
Virtumonde Trojan Removal



#1 Nicenic61

Posted 08 July 2008 - 02:24 PM

Kind folks,

I'm not particularly computer literate, so please take care....

My desktop is infected with Virtumonde, in various shapes and forms. Spybot identifies it and gets rid of it, but it reappears the next time I use the Internet. The Internet becomes very, very slow and there are many pop-ups. Very frustrating, and it makes me sooooo angry that this kind of thing is legal!

On searching the net I came across instructions for using Combofix and Hijackthis, and something about posting the results so one of you kind, knowledgeable folks may help me. Running XP.

This is the Combofix log, (Hijackthis log follows later in this message). Please tell me what to do, in simple terms, the simpler the better!

Thanks....

ComboFix 08-07-07.3 - Byron 2008-07-08 18:52:35.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.136 [GMT 1:00]
Running from: L:\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Anna\Start Menu\Programs\Adzgalore Games Collection
C:\Documents and Settings\Anna\Start Menu\Programs\Internet Speed Monitor
C:\Program Files\VnrPack
C:\Program Files\VnrPack\dicts.gz
C:\Program Files\VnrPack\ilaupd.exe
C:\Program Files\VnrPack\trgts.gz
C:\Program Files\VnrPack\VnrPack15.exe
C:\Program Files\VnrPack\VnrPack16.exe
C:\WINDOWS\BM8fb2215f.txt
C:\WINDOWS\cookies.ini
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\aGMnonnn.ini
C:\WINDOWS\system32\aGMnonnn.ini2
C:\WINDOWS\system32\ayvwjfcp.ini
C:\WINDOWS\system32\bljubqnd.dll
C:\WINDOWS\system32\fxeilopu.ini
C:\WINDOWS\system32\gpeykyec.dll
C:\WINDOWS\system32\gvdbfcvq.dll
C:\WINDOWS\system32\gxoynvea.dll
C:\WINDOWS\system32\hijilnmp.ini
C:\WINDOWS\system32\hijilnmp.ini2
C:\WINDOWS\system32\hjrulyir.dll
C:\WINDOWS\system32\ihdjywfs.dll
C:\WINDOWS\system32\iiqobelh.ini
C:\WINDOWS\system32\iQAcdfii.ini
C:\WINDOWS\system32\iQAcdfii.ini2
C:\WINDOWS\system32\jekggrbm.ini
C:\WINDOWS\system32\khfCtuTl.dll
C:\WINDOWS\system32\ljJCtQGA.dll
C:\WINDOWS\system32\lTutCfhk.ini
C:\WINDOWS\system32\lTutCfhk.ini2
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\mmSuvGgh.ini
C:\WINDOWS\system32\mmSuvGgh.ini2
C:\WINDOWS\system32\msnbyalq.dll
C:\WINDOWS\system32\myndukun.dll
C:\WINDOWS\system32\nfbmcm.dll
C:\WINDOWS\system32\NTCcefii.ini
C:\WINDOWS\system32\NTCcefii.ini2
C:\WINDOWS\system32\oklgbqsr.dll
C:\WINDOWS\system32\pWGikUtv.ini
C:\WINDOWS\system32\pWGikUtv.ini2
C:\WINDOWS\system32\qjfudpnv.ini
C:\WINDOWS\system32\rbtyfwnx.dll
C:\WINDOWS\system32\rwwdijyw.dll
C:\WINDOWS\system32\sckavady.dll
C:\WINDOWS\system32\sthhfewk.ini
C:\WINDOWS\system32\stststwa.ini
C:\WINDOWS\system32\stststwa.ini2
C:\WINDOWS\system32\taekldyq.ini
C:\WINDOWS\system32\tnluen.dll
C:\WINDOWS\system32\udpsplvi.dll
C:\WINDOWS\system32\uEgQYcdd.ini
C:\WINDOWS\system32\uEgQYcdd.ini2
C:\WINDOWS\system32\uojmxuxn.dll
C:\WINDOWS\system32\uprvlhno.ini
C:\WINDOWS\system32\utjgflje.ini
C:\WINDOWS\system32\vtonle.dll
C:\WINDOWS\system32\vvgemwcx.ini
C:\WINDOWS\system32\wdncfnwq.dll
C:\WINDOWS\system32\wvbxkdxy.dll
C:\WINDOWS\system32\wvvacqke.dll
C:\WINDOWS\system32\xFeLoUtv.ini
C:\WINDOWS\system32\xFeLoUtv.ini2
C:\WINDOWS\system32\XHjllnmp.ini
C:\WINDOWS\system32\XHjllnmp.ini2
C:\WINDOWS\system32\xxcubiuo.ini
C:\WINDOWS\winhelp.ini

.
((((((((((((((((((((((((( Files Created from 2008-06-08 to 2008-07-08 )))))))))))))))))))))))))))))))
.

