
Virtumonde/vundo Infection


This topic is locked
2 replies to this topic

#1 Edwierdo


Posted 06 July 2008 - 05:00 PM

Hello to the wonderful team at Bleeping Computer. I've gone through some of the motions in removing what seems to be a Virtumonde and/or Vundo infection. I've run Malwarebytes and Ad-Aware, which removed most of the files and restored functionality to my system and the AutoUpdate (which was originally disabled with the infection). I kept getting a hit for MS Juan "Malware.Trace" but that seems to be taken care of as well.
I guess this is hopefully the last post I would need on the subject. I'm concerned there may be some more remnants lying around. I would greatly appreciate any help.
Here's the log from DSS:

Deckard's System Scanner v20071014.68
Run by ed on 2008-07-06 17:42:15
Computer is in Normal Mode.
--------------------------------------------------------------------------------

System Drive C: has 9.54 GiB (less than 15%) free.


-- HijackThis (run as ed.exe) --------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:42:24 PM, on 7/6/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\iolo\common\lib\ioloServiceManager.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\iolo\System Mechanic Professional 7\SMSystemAnalyzer.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\I8kfanGUI\I8kfanGUI.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\ed\Local Settings\Temp\jkos-ed\binaries\ScanningProcess.exe
C:\Documents and Settings\ed\Local Settings\Temp\jkos-ed\binaries\ScanningProcess.exe
C:\Documents and Settings\ed\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\ed.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.6\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [NVHotkey] rundll32.exe nvHotkey.dll,Start
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [SMSystemAnalyzer] "C:\Program Files\iolo\System Mechanic Professional 7\SMSystemAnalyzer.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton 360\osCheck.exe"
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [i8kfangui] C:\Program Files\I8kfanGUI\I8kfanGUI.exe /startup
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1213375680553
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1213380396265
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: iolo FileInfoList Service (ioloFileInfoList) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe
O23 - Service: iolo System Service (ioloSystemService) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
O23 - Service: Intel® PROSet/Wireless SSO Service (WLANKEEPER) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 10226 bytes

