
Winfixer/virtumonde Trojan


This topic is locked
3 replies to this topic

#1 jcmindeed

  • Members
  • 3 posts
  • Gender:Male
  • Location:USA

Posted 08 August 2008 - 12:37 PM

A pop-up titled gpedits flashes every couple of seconds and says:

"Patch applied successfully! If your software is still trial maybe you need to install it before patch it."

Also ran Windows Defender and came up with two Trojan files that can't be removed:

Trojan:Win32/Conhook.I
TrojanDownloader:Win32/Zlob.gen!GX

This is the log file DSS made, although it only produced main.txt, not extra.txt:

Deckard's System Scanner v20071014.68
Run by JCMINDEED on 2008-08-08 13:23:59
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as JCMINDEED.exe) -------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:24:05 PM, on 8/8/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\System32\smss.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\wininit.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\services.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\winlogon.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\spoolsv.exe
c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Maxtor\Sync\SyncServices.exe
C:\Windows\system32\svchost.exe
C:\Program Files\HP\QuickPlay\Kernel\TV\QPCapSvc.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\Program Files\Hewlett-Packard\HP QuickTouch\HPKBDAPP.exe
C:\Program Files\Windows Defender\MSASCui.exe
c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\HP\Digital Imaging\bin\HpqSRmon.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\mobsync.exe
C:\Program Files\Maxtor\OneTouch Status\MaxMenuMgr.exe
C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisor.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
C:\Program Files\OpenOffice.org 2.4\program\soffice.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
C:\Program Files\OpenOffice.org 2.4\program\soffice.BIN
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
c:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
C:\Windows\system32\taskeng.exe
C:\Windows\ehome\ehsched.exe
C:\Windows\system32\vssvc.exe
C:\Windows\System32\svchost.exe
C:\Windows\explorer.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Windows\notepad.exe
C:\Users\JCMINDEED\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\JCMIND~1.EXE
C:\Windows\system32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...n&pf=laptop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...n&pf=laptop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...n&pf=laptop
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - c:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O2 - BHO: HP Print Clips - {FFFFFFFF-FF12-44C5-91EC-068E3AA1B2D7} - c:\Program Files\HP\Smart Web Printing\hpswp_framework.dll
O3 - Toolbar: FireShot - {6E6E744E-4D20-4ce3-9A7A-26DFFFE22F68} - C:\Users\JCMINDEED\AppData\Roaming\Mozilla\Firefox\Profiles\w4qxg47u.default\extensions\{0b457cAA-602d-484a-8fe7-c1d894a011ba}\library\fsaddin-0.55.dll
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [OnScreenDisplay] C:\Program Files\Hewlett-Packard\HP QuickTouch\HPKBDAPP.exe
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [hpqSRMon] C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe
O4 - HKLM\..\Run: [HP Health Check Scheduler] [ProgramFilesFolder]Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
O4 - HKLM\..\Run: [WAWifiMessage] C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [mxomssmenu] "C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe"
O4 - HKCU\..\Run: [HPAdvisor] C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisor.exe autoRun
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Policies\Explorer\Run: [Windows Printing Driver] gpedits.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O4 - Startup: OpenOffice.org 2.4.lnk = C:\Program Files\OpenOffice.org 2.4\program\quickstart.exe
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\Windows\system32\GPhotos.scr/200
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: HP Smart Select - {58ECB495-38F0-49cb-A538-10282ABF65E7} - c:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://sdlc-esd.sun.com/ESD44/JSCDL/jdk/6u...ows-i586-jc.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~3\GOEC62~1.DLL
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - c:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Com4Qlb - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4Qlb.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files\HP Games\My HP Game Console\GameConsoleService.exe
O23 - Service: Google Desktop Manager 5.7.806.10245 (GoogleDesktopManager-061008-081103) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP Health Check Service - Hewlett-Packard - c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - c:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Maxtor Service (Maxtor Sync Service) - Seagate Technology LLC - C:\Program Files\Maxtor\Sync\SyncServices.exe
O23 - Service: QuickPlay Background Capture Service (QBCS) (QPCapSvc) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\QPCapSvc.exe
O23 - Service: QuickPlay Task Scheduler (QTS) (QPSched) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\QPSched.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 13611 bytes

-- Files created between 2008-07-08 and 2008-08-08 -----------------------------

2008-08-08 13:09:31 0 d-------- C:\Program Files\Trend Micro
2008-08-08 12:19:52 0 d-------- C:\Users\All Users\Lavasoft
2008-08-08 12:19:52 0 d-------- C:\Program Files\Lavasoft
2008-08-08 12:19:13 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-08-07 14:44:20 0 d-------- C:\Program Files\QuickTime
2008-08-07 13:44:16 0 d-------- C:\VundoFix Backups
2008-08-07 00:48:27 0 d-------- C:\Windows\system32\QuickTime
2008-08-07 00:48:22 0 d-------- C:\Program Files\3ivx
2008-08-06 20:41:44 0 d-------- C:\Program Files\OpenOffice.org 2.4
2008-08-06 20:37:43 0 d-------- C:\Program Files\Open Office
2008-08-06 20:11:37 0 d-------- C:\Users\All Users\ALM
2008-08-06 19:59:36 0 d-------- C:\Users\All Users\FLEXnet
2008-08-06 19:39:56 0 d-------- C:\Program Files\Bonjour
2008-08-06 19:08:15 0 d-------- C:\Program Files\Common Files\Macrovision Shared
2008-08-06 18:46:49 0 d-------- C:\Users\All Users\Maxtor
2008-08-06 18:46:49 0 d-------- C:\Program Files\Maxtor
2008-08-06 00:29:51 0 d--hs---- C:\System Volume Information
2008-08-05 23:57:08 0 d-------- C:\Program Files\uTorrent
2008-08-05 22:59:23 0 d-------- C:\Users\All Users\AOL OCP
2008-08-05 22:59:20 0 d-------- C:\Users\All Users\AOL
2008-08-05 21:56:31 0 d-------- C:\Windows\Application Data
2008-08-05 21:03:29 1069056 --a------ C:\Windows\system32\gpedits.exe
2008-08-05 21:03:26 37888 --a------ C:\Windows\system32\rar.exe <Not Verified; Microsoft Corporation; Microsoft® Windows ® 2000 Operating System>
2008-08-05 21:03:25 10 --a------ C:\Windows\system32\ciadvss.exe
2008-08-05 21:03:25 10 --a------ C:\Windows\system32\ciadvs.exe
2008-08-05 21:03:25 7680 --a------ C:\Windows\system32\chkdskss.exe
2008-08-05 21:03:25 7680 --a------ C:\Windows\system32\chkdsks.exe
2008-08-05 20:59:58 0 d-------- C:\Program Files\WinAce
2008-08-05 20:39:53 0 d-------- C:\Users\JCMINDEED\Incomplete
2008-08-05 20:36:34 0 d-------- C:\Program Files\LimeWire
2008-08-05 19:53:07 0 dr------- C:\Users\JCMINDEED\Searches
2008-08-05 19:52:51 0 dr------- C:\Users\JCMINDEED\Contacts
2008-08-05 19:52:41 81 --a------ C:\Windows\system32\LOG
2008-08-05 19:52:38 44 --a------ C:\Windows\system\hpsysdrv.dat
2008-08-05 19:45:27 0 d-------- C:\Program Files\Yahoo!
2008-08-05 19:43:54 0 d-------- C:\Users\All Users\Electronic Arts
2008-08-05 19:39:52 0 d-------- C:\Program Files\Electronic Arts
2008-08-05 19:37:43 0 d-------- C:\Users\JCMINDEED\Videos
2008-08-05 19:37:43 0 d--hs---- C:\Users\JCMINDEED\Templates
2008-08-05 19:37:43 0 d--hs---- C:\Users\JCMINDEED\Start Menu
2008-08-05 19:37:43 0 d--hs---- C:\Users\JCMINDEED\SendTo
2008-08-05 19:37:43 0 dr------- C:\Users\JCMINDEED\Saved Games
2008-08-05 19:37:43 0 d--hs---- C:\Users\JCMINDEED\Recent
2008-08-05 19:37:43 0 d--hs---- C:\Users\JCMINDEED\PrintHood
2008-08-05 19:37:43 0 d-------- C:\Users\JCMINDEED\Pictures
2008-08-05 19:37:43 1572864 --ahs---- C:\Users\JCMINDEED\NTUSER.DAT
2008-08-05 19:37:43 0 d--hs---- C:\Users\JCMINDEED\NetHood
2008-08-05 19:37:43 0 d--hs---- C:\Users\JCMINDEED\My Documents
2008-08-05 19:37:43 0 d-------- C:\Users\JCMINDEED\Music
2008-08-05 19:37:43 0 d--hs---- C:\Users\JCMINDEED\Local Settings
2008-08-05 19:37:43 0 dr------- C:\Users\JCMINDEED\Links
2008-08-05 19:37:43 0 dr------- C:\Users\JCMINDEED\Favorites
2008-08-05 19:37:43 0 d-------- C:\Users\JCMINDEED\Downloads
2008-08-05 19:37:43 0 d-------- C:\Users\JCMINDEED\Documents
2008-08-05 19:37:43 0 dr------- C:\Users\JCMINDEED\Desktop
2008-08-05 19:37:43 0 d--hs---- C:\Users\JCMINDEED\Cookies
2008-08-05 19:37:43 0 d--hs---- C:\Users\JCMINDEED\Application Data
2008-08-05 19:37:43 0 d--h----- C:\Users\JCMINDEED\AppData
2008-08-05 19:10:40 0 d-------- C:\Program Files\Common Files\Adobe
2008-08-05 19:08:59 0 d-a------ C:\Users\All Users\TEMP
2008-08-05 19:08:46 0 d-------- C:\Program Files\Spyware Doctor
2008-08-05 19:07:54 0 d-------- C:\Users\All Users\Mozilla
2008-08-05 19:07:25 0 d-------- C:\Program Files\Picasa2
2008-08-05 19:07:15 0 d-------- C:\Windows\system32\runtime
2008-08-05 19:06:58 0 d-------- C:\Program Files\Norton Security Scan
2008-08-05 19:05:33 0 d-------- C:\Users\All Users\Google
2008-08-05 19:05:08 0 d-------- C:\Users\All Users\Google Updater
2008-08-05 19:05:07 0 d-------- C:\Program Files\Google
2008-08-05 17:29:38 0 d-------- C:\Program Files\MSXML 4.0


-- Find3M Report ---------------------------------------------------------------

2008-08-08 12:19:13 0 d-------- C:\Program Files\Common Files
2008-08-08 00:28:54 27715 --a------ C:\Users\JCMINDEED\AppData\Roaming\nvModes.001
2008-08-08 00:01:15 0 d-------- C:\Users\JCMINDEED\AppData\Roaming\LimeWire
2008-08-07 14:27:37 0 d-------- C:\Program Files\Java
2008-08-07 13:06:58 0 d-------- C:\Users\JCMINDEED\AppData\Roaming\OpenOffice.org2
2008-08-07 03:09:43 0 d-------- C:\Users\JCMINDEED\AppData\Roaming\Adobe
2008-08-07 02:33:21 0 d-------- C:\Users\JCMINDEED\AppData\Roaming\uTorrent
2008-08-06 19:17:30 27715 --a------ C:\Users\JCMINDEED\AppData\Roaming\nvModes.dat
2008-08-06 18:49:31 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-08-06 16:50:26 0 d-------- C:\Users\JCMINDEED\AppData\Roaming\Mozilla
2008-08-06 15:51:51 0 d-------- C:\Users\JCMINDEED\AppData\Roaming\MSNInstaller
2008-08-05 22:59:42 0 d-------- C:\Users\JCMINDEED\AppData\Roaming\acccore
2008-08-05 20:35:08 0 d-------- C:\Users\JCMINDEED\AppData\Roaming\Google
2008-08-05 19:54:59 0 d-------- C:\Users\JCMINDEED\AppData\Roaming\Hewlett-Packard
2008-08-05 19:53:40 0 d-------- C:\Users\JCMINDEED\AppData\Roaming\Symantec
2008-08-05 19:52:54 0 d-------- C:\Users\JCMINDEED\AppData\Roaming\Identities
2008-08-05 19:47:52 0 d-------- C:\Users\JCMINDEED\AppData\Roaming\WildTangent
2008-08-05 19:47:10 0 d-------- C:\Users\JCMINDEED\AppData\Roaming\Macromedia
2008-08-05 19:45:50 0 dr------- C:\Program Files\Online Services
2008-08-05 19:11:51 0 d-------- C:\Users\JCMINDEED\AppData\Roaming\Talkback
2008-08-05 19:08:46 0 d-------- C:\Users\JCMINDEED\AppData\Roaming\PC Tools
2008-08-05 19:05:10 0 d-------- C:\Users\JCMINDEED\AppData\Roaming\Yahoo!
2008-08-05 18:36:38 0 d-------- C:\Users\JCMINDEED\AppData\Roaming\CyberLink
2008-08-05 17:58:38 0 d-------- C:\Program Files\Norton Internet Security
2008-08-05 17:58:37 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-08-05 17:54:57 0 d-------- C:\Program Files\Symantec
2008-08-05 17:35:31 0 d-------- C:\Program Files\Windows Mail


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{602ADB0E-4AFF-4217-8AA1-95DAC4DFA408}]
08/24/2007 10:51 PM 316784 --a------ c:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\coIEPlg.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6D53EC84-6AAE-4787-AEEE-F4628F01010C}]
08/05/2008 05:53 PM 116088 --a------ C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FFFFFFFF-FF12-44C5-91EC-068E3AA1B2D7}]
08/31/2007 02:32 PM 177504 --a------ c:\Program Files\HP\Smart Web Printing\hpswp_framework.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvSvc"="C:\Windows\system32\nvsvc.dll" [09/19/2007 04:05 PM]
"NvCplDaemon"="C:\Windows\system32\NvCpl.dll" [09/19/2007 04:05 PM]
"NvMediaCenter"="C:\Windows\system32\NvMcTray.dll" [09/19/2007 04:05 PM]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [01/18/2008 07:31 AM]
"QPService"="C:\Program Files\HP\QuickPlay\QPService.exe" [12/19/2007 10:27 PM]
"QlbCtrl"="C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [09/19/2007 05:31 PM]
"OnScreenDisplay"="C:\Program Files\Hewlett-Packard\HP QuickTouch\HPKBDAPP.exe" [09/04/2007 04:54 PM]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [01/20/2008 10:23 PM]
"ccApp"="c:\Program Files\Common Files\Symantec Shared\ccApp.exe" [02/14/2008 11:01 AM]
"hpqSRMon"="C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe" [08/22/2007 07:31 PM]
"HP Health Check Scheduler"="[ProgramFilesFolder]Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" []
"HP Software Update"="C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe" [05/08/2007 07:24 PM]
"hpWirelessAssistant"="C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [09/13/2007 11:47 AM]
"WAWifiMessage"="C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe" [01/08/2007 06:53 PM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [06/10/2008 04:27 AM]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [08/05/2008 07:05 PM]
"ISTray"="C:\Program Files\Spyware Doctor\pctsTray.exe" [02/01/2008 12:55 PM]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [01/11/2008 10:16 PM]
"mxomssmenu"="C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe" [09/06/2007 02:53 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HPAdvisor"="C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisor.exe" [10/01/2007 07:10 PM]
"ehTray.exe"="C:\Windows\ehome\ehTray.exe" [01/20/2008 10:25 PM]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [08/05/2008 07:05 PM]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [07/13/2007 10:36 AM]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [01/20/2008 10:25 PM]

C:\Users\JCMINDEED\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
LimeWire On Startup.lnk - C:\Program Files\LimeWire\LimeWire.exe [6/18/2008 2:46:56 PM]
OpenOffice.org 2.4.lnk - C:\Program Files\OpenOffice.org 2.4\program\quickstart.exe [1/21/2008 4:41:28 PM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"=2 (0x2)
"EnableUIADesktopToggle"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]
"Windows Printing Driver"=gpedits.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=C:\PROGRA~1\Google\GOOGLE~3\GOEC62~1.DLL

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AppInfo]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\KeyIso]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\NTDS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ProfSvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sacsvr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SWPRV]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TabletInputService]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TBS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TrustedInstaller]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\VDS]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgr.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgrx.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{6BDD1FC1-810F-11D0-BEC7-08002BE2092F}]
@="IEEE 1394 Bus host controllers"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D48179BE-EC20-11D1-B6B8-00C04FA372A7}]
@="SBP2 IEEE 1394 Devices"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D94EE5D8-D189-4994-83D2-F68D7D41B0E6}]
@="SecurityDevices"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalService nsi lltdsvc SSDPSRV upnphost SCardSvr w32time EventSystem RemoteRegistry WinHttpAutoProxySvc lanmanworkstation TBS SLUINotify THREADORDER fdrespub netprofm fdphost wcncsvc QWAVE Mcx2Svc WebClient SstpSvc
LocalSystemNetworkRestricted hidserv UxSms WdiSystemHost Netman trkwks AudioEndpointBuilder WUDFSvc irmon sysmain IPBusEnum dot3svc PcaSvc EMDMgmt TabletInputService wlansvc WPDBusEnum


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{acfd5b39-63f1-11dd-bc6a-001e685617b5}]
AutoRun\command- .\Encryption Tool\MaxtorEncryption.exe

*Newly Created Service* - COMHOST

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
C:\Windows\system32\unregmp2.exe /ShowWMP

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}]
%SystemRoot%\system32\unregmp2.exe /FirstLogon /Shortcuts /RegBrowsers /ResetMUI



-- End of Deckard's System Scanner: finished at 2008-08-08 13:24:43 ------------
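The log above carries the two indicators that matter in this case: an O4 autorun entry under HKCU\..\Policies\Explorer\Run that launches a bare gpedits.exe with no path, and a burst of executables created in C:\Windows\system32 within a few seconds of each other on 2008-08-05 at 21:03 (gpedits.exe, rar.exe, ciadvss.exe, ciadvs.exe, chkdskss.exe, chkdsks.exe). As an added example, not part of this thread and not code from HijackThis or Deckard's System Scanner, the Python below parses a handful of lines copied from the log, flags O4 entries on those two heuristics, clusters the "Files created" block into creation bursts, and correlates the two. The 60-second window, the extension list and the flagging rules are my own assumptions, chosen to fit this log.

```python
import re
from datetime import datetime

# Sample input constructed from lines in the log above (a few lines, not the full logs).
HJT_SAMPLE = r"""
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Policies\Explorer\Run: [Windows Printing Driver] gpedits.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
"""
DSS_SAMPLE = r"""
2008-08-05 21:56:31 0 d-------- C:\Windows\Application Data
2008-08-05 21:03:29 1069056 --a------ C:\Windows\system32\gpedits.exe
2008-08-05 21:03:26 37888 --a------ C:\Windows\system32\rar.exe <Not Verified; Microsoft Corporation; Microsoft Windows 2000 Operating System>
2008-08-05 21:03:25 10 --a------ C:\Windows\system32\ciadvss.exe
2008-08-05 21:03:25 10 --a------ C:\Windows\system32\ciadvs.exe
2008-08-05 21:03:25 7680 --a------ C:\Windows\system32\chkdskss.exe
2008-08-05 21:03:25 7680 --a------ C:\Windows\system32\chkdsks.exe
2008-08-05 19:52:41 81 --a------ C:\Windows\system32\LOG
2008-08-05 19:52:38 44 --a------ C:\Windows\system\hpsysdrv.dat
"""

EXEC_EXT = (".exe", ".dll", ".scr", ".sys", ".com")   # assumption: what counts as executable
# O4 registry autoruns: "O4 - <hive>\..\<key>: [<name>] <command>"
O4_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\(?P<key>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# DSS "Files created" rows: "<timestamp> <size> <attrs> <path> [<Not Verified; ...>]"
DSS_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (\d+) (\S{9}) (.+?)(?: <.*>)?$")


def executable_of(cmd):
    """Return the program a Run command points at (the DLL, for rundll32 hosts)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        if end < 0:
            return cmd[1:]
        exe, rest = cmd[1:end], cmd[end + 1:].strip()
    else:
        # Unquoted paths may contain spaces: take the shortest token prefix ending in an exec extension.
        tokens = cmd.split(" ")
        exe, rest = tokens[0], " ".join(tokens[1:])
        for i in range(1, len(tokens) + 1):
            cand = " ".join(tokens[:i])
            if cand.lower().endswith(EXEC_EXT):
                exe, rest = cand, " ".join(tokens[i:])
                break
    if exe.lower() in ("rundll32.exe", "rundll32"):
        return rest.partition(",")[0].strip().strip('"')
    return exe


def audit_hjt(text):
    """Flag O4 entries in a Policies\\Explorer\\Run key or whose target has no directory."""
    findings = []
    for line in text.strip().splitlines():
        m = O4_RE.match(line)
        if not m:
            continue
        target = executable_of(m["cmd"])
        reasons = []
        if "policies\\explorer\\run" in m["key"].lower():
            reasons.append("Policies\\Explorer\\Run key (rarely used by legitimate installers)")
        if "\\" not in target and not target.startswith("%"):
            reasons.append("bare filename, resolved via the search path, not a fixed location")
        if reasons:
            findings.append({"name": m["name"], "target": target, "reasons": reasons})
    return findings


def created_exec_bursts(text, window_seconds=60, min_size=2):
    """Group executables created under C:\\Windows within window_seconds of each other."""
    entries = []
    for line in text.strip().splitlines():
        m = DSS_RE.match(line)
        if not m:
            continue
        ts, _size, attrs, path = m.groups()
        if attrs.startswith("d"):                      # directory row
            continue
        low = path.lower()
        if not low.startswith("c:\\windows\\") or not low.endswith(EXEC_EXT):
            continue
        entries.append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), path))
    entries.sort()
    bursts, current = [], []
    for when, path in entries:
        if current and (when - current[-1][0]).total_seconds() > window_seconds:
            if len(current) >= min_size:
                bursts.append([p for _, p in current])
            current = []
        current.append((when, path))
    if len(current) >= min_size:
        bursts.append([p for _, p in current])
    return bursts


def correlate(findings, bursts):
    """Pair flagged Run entries with a freshly created file of the same basename."""
    by_name = {p.rsplit("\\", 1)[-1].lower(): p for b in bursts for p in b}
    hits = []
    for f in findings:
        base = f["target"].rsplit("\\", 1)[-1].lower()
        if base in by_name:
            hits.append((f["name"], by_name[base]))
    return hits


if __name__ == "__main__":
    found = audit_hjt(HJT_SAMPLE)
    clusters = created_exec_bursts(DSS_SAMPLE)
    for f in found:
        print(f"[{f['name']}] -> {f['target']}: " + "; ".join(f["reasons"]))
    for c in clusters:
        print("creation burst:", ", ".join(c))
    print("correlated:", correlate(found, clusters))
```

The correlation step is what turns two weak signals into a strong one: a Run entry that only names a file is unremarkable on its own, but when that basename also appears in a cluster of executables dropped into system32 within seconds of each other, the entry and the cluster should be treated as one incident and the whole burst preserved for analysis before anything is deleted.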



#2 Blade81 (Bleepin' Rocker)


  • Malware Response Team
  • 6,465 posts
  • Gender:Male
  • Location:Finland

Posted 18 August 2008 - 02:58 AM

Hi

If you still need help with this, please post a fresh HJT log.

Microsoft Windows Insider MVP 2016-2017

Microsoft MVP Consumer Security 2008-2015
UNITE member since 2006

Provided malware removal related instructions are meant to be used in the correspondent user's case only. If you have similar symptoms create own topic instead of following instructions given to some other, please.


#3 jcmindeed (Topic Starter)

  • Members
  • 3 posts
  • Gender:Male
  • Location:USA

Posted 18 August 2008 - 09:50 AM

Actually, I managed to fix it, but thank you anyway.

#4 Blade81 (Bleepin' Rocker)


  • Malware Response Team
  • 6,465 posts
  • Gender:Male
  • Location:Finland

Posted 18 August 2008 - 12:52 PM

Since this issue appears to be resolved ... this Topic has been closed.

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.