2008-07-08 19:06 . 2008-07-08 19:06 294 ---hs---- C:\WINDOWS\system32\ayvwjfcp.ini
2008-07-08 18:46 . 2008-07-08 18:46 105,296 --a------ C:\WINDOWS\system32\undaet.dll
2008-07-08 18:46 . 2008-07-08 18:46 105,296 --a------ C:\WINDOWS\system32\ajcmfafd.dll
2008-07-08 18:46 . 2008-07-08 18:46 81,104 --a------ C:\WINDOWS\system32\pcfjwvya.dll
2008-07-08 18:40 . 2008-07-08 18:40 90,880 --a------ C:\WINDOWS\system32\rvpycrro.dll
2008-07-08 15:56 . 2008-07-08 18:03 <DIR> d-------- C:\Program Files\SPYWAREfighter
2008-07-08 15:43 . 2008-07-08 18:48 <DIR> d-------- C:\Program Files\Virgin Broadband
2008-07-08 15:19 . 2002-08-14 06:03 262,144 --a------ C:\WINDOWS\_detmp.2
2008-07-08 15:19 . 2007-05-06 20:58 238,087 --a------ C:\WINDOWS\_detmp.1
2008-07-08 14:20 . 2008-07-08 14:20 <DIR> d-------- C:\Program Files\Lavasoft
2008-07-08 13:10 . 2008-07-08 14:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SITEguard
2008-07-08 13:07 . 2008-07-08 13:07 <DIR> d-------- C:\Program Files\Common Files\iS3
2008-07-08 13:07 . 2008-07-08 14:14 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\STOPzilla!
2008-07-08 12:45 . 2008-07-08 12:45 105,296 --a------ C:\WINDOWS\system32\ucrgda.dll
2008-07-08 12:45 . 2008-07-08 12:45 105,296 --a------ C:\WINDOWS\system32\mcaldtpm.dll
2008-07-08 12:27 . 2008-07-08 12:52 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-07-08 11:40 . 2008-07-08 17:48 <DIR> d-------- C:\Program Files\Enigma Software Group
2008-07-08 10:35 . 2008-07-08 10:35 81,104 --a------ C:\WINDOWS\system32\xhvpwdtj.dll
2008-07-08 10:33 . 2008-07-08 10:33 105,296 --a------ C:\WINDOWS\system32\ixsfsg.dll
2008-07-08 10:33 . 2008-07-08 10:33 105,296 --a------ C:\WINDOWS\system32\easdnwsf.dll
2008-07-07 23:50 . 2008-07-07 23:50 81,216 --a------ C:\WINDOWS\system32\mbrggkej.dll
2008-07-07 22:33 . 2008-07-07 22:33 105,280 --a------ C:\WINDOWS\system32\yaafln.dll
2008-07-07 22:33 . 2008-07-07 22:33 105,280 --a------ C:\WINDOWS\system32\mjjgqhmy.dll
2008-07-07 20:27 . 2008-07-07 20:27 105,280 --a------ C:\WINDOWS\system32\dtqtudtm.dll
2008-07-07 20:24 . 2008-07-07 20:24 90,912 --a------ C:\WINDOWS\system32\wdgdligq.dll
2008-07-07 20:10 . 2008-07-07 20:10 <DIR> d-------- C:\Documents and Settings\Julie\Application Data\InstallShield
2008-07-07 19:27 . 2008-07-07 19:27 105,280 --a------ C:\WINDOWS\system32\sucela.dll
2008-07-07 19:27 . 2008-07-07 19:27 105,280 --a------ C:\WINDOWS\system32\hrudbxsi.dll
2008-07-07 19:21 . 2008-07-07 19:21 90,912 --a------ C:\WINDOWS\system32\evdonlyd.dll
2008-07-07 19:05 . 2008-07-08 18:36 962 --a------ C:\WINDOWS\wininit.ini
2008-07-07 18:15 . 2008-07-07 18:15 <DIR> d-------- C:\Documents and Settings\Byron\Application Data\Freedom
2008-07-07 18:15 . 2008-07-07 18:16 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Freedom
2008-07-07 17:30 . 2008-07-07 17:30 105,280 --a------ C:\WINDOWS\system32\vyicvdca.dll
2008-07-07 17:30 . 2008-07-07 17:30 105,280 --a------ C:\WINDOWS\system32\gwdppy.dll
2008-07-07 17:27 . 2008-07-07 17:27 81,216 --a------ C:\WINDOWS\system32\xcwmegvv.dll
2008-07-07 16:40 . 2008-07-07 16:40 105,280 --a------ C:\WINDOWS\system32\gductwdl.dll
2008-07-07 16:40 . 2008-07-07 16:40 105,280 --a------ C:\WINDOWS\system32\afjhtx.dll
2008-07-07 16:34 . 2008-07-08 19:05 110,415 --a------ C:\WINDOWS\BM8fb2215f.xml
2008-07-07 16:34 . 2008-07-07 16:34 90,912 --a------ C:\WINDOWS\system32\dvmctfxm.dll
2008-06-11 16:24 . 2008-05-08 15:02 203,136 --a--c--- C:\WINDOWS\system32\dllcache\rmcast.sys