-- Files created between 2008-06-06 and 2008-07-06 -----------------------------

2008-07-05 23:14:53 0 d-------- C:\Program Files\Common Files\Java
2008-07-05 22:39:57 0 d-------- C:\Program Files\SpywareGuard
2008-07-05 22:30:29 0 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-07-05 22:30:21 0 d-------- C:\Program Files\SpywareBlaster
2008-07-05 22:27:54 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-07-05 17:05:38 0 d-------- C:\Documents and Settings\ed\Application Data\Malwarebytes
2008-07-05 17:05:18 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-05 17:05:14 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-07-05 15:05:33 0 d-------- C:\VundoFix Backups
2008-07-05 13:46:25 0 d-------- C:\Program Files\Panda Security
2008-07-05 10:59:47 0 d-------- C:\HJT
2008-07-05 10:35:55 0 d-------- C:\Documents and Settings\ed\.housecall6.6
2008-07-05 10:20:24 0 d-------- C:\Program Files\Trend Micro
2008-07-05 08:42:28 78336 -----n--- C:\WINDOWS\system32\mmckgtef.dll
2008-07-05 00:25:49 0 d-------- C:\WINDOWS\Sun
2008-07-04 20:39:16 0 d-------- C:\Program Files\Lavasoft
2008-07-04 20:39:16 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-07-04 20:38:53 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-07-04 20:26:16 0 d-------- C:\Documents and Settings\All Users\Application Data\FLEXnet
2008-07-04 20:12:21 0 d-------- C:\Program Files\Common Files\Macrovision Shared
2008-07-04 20:07:14 0 d-------- C:\Program Files\Common Files\Adobe
2008-07-04 11:28:26 0 d-------- C:\Program Files\Canon
2008-07-04 11:27:34 0 d--h----- C:\Documents and Settings\All Users\Application Data\CanonBJ
2008-07-04 11:27:30 0 d--h----- C:\WINDOWS\system32\CanonIJ Uninstaller Information
2008-07-04 11:27:23 0 d--h----- C:\Program Files\CanonBJ
2008-07-01 22:27:54 0 d-------- C:\Documents and Settings\ed\Application Data\vlc
2008-07-01 22:26:50 0 d-------- C:\Program Files\VideoLAN
2008-07-01 22:25:14 0 d-------- C:\Documents and Settings\ed\Application Data\CoreCodec
2008-07-01 22:24:43 0 d-------- C:\Program Files\Haali
2008-07-01 22:24:36 0 d-------- C:\Program Files\CoreCodec
2008-06-29 20:29:28 0 d-------- C:\Documents and Settings\All Users\Application Data\Azureus
2008-06-29 20:29:26 0 d-------- C:\Documents and Settings\ed\Application Data\Azureus
2008-06-29 20:28:33 0 d-------- C:\Program Files\Vuze
2008-06-29 11:36:20 0 d-------- C:\Program Files\Safari
2008-06-29 11:36:10 0 d-------- C:\Program Files\Apple Software Update
2008-06-22 19:27:36 0 d-------- C:\Program Files\Curse
2008-06-22 14:47:19 0 d-------- C:\Logs
2008-06-22 12:42:05 0 d-------- C:\Program Files\Common Files\Blizzard Entertainment
2008-06-22 12:35:20 0 d-------- C:\Program Files\World of Warcraft
2008-06-17 18:17:46 60772 --ah----- C:\WINDOWS\system32\mlfcache.dat
2008-06-16 16:39:01 0 d-------- C:\WINDOWS\Prefetch
2008-06-16 16:26:53 0 d-------- C:\WINDOWS\ServicePackFiles
2008-06-16 14:21:12 56 --ah----- C:\WINDOWS\system32\ezsidmv.dat
2008-06-16 14:21:11 0 d-------- C:\Documents and Settings\ed\Application Data\skypePM
2008-06-16 14:20:15 0 d-------- C:\Documents and Settings\ed\Application Data\Skype
2008-06-16 14:20:04 0 d-------- C:\Program Files\Skype
2008-06-16 14:20:04 0 d-------- C:\Program Files\Common Files\Skype
2008-06-16 14:19:57 0 d-------- C:\Documents and Settings\All Users\Application Data\Skype
2008-06-16 13:02:14 0 d-------- C:\Documents and Settings\ed\Application Data\Google
2008-06-16 12:57:41 0 d-------- C:\Documents and Settings\All Users\Application Data\Google Updater
2008-06-16 12:46:01 14464 --a------ C:\WINDOWS\system32\drivers\fanio.sys <Not Verified; Christian Diefer; fanio.sys>
2008-06-16 12:45:59 0 d-------- C:\Program Files\I8kfanGUI
2008-06-16 12:09:23 0 d-------- C:\Program Files\SpeedFan
2008-06-16 09:23:05 0 d-------- C:\Documents and Settings\Default User\Application Data\Apple Computer
2008-06-15 23:59:04 0 d-------- C:\Program Files\Steam
2008-06-15 21:31:09 0 d-------- C:\Program Files\Windows Media Connect 2
2008-06-15 21:29:18 0 d-------- C:\WINDOWS\system32\LogFiles
2008-06-15 21:29:18 0 d-------- C:\WINDOWS\system32\drivers\UMDF
2008-06-14 16:06:08 0 d-------- C:\Documents and Settings\LocalService\Application Data\Intel
2008-06-14 16:04:07 0 d-------- C:\Program Files\MSXML 6.0
2008-06-14 15:50:41 376832 --a------ C:\WINDOWS\system32\AegisI5Installer.exe <Not Verified; ; AegisInstall Application>
2008-06-14 15:49:13 0 d-------- C:\Documents and Settings\NetworkService\Application Data\Intel
2008-06-14 15:49:13 0 d-------- C:\Documents and Settings\Default User\Application Data\Intel
2008-06-14 15:49:13 0 d-------- C:\Documents and Settings\All Users\Application Data\Intel
2008-06-14 15:49:13 0 d-------- C:\Documents and Settings\Administrator\Application Data\Intel
2008-06-14 15:48:24 0 d-------- C:\Documents and Settings\ed\Application Data\Intel
2008-06-14 11:17:31 0 d-------- C:\Program Files\MSXML 4.0
2008-06-14 10:08:12 0 d--h----- C:\WINDOWS\msdownld.tmp
2008-06-14 10:07:48 0 d-------- C:\WINDOWS\Logs
2008-06-14 09:44:38 0 d-------- C:\WINDOWS\system32\N360_BACKUP
2008-06-14 09:34:22 0 d-------- C:\b01ec5d7bfa05311bf
2008-06-13 16:30:33 0 d-------- C:\Documents and Settings\ed\Application Data\Macromedia
2008-06-13 16:30:33 0 d-------- C:\Documents and Settings\ed\Application Data\Adobe
2008-06-13 16:08:54 0 d-------- C:\Program Files\Windows Sidebar
2008-06-13 16:08:42 0 d-------- C:\Program Files\Norton 360
2008-06-13 16:07:08 0 d-------- C:\Program Files\Symantec
2008-06-13 16:07:08 0 d-------- C:\Documents and Settings\All Users\Application Data\Symantec
2008-06-13 15:57:28 0 d-------- C:\Documents and Settings\ed\Application Data\Symantec
