Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Virtumonde Infection/popups


  • This topic is locked This topic is locked
10 replies to this topic

#1 superbeast_87

superbeast_87

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:11:52 PM

Posted 10 August 2008 - 12:16 AM

Spybot S & D reported a virtumonde infection says it removed it but didnt. Getting annyoying popups for "removal software" and advertisements and who knows what else its doing in the background. Microsoft update is reporting that it is off even know it is switched on in its menu and attempts to turn it back on do nothing. DSS scan and Kaspersky attached.


Deckard's System Scanner v20071014.68
Run by Justin on 2008-08-10 13:50:15
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as Justin.exe) ----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:50:35 PM, on 8/10/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
E:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\ActivIdentity\ActivClient\acautoup.exe
C:\Program Files\ActivIdentity\ActivClient\accoca.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
E:\Program Files\Hotspot Shield\bin\openvpnas.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\taskswitch.exe
C:\WINDOWS\system32\rundll32.exe
E:\Program Files\UltraMon\UltraMon.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
E:\Program Files\UltraMon\UltraMonTaskbar.exe
E:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
E:\Program Files\Logitech\QuickCam10\Quickcam.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Program Files\CyberLink\PowerDVD\PowerDVD.exe
C:\Documents and Settings\Justin\Desktop\dss.exe
E:\PROGRA~1\TRENDM~1\HIJACK~1\Justin.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {1ABBACD8-927E-4796-A6EA-CC43B1AEE18D} - C:\WINDOWS\system32\yayArRlJ.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - E:\Program Files\rpbrowserrecordplugin.dll
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - (no file)
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdm2.dll
O2 - BHO: (no name) - {E525B124-28E1-4D57-B784-B2AABFBBFA66} - (no file)
O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [NVHotkey] rundll32.exe nvHotkey.dll,Start
O4 - HKLM\..\Run: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\system32\taskswitch.exe
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKCU\..\Run: [UltraMon] "E:\Program Files\UltraMon\UltraMon.exe" /auto
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - S-1-5-18 Startup: qlock.lnk = E:\Program Files\Qlock\qlock.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: qlock.lnk = E:\Program Files\Qlock\qlock.exe (User 'Default user')
O4 - Startup: qlock.lnk = E:\Program Files\Qlock\qlock.exe
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: Logitech SetPoint.lnk = E:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download video with Free Download Manager - file://C:\Program Files\Free Download Manager\dlfvideo.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownlo.../sysreqlab3.cab
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1202949563417
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1202958156609
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} - http://www.adobe.com/products/acrobat/nos/gp.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} - http://plugin.driveragent.com/files/driveragent.cab
O20 - Winlogon Notify: ackpbsc - C:\WINDOWS\system32\ackpbsc.dll
O20 - Winlogon Notify: acunlock - C:\Program Files\ActivIdentity\ActivClient\acunlock.dll
O23 - Service: McAfee Application Installer Cleanup (0040641218303075) (0040641218303075mcinstcleanup) - McAfee, Inc. - C:\DOCUME~1\Justin\LOCALS~1\Temp\004064~1.EXE
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - E:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: ActivClient Auto-Update Service (acautoup) - ActivIdentity - C:\Program Files\ActivIdentity\ActivClient\acautoup.exe
O23 - Service: ActivClient Middleware Service (accoca) - ActivIdentity - C:\Program Files\ActivIdentity\ActivClient\accoca.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Hotspot Shield Service (HotspotShieldService) - Unknown owner - E:\Program Files\Hotspot Shield\bin\openvpnas.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\LogiShrd\Bluetooth\LBTServ.exe
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Intel® PROSet/Wireless SSO Service (WLANKEEPER) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 12629 bytes