2008-06-11 16:23 . 2008-06-13 12:05 272,128 --a--c--- C:\WINDOWS\system32\dllcache\bthport.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-08 16:48 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-07-08 16:25 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-07-08 14:38 --------- d-----w C:\Program Files\Broadband rubbish
2008-07-08 14:32 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-07-08 14:21 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-06-13 11:05 272,128 ----a-w C:\WINDOWS\system32\drivers\bthport.sys
2008-06-05 21:49 --------- d-----w C:\Program Files\Microsoft ActiveSync
2008-06-05 21:41 --------- d-----w C:\Documents and Settings\All Users\Application Data\SecTaskMan
2008-06-05 21:33 --------- d-----w C:\Documents and Settings\Julie\Application Data\Uniblue
2008-06-03 11:23 --------- d-----w C:\Program Files\Apple Software Update
2008-06-01 18:13 --------- d-----w C:\Program Files\Windows Mobile Resources
2008-06-01 18:12 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-06-01 09:46 --------- d-----w C:\Program Files\Coochy coo
2008-05-31 10:00 --------- d-----w C:\Program Files\Common Files\Authentium
2008-05-31 09:59 --------- d-----w C:\Program Files\Raxco
2008-05-31 09:59 --------- d-----w C:\Program Files\Common Files\Scanner
2008-05-31 09:59 --------- d-----w C:\Program Files\CA
2008-05-31 09:59 --------- d-----w C:\Documents and Settings\All Users\Application Data\Virgin Broadband
2008-05-31 09:59 --------- d-----w C:\Documents and Settings\All Users\Application Data\Raxco
2008-05-31 09:57 --------- d-----w C:\Documents and Settings\Byron\Application Data\InstallShield
2008-05-27 21:42 --------- d-----w C:\Documents and Settings\Julie\Application Data\Virgin Broadband
2008-05-27 21:42 --------- d-----w C:\Documents and Settings\Byron\Application Data\Virgin Broadband
2008-05-27 21:42 --------- d-----w C:\Documents and Settings\Anna\Application Data\Virgin Broadband
2008-05-10 23:00 --------- d-----w C:\Documents and Settings\Anna\Application Data\Spyware Terminator
2008-05-10 20:50 --------- d-----w C:\Documents and Settings\Thomas\Application Data\Virgin Broadband
2008-05-10 20:50 --------- d-----w C:\Documents and Settings\Nicholas\Application Data\Virgin Broadband
2008-05-10 09:46 49,152 ----a-w C:\WINDOWS\one11111.exe
2008-05-10 09:46 399,943 ----a-w C:\WINDOWS\four444444.exe
2008-05-10 09:46 266,607 ----a-w C:\WINDOWS\two222222.exe
2008-05-10 09:46 136,627 ----a-w C:\WINDOWS\LOT66225.exe
2008-05-10 09:42 --------- d-----w C:\Documents and Settings\Anna\Application Data\LimeWire
2008-05-09 15:00 --------- d-----w C:\Program Files\Garmin
2008-05-08 14:02 203,136 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-05-08 08:03 --------- d-----w C:\Program Files\Java
2008-05-08 08:02 --------- d-----w C:\Program Files\Common Files\Java
2008-04-14 00:12 69,120 ----a-w C:\WINDOWS\notepad.exe
2008-04-14 00:12 50,688 ----a-w C:\WINDOWS\twain_32.dll
2008-04-14 00:12 34,816 ----a-w C:\WINDOWS\Help\sniffpol.dll
2008-04-14 00:12 33,280 ----a-w C:\WINDOWS\Help\sstub.dll
2008-04-14 00:12 283,648 ----a-w C:\WINDOWS\winhlp32.exe
2008-04-14 00:12 279,040 ----a-w C:\WINDOWS\Help\tshoot.dll
2008-04-14 00:12 146,432 ----a-w C:\WINDOWS\regedit.exe
2008-04-14 00:12 10,752 ----a-w C:\WINDOWS\hh.exe
2008-04-14 00:12 1,033,728 ----a-w C:\WINDOWS\explorer.exe
2008-04-14 00:11 451,072 ----a-w C:\WINDOWS\AppPatch\aclayers.dll
2008-04-14 00:11 39,424 ----a-w C:\WINDOWS\AppPatch\acadproc.dll
2008-04-14 00:11 245,248 ----a-w C:\WINDOWS\AppPatch\acspecfc.dll
2008-04-14 00:11 141,312 ----a-w C:\WINDOWS\AppPatch\aclua.dll
2008-04-14 00:11 116,224 ----a-w C:\WINDOWS\AppPatch\acxtrnal.dll
2008-04-14 00:11 1,852,928 ----a-w C:\WINDOWS\AppPatch\acgenral.dll
.

