Virtumonde Trojan


31 replies to this topic

#1 james42519

Posted 07 August 2008 - 06:51 PM

I really don't know what I am doing. All I know is that I can't remove the DLL with that program. It says failed and makes me restart. It scans again and the same thing happens. Sorry if I am doing this wrong. I couldn't get DSS to work on my computer, so I copied the HijackThis thing. I disabled Antispyware 2008 XP in msconfig to make the computer usable. Thanks for the help.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:11:37 PM, on 8/7/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\mIRC\mirc.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [lphce8bj0etav] C:\WINDOWS\system32\lphce8bj0etav.exe
O4 - HKLM\..\Run: [SMrhca8bj0etav] C:\Program Files\rhca8bj0etav\rhca8bj0etav.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [BM3f9da545] Rundll32.exe "C:\WINDOWS\system32\qvdsomph.dll",s
O4 - HKLM\..\Run: [3cae96d9] rundll32.exe "C:\WINDOWS\system32\kplrnbwd.dll",b
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1216687203171
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1216687267687
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...354/mcfscan.cab
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe

--
End of file - 3754 bytes


#2 teacup61 (Malware Response Team)

Posted 07 August 2008 - 07:06 PM

Hello james42519,

Welcome to Bleeping Computer :thumbsup:

This tool is not a toy. If used the wrong way you could trash your computer. Please use only under direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.

1. Download this file - combofix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply please, along with a new HijackThis log.

Note:
Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

You need to get an AntiVirus on that thing. Do you have one in mind?

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!



Error reading poptart in Drive A: Delete kids y/n?

#3 james42519 (Topic Starter)

Posted 07 August 2008 - 07:38 PM

I tried to download those, and when I click on it, it asks what to open it with. The download is called 687474703a2f2f646f776e6c6f61642e626c656570696e67636f6d70757465722e636f6d2f735542732f436f6d626f4669782e657865

#4 teacup61 (Malware Response Team)

Posted 08 August 2008 - 01:12 AM

Did it get downloaded at all? :thumbsup: Your statement was kind of confusing.

Try this one:

Please download Malwarebytes' Anti-Malware from one of these places:
http://www.majorgeeks.com/Malwarebytes_Ant...ware_d5756.html
http://www.besttechie.net/tools/mbam-setup.exe

Double Click mbam-setup.exe to install the application.

* Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select "Perform Quick Scan", then click Scan.
* The scan may take some time to finish, so please be patient.
* When the scan is complete, click OK, then Show Results to view the results.
* Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
* The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
* Copy & paste the entire report in your next reply along with a fresh HijackThis log.

Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Thanks,
tea

#5 james42519 (Topic Starter)

Posted 08 August 2008 - 07:51 AM

Figured out why the other thing wouldn't download. I was going through myproxy.ca and guess it didn't like that. The only reason I noticed was because MajorGeeks told me it can't download through it. OK, I scanned with MBAM. It restarted. Here is the log. I was going to checkmark stuff in HijackThis and click Fix, but thought I would wait to see what's going on.

Malwarebytes' Anti-Malware 1.24
Database version: 1032
Windows 5.1.2600 Service Pack 3

8:41:23 AM 8/8/2008
mbam-log-8-8-2008 (08-41-23).txt

Scan type: Quick Scan
Objects scanned: 42933
Time elapsed: 6 minute(s), 31 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 5
Registry Keys Infected: 21
Registry Values Infected: 5
Registry Data Items Infected: 2
Folders Infected: 17
Files Infected: 36

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\kplrnbwd.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\qoMfEXoo.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\qvdsomph.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\efcDWQig.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\ftmoli.dll (Trojan.Vundo) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1a62dd89-9cb2-4f4c-840e-7428a823fe1f} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{1a62dd89-9cb2-4f4c-840e-7428a823fe1f} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{d2c1dd46-8579-4e1f-9396-b251edb7c5fc} (Trojan.Vundo) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{d2c1dd46-8579-4e1f-9396-b251edb7c5fc} (Trojan.Vundo) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{e525b124-28e1-4d57-b784-b2aabfbbfa66} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{e525b124-28e1-4d57-b784-b2aabfbbfa66} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\labelcommand.labelcommand (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\labelcommand.labelcommand.1 (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18cb1a7b-94cd-4582-8022-ada16851e44b} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Secure Solutions (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\winhdn32 (Dialer) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Software Notifier (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\dslcnnct (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\IProxyProvider (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSSMGR (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\3cae96d9 (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bm3f9da545 (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{e525b124-28e1-4d57-b784-b2aabfbbfa66} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lphce8bj0etav (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smrhca8bj0etav (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo) -> Data: c:\windows\system32\qomfexoo -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\qomfexoo -> Delete on reboot.

Folders Infected:
C:\Documents and Settings\James\Application Data\rhca8bj0etav (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\James\Application Data\rhca8bj0etav\Quarantine (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\James\Application Data\rhca8bj0etav\Quarantine\Autorun (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\James\Application Data\rhca8bj0etav\Quarantine\Autorun\HKCU (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\James\Application Data\rhca8bj0etav\Quarantine\Autorun\HKCU\RunOnce (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\James\Application Data\rhca8bj0etav\Quarantine\Autorun\HKLM (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\James\Application Data\rhca8bj0etav\Quarantine\Autorun\HKLM\RunOnce (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\James\Application Data\rhca8bj0etav\Quarantine\Autorun\StartMenuAllUsers (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\James\Application Data\rhca8bj0etav\Quarantine\Autorun\StartMenuCurrentUser (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\James\Application Data\rhca8bj0etav\Quarantine\BrowserObjects (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\James\Application Data\rhca8bj0etav\Quarantine\Packages (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Secure Solutions (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Secure Solutions\Antispyware 2008 XP (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Secure Solutions\Antispyware 2008 XP\BASE (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Secure Solutions\Antispyware 2008 XP\DELETED (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Secure Solutions\Antispyware 2008 XP\LOG (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Secure Solutions\Antispyware 2008 XP\SAVED (Rogue.Multiple) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\ftmoli.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\qoMfEXoo.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\ooXEfMoq.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ooXEfMoq.ini2 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\kplrnbwd.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\dwbnrlpk.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\qrogwqpe.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\epqwgorq.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\qvdsomph.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\efcDWQig.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\drvjob.dll (Trojan.Fakealert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\nxgrvcxi.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\xqcanqtl.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\James\Local Settings\Temporary Internet Files\Content.IE5\2F6HDULA\kb671231[1] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\James\Local Settings\Temporary Internet Files\Content.IE5\2F6HDULA\CAPSM9DR (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\James\Local Settings\Temporary Internet Files\Content.IE5\2F6HDULA\8579[1].dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\James\Local Settings\Temporary Internet Files\Content.IE5\3V6XKY0W\CAR6ETRV (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\James\Local Settings\Temporary Internet Files\Content.IE5\U7Z3S8LM\kb456456[1] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\James\Local Settings\Temporary Internet Files\Content.IE5\U7Z3S8LM\CAXCQ1X7 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\James\Local Settings\Temporary Internet Files\Content.IE5\UX5OWXMO\CA3MC3VP (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\James\Local Settings\Temporary Internet Files\Content.IE5\UX5OWXMO\kb65666[1] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\James\Local Settings\Temporary Internet Files\Content.IE5\UX5OWXMO\kb767887[1] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Secure Solutions\Antispyware 2008 XP\as2008xp.exe (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Secure Solutions\Antispyware 2008 XP\LOG\20080807091342734.log (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Secure Solutions\Antispyware 2008 XP\LOG\20080807114853625.log (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Secure Solutions\Antispyware 2008 XP\LOG\20080807115449359.log (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Secure Solutions\Antispyware 2008 XP\LOG\20080807150158906.log (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Secure Solutions\Antispyware 2008 XP\LOG\20080807164659203.log (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Secure Solutions\Antispyware 2008 XP\LOG\20080807165307390.log (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Secure Solutions\Antispyware 2008 XP\LOG\20080807174859468.log (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\Secure Solutions\Antispyware 2008 XP\LOG\20080807183436109.log (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ (Dialer) -> Delete on reboot.
C:\WINDOWS\pskt.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\BM3f9da545.xml (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\BM3f9da545.txt (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\services\services.dll (Trojan.Agent) -> Quarantined and deleted successfully.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:47:30 AM, on 8/8/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: (no name) - {2D3F17AF-31E6-4CF4-B2EC-E8B5E1A2D6C5} - C:\WINDOWS\system32\efcBuuVL.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {748EC4E9-1F8F-4218-9F67-69F3E30D1B00} - C:\WINDOWS\system32\geBtQjJD.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7C8C2287-0010-4255-82EC-C6427FE56066} - C:\WINDOWS\system32\ddcDtSki.dll (file missing)
O2 - BHO: (no name) - {EA44AC86-651C-4702-8C9D-D2C7776617F3} - C:\WINDOWS\system32\uyvdqsab.dll (file missing)
O2 - BHO: (no name) - {F564113F-D43A-47DE-8BE2-21CFD7445BA2} - C:\WINDOWS\system32\qoMfEXoo.dll (file missing)
O2 - BHO: (no name) - {FA341834-8ED5-4389-8895-35FD7DE62793} - (no file)
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1216687203171
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1216687267687
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...354/mcfscan.cab
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe

--
End of file - 4219 bytes
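
The two HijackThis logs in this thread (post #1 before the Malwarebytes run, post #5 after it) show the pattern a helper reads for: Vundo's HKLM Run values with hex-looking names (BM3f9da545, 3cae96d9) launching rundll32.exe on DLLs in system32, the rogue Antispyware 2008 XP autoruns with generated names (lphce8bj0etav, rhca8bj0etav), and, once the DLLs have been deleted, BHO registrations that point at files that no longer exist. The script below is an added example for this page, not code from the thread, from HijackThis or from Malwarebytes. It embeds the O2/O4 lines of both logs, flags those three patterns, and diffs the two logs to show what the MBAM run removed and what it left behind. The rundll32 allowlist and the random-name heuristic are assumptions tuned to these two logs, not general rules.

```python
import ntpath
import re

# O2/O4 lines copied from the two HijackThis logs in this thread (post #1
# before, post #5 after the Malwarebytes run); the code is example code
# written for this page, not part of HijackThis or Malwarebytes.
HJT_BEFORE = r"""
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [lphce8bj0etav] C:\WINDOWS\system32\lphce8bj0etav.exe
O4 - HKLM\..\Run: [SMrhca8bj0etav] C:\Program Files\rhca8bj0etav\rhca8bj0etav.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [BM3f9da545] Rundll32.exe "C:\WINDOWS\system32\qvdsomph.dll",s
O4 - HKLM\..\Run: [3cae96d9] rundll32.exe "C:\WINDOWS\system32\kplrnbwd.dll",b
"""
HJT_AFTER = r"""
O2 - BHO: (no name) - {2D3F17AF-31E6-4CF4-B2EC-E8B5E1A2D6C5} - C:\WINDOWS\system32\efcBuuVL.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {748EC4E9-1F8F-4218-9F67-69F3E30D1B00} - C:\WINDOWS\system32\geBtQjJD.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7C8C2287-0010-4255-82EC-C6427FE56066} - C:\WINDOWS\system32\ddcDtSki.dll (file missing)
O2 - BHO: (no name) - {EA44AC86-651C-4702-8C9D-D2C7776617F3} - C:\WINDOWS\system32\uyvdqsab.dll (file missing)
O2 - BHO: (no name) - {F564113F-D43A-47DE-8BE2-21CFD7445BA2} - C:\WINDOWS\system32\qoMfEXoo.dll (file missing)
O2 - BHO: (no name) - {FA341834-8ED5-4389-8895-35FD7DE62793} - (no file)
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
"""

LINE_RE = re.compile(r"^(O\d+) - (.*)$")
O4_RE = re.compile(r"(?P<hive>HK\w+)\\\.\.\\(?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)")
RUNDLL32_RE = re.compile(r'(?i)^\s*"?rundll32(?:\.exe)?"?\s+(?P<rest>.*)')
# Assumed allowlist: the only rundll32 launchers belonging to software this
# machine actually has (NVIDIA control panel and tray icon, both in the logs).
KNOWN_RUNDLL32_DLLS = {"nvcpl.dll", "nvmctray.dll"}

def parse_hjt(text):
    """(section, payload) pairs for the O-lines of a HijackThis log."""
    matches = (LINE_RE.match(raw.strip()) for raw in text.splitlines())
    return [m.groups() for m in matches if m]

def rundll32_target(cmd):
    """DLL path a rundll32 command loads, or None if cmd is not rundll32."""
    m = RUNDLL32_RE.match(cmd)
    if not m:
        return None
    rest = m.group("rest").strip()
    return rest[1:].split('"', 1)[0] if rest.startswith('"') else rest.split(",", 1)[0].split()[0]

def first_path(cmd):
    """First token of a Run-key command, honouring quotes (an unquoted path with spaces is cut short)."""
    cmd = cmd.strip()
    return cmd[1:].split('"', 1)[0] if cmd.startswith('"') else cmd.split()[0]

def looks_random(token):
    """Assumed heuristic for generated names such as lphce8bj0etav or
    kplrnbwd: 8+ chars, no separators, letters mixed with digits or no vowels."""
    stem = token.rsplit(".", 1)[0]
    if len(stem) < 8 or re.search(r"[\s_.\-]", stem):
        return False
    mixed = re.search(r"[a-z]", stem, re.I) and re.search(r"\d", stem)
    return bool(mixed) or not re.search(r"[aeiouy]", stem, re.I)

def triage(text):
    """Flag autoruns and BHOs worth a second look; returns (reason, line) pairs."""
    findings = []
    for section, payload in parse_hjt(text):
        line = f"{section} - {payload}"
        if section == "O4" and (m := O4_RE.match(payload)):
            name, cmd = m.group("name"), m.group("cmd")
            dll = rundll32_target(cmd)
            target = ntpath.basename(dll if dll is not None else first_path(cmd))
            if dll is not None and target.lower() not in KNOWN_RUNDLL32_DLLS:
                findings.append(("rundll32 loads a DLL not on the allowlist", line))
            elif looks_random(name) or looks_random(target):
                findings.append(("random-looking autorun name", line))
        elif section == "O2" and payload.endswith(("(file missing)", "(no file)")):
            findings.append(("BHO registered but its file is missing", line))
    return findings

def diff_logs(before, after):
    """O-lines removed and added between two logs of the same machine."""
    b = {f"{s} - {p}" for s, p in parse_hjt(before)}
    a = {f"{s} - {p}" for s, p in parse_hjt(after)}
    return sorted(b - a), sorted(a - b)

if __name__ == "__main__":
    print(*triage(HJT_BEFORE), *triage(HJT_AFTER), sep="\n")
    print(diff_logs(HJT_BEFORE, HJT_AFTER))
```

Run against the embedded lines it reports four findings for the first log (the two generated autorun names and the two rundll32-loaded DLLs) and six for the second (the BHO CLSIDs whose DLLs are gone), and the diff shows 4 entries removed and 8 newly listed, the additions being the whole O2 section, which the first log did not list at all. The "(file missing)" entries are dead registrations: with the DLLs deleted they no longer load, but the CLSID keys are leftovers a cleanup would still remove.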

#6 teacup61 (Malware Response Team)

Posted 08 August 2008 - 03:05 PM

Hello,

Go ahead and run ComboFix anyway, please. :thumbsup:

Thanks,
tea

#7 james42519 (Topic Starter)

Posted 08 August 2008 - 04:22 PM

OK, ran ComboFix. For some reason it made the Spybot TeaTimer restart, and it was asking if I wanted to allow or deny changes. I allowed everything and hope that was the right thing. I was denying stuff every time TeaTimer came up, and maybe it was messing with stuff getting removed. I know I need an antivirus and don't have one in mind. ComboFix did not restart the computer. Don't know if it was supposed to. Going to install Antivir unless you can think of something better.

ComboFix 08-08-08.05 - James 2008-08-08 17:11:37.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.120 [GMT -4:00]
Running from: C:\Documents and Settings\James\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\James\Application Data\macromedia\Flash Player\#SharedObjects\U44TC5T7\interclick.com
C:\Documents and Settings\James\Application Data\macromedia\Flash Player\#SharedObjects\U44TC5T7\interclick.com\ud.sol
C:\Documents and Settings\James\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
C:\Documents and Settings\James\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol
C:\WINDOWS\system32\mcrh.tmp

.
((((((((((((((((((((((((( Files Created from 2008-07-08 to 2008-08-08 )))))))))))))))))))))))))))))))
.

2008-08-08 08:32 . 2008-08-08 08:32 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-08-08 08:32 . 2008-08-08 08:32 <DIR> d-------- C:\Documents and Settings\James\Application Data\Malwarebytes
2008-08-08 08:32 . 2008-08-08 08:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-08-08 08:32 . 2008-07-30 20:07 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-08-08 08:32 . 2008-07-30 20:07 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-08-07 20:16 . 2008-08-07 20:16 75,856 --a------ C:\WINDOWS\system32\kplrnbwd.rar
2008-08-07 20:15 . 2008-08-07 20:15 86,861 --a------ C:\WINDOWS\system32\qvdsomph.rar
2008-08-07 18:10 . 2008-08-07 18:10 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-07 17:41 . 2008-08-07 17:41 <DIR> d-------- C:\Deckard
2008-08-07 16:10 . 2008-08-07 18:56 <DIR> d-------- C:\VundoFix Backups
2008-08-07 15:33 . 2008-08-07 15:33 <DIR> d-------- C:\Documents and Settings\Administrator
2008-08-07 15:26 . 2008-08-07 16:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SITEguard
2008-08-07 15:23 . 2008-08-07 15:23 <DIR> d-------- C:\Program Files\Common Files\iS3
2008-08-07 15:23 . 2008-08-07 16:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\STOPzilla!
2008-08-07 15:07 . 2008-08-07 15:07 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avg7
2008-08-07 11:54 . 2008-08-07 11:54 145 --a------ C:\WINDOWS\system32\winver.bat
2008-08-07 11:48 . 2008-08-08 08:43 26 --a------ C:\WINDOWS\iTouch.ini
2008-08-07 10:06 . 2008-08-07 13:32 385 --a------ C:\WINDOWS\wininit.ini
2008-08-07 09:23 . 2008-08-07 09:23 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-08-07 09:23 . 2008-08-07 09:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-08-07 09:13 . 2008-08-08 08:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\services
2008-08-05 22:56 . 2008-08-05 22:56 <DIR> d-------- C:\WINDOWS\McAfee.com
2008-08-05 16:19 . 2008-08-05 16:19 <DIR> d-------- C:\Program Files\Foxit Software
2008-08-03 15:23 . 2008-08-03 15:23 <DIR> d-------- C:\Temp
2008-08-03 15:23 . 2008-08-03 15:23 <DIR> d-------- C:\Program Files\Cheetah Burner
2008-08-03 15:23 . 2002-01-05 07:37 344,064 --a------ C:\WINDOWS\system32\msvcr70.dll
2008-08-02 13:19 . 2008-08-02 19:29 <DIR> d-------- C:\Program Files\VideoLAN
2008-07-30 11:02 . 2008-07-30 11:05 <DIR> d-------- C:\Program Files\SlySoft
2008-07-29 19:48 . 2008-07-29 19:48 <DIR> d-------- C:\Program Files\Logitech
2008-07-29 19:48 . 2008-07-29 19:48 <DIR> d-------- C:\Program Files\Common Files\Logitech
2008-07-29 19:48 . 2002-01-05 04:38 54,784 --a------ C:\WINDOWS\system32\MSVCI70.DLL
2008-07-29 19:48 . 2004-03-03 09:50 37,887 --------- C:\WINDOWS\system32\drivers\Lhidusb.sys
2008-07-29 19:48 . 2004-03-03 09:50 14,095 --------- C:\WINDOWS\system32\drivers\LCCFLTR.SYS
2008-07-29 19:48 . 2004-03-10 13:42 12,953 --a------ C:\WINDOWS\system32\drivers\itchfltr.sys
2008-07-29 08:16 . 2008-07-29 08:16 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\nView_Profiles
2008-07-29 06:27 . 2008-07-29 06:28 <DIR> d-------- C:\WINDOWS\nview
2008-07-29 06:27 . 2006-10-22 12:22 208,896 --a------ C:\WINDOWS\system32\nvudisp.exe
2008-07-29 06:27 . 2008-08-08 08:43 88,566 --a------ C:\WINDOWS\system32\nvapps.xml
2008-07-29 06:27 . 2006-10-22 12:22 17,056 --a------ C:\WINDOWS\system32\nvdisp.nvu
2008-07-29 06:26 . 2006-10-22 15:06 208,896 --a------ C:\WINDOWS\system32\NVUNINST.EXE
2008-07-29 06:04 . 2008-06-10 02:32 73,728 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-07-29 06:03 . 2008-07-29 06:04 <DIR> d-------- C:\Program Files\Java
2008-07-29 06:03 . 2008-07-29 06:03 <DIR> d-------- C:\Program Files\Common Files\Java
2008-07-29 01:12 . 2008-07-29 01:14 <DIR> d--h----- C:\WINDOWS\msdownld.tmp
2008-07-29 01:12 . 2008-07-29 01:12 <DIR> d-------- C:\WINDOWS\Logs
2008-07-28 18:00 . 2008-07-28 18:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\NVIDIA
2008-07-27 19:27 . 2008-07-29 04:09 <DIR> d-------- C:\Program Files\TrackMania Nations ESWC
2008-07-25 16:48 . 2008-07-25 16:48 1,080 --a------ C:\WINDOWS\system32\settingsbkup.sfm
2008-07-25 16:48 . 2008-07-25 16:48 1,080 --a------ C:\WINDOWS\system32\settings.sfm
2008-07-25 16:43 . 2008-07-25 16:48 <DIR> d-------- C:\WINDOWS\system32\Defaults
2008-07-25 16:43 . 1995-01-13 14:10 149,504 --a------ C:\WINDOWS\system32\MFCANS32.DLL
2008-07-25 16:43 . 1995-01-13 14:10 108,032 --a------ C:\WINDOWS\system32\MFCUIA32.DLL
2008-07-25 16:43 . 2008-07-25 16:48 11 --a------ C:\WINDOWS\SBWIN.INI
2008-07-25 16:42 . 2008-07-25 16:48 <DIR> d-------- C:\WINDOWS\system32\Data
2008-07-25 16:42 . 1999-09-22 23:18 2,259,067 --a------ C:\WINDOWS\system32\default.ecw
2008-07-25 16:42 . 2002-07-19 10:56 270,336 --a------ C:\WINDOWS\system32\SFMS32.DLL
2008-07-25 16:42 . 2001-08-17 22:36 98,304 --a--c--- C:\WINDOWS\system32\dllcache\a3d.dll
2008-07-25 16:42 . 2002-07-19 10:43 65,536 --a------ C:\WINDOWS\system32\a3d.dll
2008-07-25 16:42 . 2002-07-19 11:07 53,248 --a------ C:\WINDOWS\system32\AC3API.DLL
2008-07-25 16:40 . 2008-07-25 16:48 <DIR> d-------- C:\Program Files\Creative
2008-07-25 16:14 . 2008-07-25 16:22 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2008-07-25 16:14 . 2005-02-24 23:35 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe
2008-07-25 16:13 . 2008-06-13 07:05 272,128 --------- C:\WINDOWS\system32\drivers\bthport.sys
2008-07-25 16:13 . 2008-06-13 07:05 272,128 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys
2008-07-24 07:42 . 2008-07-24 07:42 297 --a------ C:\WINDOWS\EReg072.dat
2008-07-24 07:39 . 1998-05-01 13:39 299,008 --a------ C:\WINDOWS\uninst.exe
2008-07-24 07:38 . 2008-07-24 07:38 <DIR> d-------- C:\Documents and Settings\James\WINDOWS
2008-07-24 07:38 . 1998-07-30 12:51 305,152 --a------ C:\WINDOWS\IsUninst.exe
2008-07-24 06:08 . 2008-07-24 06:43 <DIR> d-------- C:\INTRPLAY
2008-07-24 04:14 . 2008-07-24 04:14 56 --a------ C:\WINDOWS\NP8CD.INI
2008-07-23 01:20 . 2006-11-29 13:06 3,426,072 --a------ C:\WINDOWS\system32\d3dx9_32.dll
2008-07-22 22:01 . 2008-07-22 22:01 <DIR> d-------- C:\WINDOWS\system32\Futuremark
2008-07-22 22:01 . 2008-05-29 12:33 27,672 -ra------ C:\WINDOWS\system32\drivers\Entech.sys
2008-07-22 22:00 . 2008-07-22 22:00 <DIR> d-------- C:\WINDOWS\Sun
2008-07-22 15:49 . 2008-08-03 15:23 <DIR> d--h----- C:\Program Files\InstallShield Installation Information
2008-07-22 15:48 . 2008-07-28 17:57 <DIR> d-------- C:\Program Files\Common Files\InstallShield
2008-07-22 00:13 . 2008-07-22 00:13 0 --a------ C:\WINDOWS\iPlayer.INI
2008-07-21 23:47 . 2008-07-21 23:47 <DIR> d-------- C:\Documents and Settings\James\Application Data\CyberLink
2008-07-21 23:47 . 2008-07-21 23:47 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\CyberLink
2008-07-21 23:46 . 2001-03-08 18:30 24,064 --a------ C:\WINDOWS\system32\msxml3a.dll
2008-07-21 23:45 . 2008-07-22 15:49 <DIR> d-------- C:\Program Files\CyberLink
2008-07-21 23:45 . 2003-03-18 20:14 499,712 --a------ C:\WINDOWS\system32\msvcp71.dll
2008-07-21 23:45 . 2003-02-21 04:42 348,160 --a------ C:\WINDOWS\system32\msvcr71.dll
2008-07-21 23:39 . 2008-07-21 23:39 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SlySoft
2008-07-21 21:27 . 2008-07-21 21:27 1,160 --a------ C:\WINDOWS\mozver.dat
2008-07-21 20:41 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2008-07-21 20:41 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-07-21 20:01 . 2008-07-21 20:01 <DIR> d---s---- C:\Documents and Settings\James\UserData
2008-07-21 20:00 . 2008-08-08 08:41 <DIR> d-------- C:\Program Files\mIRC
2008-07-21 17:32 . 2008-07-21 17:32 335 --a------ C:\WINDOWS\mozregistry.dat
2008-07-21 17:16 . 2008-07-21 17:16 <DIR> d-------- C:\Documents and Settings\James\Application Data\Talkback
2008-07-21 17:16 . 2008-07-21 17:16 0 --a------ C:\WINDOWS\nsreg.dat
2008-07-21 08:59 . 2002-07-05 02:54 40,448 -ra------ C:\WINDOWS\system32\drivers\lne100m.sys
2008-07-21 08:44 . 2008-04-14 00:15 26,368 --a--c--- C:\WINDOWS\system32\dllcache\usbstor.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-07 22:41 --------- d-----w C:\Program Files\microsoft frontpage
2008-06-20 17:46 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-06-20 11:51 361,600 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 11:40 138,496 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 11:08 225,856 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-05-30 18:19 507,400 ----a-w C:\WINDOWS\system32\XAudio2_1.dll
2008-05-30 18:18 238,088 ----a-w C:\WINDOWS\system32\xactengine3_1.dll
2008-05-30 18:17 65,032 ----a-w C:\WINDOWS\system32\XAPOFX1_0.dll
2008-05-30 18:17 25,608 ----a-w C:\WINDOWS\system32\X3DAudio1_4.dll
2008-05-30 18:11 467,984 ----a-w C:\WINDOWS\system32\d3dx10_38.dll
2008-05-30 18:11 3,850,760 ----a-w C:\WINDOWS\system32\D3DX9_38.dll
2008-05-30 18:11 1,491,992 ----a-w C:\WINDOWS\system32\D3DCompiler_38.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2005-12-07 22:57 30208]
"LanguageShortcut"="C:\Program Files\CyberLink\PowerDVD\Language\Language.exe" [2006-05-18 11:29 49152]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-10-22 12:22 7700480]
"zBrowser Launcher"="C:\Program Files\Logitech\iTouch\iTouch.exe" [2004-03-18 09:33 892928]
"MSConfig"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2008-04-13 23:42 169984]
"nwiz"="nwiz.exe" [2006-10-22 12:22 1622016 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="NvMCTray.dll" [2006-10-22 12:22 86016 C:\WINDOWS\system32\nvmctray.dll]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"= ctwdm32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
-rahs---- 2008-07-07 09:42 2156368 C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\mIRC\\mirc.exe"=
"C:\\Program Files\\TrackMania Nations ESWC\\TmNationsESWC.exe"=
"C:\\WINDOWS\\system32\\dpvsetup.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - D:\install.EXE id= ver=1.0.0.0

*Newly Created Service* - CATCHME
*Newly Created Service* - PROCEXP90
.
- - - - ORPHANS REMOVED - - - -

BHO-{2D3F17AF-31E6-4CF4-B2EC-E8B5E1A2D6C5} - C:\WINDOWS\system32\efcBuuVL.dll
BHO-{748EC4E9-1F8F-4218-9F67-69F3E30D1B00} - C:\WINDOWS\system32\geBtQjJD.dll
BHO-{7C8C2287-0010-4255-82EC-C6427FE56066} - C:\WINDOWS\system32\ddcDtSki.dll
BHO-{EA44AC86-651C-4702-8C9D-D2C7776617F3} - C:\WINDOWS\system32\uyvdqsab.dll
BHO-{F564113F-D43A-47DE-8BE2-21CFD7445BA2} - C:\WINDOWS\system32\qoMfEXoo.dll
BHO-{FA341834-8ED5-4389-8895-35FD7DE62793} - (no file)
HKLM-Run-AVG7_CC - C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
MSConfigStartUp-s9201 - C:\Documents and Settings\All Users\Application Data\Secure Solutions\Antispyware 2008 XP\as2008xp.exe


.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\James\Application Data\Mozilla\Firefox\Profiles\xxxdq4ek.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.google.com/


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-08 17:13:13
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-08-08 17:14:31
ComboFix-quarantined-files.txt 2008-08-08 21:14:28

Pre-Run: 33,965,039,616 bytes free
Post-Run: 34,267,340,800 bytes free

184 --- E O F --- 2008-07-25 20:23:07

Edited by james42519, 08 August 2008 - 05:11 PM.


#8 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:03:49 AM

Posted 08 August 2008 - 11:28 PM

Hello,

I use AntiVir too. :thumbsup: Go ahead and install it and run a full scan, then post me up a new HijackThis log. How is it running now please?

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!



Error reading poptart in Drive A: Delete kids y/n?

#9 james42519

james42519
  • Topic Starter

  • Members
  • 47 posts
  • Gender:Male
  • Location:pulaski ky
  • Local time:04:49 AM

Posted 09 August 2008 - 12:18 AM

It seems to be alright. I quarantined the stuff Avira found. Kinda wish I had more memory because the antivirus seems kinda slowish with 256 MB RDRAM. Oh well.



Avira AntiVir Personal
Report file date: Saturday, August 09, 2008 00:51

Scanning for 1542139 virus strains and unwanted programs.

Licensed to: Avira AntiVir PersonalEdition Classic
Serial number: 0000149996-ADJIE-0001
Platform: Windows XP
Windows version: (Service Pack 3) [5.1.2600]
Boot mode: Normally booted
Username: SYSTEM
Computer name: JAMES-COMPUTER

Version information:
BUILD.DAT : 8.1.0.326 16933 Bytes 7/11/2008 12:57:00
AVSCAN.EXE : 8.1.4.7 315649 Bytes 6/26/2008 14:57:53
AVSCAN.DLL : 8.1.4.0 40705 Bytes 5/26/2008 13:56:40
LUKE.DLL : 8.1.4.5 164097 Bytes 6/12/2008 18:44:19
LUKERES.DLL : 8.1.4.0 12033 Bytes 5/26/2008 13:58:52
ANTIVIR0.VDF : 6.40.0.0 11030528 Bytes 7/18/2007 16:33:34
ANTIVIR1.VDF : 7.0.5.1 8182784 Bytes 6/24/2008 19:54:15
ANTIVIR2.VDF : 7.0.5.207 2316800 Bytes 8/4/2008 04:46:54
ANTIVIR3.VDF : 7.0.5.234 160256 Bytes 8/8/2008 04:46:58
Engineversion : 8.1.1.19
AEVDF.DLL : 8.1.0.5 102772 Bytes 7/9/2008 14:46:50
AESCRIPT.DLL : 8.1.0.63 311673 Bytes 8/9/2008 04:47:22
AESCN.DLL : 8.1.0.23 119156 Bytes 8/9/2008 04:47:20
AERDL.DLL : 8.1.0.20 418165 Bytes 7/9/2008 14:46:50
AEPACK.DLL : 8.1.2.1 364917 Bytes 8/9/2008 04:47:17
AEOFFICE.DLL : 8.1.0.21 192891 Bytes 8/9/2008 04:47:14
AEHEUR.DLL : 8.1.0.47 1368437 Bytes 8/9/2008 04:47:12
AEHELP.DLL : 8.1.0.15 115063 Bytes 7/9/2008 14:46:50
AEGEN.DLL : 8.1.0.35 315764 Bytes 8/9/2008 04:47:07
AEEMU.DLL : 8.1.0.7 430452 Bytes 8/9/2008 04:47:04
AECORE.DLL : 8.1.1.8 172406 Bytes 8/9/2008 04:47:01
AEBB.DLL : 8.1.0.1 53617 Bytes 4/24/2008 14:50:42
AVWINLL.DLL : 1.0.0.12 15105 Bytes 7/9/2008 14:40:05
AVPREF.DLL : 8.0.2.0 38657 Bytes 5/16/2008 15:28:01
AVREP.DLL : 8.0.0.2 98344 Bytes 8/9/2008 04:46:59
AVREG.DLL : 8.0.0.1 33537 Bytes 5/9/2008 17:26:40
AVARKT.DLL : 1.0.0.23 307457 Bytes 2/12/2008 14:29:23
AVEVTLOG.DLL : 8.0.0.16 119041 Bytes 6/12/2008 18:27:49
SQLITE3.DLL : 3.3.17.1 339968 Bytes 1/22/2008 23:28:02
SMTPLIB.DLL : 1.2.0.23 28929 Bytes 6/12/2008 18:49:40
NETNT.DLL : 8.0.0.1 7937 Bytes 1/25/2008 18:05:10
RCIMAGE.DLL : 8.0.0.51 2371841 Bytes 6/12/2008 19:48:07
RCTEXT.DLL : 8.0.52.0 86273 Bytes 6/27/2008 19:34:37

Configuration settings for the scan:
Jobname..........................: Complete system scan
Configuration file...............: c:\program files\avira\antivir personaledition classic\sysscan.avp
Logging..........................: low
Primary action...................: interactive
Secondary action.................: ignore
Scan master boot sector..........: on
Scan boot sector.................: on
Boot sectors.....................: C:,
Process scan.....................: on
Scan registry....................: on
Search for rootkits..............: off
Scan all files...................: Intelligent file selection
Scan archives....................: on
Recursion depth..................: 20
Smart extensions.................: on
Macro heuristic..................: on
File heuristic...................: medium

Start of the scan: Saturday, August 09, 2008 00:51

The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'mirc.exe' - '1' Module(s) have been scanned
Scan process 'explorer.exe' - '1' Module(s) have been scanned
Scan process 'TeaTimer.exe' - '1' Module(s) have been scanned
Scan process 'alg.exe' - '1' Module(s) have been scanned
Scan process 'RichVideo.exe' - '1' Module(s) have been scanned
Scan process 'nvsvc32.exe' - '1' Module(s) have been scanned
Scan process 'devldr32.exe' - '1' Module(s) have been scanned
Scan process 'iTouch.exe' - '1' Module(s) have been scanned
Scan process 'PDVDServ.exe' - '1' Module(s) have been scanned
Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned
25 processes with 25 modules were scanned

Starting master boot sector scan:
Master boot sector HD0
[INFO] No virus was found!
Master boot sector HD1
[INFO] No virus was found!

Start scanning boot sectors:
Boot sector 'C:\'
[INFO] No virus was found!

Starting to scan the registry.
The registry was scanned ( '53' files ).


Starting the file scan:

Begin scan in 'C:\'
C:\hiberfil.sys
[WARNING] The file could not be opened!
C:\pagefile.sys
[WARNING] The file could not be opened!
C:\Deckard\System Scanner\20080807174907\backup\WINDOWS\temp\gos8D.tmp
[DETECTION] Is the TR/Crypt.PEC2X.Gen Trojan
[NOTE] The file was moved to '491022de.qua'!
C:\Deckard\System Scanner\20080807174907\backup\WINDOWS\temp\win82.exe
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '490b22e1.qua'!
C:\System Volume Information\_restore{627B8981-026A-493B-9B1A-98D2CA2EAC33}\RP43\A0005025.dll
[DETECTION] Is the TR/BHO.Gen Trojan
[NOTE] The file was moved to '48cd24ea.qua'!
C:\System Volume Information\_restore{627B8981-026A-493B-9B1A-98D2CA2EAC33}\RP43\A0005026.dll
[DETECTION] Is the TR/Vundo.Gen Trojan
[NOTE] The file was moved to '48cd24ee.qua'!
C:\System Volume Information\_restore{627B8981-026A-493B-9B1A-98D2CA2EAC33}\RP43\A0005282.dll
[DETECTION] Is the TR/BHO.Gen Trojan
[NOTE] The file was moved to '48cd250d.qua'!
C:\System Volume Information\_restore{627B8981-026A-493B-9B1A-98D2CA2EAC33}\RP44\A0005388.dll
[DETECTION] Is the TR/Crypt.FD.20 Trojan
[NOTE] The file was moved to '48cd251c.qua'!
C:\System Volume Information\_restore{627B8981-026A-493B-9B1A-98D2CA2EAC33}\RP44\A0006401.dll
[DETECTION] Is the TR/Vundo.Gen Trojan
[NOTE] The file was moved to '48cd2525.qua'!
C:\System Volume Information\_restore{627B8981-026A-493B-9B1A-98D2CA2EAC33}\RP44\A0006402.dll
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '48cd2527.qua'!
C:\System Volume Information\_restore{627B8981-026A-493B-9B1A-98D2CA2EAC33}\RP44\A0006403.dll
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '48cd252d.qua'!
C:\System Volume Information\_restore{627B8981-026A-493B-9B1A-98D2CA2EAC33}\RP46\A0009641.dll
[DETECTION] Is the TR/Vundo.Gen Trojan
[NOTE] The file was moved to '48cd253b.qua'!
C:\System Volume Information\_restore{627B8981-026A-493B-9B1A-98D2CA2EAC33}\RP46\A0009642.dll
[DETECTION] Is the TR/Crypt.Morphine.Gen Trojan
[NOTE] The file was moved to '48cd253d.qua'!
C:\System Volume Information\_restore{627B8981-026A-493B-9B1A-98D2CA2EAC33}\RP46\A0009646.dll
[DETECTION] Is the TR/Vundo.Gen Trojan
[NOTE] The file was moved to '48cd253f.qua'!
C:\System Volume Information\_restore{627B8981-026A-493B-9B1A-98D2CA2EAC33}\RP46\A0009660.dll
[DETECTION] Is the TR/Trash.Gen Trojan
[NOTE] The file was moved to '48cd2541.qua'!
C:\System Volume Information\_restore{627B8981-026A-493B-9B1A-98D2CA2EAC33}\RP46\A0009661.dll
[DETECTION] Is the TR/Drop.Softomat.AN Trojan
[NOTE] The file was moved to '48cd2544.qua'!
C:\System Volume Information\_restore{627B8981-026A-493B-9B1A-98D2CA2EAC33}\RP46\A0009662.exe
[DETECTION] Is the TR/Trash.Gen Trojan
[NOTE] The file was moved to '48cd2545.qua'!
C:\System Volume Information\_restore{627B8981-026A-493B-9B1A-98D2CA2EAC33}\RP46\A0009663.dll
[DETECTION] Is the TR/Trash.Gen Trojan
[NOTE] The file was moved to '48cd2547.qua'!
C:\System Volume Information\_restore{627B8981-026A-493B-9B1A-98D2CA2EAC33}\RP46\A0009666.dll
[DETECTION] Is the TR/Trash.Gen Trojan
[NOTE] The file was moved to '48cd2549.qua'!
C:\System Volume Information\_restore{627B8981-026A-493B-9B1A-98D2CA2EAC33}\RP46\A0009667.dll
[DETECTION] Is the TR/Trash.Gen Trojan
[NOTE] The file was moved to '48cd254b.qua'!
C:\System Volume Information\_restore{627B8981-026A-493B-9B1A-98D2CA2EAC33}\RP46\A0009668.dll
[DETECTION] Is the TR/Trash.Gen Trojan
[NOTE] The file was moved to '48cd254e.qua'!
C:\System Volume Information\_restore{627B8981-026A-493B-9B1A-98D2CA2EAC33}\RP46\A0009673.dll
[DETECTION] Is the TR/Trash.Gen Trojan
[NOTE] The file was moved to '48cd2550.qua'!
C:\System Volume Information\_restore{627B8981-026A-493B-9B1A-98D2CA2EAC33}\RP46\A0009674.dll
[DETECTION] Is the TR/Trash.Gen Trojan
[NOTE] The file was moved to '48cd2551.qua'!
C:\System Volume Information\_restore{627B8981-026A-493B-9B1A-98D2CA2EAC33}\RP48\A0009735.exe
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '48cd2557.qua'!
C:\VundoFix Backups\baohyycb.dll.bad
[DETECTION] Is the TR/Vundo.Gen Trojan
[NOTE] The file was moved to '490c258b.qua'!
C:\VundoFix Backups\ddcDtSki.dll.bad
[DETECTION] Is the TR/Vundo.Gen Trojan
[NOTE] The file was moved to '49002590.qua'!
C:\VundoFix Backups\efcBuuVL.dll.bad
[DETECTION] Is the TR/Vundo.Gen Trojan
[NOTE] The file was moved to '49002594.qua'!
C:\VundoFix Backups\efcDWQig.dll.bad
[DETECTION] Is the TR/Vundo.Gen Trojan
[NOTE] The file was moved to '49002596.qua'!
C:\VundoFix Backups\geBtQjJD.dll.bad
[DETECTION] Is the TR/Vundo.Gen Trojan
[NOTE] The file was moved to '48df2597.qua'!
C:\VundoFix Backups\lqyssi.dll.bad
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '491625a5.qua'!
C:\VundoFix Backups\swhdryos.dll.bad
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '490525ae.qua'!
C:\VundoFix Backups\uyvdqsab.dll.bad
[DETECTION] Is the TR/Crypt.Morphine.Gen Trojan
[NOTE] The file was moved to '491325b2.qua'!
C:\WINDOWS\system32\kplrnbwd.rar
[0] Archive type: RAR
--> kplrnbwd.dll
[DETECTION] Is the TR/Crypt.XPACK.Gen Trojan
[NOTE] The file was moved to '49092680.qua'!
C:\WINDOWS\system32\qvdsomph.rar
[0] Archive type: RAR
--> qvdsomph.dll
[DETECTION] Is the TR/Vundo.Gen Trojan
[NOTE] The file was moved to '490126a0.qua'!


End of the scan: Saturday, August 09, 2008 01:09
Used time: 18:15 Minute(s)

The scan has been done completely.

2635 Scanning directories
79253 Files were scanned
32 viruses and/or unwanted programs were found
0 Files were classified as suspicious:
0 files were deleted
0 files were repaired
32 files were moved to quarantine
0 files were renamed
2 Files cannot be scanned
79219 Files not concerned
820 Archives were scanned
2 Warnings
32 Notes




Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:13:19 AM, on 8/9/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\explorer.exe
C:\Program Files\mIRC\mirc.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: (no name) - {18CB1A7B-94CD-4582-8022-ADA16851E44B} - (no file)
O2 - BHO: (no name) - {2D3F17AF-31E6-4CF4-B2EC-E8B5E1A2D6C5} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {6fe38668-6458-4ef8-bfbe-886070183e59} - (no file)
O2 - BHO: (no name) - {748EC4E9-1F8F-4218-9F67-69F3E30D1B00} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7C8C2287-0010-4255-82EC-C6427FE56066} - (no file)
O2 - BHO: (no name) - {E525B124-28E1-4D57-B784-B2AABFBBFA66} - (no file)
O2 - BHO: (no name) - {EA44AC86-651C-4702-8C9D-D2C7776617F3} - (no file)
O2 - BHO: (no name) - {FA341834-8ED5-4389-8895-35FD7DE62793} - (no file)
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\RunOnce: [SpybotDeletingB366] command /c del "C:\WINDOWS\system32\efcDWQig.dll"
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1216687203171
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1216687267687
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...354/mcfscan.cab
O20 - Winlogon Notify: efcDWQig - C:\WINDOWS\
O20 - Winlogon Notify: winhdn32 - C:\WINDOWS\
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe

--
End of file - 5154 bytes

#10 james42519

james42519
  • Topic Starter

  • Members
  • 47 posts
  • Gender:Male
  • Location:pulaski ky
  • Local time:04:49 AM

Posted 09 August 2008 - 12:35 AM

OK, I deleted the quarantined files Avira found. Scanned again and found nothing. There were 2 files each time that it couldn't scan, if that is something to worry about.

Edited by james42519, 09 August 2008 - 12:41 AM.


#11 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:03:49 AM

Posted 12 August 2008 - 02:44 AM

Hello,

I notice that you have Spybot's TeaTimer running. While this is normally a wonderful tool to protect against hijackers, it can also interfere with the fixes. So please disable TeaTimer by doing the following:
1) Run Spybot-S&D
2) Go to the Mode menu, and make sure "Advanced Mode" is selected
3) On the left hand side, choose Tools -> Resident
4) Uncheck "Resident TeaTimer" and OK any prompts

Please run HijackThis! and click "Scan." Place checks next to the following entries, if present:

O2 - BHO: (no name) - {18CB1A7B-94CD-4582-8022-ADA16851E44B} - (no file)
O2 - BHO: (no name) - {2D3F17AF-31E6-4CF4-B2EC-E8B5E1A2D6C5} - (no file)
O2 - BHO: (no name) - {6fe38668-6458-4ef8-bfbe-886070183e59} - (no file)
O2 - BHO: (no name) - {748EC4E9-1F8F-4218-9F67-69F3E30D1B00} - (no file)
O2 - BHO: (no name) - {7C8C2287-0010-4255-82EC-C6427FE56066} - (no file)
O2 - BHO: (no name) - {E525B124-28E1-4D57-B784-B2AABFBBFA66} - (no file)
O2 - BHO: (no name) - {EA44AC86-651C-4702-8C9D-D2C7776617F3} - (no file)
O2 - BHO: (no name) - {FA341834-8ED5-4389-8895-35FD7DE62793} - (no file)
O4 - HKCU\..\RunOnce: [SpybotDeletingB366] command /c del "C:\WINDOWS\system32\efcDWQig.dll"
O20 - Winlogon Notify: efcDWQig - C:\WINDOWS\
O20 - Winlogon Notify: winhdn32 - C:\WINDOWS\


Close all browsers and other windows except for HijackThis!, and click "Fix checked".

Reboot your computer.

Please delete ComboFix and its accompanying folder C:\Qoobox. Empty your Recycle bin and reboot your computer. Now let's get a fresh copy:

This tool is not a toy. If used the wrong way you could trash your computer. Please use only under direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.

1. Download this file - combofix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply please, along with a new HijackThis log.

Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall.

How is it running now please?

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!



Error reading poptart in Drive A: Delete kids y/n?
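The selection rule behind the fix list above (O2 BHOs whose DLL is gone, the leftover Spybot RunOnce delete, O20 Winlogon Notify entries that name no DLL), written out as an added Python triage script; this is not code from the thread or from HijackThis, and the sample log is a constructed subset of the log posted in #9.

```python
"""Triage a HijackThis log for leftover Vundo-style autostart entries.

Added example (not the thread's or HijackThis's own code): it encodes the
selection rule the helper applied to the log in post #9 and returns the
entries a user would tick before "Fix checked".
"""
import re
from typing import Dict, List

# Constructed sample: a subset of the HijackThis log posted in the thread,
# mixing clean entries (Spybot, Java, Avira, NVIDIA) with the leftovers.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {18CB1A7B-94CD-4582-8022-ADA16851E44B} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {EA44AC86-651C-4702-8C9D-D2C7776617F3} - (no file)
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\RunOnce: [SpybotDeletingB366] command /c del "C:\WINDOWS\system32\efcDWQig.dll"
O20 - Winlogon Notify: efcDWQig - C:\WINDOWS\
O20 - Winlogon Notify: winhdn32 - C:\WINDOWS\
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

# O2: Browser Helper Object -> "O2 - BHO: <name> - {<CLSID>} - <path or (no file)>"
BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")
# O4: autostart value -> "O4 - <hive>\..\<Run|RunOnce|...>: [<value name>] <command>"
RUN_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# O20: Winlogon Notify package -> "O20 - Winlogon Notify: <name> - <DLL path>"
NOTIFY_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.*)$")


def triage_hjt_log(log_text: str) -> List[Dict[str, str]]:
    """Return the O2/O4/O20 entries that match the helper's fix-list rule."""
    findings: List[Dict[str, str]] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue

        m = BHO_RE.match(line)
        if m:
            # A BHO whose CLSID is still registered but whose DLL is gone:
            # the registration is a leftover of the removed Vundo DLLs.
            if m.group("path").strip().lower() == "(no file)":
                findings.append({"item": "O2", "line": line,
                                 "reason": "BHO registered but its DLL no longer exists"})
            continue

        m = RUN_RE.match(line)
        if m:
            # A RunOnce value that only deletes a file is a one-shot cleanup
            # left behind by an earlier tool (Spybot here); it can be removed.
            if m.group("key").lower() == "runonce" and re.search(r"\bdel\b", m.group("cmd"), re.I):
                findings.append({"item": "O4", "line": line,
                                 "reason": "leftover RunOnce delete command"})
            continue

        m = NOTIFY_RE.match(line)
        if m:
            # Winlogon Notify packages must name a DLL; an entry that points at a
            # bare directory is an orphaned registration of a removed DLL.
            if not m.group("path").strip().lower().endswith(".dll"):
                findings.append({"item": "O20", "line": line,
                                 "reason": "Winlogon Notify entry names no DLL"})
            continue
    return findings


def fix_list(log_text: str) -> List[str]:
    """Just the log lines to tick in HijackThis, in log order."""
    return [f["line"] for f in triage_hjt_log(log_text)]


if __name__ == "__main__":
    for f in triage_hjt_log(SAMPLE_LOG):
        print(f"{f['item']:>3}  {f['reason']}\n     {f['line']}")
```

Run against the sample it returns the five entries the helper listed and leaves the Spybot, Java, Avira and NVIDIA lines alone; a full log from the real tool can be passed in the same way.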

#12 james42519

james42519
  • Topic Starter

  • Members
  • 47 posts
  • Gender:Male
  • Location:pulaski ky
  • Local time:04:49 AM

Posted 12 August 2008 - 06:14 AM

It is running good, I think. I kinda missed a step and stuff though.
Close all browsers and other windows except for HijackThis!, and click "Fix checked".
Deleted ComboFix and Qoobox and accidentally deleted HijackThis too.
Restarted and downloaded ComboFix, scanned, and here is the log.
Sorry if I messed up. Kinda got confused going back and forth.


ComboFix 08-08-11.01 - James 2008-08-12 7:04:01.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.71 [GMT -4:00]
Running from: C:\Documents and Settings\James\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-07-12 to 2008-08-12 )))))))))))))))))))))))))))))))
.

2008-08-09 00:43 . 2008-08-09 00:43 <DIR> d-------- C:\Program Files\Avira
2008-08-09 00:43 . 2008-08-09 00:43 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avira
2008-08-08 08:32 . 2008-08-08 08:32 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-08-08 08:32 . 2008-08-08 08:32 <DIR> d-------- C:\Documents and Settings\James\Application Data\Malwarebytes
2008-08-08 08:32 . 2008-08-08 08:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-08-08 08:32 . 2008-07-30 20:07 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-08-08 08:32 . 2008-07-30 20:07 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-08-07 18:10 . 2008-08-07 18:10 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-07 17:41 . 2008-08-07 17:41 <DIR> d-------- C:\Deckard
2008-08-07 16:10 . 2008-08-09 01:03 <DIR> d-------- C:\VundoFix Backups
2008-08-07 15:33 . 2008-08-07 15:33 <DIR> d-------- C:\Documents and Settings\Administrator
2008-08-07 15:26 . 2008-08-07 16:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SITEguard
2008-08-07 15:23 . 2008-08-07 15:23 <DIR> d-------- C:\Program Files\Common Files\iS3
2008-08-07 15:23 . 2008-08-07 16:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\STOPzilla!
2008-08-07 15:07 . 2008-08-07 15:07 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avg7
2008-08-07 11:54 . 2008-08-07 11:54 145 --a------ C:\WINDOWS\system32\winver.bat
2008-08-07 11:48 . 2008-08-12 07:01 26 --a------ C:\WINDOWS\iTouch.ini
2008-08-07 10:06 . 2008-08-07 13:32 385 --a------ C:\WINDOWS\wininit.ini
2008-08-07 09:23 . 2008-08-07 09:23 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-08-07 09:23 . 2008-08-07 09:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-08-07 09:13 . 2008-08-08 08:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\services
2008-08-05 22:56 . 2008-08-05 22:56 <DIR> d-------- C:\WINDOWS\McAfee.com
2008-08-05 16:19 . 2008-08-05 16:19 <DIR> d-------- C:\Program Files\Foxit Software
2008-08-03 15:23 . 2008-08-03 15:23 <DIR> d-------- C:\Temp
2008-08-03 15:23 . 2008-08-03 15:23 <DIR> d-------- C:\Program Files\Cheetah Burner
2008-08-03 15:23 . 2002-01-05 07:37 344,064 --a------ C:\WINDOWS\system32\msvcr70.dll
2008-08-02 13:19 . 2008-08-02 19:29 <DIR> d-------- C:\Program Files\VideoLAN
2008-07-30 11:02 . 2008-07-30 11:05 <DIR> d-------- C:\Program Files\SlySoft
2008-07-29 19:48 . 2008-07-29 19:48 <DIR> d-------- C:\Program Files\Logitech
2008-07-29 19:48 . 2008-07-29 19:48 <DIR> d-------- C:\Program Files\Common Files\Logitech
2008-07-29 19:48 . 2002-01-05 04:38 54,784 --a------ C:\WINDOWS\system32\MSVCI70.DLL
2008-07-29 19:48 . 2004-03-03 09:50 37,887 --------- C:\WINDOWS\system32\drivers\Lhidusb.sys
2008-07-29 19:48 . 2004-03-03 09:50 14,095 --------- C:\WINDOWS\system32\drivers\LCCFLTR.SYS
2008-07-29 19:48 . 2004-03-10 13:42 12,953 --a------ C:\WINDOWS\system32\drivers\itchfltr.sys
2008-07-29 08:16 . 2008-07-29 08:16 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\nView_Profiles
2008-07-29 06:27 . 2008-07-29 06:28 <DIR> d-------- C:\WINDOWS\nview
2008-07-29 06:27 . 2006-10-22 12:22 208,896 --a------ C:\WINDOWS\system32\nvudisp.exe
2008-07-29 06:27 . 2008-08-12 07:01 88,566 --a------ C:\WINDOWS\system32\nvapps.xml
2008-07-29 06:27 . 2006-10-22 12:22 17,056 --a------ C:\WINDOWS\system32\nvdisp.nvu
2008-07-29 06:26 . 2006-10-22 15:06 208,896 --a------ C:\WINDOWS\system32\NVUNINST.EXE
2008-07-29 06:04 . 2008-06-10 02:32 73,728 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-07-29 06:03 . 2008-07-29 06:04 <DIR> d-------- C:\Program Files\Java
2008-07-29 06:03 . 2008-07-29 06:03 <DIR> d-------- C:\Program Files\Common Files\Java
2008-07-29 01:12 . 2008-07-29 01:14 <DIR> d--h----- C:\WINDOWS\msdownld.tmp
2008-07-29 01:12 . 2008-07-29 01:12 <DIR> d-------- C:\WINDOWS\Logs
2008-07-28 18:00 . 2008-07-28 18:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\NVIDIA
2008-07-27 19:27 . 2008-07-29 04:09 <DIR> d-------- C:\Program Files\TrackMania Nations ESWC
2008-07-25 16:48 . 2008-07-25 16:48 1,080 --a------ C:\WINDOWS\system32\settingsbkup.sfm
2008-07-25 16:48 . 2008-07-25 16:48 1,080 --a------ C:\WINDOWS\system32\settings.sfm
2008-07-25 16:43 . 2008-07-25 16:48 <DIR> d-------- C:\WINDOWS\system32\Defaults
2008-07-25 16:43 . 1995-01-13 14:10 149,504 --a------ C:\WINDOWS\system32\MFCANS32.DLL
2008-07-25 16:43 . 1995-01-13 14:10 108,032 --a------ C:\WINDOWS\system32\MFCUIA32.DLL
2008-07-25 16:43 . 2008-07-25 16:48 11 --a------ C:\WINDOWS\SBWIN.INI
2008-07-25 16:42 . 2008-07-25 16:48 <DIR> d-------- C:\WINDOWS\system32\Data
2008-07-25 16:42 . 1999-09-22 23:18 2,259,067 --a------ C:\WINDOWS\system32\default.ecw
2008-07-25 16:42 . 2002-07-19 10:56 270,336 --a------ C:\WINDOWS\system32\SFMS32.DLL
2008-07-25 16:42 . 2001-08-17 22:36 98,304 --a--c--- C:\WINDOWS\system32\dllcache\a3d.dll
2008-07-25 16:42 . 2002-07-19 10:43 65,536 --a------ C:\WINDOWS\system32\a3d.dll
2008-07-25 16:42 . 2002-07-19 11:07 53,248 --a------ C:\WINDOWS\system32\AC3API.DLL
2008-07-25 16:40 . 2008-07-25 16:48 <DIR> d-------- C:\Program Files\Creative
2008-07-25 16:14 . 2008-07-25 16:22 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2008-07-25 16:14 . 2005-02-24 23:35 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe
2008-07-25 16:13 . 2008-06-13 07:05 272,128 --------- C:\WINDOWS\system32\drivers\bthport.sys
2008-07-25 16:13 . 2008-06-13 07:05 272,128 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys
2008-07-24 07:42 . 2008-07-24 07:42 297 --a------ C:\WINDOWS\EReg072.dat
2008-07-24 07:39 . 1998-05-01 13:39 299,008 --a------ C:\WINDOWS\uninst.exe
2008-07-24 07:38 . 2008-07-24 07:38 <DIR> d-------- C:\Documents and Settings\James\WINDOWS
2008-07-24 07:38 . 1998-07-30 12:51 305,152 --a------ C:\WINDOWS\IsUninst.exe
2008-07-24 06:08 . 2008-07-24 06:43 <DIR> d-------- C:\INTRPLAY
2008-07-24 04:14 . 2008-07-24 04:14 56 --a------ C:\WINDOWS\NP8CD.INI
2008-07-23 01:20 . 2006-11-29 13:06 3,426,072 --a------ C:\WINDOWS\system32\d3dx9_32.dll
2008-07-22 22:01 . 2008-07-22 22:01 <DIR> d-------- C:\WINDOWS\system32\Futuremark
2008-07-22 22:01 . 2008-05-29 12:33 27,672 -ra------ C:\WINDOWS\system32\drivers\Entech.sys
2008-07-22 22:00 . 2008-07-22 22:00 <DIR> d-------- C:\WINDOWS\Sun
2008-07-22 15:49 . 2008-08-03 15:23 <DIR> d--h----- C:\Program Files\InstallShield Installation Information
2008-07-22 15:48 . 2008-07-28 17:57 <DIR> d-------- C:\Program Files\Common Files\InstallShield
2008-07-22 00:13 . 2008-07-22 00:13 0 --a------ C:\WINDOWS\iPlayer.INI
2008-07-21 23:47 . 2008-07-21 23:47 <DIR> d-------- C:\Documents and Settings\James\Application Data\CyberLink
2008-07-21 23:47 . 2008-07-21 23:47 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\CyberLink
2008-07-21 23:46 . 2001-03-08 18:30 24,064 --a------ C:\WINDOWS\system32\msxml3a.dll
2008-07-21 23:45 . 2008-07-22 15:49 <DIR> d-------- C:\Program Files\CyberLink
2008-07-21 23:45 . 2003-03-18 20:14 499,712 --a------ C:\WINDOWS\system32\msvcp71.dll
2008-07-21 23:45 . 2003-02-21 04:42 348,160 --a------ C:\WINDOWS\system32\msvcr71.dll
2008-07-21 23:39 . 2008-07-21 23:39 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SlySoft
2008-07-21 21:27 . 2008-07-21 21:27 1,160 --a------ C:\WINDOWS\mozver.dat
2008-07-21 20:41 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2008-07-21 20:41 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-07-21 20:01 . 2008-07-21 20:01 <DIR> d---s---- C:\Documents and Settings\James\UserData
2008-07-21 20:00 . 2008-08-12 06:47 <DIR> d-------- C:\Program Files\mIRC
2008-07-21 17:32 . 2008-07-21 17:32 335 --a------ C:\WINDOWS\mozregistry.dat
2008-07-21 17:16 . 2008-07-21 17:16 <DIR> d-------- C:\Documents and Settings\James\Application Data\Talkback
2008-07-21 17:16 . 2008-07-21 17:16 0 --a------ C:\WINDOWS\nsreg.dat
2008-07-21 08:59 . 2002-07-05 02:54 40,448 -ra------ C:\WINDOWS\system32\drivers\lne100m.sys
2008-07-21 08:44 . 2008-04-14 00:15 26,368 --a--c--- C:\WINDOWS\system32\dllcache\usbstor.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-07 22:41 --------- d-----w C:\Program Files\microsoft frontpage
2008-06-20 17:46 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-06-20 11:51 361,600 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 11:40 138,496 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 11:08 225,856 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-05-30 18:19 507,400 ----a-w C:\WINDOWS\system32\XAudio2_1.dll
2008-05-30 18:18 238,088 ----a-w C:\WINDOWS\system32\xactengine3_1.dll
2008-05-30 18:17 65,032 ----a-w C:\WINDOWS\system32\XAPOFX1_0.dll
2008-05-30 18:17 25,608 ----a-w C:\WINDOWS\system32\X3DAudio1_4.dll
2008-05-30 18:11 467,984 ----a-w C:\WINDOWS\system32\d3dx10_38.dll
2008-05-30 18:11 3,850,760 ----a-w C:\WINDOWS\system32\D3DX9_38.dll
2008-05-30 18:11 1,491,992 ----a-w C:\WINDOWS\system32\D3DCompiler_38.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2005-12-07 22:57 30208]
"LanguageShortcut"="C:\Program Files\CyberLink\PowerDVD\Language\Language.exe" [2006-05-18 11:29 49152]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-10-22 12:22 7700480]
"zBrowser Launcher"="C:\Program Files\Logitech\iTouch\iTouch.exe" [2004-03-18 09:33 892928]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 14:28 266497]
"nwiz"="nwiz.exe" [2006-10-22 12:22 1622016 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="NvMCTray.dll" [2006-10-22 12:22 86016 C:\WINDOWS\system32\nvmctray.dll]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"= ctwdm32.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\mIRC\\mirc.exe"=
"C:\\Program Files\\TrackMania Nations ESWC\\TmNationsESWC.exe"=
"C:\\WINDOWS\\system32\\dpvsetup.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - D:\install.EXE id= ver=1.0.0.0
.
- - - - ORPHANS REMOVED - - - -

BHO-{2D3F17AF-31E6-4CF4-B2EC-E8B5E1A2D6C5} - (no file)
BHO-{6fe38668-6458-4ef8-bfbe-886070183e59} - (no file)
BHO-{748EC4E9-1F8F-4218-9F67-69F3E30D1B00} - (no file)
BHO-{7C8C2287-0010-4255-82EC-C6427FE56066} - (no file)
BHO-{E525B124-28E1-4D57-B784-B2AABFBBFA66} - (no file)
BHO-{EA44AC86-651C-4702-8C9D-D2C7776617F3} - (no file)
BHO-{FA341834-8ED5-4389-8895-35FD7DE62793} - (no file)
Notify-efcDWQig - (no file)
Notify-winhdn32 - (no file)


.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\James\Application Data\Mozilla\Firefox\Profiles\xxxdq4ek.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.google.com/


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-12 07:05:51
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-08-12 7:07:27
ComboFix-quarantined-files.txt 2008-08-12 11:07:23
ComboFix2.txt 2008-08-12 10:56:24

Pre-Run: 34,073,755,648 bytes free
Post-Run: 34,061,516,800 bytes free

173 --- E O F --- 2008-07-25 20:23:07

#13 teacup61

    Bleepin' Texan!

  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:03:49 AM

Posted 12 August 2008 - 04:06 PM

Hello,

That's okay... could you get HijackThis again if you haven't already and post a new log? :thumbsup:

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!



Error reading poptart in Drive A: Delete kids y/n?

#14 james42519

  • Topic Starter
  • Members
  • 47 posts
  • Gender:Male
  • Location:pulaski ky
  • Local time:04:49 AM

Posted 13 August 2008 - 01:15 AM

Hello,

That's okay... could you get HijackThis again if you haven't already and post a new log? :thumbsup:

Thanks,
tea


I forget where I downloaded it from.

#15 teacup61

    Bleepin' Texan!

  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:03:49 AM

Posted 13 August 2008 - 11:08 PM

Hi there,

Here you go: http://www.trendsecure.com/portal/en-US/th.../hijackthis.php :thumbsup:

tea