-- Files created between 2008-07-10 and 2008-08-10 -----------------------------

2008-08-10 08:13:46 2048 --a------ C:\WINDOWS\system32\hkvojqkh.exe
2008-08-10 02:30:29 0 d-------- C:\Program Files\McAfee.com
2008-08-10 02:30:18 0 d-------- C:\Program Files\Common Files\McAfee
2008-08-10 02:30:14 0 d-------- C:\WINDOWS\LastGood
2008-08-10 02:30:09 0 d-------- C:\Program Files\McAfee
2008-08-09 23:14:16 43520 --a------ C:\WINDOWS\system32\CmdLineExt03.dll
2008-08-09 22:04:13 0 dr-h----- C:\Documents and Settings\Justin\Recent
2008-08-09 13:10:08 0 d-------- C:\Program Files\Panda Security
2008-08-09 11:48:15 0 d-------- C:\VundoFix Backups
2008-08-09 01:57:21 0 d-------- C:\Program Files\Common Files\3DO Shared
2008-08-09 01:57:21 0 d-------- C:\Program Files\3DO
2008-08-08 14:46:29 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-08-08 08:07:11 386936 --ahs---- C:\WINDOWS\system32\JlRrAyay.ini2
2008-08-08 08:07:05 246784 --a------ C:\WINDOWS\system32\yayArRlJ.dll
2008-08-08 08:03:52 0 d-------- C:\Documents and Settings\Justin\Application Data\Realtime Soft
2008-08-08 08:03:32 0 d-------- C:\Program Files\Common Files\Realtime Soft
2008-08-08 08:03:26 0 d-------- C:\Documents and Settings\All Users\Application Data\Realtime Soft
2008-08-05 07:41:45 0 d-------- C:\Documents and Settings\Justin\Application Data\Logitech
2008-08-04 21:04:12 0 d-------- C:\Program Files\SystemRequirementsLab
2008-08-04 00:05:57 0 d-------- C:\Program Files\Common Files\xing shared
2008-08-04 00:05:43 0 d-------- C:\Program Files\Common Files\Real
2008-08-04 00:05:40 0 d-------- C:\Documents and Settings\Justin\Application Data\Real
2008-08-03 01:26:28 0 d-------- C:\Program Files\iPod
2008-08-03 01:25:26 0 d-------- C:\Program Files\Bonjour
2008-08-03 01:23:50 30464 --a------ C:\WINDOWS\system32\drivers\usbaapl.sys <Not Verified; Apple, Inc.; Apple Mobile Device USB Driver>
2008-08-01 19:02:27 0 d-------- C:\Documents and Settings\All Users\Application Data\Logitech
2008-08-01 19:02:25 0 d-------- C:\Program Files\Common Files\LogiShrd
2008-08-01 18:58:20 0 d-------- C:\Documents and Settings\All Users\Application Data\LogiShrd
2008-07-26 20:35:24 0 d-------- C:\Documents and Settings\Justin\Application Data\FrostWire
2008-07-26 12:41:01 0 d-------- C:\Program Files\Common Files\Adobe AIR
2008-07-25 12:39:06 0 d-------- C:\Documents and Settings\All Users\Application Data\McAfee
2008-07-24 15:07:49 0 d-------- C:\Documents and Settings\Justin\Application Data\Windows Search
2008-07-23 20:31:50 0 d-------- C:\Documents and Settings\Justin\Application Data\Windows Desktop Search
2008-07-23 20:31:24 0 d-------- C:\WINDOWS\system32\GroupPolicy
2008-07-23 20:31:24 0 d-------- C:\Program Files\Windows Desktop Search
2008-07-20 09:45:34 0 d-------- C:\Documents and Settings\Justin\Pinnacle
2008-07-20 00:29:45 0 d-------- C:\Documents and Settings\Justin\Application Data\acccore
2008-07-20 00:28:52 0 d-------- C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-07-20 00:28:37 0 d-------- C:\Documents and Settings\All Users\Application Data\AOL
2008-07-20 00:28:37 0 d-------- C:\Documents and Settings\All Users\Application Data\AOL OCP
2008-07-20 00:28:18 0 d-------- C:\Program Files\Common Files\AOL
2008-07-20 00:28:08 0 d-------- C:\Program Files\AIM6
2008-07-19 17:49:36 49904 -ra------ C:\WINDOWS\system32\drivers\BVRPMPR5.SYS <Not Verified; Avanquest Software; BVRPNDIS Rawether for Windows>
2008-07-19 17:04:14 0 d-------- C:\Netgear
2008-07-16 19:46:27 0 d-------- C:\Documents and Settings\Justin\Application Data\Keyhole


