Infected With Virtumonde And Vundofix Is Not Removing Everything


  • This topic is locked
12 replies to this topic

#1 Lemming64

  • Members
  • 6 posts

Posted 10 July 2008 - 05:47 PM

I have also tried Spybot and Ad-Aware with no success. Spybot seems to be able to remove it temporarily, but it always returns after a reboot. It is still interfering with internet browsing and system performance. Thanks for any help, here is my log:

Deckard's System Scanner v20071014.68
Run by Jon on 2008-07-10 23:34:23
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
84: 2008-07-10 22:34:39 UTC - RP421 - Deckard's System Scanner Restore Point
83: 2008-07-10 20:46:20 UTC - RP420 - Made by Registry Mechanic
82: 2008-07-10 19:33:08 UTC - RP419 - Installed Ad-Aware
81: 2008-07-10 16:36:56 UTC - RP418 - Installed iTunes
80: 2008-07-10 16:06:42 UTC - RP417 - Last known good configuration


-- First Restore Point --
1: 2008-07-10 16:06:03 UTC - RP338 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as Jon.exe) -------------------------------------------------

Unable to find log (file not found); running clone.
-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-07-10 23:37:30
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\wamp\Apache2\bin\httpd.exe
C:\wamp\mysql\bin\mysqld-nt.exe
C:\wamp\Apache2\bin\httpd.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\wamp\wampmanager.exe
E:\Downloads\dss.exe
E:\Install Files\Anti-Spyware\Jon.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O2 - BHO: (no name) - {235497FB-FEE7-4E1C-9D6E-BDB2DCA276D2} - blank (file missing)
O2 - BHO: {066ba046-f130-a2ea-a974-5c913975da43} - {34ad5793-19c5-479a-ae2a-031f640ab660} - C:\WINDOWS\system32\yttxkk.dll
O2 - BHO: (no name) - {430F01CB-BBC4-4A17-949A-7BA7012393D2} - blank (file missing)
O2 - BHO: (no name) - {514A5C49-0C7D-42c3-A71B-38864A269B7A} - blank (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: (no name) - {7CE5F89B-2360-4185-BD8B-E3470E7E605E} - C:\WINDOWS\system32\cbXRHwvw.dll (file missing)
O2 - BHO: (no name) - {873A38E9-23CC-461F-8539-DCB627424B5C} - C:\Documents and Settings\Jon\Local Settings\Temporary Internet Files\Content.IE5\YZIF2345\3077ahntdksr[1].dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {C5E84927-CFF0-4CA3-A068-02E7C01C1E7C} - C:\WINDOWS\system32\awttqqRi.dll
O2 - BHO: (no name) - {E3B5FFF3-CBE7-4DBA-8487-EAEBE2E8A00D} - (no file)
O2 - BHO: (no name) - {ECFDD416-C63B-4716-9D47-C02F8CA2D6F8} - blank (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: WampServer.lnk = C:\wamp\wampmanager.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - (file missing)
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.8.5.1302.1018.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.8.5.1302.1018.dll
O18 - Protocol: mso-offdap - {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL
O18 - Protocol: mso-offdap11 - {32505114-5902-49B2-880A-1F7738E5A384} - C:\Program Files\Common Files\Microsoft Shared\Web Components\11\OWC11.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll
O18 - Filter: text/xml - {807553E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL
O20 - Winlogon Notify: awttqqRi - C:\WINDOWS\system32\awttqqRi.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Ad-Aware\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Sunbelt Kerio Personal Firewall 4 (KPF4) - Sunbelt Software - C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: wampapache - Apache Software Foundation - C:\wamp\Apache2\bin\httpd.exe
O23 - Service: wampmysqld - Unknown owner - C:\wamp\mysql\bin\mysqld-nt.exe


--
End of file - 7198 bytes

-- File Associations -----------------------------------------------------------

.js - JSFile - DefaultIcon - "C:\Program Files\Macromedia\Dreamweaver 8\dreamweaver.exe",2


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

S3 gdrv - c:\windows\gdrv.sys <Not Verified; Windows ® 2000 DDK provider; Windows ® 2000 DDK driver>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Bonjour Service - "c:\program files\bonjour\mdnsresponder.exe" <Not Verified; Apple Inc.; Bonjour>
R2 wampapache - "c:\wamp\apache2\bin\httpd.exe" -k runservice <Not Verified; Apache Software Foundation; Apache HTTP Server>
R2 wampmysqld - c:\wamp\mysql\bin\mysqld-nt.exe --defaults-file=c:\wamp\mysql\my.ini wampmysqld


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: NVIDIA nForce Networking Controller
Device ID: {1A3E09BE-1E45-494B-9174-D7385B45BBF5}\NVNET_DEV0373\4&33FA2670&0&00
Manufacturer: NVIDIA
Name: NVIDIA nForce Networking Controller
PNP Device ID: {1A3E09BE-1E45-494B-9174-D7385B45BBF5}\NVNET_DEV0373\4&33FA2670&0&00
Service: NVENETFD


-- Scheduled Tasks -------------------------------------------------------------

2008-07-10 17:27:22 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job


-- Files created between 2008-06-10 and 2008-07-10 -----------------------------

2008-07-10 22:58:36 577671 --ahs---- C:\WINDOWS\system32\cMUDNXbc.ini2
2008-07-10 22:41:34 0 d-------- C:\VundoFix Backups
2008-07-10 21:33:41 78848 --a------ C:\WINDOWS\system32\bewotpkf.dll
2008-07-10 21:33:37 102912 --a------ C:\WINDOWS\system32\yttxkk.dll
2008-07-10 21:33:37 102912 --a------ C:\WINDOWS\system32\wrteywtj.dll
2008-07-10 21:30:36 589591 --ahs---- C:\WINDOWS\system32\wvwHRXbc.ini2
2008-07-10 20:34:19 0 d-------- C:\Program Files\Ad-Aware
2008-07-10 20:33:56 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-07-10 20:24:03 0 dr-h----- C:\Documents and Settings\Jon\Recent
2008-07-10 20:21:11 102912 --a------ C:\WINDOWS\system32\huasxg.dll
2008-07-10 20:21:10 102912 --a------ C:\WINDOWS\system32\vkljrjwm.dll
2008-07-10 20:18:12 78848 --a------ C:\WINDOWS\system32\hvjmfgxp.dll
2008-07-10 20:12:13 91648 --a------ C:\WINDOWS\system32\jvdsycam.dll
2008-07-10 19:48:10 583660 --ahs---- C:\WINDOWS\system32\iSCfMnnn.ini2
2008-07-10 19:25:57 102912 --a------ C:\WINDOWS\system32\lfcuhx.dll
2008-07-10 19:25:57 102912 --a------ C:\WINDOWS\system32\bcvghvhi.dll
2008-07-10 18:46:57 589424 --ahs---- C:\WINDOWS\system32\uEOVCcdd.ini2
2008-07-10 17:39:02 0 d-------- C:\Program Files\iPod
2008-07-10 17:38:54 0 d-------- C:\Program Files\iTunes
2008-07-10 17:35:30 0 d-------- C:\Program Files\Bonjour
2008-07-10 17:27:05 0 d-------- C:\Program Files\Apple Software Update
2008-07-10 17:11:52 78848 --a------ C:\WINDOWS\system32\vahvkvvn.dll
2008-07-10 17:08:59 102912 --a------ C:\WINDOWS\system32\oicfdhrm.dll
2008-07-10 17:08:59 102912 --a------ C:\WINDOWS\system32\mkxrrv.dll
2008-07-10 17:05:52 589018 --ahs---- C:\WINDOWS\system32\WGPpAJlm.ini2
2008-07-08 22:19:53 25088 --a------ C:\WINDOWS\system32\ljJYQHYQ.dll
2008-07-08 22:18:54 25088 --a------ C:\WINDOWS\system32\awttqqRi.dll
2008-07-02 13:56:16 0 d-------- C:\Program Files\Microsoft Silverlight
2008-07-02 01:24:34 0 d-------- C:\Documents and Settings\Jon\Application Data\Google
2008-07-02 01:24:06 0 d-------- C:\Program Files\Google
2008-06-27 02:54:08 0 d-------- C:\WINDOWS\system32\drivers\UMDF
2008-06-23 23:41:52 0 d-------- C:\Documents and Settings\Jon\Application Data\SPORE Creature Creator
2008-06-18 12:24:25 0 d-------- C:\Documents and Settings\All Users\Application Data\Kontiki


-- Find3M Report ---------------------------------------------------------------

2008-07-10 23:32:28 0 d-------- C:\Documents and Settings\Jon\Application Data\Skype
2008-07-10 20:29:39 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-07-10 20:27:48 0 d-------- C:\Documents and Settings\Jon\Application Data\Lavasoft
2008-07-10 17:33:46 0 d-------- C:\Program Files\QuickTime
2008-07-10 00:35:10 0 d-------- C:\Documents and Settings\Jon\Application Data\uTorrent
2008-07-08 17:43:35 0 d-------- C:\Documents and Settings\Jon\Application Data\LimeWire
2008-06-27 02:56:06 0 d-------- C:\Program Files\Windows Media Connect 2
2008-06-26 23:24:00 0 d-------- C:\Documents and Settings\Jon\Application Data\Adobe
2008-06-23 23:39:33 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-06-23 03:24:16 0 d-------- C:\Program Files\LimeWire
2008-06-19 20:22:11 664 --a------ C:\WINDOWS\system32\d3d9caps.dat
2008-06-18 12:24:41 0 d-------- C:\Program Files\Kontiki
2008-06-18 12:22:00 0 d-------- C:\Documents and Settings\Jon\Application Data\Mozilla
2008-06-16 11:49:25 0 d-------- C:\Program Files\The GodFather
2008-05-27 00:06:03 0 d-------- C:\Program Files\Common Files\Adobe
2008-05-27 00:04:53 0 d-------- C:\Documents and Settings\Jon\Application Data\AdobeUM
2008-05-25 12:19:10 0 d-------- C:\Program Files\MSN Messenger
2008-05-25 12:18:52 0 d-------- C:\Program Files\Windows Live
2008-05-25 12:18:23 0 d--hs--c- C:\Program Files\Common Files\WindowsLiveInstaller
2008-05-25 12:18:17 0 d-------- C:\Program Files\Common Files
2008-05-24 00:13:43 2536 --a------ C:\WINDOWS\unins000.dat
2008-05-24 00:11:52 691545 --a------ C:\WINDOWS\unins000.exe


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{235497FB-FEE7-4E1C-9D6E-BDB2DCA276D2}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{34ad5793-19c5-479a-ae2a-031f640ab660}]
10/07/2008 21:33 102912 --a------ C:\WINDOWS\system32\yttxkk.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{430F01CB-BBC4-4A17-949A-7BA7012393D2}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{514A5C49-0C7D-42c3-A71B-38864A269B7A}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7CE5F89B-2360-4185-BD8B-E3470E7E605E}]
C:\WINDOWS\system32\cbXRHwvw.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{873A38E9-23CC-461F-8539-DCB627424B5C}]
10/07/2008 20:20 88576 --------- C:\Documents and Settings\Jon\Local Settings\Temporary Internet Files\Content.IE5\YZIF2345\3077ahntdksr[1].dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C5E84927-CFF0-4CA3-A068-02E7C01C1E7C}]
08/07/2008 22:18 25088 --a------ C:\WINDOWS\system32\awttqqRi.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E3B5FFF3-CBE7-4DBA-8487-EAEBE2E8A00D}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ECFDD416-C63B-4716-9D47-C02F8CA2D6F8}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [17/09/2007 02:07]
"nwiz"="nwiz.exe" [17/09/2007 02:07 C:\WINDOWS\system32\nwiz.exe]
"RTHDCPL"="RTHDCPL.EXE" [27/05/2006 03:47 C:\WINDOWS\RTHDCPL.EXE]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [03/08/2004 22:31]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [03/08/2004 22:32]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [03/08/2004 22:32]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [17/09/2007 02:07]
"AppleSyncNotifier"="C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [03/07/2008 02:23]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [09/07/2008 13:30]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [25/05/2008 12:25]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [18/12/2006 18:32]

C:\Documents and Settings\Jon\Start Menu\Programs\Startup\
WampServer.lnk - C:\wamp\wampmanager.exe [27/06/2004 21:57:36]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoRecentDocsMenu"=01000000
"NoSharedDocuments"=01000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{C5E84927-CFF0-4CA3-A068-02E7C01C1E7C}"= C:\WINDOWS\system32\awttqqRi.dll [08/07/2008 22:18 25088]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\awttqqRi]
awttqqRi.dll 08/07/2008 22:18 25088 C:\WINDOWS\system32\awttqqRi.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\cbXNDUMc

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Alcmtr"=ALCMTR.EXE
"AlcWzrd"=ALCWZRD.EXE
"b04fbff4"=rundll32.exe "C:\WINDOWS\system32\bewotpkf.dll",b
"BMb37c8c68"=Rundll32.exe "C:\WINDOWS\system32\qqldkyxs.dll",s
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
"SkyTel"=SkyTel.EXE




-- Hosts -----------------------------------------------------------------------

127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com
127.0.0.1 www.00hq.com
127.0.0.1 00hq.com
127.0.0.1 010402.com
127.0.0.1 www.032439.com
127.0.0.1 032439.com

8784 more entries in hosts file.


-- End of Deckard's System Scanner: finished at 2008-07-10 23:40:58 ------------
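
The log above shows the whole Vundo footprint in one place: random-named BHO DLLs in system32 (yttxkk.dll, awttqqRi.dll), one BHO loading straight out of Temporary Internet Files, a Winlogon Notify DLL, an extra LSA "Authentication Packages" entry (cbXNDUMc, loaded into lsass.exe at boot), and hidden+system `.ini2` files whose names are the reversed names of those modules (cMUDNXbc reverses to cbXNDUMc, wvwHRXbc reverses to cbXRHwvw). That is why a registry-only fix does not stick: the reversed-name files and the LSA/Winlogon hooks restore the BHOs on the next boot. The script below is an added example, not a BleepingComputer tool or anything posted in this thread; it runs those checks over a constructed subset of the log lines embedded in the block. The check names and severity labels are my own choices, and the heuristics produce candidates for a human to review, not verdicts.

```python
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample: a subset of lines in the shape of the Deckard's System
# Scanner / HijackThis output posted above, not the complete log.
SAMPLE_LOG = r"""
O2 - BHO: {066ba046-f130-a2ea-a974-5c913975da43} - {34ad5793-19c5-479a-ae2a-031f640ab660} - C:\WINDOWS\system32\yttxkk.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: (no name) - {7CE5F89B-2360-4185-BD8B-E3470E7E605E} - C:\WINDOWS\system32\cbXRHwvw.dll (file missing)
O2 - BHO: (no name) - {873A38E9-23CC-461F-8539-DCB627424B5C} - C:\Documents and Settings\Jon\Local Settings\Temporary Internet Files\Content.IE5\YZIF2345\3077ahntdksr[1].dll
O2 - BHO: (no name) - {C5E84927-CFF0-4CA3-A068-02E7C01C1E7C} - C:\WINDOWS\system32\awttqqRi.dll
O2 - BHO: (no name) - {E3B5FFF3-CBE7-4DBA-8487-EAEBE2E8A00D} - (no file)
O20 - Winlogon Notify: awttqqRi - C:\WINDOWS\system32\awttqqRi.dll
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\cbXNDUMc
2008-07-10 22:58:36 577671 --ahs---- C:\WINDOWS\system32\cMUDNXbc.ini2
2008-07-10 21:30:36 589591 --ahs---- C:\WINDOWS\system32\wvwHRXbc.ini2
2008-07-10 19:48:10 583660 --ahs---- C:\WINDOWS\system32\iSCfMnnn.ini2
2008-07-10 21:33:37 102912 --a------ C:\WINDOWS\system32\yttxkk.dll
2008-07-08 22:18:54 25088 --a------ C:\WINDOWS\system32\awttqqRi.dll
"""

BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]{36})\} - (?P<target>.+)$")
NOTIFY_RE = re.compile(r"^O20 - Winlogon Notify: (?P<key>\S+) - (?P<target>.+)$")
LSA_RE = re.compile(r'^"Authentication Packages"=\s*(?P<pkgs>.+)$')
FILE_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\s+\d+\s+(?P<attrs>[-a-z]{9})\s+(?P<path>.+)$")
DLL_RE = re.compile(r"([A-Za-z0-9_]+)\.dll\b", re.IGNORECASE)
GUID_RE = re.compile(r"^\{[0-9A-Fa-f-]{36}\}$")


@dataclass(frozen=True)
class Finding:
    severity: str  # "high", "medium" or "low" (labels are this example's own)
    check: str
    detail: str


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def module_stems(log_text: str) -> set[str]:
    """Lower-cased file stems of every DLL or LSA package the log names anywhere."""
    stems = {m.group(1).lower() for m in DLL_RE.finditer(log_text)}
    for line in log_text.splitlines():
        m = LSA_RE.match(line.strip())
        if m:
            stems.update(basename(p).lower() for p in m.group("pkgs").split())
    return stems


def triage(log_text: str) -> list[Finding]:
    stems = module_stems(log_text)
    out: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := BHO_RE.match(line):
            name, clsid, target = m.group("name"), m.group("clsid"), m.group("target")
            low = target.lower()
            if "(file missing)" in low or "(no file)" in low:
                # The registration outlived the DLL: a leftover, still a cleanup item.
                out.append(Finding("low", "orphan-bho", f"{clsid} -> {target}"))
            elif "temporary internet files" in low:
                # A BHO loading straight out of the IE cache is never legitimate.
                out.append(Finding("high", "bho-in-browser-cache", f"{clsid} -> {target}"))
            elif (name == "(no name)" or GUID_RE.match(name)) and "\\system32\\" in low:
                out.append(Finding("medium", "unnamed-bho-in-system32", f"{clsid} -> {target}"))
        elif m := NOTIFY_RE.match(line):
            # winlogon.exe loads this DLL at logon, so it runs before any user-mode cleaner.
            out.append(Finding("medium", "winlogon-notify", f"{m.group('key')} -> {m.group('target')}"))
        elif m := LSA_RE.match(line):
            for pkg in m.group("pkgs").split():
                if pkg.lower() != "msv1_0":
                    # Anything beyond the stock msv1_0 is loaded into lsass.exe at boot.
                    out.append(Finding("high", "lsa-auth-package", pkg))
        elif m := FILE_RE.match(line):
            attrs, path = m.group("attrs"), m.group("path")
            low = path.lower()
            if "h" in attrs and "s" in attrs and low.endswith((".ini", ".ini2")) and "\\system32\\" in low:
                stem = basename(path).split(".")[0]
                rev = stem[::-1].lower()
                if rev in stems:
                    # The .ini2 name is a module name spelled backwards: the pair belongs together.
                    out.append(Finding("high", "reversed-name-ini", f"{path} reverses to {rev}, a module named elsewhere in the log"))
                else:
                    out.append(Finding("medium", "hidden-system-ini", path))
    return out


def summary(findings: list[Finding]) -> dict[str, int]:
    return dict(Counter(f.severity for f in findings))


if __name__ == "__main__":
    order = ("high", "medium", "low")
    for f in sorted(triage(SAMPLE_LOG), key=lambda f: order.index(f.severity)):
        print(f"[{f.severity:6}] {f.check:24} {f.detail}")
```

Run it as-is to see the findings for the embedded sample, or pass the text of a full DSS/HijackThis log to `triage()`. The reversed-name check is the one worth keeping in mind when a removal "does not stick": it pairs each hidden `.ini2` with the DLL it backs up, so both get removed together rather than only the BHO registration. `unnamed-bho-in-system32` is deliberately only medium, because a legitimate unnamed BHO would trip it as well.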

#2 miekiemoes

    Malware Killer Dog

  • Malware Response Team
  • 19,420 posts
  • Location:Belgium

Posted 11 July 2008 - 12:17 AM

Hi,

I understand that you need help in order to get rid of the malware that is present on your system, but you need to help us first.
I notice that you never scanned with an antivirus before starting this thread, because you don't even have an antivirus installed!
This is somewhat suicidal in today's digital world.
That's why I want you to install one first!!

* Please install Avira Antivirus: http://www.free-av.com/
This is a free Antivirus.

Perform a full scan with Avira and let it delete everything it finds.
Then reboot.
After reboot, open your Avira and select "reports".
There, double-click the report from the full scan you have done. Click the "Report File" button and copy and paste this report in your next reply together with a new HijackThis log.
Then we'll start from there, because otherwise it makes no sense for us to clean this up manually when no antivirus scanner is present, which should be able to deal with most of it and prevent further reinfection.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 Lemming64

  • Topic Starter
  • Members
  • 6 posts

Posted 11 July 2008 - 06:16 PM

Hi, firstly thanks for your help.

Here are the new logs attached:




#4 miekiemoes

    Malware Killer Dog

  • Malware Response Team
  • 19,420 posts
  • Location:Belgium

Posted 11 July 2008 - 11:55 PM

Hi,

Please don't attach your logs but copy and paste them in the thread instead.

* Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

This includes installing the Windows XP Recovery Console in case you have not installed it yet.

Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.

#5 Lemming64

  • Topic Starter
  • Members
  • 6 posts

Posted 12 July 2008 - 06:12 AM

Oki doki, I have run ComboFix and here is the log from that and HijackThis:

ComboFix 08-07-11.1 - Jon 2008-07-12 11:53:20.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.602 [GMT 1:00]
Running from: C:\Documents and Settings\Jon\Desktop\infected\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\akuanlgu.ini
C:\WINDOWS\system32\aubjqvtf.ini
C:\WINDOWS\system32\cMUDNXbc.ini
C:\WINDOWS\system32\cMUDNXbc.ini2
C:\WINDOWS\system32\fkptoweb.ini
C:\WINDOWS\system32\iSCfMnnn.ini
C:\WINDOWS\system32\iSCfMnnn.ini2
C:\WINDOWS\system32\jvdsycam.dll
C:\WINDOWS\system32\nvvkvhav.ini
C:\WINDOWS\system32\pxgfmjvh.ini
C:\WINDOWS\system32\SstsAcdd.ini
C:\WINDOWS\system32\SstsAcdd.ini2
C:\WINDOWS\system32\uEOVCcdd.ini
C:\WINDOWS\system32\uEOVCcdd.ini2
C:\WINDOWS\system32\WGPpAJlm.ini
C:\WINDOWS\system32\WGPpAJlm.ini2
C:\WINDOWS\system32\wvwHRXbc.ini
C:\WINDOWS\system32\wvwHRXbc.ini2

.
((((((((((((((((((((((((( Files Created from 2008-06-12 to 2008-07-12 )))))))))))))))))))))))))))))))
.

2008-07-11 12:31 . 2008-07-11 12:31 <DIR> d-------- C:\Program Files\Avira
2008-07-11 12:31 . 2008-07-11 12:31 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avira
2008-07-11 00:37 . 2008-07-11 00:37 78,848 --a------ C:\WINDOWS\system32\uglnauka.VIR
2008-07-11 00:34 . 2008-07-11 00:34 318,976 --a------ C:\WINDOWS\system32\ddcAstsS.dll_old
2008-07-10 23:34 . 2008-07-10 23:34 <DIR> d-------- C:\Deckard
2008-07-10 20:34 . 2008-07-10 20:37 <DIR> d-------- C:\Program Files\Ad-Aware
2008-07-10 20:33 . 2008-07-10 20:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-07-10 17:54 . 2008-07-11 11:54 1,600 --a------ C:\WINDOWS\wininit.ini
2008-07-10 17:39 . 2008-07-10 17:39 <DIR> d-------- C:\Program Files\iPod
2008-07-10 17:38 . 2008-07-10 17:39 <DIR> d-------- C:\Program Files\iTunes
2008-07-10 17:35 . 2008-07-10 17:35 <DIR> d-------- C:\Program Files\Bonjour
2008-07-10 17:27 . 2008-07-10 17:27 <DIR> d-------- C:\Program Files\Apple Software Update
2008-07-10 17:07 . 2008-07-11 11:22 110,442 --a------ C:\WINDOWS\BMb37c8c68.xml
2008-07-08 22:18 . 2008-07-08 22:18 25,088 --a------ C:\WINDOWS\system32\awttqqRi.VIR
2008-07-02 13:56 . 2008-07-02 13:56 <DIR> d-------- C:\Program Files\Microsoft Silverlight
2008-07-02 01:24 . 2008-07-02 01:24 <DIR> d-------- C:\Program Files\Google
2008-06-27 02:54 . 2008-06-27 02:54 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2008-06-23 23:41 . 2008-06-25 23:40 <DIR> d-------- C:\Documents and Settings\Jon\Application Data\SPORE Creature Creator
2008-06-18 12:24 . 2008-06-18 12:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kontiki

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-12 11:02 --------- d-----w C:\Documents and Settings\Jon\Application Data\Skype
2008-07-12 00:31 --------- d-----w C:\Documents and Settings\Jon\Application Data\LimeWire
2008-07-11 11:41 --------- d-----w C:\Documents and Settings\Jon\Application Data\uTorrent
2008-07-10 19:29 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-07-10 19:27 --------- d-----w C:\Documents and Settings\Jon\Application Data\Lavasoft
2008-07-10 16:33 --------- d-----w C:\Program Files\QuickTime
2008-07-03 01:12 32,000 ----a-w C:\WINDOWS\system32\drivers\usbaapl.sys
2008-06-27 01:56 --------- d-----w C:\Program Files\Windows Media Connect 2
2008-06-23 22:41 107,888 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2008-06-23 22:39 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-06-23 02:24 --------- d-----w C:\Program Files\LimeWire
2008-06-18 11:24 --------- d-----w C:\Program Files\Kontiki
2008-06-16 10:49 --------- d-----w C:\Program Files\The GodFather
2008-06-13 13:10 272,128 ------w C:\WINDOWS\system32\drivers\bthport.sys
2008-05-26 23:06 --------- d-----w C:\Program Files\Common Files\Adobe
2008-05-26 23:04 --------- d-----w C:\Documents and Settings\Jon\Application Data\AdobeUM
2008-05-25 11:19 --------- d-----w C:\Program Files\MSN Messenger
2008-05-25 11:18 --------- dcsh--w C:\Program Files\Common Files\WindowsLiveInstaller
2008-05-25 11:18 --------- d-----w C:\Program Files\Windows Live
2008-05-25 11:17 --------- d-----w C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-05-23 23:21 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-23 23:16 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-05-23 23:11 691,545 ----a-w C:\WINDOWS\unins000.exe
2008-05-16 10:58 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2008-05-07 04:55 1,288,192 ----a-w C:\WINDOWS\system32\quartz.dll
2008-04-21 06:56 666,624 ----a-w C:\WINDOWS\system32\wininet.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" [2008-05-25 12:25 5724184]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2006-12-18 18:32 25365032]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-09-17 02:07 8491008]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-03 22:31 59392]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-03 22:32 455168]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-03 22:32 455168]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-09-17 02:07 81920]
"AppleSyncNotifier"="C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-03 02:23 116040]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-07-09 13:30 289064]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-02-12 10:06 262401]
"nwiz"="nwiz.exe" [2007-09-17 02:07 1626112 C:\WINDOWS\system32\nwiz.exe]
"RTHDCPL"="RTHDCPL.EXE" [2006-05-27 03:47 16208384 C:\WINDOWS\RTHDCPL.EXE]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 00:56 15360]

C:\Documents and Settings\Jon\Start Menu\Programs\Startup\
WampServer.lnk.disabled [2007-02-20 18:18:14 1358]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"= ctwdm32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Alcmtr"=ALCMTR.EXE
"AlcWzrd"=ALCWZRD.EXE
"SkyTel"=SkyTel.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"E:\\Install Files\\File Transfer\\utorrent.exe"=
"C:\\Games\\Civ 4\\Civilization4.exe"=
"C:\\Games\\Civ 4\\Warlords\\Civ4Warlords.exe"=
"C:\\Games\\Civ 4\\Beyond the Sword\\Civ4BeyondSword.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

R1 fwdrv;Firewall Driver;C:\WINDOWS\system32\drivers\fwdrv.sys [2006-07-18 13:02]
R1 khips;Kerio HIPS Driver;C:\WINDOWS\system32\drivers\khips.sys [2006-07-18 13:02]
R2 wampapache;wampapache;c:\wamp\apache2\bin\httpd.exe [2007-01-10 00:17]
R2 wampmysqld;wampmysqld;c:\wamp\mysql\bin\mysqld-nt.exe [2006-10-22 05:30]
S3 ZY202_XP;ZyXEL 802.11g XG202 1211 Driver;C:\WINDOWS\system32\DRIVERS\WlanUZXP.sys [2006-11-27 08:45]

.
Contents of the 'Scheduled Tasks' folder
"2008-07-10 16:27:22 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
- - - - ORPHANS REMOVED - - - -

BHO-{235497FB-FEE7-4E1C-9D6E-BDB2DCA276D2} - blank
BHO-{430F01CB-BBC4-4A17-949A-7BA7012393D2} - blank
BHO-{7CE5F89B-2360-4185-BD8B-E3470E7E605E} - C:\WINDOWS\system32\cbXRHwvw.dll
BHO-{873A38E9-23CC-461F-8539-DCB627424B5C} - C:\Documents and Settings\Jon\Local Settings\Temporary Internet Files\Content.IE5\YZIF2345\3077ahntdksr[1].dll
BHO-{D22BD202-FDAA-45AA-AA77-0737CF5E7452} - C:\WINDOWS\system32\ddcAstsS.dll
BHO-{ECFDD416-C63B-4716-9D47-C02F8CA2D6F8} - blank
BHO-{f156f334-5aa6-4798-b321-65b60cc8ef53} - C:\WINDOWS\system32\sieqnr.dll
Notify-awttqqRi - awttqqRi.dll


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-12 12:00:34
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Ad-Aware\aawservice.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\WINDOWS\system32\cmd.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-07-12 12:06:27 - machine was rebooted [Jon]
ComboFix-quarantined-files.txt 2008-07-12 11:06:20

Pre-Run: 24,970,440,704 bytes free
Post-Run: 25,006,411,776 bytes free

176 --- E O F --- 2008-06-28 16:13:07


---------------------------------------------------------------------------------------------------------------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:11:59, on 12/07/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
C:\WINDOWS\system32\nvsvc32.exe
c:\wamp\apache2\bin\httpd.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
c:\wamp\mysql\bin\mysqld-nt.exe
C:\wamp\apache2\bin\httpd.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Jon\Desktop\infected\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: WampServer.lnk.disabled
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Ad-Aware\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Avira AntiVir Personal Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Sunbelt Kerio Personal Firewall 4 (KPF4) - Sunbelt Software - C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: wampapache - Apache Software Foundation - c:\wamp\apache2\bin\httpd.exe
O23 - Service: wampmysqld - Unknown owner - c:\wamp\mysql\bin\mysqld-nt.exe

--
End of file - 6560 bytes

#6 miekiemoes
    Malware Killer Dog
  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 12 July 2008 - 06:31 AM

Hi,

* Open Notepad - don't use any other text editor than Notepad or the script will fail.
Copy/paste the text in the quote box below into Notepad:

File::
C:\WINDOWS\system32\uglnauka.VIR
C:\WINDOWS\system32\ddcAstsS.dll_old
C:\WINDOWS\BMb37c8c68.xml
C:\WINDOWS\system32\awttqqRi.VIR


Save this as a text file named CFScript.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

[Screenshot: dragging CFScript onto ComboFix.exe]

This will start ComboFix again. After the reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#7 Lemming64
  • Topic Starter
  • Members
  • 6 posts

Posted 12 July 2008 - 04:47 PM

OK, done that; here are the new logs:

ComboFix 08-07-11.1 - Jon 2008-07-12 22:26:32.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.575 [GMT 1:00]
Running from: C:\Documents and Settings\Jon\Desktop\infected\ComboFix.exe
Command switches used :: C:\Documents and Settings\Jon\Desktop\infected\CFScript.txt
* Created a new restore point

FILE ::
C:\WINDOWS\BMb37c8c68.xml
C:\WINDOWS\system32\awttqqRi.VIR
C:\WINDOWS\system32\ddcAstsS.dll_old
C:\WINDOWS\system32\uglnauka.VIR
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\BMb37c8c68.xml
C:\WINDOWS\system32\awttqqRi.VIR
C:\WINDOWS\system32\ddcAstsS.dll_old
C:\WINDOWS\system32\uglnauka.VIR

.
((((((((((((((((((((((((( Files Created from 2008-06-12 to 2008-07-12 )))))))))))))))))))))))))))))))
.

2008-07-11 12:31 . 2008-07-11 12:31 <DIR> d-------- C:\Program Files\Avira
2008-07-11 12:31 . 2008-07-11 12:31 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avira
2008-07-10 23:34 . 2008-07-10 23:34 <DIR> d-------- C:\Deckard
2008-07-10 20:34 . 2008-07-10 20:37 <DIR> d-------- C:\Program Files\Ad-Aware
2008-07-10 20:33 . 2008-07-10 20:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-07-10 17:54 . 2008-07-11 11:54 1,600 --a------ C:\WINDOWS\wininit.ini
2008-07-10 17:39 . 2008-07-10 17:39 <DIR> d-------- C:\Program Files\iPod
2008-07-10 17:38 . 2008-07-10 17:39 <DIR> d-------- C:\Program Files\iTunes
2008-07-10 17:35 . 2008-07-10 17:35 <DIR> d-------- C:\Program Files\Bonjour
2008-07-10 17:27 . 2008-07-10 17:27 <DIR> d-------- C:\Program Files\Apple Software Update
2008-07-02 13:56 . 2008-07-02 13:56 <DIR> d-------- C:\Program Files\Microsoft Silverlight
2008-07-02 01:24 . 2008-07-02 01:24 <DIR> d-------- C:\Program Files\Google
2008-06-27 02:54 . 2008-06-27 02:54 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2008-06-23 23:41 . 2008-06-25 23:40 <DIR> d-------- C:\Documents and Settings\Jon\Application Data\SPORE Creature Creator
2008-06-18 12:24 . 2008-06-18 12:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kontiki

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-12 11:17 --------- d-----w C:\Program Files\PartyGaming
2008-07-12 11:02 --------- d-----w C:\Documents and Settings\Jon\Application Data\Skype
2008-07-12 00:31 --------- d-----w C:\Documents and Settings\Jon\Application Data\LimeWire
2008-07-11 11:41 --------- d-----w C:\Documents and Settings\Jon\Application Data\uTorrent
2008-07-10 19:29 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-07-10 19:27 --------- d-----w C:\Documents and Settings\Jon\Application Data\Lavasoft
2008-07-10 16:33 --------- d-----w C:\Program Files\QuickTime
2008-07-03 01:12 32,000 ----a-w C:\WINDOWS\system32\drivers\usbaapl.sys
2008-06-27 01:56 --------- d-----w C:\Program Files\Windows Media Connect 2
2008-06-23 22:41 107,888 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2008-06-23 22:39 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-06-23 02:24 --------- d-----w C:\Program Files\LimeWire
2008-06-18 11:24 --------- d-----w C:\Program Files\Kontiki
2008-06-16 10:49 --------- d-----w C:\Program Files\The GodFather
2008-06-13 13:10 272,128 ------w C:\WINDOWS\system32\drivers\bthport.sys
2008-05-26 23:06 --------- d-----w C:\Program Files\Common Files\Adobe
2008-05-26 23:04 --------- d-----w C:\Documents and Settings\Jon\Application Data\AdobeUM
2008-05-25 11:19 --------- d-----w C:\Program Files\MSN Messenger
2008-05-25 11:18 --------- dcsh--w C:\Program Files\Common Files\WindowsLiveInstaller
2008-05-25 11:18 --------- d-----w C:\Program Files\Windows Live
2008-05-25 11:17 --------- d-----w C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-05-23 23:21 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-23 23:16 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-05-23 23:11 691,545 ----a-w C:\WINDOWS\unins000.exe
2008-05-16 10:58 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2008-05-07 04:55 1,288,192 ----a-w C:\WINDOWS\system32\quartz.dll
2008-04-21 06:56 666,624 ----a-w C:\WINDOWS\system32\wininet.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" [2008-05-25 12:25 5724184]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2006-12-18 18:32 25365032]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-09-17 02:07 8491008]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-03 22:31 59392]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-03 22:32 455168]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-03 22:32 455168]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-09-17 02:07 81920]
"AppleSyncNotifier"="C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-03 02:23 116040]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-07-09 13:30 289064]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-02-12 10:06 262401]
"nwiz"="nwiz.exe" [2007-09-17 02:07 1626112 C:\WINDOWS\system32\nwiz.exe]
"RTHDCPL"="RTHDCPL.EXE" [2006-05-27 03:47 16208384 C:\WINDOWS\RTHDCPL.EXE]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 00:56 15360]

C:\Documents and Settings\Jon\Start Menu\Programs\Startup\
WampServer.lnk.disabled [2007-02-20 18:18:14 1358]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"= ctwdm32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Alcmtr"=ALCMTR.EXE
"AlcWzrd"=ALCWZRD.EXE
"SkyTel"=SkyTel.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"E:\\Install Files\\File Transfer\\utorrent.exe"=
"C:\\Games\\Civ 4\\Civilization4.exe"=
"C:\\Games\\Civ 4\\Warlords\\Civ4Warlords.exe"=
"C:\\Games\\Civ 4\\Beyond the Sword\\Civ4BeyondSword.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

R1 fwdrv;Firewall Driver;C:\WINDOWS\system32\drivers\fwdrv.sys [2006-07-18 13:02]
R1 khips;Kerio HIPS Driver;C:\WINDOWS\system32\drivers\khips.sys [2006-07-18 13:02]
R2 wampapache;wampapache;c:\wamp\apache2\bin\httpd.exe [2007-01-10 00:17]
R2 wampmysqld;wampmysqld;c:\wamp\mysql\bin\mysqld-nt.exe [2006-10-22 05:30]
S3 ZY202_XP;ZyXEL 802.11g XG202 1211 Driver;C:\WINDOWS\system32\DRIVERS\WlanUZXP.sys [2006-11-27 08:45]

.
Contents of the 'Scheduled Tasks' folder
"2008-07-10 16:27:22 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-12 22:30:24
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-07-12 22:32:18
ComboFix-quarantined-files.txt 2008-07-12 21:32:13
ComboFix2.txt 2008-07-12 11:06:29

Pre-Run: 24,754,536,448 bytes free
Post-Run: 24,741,543,936 bytes free

139 --- E O F --- 2008-06-28 16:13:07

---------------------------------------------------------------------------------------------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:46:33, on 12/07/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
C:\WINDOWS\system32\nvsvc32.exe
c:\wamp\apache2\bin\httpd.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
c:\wamp\mysql\bin\mysqld-nt.exe
C:\wamp\apache2\bin\httpd.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\msiexec.exe
C:\Documents and Settings\Jon\Desktop\infected\HiJackThis.exe
C:\WINDOWS\system32\wuauclt.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: WampServer.lnk.disabled
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Ad-Aware\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Avira AntiVir Personal Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Sunbelt Kerio Personal Firewall 4 (KPF4) - Sunbelt Software - C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: wampapache - Apache Software Foundation - c:\wamp\apache2\bin\httpd.exe
O23 - Service: wampmysqld - Unknown owner - c:\wamp\mysql\bin\mysqld-nt.exe
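
An added example (editor's code, not HijackThis', ComboFix's or anyone in this thread's) of how the patterns a helper looks for in logs like the two above can be checked mechanically. It reads HijackThis R/O lines, pulls out the file path in each, and flags what this thread illustrates: a BHO DLL loading from Temporary Internet Files (the first entry in the earlier ComboFix BHO list), an unnamed BHO in system32, a "(file missing)" entry, and a service with an unknown owner. The sample lines are constructed from paths that appear in this thread, rewritten in HijackThis syntax; the flag rules are assumptions of this example, not HijackThis behaviour.

```python
"""Triage helper for HijackThis-style log lines.

Added example for this thread, not code from BleepingComputer, HijackThis or
ComboFix. It parses the R/O entries of a HijackThis log, pulls out the file
path each entry points at, and attaches flags for patterns the thread shows.
The flag rules are assumptions of this example, not HijackThis rules."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: the first two O2 lines reuse the BHO DLL paths the
# ComboFix report in this thread lists, rewritten in HijackThis O2 syntax;
# the remaining lines are copied from the clean HijackThis log above.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {873A38E9-23CC-461F-8539-DCB627424B5C} - C:\Documents and Settings\Jon\Local Settings\Temporary Internet Files\Content.IE5\YZIF2345\3077ahntdksr[1].dll
O2 - BHO: (no name) - {D22BD202-FDAA-45AA-AA77-0737CF5E7452} - C:\WINDOWS\system32\ddcAstsS.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O23 - Service: wampmysqld - Unknown owner - c:\wamp\mysql\bin\mysqld-nt.exe
"""

# "O2 - ..." / "R1 - ..." prefix, and the first Windows path ending in a
# binary extension (quotes excluded so a quoted O4 command parses cleanly).
PREFIX_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.*)$")
PATH_RE = re.compile(r'[A-Za-z]:\\[^"\n]*?\.(?:dll|exe|sys)\b', re.IGNORECASE)


@dataclass
class Entry:
    kind: str                  # section code, e.g. "O2", "O4", "O23"
    body: str                  # text after the "O2 - " prefix
    path: Optional[str]        # first file path found in the line, if any
    flags: List[str] = field(default_factory=list)


def parse_entry(line: str) -> Optional[Entry]:
    """Parse one log line; returns None for lines that are not R/O entries."""
    m = PREFIX_RE.match(line.strip())
    if not m:
        return None
    kind, body = m.group("kind"), m.group("body")
    pm = PATH_RE.search(body)
    entry = Entry(kind, body, pm.group(0) if pm else None)
    lower_path = (entry.path or "").lower()

    # Legitimate BHOs are not installed from the IE cache; Vundo droppers are.
    if "temporary internet files" in lower_path:
        entry.flags.append("loaded from browser cache")
    # HijackThis appends this marker when the registered file no longer exists.
    if body.endswith("(file missing)"):
        entry.flags.append("file missing")
    if kind == "O2":
        if body.startswith("BHO: (no name)"):
            entry.flags.append("unnamed BHO")
        if "\\system32\\" in lower_path:
            entry.flags.append("BHO in system32")
    if kind == "O23" and "unknown owner" in body.lower():
        entry.flags.append("unknown service owner")
    return entry


def triage(log_text: str) -> List[Entry]:
    """All R/O entries in the log, in order, each with its flags."""
    entries = (parse_entry(line) for line in log_text.splitlines())
    return [e for e in entries if e is not None]


def suspicious(log_text: str) -> List[Entry]:
    """Only the entries that picked up at least one flag."""
    return [e for e in triage(log_text) if e.flags]


if __name__ == "__main__":
    for e in suspicious(SAMPLE_LOG):
        print(f"{e.kind:<4} {e.path}  <- {', '.join(e.flags)}")
```

A flag is a reason to look, not a verdict: the wampmysqld service above is the user's own WAMP install and is harmless, which is exactly why the thread's helper reads the whole log rather than deleting on sight.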

#8 miekiemoes
    Malware Killer Dog
  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 13 July 2008 - 01:13 AM

Hi,

This looks OK again.

Your version of Java is outdated and needs to be updated to take advantage of fixes that have eliminated security vulnerabilities.
Updating Java:
  • Download the latest version of Java Runtime Environment (JRE) 6 Update 7.
  • Scroll down to where it says "Java Runtime Environment (JRE) 6 Update 7".
  • Click the "Download" button to the right.
  • For Platform, select "Windows".
  • For language, select your language.
  • Read the License agreement and then check the box that says: "I agree to the Java SE Runtime Environment 6 License Agreement".
  • Click Continue
  • Click on the link to download Windows Offline Installation and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
    - Examples of older versions in Add or Remove Programs:
    • Java 2 Runtime Environment, SE v1.4.2
    • J2SE Runtime Environment 5.0
    • Java™ 6 Update 5
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u7-windows-i586-p.exe to install the newest version.
* Go to Start > Run and copy and paste the next command in the field:

ComboFix /u

Make sure there's a space between Combofix and /
Then hit enter.

This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

Let me know in your next reply how things are now.

#9 Lemming64
  • Topic Starter
  • Members
  • 6 posts

Posted 13 July 2008 - 10:58 AM

Seems to be OK now, thanks very much. I am away for 2 days on business now, but I will run a full virus scan etc. when I get back on Tuesday and see if anything is still coming up. Will also need to do this for my gf's computer, as I am pretty sure she got the same thing I did. Thanks for all the help.

#10 miekiemoes
    Malware Killer Dog
  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 13 July 2008 - 11:57 AM

Glad I could help. :thumbsup:

Please read my Prevention page with lots of info and tips on how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here.
Extra note: Make sure your programs are up to date - because older versions may contain Security Leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

Happy Surfing again!

#11 Lemming64
  • Topic Starter
  • Members
  • 6 posts

Posted 15 July 2008 - 06:46 PM

Hey again, a quick log from the virus scanner which I ran tonight. It found two bad files; does this mean I'm not completely clean, or are they part of something else...? Though it is strange: one is a keygen which has been sitting on my computer for a while, since before I scanned it the last time.



Avira AntiVir Personal
Report file date: 15 July 2008 23:38

Scanning for 1454594 virus strains and unwanted programs.

Licensed to: Avira AntiVir PersonalEdition Classic
Serial number: 0000149996-ADJIE-0001
Platform: Windows XP
Windows version: (Service Pack 2) [5.1.2600]
Boot mode: Normally booted
Username: SYSTEM
Computer name: LEM

Version information:
BUILD.DAT : 8.1.0.308 16478 Bytes 28/05/2008 17:03:00
AVSCAN.EXE : 8.1.2.12 311553 Bytes 18/03/2008 10:02:56
AVSCAN.DLL : 8.1.1.0 53505 Bytes 07/02/2008 09:43:37
LUKE.DLL : 8.1.2.9 151809 Bytes 28/02/2008 09:41:23
LUKERES.DLL : 8.1.2.1 12033 Bytes 21/02/2008 09:28:40
ANTIVIR0.VDF : 6.40.0.0 11030528 Bytes 18/07/2007 11:33:34
ANTIVIR1.VDF : 7.0.5.1 8182784 Bytes 24/06/2008 11:35:15
ANTIVIR2.VDF : 7.0.5.119 1264128 Bytes 15/07/2008 20:34:03
ANTIVIR3.VDF : 7.0.5.120 2048 Bytes 15/07/2008 20:34:04
Engineversion : 8.1.0.68
AEVDF.DLL : 8.1.0.5 102772 Bytes 25/02/2008 10:58:21
AESCRIPT.DLL : 8.1.0.53 303481 Bytes 15/07/2008 20:34:08
AESCN.DLL : 8.1.0.23 119156 Bytes 15/07/2008 20:34:08
AERDL.DLL : 8.1.0.20 418165 Bytes 11/07/2008 11:35:31
AEPACK.DLL : 8.1.2.1 364917 Bytes 15/07/2008 20:34:07
AEOFFICE.DLL : 8.1.0.20 192891 Bytes 11/07/2008 11:35:28
AEHEUR.DLL : 8.1.0.41 1339765 Bytes 15/07/2008 20:34:06
AEHELP.DLL : 8.1.0.15 115063 Bytes 11/07/2008 11:35:24
AEGEN.DLL : 8.1.0.29 307573 Bytes 11/07/2008 11:35:23
AEEMU.DLL : 8.1.0.6 430451 Bytes 11/07/2008 11:35:22
AECORE.DLL : 8.1.0.33 168311 Bytes 15/07/2008 20:34:04
AVWINLL.DLL : 1.0.0.7 14593 Bytes 23/01/2008 18:07:53
AVPREF.DLL : 8.0.0.1 25857 Bytes 18/02/2008 11:37:50
AVREP.DLL : 7.0.0.1 155688 Bytes 16/04/2007 14:26:47
AVREG.DLL : 8.0.0.0 30977 Bytes 23/01/2008 18:07:49
AVARKT.DLL : 1.0.0.23 307457 Bytes 12/02/2008 09:29:23
AVEVTLOG.DLL : 8.0.0.11 114945 Bytes 28/02/2008 09:31:31
SQLITE3.DLL : 3.3.17.1 339968 Bytes 22/01/2008 18:28:02
SMTPLIB.DLL : 1.2.0.19 28929 Bytes 23/01/2008 18:08:39
NETNT.DLL : 8.0.0.1 7937 Bytes 25/01/2008 13:05:10
RCIMAGE.DLL : 8.0.0.35 2371841 Bytes 10/03/2008 15:37:25
RCTEXT.DLL : 8.0.32.0 86273 Bytes 06/03/2008 13:02:11

Configuration settings for the scan:
Jobname..........................: Complete system scan
Configuration file...............: c:\program files\avira\antivir personaledition classic\sysscan.avp
Logging..........................: low
Primary action...................: interactive
Secondary action.................: ignore
Scan master boot sector..........: on
Scan boot sector.................: on
Boot sectors.....................: C:, E:,
Scan memory......................: on
Process scan.....................: on
Scan registry....................: on
Search for rootkits..............: off
Scan all files...................: Intelligent file selection
Scan archives....................: on
Recursion depth..................: 20
Smart extensions.................: on
Macro heuristic..................: on
File heuristic...................: medium

Start of the scan: 15 July 2008 23:38

The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'AppleMobileBackup.exe' - '1' Module(s) have been scanned
Scan process 'SyncServer.exe' - '1' Module(s) have been scanned
Scan process 'distnoted.exe' - '1' Module(s) have been scanned
Scan process 'AppleMobileDeviceHelper.exe' - '1' Module(s) have been scanned
Scan process 'iTunes.exe' - '1' Module(s) have been scanned
Scan process 'utorrent.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'firefox.exe' - '1' Module(s) have been scanned
Scan process 'alg.exe' - '1' Module(s) have been scanned
Scan process 'iPodService.exe' - '1' Module(s) have been scanned
Scan process 'httpd.exe' - '1' Module(s) have been scanned
Scan process 'mysqld-nt.exe' - '1' Module(s) have been scanned
Scan process 'httpd.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'nvsvc32.exe' - '1' Module(s) have been scanned
Scan process 'msnmsgr.exe' - '1' Module(s) have been scanned
Scan process 'mDNSResponder.exe' - '1' Module(s) have been scanned
Scan process 'AppleMobileDeviceService.exe' - '1' Module(s) have been scanned
Scan process 'jusched.exe' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'iTunesHelper.exe' - '1' Module(s) have been scanned
Scan process 'rundll32.exe' - '1' Module(s) have been scanned
Scan process 'RTHDCPL.EXE' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
Scan process 'explorer.exe' - '1' Module(s) have been scanned
Scan process 'aawservice.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned
40 processes with 40 modules were scanned

Starting master boot sector scan:
Master boot sector HD0
[INFO] No virus was found!
Master boot sector HD1
[INFO] No virus was found!

Start scanning boot sectors:
Boot sector 'C:\'
[INFO] No virus was found!
Boot sector 'E:\'
[INFO] No virus was found!

Starting to scan the registry.
The registry was scanned ( '36' files ).


Starting the file scan:

Begin scan in 'C:\' <Windows>
C:\pagefile.sys
[WARNING] The file could not be opened!
C:\WINDOWS\system32\drivers\sptd.sys
[WARNING] The file could not be opened!
Begin scan in 'E:\' <Big Disk>
E:\Game Files\DOOM 3\Keygen.EXE
[DETECTION] Is the Trojan horse TR/Agent.2657
[NOTE] The file was deleted!
E:\System Volume Information\_restore{DF33534A-F973-4C6A-9A8F-6AB1C2343BA2}\RP1\A0001116.EXE
[DETECTION] Is the Trojan horse TR/Agent.2657
[NOTE] The file was deleted!


End of the scan: 16 July 2008 00:43
Used time: 1:04:46 min

The scan has been done completely.

11532 Scanning directories
304006 Files were scanned
2 viruses and/or unwanted programs were found
0 Files were classified as suspicious:
2 files were deleted
0 files were repaired
0 files were moved to quarantine
0 files were renamed
2 Files cannot be scanned
304004 Files not concerned
1595 Archives were scanned
2 Warnings
2 Notes

#12 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 16 July 2008 - 01:33 AM

Hi,

What was present is a file located on your E:\ (E:\Game Files\DOOM 3\Keygen.EXE) and a leftover in your System Restore Points. They are deleted now. :thumbsup:
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
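The reply above draws the distinction that matters when reading this kind of report: one hit was a live file on E:\, the other was only a copy held in a System Restore point. As an added example (not code from the thread, from BleepingComputer or from Avira), the script below reads an Avira AntiVir report in the format shown above and separates live detections from restore-point leftovers and from files the scanner could not open. The report excerpt embedded in it is constructed from the lines above; the path and detection layout it relies on (a path line followed by `[DETECTION]`, `[NOTE]` or `[WARNING]` lines) is assumed from that excerpt only.

```python
"""Triage an Avira AntiVir scan report: live detections vs. restore-point copies."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed excerpt modelled on the report in this thread (not the full log).
SAMPLE_REPORT = r"""
Begin scan in 'C:\' <Windows>
C:\pagefile.sys
[WARNING] The file could not be opened!
C:\WINDOWS\system32\drivers\sptd.sys
[WARNING] The file could not be opened!
Begin scan in 'E:\' <Big Disk>
E:\Game Files\DOOM 3\Keygen.EXE
[DETECTION] Is the Trojan horse TR/Agent.2657
[NOTE] The file was deleted!
E:\System Volume Information\_restore{DF33534A-F973-4C6A-9A8F-6AB1C2343BA2}\RP1\A0001116.EXE
[DETECTION] Is the Trojan horse TR/Agent.2657
[NOTE] The file was deleted!
"""


@dataclass
class Finding:
    path: str
    detection: str
    action: Optional[str] = None  # text of the [NOTE] line, if any

    @property
    def in_restore_point(self) -> bool:
        # Files under "System Volume Information\_restore{...}" are System Restore
        # snapshots. Removing them is cleanup; the live file is the one that matters.
        return "\\system volume information\\" in self.path.lower()


@dataclass
class Summary:
    findings: List[Finding] = field(default_factory=list)
    unscannable: List[Tuple[str, str]] = field(default_factory=list)  # (path, warning)

    def live(self) -> List[Finding]:
        return [f for f in self.findings if not f.in_restore_point]

    def restore_point_leftovers(self) -> List[Finding]:
        return [f for f in self.findings if f.in_restore_point]


def parse_report(text: str) -> Summary:
    """Walk the report line by line; a bare path line is followed by its tags."""
    summary = Summary()
    current_path: Optional[str] = None
    current: Optional[Finding] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Begin scan in"):
            current_path, current = None, None
            continue
        if line.startswith("["):
            tag, _, msg = line.partition("] ")
            tag = tag.lstrip("[")
            if current_path is None:
                continue  # tag with no preceding path: nothing to attach it to
            if tag == "DETECTION":
                prefix = "Is the "
                name = msg[len(prefix):] if msg.startswith(prefix) else msg
                current = Finding(path=current_path, detection=name.strip())
                summary.findings.append(current)
            elif tag == "NOTE" and current is not None:
                current.action = msg.strip()
            elif tag == "WARNING":
                summary.unscannable.append((current_path, msg.strip()))
            continue
        # Any other non-empty line is a file path; later tags refer to it.
        current_path, current = line, None
    return summary


def triage_lines(summary: Summary) -> List[str]:
    """Human-readable summary in the order an analyst wants it: live hits first."""
    out = []
    for f in summary.live():
        out.append(f"LIVE      {f.detection}: {f.path} ({f.action or 'no action'})")
    for f in summary.restore_point_leftovers():
        out.append(f"RESTORE   {f.detection}: {f.path} ({f.action or 'no action'})")
    for path, warning in summary.unscannable:
        out.append(f"UNSCANNED {path}: {warning}")
    return out


if __name__ == "__main__":
    for line in triage_lines(parse_report(SAMPLE_REPORT)):
        print(line)
```

Unscannable files are listed separately because they are not detections: `pagefile.sys` is locked by Windows while it runs, and a driver such as `sptd.sys` can be locked for the same reason, so a `[WARNING]` there is expected and not by itself a sign of infection.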

#13 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 23 July 2008 - 12:38 AM

Since this issue appears resolved ... this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.