2008-06-13 15:51:56 0 d-------- C:\Program Files\Microsoft Works
2008-06-13 15:50:46 0 d-------- C:\Program Files\Microsoft.NET
2008-06-13 15:47:59 0 d-------- C:\WINDOWS\SHELLNEW
2008-06-13 15:47:22 0 d-------- C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-06-13 15:46:51 0 dr-h----- C:\MSOCache
2008-06-13 15:12:42 0 d-------- C:\Program Files\PowerISO
2008-06-13 15:11:00 0 d-------- C:\Documents and Settings\ed\Application Data\DivX
2008-06-13 15:05:38 0 d-------- C:\Documents and Settings\All Users\Symantec Temporary Files
2008-06-13 14:56:43 0 d-------- C:\Documents and Settings\ed\Application Data\WinRAR
2008-06-13 14:18:46 0 d-------- C:\Documents and Settings\ed\Contacts
2008-06-13 14:18:30 0 d-------- C:\Documents and Settings\All Users\Application Data\Messenger Plus!
2008-06-13 14:16:59 0 d-------- C:\Program Files\Messenger Plus! Live
2008-06-13 14:01:50 0 d--hs--c- C:\Program Files\Common Files\WindowsLiveInstaller
2008-06-13 14:01:43 0 d-------- C:\Program Files\Windows Live
2008-06-13 14:01:35 0 d-------- C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-06-13 13:32:32 0 d-------- C:\WINDOWS\system32\scripting
2008-06-13 13:32:32 0 d-------- C:\WINDOWS\l2schemas
2008-06-13 13:32:31 0 d-------- C:\WINDOWS\system32\en
2008-06-13 13:32:31 0 d-------- C:\WINDOWS\system32\bits
2008-06-13 13:31:45 0 d-------- C:\Program Files\Audible
2008-06-13 13:31:15 0 d-------- C:\Documents and Settings\ed\Application Data\Mozilla
2008-06-13 13:31:03 0 d-------- C:\Program Files\DivX
2008-06-13 13:30:32 155648 --a------ C:\WINDOWS\system32\ssleay32.dll
2008-06-13 13:30:31 696320 --a------ C:\WINDOWS\system32\libeay32.dll
2008-06-13 13:30:31 0 d-------- C:\Documents and Settings\LocalService\Application Data\iolo
2008-06-13 13:30:30 9341 --a------ C:\WINDOWS\system32\drivers\filedisk.sys <Not Verified; iolo technologies, LLC (based on original work by Bo Brantén); filedisk (based on original work by Bo Brantén)>
2008-06-13 13:30:28 22528 --a------ C:\WINDOWS\system32\smrgdf.exe
2008-06-13 13:30:27 34304 --a------ C:\WINDOWS\system32\iolobtdfg.exe
2008-06-13 13:30:26 0 d-------- C:\Program Files\iolo
2008-06-13 13:29:41 0 d-------- C:\Documents and Settings\ed\Application Data\iolo
2008-06-13 13:29:41 0 d-------- C:\Documents and Settings\All Users\Application Data\iolo
2008-06-13 13:29:36 0 d-------- C:\Program Files\Mozilla Thunderbird
2008-06-13 13:29:02 0 d-------- C:\Program Files\Picasa2
2008-06-13 13:28:50 0 d-------- C:\Documents and Settings\ed\Application Data\Apple Computer
2008-06-13 13:28:37 0 d-------- C:\Program Files\iPod
2008-06-13 13:28:32 0 d-------- C:\Program Files\iTunes
2008-06-13 13:28:24 0 d-------- C:\Program Files\Bonjour
2008-06-13 13:28:01 0 d-------- C:\Program Files\QuickTime
2008-06-13 13:27:59 0 d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-06-13 13:27:45 0 d------c- C:\WINDOWS\system32\DRVSTORE
2008-06-13 13:27:37 0 d-------- C:\Program Files\Common Files\Apple
2008-06-13 13:27:36 0 d-------- C:\Documents and Settings\All Users\Application Data\Apple
2008-06-13 13:26:31 0 d-------- C:\WINDOWS\network diagnostic
2008-06-13 13:18:39 0 d--hs---- C:\WINDOWS\CSC
2008-06-13 13:09:02 0 d-------- C:\WINDOWS\system32\appmgmt
2008-06-13 13:04:28 0 d-------- C:\Documents and Settings\LocalService\Application Data\McAfee.com Personal Firewall
2008-06-13 13:04:18 0 d-------- C:\Documents and Settings\ed\Application Data\McAfee.com Personal Firewall
2008-06-13 13:03:18 0 d-------- C:\Documents and Settings\ed\Application Data\Identities
2008-06-13 13:03:18 0 d--h----- C:\Documents and Settings\ed\Application Data\Gtek
2008-06-13 13:03:16 0 dr------- C:\Documents and Settings\ed\Favorites
2008-06-13 13:03:16 0 d-------- C:\Documents and Settings\ed\Desktop
2008-06-13 13:03:16 0 d--hs---- C:\Documents and Settings\ed\Cookies
2008-06-13 13:03:16 0 d-------- C:\Documents and Settings\ed\Bluetooth Software
2008-06-13 13:03:16 0 dr-h----- C:\Documents and Settings\ed\Application Data
2008-06-13 13:03:16 0 d-------- C:\Documents and Settings\ed\Application Data\Sun
2008-06-13 13:03:14 0 d--h----- C:\Documents and Settings\ed\Templates
2008-06-13 13:03:14 0 dr------- C:\Documents and Settings\ed\Start Menu
2008-06-13 13:03:14 0 dr-h----- C:\Documents and Settings\ed\SendTo
2008-06-13 13:03:14 0 dr-h----- C:\Documents and Settings\ed\Recent
2008-06-13 13:03:14 0 d--h----- C:\Documents and Settings\ed\PrintHood
2008-06-13 13:03:14 0 d--h----- C:\Documents and Settings\ed\NetHood
2008-06-13 13:03:14 0 dr------- C:\Documents and Settings\ed\My Documents
2008-06-13 13:03:14 0 d--h----- C:\Documents and Settings\ed\Local Settings
2008-06-13 13:03:13 4718592 --ah----- C:\Documents and Settings\ed\NTUSER.DAT
2008-06-13 13:02:24 262144 --a------ C:\Documents and Settings\All Users\NTUSER.DAT
2008-06-13 13:02:17 0 d-------- C:\Documents and Settings\Default User\Bluetooth Software
2008-06-13 13:02:17 0 d-------- C:\Documents and Settings\Default User\Application Data\Sun
2008-06-13 13:02:17 0 d-------- C:\Documents and Settings\Default User\Application Data\Identities
2008-06-13 12:53:22 0 d-------- C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
2008-06-13 12:53:06 0 d-------- C:\WINDOWS\system32\PreInstall
2008-06-13 12:50:50 0 d-------- C:\Program Files\Nvidia Omega Drivers
2008-06-13 12:49:06 0 d-------- C:\WINDOWS\system32\SoftwareDistribution
2008-06-13 12:47:12 0 d--hs---- C:\Documents and Settings\ed\UserData
2008-06-13 12:45:02 0 d-------- C:\Documents and Settings\ed\Application Data\Thunderbird
2008-06-13 12:34:36 0 d-------- C:\Program Files\Common Files\Symantec Shared