-- Find3M Report ---------------------------------------------------------------

2008-08-10 12:05:21 0 d-------- C:\Documents and Settings\Justin\Application Data\Free Download Manager
2008-08-10 02:30:18 0 d-------- C:\Program Files\Common Files
2008-08-10 02:21:20 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-08-10 00:56:04 103862 --a------ C:\WINDOWS\system32\nvModes.dat
2008-08-09 22:46:07 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-08-06 23:58:20 0 d-------- C:\Documents and Settings\Justin\Application Data\uTorrent
2008-08-05 08:38:48 0 d-------- C:\Program Files\GemMaster
2008-08-05 08:26:13 0 d-------- C:\Documents and Settings\Justin\Application Data\Apple Computer
2008-08-04 23:28:42 0 d-------- C:\Documents and Settings\Justin\Application Data\Atari
2008-08-03 01:26:48 0 d-------- C:\Program Files\iTunes
2008-08-02 22:11:16 0 d-------- C:\Documents and Settings\Justin\Application Data\LimeWire
2008-08-02 19:29:38 0 d-------- C:\Program Files\Google
2008-07-26 12:40:13 0 d-------- C:\Program Files\Common Files\Adobe
2008-07-26 11:55:11 0 d-------- C:\Documents and Settings\Justin\Application Data\VersionTracker Pro
2008-07-16 02:10:03 0 d-------- C:\Documents and Settings\Justin\Application Data\Uniblue
2008-07-09 21:34:09 0 d-------- C:\Program Files\MSXML 4.0
2008-06-30 14:52:27 0 d-------- C:\Program Files\Yahoo!
2008-06-30 14:51:56 0 d-------- C:\Program Files\Windows Live Safety Center
2008-06-30 14:51:37 0 d-------- C:\Program Files\Windows Live
2008-06-26 11:06:44 0 d-------- C:\Program Files\Free Download Manager
2008-06-22 16:14:55 0 d-------- C:\Documents and Settings\Justin\Application Data\Help
2008-06-19 15:21:27 64 --a------ C:\xx
2008-06-17 06:50:22 0 d-------- C:\Program Files\Dell Support Center
2008-06-16 15:58:47 0 d-------- C:\Program Files\Azureus
2008-06-16 14:20:07 0 d-------- C:\Program Files\CyberLink
2008-06-16 13:54:35 0 d-------- C:\Program Files\TechTracker
2008-06-16 13:19:52 0 d-------- C:\Documents and Settings\Justin\Application Data\Tunebite
2008-06-16 13:19:01 0 d-------- C:\Program Files\PixiePack Codec Pack
2008-06-16 13:10:34 0 d-------- C:\Program Files\QuickTime
2008-06-16 13:05:58 0 d-------- C:\Program Files\DivX
2008-06-16 02:05:42 0 d-------- C:\Program Files\The Weather Channel FW
2008-06-13 02:40:49 0 d-------- C:\Program Files\Java
2008-06-13 02:38:33 0 d-------- C:\Program Files\Trend Micro
2008-05-31 08:22:48 802816 --a------ C:\WINDOWS\system32\divx_xx11.dll <Not Verified; DivX, Inc.; DivX?>
2008-05-31 08:22:48 823296 --a------ C:\WINDOWS\system32\divx_xx0c.dll <Not Verified; DivX, Inc.; DivX>
2008-05-31 08:22:48 823296 --a------ C:\WINDOWS\system32\divx_xx07.dll <Not Verified; DivX, Inc.; DivX>
2008-05-31 08:22:46 815104 --a------ C:\WINDOWS\system32\divx_xx0a.dll <Not Verified; DivX, Inc.; DivX>
2008-05-31 08:22:46 683520 --a------ C:\WINDOWS\system32\DivX.dll <Not Verified; DivX, Inc.; DivX>
2008-05-23 07:22:18 3596288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2008-05-23 07:19:46 196608 --a------ C:\WINDOWS\system32\dtu100.dll <Not Verified; DivX, Inc.; DivX, Inc. dtu100>
2008-05-23 07:19:46 81920 --a------ C:\WINDOWS\system32\dpl100.dll <Not Verified; DivX, Inc.; DivX, Inc. dpl100>
2008-05-23 07:18:54 12288 --a------ C:\WINDOWS\system32\DivXWMPExtType.dll
2008-05-12 04:54:50 21504 --a------ C:\WINDOWS\jestertb.dll


