create a folder named OTScanIt. Do that on a working machine and then transfer the entire folder to the non-working machine.

Cheers.

OT

#9 lexicon111 (Topic Starter, 15 posts)

Posted 15 June 2008 - 04:25 PM

Thanks, I realized what I was doing wrong. I extracted it on my good computer and just transferred it to my bad one.

I ran it while logged in as administrator, and I was looking at the processes in task manager. Whenever I double-clicked the .exe, it ran for a split second, then died. Nothing changed on my screen (no GUI came up or anything).

I tried run as-> administrator, but that can't be done in safe mode apparently...

#10 OldTimer (Malware Expert, 11,092 posts, North Carolina)

Posted 15 June 2008 - 04:46 PM

Hi lexicon111. Run As Administrator is only an option on Vista. There might be a Run As... option on XP depending on how the machine is set up but it wouldn't make a difference if you are logged on as an Administrator to begin with.

About the only other thing you can try is renaming OTScanIt.exe to something else. Try 123.exe or 123.com and see what it does. If that doesn't work it might be time for a reinstall.

Cheers.

OT

#11 lexicon111 (Topic Starter, 15 posts)

Posted 15 June 2008 - 09:10 PM

Wow... I renamed the file and it worked perfectly (thanks).
The attached is the log.
By the way, if it wouldn't be too much trouble, could you please explain to me what is going on? I have a very vague idea, but I'd like to know more specifically what is happening to my system as it gets cleaned/what happened to it originally.

Attached Files



#12 lexicon111 (Topic Starter, 15 posts)

Posted 15 June 2008 - 10:05 PM

Oldtimer, I just ran Combofix.exe (called combofix1.exe) and when my computer restarted, I wasn't there... It is running in normal mode!

Edited by lexicon111, 15 June 2008 - 10:17 PM.


#13 OldTimer (Malware Expert, 11,092 posts, North Carolina)

Posted 15 June 2008 - 10:27 PM

Hi lexicon111. This is a variant of a Vundo infection. All of these types of infections that I see (and I see a lot of them) come from files that have been downloaded from a file-sharing network. These infections can blow right through any security applications installed (even though I don't see any on this system) and do what they want. See the instructions further on for free antivirus and firewall products, and stay away from file-sharing networks, and your system will be much happier.

Now let's see what we can do. Follow the steps below in order:

Step #1

Please download The Avenger by Swandog46 to your Desktop.
  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop
Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Drivers to delete:
Beep
Files to delete:
%systemroot%\bm87a732f6.xml
%systemroot%\eobp.exe
%systemroot%\system32\beep.sys
%systemroot%\system32\bmf.cs
%systemroot%\system32\ccs.so
%systemroot%\system32\drivers\beep.sys
%systemroot%\system32\drvsuw.dll
%systemroot%\system32\evevevxs.dll
%systemroot%\system32\havtkcaj.dll
%systemroot%\system32\ho.ln
%systemroot%\system32\hpoasijh.ini
%systemroot%\system32\jukbkquq.ini
%systemroot%\system32\ko.o
%systemroot%\system32\mljbtmjy.dll
%systemroot%\system32\mn.n
%systemroot%\system32\mwvwuplo.ini
%systemroot%\system32\ntpl.bin
%systemroot%\system32\nvrsma.dll
%systemroot%\system32\olpuwvwm.dll
%systemroot%\system32\uuxilutv.ini
%systemroot%\system32\uuxilutv.ini2
%systemroot%\system32\winnov32.dll
%systemroot%\system32\winver.bat
%systemroot%\system32\yjmtbjlm.ini
%systemroot%\system32\yjmtbjlm.ini2
%systemroot%\xbqmfsed.exe
c:\documents and settings\all users\application data\microsoft\network\downloader\qmgr0.dat
c:\documents and settings\all users\application data\microsoft\network\downloader\qmgr1.dat
Folders to delete:
%allusersprofile%\application data\adsl software limited
%systemroot%\privacy_danger

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

Now, start The Avenger program by clicking on its icon on your desktop.
  • Click in the window labeled Input Script Here and paste the text copied to the clipboard into it by pressing (Ctrl+V).
  • Click the Execute button
  • Answer "Yes" twice when prompted.
The Avenger will automatically do the following:
  • It will Restart your computer. (In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop; this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger's actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
Step #2

Start OTScanIt. Copy/Paste the information in the codebox below into the pane where it says "Paste fix here" and then click the Run Fix button.

[Kill Explorer]
[Unregister Dlls]
[Driver Services - Non-Microsoft Only]
YY -> (Beep) Beep [Kernel | System | Stopped] -> %SystemRoot%\System32\drivers\beep.sys
[Registry - Non-Microsoft Only]
< Run [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YY -> 8494016a -> %SystemRoot%\system32\olpuwvwm.dll [rundll32.exe "C:\WINDOWS\system32\olpuwvwm.dll",b]
YY -> BM87a732f6 -> %SystemRoot%\system32\evevevxs.dll [Rundll32.exe "C:\WINDOWS\system32\evevevxs.dll",s]
YY -> MSDisp32 -> %SystemRoot%\system32\drvsuw.dll [rundll32.exe C:\WINDOWS\system32\drvsuw.dll,startup]
< Run [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YN -> MSMSGS -> %ProgramFiles%\Messenger\msmsgs.exe ["C:\Program Files\Messenger\msmsgs.exe" /background]
< ShellExecuteHooks [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
YN -> {BF0CA4FC-6378-4062-B546-3CDE8A28B1E0} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. []
< Winlogon\Notify settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
YY -> winnov32 -> %SystemRoot%\system32\winnov32.dll
< BHO's [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
YY -> {24aa0530-3c9e-4413-92d8-c2e818c203e2} [HKEY_LOCAL_MACHINE] -> %SystemRoot%\system32\havtkcaj.dll [Reg Error: Value  does not exist or could not be read.]
YY -> {DF5DB230-A5B9-4016-8356-9EDFFBA8F4BD} [HKEY_LOCAL_MACHINE] -> %SystemRoot%\system32\mlJBTmJY.dll [Reg Error: Value  does not exist or could not be read.]
< Internet Explorer Extensions [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\
YN -> {FB5F1910-F110-11d2-BB9E-00C04F795683}:Exec -> %ProgramFiles%\Messenger\msmsgs.exe [Messenger]
< Downloaded Program Files > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\
YN -> {67DABFBF-D0AB-41FA-9C46-CC0F21721616}[HKEY_LOCAL_MACHINE] -> http://download.divx.com/player/DivXBrowserPlugin.cab[Reg Error: Key does not exist or could not be opened.]
[Registry - Additional Scans - Non-Microsoft Only]
< BotCheck > -> 
*Authentication Packages* -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\Authentication Packages
YY -> C:\WINDOWS\system32\mlJBTmJY -> %SystemRoot%\system32\mlJBTmJY.dll
< BotCheck > -> 
YN -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\WoW-2.0.0-enUS-Installer-downloader.exe -> %SystemDrive%\WoW-2.0.0-enUS-Installer-downloader.exe [C:\WoW-2.0.0-enUS-Installer-downloader.exe:*:Enabled:Blizzard Downloader]
YN -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Documents and Settings\Rolando\Desktop\Mafiaboy's Repack\ascent.exe -> %SystemDrive%\Documents and Settings\Rolando\Desktop\Mafiaboy's Repack\ascent.exe [C:\Documents and Settings\Rolando\Desktop\Mafiaboy's Repack\ascent.exe:*:Enabled:ascent]
YN -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\BitLord\BitLord.exe -> %ProgramFiles%\BitLord\BitLord.exe [C:\Program Files\BitLord\BitLord.exe:*:Enabled:BitLord]
YN -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\VentSrv\ventrilo_srv.exe -> %ProgramFiles%\VentSrv\ventrilo_srv.exe [C:\Program Files\VentSrv\ventrilo_srv.exe:*:Enabled:ventrilo_srv]
YN -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\BitTorrent\bittorrent.exe -> %ProgramFiles%\BitTorrent\bittorrent.exe [C:\Program Files\BitTorrent\bittorrent.exe:*:Enabled:BitTorrent]
YN -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\LimeWire\LimeWire.exe -> %ProgramFiles%\LimeWire\LimeWire.exe [C:\Program Files\LimeWire\LimeWire.exe:*:Enabled:LimeWire]
YN -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Documents and Settings\Rolando\Desktop\Halo Custom Edition\haloce.exe -> %SystemDrive%\Documents and Settings\Rolando\Desktop\Halo Custom Edition\haloce.exe [C:\Documents and Settings\Rolando\Desktop\Halo Custom Edition\haloce.exe:*:Enabled:Halo]
YN -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Documents and Settings\Rolando\Desktop\Warcraft III\Warcraft III.exe -> %SystemDrive%\Documents and Settings\Rolando\Desktop\Warcraft III\Warcraft III.exe [C:\Documents and Settings\Rolando\Desktop\Warcraft III\Warcraft III.exe:*:Enabled:Warcraft III]
[Files/Folders - Created Within 30 days]
NY -> beep.sys -> %SystemRoot%\System32\beep.sys
NY -> bmf.cs -> %SystemRoot%\System32\bmf.cs
NY -> ccs.so -> %SystemRoot%\System32\ccs.so
NY -> drvsuw.dll -> %SystemRoot%\System32\drvsuw.dll
NY -> evevevxs.dll -> %SystemRoot%\System32\evevevxs.dll
NY -> havtkcaj.dll -> %SystemRoot%\System32\havtkcaj.dll
NY -> ho.ln -> %SystemRoot%\System32\ho.ln
NY -> hpoasijh.ini -> %SystemRoot%\System32\hpoasijh.ini
NY -> jukbkquq.ini -> %SystemRoot%\System32\jukbkquq.ini
NY -> ko.o -> %SystemRoot%\System32\ko.o
NY -> mn.n -> %SystemRoot%\System32\mn.n
NY -> mwvwuplo.ini -> %SystemRoot%\System32\mwvwuplo.ini
NY -> ntpl.bin -> %SystemRoot%\System32\ntpl.bin
NY -> nvrsma.dll -> %SystemRoot%\System32\nvrsma.dll
NY -> olpuwvwm.dll -> %SystemRoot%\System32\olpuwvwm.dll
NY -> uuxIlUtv.ini -> %SystemRoot%\System32\uuxIlUtv.ini
NY -> uuxIlUtv.ini2 -> %SystemRoot%\System32\uuxIlUtv.ini2
NY -> winnov32.dll -> %SystemRoot%\System32\winnov32.dll
NY -> winver.bat -> %SystemRoot%\System32\winver.bat
NY -> YJmTBJlm.ini2 -> %SystemRoot%\System32\YJmTBJlm.ini2
NY -> ??crosoft.NET -> %SystemRoot%\System32\Μіcrosoft.NET
NY -> 2 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp
NY -> BM87a732f6.xml -> %SystemRoot%\BM87a732f6.xml
NY -> eobp.exe -> %SystemRoot%\eobp.exe
NY -> 4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp
NY -> privacy_danger -> %SystemRoot%\privacy_danger
NY -> xbqmfsed.exe -> %SystemRoot%\xbqmfsed.exe
[Files Created - Additional Folder Scans - Non-Microsoft Only]
NY -> Adsl Software Limited -> %AllUsersProfile%\Application Data\Adsl Software Limited
[Files/Folders - Modified Within 30 days]
NY -> beep.sys -> %SystemRoot%\System32\drivers\beep.sys
NY -> beep.sys -> %SystemRoot%\System32\beep.sys
NY -> bmf.cs -> %SystemRoot%\System32\bmf.cs
NY -> 2 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp
NY -> ccs.so -> %SystemRoot%\System32\ccs.so
NY -> drvsuw.dll -> %SystemRoot%\System32\drvsuw.dll
NY -> evevevxs.dll -> %SystemRoot%\System32\evevevxs.dll
NY -> havtkcaj.dll -> %SystemRoot%\System32\havtkcaj.dll
NY -> ho.ln -> %SystemRoot%\System32\ho.ln
NY -> hpoasijh.ini -> %SystemRoot%\System32\hpoasijh.ini
NY -> jukbkquq.ini -> %SystemRoot%\System32\jukbkquq.ini
NY -> ko.o -> %SystemRoot%\System32\ko.o
NY -> mn.n -> %SystemRoot%\System32\mn.n
NY -> mwvwuplo.ini -> %SystemRoot%\System32\mwvwuplo.ini
NY -> ntpl.bin -> %SystemRoot%\System32\ntpl.bin
NY -> nvrsma.dll -> %SystemRoot%\System32\nvrsma.dll
NY -> olpuwvwm.dll -> %SystemRoot%\System32\olpuwvwm.dll
NY -> uuxIlUtv.ini -> %SystemRoot%\System32\uuxIlUtv.ini
NY -> uuxIlUtv.ini2 -> %SystemRoot%\System32\uuxIlUtv.ini2
NY -> winnov32.dll -> %SystemRoot%\System32\winnov32.dll
NY -> winver.bat -> %SystemRoot%\System32\winver.bat
NY -> YJmTBJlm.ini -> %SystemRoot%\System32\YJmTBJlm.ini
NY -> YJmTBJlm.ini2 -> %SystemRoot%\System32\YJmTBJlm.ini2
NY -> ??crosoft.NET -> %SystemRoot%\System32\Μіcrosoft.NET
NY -> 4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp
NY -> BM87a732f6.xml -> %SystemRoot%\BM87a732f6.xml
NY -> eobp.exe -> %SystemRoot%\eobp.exe
NY -> privacy_danger -> %SystemRoot%\privacy_danger
NY -> xbqmfsed.exe -> %SystemRoot%\xbqmfsed.exe
NY -> qmgr0.dat -> C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
NY -> qmgr1.dat -> C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
[Files Modified - Additional Folder Scans - Non-Microsoft Only]
NY -> @Alternate Data Stream - 123 bytes -> %AllUsersProfile%\Application Data\TEMP:05EE1EEF
NY -> @Alternate Data Stream - 115 bytes -> %AllUsersProfile%\Application Data\TEMP:664FE078
NY -> @Alternate Data Stream - 98 bytes -> %AllUsersProfile%\Application Data\TEMP:DFC5A2B2
[Extra Files]
Purity
[Empty Temp Folders]
[Start Explorer]

The fix should only take a very short time. When the fix is completed a message box will popup either telling you that it is finished, or that a reboot is needed to complete the fix. If the fix is complete, click the Ok button and Notepad will open with a log of actions taken during the fix. Post that log back here in your next reply.

If a reboot is required, click the "Yes" button to reboot the machine. After the reboot, OTScanIt will finish moving any files that could not be moved during the fix and NotePad will open with the final results at that time. Post that log back here in your next reply.

Step #3

Now let's run an online virus scan. Both of these require Internet Explorer. Try F-Secure first. Sometimes it doesn't play nice with other system components so if it cannot complete then try the Kaspersky scan. You only need to complete one of the two.

Run the F-Secure Online Scanner

Note: This Scanner is for Internet Explorer Only!
  • Click on Online Services and then Online Scanner
  • Accept the License Agreement.
  • Once the ActiveX installs, click Full System Scan
  • Once the download completes, the scan will begin automatically.
  • The scan will take some time to finish, so please be patient.
  • When the scan completes, click the Automatic cleaning (recommended) button.
  • Click the Show Report button and Copy&Paste the entire report in your next reply.
If the F-Secure scan did not work then try an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky, click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
      • Extended (if available otherwise Standard)
    • Scan Options:
      • Scan Archives
      • Scan Mail Bases
  • Click OK
  • Now under Select a target to scan: select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
  • Click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
Step #4

I see no antivirus or firewall installed on this system. You should definitely have a good antivirus to stop many infections before they can start and spread. Here are 3 free anti-virus programs that are available for personal use (I use these on various machines and they are all good):

You should also have a good firewall for blocking unwanted access to and from your computer. These also are free for personal use:

It is best to have both a firewall and anti virus to protect your system and to keep them updated.

Step #5

Run a new OTScanIt scan with the following options

Note: You must be logged on to the system with an account that has Administrator privileges to run this program.
  • Close ALL OTHER PROGRAMS.
  • Open the OTScanIt folder and double-click on OTScanIt.exe to start the program.
  • Just use the default settings.
  • Do not change any other settings.
  • Now click the Run Scan button on the toolbar.
  • Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it and close Notepad (save changes if necessary).
  • Close OTScanIt and locate the OTScanIt.txt file in the folder where OTScanIt.exe is located.
  • Attach that file back here in your next reply.
Step #6

Copy/paste the following back here in your next reply:
  • The Avenger report (c:\Avenger.txt)
  • The latest OTScanIt fix log (look in the OTScanIt folder for the MovedFiles folder. In that folder will be a file with a name in the form of mmddyyyy_hhmmss.log for month, day, year, hours, minutes, and seconds that the scan was run. )
  • The online virus scan report (whichever one you ran)
Attach the following back here in your next reply:
  • The new OTScanIt scan log
I will review the information when it comes back in.

Also let me know of any problems you encountered performing the steps above or any continuing problems you are still having with the computer.

Cheers.

OT

#14 lexicon111 (Topic Starter, 15 posts)

Posted 15 June 2008 - 11:06 PM

Well... I ran combofix as combofix1.exe and my computer restarted in normal mode and everything seemed to be working perfectly. I could run windows in safe mode, run programs, etc... Then I ran avenger and it all started falling apart. When it restarted, I got all of the virus's original attacks (constant popups encouraging me to buy fake anti-spyware and the like). I ran combofix in safe mode again, but the computer still isn't back to normal. I am typing this from my infected computer, which is a start since I am now able to access the internet, but I still get popups and lack of computer control. What could have happened?

ComboFix 08-06-10.1 - Administrator 2008-06-15 23:48:09.2 - NTFSx86 NETWORK
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.2307 [GMT -4:00]
Running from: C:\Documents and Settings\Administrator\Desktop\123.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Administrator\cftmon.exe
C:\Documents and Settings\Rolando\cftmon.exe
C:\Documents and Settings\Rolando\Desktop\Error Cleaner.url
C:\Documents and Settings\Rolando\Desktop\Privacy Protector.url
C:\Documents and Settings\Rolando\Desktop\Spyware&Malware Protection.url
C:\Documents and Settings\Rolando\Favorites\Error Cleaner.url
C:\Documents and Settings\Rolando\Favorites\Privacy Protector.url
C:\Documents and Settings\Rolando\Favorites\Spyware&Malware Protection.url
C:\Documents and Settings\TEMP\Local Settings\Temporary Internet Files\
C:\Program Files\antiviirus.exe
C:\Program Files\tmp0.exe
C:\Program Files\tmp1.exe
C:\Program Files\tmp2.exe
C:\WINDOWS\epmq.exe
C:\WINDOWS\kvsdpfeagep.dll
C:\WINDOWS\resources\VolumeRun.dll
C:\WINDOWS\rtsplgob.dll
C:\WINDOWS\system32\763444
C:\WINDOWS\system32\763444\763444.dll
C:\WINDOWS\system32\drivers\spools.exe
C:\WINDOWS\system32\kdiyk.exe
C:\WINDOWS\system32\vtUkkljG.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_Schedule
-------\Service_Schedule


((((((((((((((((((((((((( Files Created from 2008-05-16 to 2008-06-16 )))))))))))))))))))))))))))))))
.

2008-06-15 23:57 . 2008-06-15 23:57 <DIR> d-------- C:\Documents and Settings\Rolando\Application Data\TmpRecentIcons
2008-06-15 23:34 . 2008-06-15 09:01 356,352 --a------ C:\WINDOWS\rnopbfgt.dll
2008-06-15 23:34 . 2008-06-15 09:01 299,008 --a------ C:\WINDOWS\xkefqtgs.dll
2008-06-15 23:34 . 2008-06-15 09:01 155,648 --a------ C:\WINDOWS\pebgkxwq.exe
2008-06-15 23:16 . 2008-06-15 23:16 <DIR> d-------- C:\Program Files\Viewpoint
2008-06-15 23:16 . 2008-06-15 23:16 <DIR> d-------- C:\Program Files\Common Files\AOL
2008-06-15 23:16 . 2008-06-15 23:17 <DIR> d-------- C:\Program Files\AIM6
2008-06-15 23:16 . 2008-06-15 23:16 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-06-15 23:16 . 2008-06-15 23:16 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AOL OCP
2008-06-15 23:16 . 2008-06-15 23:16 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AOL
2008-06-15 23:16 . 2008-06-15 23:16 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\acccore
2008-06-15 23:16 . 2008-06-15 23:17 461 --ah----- C:\IPH.PH
2008-06-15 23:06 . 2004-08-12 10:10 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2008-06-15 22:48 . 2008-06-15 23:08 <DIR> d-------- C:\ComboFix1
2008-06-15 22:37 . 2008-06-15 22:37 <DIR> d-------- C:\Program Files\Trend Micro
2008-06-15 22:16 . 2008-06-15 22:16 <DIR> d-------- C:\_OTMoveIt
2008-06-15 17:35 . 2008-06-15 17:35 <DIR> d-------- C:\Deckard
2008-06-10 18:12 . 2008-06-10 18:12 <DIR> d-------- C:\WINDOWS\ERUNT
2008-06-10 18:12 . 2008-06-15 17:34 <DIR> d-------- C:\SDFix
2008-06-10 17:50 . 2007-09-06 00:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-06-10 17:50 . 2006-04-27 17:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-06-10 17:50 . 2008-05-27 13:54 86,528 --a------ C:\WINDOWS\system32\VACFix.exe
2008-06-10 17:50 . 2008-05-18 21:40 82,944 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-06-10 17:50 . 2008-05-18 21:40 82,944 --a------ C:\WINDOWS\system32\404Fix.exe
2008-06-10 17:50 . 2003-06-05 21:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-06-10 17:50 . 2004-07-31 18:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-06-10 17:50 . 2007-10-04 00:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-06-10 17:23 . 2008-06-10 17:54 1,316 --a------ C:\WINDOWS\system32\tmp.reg
2008-06-10 17:18 . 2008-06-10 17:18 <DIR> d-------- C:\VundoFix Backups
2008-06-10 16:40 . 2008-06-10 16:40 4,614,888 --a------ C:\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
2008-06-09 20:49 . 2008-06-09 20:49 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Uniblue
2008-06-09 18:45 . 2008-06-09 18:45 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-06-09 18:45 . 2008-06-10 17:35 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\U3
2008-06-09 18:45 . 2008-06-09 18:45 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com
2008-06-09 18:28 . 2008-06-15 23:55 <DIR> d-------- C:\Documents and Settings\Administrator
2008-06-09 17:42 . 2008-06-09 17:42 <DIR> d-------- C:\Documents and Settings\Rolando\Application Data\Lavasoft
2008-06-09 17:41 . 2008-06-09 17:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-06-09 16:05 . 2008-06-09 16:05 <DIR> d-------- C:\Program Files\Microsoft ActiveSync
2008-06-09 15:57 . 2008-06-09 15:57 9,662 --a------ C:\WINDOWS\system32\ZoneAlarmIconUS.ico
2008-06-09 13:31 . 2008-06-09 13:31 1,169 --a------ C:\WINDOWS\mozver.dat
2008-06-05 23:51 . 2008-06-09 15:37 <DIR> d-------- C:\Program Files\Warcraft III
2008-05-30 15:54 . 2008-06-09 16:26 <DIR> d-------- C:\Documents and Settings\Rolando\Application Data\LimeWire
2008-05-29 14:56 . 2008-05-29 14:56 <DIR> d-------- C:\Documents and Settings\Rob\Application Data\Cisco
2008-05-29 11:23 . 2008-05-29 11:23 24,760 --a------ C:\WINDOWS\system32\vpnevents.dll
2008-05-17 09:29 . 2008-06-09 07:47 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Google Updater

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-16 03:22 --------- d-----w C:\Program Files\World of Warcraft
2008-06-12 16:39 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-06-09 21:53 --------- d-----w C:\Documents and Settings\Rolando\Application Data\Skype
2008-06-09 21:40 --------- d-----w C:\Documents and Settings\Rolando\Application Data\U3
2008-06-09 20:11 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-06-09 20:10 --------- d-----w C:\Program Files\Creative
2008-06-09 20:10 --------- d-----w C:\Documents and Settings\Rolando\Application Data\skypePM
2008-06-09 20:07 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-06-09 20:04 --------- d-----w C:\Program Files\Easy Icon Maker
2008-06-09 11:41 --------- d-----w C:\Program Files\Dl_cats
2008-05-28 01:57 7,592 ----a-w C:\Program Files\flowers.jpg
2008-05-22 14:37 --------- d-----w C:\Documents and Settings\Rob\Application Data\U3
2008-05-19 00:11 --------- d-----w C:\Program Files\DNA
2008-05-17 13:30 --------- d-----w C:\Program Files\Google
2008-01-20 20:43 32 ----a-r C:\Documents and Settings\All Users\hash.dat
2008-01-04 23:30 32 ----a-w C:\Documents and Settings\All Users\Application Data\ezsid.dat
.

((((((((((((((((((((((((((((( snapshot@2008-06-15_23.08.17.14 )))))))))))))))))))))))))))))))))))))))))
.
+ 2005-07-26 04:20:23 110,080 ----a-w C:\WINDOWS\$hf_mig$\KB902400\SP2QFE\clbcatex.dll
+ 2005-07-26 04:20:24 498,688 ----a-w C:\WINDOWS\$hf_mig$\KB902400\SP2QFE\clbcatq.dll
+ 2004-08-12 13:56:05 110,080 -c----w C:\WINDOWS\$NtUninstallKB902400$\clbcatex.dll
+ 2004-08-12 13:56:05 501,248 -c----w C:\WINDOWS\$NtUninstallKB902400$\clbcatq.dll
- 2008-06-16 03:04:45 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-16 03:56:44 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2007-01-24 01:41:42 841,304 ----a-w C:\WINDOWS\Downloaded Program Files\ampAx3.0.84.2.dll
+ 2008-06-16 03:16:28 38,428 ----a-w C:\WINDOWS\Downloaded Program Files\unagiuninst.exe
+ 2004-08-12 13:56:04 10,752 ----a-w C:\WINDOWS\system32\clb.dll
+ 2005-07-26 04:39:43 110,080 ----a-w C:\WINDOWS\system32\clbcatex.dll
+ 2005-07-26 04:39:43 498,688 ----a-w C:\WINDOWS\system32\clbcatq.dll
+ 2004-08-12 13:56:04 10,752 -c--a-w C:\WINDOWS\system32\dllcache\clb.dll
+ 2005-07-26 04:39:43 110,080 -c--a-w C:\WINDOWS\system32\dllcache\clbcatex.dll
+ 2005-07-26 04:39:43 498,688 -c--a-w C:\WINDOWS\system32\dllcache\clbcatq.dll
- 2008-06-10 21:51:48 59,780 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-06-16 03:50:11 59,780 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-06-10 21:51:48 397,560 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-06-16 03:50:11 397,560 ----a-w C:\WINDOWS\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{82CB8960-D26A-49D2-B4CA-AF01B48C7873}"= "C:\WINDOWS\rtsplgob.dll" [ ]

[HKEY_CLASSES_ROOT\clsid\{82cb8960-d26a-49d2-b4ca-af01b48c7873}]
[HKEY_CLASSES_ROOT\rtsplgob.1]
[HKEY_CLASSES_ROOT\TypeLib\{1B6C6CEA-B99A-459B-B6DD-2C927C4DF9EA}]
[HKEY_CLASSES_ROOT\rtsplgob]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"jdgf894jrghoiiskd"="C:\DOCUME~1\Rolando\LOCALS~1\Temp\winlogan.exe" [ ]
"InstallProgram"="C:\DOCUME~1\Rolando\LOCALS~1\Temp\setup_526_1_.exe" [ ]
"Jnskdfmf9eldfd"="C:\DOCUME~1\Rolando\LOCALS~1\Temp\csrssc.exe" [ ]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-12 09:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"C:\WINDOWS\system32\kdiyk.exe"="C:\WINDOWS\system32\kdiyk.exe" [ ]
"MSDisp32"="C:\WINDOWS\system32\drvsuw.dll" [ ]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-12-05 02:41 8523776]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-01-03 17:53 29744]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"= 1 (0x1)
"DisableRegistryTools"= 1 (0x1)
"NoDispCPL"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoToolbarCustomize"= 1 (0x1)
"StartMenuLogoff"= 1 (0x1)
"NoStartMenuMorePrograms"= 1 (0x1)
"NoSetFolders"= 1 (0x1)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"xkefqtgs"= {F55B281B-0736-41C7-82F3-1785AA4095E0} - C:\WINDOWS\xkefqtgs.dll [2008-06-15 09:01 299008]
"rnopbfgt"= {C098C672-2AC1-4104-89F1-1B3AC9471A49} - C:\WINDOWS\rnopbfgt.dll [2008-06-15 09:01 356352]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\WINDOWS\\system32\\dpvsetup.exe"=
"C:\\Program Files\\Microsoft Games\\Halo Trial\\halo.exe"=
"C:\\WINDOWS\\system32\\dlcicoms.exe"=
"C:\\Program Files\\Dell AIO Printer 946\\DLCImon.exe"=
"C:\\Program Files\\Dell AIO Printer 946\\DLCIaiox.exe"=
"C:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe"=
"C:\\Program Files\\DNA\\btdna.exe"=
"C:\\Program Files\\Warcraft III\\Warcraft III.exe"=
"C:\\WINDOWS\\system32\\mmc.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\AIM6\\aim6.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724

R2 dlci_device;dlci_device;C:\WINDOWS\system32\dlcicoms.exe [2006-12-08 01:17]
R2 MySQL5;MySQL5;"C:\Program Files\MySQL\MySQL Server 5.0\bin\mysqld-nt" --defaults-file="C:\Program Files\MySQL\MySQL Server 5.0\my.ini" MySQL5 []
R2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 17:38]
S3 GoogleDesktopManager-121807-210419;Google Desktop Manager 5.7.712.18632;"C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-01-03 17:53]
S3 vpnva;Cisco AnyConnect VPN Virtual Miniport Adapter for Windows;C:\WINDOWS\system32\DRIVERS\vpnva.sys []

.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-15 23:57:15
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\MySQL5]
"ImagePath"="\"C:\Program Files\MySQL\MySQL Server 5.0\bin\mysqld-nt\" --defaults-file=\"C:\Program Files\MySQL\MySQL Server 5.0\my.ini\" MySQL5"
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\CTSVCCDA.EXE
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\MySQL\MySQL Server 5.0\bin\mysqld-nt.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-06-15 23:59:20 - machine was rebooted [Rolando]
ComboFix-quarantined-files.txt 2008-06-16 03:59:17
ComboFix2.txt 2008-06-16 03:08:30

Pre-Run: 302,748,811,264 bytes free
Post-Run: 302,734,422,016 bytes free

209 --- E O F --- 2008-05-28 10:31:12

Edited by lexicon111, 15 June 2008 - 11:15 PM.
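The "Reg Loading Points" section of the ComboFix log above is where the persistence shows: Run values pointing into a user's Temp folder, a ShellServiceObjectDelayLoad DLL and an IE toolbar DLL sitting directly in C:\WINDOWS rather than system32, entries with an empty "[ ]" where ComboFix would normally record the file's date and size, and user policies that switch off Task Manager and Registry Editor. The following is an added triage script, not part of the thread, of ComboFix, or of OldTimer's instructions; the heuristics are the editor's own assumptions about what makes an autostart worth a closer look, and the sample input is a subset copied from the log above so the script runs offline.

```python
import re

# Regexes for the ComboFix "Reg Loading Points" layout as it appears in the log:
#   [HKEY_...\Run]                      section header
#   "name"="C:\path\file.exe" [date size]   value with file metadata
#   "name"="C:\path\file.exe" [ ]        value whose file had no metadata
#   "name"= 1 (0x1)                      numeric policy value
SECTION = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE = re.compile(r'^"(?P<name>[^"]*)"\s*=\s*(?P<rest>.*)$')
META = re.compile(r"\[(?P<meta>[^\]]*)\]\s*$")
IMAGE = re.compile(r'[A-Za-z]:\\[^"\[\]]*?\.(?:exe|dll)', re.IGNORECASE)

# Heuristics (editor's assumptions, not ComboFix logic).
TEMP_DIR = re.compile(r"\\(?:LOCALS~1|Local Settings)\\Temp\\", re.IGNORECASE)
WINROOT_DLL = re.compile(r"^[A-Za-z]:\\WINDOWS\\[^\\]+\.dll$", re.IGNORECASE)
RESTRICTIONS = {"disabletaskmgr", "disableregistrytools"}

# Constructed sample: lines copied from the ComboFix log in this thread.
SAMPLE = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{82CB8960-D26A-49D2-B4CA-AF01B48C7873}"= "C:\WINDOWS\rtsplgob.dll" [ ]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"jdgf894jrghoiiskd"="C:\DOCUME~1\Rolando\LOCALS~1\Temp\winlogan.exe" [ ]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-12 09:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSDisp32"="C:\WINDOWS\system32\drvsuw.dll" [ ]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-12-05 02:41 8523776]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"= 1 (0x1)
"DisableRegistryTools"= 1 (0x1)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"xkefqtgs"= {F55B281B-0736-41C7-82F3-1785AA4095E0} - C:\WINDOWS\xkefqtgs.dll [2008-06-15 09:01 299008]
"""


def analyze(report):
    """Walk the loading-points text and return one finding per (entry, reason)."""
    findings = []
    key = None
    for raw in report.splitlines():
        line = raw.strip()
        m = SECTION.match(line)
        if m:
            key = m.group("key")
            continue
        m = VALUE.match(line)
        if not m or key is None:
            continue
        name, rest = m.group("name"), m.group("rest")
        reasons = []

        # Policy values that lock the user out of admin tools.
        if ("policies\\system" in key.lower()
                and name.lower() in RESTRICTIONS
                and rest.strip().startswith("1")):
            reasons.append("user policy disables a Windows admin tool")

        img = IMAGE.search(rest)
        path = img.group(0) if img else None
        if path:
            if TEMP_DIR.search(path):
                reasons.append("autostart image lives in a Temp directory")
            if WINROOT_DLL.match(path):
                reasons.append("DLL loaded from the Windows root instead of system32")
            meta = META.search(rest)
            if meta is not None and meta.group("meta").strip() == "":
                reasons.append("no file date/size recorded (file missing or hidden at scan time)")

        for reason in reasons:
            findings.append({"key": key, "name": name, "path": path, "reason": reason})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE):
        print(f"{f['key']}\n    {f['name']} -> {f['path']}\n    {f['reason']}")
```

Run against the sample, the script flags the three Temp/Windows-root images, the two "[ ]" Run entries, the SSODL DLL and both policy values, and stays silent on ctfmon.exe and NvCplDaemon, which carry real file metadata in a normal location. The point is the shape of the check, not the rule list: a log reader that knows which hives are autostart locations can rank entries by where the image sits and whether the file was present when the tool looked, which is exactly the judgement a helper makes by eye before writing a fix script.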


#15 OldTimer (Malware Expert, Members, 11,092 posts, Location: North Carolina)

Posted 15 June 2008 - 11:23 PM

Hi lexicon111. I did not instruct you to run combofix on this machine. Running that on here will do no good and simply trash the machine.

Now let's start all over again:

Before running a new scan let's clean out the temporary folders.
  • Double-click ATF-Cleaner.exe to run the program.
  • Click Select All found at the bottom of the list.
  • Click the Empty Selected button.
If you use Firefox browser, do this also:
  • Click Firefox at the top and choose Select All from the list.
  • Click the Empty Selected button.
  • NOTE : If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser, do this also:
  • Click Opera at the top and choose Select All from the list.
  • NOTE : If you would like to keep your saved passwords, please click No at the prompt.
Close ALL Internet browsers (very important).
Click the Empty Selected button.
Click Exit on the Main menu to close the program.

Note: You must be logged on to the system with an account that has Administrator privileges to run this program.
  • Close ALL OTHER PROGRAMS.
  • Open the OTScanIt folder and double-click on OTScanIt.exe to start the program (if you are running on Vista then right-click the program and choose Run as Administrator).
  • In the Drivers section click on Non-Microsoft.
  • Under Additional Scans click the checkboxes in front of the following items to select them:
    • Reg - BotCheck
    • File - Additional Folder Scans
  • Do not change any other settings.
  • Now click the Run Scan button on the toolbar.
  • Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
  • Save the file to your desktop or other location where you can find it back.
Use the Add Reply button and attach the file in your next post (do not try to copy/paste it into the post).

Cheers.

OT



