Virtumonde As Well? Gets Around Eh?


  • This topic is locked
3 replies to this topic

#1 WickedGirl
Posted 06 August 2008 - 05:32 PM

Hello! I have tried today to avoid bugging you by reading all the other posts on this topic and trying to follow steps as listed using the tools mentioned. Starting last night, I began getting anti-virus warnings about Virtumonde. I am now so tired, that I don't know if I am clean or not, so I thought I would give in and ask for help. I have been an AVG user, religiously updated for a few years with a hardware firewall in place, but I still seem to have gotten "bugs". Blech! :)

Today, I have run Hijack This, Sophos Antivirus and Rootkit, AVG Antivirus and Rootkit, SuperAntispyware, OTMoveIt, ComboFix, and I attempted to run Kaspersky's Online virus scan, but it was moving too slowly and I have to be able to use my PC this afternoon and evening. I have now finished up with a run of Deckard, and I have posted the main.txt below and attached extra.txt and moved.txt.

One other thing.....regardless of what is now found in the logs of the scanners, I did a reboot a few minutes ago and noticed something. Perhaps this is normal, but I saw msiexec.exe firing up a whole bunch of things as the computer was getting to its desktop but still loading. I have a program called "What's Running" that I use to monitor my processes, and this is where I saw msiexec.exe going to town. Is this anything to be concerned about?

Thank you all so much in advance! :thumbsup:

Deckard's System Scanner v20071014.68
Run by XXXXXX on 2008-08-06 17:38:22
Computer is in Normal Mode.
--------------------------------------------------------------------------------
-- System Restore --------------------------------------------------------------

System Restore is disabled; attempting to re-enable...success.

-- Last 1 Restore Point(s) --
1: 2008-08-06 21:38:30 UTC - RP1 - System Checkpoint

Backed up registry hives.
Performed disk cleanup.

-- HijackThis (run as XXXXXX.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:40:02 PM, on 8/6/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\dmadmin.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\PROGRA~1\MICROS~4\rapimgr.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Documents and Settings\XXXXXX\Desktop\Deckards System Scanner.exe
C:\PROGRA~1\HIJACK~1\XXXXXX.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\WINDOWS\system32\shdocvw.dll
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Windows Installer (MSIServer) - Unknown owner - C:\WINDOWS\system32\msiexec.exe (file missing)
O23 - Service: PsExec (PSEXESVC) - Unknown owner - C:\WINDOWS\PSEXESVC.EXE (file missing)
--
End of file - 2199 bytes

-- HijackThis Fixed Entries (C:\PROGRA~1\HIJACK~1\backups\) --------------------

backup-20080805-152311-299 O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
backup-20080805-152311-508 O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/softwareupdate/su/...031/CTSUEng.cab
backup-20080805-152311-519 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
backup-20080805-152311-602 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
backup-20080805-152311-694 O4 - HKCU\..\Run: [MtdAcqu] "C:\Program Files\Creative\MediaSource5\MtdAcqu.exe" /s
backup-20080805-152311-767 O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) -
backup-20080805-152312-247 O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} (Java Plug-in 1.6.0_03) -
backup-20080805-152312-545 O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
backup-20080805-152313-128 O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
backup-20080805-152313-228 O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
backup-20080805-152313-752 O20 - Winlogon Notify: dimsntfy - %SystemRoot%\System32\dimsntfy.dll (file missing)
backup-20080805-152313-772 O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
backup-20080805-152313-803 O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/softwareupdate/su/...15034/CTPID.cab
backup-20080805-152313-853 O23 - Service: ASN - Unknown owner - C:\DOCUME~1\XXXXXX\LOCALS~1\Temp\ASN.exe (file missing)
backup-20080805-152313-923 O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
backup-20080806-170230-220 O23 - Service: PsExec (PSEXESVC) - Unknown owner - C:\WINDOWS\PSEXESVC.EXE (file missing)
backup-20080806-170230-267 O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
backup-20080806-170230-304 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
backup-20080806-170230-513 O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
backup-20080806-170230-524 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
backup-20080806-170230-530 O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
backup-20080806-170230-607 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
backup-20080806-170230-699 O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
backup-20080806-170230-712 O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
backup-20080806-170230-775 O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
backup-20080806-170230-790 O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
backup-20080806-170230-844 O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
backup-20080806-170230-861 O20 - Winlogon Notify: avgwlntf - C:\WINDOWS\SYSTEM32\avgwlntf.dll
backup-20080806-170230-917 O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

-- File Associations -----------------------------------------------------------

.cpl - cplfile - shell\cplopen\command - rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.cpl - cplfile - shell\runas\command - rundll32.exe shell32.dll,Control_RunDLLAsUser "%1",%*
.ini - UltraEdit.ini - DefaultIcon - unable to read value
.ini - UltraEdit.ini - shell\open\command - notepad.exe %1
.js - UltraEdit.js - DefaultIcon - unable to read value
.js - UltraEdit.js - shell\open\command - "C:\Program Files\IDM Computer Solutions\UltraEdit-32\uedit32.exe" "%1"
.txt - UltraEdit.txt - DefaultIcon - unable to read value
.txt - UltraEdit.txt - shell\open\command - notepad.exe %1

-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 sfdrv01 (StarForce Protection Environment Driver (version 1.x)) - c:\windows\system32\drivers\sfdrv01.sys <Not Verified; Protection Technology; StarForce Protection System>
R0 sfhlp02 (StarForce Protection Helper Driver (version 2.x)) - c:\windows\system32\drivers\sfhlp02.sys <Not Verified; Protection Technology; StarForce Protection System>
R1 ATITool (ATITool Overclocking Utility) - c:\windows\system32\drivers\atitool.sys <Not Verified; W1zzard; ATITool Driver>
R1 SCDEmu - c:\windows\system32\drivers\scdemu.sys <Not Verified; PowerISO Computing, Inc.; scdemu>
R1 vcdrom (Virtual CD-ROM Device Driver) - c:\program files\winxp virtual cd\vcdrom.sys <Not Verified; Microsoft Corporation; VirtualCdRom>
R3 COMMONFX.SYS - c:\windows\system32\drivers\commonfx.sys <Not Verified; Creative Technology Ltd; Creative Audio Product>
R3 CTAUDFX.SYS - c:\windows\system32\drivers\ctaudfx.sys <Not Verified; Creative Technology Ltd; Creative Audio Product>
R3 CTSBLFX.SYS - c:\windows\system32\drivers\ctsblfx.sys <Not Verified; Creative Technology Ltd; Creative Audio Product>

S2 vsdatant - c:\windows\system32\vsdatant.sys (file missing)
S3 atinevxx (ATI WDM Rage Theater Video NSP) - c:\windows\system32\drivers\atinevxx.sys (file missing)
S3 catchme - c:\combofix\catchme.sys (file missing)
S3 COMMONFX - c:\windows\system32\drivers\commonfx.sys <Not Verified; Creative Technology Ltd; Creative Audio Product>
S3 CTAUDFX - c:\windows\system32\drivers\ctaudfx.sys <Not Verified; Creative Technology Ltd; Creative Audio Product>
S3 CTERFXFX - c:\windows\system32\drivers\cterfxfx.sys <Not Verified; Creative Technology Ltd; Creative Audio Product>
S3 CTERFXFX.SYS - c:\windows\system32\drivers\cterfxfx.sys <Not Verified; Creative Technology Ltd; Creative Audio Product>
S3 CTSBLFX - c:\windows\system32\drivers\ctsblfx.sys <Not Verified; Creative Technology Ltd; Creative Audio Product>
S3 krnl_akl - c:\windows\system32\drivers\krnl_akl.sys (file missing)
S3 MagicTune - c:\windows\system32\drivers\mtictwl.sys
S3 MEMSWEEP2 - c:\windows\system32\18.tmp (file missing)
S3 pgfilter - c:\program files\peerguardian2\pgfilter.sys

-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

S2 MSIServer (Windows Installer) - c:\windows\system32\msiexec.exe /v (file missing)
S2 SAVAdminService (Sophos Anti-Virus status reporter) - "c:\program files\sophos\sophos anti-virus\savadminservice.exe" <Not Verified; Sophos Plc; Sophos Anti-Virus>
S2 SAVService (Sophos Anti-Virus) - "c:\program files\sophos\sophos anti-virus\savservice.exe" <Not Verified; Sophos Plc; Sophos Anti-Virus>
S2 Sophos AutoUpdate Service - "c:\program files\sophos\autoupdate\alsvc.exe" <Not Verified; Sophos Plc; Sophos AutoUpdate>
S3 PSEXESVC (PsExec) - c:\windows\psexesvc.exe (file missing)
S4 ASN - c:\docume~1\XXXXXX\locals~1\temp\asn.exe (file missing)
S4 FLEXnet Licensing Service - "c:\program files\common files\macrovision shared\flexnet publisher\fnplicensingservice.exe" <Not Verified; Macrovision Europe Ltd.; FLEXnet Publisher (32 bit)>
S4 GEARSecurity - c:\windows\system32\gearsec.exe <Not Verified; GEAR Software; gearsec>
S4 Tenable Nessus - "c:\program files\tenable\nessus\nessusd.exe" <Not Verified; Tenable Network Security; Nessus Security Scanner>

-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {6BDD1FC1-810F-11D0-BEC7-08002BE2092F}
Description: OHCI Compliant IEEE 1394 Host Controller
Device ID: PCI\VEN_1102&DEV_4001&SUBSYS_00101102&REV_04\4&1F7DBC9F&0&12F0
Manufacturer: IEEE 1394 OHCI Compliant Host Controller Vendor
Name: OHCI Compliant IEEE 1394 Host Controller
PNP Device ID: PCI\VEN_1102&DEV_4001&SUBSYS_00101102&REV_04\4&1F7DBC9F&0&12F0
Service: ohci1394

Class GUID: {6BDD1FC1-810F-11D0-BEC7-08002BE2092F}
Description: Texas Instruments OHCI Compliant IEEE 1394 Host Controller
Device ID: PCI\VEN_104C&DEV_8024&SUBSYS_00000000&REV_00\4&1F7DBC9F&0&50F0
Manufacturer: Texas Instruments
Name: Texas Instruments OHCI Compliant IEEE 1394 Host Controller
PNP Device ID: PCI\VEN_104C&DEV_8024&SUBSYS_00000000&REV_00\4&1F7DBC9F&0&50F0
Service: ohci1394

Class GUID: {4D36E965-E325-11CE-BFC1-08002BE10318}
Description: CD-ROM Drive
Device ID: IDE\CDROMSAMSUNG_CDRW/DVD_SM-348B________________T503____\5&1F2D9038&0&0.0.0
Manufacturer: (Standard CD-ROM drives)
Name: SAMSUNG CDRW/DVD SM-348B
PNP Device ID: IDE\CDROMSAMSUNG_CDRW/DVD_SM-348B________________T503____\5&1F2D9038&0&0.0.0
Service: cdrom

Class GUID: {8ECC055D-047F-11D1-A537-0000F8753ED1}
Description: sptd
Device ID: ROOT\LEGACY_SPTD\0000
Manufacturer:
Name: sptd
PNP Device ID: ROOT\LEGACY_SPTD\0000
Service: sptd

-- Files created between 2008-07-06 and 2008-08-06 -----------------------------

2008-08-06 14:52:00 0 d-------- C:\Program Files\F-VMonde
2008-08-06 14:10:42 0 --a------ C:\Program Files\dir
2008-08-06 13:22:54 68096 --a------ C:\WINDOWS\zip.exe
2008-08-06 13:22:54 49152 --a------ C:\WINDOWS\VFind.exe
2008-08-06 13:22:54 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-08-06 13:22:54 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-08-06 13:22:54 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-08-06 13:22:54 98816 --a------ C:\WINDOWS\sed.exe
2008-08-06 13:22:54 80412 --a------ C:\WINDOWS\grep.exe
2008-08-06 13:22:54 89504 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-08-06 08:42:40 0 dr-h----- C:\Documents and Settings\Administrator\Recent
2008-08-06 00:59:09 0 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-08-06 00:58:58 0 d-------- C:\Program Files\SUPERAntiSpyware
2008-08-06 00:58:58 0 d-------- C:\Documents and Settings\XXXXXX\Application Data\SUPERAntiSpyware.com
2008-08-05 17:51:26 0 d-------- C:\Program Files\msn gaming zone
2008-08-05 17:28:52 0 dr-h----- C:\Documents and Settings\XXXXXX\Recent
2008-08-05 15:48:11 0 d-------- C:\Program Files\Startup List
2008-08-05 15:15:17 0 d-------- C:\Program Files\HiJack This
2008-08-04 16:06:37 0 d-------- C:\Documents and Settings\XXXXXX\paros
2008-08-04 16:06:24 0 d-------- C:\Program Files\Paros
2008-08-04 13:32:37 0 --a------ C:\WINDOWS\system32\RSUYI
2008-08-04 07:20:14 0 d-------- C:\Program Files\Tenable
2008-08-04 06:09:06 0 d-------- C:\Program Files\Common Files\Cisco Systems
2008-08-04 06:09:00 15872 -----n--- C:\WINDOWS\system32\SophosBootTasks.exe <Not Verified; Sophos Plc; Sophos Anti-Virus>
2008-08-04 06:08:49 0 d-------- C:\Documents and Settings\All Users\Application Data\Sophos
2008-08-04 06:07:41 0 d-------- C:\Program Files\Sophos
2008-08-04 01:05:58 0 d-------- C:\Program Files\Current Ports
2008-08-02 20:52:46 0 d-------- C:\Program Files\IDoser v4
2008-08-02 12:52:56 0 d-------- C:\Documents and Settings\XXXXXX\Application Data\Wireshark
2008-08-02 12:50:58 0 d-------- C:\Program Files\WinPcap
2008-08-01 19:12:03 114688 --a------ C:\WINDOWS\system32\CCGNU32.dll <Not Verified; Open Source Telecom; OST Common C++>
2008-08-01 19:12:00 10752 --a------ C:\WINDOWS\system32\aamd532.dll <Not Verified; Almeida & Andrade Ltda; MD5 Maker DLL>
2008-08-01 19:11:58 137216 --a------ C:\WINDOWS\system32\MSDERUN.DLL <Not Verified; Microsoft Corporation; Microsoft Data Environment Runtime 1.0>
2008-08-01 19:11:58 299008 --a------ C:\WINDOWS\system32\MSDBRPTR.DLL <Not Verified; Microsoft Corporation; MSDataReport>
2008-08-01 14:11:34 0 d-------- C:\Documents and Settings\All Users\Application Data\VMware
2008-08-01 13:38:30 0 d-------- C:\Documents and Settings\XXXXXX\.zenmap
2008-08-01 13:37:40 0 d-------- C:\Program Files\Nmap
2008-08-01 07:04:06 0 d-------- C:\Program Files\Microsoft Baseline Security Analyzer 2
2008-08-01 06:13:22 0 d-------- C:\WINDOWS\Prefetch
2008-08-01 06:03:14 0 d-------- C:\WINDOWS\system32\scripting
2008-08-01 06:03:14 0 d-------- C:\WINDOWS\system32\en
2008-08-01 06:03:14 0 d-------- C:\WINDOWS\system32\bits
2008-08-01 06:03:14 0 d-------- C:\WINDOWS\l2schemas
2008-08-01 05:59:20 0 d-------- C:\WINDOWS\BLOCKEDServicePackFiles
2008-07-22 20:27:28 0 d-------- C:\Documents and Settings\XXXXXX\dwhelper
2008-07-15 15:17:58 0 d-------- C:\Program Files\Blighty Design
2008-07-06 21:40:28 0 d-------- C:\Program Files\TrueCrypt
2008-07-06 21:39:25 0 d-------- C:\Documents and Settings\XXXXXX\Application Data\TrueCrypt
2008-07-06 20:28:33 0 d-------- C:\Documents and Settings\XXXXXX\Application Data\Ashampoo
2008-07-06 20:23:18 0 d-------- C:\Documents and Settings\All Users\Application Data\ashampoo
2008-07-06 20:23:04 0 d-------- C:\Program Files\Ashampoo

-- Find3M Report ---------------------------------------------------------------

2008-08-06 16:53:19 0 d-------- C:\Program Files\PeerGuardian2
2008-08-06 15:35:03 0 d-------- C:\Program Files\InstallShield Installation Information
2008-08-06 13:26:33 0 d-------- C:\Program Files\Common Files
2008-08-06 00:58:33 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-08-05 20:56:34 0 d-------- C:\Documents and Settings\XXXXXX\Application Data\AVG7
2008-08-05 12:35:57 0 d-------- C:\Program Files\Creative
2008-08-05 11:19:44 0 d-------- C:\Program Files\PCPCPC
2008-08-04 16:25:49 0 d-------- C:\Program Files\Reg Seeker
2008-08-04 07:02:04 0 d-------- C:\Documents and Settings\XXXXXX\Application Data\gtk-2.0
2008-08-03 23:46:44 0 d-------- C:\Program Files\PWSFPJU
2008-08-02 12:51:08 0 d-------- C:\Program Files\Wireshark
2008-08-01 18:26:37 0 d-------- C:\Program Files\epson
2008-08-01 06:03:51 0 d-------- C:\Program Files\Messenger
2008-08-01 06:03:13 0 d-------- C:\Program Files\Movie Maker
2008-08-01 05:58:56 0 d-------- C:\Program Files\Windows NT
2008-08-01 03:32:07 0 d-------- C:\Program Files\Process Explorer
2008-07-29 19:07:22 0 d-------- C:\Program Files\nLite
2008-07-20 10:05:29 0 d-------- C:\Program Files\EDraw Flowchart
2008-07-08 23:18:19 0 d-------- C:\Program Files\PDF Restrictions Remover
2008-07-07 18:36:38 0 d-------- C:\Program Files\Replay AV 8
2008-07-06 08:57:05 0 d-------- C:\Program Files\Certblaster
2008-07-05 05:31:47 0 d-------- C:\Program Files\THINKFST
2008-07-05 04:42:14 0 d-------- C:\Program Files\TESTOUT
2008-07-05 04:15:34 0 d-------- C:\Program Files\Total Seminars
2008-07-05 04:12:45 0 d-------- C:\Program Files\Secunia Personal Software Inspector
2008-07-05 04:12:29 0 d-------- C:\Program Files\NetMeter
2008-07-05 02:31:02 737280 --a------ C:\WINDOWS\iun6002.exe <Not Verified; Indigo Rose Corporation; Setup Factory 6.0 Runtime Module>
2008-07-05 01:16:11 0 d-------- C:\Program Files\Common Files\xing shared
2008-07-05 01:16:00 0 d-------- C:\Program Files\Common Files\Real
2008-06-30 23:34:57 0 d-------- C:\Documents and Settings\XXXXXX\Application Data\vtc_demo_setup
2008-06-30 23:30:34 0 d-------- C:\Documents and Settings\XXXXXX\Application Data\VTC Preferences Folder
2008-06-30 23:13:10 0 d-------- C:\Documents and Settings\XXXXXX\Application Data\vtcmovies
2008-06-30 23:12:33 0 d-------- C:\Documents and Settings\XXXXXX\Application Data\vtc_language
2008-06-30 14:11:52 0 d-------- C:\Program Files\Common Files\Adobe
2008-06-25 15:42:55 0 d-------- C:\Program Files\Common Files\ODBC
2008-06-22 22:29:52 0 d-------- C:\Program Files\Advanced IP Address Calculator
2008-06-22 21:46:14 0 d-------- C:\Program Files\WildPackets
2008-06-18 12:55:23 0 d-------- C:\Documents and Settings\XXXXXX\Application Data\Sun
2008-06-16 17:45:30 0 d-------- C:\Program Files\doubleTwist
2008-06-16 17:44:44 0 d-------- C:\Program Files\Java
2008-06-16 17:32:13 0 d-------- C:\Program Files\Windows Installer Clean Up
2008-06-16 17:31:58 0 d-------- C:\Program Files\MSECache
2008-06-09 14:03:18 0 d-------- C:\Program Files\Internet Research Scout
2008-06-09 10:51:55 9300 --a------ C:\WINDOWS\mozver.dat
2008-06-08 18:20:57 0 d-------- C:\Program Files\WhatsRunning
2008-06-08 15:06:16 0 d-------- C:\Program Files\Apple Software Update
2008-06-08 15:06:16 0 d-------- C:\Program Files\AIDA32
2008-06-08 15:06:14 0 d-------- C:\Program Files\QuickTime
2008-06-08 15:06:14 0 d-------- C:\Program Files\Microsoft Visual Studio 8
2008-06-08 15:06:13 0 d-------- C:\Program Files\Steam
2008-06-01 23:09:51 563712 --a------ C:\WINDOWS\system32\Redemption.dll <Not Verified; Dmitry Streblechenko; Outlook Redemption>
2008-05-07 01:07:00 7481359 --a------ C:\WINDOWS\system32\AppSetup.exe <Not Verified; Creative Technology Ltd; Creative Self-Extracting>

-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/05/2008 01:05 AM]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\wcescomm.exe" [11/13/2006 02:39 PM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
AutoUpdate Monitor.lnk - C:\Program Files\Sophos\AutoUpdate\ALMon.exe [1/31/2007 11:34:50 AM]
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [11/12/2005 2:31:08 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [05/13/2008 10:13 AM 77824]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\PSEXESVC]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SAVService]
@="service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^XXXXXX^Start Menu^Programs^Startup^TimePanic.lnk]
backup=C:\WINDOWS\pss\TimePanic.lnkStartup


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_CC]
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EasyTuneV]
C:\Program Files\PCPCPC\ET5\GUI.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent]
"C:\Program Files\Microsoft ActiveSync\wcescomm.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
C:\Program Files\PowerISO\PWRISOVM.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
"C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UnlockerAssistant]
"C:\Program Files\Unlocker\UnlockerAssistant.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
C:\Program Files\Windows Media Player\WMPNSCFG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"iPodService"=3 (0x3)
"WMPNetworkSvc"=2 (0x2)
"SQLWriter"=2 (0x2)
"MSSQL$SQLEXPRESS"=2 (0x2)
"MSSQL$MSSMLBIZ"=2 (0x2)
"iPod Service"=3 (0x3)
"GEARSecurity"=2 (0x2)
"CVPND"=2 (0x2)
"Apple Mobile Device"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
eapsvcs eaphost
dot3svc dot3svc

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
napagent
hkmsvc

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{841cb643-4fb5-11da-9dbb-806d6172696f}]
AutoRun\command- D:\setup.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"C:\Program Files\Common Files\LightScribe\LSRunOnce.exe"

-- End of Deckard's System Scanner: finished at 2008-08-06 17:40:53 ------------
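The O23 lines in the HijackThis section above are the part of this log a responder reads first: three services point at a binary HijackThis could not find on disk, two of those run as "Unknown owner", one earlier fixed entry ran out of a user's Temp folder, and one is the service PsExec leaves behind. The script below is an added example, not code from the original post or from HijackThis/DSS. It parses O23 lines of the shape shown in this log (display name with an optional short name in parentheses, owner, image path, optional "(file missing)" suffix; that shape is an assumption drawn from the log, not a documented grammar), recovers the executable from unquoted paths with spaces and trailing arguments, and raises triage flags. The sample lines are copied from the log above; the list of remote-administration service names is an illustrative assumption. A flag is a pointer to check, not a verdict: "(file missing)" is also what a service looks like after a cleanup tool deleted its binary but left the registration.

```python
"""Triage HijackThis 'O23 - Service' lines (added example, not from the page)."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Assumed line shape: O23 - Service: <name> [(short)] - <owner> - <image> [(file missing)]
O23_RE = re.compile(r"O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<image>.+)$")
SHORT_RE = re.compile(r"^(?P<display>.*?)\s*\((?P<short>[^()]+)\)$")
# Heuristic: the executable ends at the first '.exe', which also handles
# unquoted paths containing spaces ('...\Intel 32\IDriverT.exe') and arguments.
EXE_RE = re.compile(r'^"?(?P<exe>.+?\.exe)"?', re.IGNORECASE)

# Assumption: a small illustrative list of remote-administration service names.
# PSEXESVC is the service Sysinternals PsExec installs on the machine it runs on.
REMOTE_ADMIN = {"psexesvc"}

# Sample input: O23 lines copied from the log above (two carry the HijackThis
# backup prefix, which the parser tolerates by searching rather than matching).
SAMPLE_LINES = [
    r"O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe",
    r"O23 - Service: Windows Installer (MSIServer) - Unknown owner - C:\WINDOWS\system32\msiexec.exe (file missing)",
    r"O23 - Service: PsExec (PSEXESVC) - Unknown owner - C:\WINDOWS\PSEXESVC.EXE (file missing)",
    r"backup-20080805-152313-853 O23 - Service: ASN - Unknown owner - C:\DOCUME~1\XXXXXX\LOCALS~1\Temp\ASN.exe (file missing)",
    r"backup-20080806-170230-267 O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe",
]


@dataclass
class ServiceEntry:
    display: str
    short: str
    owner: str
    exe: str
    flags: List[str] = field(default_factory=list)


def split_image(image: str) -> Tuple[str, bool]:
    """Return (executable path, file_missing) from the image-path field."""
    image = image.strip()
    missing = image.endswith("(file missing)")
    if missing:
        image = image[: -len("(file missing)")].rstrip()
    m = EXE_RE.match(image)
    exe = m["exe"] if m else image.split(" ", 1)[0]
    return exe, missing


def parse_o23(line: str) -> Optional[ServiceEntry]:
    """Parse one O23 line into a ServiceEntry with triage flags, or None."""
    m = O23_RE.search(line)
    if not m:
        return None
    display, short = m["name"], ""
    sm = SHORT_RE.match(display)
    if sm:
        display, short = sm["display"], sm["short"]
    exe, missing = split_image(m["image"])
    entry = ServiceEntry(display, short, m["owner"].strip(), exe)

    if missing:                                   # ImagePath points at nothing on disk
        entry.flags.append("file_missing")
    if entry.owner.lower() == "unknown owner":    # no company/version resource on the binary
        entry.flags.append("unknown_owner")
    if re.search(r"\\temp\\", exe, re.IGNORECASE):  # services do not belong in a Temp dir
        entry.flags.append("temp_path")
    base = exe.rsplit("\\", 1)[-1].lower().rsplit(".", 1)[0]
    if short.lower() in REMOTE_ADMIN or base in REMOTE_ADMIN:
        entry.flags.append("remote_admin_tool")
    return entry


def triage(lines: List[str]) -> List[ServiceEntry]:
    """Return entries that raised at least one flag, most-flagged first."""
    entries = [e for e in map(parse_o23, lines) if e is not None]
    return sorted((e for e in entries if e.flags), key=lambda e: -len(e.flags))


if __name__ == "__main__":
    for e in triage(SAMPLE_LINES):
        print(f"{e.short or e.display:<12} {e.exe}  flags={','.join(e.flags)}")
```

Run against the sample lines it lists PSEXESVC and ASN first (three flags each) and MSIServer after them; IDriverT and the FLEXnet service raise nothing. Feed it the O23 lines of any HijackThis log; for the DSS "Services" section the line shape differs and the regex would need adjusting.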

#2 WickedGirl

Posted 06 August 2008 - 08:16 PM

Ummm...help? Please? Somebody, anybody? I seem to be getting ignored. :thumbsup:

Here is my latest Malwarebytes log, which shows clean, but I have not rebooted yet to see if anything hidden reinstalls itself. I am concerned about the MSIexec.exe file. Since I have about five of them, uploading them to somewhere for scanning may not be prudent, especially since multiple home scans show it clean?

Do I need to run a scan of some kind in safe mode now?

Please respond, if only briefly. I need to use my PC but I am concerned about entering banking info, etc. onto it.

Thank you!!!

Edited by WickedGirl, 06 August 2008 - 08:18 PM.


#3 Billy O'Neal (Visual C++ STL Maintainer; Malware Response Team)
Posted 16 August 2008 - 12:14 PM

Hello, WickedGirl.
:thumbsup: to BleepingComputer.com

My name is Billy O'Neal and I will be helping you. (Billy or Bill is fine, if you like.)
Please give me some time to look over your computer's log(s).
Please take note of the following:
  • In the meantime, please refrain from making any changes to your computer.
  • Also, even if things appear to be running better, there is no guarantee that everything is finished. Please continue to check this forum post in order to ensure we get your system completely clean. We do not want to clean you part-way up, only to have the system re-infect itself. :)
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing. I would much rather clarify instructions or explain them differently than have something important broken.
  • Finally, please reply using the button in the lower left hand corner of your screen.
Please run Deckard's System Scanner again, this time using these instructions:
(In the event you lost your copy, you can download a new one from here: Deckard's System Scanner)
  • Click on Start, click on Run
  • Copy and paste the following in the open window and then click OK:
    "%userprofile%\desktop\dss.exe" /config
  • This will open up DSS configuration
  • Click on Check All.
  • Click Scan.
    DSS will now run again.
  • Please post back both logs that open in notepad.
    Main.txt and Extra.txt
Billy3
Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)

#4 Billy O'Neal
Posted 19 August 2008 - 09:35 AM

Hello, WickedGirl.
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please send me or another moderator a PM.

Everyone else please begin a new topic.

Billy3