------- Sigcheck -------

2008-04-14 01:12 1033728 e8bc74c3b83b2b159f10a9106229439e C:\WINDOWS\explorer.exe
2007-06-13 12:26 1033216 7712df0cdde3a5ac89843e61cd5b3658 C:\WINDOWS\$hf_mig$\KB938828\SP2QFE\explorer.exe
2007-06-13 11:23 1033216 97bd6515465659ff8f3b7be375b2ea87 C:\WINDOWS\$NtServicePackUninstall$\explorer.exe
2004-08-04 05:00 1032192 a0732187050030ae399b241436565e64 C:\WINDOWS\$NtUninstallKB938828$\explorer.exe
2008-04-14 01:12 1033728 e8bc74c3b83b2b159f10a9106229439e C:\WINDOWS\ServicePackFiles\i386\explorer.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{55a373a4-3df4-46b3-aa18-29e5b5b9f7dd}]
2008-07-08 18:46 105296 --a------ C:\WINDOWS\system32\undaet.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-14 01:12 15360]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 13:39 1289000]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2002-09-14 05:42 212992]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-02-23 04:05 339968]
"PCMService"="C:\Program Files\CyberLink\PowerCinema\PCMService.exe" [2004-10-05 23:39 81920]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb11.exe" [2004-04-06 11:28 172032]
"HPHUPD06"="C:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe" [2004-06-07 05:53 49152]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2004-02-12 13:38 49152]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2004-05-12 15:18 241664]
"HPHmon06"="C:\WINDOWS\system32\hphmon06.exe" [2004-06-07 05:42 659456]
"Samsung LBP SM"="C:\WINDOWS\Samsung\LaserSMMgr\ssmmgr.exe" [2003-04-04 09:40 266240]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 06:24 286720]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-07-31 18:44 271672]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"8c8112c3"="C:\WINDOWS\system32\pcfjwvya.dll" [2008-07-08 18:46 81104]
"Broadbandadvisor.exe"="C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe" [2007-08-07 18:49 2061552]
"BM8fb2215f"="C:\WINDOWS\system32\rvpycrro.dll" [2008-07-08 18:40 90880]
"High Definition Audio Property Page Shortcut"="HDAudPropShortcut.exe" [2004-03-17 23:10 61952 C:\WINDOWS\system32\Hdaudpropshortcut.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2008-04-14 01:12 15360]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [4/7/2003 1:42:52 AM 217190]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\digital imaging\bin\hpqtra08.exe [5/28/2004 10:31:38 PM 241664]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.clmp3enc"= C:\PROGRA~1\CYBERL~1\Power2Go\CLMP3Enc.ACM

