Infected With Virtumonde (fighting 12 Hrs And Counting)


5 replies to this topic

#1 layladee


Posted 04 August 2008 - 05:43 PM

I've never posted on a help board before, so I hope I include everything needed. At about 10pm Sunday night my computer started fussing at me (wanting to change the registry constantly), and this was followed by massive pop-ups. I keep my computer in good shape (I thought), so I knew right away something got me. At that time I was using Avast Antivirus and Spyware Search & Destroy. Neither program found anything; however, a program I didn't even know I had found lots... Luckily I was suspicious of that and stayed away, because I found out later that it was actually part of the virus.

I installed McAfee (and uninstalled the other 2)... still nothing found.
Installed various other programs, including VundoFix, which picked up 3 instances but couldn't keep them away.
I saw a lot of people were having good luck with Spyware Doctor, so I downloaded that, and after the search came up positive I bought the program (I was desperate and it was now 3am). This program keeps coming up with 1 threat and 39 infections, but after I restart they essentially come back.

Here are some specific problems I'm having:
"userinit.exe error... the application failed to initialize properly..." after starting up. I don't see the start bar or icons, just the background. I use CTRL+ALT+DEL to bring up Task Manager and run explorer and any other programs.
"rundll32.exe" error when I attempt to turn on the firewall, or do anything related to the firewall (through Control Panel or Networking).

I managed to stop a few .dlls from starting up via msconfig; I wasn't too sure about the Services, though.
After running Kaspersky I deleted everything that came up infected except edniuj.dll... I have yet to be able to delete this one; it must be the one that is in use.
I haven't restarted since DSS; I just wanted to get this post out and going... This problem is very frustrating. I can't think of anything to add; the logs are as follows.

Thanks in advance for any help anyone can give!
-Layla

Deckard's System Scanner v20071014.68
Run by Layla on 2008-08-04 17:10:19
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
95: 2008-08-04 22:10:24 UTC - RP570 - Deckard's System Scanner Restore Point
94: 2008-08-04 22:09:20 UTC - RP569 - Spyware Doctor: Cleaning Threats
93: 2008-08-04 20:19:33 UTC - RP568 - Spyware Doctor: Cleaning Threats
92: 2008-08-04 19:01:13 UTC - RP567 - Spyware Doctor: Cleaning Threats
91: 2008-08-04 10:52:18 UTC - RP566 - Spyware Doctor: Cleaning Threats


-- First Restore Point --
1: 2008-08-04 03:27:59 UTC - RP476 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as Layla.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:12:33 PM, on 8/4/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\Program Files\McAfee\VirusScan\McShield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\SiteAdvisor\6172\SAService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Documents and Settings\Layla\Desktop\dss(3).exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Layla.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6172\SiteAdv.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: (no name) - {C1C2C936-E189-40ED-AF26-260DFD8CA19E} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6172\SiteAdv.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: BOINC Manager.lnk = C:\Program Files\BOINC\boincmgr.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1179937524250
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1187969977359
O20 - AppInit_DLLs: edniuj.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\McShield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6172\SAService.exe
O24 - Desktop Component 0: Privacy Protection - (no file)

--
End of file - 7853 bytes

-- File Associations -----------------------------------------------------------

.txt - txtfile - DefaultIcon - C:\WINDOWS\Icons\Windows-Black\Windows Black.icl,26


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R2 ANIO (ANIO Service) - c:\windows\system32\anio.sys <Not Verified; Alpha Networks Inc.; ANIO (NT5) Driver>
R3 AtcL001 (NDIS Miniport Driver for Attansic L1 Gigabit Ethernet Adapter) - c:\windows\system32\drivers\atl01_xp.sys <Not Verified; Attansic Technology corporation.; Attansic L1 Gigabit Ethernet Controller>

S3 pgfilter - c:\program files\peerguardian2\pgfilter.sys


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 ANIWZCSdService (ANIWZCSd Service) - c:\program files\ani\aniwzcs2 service\aniwzcsds.exe <Not Verified; Alpha Networks Inc.; ANIWZCS2 Service Launcher (NT)>
R2 Bonjour Service - "c:\program files\bonjour\mdnsresponder.exe" <Not Verified; Apple Inc.; Bonjour>


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2008-08-04 17:01:46 312 --a------ C:\WINDOWS\Tasks\GlaryInitialize.job
2008-08-04 02:41:37 332 --a------ C:\WINDOWS\Tasks\McQcTask.job
2008-08-04 02:41:37 340 --a------ C:\WINDOWS\Tasks\McDefragTask.job
2008-08-02 12:29:02 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
2008-08-01 17:15:00 390 --a------ C:\WINDOWS\Tasks\1-Click Maintenance.job
2008-07-26 13:23:51 436 --a------ C:\WINDOWS\Tasks\EasyShare Registration Task.job


-- Files created between 2008-07-04 and 2008-08-04 -----------------------------

2008-08-04 17:12:19 0 d-------- C:\Program Files\Trend Micro
2008-08-04 13:46:48 0 d-------- C:\Program Files\Enigma Software Group
2008-08-04 05:01:51 0 --a------ C:\WINDOWS\ativpsrm.bin
2008-08-04 04:52:56 0 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-08-04 04:52:45 0 d-------- C:\Program Files\Spyware Doctor
2008-08-04 04:52:45 0 d-------- C:\Documents and Settings\Layla\Application Data\PC Tools
2008-08-04 03:29:34 0 d-------- C:\VundoFix Backups
2008-08-04 02:47:07 0 d-------- C:\Documents and Settings\All Users\Application Data\SecTaskMan
2008-08-04 02:47:00 0 d-------- C:\Program Files\Security Task Manager
2008-08-04 02:42:09 0 d-------- C:\Documents and Settings\LocalService\Desktop
2008-08-04 02:42:09 0 d-------- C:\Documents and Settings\LocalService\Application Data\SiteAdvisor
2008-08-04 01:06:42 0 d-------- C:\Program Files\SiteAdvisor
2008-08-04 01:06:42 0 d-------- C:\Documents and Settings\Layla\Application Data\SiteAdvisor
2008-08-04 01:06:42 0 d-------- C:\Documents and Settings\All Users\Application Data\SiteAdvisor
2008-08-04 01:01:13 0 d-------- C:\Program Files\McAfee.com
2008-08-04 01:00:48 0 d-------- C:\Program Files\Common Files\McAfee
2008-08-04 01:00:41 0 d-------- C:\Program Files\McAfee
2008-08-04 00:02:57 0 d-------- C:\Documents and Settings\All Users\Application Data\McAfee
2008-08-03 22:29:11 100864 -----n--- C:\WINDOWS\system32\edniuj.dll
2008-08-03 22:27:48 5916 --ahs---- C:\WINDOWS\system32\MmUvxyay.ini2
2008-08-03 22:19:42 0 d-------- C:\Documents and Settings\All Users\Application Data\services
2008-08-03 22:17:37 0 d-------- C:\Documents and Settings\All Users\Application Data\Secure Solutions
2008-08-02 12:34:20 0 d-------- C:\Program Files\iPod
2008-08-02 12:34:16 0 d-------- C:\Program Files\iTunes
2008-07-26 13:29:28 0 d-------- C:\Program Files\Bonjour
2008-07-26 13:28:24 0 d-------- C:\Program Files\QuickTime
2008-07-23 20:40:05 0 d-------- C:\Documents and Settings\All Users\Application Data\Advanced Chemistry Development
2008-07-23 20:39:05 0 d-------- C:\Program Files\ACDFREE11


-- Find3M Report ---------------------------------------------------------------

2008-08-04 17:11:29 0 d-------- C:\Program Files\BOINC
2008-08-04 04:32:29 0 d-------- C:\Documents and Settings\Layla\Application Data\GetRightToGo
2008-08-04 04:32:29 0 d-------- C:\Documents and Settings\Layla\Application Data\Azureus
2008-08-04 01:00:48 0 d-------- C:\Program Files\Common Files
2008-08-04 00:48:08 0 d-------- C:\Program Files\Alwil Software
2008-08-03 23:49:47 0 d-------- C:\Program Files\PeerGuardian2
2008-07-19 18:44:14 0 d-------- C:\Program Files\NCH Swift Sound
2008-07-19 18:41:34 0 d-------- C:\Documents and Settings\Layla\Application Data\NCH Swift Sound
2008-07-12 23:32:51 3532 --a------ C:\drmHeader.bin
2008-07-03 23:43:07 0 d-------- C:\Program Files\Azureus
2008-06-28 12:47:52 0 d-------- C:\Documents and Settings\Layla\Application Data\Skinux
2008-06-28 12:45:32 0 d-------- C:\Program Files\Common Files\Kodak
2008-06-27 19:29:29 0 d-------- C:\Program Files\Xvid
2008-06-27 14:37:19 0 d-------- C:\Program Files\DivX
2008-06-18 21:11:38 68224 --a------ C:\logfile
2008-06-13 11:08:43 0 d-------- C:\Documents and Settings\Layla\Application Data\Xfire
2008-06-13 10:55:04 0 d---s---- C:\Program Files\Xfire
2008-06-13 00:27:02 0 dr-h----- C:\Documents and Settings\Layla\Application Data\SecuROM
2008-06-13 00:14:11 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-06-13 00:13:54 0 d-------- C:\Program Files\Atari
2008-06-06 21:40:16 0 d-------- C:\Program Files\AC3Filter
2008-06-05 12:16:01 104400 --a------ C:\Documents and Settings\Layla\Application Data\GDIPFONTCACHEV1.DAT
2008-06-04 22:00:17 0 d-------- C:\Program Files\JAlbumWin
2008-05-30 18:22:48 802816 --a------ C:\WINDOWS\system32\divx_xx11.dll <Not Verified; DivX, Inc.; DivX®>
2008-05-30 18:22:48 823296 --a------ C:\WINDOWS\system32\divx_xx0c.dll <Not Verified; DivX, Inc.; DivX®>
2008-05-30 18:22:48 823296 --a------ C:\WINDOWS\system32\divx_xx07.dll <Not Verified; DivX, Inc.; DivX®>
2008-05-30 18:22:46 815104 --a------ C:\WINDOWS\system32\divx_xx0a.dll <Not Verified; DivX, Inc.; DivX®>
2008-05-30 18:22:46 683520 --a------ C:\WINDOWS\system32\DivX.dll <Not Verified; DivX, Inc.; DivX®>
2008-05-22 17:22:18 3596288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2008-05-22 17:19:46 196608 --a------ C:\WINDOWS\system32\dtu100.dll <Not Verified; DivX, Inc.; DivX, Inc. dtu100>
2008-05-22 17:19:46 81920 --a------ C:\WINDOWS\system32\dpl100.dll <Not Verified; DivX, Inc.; DivX, Inc. dpl100>
2008-05-22 17:18:54 12288 --a------ C:\WINDOWS\system32\DivXWMPExtType.dll
2008-05-04 14:05:41 1555 --a------ C:\Documents and Settings\Layla\Application Data\WWB7_32.DAT


-- Registry Dump ---------------------------------------------------------------



-- Hosts -----------------------------------------------------------------------

127.0.0.1 007guard.com
127.0.0.1 www.007guard.com
127.0.0.1 008i.com
127.0.0.1 008k.com
127.0.0.1 www.008k.com
127.0.0.1 00hq.com
127.0.0.1 www.00hq.com
127.0.0.1 010402.com
127.0.0.1 032439.com
127.0.0.1 www.032439.com

6775 more entries in hosts file.


-- End of Deckard's System Scanner: finished at 2008-08-04 17:13:29 ------------

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Home Edition (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel® Pentium® 4 CPU 3.00GHz
CPU 1: Intel® Pentium® 4 CPU 3.00GHz
Percentage of Memory in Use: 29%
Physical Memory (total/avail): 2047.17 MiB / 1438.59 MiB
Pagefile Memory (total/avail): 3943.65 MiB / 3166.52 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1920.14 MiB

C: is Fixed (NTFS) - 232.88 GiB total, 153.64 GiB free.
D: is CDROM (CDFS)

\\.\PHYSICALDRIVE0 - WDC WD2500JS-19NCB1 - 232.88 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 232.88 GiB - C:



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is disabled.

AntiVirusDisableNotify is set.
FirewallDisableNotify is set.

FW: McAfee Personal Firewall v (McAfee)
AV: McAfee VirusScan v (McAfee)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
"C:\\Program Files\\Azureus\\Azureus.exe"="C:\\Program Files\\Azureus\\Azureus.exe:*:Enabled:Azureus"
"C:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"="C:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe:*:Enabled:Kodak Software Updater"
"C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"="C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe:*:Enabled:EasyShare"
"C:\\Program Files\\Microsoft Games\\Age of Empires III\\age3.exe"="C:\\Program Files\\Microsoft Games\\Age of Empires III\\age3.exe:*:Enabled:Age of Empires 3"
"C:\\Program Files\\Microsoft Games\\Age of Empires III\\age3x.exe"="C:\\Program Files\\Microsoft Games\\Age of Empires III\\age3x.exe:*:Enabled:Age of Empires III - The WarChiefs"
"C:\\Program Files\\NetMeeting\\conf.exe"="C:\\Program Files\\NetMeeting\\conf.exe:*:Enabled:Windows® NetMeeting®"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Google\\Google Talk\\googletalk.exe"="C:\\Program Files\\Google\\Google Talk\\googletalk.exe:*:Enabled:Google Talk"
"C:\\Program Files\\Atari\\Neverwinter Nights 2\\nwn2main.exe"="C:\\Program Files\\Atari\\Neverwinter Nights 2\\nwn2main.exe:*:Enabled:Neverwinter Nights 2 Main"
"C:\\Program Files\\Atari\\Neverwinter Nights 2\\nwn2main_amdxp.exe"="C:\\Program Files\\Atari\\Neverwinter Nights 2\\nwn2main_amdxp.exe:*:Enabled:Neverwinter Nights 2 AMD"
"C:\\Program Files\\Atari\\Neverwinter Nights 2\\nwupdate.exe"="C:\\Program Files\\Atari\\Neverwinter Nights 2\\nwupdate.exe:*:Enabled:Neverwinter Nights 2 Updater"
"C:\\Program Files\\Atari\\Neverwinter Nights 2\\nwn2server.exe"="C:\\Program Files\\Atari\\Neverwinter Nights 2\\nwn2server.exe:*:Enabled:Neverwinter Nights 2 Server"
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"="C:\\Program Files\\Bonjour\\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"="C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe:*:Enabled:McAfee Network Agent"


-- Environment Variables -------------------------------------------------------



-- User Profiles ---------------------------------------------------------------

Layla (admin)


-- Add/Remove Programs ---------------------------------------------------------



-- Application Event Log -------------------------------------------------------

Event Record #/Type3057 / Warning
Event Submitted/Written: 08/04/2008 05:08:34 AM
Event ID/Source: 1001 / MsiInstaller
Event Description:
Detection of product '{685755F8-C74B-4613-8137-C90AF458228D}', feature 'Main' failed during request for component '{F8E3F37E-A31A-4749-92E4-C2D60EB20E31}'

Event Record #/Type3056 / Warning
Event Submitted/Written: 08/04/2008 05:08:34 AM
Event ID/Source: 1004 / MsiInstaller
Event Description:
Detection of product '{685755F8-C74B-4613-8137-C90AF458228D}', feature 'Main', component '{754DC844-047B-4AD7-ACD0-4CC04383D7A6}' failed. The resource 'C:\Program Files\ATI Technologies\ATI.ACE\dsktop.shr' does not exist.

Event Record #/Type3054 / Warning
Event Submitted/Written: 08/04/2008 05:08:31 AM
Event ID/Source: 1001 / MsiInstaller
Event Description:
Detection of product '{685755F8-C74B-4613-8137-C90AF458228D}', feature 'Main' failed during request for component '{F8E3F37E-A31A-4749-92E4-C2D60EB20E31}'

Event Record #/Type3053 / Warning
Event Submitted/Written: 08/04/2008 05:08:31 AM
Event ID/Source: 1004 / MsiInstaller
Event Description:
Detection of product '{685755F8-C74B-4613-8137-C90AF458228D}', feature 'Main', component '{754DC844-047B-4AD7-ACD0-4CC04383D7A6}' failed. The resource 'C:\Program Files\ATI Technologies\ATI.ACE\dsktop.shr' does not exist.

Event Record #/Type3051 / Warning
Event Submitted/Written: 08/04/2008 05:08:24 AM
Event ID/Source: 1001 / MsiInstaller
Event Description:
Detection of product '{685755F8-C74B-4613-8137-C90AF458228D}', feature 'Main' failed during request for component '{F8E3F37E-A31A-4749-92E4-C2D60EB20E31}'



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type8637 / Warning
Event Submitted/Written: 08/04/2008 02:05:39 PM
Event ID/Source: 4226 / Tcpip
Event Description:
TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.

Event Record #/Type8599 / Error
Event Submitted/Written: 08/04/2008 05:00:44 AM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1084" attempting to start the service EventSystem with arguments ""
in order to run the server:
{1BE1F766-5536-11D1-B726-00C04FB926AF}

Event Record #/Type8595 / Error
Event Submitted/Written: 08/04/2008 04:52:17 AM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1084" attempting to start the service McNASvc with arguments ""
in order to run the server:
{24F616A1-B755-4053-8018-C3425DC8B68A}

Event Record #/Type8594 / Error
Event Submitted/Written: 08/04/2008 04:52:16 AM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1084" attempting to start the service McNASvc with arguments ""
in order to run the server:
{24F616A1-B755-4053-8018-C3425DC8B68A}

Event Record #/Type8593 / Error
Event Submitted/Written: 08/04/2008 04:50:20 AM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1084" attempting to start the service EventSystem with arguments ""
in order to run the server:
{1BE1F766-5536-11D1-B726-00C04FB926AF}



-- End of Deckard's System Scanner: finished at 2008-08-04 17:13:29 ------------
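A triage script for the two log formats posted above, added here as an example; it is not part of the original post, of HijackThis or of DSS. It flags the O20 AppInit_DLLs entry and the "(no file)" registrations in a HijackThis log, then cross-references the DLL against the DSS "Files created" table to pull out its creation time and any hidden+system file written alongside it. The sample lines are constructed to mirror the post's entries, and all function and variable names are my own.

```python
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed sample lines in the HijackThis 2.0.2 log format seen in the post above.
SAMPLE_HJT = """\
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\\Program Files\\McAfee\\VirusScan\\scriptsn.dll
O2 - BHO: (no name) - {C1C2C936-E189-40ED-AF26-260DFD8CA19E} - (no file)
O4 - HKLM\\..\\Run: [ISTray] "C:\\Program Files\\Spyware Doctor\\pctsTray.exe"
O20 - AppInit_DLLs: edniuj.dll
O24 - Desktop Component 0: Privacy Protection - (no file)
"""

# Constructed sample lines in the DSS "Files created" format: date time size attributes path.
SAMPLE_DSS = """\
2008-08-04 05:01:51 0 --a------ C:\\WINDOWS\\ativpsrm.bin
2008-08-03 22:29:11 100864 -----n--- C:\\WINDOWS\\system32\\edniuj.dll
2008-08-03 22:27:48 5916 --ahs---- C:\\WINDOWS\\system32\\MmUvxyay.ini2
2008-07-26 13:28:24 0 d-------- C:\\Program Files\\QuickTime
"""

HJT_LINE = re.compile(r"^(?P<code>[RFO]\d+) - (?P<body>.*)$")
DSS_LINE = re.compile(
    r"^(?P<stamp>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<size>\d+) "
    r"(?P<attr>[-a-z]{9}) (?P<path>.+)$"
)


@dataclass
class Finding:
    code: str                                    # HijackThis section code, e.g. "O20"
    reason: str
    line: str
    dlls: list = field(default_factory=list)     # DLL names from an AppInit_DLLs value
    related: list = field(default_factory=list)  # DSS file entries attached by correlate()


def triage_hjt(text):
    """Return the HijackThis entries that deserve a closer look.

    Flagged: any non-empty O20 AppInit_DLLs value (Windows loads that DLL into
    every process that maps user32.dll, which is why the file is always 'in use'
    and cannot be deleted from the running session), and O2/O24 registrations
    whose target is '(no file)', i.e. leftovers of something already removed.
    """
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        m = HJT_LINE.match(line)
        if not m:
            continue
        code, body = m.group("code"), m.group("body")
        if code == "O20" and body.startswith("AppInit_DLLs:"):
            dlls = [d for d in re.split(r"[,;\s]+", body.split(":", 1)[1]) if d]
            if dlls:
                findings.append(Finding(code, "AppInit_DLLs loads a DLL into every GUI process", line, dlls))
        elif code in ("O2", "O24") and body.endswith("(no file)"):
            findings.append(Finding(code, "registration points at a missing file", line))
    return findings


def parse_dss_files(text):
    """Parse the DSS 'Files created' table into dicts with a datetime and int size."""
    entries = []
    for raw in text.splitlines():
        m = DSS_LINE.match(raw.strip())
        if m:
            e = m.groupdict()
            e["when"] = datetime.strptime(e.pop("stamp"), "%Y-%m-%d %H:%M:%S")
            e["size"] = int(e["size"])
            entries.append(e)
    return entries


def correlate(findings, dss_entries, window=timedelta(minutes=30)):
    """Attach DSS entries to each AppInit_DLLs finding: the DLL itself (matched by
    file name) plus any hidden+system file ('h' and 's' in the attribute string)
    created within `window` of it, since droppers often write a data file next to
    the loader DLL a few minutes apart."""
    for f in findings:
        for name in f.dlls:
            hits = [e for e in dss_entries if e["path"].lower().endswith("\\" + name.lower())]
            for d in hits:
                f.related.append(d)
                for e in dss_entries:
                    if e is d or "h" not in e["attr"] or "s" not in e["attr"]:
                        continue
                    if abs(e["when"] - d["when"]) <= window:
                        f.related.append(e)
    return findings


def run(hjt_text=SAMPLE_HJT, dss_text=SAMPLE_DSS):
    return correlate(triage_hjt(hjt_text), parse_dss_files(dss_text))


if __name__ == "__main__":
    for f in run():
        print(f"[{f.code}] {f.reason}\n    {f.line}")
        for e in f.related:
            print(f"    -> {e['when']} {e['attr']} {e['size']:>7} {e['path']}")
```

On the constructed sample the O20 finding comes back with edniuj.dll (created 22:29:11) and the hidden+system MmUvxyay.ini2 written 83 seconds earlier, which is the pairing a helper would want to see before deciding what to remove.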



#2 layladee


Posted 04 August 2008 - 08:15 PM

Not sure if anyone is going to have a go with this one, but I have made some progress with it myself... so I thought I would update, and perhaps offer advice if anyone happens to be in the same boat.

I booted from my WinXP disk and went into DOS in order to delete that one file that I couldn't (edniuj.dll). After starting back up I just about screamed because I didn't get those userinit.exe errors. I also saw the start bar and icons pop up. I have yet to get any rundll32.exe errors, so I got the firewall going. The only thing that looks off is that after a minute or two the desktop background disappears and is replaced with what looks like the inside of an Explorer folder, complete with a couple of extra clickable icons.

I also went into regedit and searched for anything with MS Juan, found a couple of hits, and deleted those.
I am currently running Kaspersky again; so far, at 35%, nothing.

I would certainly appreciate any other insight on getting rid of or clearing up other places this bug might be hiding.
I imagine I'm not out of the woods yet?

I will post the resulting logs here when they are done.
-Layla

#3 layladee


Posted 05 August 2008 - 10:42 PM

This is my most recent scan; I think I have removed the Vundo from my system. Earlier today Kaspersky reported Spyware Doctor had a backdoor with klg.dat, so I deleted the file, uninstalled Spyware Doctor, and cleaned the registry.
I reinstalled Spyware Doctor, and it seems there is the same problem. Is this a false positive or something I should be concerned with?

I am not going to alter my computer or mess with anything else until I hear from someone.
Thank you,
Layla


--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Tuesday, August 5, 2008
Operating System: Microsoft Windows XP Home Edition Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Wednesday, August 06, 2008 01:38:15
Records in database: 1058727
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - Critical Areas:
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
C:\Documents and Settings\Layla\Start Menu\Programs\Startup
C:\Program Files
C:\WINDOWS

Scan statistics:
Files scanned: 79934
Threat name: 1
Infected objects: 47
Suspicious objects: 0
Duration of the scan: 01:38:25


File name / Threat name / Threats count
C:\Program Files\Spyware Doctor\klg.dat/C:\Program Files\Spyware Doctor\klg.dat Infected: Backdoor.Win32.Hupigon.dcvh 46
C:\Program Files\Spyware Doctor\klg.dat Infected: Backdoor.Win32.Hupigon.dcvh 1

The selected area was scanned.



Deckard's System Scanner v20071014.68
Run by Layla on 2008-08-05 22:32:24
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as Layla.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:32:51 PM, on 8/5/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\BOINC\boincmgr.exe
C:\Program Files\BOINC\boinc.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\Program Files\McAfee\VirusScan\McShield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\SiteAdvisor\6172\SAService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\Program Files\BOINC\projects\einstein.phys.uwm.edu\einstein_S5R4_6.04_windows_intelx86.exe
C:\Program Files\BOINC\projects\setiathome.berkeley.edu\setiathome_5.27_windows_intelx86.exe
C:\Program Files\BOINC\projects\einstein.phys.uwm.edu\einstein_S5R4_6.04_windows_intelx86_1.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Layla\Local Settings\Temp\jkos-Layla\binaries\ScanningProcess.exe
C:\Documents and Settings\Layla\Local Settings\Temp\jkos-Layla\binaries\ScanningProcess.exe
C:\Documents and Settings\Layla\Desktop\Downloaded From Foxfire\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Layla.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6172\SiteAdv.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6172\SiteAdv.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: BOINC Manager.lnk = C:\Program Files\BOINC\boincmgr.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1179937524250
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1187969977359
O20 - AppInit_DLLs: ,
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\McShield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6172\SAService.exe
O24 - Desktop Component 0: Privacy Protection - (no file)

--
End of file - 8404 bytes

-- Files created between 2008-07-05 and 2008-08-05 -----------------------------

2008-08-05 20:01:42 0 d-------- C:\WINDOWS\LastGood
2008-08-05 16:43:48 0 d-------- C:\Program Files\Spyware Doctor
2008-08-05 16:43:48 0 d-------- C:\Documents and Settings\Layla\Application Data\PC Tools
2008-08-05 01:42:27 520192 -----n--- C:\WINDOWS\system32\ati2sgag.exe <Not Verified; ; ATI Smart>
2008-08-05 01:42:00 0 d-------- C:\Program Files\ATI Technologies
2008-08-04 21:24:45 0 d-------- C:\ATI
2008-08-04 17:12:19 0 d-------- C:\Program Files\Trend Micro
2008-08-04 13:46:48 0 d-------- C:\Program Files\Enigma Software Group
2008-08-04 05:01:51 0 --a------ C:\WINDOWS\ativpsrm.bin
2008-08-04 04:52:56 0 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-08-04 02:47:07 0 d-------- C:\Documents and Settings\All Users\Application Data\SecTaskMan
2008-08-04 02:47:00 0 d-------- C:\Program Files\Security Task Manager
2008-08-04 02:42:09 0 d-------- C:\Documents and Settings\LocalService\Desktop
2008-08-04 02:42:09 0 d-------- C:\Documents and Settings\LocalService\Application Data\SiteAdvisor
2008-08-04 01:06:42 0 d-------- C:\Program Files\SiteAdvisor
2008-08-04 01:06:42 0 d-------- C:\Documents and Settings\Layla\Application Data\SiteAdvisor
2008-08-04 01:06:42 0 d-------- C:\Documents and Settings\All Users\Application Data\SiteAdvisor
2008-08-04 01:01:13 0 d-------- C:\Program Files\McAfee.com
2008-08-04 01:00:48 0 d-------- C:\Program Files\Common Files\McAfee
2008-08-04 01:00:41 0 d-------- C:\Program Files\McAfee
2008-08-04 00:02:57 0 d-------- C:\Documents and Settings\All Users\Application Data\McAfee
2008-08-03 22:27:48 5916 --ahs---- C:\WINDOWS\system32\MmUvxyay.ini2
2008-08-03 22:19:42 0 d-------- C:\Documents and Settings\All Users\Application Data\services
2008-08-03 22:17:37 0 d-------- C:\Documents and Settings\All Users\Application Data\Secure Solutions
2008-08-02 12:34:20 0 d-------- C:\Program Files\iPod
2008-08-02 12:34:16 0 d-------- C:\Program Files\iTunes
2008-07-26 13:29:28 0 d-------- C:\Program Files\Bonjour
2008-07-26 13:28:24 0 d-------- C:\Program Files\QuickTime
2008-07-23 20:40:05 0 d-------- C:\Documents and Settings\All Users\Application Data\Advanced Chemistry Development


-- Find3M Report ---------------------------------------------------------------

2008-08-05 22:32:27 0 d-------- C:\Program Files\BOINC
2008-08-05 01:42:44 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-08-05 01:05:48 0 d-------- C:\Program Files\Common Files\ATI Technologies
2008-08-04 22:55:39 0 d-------- C:\Program Files\Glary Utilities
2008-08-04 04:32:29 0 d-------- C:\Documents and Settings\Layla\Application Data\GetRightToGo
2008-08-04 04:32:29 0 d-------- C:\Documents and Settings\Layla\Application Data\Azureus
2008-08-04 01:00:48 0 d-------- C:\Program Files\Common Files
2008-08-04 00:48:08 0 d-------- C:\Program Files\Alwil Software
2008-08-03 23:49:47 0 d-------- C:\Program Files\PeerGuardian2
2008-07-19 18:44:14 0 d-------- C:\Program Files\NCH Swift Sound
2008-07-19 18:41:34 0 d-------- C:\Documents and Settings\Layla\Application Data\NCH Swift Sound
2008-07-12 23:32:51 3532 --a------ C:\drmHeader.bin
2008-07-03 23:43:07 0 d-------- C:\Program Files\Azureus
2008-07-03 21:34:38 48640 --a------ C:\WINDOWS\system32\amdpcom32.dll <Not Verified; Advanced Micro Devices, Inc.; Advanced Micro Devices, Inc. Radeon PCOM Universal Driver>
2008-06-28 12:47:52 0 d-------- C:\Documents and Settings\Layla\Application Data\Skinux
2008-06-28 12:45:32 0 d-------- C:\Program Files\Common Files\Kodak
2008-06-27 19:29:29 0 d-------- C:\Program Files\Xvid
2008-06-27 14:37:19 0 d-------- C:\Program Files\DivX
2008-06-18 21:11:38 68224 --a------ C:\logfile
2008-06-13 11:08:43 0 d-------- C:\Documents and Settings\Layla\Application Data\Xfire
2008-06-13 10:55:04 0 d---s---- C:\Program Files\Xfire
2008-06-13 00:27:02 0 dr-h----- C:\Documents and Settings\Layla\Application Data\SecuROM
2008-06-13 00:13:54 0 d-------- C:\Program Files\Atari
2008-06-06 21:40:16 0 d-------- C:\Program Files\AC3Filter
2008-06-05 12:16:01 104400 --a------ C:\Documents and Settings\Layla\Application Data\GDIPFONTCACHEV1.DAT
2008-05-30 18:22:48 802816 --a------ C:\WINDOWS\system32\divx_xx11.dll <Not Verified; DivX, Inc.; DivX®>
2008-05-30 18:22:48 823296 --a------ C:\WINDOWS\system32\divx_xx0c.dll <Not Verified; DivX, Inc.; DivX®>
2008-05-30 18:22:48 823296 --a------ C:\WINDOWS\system32\divx_xx07.dll <Not Verified; DivX, Inc.; DivX®>
2008-05-30 18:22:46 815104 --a------ C:\WINDOWS\system32\divx_xx0a.dll <Not Verified; DivX, Inc.; DivX®>
2008-05-30 18:22:46 683520 --a------ C:\WINDOWS\system32\DivX.dll <Not Verified; DivX, Inc.; DivX®>
2008-05-22 17:22:18 3596288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2008-05-22 17:19:46 196608 --a------ C:\WINDOWS\system32\dtu100.dll <Not Verified; DivX, Inc.; DivX, Inc. dtu100>
2008-05-22 17:19:46 81920 --a------ C:\WINDOWS\system32\dpl100.dll <Not Verified; DivX, Inc.; DivX, Inc. dpl100>
2008-05-22 17:18:54 12288 --a------ C:\WINDOWS\system32\DivXWMPExtType.dll


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [07/31/2006 11:10 PM C:\WINDOWS\RTHDCPL.exe]
"Alcmtr"="ALCMTR.EXE" [05/02/2005 10:43 PM C:\WINDOWS\Alcmtr.exe]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [11/01/2007 07:12 PM]
"KernelFaultCheck"="C:\WINDOWS\system32\dumprep 0 -k" []
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe" [09/25/2006 09:12 AM]
"ISTray"="C:\Program Files\Spyware Doctor\pctsTray.exe" [07/16/2008 09:16 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 02:56 AM]

C:\Documents and Settings\Layla\Start Menu\Programs\Startup\
BOINC Manager.lnk - C:\Program Files\BOINC\boincmgr.exe [7/4/2007 10:06:20 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=,

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\byXOefEx

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
backup=C:\WINDOWS\pss\Kodak EasyShare software.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BM13e75ca8]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk]
C:\Program Files\Google\Google Talk\googletalk.exe /autostart

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpyHunter Security Suite]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UserFaultCheck]
%systemroot%\system32\dumprep 0 -u

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
"ANIWZCS2Service"=C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe"
"D-Link RangeBooster G WDA-2320"=C:\Program Files\D-Link\RangeBooster G WDA-2320\AirPlusCFG.exe
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"SkyTel"=SkyTel.EXE
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" -atboottime
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe"
"AppleSyncNotifier"=C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

*Newly Created Service* - IKFILESEC
*Newly Created Service* - IKSYSFLT
*Newly Created Service* - IKSYSSEC
*Newly Created Service* - SDAUXSERVICE
*Newly Created Service* - SDCORESERVICE



-- End of Deckard's System Scanner: finished at 2008-08-05 22:34:23 ------------

#4 layladee

Posted 07 August 2008 - 03:35 PM

Okay, I don't see anyone replying to this, ever, and that is okay. I formatted my drive and reinstalled Windows, so problem drastically solved. I just couldn't wait for help any longer. I am someone that is at my PC almost all day.

Upon reinstalling Spyware Doctor and my antivirus program (it is now AVG; McAfee was too slow), the same backdoor trojan (Backdoor.Win32.Hupigon) was found in Spyware Doctor's files, and also in the Windows system32 csrss.exe file. Since I know that this is impossible, I am going to have to rule this as an issue with the antivirus programs confusing the files (the only other option would be that Spyware Doctor is sending out infected copies of its software!). Again, if anyone knows any differently please let me know, but nonetheless those files have been quarantined just in case and I haven't noticed any problems with my system so far (if I had, I think either I or the computer would be out the window :thumbsup: ).

-Layla

#5 teacup61

Posted 15 August 2008 - 11:55 PM

Hello Layla,

Welcome to Bleeping Computer :)

Sorry about the delay. :thumbsup: If you still need help, please post a new HijackThis log to make sure nothing has changed, and I'll be happy to look at it for you.

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Error reading poptart in Drive A: Delete kids y/n?

#6 teacup61

Posted 11 September 2008 - 05:17 PM

Due to the lack of feedback, this topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else, please begin a new topic.