
Help Virtumonde Virus!


  • This topic is locked
18 replies to this topic

#1 downset

downset

  • Members
  • 12 posts
  • OFFLINE
  • Local time:10:40 AM

Posted 07 August 2008 - 07:18 PM

I have been searching the net for a removal tool for the Virtumonde Virus but I can't seem to shake it. I have used VundoFix, VirtumondoBeGone, Spybot Seek and Destroy, and Avast!. First I used Spybot and it said the virus was gone. I rebooted, ran it again, and it picked up the virus again. I have had detections of random DLLs that pop up in Avast! and I saved them to the chest (quarantined) and deleted them. I ran VundoFix and it locked up so I had to reboot. After reboot it didn't detect the virus. Then I ran Spybot again and there it was again. After searching the net again I downloaded VirtumondoBeGone and it ran a scan and didn't detect anything. I'm unsure if the virus is still there or not or what I need to delete in HijackThis. This is my HijackThis log:

Attached File  hijackthis.log   6.58KB   11 downloads



#2 downset

downset
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  • Local time:10:40 AM

Posted 08 August 2008 - 04:01 PM

I haven't had any responses to my last post, so I guess I'll ask for help again. I have, or believe to still have, the virtumonde virus. I have tried VundoFix, VirtumondoBeGone, and SpyBot S&D. I have Avast! antivirus as well, which has been popping up with random DLL files. I ran Spybot and it told me I had the Virtumonde Virus and I tried to fix it. Well I rebooted after the "fix" and it showed up again. First time I ran VundoFix it froze, so I rebooted. After reboot I ran it again. No virus. I thought that's cool, but I was wrong. I ran Spybot again and there it was and I received more random DLLs from Avast!. Next I downloaded VirtumondoBeGone and it said no virus was found. I'm sure it's still there. I ran HijackThis and this is what I have:

Attached File  hijackthis.log   6.58KB   32 downloads

Please help!!

#3 steamwiz

steamwiz

  • Members
  • 1,039 posts
  • OFFLINE
  • Local time:02:40 PM

Posted 08 August 2008 - 05:09 PM

Hi

Yes, your log shows evidence of a Vundo trojan ...

Download Deckard's System Scanner (formerly Comboscan) to your Desktop.

Note: You must be logged onto an account with administrator privileges.

1. Close all applications and windows.
2. Double-click on dss.exe to run it, and follow the prompts.
3. When the scan is complete, two text files will open: main.txt (this one will be maximized) and extra.txt (this one will be minimized)
4. Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of main.txt in your next reply.
5. Then do the same with extra.txt

Note: you'll find extra.txt here :- C:\Deckard\System Scanner\extra.txt

Please remember to post both txt files ...


Note: some firewalls may warn that sigcheck.exe is trying to access the internet - please ensure that you allow sigcheck.exe permission to do so.

THEN ..

Please run a Kaspersky Online Scan

Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

Click Accept

You will be prompted to install an ActiveX component from Kaspersky,
Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan: Select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Once finished, save the log to your Desktop as filename KAV.txt
THEN ...

Please Download Malwarebytes' Anti-Malware from Here :-

http://www.majorgeeks.com/Malwarebytes_Ant...ware_d5756.html

or here :-

http://www.besttechie.net/tools/mbam-setup.exe

Double Click mbam-setup.exe to install the application.

* Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select "Perform Quick Scan", then click Scan.
* The scan may take some time to finish, so please be patient.
* When the scan is complete, click OK, then Show Results to view the results.
* Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.
* The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
* Copy and Paste the entire report in your next reply.


steam
MICROSOFT MVP - Windows Security 2004/9
member of ASAP since 2004
member of U.N.I.T.E

If I have helped you, please consider a small donation to help me continue my online fight in the war against malware

#4 downset

downset
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  • Local time:10:40 AM

Posted 08 August 2008 - 05:39 PM

Deckard's System Scanner v20071014.68
Run by Derek on 2008-08-08 18:28:58
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
58: 2008-08-08 22:29:03 UTC - RP58 - Deckard's System Scanner Restore Point
57: 2008-08-08 21:17:01 UTC - RP57 - System Checkpoint
56: 2008-08-07 00:36:46 UTC - RP56 - System Checkpoint
55: 2008-08-04 20:06:42 UTC - RP55 - Last known good configuration
54: 2008-08-04 20:05:11 UTC - RP54 - System Checkpoint


-- First Restore Point --
1: 2008-08-04 20:04:07 UTC - RP1 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as Derek.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:29:58 PM, on 8/8/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
D:\Program Files\Alwil Software\Avast4\ashServ.exe
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
D:\Program Files\ATI Multimedia\main\ATIDtct.EXE
D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
D:\WINDOWS\system32\RunDll32.exe
D:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
D:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S0EIC1.EXE
D:\WINDOWS\system32\rundll32.exe
D:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
D:\Program Files\CursorXP\CursorXP.exe
D:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
D:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
D:\WINDOWS\system32\IoctlSvc.exe
D:\WINDOWS\system32\rundll32.exe
D:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
D:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
D:\Program Files\Internet Download Manager\IEMonitor.exe
D:\Documents and Settings\Derek\My Documents\Downloads\Programs\dss.exe
D:\PROGRA~1\TRENDM~1\HIJACK~1\Derek.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.mini20.com
O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - D:\Program Files\Internet Download Manager\IDMIECC.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {A23CA8A9-47D8-4DB1-AE46-0AA018CC576E} - (no file)
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - D:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O2 - BHO: (no name) - {B733BD5F-B57D-4B0C-AB6E-9AF2DDE3EFF7} - D:\WINDOWS\system32\khfEWPFv.dll (file missing)
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - D:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - D:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O4 - HKLM\..\Run: [SiSUSBRG] D:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [ATIPTA] D:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATI DeviceDetect] D:\Program Files\ATI Multimedia\main\ATIDtct.EXE
O4 - HKLM\..\Run: [avast!] D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "D:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [EPSON Stylus Photo 820 Series] D:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S0EIC1.EXE /P29 "EPSON Stylus Photo 820 Series" /O5 "LPT1:" /M "Stylus Photo 820"
O4 - HKLM\..\Run: [NeroFilterCheck] D:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [REGSHAVE] D:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [20281c23] rundll32.exe "D:\WINDOWS\system32\clmwjler.dll",b
O4 - HKCU\..\Run: [ATI Remote Control] D:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
O4 - HKCU\..\Run: [CursorXP] D:\Program Files\CursorXP\CursorXP.exe
O4 - HKCU\..\Run: [IDMan] D:\Program Files\Internet Download Manager\IDMan.exe /onboot
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "D:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O8 - Extra context menu item: Download all links with IDM - D:\Program Files\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download FLV video content with IDM - D:\Program Files\Internet Download Manager\IEGetVL.htm
O8 - Extra context menu item: Download with IDM - D:\Program Files\Internet Download Manager\IEExt.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O20 - Winlogon Notify: ssqRIXQG - D:\WINDOWS\
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - D:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - D:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - D:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - D:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - D:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Google Updater Service (gusvc) - Google - D:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NBService - Nero AG - D:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - D:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - D:\WINDOWS\system32\IoctlSvc.exe
O23 - Service: VundoFix Service (VundoFixSvc) - Atribune.org - D:\WINDOWS\SYSTEM32\VundoFixSVC.exe
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - D:\PROGRA~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)

--
End of file - 6533 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

All drivers whitelisted.


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 PLFlash DeviceIoControl Service - d:\windows\system32\ioctlsvc.exe <Not Verified; Prolific Technology Inc.; IoctlSvc Application>

S3 NBService - d:\program files\nero\nero 7\nero backitup\nbservice.exe
S3 VundoFixSvc (VundoFix Service) - vundofixsvc.exe <Not Verified; Atribune.org; Vundofix Service>
S3 x10nets (X10 Device Network Service) - d:\progra~1\atimul~1\remctrl\x10nets.exe (file missing)


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Files created between 2008-07-08 and 2008-08-08 -----------------------------

2008-08-07 19:53:25 0 d-------- D:\Program Files\Trend Micro
2008-08-07 17:19:48 24576 --a------ D:\WINDOWS\system32\VundoFixSVC.exe <Not Verified; Atribune.org; Vundofix Service>
2008-08-07 17:05:41 0 d-------- D:\VundoFix Backups
2008-08-06 19:09:19 2048 --a------ D:\WINDOWS\system32\otloqnvr.exe
2008-08-05 19:21:35 0 d-------- D:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-08-05 19:20:59 83456 --a------ D:\WINDOWS\system32\clmwjler.dll
2008-08-05 19:15:01 102400 --a------ D:\WINDOWS\system32\htfmyr.dll
2008-08-05 19:14:59 102400 --a------ D:\WINDOWS\system32\baivjsfc.dll
2008-08-04 19:23:09 0 d---s---- D:\Documents and Settings\Derek\UserData
2008-08-04 16:03:55 882082 --ahs---- D:\WINDOWS\system32\vFPWEfhk.ini2
2008-07-28 13:46:41 0 --a------ D:\WINDOWS\ativpsrm.bin
2008-07-28 13:43:25 0 d-------- D:\ATI
2008-07-28 13:36:41 0 d-------- D:\Program Files\XviD
2008-07-28 13:36:25 120320 --a------ D:\WINDOWS\system32\apexchanger.exe
2008-07-28 13:36:25 109568 --a------ D:\WINDOWS\system32\apex3gp.exe
2008-07-28 13:36:24 626688 --a------ D:\WINDOWS\system32\NCTImageFile.dll <Not Verified; Online Media Technologies Ltd.; NCTImageFile ActiveX DLL>
2008-07-28 13:36:24 61440 --a------ D:\WINDOWS\system32\cygz.dll
2008-07-28 13:36:24 1295582 --a------ D:\WINDOWS\system32\cygwin1.dll <Not Verified; Red Hat; Cygwin>
2008-07-28 13:36:24 4755968 --a------ D:\WINDOWS\system32\apexconverter.exe
2008-07-28 13:36:24 86016 --a------ D:\WINDOWS\system32\AddiTunes.exe
2008-07-28 13:36:23 780288 --a------ D:\WINDOWS\system32\NCTVideoCompress.dll <Not Verified; NCT Company Ltd.; NCTVideoCompress ActiveX DLL>
2008-07-28 13:36:23 90112 --a------ D:\WINDOWS\system32\NCTAudioFormatSettings3.dll <Not Verified; Online Media Technologies Ltd.; NCTAudioFormatSettings3 Module>
2008-07-28 13:36:22 215552 --a------ D:\WINDOWS\system32\NCTWMVFile.dll <Not Verified; NCT Company Ltd.; NCTWMVFile ActiveX DLL>
2008-07-28 13:36:22 312320 --a------ D:\WINDOWS\system32\NCTVideoView.dll <Not Verified; Online Media Technologies Ltd.; NCTVideoView ActiveX DLL>
2008-07-28 13:36:22 188416 --a------ D:\WINDOWS\system32\NCTVideoFile.dll <Not Verified; NCT Company Ltd.; NCTVideoFile ActiveX DLL>
2008-07-28 13:36:22 2846720 --a------ D:\WINDOWS\system32\NCTAudioCompress3.dll <Not Verified; Online Media Technologies Ltd.; NCTAudioCompress3 Module>
2008-07-28 13:36:22 778240 --a------ D:\WINDOWS\system32\NCTAudioCompress2.dll <Not Verified; Online Media Technologies Ltd.; NCTAudioCompress2 Module>
2008-07-28 13:36:21 237568 --a------ D:\WINDOWS\system32\lame_enc.dll
2008-07-28 13:36:19 81920 --a------ D:\WINDOWS\system32\viscomwave.dll <Not Verified; Viscom Software; >
2008-07-28 13:36:19 147456 --a------ D:\WINDOWS\system32\viscomqtenc.dll <Not Verified; Viscom Software www.viscomsoft.com; >
2008-07-28 13:36:19 139264 --a------ D:\WINDOWS\system32\viscomqtde.dll <Not Verified; Viscom Software www.viscomsoft.com; >
2008-07-28 13:36:19 0 d-------- D:\WINDOWS\system32\RMBin
2008-07-28 13:36:17 0 d-------- D:\Program Files\Apex
2008-07-28 13:26:21 0 d-------- D:\Documents and Settings\Derek\Application Data\WebCompiler3
2008-07-28 13:26:01 0 d-------- D:\Program Files\TV
2008-07-21 12:57:05 0 d-------- D:\Program Files\Picasa2
2008-07-21 11:20:36 0 d-------- D:\Program Files\ConvertHelper
2008-07-19 09:09:40 0 d-------- D:\Program Files\Sun
2008-07-14 13:04:12 69632 --a------ D:\WINDOWS\system32\FREGSHEX.DLL <Not Verified; FUJIFILM; FUJIFILM Fregshave>
2008-07-14 13:04:12 45056 --a------ D:\WINDOWS\system32\FINFCOPY.dll <Not Verified; FUJIFILM; FUJIFILM FINFCOPY>
2008-07-14 13:04:12 65536 --a------ D:\WINDOWS\system32\FINFCHECK.dll <Not Verified; FUJIFILM; FUJIFILM FINFCHECK>
2008-07-14 13:04:12 45056 --a------ D:\WINDOWS\system32\FCLKBTN.DLL <Not Verified; FUJIFILM; FUJIFILM FCLKBTN>
2008-07-14 13:04:12 0 d-------- D:\Program Files\REGSHAVE
2008-07-13 15:21:22 12736 --ah----- D:\WINDOWS\system32\mlfcache.dat
2008-07-11 18:05:56 0 d-------- D:\Documents and Settings\Derek\Application Data\mIRC


-- Find3M Report ---------------------------------------------------------------

2008-08-08 18:28:12 0 d-------- D:\Documents and Settings\Derek\Application Data\DMCache
2008-08-05 18:24:10 0 d-------- D:\Documents and Settings\Derek\Application Data\Mozilla
2008-08-04 18:42:46 0 d-------- D:\Documents and Settings\Derek\Application Data\Azureus
2008-07-28 13:26:07 0 d-------- D:\Program Files\Common Files
2008-07-19 09:09:29 0 d-------- D:\Program Files\Java
2008-07-17 16:50:24 0 d-------- D:\Program Files\Google
2008-07-14 13:04:12 0 d--h----- D:\Program Files\InstallShield Installation Information
2008-07-14 13:02:18 0 d-------- D:\Documents and Settings\Derek\Application Data\IDM
2008-07-10 20:27:52 0 d-------- D:\Documents and Settings\Derek\Application Data\Macromedia
2008-07-07 19:37:48 0 d-------- D:\Program Files\EA SPORTS
2008-07-03 21:05:00 593920 --a------ D:\WINDOWS\system32\ati2sgag.exe <Not Verified; ; ATI Smart>
2008-07-03 19:12:30 0 d-------- D:\Program Files\Azureus
2008-07-02 16:57:58 0 d-------- D:\Program Files\Activision Value
2008-07-01 21:27:06 0 d-------- D:\Program Files\Hunting Unlimited 2008
2008-07-01 20:57:54 0 d-------- D:\Documents and Settings\Derek\Application Data\WinRAR
2008-06-30 21:00:03 0 d-------- D:\Program Files\MSXML 4.0
2008-06-30 19:13:50 0 d-------- D:\Program Files\Internet Download Manager
2008-06-26 16:51:02 0 d-------- D:\Documents and Settings\Derek\Application Data\Ahead
2008-06-25 18:55:51 0 d-------- D:\Program Files\Common Files\Ahead
2008-06-23 15:42:34 0 d-------- D:\Documents and Settings\Derek\Application Data\X10 Commander
2008-06-23 15:39:54 0 d-------- D:\Program Files\Nero
2008-06-21 10:43:28 0 d-------- D:\Program Files\Audacity
2008-06-20 19:12:09 0 d-------- D:\Program Files\Messenger
2008-06-20 19:11:55 0 d-------- D:\Program Files\Windows Media Connect 2
2008-06-20 19:11:03 0 d-------- D:\Documents and Settings\Derek\Application Data\Softplicity
2008-06-08 13:37:10 0 d-------- D:\Program Files\Xilisoft
2008-05-25 22:05:25 1160 --a------ D:\WINDOWS\mozver.dat
2008-05-25 21:49:41 664 --a------ D:\WINDOWS\system32\d3d9caps.dat
2008-05-25 21:22:19 0 --a------ D:\WINDOWS\nsreg.dat
2008-05-25 20:41:04 21640 --a------ D:\WINDOWS\system32\emptyregdb.dat
2008-05-25 09:06:55 62 --ahs---- D:\Documents and Settings\Derek\Application Data\desktop.ini


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A23CA8A9-47D8-4DB1-AE46-0AA018CC576E}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B733BD5F-B57D-4B0C-AB6E-9AF2DDE3EFF7}]
D:\WINDOWS\system32\khfEWPFv.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SiSUSBRG"="D:\WINDOWS\SiSUSBrg.exe" [07/12/2002 06:15 AM]
"ATIPTA"="D:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [07/10/2004 09:10 PM]
"@"="" []
"ATI DeviceDetect"="D:\Program Files\ATI Multimedia\main\ATIDtct.EXE" [06/15/2004 10:17 PM]
"avast!"="D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [07/19/2008 10:38 AM]
"Cmaudio"="cmicnfg.cpl" []
"Adobe Reader Speed Launcher"="D:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [01/11/2008 10:16 PM]
"SunJavaUpdateSched"="D:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [06/10/2008 04:27 AM]
"EPSON Stylus Photo 820 Series"="D:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S0EIC1.exe" [04/10/2002 03:00 AM]
"NWEReboot"="" []
"NeroFilterCheck"="D:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [05/28/2008 08:27 AM]
"REGSHAVE"="D:\Program Files\REGSHAVE\REGSHAVE.exe" [02/04/2002 10:32 PM]
"20281c23"="D:\WINDOWS\system32\clmwjler.dll" [08/05/2008 07:21 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"@"="" []
"ATI Launchpad"="" []
"ATI Remote Control"="D:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe" [04/16/2004 06:43 AM]
"CursorXP"="D:\Program Files\CursorXP\CursorXP.exe" [01/19/2005 05:34 PM]
"IDMan"="D:\Program Files\Internet Download Manager\IDMan.exe" [06/03/2008 04:38 PM]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="D:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [01/22/2008 11:13 AM]
"SpybotSD TeaTimer"="D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [07/07/2008 09:42 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ssqRIXQG]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 D:\WINDOWS\system32\khfEWPFv




-- Hosts -----------------------------------------------------------------------

127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com
127.0.0.1 www.00hq.com
127.0.0.1 00hq.com
127.0.0.1 010402.com
127.0.0.1 www.032439.com
127.0.0.1 032439.com

8940 more entries in hosts file.


-- End of Deckard's System Scanner: finished at 2008-08-08 18:34:29 ------------



Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Home Edition (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: AMD Athlon™ MP
Percentage of Memory in Use: 37%
Physical Memory (total/avail): 767.36 MiB / 481.1 MiB
Pagefile Memory (total/avail): 1878.17 MiB / 1585.46 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1938.38 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 37.26 GiB total, 37.1 GiB free.
D: is Fixed (NTFS) - 279.47 GiB total, 237.57 GiB free.
E: is CDROM (No Media)
F: is CDROM (No Media)

\\.\PHYSICALDRIVE1 - Maxtor 6L300R0 - 279.47 GiB - 1 partition
\PARTITION0 - Installable File System - 279.47 GiB - D:

\\.\PHYSICALDRIVE0 - WDC WD400EB-11CPF0 - 37.27 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 37.26 GiB - C:



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is enabled.

FirstRunDisabled is set.
AntiVirusDisableNotify is set.
FirewallDisableNotify is set.
UpdatesDisableNotify is set.

AV: avast! antivirus 4.8.1229 [VPS 080808-0] v4.8.1229 (ALWIL Software) Disabled

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"D:\\Program Files\\Azureus\\Azureus.exe"="D:\\Program Files\\Azureus\\Azureus.exe:*:Enabled:Azureus"
"D:\\Program Files\\iMesh Applications\\iMesh\\iMesh.exe"="D:\\Program Files\\iMesh Applications\\iMesh\\iMesh.exe:*:Enabled:iMesh"
"D:\\Program Files\\Nero\\Nero 7\\Nero Home\\NeroHome.exe"="D:\\Program Files\\Nero\\Nero 7\\Nero Home\\NeroHome.exe:*:Enabled:Nero Home"
"D:\\Program Files\\Common Files\\Ahead\\Nero Web\\SetupX.exe"="D:\\Program Files\\Common Files\\Ahead\\Nero Web\\SetupX.exe:*:Enabled:MSI starter"
"D:\\Program Files\\Common Files\\Ahead\\Nero Web\\SetupXu.exe"="D:\\Program Files\\Common Files\\Ahead\\Nero Web\\SetupXu.exe:*:Enabled:Nero ProductSetup"
"D:\\Documents and Settings\\Derek\\Local Settings\\Temp\\Nero Web\\SetupXu.exe"="D:\\Documents and Settings\\Derek\\Local Settings\\Temp\\Nero Web\\SetupXu.exe:*:Enabled:MSI starter"
"D:\\Program Files\\mIRC\\mirc.exe"="D:\\Program Files\\mIRC\\mirc.exe:*:Enabled:mIRC"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=D:\Documents and Settings\All Users
APPDATA=D:\Documents and Settings\Derek\Application Data
CLIENTNAME=Console
CommonProgramFiles=D:\Program Files\Common Files
COMPUTERNAME=HOME
ComSpec=D:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=D:
HOMEPATH=\Documents and Settings\Derek
LOGONSERVER=\\HOME
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=D:\WINDOWS\system32;D:\WINDOWS;D:\WINDOWS\System32\Wbem;D:\Program Files\ATI Technologies\ATI Control Panel
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 8 Stepping 1, AuthenticAMD
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0801
ProgramFiles=D:\Program Files
PROMPT=$P$G
SESSIONNAME=Console
SystemDrive=D:
SystemRoot=D:\WINDOWS
TEMP=D:\DOCUME~1\Derek\LOCALS~1\Temp
TMP=D:\DOCUME~1\Derek\LOCALS~1\Temp
USERDOMAIN=HOME
USERNAME=Derek
USERPROFILE=D:\Documents and Settings\Derek
windir=D:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Derek (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> D:\Program Files\Nero\Nero 7\\nero\uninstall\UNNERO.exe /UNINSTALL
--> D:\WINDOWS\UNNeroBackItUp.exe /UNINSTALL
--> D:\WINDOWS\UNNeroMediaHome.exe /UNINSTALL
--> D:\WINDOWS\UNNeroShowTime.exe /UNINSTALL
--> D:\WINDOWS\UNNeroVision.exe /UNINSTALL
--> D:\WINDOWS\UNRecode.exe /UNINSTALL
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 D:\WINDOWS\INF\PCHealth.inf
Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742) --> MsiExec.exe /X{6846389C-BAC0-4374-808E-B120F86AF5D7}
Adobe Flash Player ActiveX --> D:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Reader 8.1.2 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81200000003}
Adobe Reader 8.1.2 Security Update 1 (KB403742) -->
Adobe Shockwave Player --> D:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE D:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log
Apex Free 3GP Video Converter 6.45 --> "D:\Program Files\Apex\Apex Free 3GP Video Converter\unins000.exe"
ATI Control Panel --> RunDll32 D:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "D:\Program Files\InstallShield Installation Information\{0BEDBD4E-2D34-47B5-9973-57E62B29307C}\setup.exe"
ATI Decoder --> D:\PROGRA~1\COMMON~1\INSTAL~1\Driver\9\INTEL3~1\IDriver.exe /M{EDE28287-D32C-415E-9C97-2BF9F9260150} /l1033
ATI Display Driver --> rundll32 D:\WINDOWS\system32\atiiiexx.dll,_InfEngUnInstallINFFile_RunDLL@16 -force_restart -flags:0x2010001 -inf_class:DISPLAY -clean
ATI HYDRAVISION --> RunDll32 D:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "D:\Program Files\InstallShield Installation Information\{3EA9D975-BFDC-4E8E-B88B-0446FBC8CA66}\setup.exe"
ATI Multimedia Center 9.01 --> D:\PROGRA~1\COMMON~1\INSTAL~1\Driver\9\INTEL3~1\IDriver.exe /M{8988F5D0-C83F-41F4-B41B-86031F9B37F5} /l1033
ATI Remote Wonder 2.3 --> D:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{3347F781-9C89-4C9B-B471-B1FFC3BC4A84} /l1033
avast! Antivirus --> D:\Program Files\Alwil Software\Avast4\aswRunDll.exe "D:\Program Files\Alwil Software\Avast4\Setup\setiface.dll",RunSetup
AVI to DVD Converter --> D:\Program Files\Xilisoft\AVI to DVD Converter\Uninstall.exe
Azureus Vuze --> D:\Program Files\Azureus\uninstall.exe
C-Media 3D Audio --> D:\WINDOWS\CMIUnInstall.exe
Cabela's Trophy Bucks --> MsiExec.exe /I{D17C4B85-A12C-442F-81A6-21EAB64F014A}
ConvertHelper 2.1 --> "D:\Program Files\ConvertHelper\unins000.exe"
CursorXP --> D:\Program Files\CursorXP\CurXPUtil.exe -u
DAO --> D:\PROGRA~1\COMMON~1\INSTAL~1\Driver\9\INTEL3~1\IDriver.exe /M{C88E49AA-41C5-4420-A08D-BE1B6C5A3A74}
EA SPORTS online 2008 --> D:\Program Files\EA SPORTS\EA SPORTS online\EASOUNInstaller.exe
EPSON Printer Software --> D:\WINDOWS\System32\spool\DRIVERS\W32X86\3\EPUPDATE.EXE /R
EPSON Web-To-Page --> RunDll32 D:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "D:\Program Files\InstallShield Installation Information\{7F14F68C-17FA-4F88-B3FD-7F449C1EBF32}\Setup.exe" -l0x9 -anything
FUJIFILM USB Driver --> RunDll32 D:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "D:\Program Files\InstallShield Installation Information\{5490882C-6961-11D5-BAE5-00E0188E010B}\Setup.exe"
Google Earth --> MsiExec.exe /I{1D14373E-7970-4F2F-A467-ACA4F0EA21E3}
Google Updater --> "D:\Program Files\Google\Google Updater\GoogleUpdater.exe" -uninstall
HijackThis 2.0.2 --> "D:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Hotfix for Windows Media Format 11 SDK (KB929399) --> "D:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
Hunting Unlimited 2008 1.0 --> D:\Program Files\Hunting Unlimited 2008\uninst.exe
Internet Download Manager --> D:\Program Files\Internet Download Manager\Uninstall.exe
Java™ 6 Update 6 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160060}
Java™ 6 Update 7 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160070}
K-Lite Codec Pack 3.9.0 Full --> "D:\Program Files\K-Lite Codec Pack\unins000.exe"
Madden NFL 08 --> D:\Program Files\EA Sports\Madden NFL 08\EAUninstall.exe
Microsoft Compression Client Pack 1.0 for Windows XP --> "D:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft User-Mode Driver Framework Feature Pack 1.0 --> "D:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Mozilla Firefox (3.0.1) --> D:\Program Files\Mozilla Firefox\uninstall\helper.exe
Nero 7 Essentials --> MsiExec.exe /X{F90D6825-8F1F-4E3A-9E42-A9C8A9DD1033}
neroxml --> MsiExec.exe /I{56C049BE-79E9-4502-BEA7-9754A3E60F9B}
OpenOffice.org Installer 1.0 --> MsiExec.exe /X{0D499481-22C6-4B25-8AC2-6D3F6C885FB9}
Picasa 2 --> "D:\Program Files\Picasa2\Uninstall.exe"
Spybot - Search & Destroy --> "D:\Program Files\Spybot - Search & Destroy\unins000.exe"
TV --> D:\Program Files\TV\Uninstall.EXE /u:"TV"
Windows Media Format 11 runtime --> "D:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
WinRAR --> "D:\WINDOWS\WinRAR\uninstall.exe" "/U:D:\Program Files\WinRAR\Uninstall\uninstall.xml"
XviD MPEG-4 Codec --> "D:\Program Files\XviD\UninstXviD.exe"


-- Application Event Log -------------------------------------------------------

Event Record #/Type713 / Error
Event Submitted/Written: 08/08/2008 06:33:15 PM
Event ID/Source: 8 / crypt32
Event Description:
Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: This network connection does not exist.

Event Record #/Type712 / Error
Event Submitted/Written: 08/08/2008 06:32:43 PM
Event ID/Source: 8 / crypt32
Event Description:
Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: This operation returned because the timeout period expired.

Event Record #/Type711 / Error
Event Submitted/Written: 08/08/2008 06:30:49 PM
Event ID/Source: 8 / crypt32
Event Description:
Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: This operation returned because the timeout period expired.

Event Record #/Type710 / Error
Event Submitted/Written: 08/08/2008 06:30:19 PM
Event ID/Source: 8 / crypt32
Event Description:
Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: This operation returned because the timeout period expired.

Event Record #/Type672 / Error
Event Submitted/Written: 08/06/2008 10:10:51 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application SpybotSD.exe, version 1.6.0.30, hang module hungapp, version 0.0.0.0, hang address 0x00000000.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type5541 / Error
Event Submitted/Written: 08/07/2008 08:43:19 PM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1058" attempting to start the service wuauserv with arguments ""
in order to run the server:
{E60687F7-01A1-40AA-86AC-DB1CBF673334}

Event Record #/Type5483 / Warning
Event Submitted/Written: 08/07/2008 07:14:39 PM
Event ID/Source: 1003 / Dhcp
Event Description:
Your computer was not able to renew its address from the network (from the
DHCP Server) for the Network Card with network address 00115B793317. The following
error occurred:
%%121.
Your computer will continue to try and obtain an address on its own from
the network address (DHCP) server.

Event Record #/Type5482 / Warning
Event Submitted/Written: 08/07/2008 07:13:54 PM
Event ID/Source: 1003 / Dhcp
Event Description:
Your computer was not able to renew its address from the network (from the
DHCP Server) for the Network Card with network address 00115B793317. The following
error occurred:
%%121.
Your computer will continue to try and obtain an address on its own from
the network address (DHCP) server.

Event Record #/Type5481 / Warning
Event Submitted/Written: 08/07/2008 07:12:29 PM
Event ID/Source: 1003 / Dhcp
Event Description:
Your computer was not able to renew its address from the network (from the
DHCP Server) for the Network Card with network address 00115B793317. The following
error occurred:
%%121.
Your computer will continue to try and obtain an address on its own from
the network address (DHCP) server.

Event Record #/Type5480 / Warning
Event Submitted/Written: 08/07/2008 07:09:35 PM
Event ID/Source: 1003 / Dhcp
Event Description:
Your computer was not able to renew its address from the network (from the
DHCP Server) for the Network Card with network address 00115B793317. The following
error occurred:
%%121.
Your computer will continue to try and obtain an address on its own from
the network address (DHCP) server.



-- End of Deckard's System Scanner: finished at 2008-08-08 18:34:29 ------------

#5 downset (Topic Starter)

Posted 08 August 2008 - 05:44 PM

Sorry, I messed up. I thought I was supposed to disconnect from the net. I will run the test again.

#6 downset (Topic Starter)

Posted 08 August 2008 - 06:03 PM

Now I can't find the extra file. I did a search and it came up with nothing. I deleted the program and downloaded it again, but it still won't give me an extra.txt.

#7 steamwiz

Posted 08 August 2008 - 06:11 PM

Hi

That's OK ... you will only get an "extra.txt" the first time you run DSS ... I can see all I need from those logs, please run the other programs now :thumbsup:

steam

Edited by steamwiz, 08 August 2008 - 06:20 PM.
to correct spelling

MICROSOFT MVP - Windows Security 2004/9
member of ASAP since 2004
member of U.N.I.T.E

If I have helped you, please consider a small donation to help me continue my online fight in the war against malware

#8 downset (Topic Starter)

Posted 09 August 2008 - 08:56 AM

Here is the Malwarebytes report:

Malwarebytes' Anti-Malware 1.24
Database version: 1034
Windows 5.1.2600 Service Pack 2

9:49:39 AM 8/9/2008
mbam-log-8-9-2008 (09-49-39).txt

Scan type: Quick Scan
Objects scanned: 39455
Time elapsed: 3 minute(s), 54 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 10
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 6

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
D:\WINDOWS\system32\clmwjler.dll (Trojan.Vundo) -> Delete on reboot.

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{a23ca8a9-47d8-4db1-ae46-0aa018cc576e} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{a23ca8a9-47d8-4db1-ae46-0aa018cc576e} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\OneStepSearch (Adware.OneStepSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\IProxyProvider (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\20281c23 (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{a23ca8a9-47d8-4db1-ae46-0aa018cc576e} (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
D:\Program Files\OneStepSearch (Adware.OneStepSearch) -> Quarantined and deleted successfully.

Files Infected:
D:\WINDOWS\system32\clmwjler.dll (Trojan.Vundo) -> Delete on reboot.
D:\WINDOWS\system32\reljwmlc.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\WINDOWS\system32\otloqnvr.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\WINDOWS\cookies.ini (Malware.Trace) -> Quarantined and deleted successfully.
D:\WINDOWS\BMeb89a291.xml (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\WINDOWS\BMeb89a291.txt (Trojan.Vundo) -> Quarantined and deleted successfully.

#9 steamwiz

Posted 09 August 2008 - 03:51 PM

Hi

Looking better :thumbsup: but there is still more to do ...

Please try to post the Kaspersky Online Scanner report ... it may take several hours to complete ... this is normal.

THEN ...

Please follow these directions to run Combofix & post a log.

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

steam

#10 downset (Topic Starter)

Posted 09 August 2008 - 06:10 PM

Kaspersky Scan:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Saturday, August 9, 2008
Operating System: Microsoft Windows XP Home Edition Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Saturday, August 09, 2008 00:14:55
Records in database: 1070682
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\
F:\

Scan statistics:
Files scanned: 29878
Threat name: 2
Infected objects: 18
Suspicious objects: 0
Duration of the scan: 13:18:06


File name / Threat name / Threats count
D:\WINDOWS\system32\clmwjler.dll/D:\WINDOWS\system32\clmwjler.dll Infected: Trojan.Win32.Monder.dkc 16
D:\Documents and Settings\Derek\Application Data\mIRC\downloads\MIRC.v6.32.Incl.KeyMaker.and.AuthPatch-DVT.rar Infected: not-a-virus:Client-IRC.Win32.mIRC.632 1
D:\WINDOWS\system32\clmwjler.dll Infected: Trojan.Win32.Monder.dkc 1

The selected area was scanned.

#11 downset (Topic Starter)

Posted 09 August 2008 - 07:01 PM

I just ran ComboFix and I don't believe this is normal, but my computer rebooted itself. The log file just states that ComboFix created a new restore point. Should I try to run it again? It got all the way through the stages and said something else below it, but while I was reading it, the computer rebooted.

#12 downset (Topic Starter)

Posted 09 August 2008 - 08:27 PM

I went ahead and ran it again. This time it said it was rebooting and gave me this log.txt:

ComboFix 08-08-09.02 - Derek 2008-08-09 21:14:18.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.479 [GMT -4:00]
Running from: D:\Documents and Settings\Derek\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
D:\WINDOWS\system32\drivers\beep.sys
D:\WINDOWS\system32\lodwtgpw.ini
D:\WINDOWS\system32\mcrh.tmp
D:\WINDOWS\system32\vFPWEfhk.ini
D:\WINDOWS\system32\vFPWEfhk.ini2
D:\WINDOWS\system32\xbkkulfl.ini

.
((((((((((((((((((((((((( Files Created from 2008-07-10 to 2008-08-10 )))))))))))))))))))))))))))))))
.

2008-08-09 09:40 . 2008-08-09 09:40 <DIR> d-------- D:\Program Files\Malwarebytes' Anti-Malware
2008-08-09 09:40 . 2008-08-09 09:40 <DIR> d-------- D:\Documents and Settings\Derek\Application Data\Malwarebytes
2008-08-09 09:40 . 2008-08-09 09:40 <DIR> d-------- D:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-08-09 09:40 . 2008-07-30 20:15 38,472 --a------ D:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-08-09 09:40 . 2008-07-30 20:15 17,144 --a------ D:\WINDOWS\system32\drivers\mbam.sys
2008-08-09 09:28 . 2008-08-09 21:18 <DIR> d-a------ D:\Documents and Settings\All Users\Application Data\TEMP
2008-08-09 09:28 . 2004-03-09 00:00 1,081,616 --a------ D:\WINDOWS\system32\MSCOMCTL.OCX
2008-08-08 18:28 . 2008-08-08 18:28 <DIR> d-------- D:\Deckard
2008-08-07 19:53 . 2008-08-07 19:53 <DIR> d-------- D:\Program Files\Trend Micro
2008-08-07 17:19 . 2008-08-07 17:19 24,576 --a------ D:\WINDOWS\system32\VundoFixSVC.exe
2008-08-07 17:05 . 2008-08-07 17:36 <DIR> d-------- D:\VundoFix Backups
2008-08-05 19:21 . 2008-08-05 19:21 <DIR> d-------- D:\Program Files\Spybot - Search & Destroy
2008-08-05 19:21 . 2008-08-05 20:09 <DIR> d-------- D:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-08-04 19:23 . 2008-08-04 19:23 <DIR> d---s---- D:\Documents and Settings\Derek\UserData
2008-07-28 16:53 . 2004-08-03 23:08 26,496 --a--c--- D:\WINDOWS\system32\dllcache\usbstor.sys
2008-07-28 13:46 . 2008-07-28 13:46 0 --a------ D:\WINDOWS\ativpsrm.bin
2008-07-28 13:43 . 2008-07-28 13:43 <DIR> d-------- D:\ATI
2008-07-28 13:36 . 2008-07-28 13:36 <DIR> d-------- D:\Program Files\XviD
2008-07-28 13:36 . 2008-07-28 13:36 <DIR> d-------- D:\Program Files\Apex
2008-07-28 13:26 . 2008-07-28 13:26 <DIR> d-------- D:\Program Files\TV
2008-07-28 13:26 . 2008-07-28 13:26 <DIR> d-------- D:\Documents and Settings\Derek\Application Data\WebCompiler3
2008-07-21 12:57 . 2008-07-28 19:30 <DIR> d-------- D:\Program Files\Picasa2
2008-07-21 12:57 . 2006-10-04 22:42 2,560 --a------ D:\WINDOWS\system32\drivers\cdralw2k.sys
2008-07-21 12:57 . 2006-10-04 22:42 2,432 --a------ D:\WINDOWS\system32\drivers\cdr4_xp.sys
2008-07-21 11:20 . 2008-07-21 11:20 <DIR> d-------- D:\Program Files\ConvertHelper
2008-07-20 09:17 . 2008-08-08 18:51 5,120 --ahs---- D:\WINDOWS\system32\Thumbs.db
2008-07-19 09:09 . 2008-07-19 09:09 <DIR> d-------- D:\Program Files\Sun
2008-07-14 13:04 . 2008-07-14 13:04 <DIR> d-------- D:\Program Files\REGSHAVE
2008-07-14 13:04 . 2001-11-25 07:11 81,924 --a------ D:\WINDOWS\system32\drivers\VC4CB104.SYS
2008-07-14 13:04 . 2002-02-05 12:33 69,632 --a------ D:\WINDOWS\system32\FREGSHEX.DLL
2008-07-14 13:04 . 2002-02-27 07:27 65,536 --a------ D:\WINDOWS\system32\FINFCHECK.dll
2008-07-14 13:04 . 2002-06-25 10:06 45,056 --a------ D:\WINDOWS\system32\FINFCOPY.dll
2008-07-14 13:04 . 2002-02-13 06:00 45,056 --a------ D:\WINDOWS\system32\FCLKBTN.DLL
2008-07-13 15:21 . 2008-07-13 15:21 12,736 --ah----- D:\WINDOWS\system32\mlfcache.dat
2008-07-11 18:05 . 2008-08-04 15:53 <DIR> d-------- D:\Documents and Settings\Derek\Application Data\mIRC

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-10 01:18 --------- d-----w D:\Documents and Settings\Derek\Application Data\DMCache
2008-08-09 00:59 --------- d-----w D:\Documents and Settings\All Users\Application Data\Google Updater
2008-08-04 22:42 --------- d-----w D:\Documents and Settings\Derek\Application Data\Azureus
2008-07-19 13:09 --------- d-----w D:\Program Files\Java
2008-07-17 20:50 --------- d-----w D:\Program Files\Google
2008-07-14 17:04 --------- d--h--w D:\Program Files\InstallShield Installation Information
2008-07-14 17:02 --------- d-----w D:\Documents and Settings\Derek\Application Data\IDM
2008-07-07 23:37 --------- d-----w D:\Program Files\EA SPORTS
2008-07-04 06:33 3,230,720 ----a-w D:\WINDOWS\system32\drivers\ati2mtag.sys
2008-07-04 03:48 9,490,432 ----a-w D:\WINDOWS\system32\atioglx2.dll
2008-07-04 03:25 421,888 ----a-w D:\WINDOWS\system32\ATIDEMGX.dll
2008-07-04 03:23 309,248 ----a-w D:\WINDOWS\system32\ati2dvag.dll
2008-07-04 03:14 26,112 ----a-w D:\WINDOWS\system32\Ati2mdxx.exe
2008-07-04 03:14 184,320 ----a-w D:\WINDOWS\system32\atipdlxx.dll
2008-07-04 03:14 143,360 ----a-w D:\WINDOWS\system32\Oemdspif.dll
2008-07-04 03:13 43,520 ----a-w D:\WINDOWS\system32\ati2edxx.dll
2008-07-04 03:13 139,264 ----a-w D:\WINDOWS\system32\ati2evxx.dll
2008-07-04 03:12 561,152 ----a-w D:\WINDOWS\system32\ati2evxx.exe
2008-07-04 03:10 53,248 ----a-w D:\WINDOWS\system32\ATIDDC.DLL
2008-07-04 03:06 253,952 ----a-w D:\WINDOWS\system32\atiok3x2.dll
2008-07-04 03:00 3,786,144 ----a-w D:\WINDOWS\system32\ati3duag.dll
2008-07-04 02:55 307,200 ----a-w D:\WINDOWS\system32\atiiiexx.dll
2008-07-04 02:49 2,140,672 ----a-w D:\WINDOWS\system32\ativvaxx.dll
2008-07-04 02:34 48,640 ----a-w D:\WINDOWS\system32\amdpcom32.dll
2008-07-04 02:30 348,160 ----a-w D:\WINDOWS\system32\atikvmag.dll
2008-07-04 02:29 32,768 ----a-w D:\WINDOWS\system32\atiadlxx.dll
2008-07-04 02:28 53,248 ----a-w D:\WINDOWS\system32\drivers\ati2erec.dll
2008-07-04 02:28 17,408 ----a-w D:\WINDOWS\system32\atitvo32.dll
2008-07-04 02:25 5,439,488 ----a-w D:\WINDOWS\system32\atioglxx.dll
2008-07-04 02:22 565,248 ----a-w D:\WINDOWS\system32\ati2cqag.dll
2008-07-04 01:05 593,920 ----a-w D:\WINDOWS\system32\ati2sgag.exe
2008-07-03 23:12 --------- d-----w D:\Program Files\Azureus
2008-07-02 21:04 --------- d-----w D:\Documents and Settings\All Users\Application Data\Cabela's Trophy Bucks Saves
2008-07-02 20:57 --------- d-----w D:\Program Files\Activision Value
2008-07-02 01:27 --------- d-----w D:\Program Files\Hunting Unlimited 2008
2008-07-01 01:00 --------- d-----w D:\Program Files\MSXML 4.0
2008-06-30 23:13 --------- d-----w D:\Program Files\Internet Download Manager
2008-06-26 20:51 --------- d-----w D:\Documents and Settings\Derek\Application Data\Ahead
2008-06-25 22:57 --------- d-----w D:\Documents and Settings\All Users\Application Data\Ahead
2008-06-25 22:55 --------- d-----w D:\Program Files\Common Files\Ahead
2008-06-25 22:53 --------- d-----w D:\Documents and Settings\All Users\Application Data\Nero
2008-06-23 19:42 --------- d-----w D:\Documents and Settings\Derek\Application Data\X10 Commander
2008-06-23 19:39 --------- d-----w D:\Program Files\Nero
2008-06-21 14:43 --------- d-----w D:\Program Files\Audacity
2008-06-20 23:11 --------- d-----w D:\Program Files\Windows Media Connect 2
2008-06-20 23:11 --------- d-----w D:\Documents and Settings\Derek\Application Data\Softplicity
2008-06-20 17:41 245,248 ----a-w D:\WINDOWS\system32\mswsock.dll
2008-06-20 10:45 360,320 ----a-w D:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:44 138,368 ----a-w D:\WINDOWS\system32\drivers\afd.sys
2008-06-20 09:52 225,920 ----a-w D:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-13 13:10 272,128 ----a-w D:\WINDOWS\system32\drivers\bthport.sys
2001-11-23 04:08 712,704 ----a-r D:\WINDOWS\inf\OTHER\AUDIO3D.DLL
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATI Remote Control"="D:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe" [2004-04-16 06:43 196608]
"CursorXP"="D:\Program Files\CursorXP\CursorXP.exe" [2005-01-19 17:34 128000]
"IDMan"="D:\Program Files\Internet Download Manager\IDMan.exe" [2008-06-03 16:38 2594224]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="D:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2008-01-22 11:13 152872]
"SpybotSD TeaTimer"="D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-07-07 09:42 2156368]
"RegistryMechanic"="D:\Program Files\Registry Mechanic\RegMech.exe" [2008-07-08 16:41 2828184]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SiSUSBRG"="D:\WINDOWS\SiSUSBrg.exe" [2002-07-12 06:15 106496]
"ATIPTA"="D:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-07-10 21:10 339968]
"ATI DeviceDetect"="D:\Program Files\ATI Multimedia\main\ATIDtct.EXE" [2004-06-15 22:17 69705]
"Adobe Reader Speed Launcher"="D:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"SunJavaUpdateSched"="D:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
"EPSON Stylus Photo 820 Series"="D:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S0EIC1.EXE" [2002-04-10 03:00 74240]
"NeroFilterCheck"="D:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2008-05-28 08:27 570664]
"REGSHAVE"="D:\Program Files\REGSHAVE\REGSHAVE.EXE" [2002-02-04 22:32 53248]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.XVID"= xvid.dll
"VIDC.YV12"= yv12vfw.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"D:\\Program Files\\Azureus\\Azureus.exe"=
"D:\\Program Files\\Nero\\Nero 7\\Nero Home\\NeroHome.exe"=
"D:\\Program Files\\Common Files\\Ahead\\Nero Web\\SetupX.exe"=

R1 aswSP;avast! Self Protection;D:\WINDOWS\system32\drivers\aswSP.sys [2008-07-19 10:35]
R2 aswFsBlk;aswFsBlk;D:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-07-19 10:37]
.
- - - - ORPHANS REMOVED - - - -

BHO-{A23CA8A9-47D8-4DB1-AE46-0AA018CC576E} - (no file)
BHO-{B733BD5F-B57D-4B0C-AB6E-9AF2DDE3EFF7} - D:\WINDOWS\system32\khfEWPFv.dll
HKCU-Run-ATI Launchpad - (no file)
HKLM-Run-Cmaudio - cmicnfg.cpl
HKLM-Run-NWEReboot - (no file)
Notify-ssqRIXQG - (no file)


.
------- Supplementary Scan -------
.
FireFox -: Profile - D:\Documents and Settings\Derek\Application Data\Mozilla\Firefox\Profiles\7u4r1qg3.default\
FF -: plugin - D:\Program Files\Google\Google Updater\2.2.1229.1533\npCIDetect11.dll


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-09 21:18:12
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
D:\WINDOWS\system32\ati2evxx.exe
D:\WINDOWS\system32\ati2evxx.exe
D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
D:\Program Files\Alwil Software\Avast4\ashServ.exe
D:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
D:\WINDOWS\system32\IoctlSvc.exe
D:\WINDOWS\system32\rundll32.exe
D:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
D:\Program Files\Alwil Software\Avast4\ashWebSv.exe
D:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
D:\WINDOWS\system32\rundll32.exe
D:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
D:\Program Files\Internet Download Manager\IEMonitor.exe
D:\WINDOWS\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-08-09 21:20:34 - machine was rebooted [Derek]
ComboFix-quarantined-files.txt 2008-08-10 01:20:28

Pre-Run: 255,002,148,864 bytes free
Post-Run: 254,939,656,192 bytes free

192 --- E O F --- 2008-07-08 20:53:00
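
The "Reg Loading Points" block in the ComboFix log above is the part worth reading by hand: besides the Run keys it records that both Security Center notifications are switched off ("AntiVirusDisableNotify" and "UpdatesDisableNotify" set to 1) and that the XP firewall is disabled for the standard profile ("EnableFirewall"= 0), whether by the user or by something else on the machine. The script below is an added example for this thread, not code from ComboFix or from anyone in the discussion; it parses that REGEDIT4-style section and reports the weakened settings and the firewall exception list. The sample text is an excerpt copied from the log posted above; the list of settings checked (WEAK_SETTINGS) is the author's own choice and is an assumption about which values matter.

```python
"""Audit the 'Reg Loading Points' section of a ComboFix log for weakened
security settings.  Added example for this thread, not part of ComboFix;
the sample text below is an excerpt of the log posted in the thread."""
import re

# Sample input: an excerpt of the REGEDIT4 block from the posted ComboFix log.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"D:\\Program Files\\Azureus\\Azureus.exe"=
"""

# Settings worth flagging (assumed list, chosen for this example).  Each entry:
# (substring of the registry key, value name, value that means "weakened").
WEAK_SETTINGS = [
    ("security center", "AntiVirusDisableNotify", 1),
    ("security center", "UpdatesDisableNotify", 1),
    ("security center", "FirewallDisableNotify", 1),
    ("firewallpolicy\\standardprofile", "EnableFirewall", 0),
]

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]\s*$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<raw>.*)$')


def parse_reg_block(text):
    """Return {key: {value_name: raw_value}} from a REGEDIT4-style dump.
    Keys are lower-cased so lookups do not depend on ComboFix's casing."""
    keys = {}
    current = None
    for line in text.splitlines():
        m = KEY_RE.match(line)
        if m:
            current = m.group("key").lower()
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            keys[current][m.group("name")] = m.group("raw").strip()
    return keys


def to_int(raw):
    """Decode 'dword:00000001' or ComboFix's '0 (0x0)' rendering to an int."""
    if raw.lower().startswith("dword:"):
        return int(raw[6:], 16)
    m = re.match(r"(\d+)", raw)
    return int(m.group(1)) if m else None


def find_weak_settings(text):
    """List (key, value_name, value) for every setting in a weakened state."""
    keys = parse_reg_block(text)
    found = []
    for key, values in keys.items():
        for key_part, name, bad in WEAK_SETTINGS:
            if key_part in key and name in values and to_int(values[name]) == bad:
                found.append((key, name, to_int(values[name])))
    return found


def authorized_apps(text):
    """Programs whitelisted through the XP firewall exception list.
    ComboFix doubles the backslashes in these names; they are collapsed here."""
    keys = parse_reg_block(text)
    apps = []
    for key, values in keys.items():
        if key.endswith("authorizedapplications\\list"):
            apps.extend(v.replace("\\\\", "\\") for v in values)
    return apps


if __name__ == "__main__":
    for key, name, val in find_weak_settings(SAMPLE_LOG):
        print(f"weak: {name}={val} under [{key}]")
    for app in authorized_apps(SAMPLE_LOG):
        print(f"firewall exception: {app}")
```

Run against the full log rather than the excerpt, the same parser also gives you the Run-key entries, so the "empty entries & legit default entries are not shown" filtering ComboFix applies can be double-checked against a HijackThis O4 list from the same machine.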

#13 steamwiz

Posted 10 August 2008 - 03:57 PM

Hi

It's normal for Combofix to reboot in order to delete files ... & the same for Malwarebytes' Anti-Malware ...

We have a little puzzle ...

Malwarebytes' Anti-Malware found this :-

Memory Modules Infected:
D:\WINDOWS\system32\clmwjler.dll (Trojan.Vundo) -> Delete on reboot.

Files Infected:
D:\WINDOWS\system32\clmwjler.dll (Trojan.Vundo) -> Delete on reboot.

Did you reboot after running Malwarebytes' Anti-Malware?

Because it should have been removed ... but the KASPERSKY ONLINE SCAN shows :-

D:\WINDOWS\system32\clmwjler.dll/D:\WINDOWS\system32\clmwjler.dll Infected: Trojan.Win32.Monder.dkc 16

D:\WINDOWS\system32\clmwjler.dll Infected: Trojan.Win32.Monder.dkc 1

THEN ... I would have expected ComboFix to remove it, but ComboFix doesn't show it; in fact the ComboFix log is clean :thumbsup:

-
Please run Malwarebytes' Anti-Malware again & post the new log ...

THEN run DSS again & post the main.txt

The clmwjler.dll file has been disabled from running (if not deleted), so your computer should be running OK now ... is it?

steam

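The puzzle steamwiz describes (Malwarebytes could only schedule clmwjler.dll for "Delete on reboot", Kaspersky still saw it afterwards, ComboFix then reported nothing) is exactly the kind of check that is easier to do by cross-referencing the logs than by eye. The script below is an added example written for this thread, not code from Malwarebytes, Kaspersky or ComboFix: it parses the item lines of a Malwarebytes log and a Kaspersky Online Scanner report, lists the paths that were only scheduled for deletion at reboot but still appear in the later scan, and lists anything the later scanner found that the earlier one never mentioned. The sample lines are constructed from the reports posted above; the line formats assumed by the two regular expressions are taken from those posted logs only.

```python
"""Cross-check successive scanner logs for items scheduled for 'Delete on
reboot' that a later scan still reports.  Added example for this thread,
not code from any of the scanners; sample lines are copied from the
reports posted in the thread."""
import re

# Sample input: item lines copied from the first Malwarebytes log in the thread.
MBAM_LOG = r"""
Memory Modules Infected:
D:\WINDOWS\system32\clmwjler.dll (Trojan.Vundo) -> Delete on reboot.

Files Infected:
D:\WINDOWS\system32\clmwjler.dll (Trojan.Vundo) -> Delete on reboot.
D:\WINDOWS\system32\reljwmlc.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\WINDOWS\system32\otloqnvr.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
"""

# Sample input: result lines copied from the later Kaspersky Online Scanner report.
KASPERSKY_REPORT = r"""
D:\WINDOWS\system32\clmwjler.dll/D:\WINDOWS\system32\clmwjler.dll Infected: Trojan.Win32.Monder.dkc 16
D:\Documents and Settings\Derek\Application Data\mIRC\downloads\MIRC.v6.32.Incl.KeyMaker.and.AuthPatch-DVT.rar Infected: not-a-virus:Client-IRC.Win32.mIRC.632 1
D:\WINDOWS\system32\clmwjler.dll Infected: Trojan.Win32.Monder.dkc 1
"""

# Line formats as they appear in the posted logs (an assumption for other versions).
MBAM_RE = re.compile(r"^(?P<path>[A-Z]:\\.+?) \((?P<name>[^)]+)\) -> (?P<action>.+?)\.?$")
KAV_RE = re.compile(r"^(?P<path>[A-Z]:\\.+?) Infected: (?P<name>\S+) (?P<count>\d+)$")


def parse_mbam(text):
    """Return {path: action} from the item lines of a Malwarebytes log.
    Registry items (HKEY_...) are skipped; only drive-letter paths are kept,
    lower-cased because NTFS paths are case-insensitive."""
    items = {}
    for line in text.splitlines():
        m = MBAM_RE.match(line.strip())
        if m:
            items[m.group("path").lower()] = m.group("action")
    return items


def parse_kaspersky(text):
    """Return {path: threat_name} from a Kaspersky Online Scanner report.
    For 'outer/inner' entries (objects found inside a file) the outer path is kept."""
    items = {}
    for line in text.splitlines():
        m = KAV_RE.match(line.strip())
        if m:
            path = m.group("path").split("/")[0]
            items[path.lower()] = m.group("name")
    return items


def persisted_after_reboot(mbam_text, later_text):
    """Paths Malwarebytes could only schedule for deletion at reboot that a
    later scanner still reports.  Either the reboot never happened, the
    delayed delete failed, or the file was put back by something the scan
    did not remove; any of these means the cleanup is not finished."""
    scheduled = {p for p, a in parse_mbam(mbam_text).items()
                 if a.lower() == "delete on reboot"}
    later = parse_kaspersky(later_text)
    return sorted(p for p in scheduled if p in later)


def new_findings(mbam_text, later_text):
    """(path, threat) pairs the later scanner reports that the earlier log
    never listed, so they get looked at rather than assumed handled."""
    earlier = parse_mbam(mbam_text)
    later = parse_kaspersky(later_text)
    return sorted((p, n) for p, n in later.items() if p not in earlier)


if __name__ == "__main__":
    for p in persisted_after_reboot(MBAM_LOG, KASPERSKY_REPORT):
        print(f"still present after scheduled delete: {p}")
    for p, n in new_findings(MBAM_LOG, KASPERSKY_REPORT):
        print(f"new in later scan: {p} ({n})")
```

On the posted logs this reports clmwjler.dll as still present and the mIRC keygen archive as a finding only Kaspersky raised, which is the same conclusion steamwiz reached by reading the two reports side by side.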
#14 downset (Topic Starter)

Posted 10 August 2008 - 08:30 PM

OK, here is the Malwarebytes log again. I will reboot now and then run DSS:

Malwarebytes' Anti-Malware 1.24
Database version: 1034
Windows 5.1.2600 Service Pack 2

9:27:20 PM 8/10/2008
mbam-log-8-10-2008 (21-27-20).txt

Scan type: Quick Scan
Objects scanned: 38479
Time elapsed: 4 minute(s), 16 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{a23ca8a9-47d8-4db1-ae46-0aa018cc576e} (Trojan.Vundo) -> Delete on reboot.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#15 downset (Topic Starter)

Posted 10 August 2008 - 08:38 PM

Here is the DSS log:

Deckard's System Scanner v20071014.68
Run by Derek on 2008-08-10 21:33:32
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as Derek.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:33:52 PM, on 8/10/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
D:\Program Files\Alwil Software\Avast4\ashServ.exe
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
D:\Program Files\ATI Multimedia\main\ATIDtct.EXE
D:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
D:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
D:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S0EIC1.EXE
D:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
D:\Program Files\CursorXP\CursorXP.exe
D:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
D:\WINDOWS\system32\rundll32.exe
D:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
D:\WINDOWS\system32\IoctlSvc.exe
D:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
D:\Program Files\Alwil Software\Avast4\ashWebSv.exe
D:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
D:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
D:\Program Files\Internet Download Manager\IEMonitor.exe
D:\WINDOWS\system32\wuauclt.exe
D:\Documents and Settings\Derek\My Documents\Downloads\Programs\dss.exe
D:\PROGRA~1\TRENDM~1\HIJACK~1\Derek.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.mini20.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - D:\Program Files\Internet Download Manager\IDMIECC.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - D:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - D:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - D:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O4 - HKLM\..\Run: [SiSUSBRG] D:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [ATIPTA] D:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATI DeviceDetect] D:\Program Files\ATI Multimedia\main\ATIDtct.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "D:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [EPSON Stylus Photo 820 Series] D:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S0EIC1.EXE /P29 "EPSON Stylus Photo 820 Series" /O5 "LPT1:" /M "Stylus Photo 820"
O4 - HKLM\..\Run: [NeroFilterCheck] D:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [REGSHAVE] D:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKCU\..\Run: [ATI Remote Control] D:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe
O4 - HKCU\..\Run: [CursorXP] D:\Program Files\CursorXP\CursorXP.exe
O4 - HKCU\..\Run: [IDMan] D:\Program Files\Internet Download Manager\IDMan.exe /onboot
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "D:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [RegistryMechanic] D:\Program Files\Registry Mechanic\RegMech.exe /H
O8 - Extra context menu item: Download all links with IDM - D:\Program Files\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download FLV video content with IDM - D:\Program Files\Internet Download Manager\IEGetVL.htm
O8 - Extra context menu item: Download with IDM - D:\Program Files\Internet Download Manager\IEExt.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - D:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - D:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - D:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - D:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - D:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Google Updater Service (gusvc) - Google - D:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NBService - Nero AG - D:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - D:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - D:\WINDOWS\system32\IoctlSvc.exe
O23 - Service: VundoFix Service (VundoFixSvc) - Atribune.org - D:\WINDOWS\SYSTEM32\VundoFixSVC.exe
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - D:\PROGRA~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)

--
End of file - 6671 bytes

-- Files created between 2008-07-10 and 2008-08-10 -----------------------------

2008-08-09 19:51:56 68096 --a------ D:\WINDOWS\zip.exe
2008-08-09 19:51:56 49152 --a------ D:\WINDOWS\VFind.exe
2008-08-09 19:51:56 212480 --a------ D:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-08-09 19:51:56 136704 --a------ D:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-08-09 19:51:56 161792 --a------ D:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-08-09 19:51:56 98816 --a------ D:\WINDOWS\sed.exe
2008-08-09 19:51:56 80412 --a------ D:\WINDOWS\grep.exe
2008-08-09 19:51:56 89504 --a------ D:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-08-09 19:28:53 0 d-------- D:\WINDOWS\setup.pss
2008-08-09 19:28:41 0 d-------- D:\WINDOWS\setupupd
2008-08-09 09:40:37 0 d-------- D:\Documents and Settings\Derek\Application Data\Malwarebytes
2008-08-09 09:40:32 0 d-------- D:\Program Files\Malwarebytes' Anti-Malware
2008-08-09 09:40:32 0 d-------- D:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-08-09 09:28:52 0 d-a------ D:\Documents and Settings\All Users\Application Data\TEMP
2008-08-07 19:53:25 0 d-------- D:\Program Files\Trend Micro
2008-08-07 17:19:48 24576 --a------ D:\WINDOWS\system32\VundoFixSVC.exe <Not Verified; Atribune.org; Vundofix Service>
2008-08-07 17:05:41 0 d-------- D:\VundoFix Backups
2008-08-05 19:21:35 0 d-------- D:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-08-04 19:23:09 0 d---s---- D:\Documents and Settings\Derek\UserData
2008-07-28 13:46:41 0 --a------ D:\WINDOWS\ativpsrm.bin
2008-07-28 13:43:25 0 d-------- D:\ATI
2008-07-28 13:36:41 0 d-------- D:\Program Files\XviD
2008-07-28 13:36:25 120320 --a------ D:\WINDOWS\system32\apexchanger.exe
2008-07-28 13:36:25 109568 --a------ D:\WINDOWS\system32\apex3gp.exe
2008-07-28 13:36:24 626688 --a------ D:\WINDOWS\system32\NCTImageFile.dll <Not Verified; Online Media Technologies Ltd.; NCTImageFile ActiveX DLL>
2008-07-28 13:36:24 61440 --a------ D:\WINDOWS\system32\cygz.dll
2008-07-28 13:36:24 1295582 --a------ D:\WINDOWS\system32\cygwin1.dll <Not Verified; Red Hat; Cygwin>
2008-07-28 13:36:24 4755968 --a------ D:\WINDOWS\system32\apexconverter.exe
2008-07-28 13:36:24 86016 --a------ D:\WINDOWS\system32\AddiTunes.exe
2008-07-28 13:36:23 780288 --a------ D:\WINDOWS\system32\NCTVideoCompress.dll <Not Verified; NCT Company Ltd.; NCTVideoCompress ActiveX DLL>
2008-07-28 13:36:23 90112 --a------ D:\WINDOWS\system32\NCTAudioFormatSettings3.dll <Not Verified; Online Media Technologies Ltd.; NCTAudioFormatSettings3 Module>
2008-07-28 13:36:22 215552 --a------ D:\WINDOWS\system32\NCTWMVFile.dll <Not Verified; NCT Company Ltd.; NCTWMVFile ActiveX DLL>
2008-07-28 13:36:22 312320 --a------ D:\WINDOWS\system32\NCTVideoView.dll <Not Verified; Online Media Technologies Ltd.; NCTVideoView ActiveX DLL>
2008-07-28 13:36:22 188416 --a------ D:\WINDOWS\system32\NCTVideoFile.dll <Not Verified; NCT Company Ltd.; NCTVideoFile ActiveX DLL>
2008-07-28 13:36:22 2846720 --a------ D:\WINDOWS\system32\NCTAudioCompress3.dll <Not Verified; Online Media Technologies Ltd.; NCTAudioCompress3 Module>
2008-07-28 13:36:22 778240 --a------ D:\WINDOWS\system32\NCTAudioCompress2.dll <Not Verified; Online Media Technologies Ltd.; NCTAudioCompress2 Module>
2008-07-28 13:36:21 237568 --a------ D:\WINDOWS\system32\lame_enc.dll
2008-07-28 13:36:19 81920 --a------ D:\WINDOWS\system32\viscomwave.dll <Not Verified; Viscom Software; >
2008-07-28 13:36:19 147456 --a------ D:\WINDOWS\system32\viscomqtenc.dll <Not Verified; Viscom Software www.viscomsoft.com; >
2008-07-28 13:36:19 139264 --a------ D:\WINDOWS\system32\viscomqtde.dll <Not Verified; Viscom Software www.viscomsoft.com; >
2008-07-28 13:36:19 0 d-------- D:\WINDOWS\system32\RMBin
2008-07-28 13:36:17 0 d-------- D:\Program Files\Apex
2008-07-28 13:26:21 0 d-------- D:\Documents and Settings\Derek\Application Data\WebCompiler3
2008-07-28 13:26:01 0 d-------- D:\Program Files\TV
2008-07-21 12:57:05 0 d-------- D:\Program Files\Picasa2
2008-07-21 11:20:36 0 d-------- D:\Program Files\ConvertHelper
2008-07-19 09:09:40 0 d-------- D:\Program Files\Sun
2008-07-14 13:04:12 69632 --a------ D:\WINDOWS\system32\FREGSHEX.DLL <Not Verified; FUJIFILM; FUJIFILM Fregshave>
2008-07-14 13:04:12 45056 --a------ D:\WINDOWS\system32\FINFCOPY.dll <Not Verified; FUJIFILM; FUJIFILM FINFCOPY>
2008-07-14 13:04:12 65536 --a------ D:\WINDOWS\system32\FINFCHECK.dll <Not Verified; FUJIFILM; FUJIFILM FINFCHECK>
2008-07-14 13:04:12 45056 --a------ D:\WINDOWS\system32\FCLKBTN.DLL <Not Verified; FUJIFILM; FUJIFILM FCLKBTN>
2008-07-14 13:04:12 0 d-------- D:\Program Files\REGSHAVE
2008-07-13 15:21:22 12736 --ah----- D:\WINDOWS\system32\mlfcache.dat
2008-07-11 18:05:56 0 d-------- D:\Documents and Settings\Derek\Application Data\mIRC


-- Find3M Report ---------------------------------------------------------------

2008-08-10 21:33:20 0 d-------- D:\Documents and Settings\Derek\Application Data\DMCache
2008-08-10 15:22:54 0 d-------- D:\Documents and Settings\Derek\Application Data\Azureus
2008-08-09 21:15:26 0 d-------- D:\Program Files\Common Files
2008-08-05 18:24:10 0 d-------- D:\Documents and Settings\Derek\Application Data\Mozilla
2008-07-19 09:09:29 0 d-------- D:\Program Files\Java
2008-07-17 16:50:24 0 d-------- D:\Program Files\Google
2008-07-14 13:04:12 0 d--h----- D:\Program Files\InstallShield Installation Information
2008-07-14 13:02:18 0 d-------- D:\Documents and Settings\Derek\Application Data\IDM
2008-07-10 20:27:52 0 d-------- D:\Documents and Settings\Derek\Application Data\Macromedia
2008-07-07 19:37:48 0 d-------- D:\Program Files\EA SPORTS
2008-07-03 21:05:00 593920 --a------ D:\WINDOWS\system32\ati2sgag.exe <Not Verified; ; ATI Smart>
2008-07-03 19:12:30 0 d-------- D:\Program Files\Azureus
2008-07-02 16:57:58 0 d-------- D:\Program Files\Activision Value
2008-07-01 21:27:06 0 d-------- D:\Program Files\Hunting Unlimited 2008
2008-07-01 20:57:54 0 d-------- D:\Documents and Settings\Derek\Application Data\WinRAR
2008-06-30 21:00:03 0 d-------- D:\Program Files\MSXML 4.0
2008-06-30 19:13:50 0 d-------- D:\Program Files\Internet Download Manager
2008-06-26 16:51:02 0 d-------- D:\Documents and Settings\Derek\Application Data\Ahead
2008-06-25 18:55:51 0 d-------- D:\Program Files\Common Files\Ahead
2008-06-23 15:42:34 0 d-------- D:\Documents and Settings\Derek\Application Data\X10 Commander
2008-06-23 15:39:54 0 d-------- D:\Program Files\Nero
2008-06-21 10:43:28 0 d-------- D:\Program Files\Audacity
2008-06-20 19:12:09 0 d-------- D:\Program Files\Messenger
2008-06-20 19:11:55 0 d-------- D:\Program Files\Windows Media Connect 2
2008-06-20 19:11:03 0 d-------- D:\Documents and Settings\Derek\Application Data\Softplicity
2008-05-25 22:05:25 1160 --a------ D:\WINDOWS\mozver.dat
2008-05-25 21:49:41 664 --a------ D:\WINDOWS\system32\d3d9caps.dat
2008-05-25 21:22:19 0 --a------ D:\WINDOWS\nsreg.dat
2008-05-25 20:41:04 21640 --a------ D:\WINDOWS\system32\emptyregdb.dat
2008-05-25 09:06:55 62 --ahs---- D:\Documents and Settings\Derek\Application Data\desktop.ini


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SiSUSBRG"="D:\WINDOWS\SiSUSBrg.exe" [07/12/2002 06:15 AM]
"ATIPTA"="D:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [07/10/2004 09:10 PM]
"ATI DeviceDetect"="D:\Program Files\ATI Multimedia\main\ATIDtct.EXE" [06/15/2004 10:17 PM]
"Adobe Reader Speed Launcher"="D:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [01/11/2008 10:16 PM]
"SunJavaUpdateSched"="D:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [06/10/2008 04:27 AM]
"EPSON Stylus Photo 820 Series"="D:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S0EIC1.exe" [04/10/2002 03:00 AM]
"NeroFilterCheck"="D:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [05/28/2008 08:27 AM]
"REGSHAVE"="D:\Program Files\REGSHAVE\REGSHAVE.exe" [02/04/2002 10:32 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATI Remote Control"="D:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe" [04/16/2004 06:43 AM]
"CursorXP"="D:\Program Files\CursorXP\CursorXP.exe" [01/19/2005 05:34 PM]
"IDMan"="D:\Program Files\Internet Download Manager\IDMan.exe" [06/03/2008 04:38 PM]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="D:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [01/22/2008 11:13 AM]
"SpybotSD TeaTimer"="D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [07/07/2008 09:42 AM]
"RegistryMechanic"="D:\Program Files\Registry Mechanic\RegMech.exe" [07/08/2008 04:41 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\PSEXESVC"




-- End of Deckard's System Scanner: finished at 2008-08-10 21:34:47 ------------