-- Find3M Report ---------------------------------------------------------------

2008-07-06 12:50:01 74053 --a------ C:\WINDOWS\system32\nvModes.dat
2008-07-05 23:17:32 0 d-------- C:\Program Files\Java
2008-07-05 23:14:53 0 d-------- C:\Program Files\Common Files
2008-06-16 16:29:00 0 d-------- C:\Program Files\Messenger
2008-06-16 16:28:47 0 d-------- C:\Program Files\Movie Maker
2008-06-16 16:26:41 0 d-------- C:\Program Files\Windows NT
2008-06-16 13:01:18 0 d-------- C:\Program Files\Google
2008-06-14 08:51:30 0 d-------- C:\Program Files\Sonic
2008-06-13 13:23:04 0 d-------- C:\Program Files\Common Files\Sonic Shared
2008-06-13 13:22:32 0 d-------- C:\Program Files\Dell
2008-06-13 13:22:25 0 d-------- C:\Program Files\Common Files\Real
2008-06-13 13:21:55 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-06-13 13:21:55 0 d-------- C:\Program Files\CyberLink
2008-06-13 13:20:53 0 d-------- C:\Program Files\MUSICMATCH
2008-06-13 13:10:48 0 d-------- C:\Program Files\GemMaster
2008-06-13 13:07:57 0 d-------- C:\Program Files\Common Files\AOL
2008-05-30 13:22:22 3596288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2008-05-30 13:18:56 196608 --a------ C:\WINDOWS\system32\dtu100.dll <Not Verified; DivX, Inc.; DivX, Inc. dtu100>
2008-05-30 13:18:56 81920 --a------ C:\WINDOWS\system32\dpl100.dll <Not Verified; DivX, Inc.; DivX, Inc. dpl100>
2008-05-30 13:18:50 823296 --a------ C:\WINDOWS\system32\divx_xx07.dll <Not Verified; DivX, Inc.; DivX®>
2008-05-30 13:18:48 802816 --a------ C:\WINDOWS\system32\divx_xx11.dll <Not Verified; DivX, Inc.; DivX®>
2008-05-30 13:18:48 823296 --a------ C:\WINDOWS\system32\divx_xx0c.dll <Not Verified; DivX, Inc.; DivX®>
2008-05-30 13:18:48 815104 --a------ C:\WINDOWS\system32\divx_xx0a.dll <Not Verified; DivX, Inc.; DivX®>
2008-05-30 13:18:48 683520 --a------ C:\WINDOWS\system32\DivX.dll <Not Verified; DivX, Inc.; DivX®>
2008-05-30 13:18:00 12288 --a------ C:\WINDOWS\system32\DivXWMPExtType.dll