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^STA-AP.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\STA-AP.lnk
backup=C:\WINDOWS\pss\STA-AP.lnkCommon Startup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\Program Files\Microsoft ActiveSync\rapimgr.exe"= C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"C:\Program Files\Microsoft ActiveSync\wcescomm.exe"= C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"C:\Program Files\Microsoft ActiveSync\WCESMgr.exe"= C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1254:UDP"= 1254:UDP:Windows Media Format SDK (iexplore.exe)
"1255:UDP"= 1255:UDP:Windows Media Format SDK (iexplore.exe)
"86:TCP"= 86:TCP:BroadCam Web Server
"2142:UDP"= 2142:UDP:Windows Media Format SDK (iexplore.exe)
"2143:UDP"= 2143:UDP:Windows Media Format SDK (iexplore.exe)
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R0 rseb;rseb;C:\WINDOWS\system32\drivers\rseb.sys [2004-06-02 02:44]
S3 Cap7134;LifeView WDM Video Capture;C:\WINDOWS\system32\DRIVERS\lvcap214.sys [2003-12-09 13:27]
S3 cmudax;C-Media High Definition Audio Interface;C:\WINDOWS\system32\drivers\cmudax.sys [2004-10-01 08:55]
S3 PhTVTune;Philips WDM TVTuner;C:\WINDOWS\system32\DRIVERS\Silicon.sys [2003-12-09 13:28]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\Z]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480

.
Contents of the 'Scheduled Tasks' folder
"2008-06-25 16:20:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-07-08 17:41:00 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
"2008-07-08 16:25:02 C:\WINDOWS\Tasks\HP Usg Daily.job"
- C:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\pexpress\hphped05.exe
"2008-07-08 17:40:43 C:\WINDOWS\Tasks\Spybot - Search & Destroy - Scheduled Task.job"
- C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
.
- - - - ORPHANS REMOVED - - - -

BHO-{8D25DF32-71E9-46FF-8EB0-537E05063A0B} - C:\WINDOWS\system32\pmnlljHX.dll
Toolbar-SITEguard - (no file)
HKLM-Run-Cmaudio - cmicnfg.cpl


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-08 19:05:56
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\explorer.exe
-> C:\WINDOWS\system32\pcfjwvya.dll
-> C:\WINDOWS\system32\rvpycrro.dll
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\MICROS~4\rapimgr.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2008-07-08 19:08:51 - machine was rebooted
ComboFix-quarantined-files.txt 2008-07-08 18:08:45

Pre-Run: 129,337,061,376 bytes free
Post-Run: 129,881,473,024 bytes free

292 --- E O F --- 2008-06-20 11:31:42

Hijackthis log follows:

Logfile of HijackThis v1.99.1
Scan saved at 19:33:12, on 08/07/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\CyberLink\PowerCinema\PCMService.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb11.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\Samsung\LaserSMMgr\ssmmgr.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\PROGRA~1\MICROS~4\rapimgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = uk.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.co.uk/0SEENGB/SAOS01?FORM=TOOLBR
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: {dd7f9b5b-5e92-81aa-3b64-4fd34a373a55} - {55a373a4-3df4-46b3-aa18-29e5b5b9f7dd} - C:\WINDOWS\system32\undaet.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\CyberLink\PowerCinema\PCMService.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb11.exe
O4 - HKLM\..\Run: [HPHUPD06] C:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPHmon06] C:\WINDOWS\system32\hphmon06.exe
O4 - HKLM\..\Run: [Samsung LBP SM] "C:\WINDOWS\Samsung\LaserSMMgr\ssmmgr.exe" /autorun
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [8c8112c3] rundll32.exe "C:\WINDOWS\system32\pcfjwvya.dll",b
O4 - HKLM\..\Run: [BM8fb2215f] Rundll32.exe "C:\WINDOWS\system32\rvpycrro.dll",s
O4 - HKLM\..\Run: [Broadbandadvisor.exe] "C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe" /AUTORUN
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\digital imaging\bin\hpqtra08.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - (no file)
O20 - Winlogon Notify: dimsntfy - %SystemRoot%\System32\dimsntfy.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: UStorage Server Service - Unknown owner - C:\WINDOWS\system32\UStorSrv.exe (file missing)

#2 TMacK

Posted 08 July 2008 - 02:45 PM

Hello Nicenic61,

ComboFix logs should not be posted outside the HijackThis forums. It is an extremely powerful tool which should only be used when instructed to do so by someone who has been properly trained. ComboFix is intended by its creator to be "used under the guidance and supervision of an expert", NOT for private use. Please read ComboFix's Disclaimer. Using this tool incorrectly could lead to disastrous problems with your operating system, such as preventing it from ever starting again.

Please create a new topic in the Am I infected? What do I do? forum, explaining the nature of your problem. Describe pop-ups and system tray or desktop icons that have appeared. Explain what is "going wrong" with your computer. Note any tools you have used and their respective results.

If needed, we will direct you to our HJT Preparation Guide.

Thank you for using BleepingComputer as your malware removal source.

This topic is now closed.
The BC Staff/TMacK

Chaos reigns within.
Reflect, repent, and reboot.
Order shall return.

~Suzie Wagner