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{602ADB0E-4AFF-4217-8AA1-95DAC4DFA408}]
06/30/2008 01:44 PM 349552 --a------ C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.6\coIEPlg.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6D53EC84-6AAE-4787-AEEE-F4628F01010C}]
06/13/2008 04:09 PM 116088 --a------ C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}"= C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.6\CoIEPlg.dll [06/30/2008 01:44 PM 349552]

[-HKEY_CLASSES_ROOT\CLSID\{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}]
[HKEY_CLASSES_ROOT\CoIEPlg.CoToolbar.1]
[HKEY_CLASSES_ROOT\CoIEPlg.CoToolbar]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [09/29/2005 03:01 PM]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [03/21/2006 06:03 AM]
"nwiz"="nwiz.exe" [03/21/2006 06:03 AM C:\WINDOWS\system32\nwiz.exe]
"NVHotkey"="nvHotkey.dll" [03/21/2006 06:03 AM C:\WINDOWS\system32\nvhotkey.dll]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [03/08/2006 12:48 PM]
"SigmatelSysTrayApp"="stsystra.exe" [03/24/2006 05:30 PM C:\WINDOWS\stsystra.exe]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [06/10/2005 11:44 AM]
"SMSystemAnalyzer"="C:\Program Files\iolo\System Mechanic Professional 7\SMSystemAnalyzer.exe" [05/06/2008 04:48 PM]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [02/18/2008 03:37 PM]
"osCheck"="C:\Program Files\Norton 360\osCheck.exe" [02/26/2008 10:50 AM]
"IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [03/04/2008 02:46 PM]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [03/04/2008 02:41 PM]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [06/10/2005 11:44 AM]
"CanonMyPrinter"="C:\Program Files\Canon\MyPrinter\BJMyPrt.exe" [09/14/2007 10:50 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [06/13/2008 02:15 PM]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [04/13/2008 08:12 PM]
"i8kfangui"="C:\Program Files\I8kfanGUI\I8kfanGUI.exe" [02/16/2007 12:58 PM]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [01/28/2008 11:43 AM]

C:\Documents and Settings\ed\Start Menu\Programs\Startup\
SpywareGuard.lnk - C:\Program Files\SpywareGuard\sgmain.exe [8/29/2003 7:05:35 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\dimsntfy]
C:\WINDOWS\System32\dimsntfy.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
eapsvcs eaphost
dot3svc dot3svc

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
napagent
hkmsvc


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
AutoRun\command- E:\setup.exe

*Newly Created Service* - COMHOST



-- End of Deckard's System Scanner: finished at 2008-07-06 17:45:22 ------------


#2 suebaby41 (Malware Response Team)

Posted 28 July 2008 - 08:33 PM

Welcome to the BleepingComputer Forums. Since it has been a few days, please post a new Deckard's System Scanner which includes the HijackThis log. Please see Preparation Guide for use before posting about your potential Malware problem. Thank you for your patience.

If you have already posted this log at another forum or if you decide to seek help at another forum, please let us know. There is a shortage of helpers and taking the time of two volunteer helpers means that someone else may not be helped.
You don't stop laughing when you get old; you get old when you stop laughing.
A Member of U-N-I-T-E (Unified Network of Instructors and Trained Eliminators)
Malware Removal University Masters Graduate

No reply within 5 days will result in your topic being closed. If you need more time, please let me know by posting in this topic so that your topic will not be closed.

#3 suebaby41 (Malware Response Team)

Posted 05 August 2008 - 05:59 AM

This subject is now closed. If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you. Include the address of this thread in your request. If you should have a new issue, please start a new topic. This applies only to the original topic starter. Everyone else please begin a New Topic.