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}]
06/11/2008 10:33 PM 75128 --a------ C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1ABBACD8-927E-4796-A6EA-CC43B1AEE18D}]
08/08/2008 08:07 AM 246784 --a------ C:\WINDOWS\system32\yayArRlJ.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{602ADB0E-4AFF-4217-8AA1-95DAC4DFA408}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6D53EC84-6AAE-4787-AEEE-F4628F01010C}]
C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E525B124-28E1-4D57-B784-B2AABFBBFA66}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [10/09/2007 05:18 AM]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [10/09/2007 05:13 AM]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [12/14/2007 08:46 AM]
"nwiz"="nwiz.exe" [12/14/2007 08:46 AM C:\WINDOWS\system32\nwiz.exe]
"NVHotkey"="nvHotkey.dll" [12/14/2007 08:46 AM C:\WINDOWS\system32\nvhotkey.dll]
"SigmatelSysTrayApp"="C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe" [05/11/2007 01:22 AM]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [03/09/2006 03:48 AM]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [12/14/2007 08:46 AM]
"CoolSwitch"="C:\WINDOWS\system32\taskswitch.exe" [03/20/2002 06:30 AM]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [02/29/2008 03:12 AM C:\WINDOWS\KHALMNPR.Exe]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [11/01/2007 07:12 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UltraMon"="E:\Program Files\UltraMon\UltraMon.exe" [10/12/2006 09:27 PM]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t

C:\Documents and Settings\Justin\Start Menu\Programs\Startup\
qlock.lnk - E:\Program Files\Qlock\qlock.exe [3/20/2006 6:04:32 PM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Bluetooth.lnk - C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe [5/18/2007 6:43:18 AM]
Logitech SetPoint.lnk - E:\Program Files\Logitech\SetPoint\SetPoint.exe [8/5/2008 7:39:10 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll [05/26/2008 10:19 PM 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ackpbsc]
C:\WINDOWS\system32\ackpbsc.dll 05/16/2007 05:08 AM 112640 C:\WINDOWS\system32\ackpbsc.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\acunlock]
C:\Program Files\ActivIdentity\ActivClient\acunlock.dll 05/16/2007 05:08 AM 281088 C:\Program Files\ActivIdentity\ActivClient\acunlock.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\dimsntfy]
C:\WINDOWS\System32\dimsntfy.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll 05/02/2008 02:42 AM 72208 c:\Program Files\Common Files\LogiShrd\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\yayArRlJ

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
eapsvcs eaphost
dot3svc dot3svc

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
napagent
hkmsvc


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
Auto\command- setup.exe
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{766a703c-ddde-11dc-a664-806d6172696f}]
PlayWithPowerDVD\Command- "C:\Program Files\CyberLink\PowerDVD\PowerDVD.exe" "%l"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b36bbabe-f318-11dc-a6be-0015c5b1d0df}]
AutoRun\command- F:\ATTPreCopy.exe -d:OPETNAEXPCI

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b58221d8-dd94-11dc-9a01-0015c5b1d0df}]
Auto\command- setup.exe
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL setup.exe

*Newly Created Service* - IPFILTERDRIVER
*Newly Created Service* - MCMSCSVC
*Newly Created Service* - MCNASVC
*Newly Created Service* - MCODS
*Newly Created Service* - MCPROXY
*Newly Created Service* - MCSHIELD
*Newly Created Service* - MCSYSMON
*Newly Created Service* - MFEAVFK
*Newly Created Service* - MFEBOPK
*Newly Created Service* - MFEHIDK
*Newly Created Service* - MFERKDK
*Newly Created Service* - MFESMFK
*Newly Created Service* - MPFP
*Newly Created Service* - MPFSERVICE

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{61E3FE32-07B9-4563-A3E0-2DE2D620FE10}]
C:\Program Files\PixiePack Codec Pack\InstallerHelper.exe



-- End of Deckard's System Scanner: finished at 2008-08-10 13:51:30 ------------

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Sunday, August 10, 2008
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Sunday, August 10, 2008 03:42:06
Records in database: 1077503
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\
F:\

Scan statistics:
Files scanned: 106279
Threat name: 1
Infected objects: 1
Suspicious objects: 0
Duration of the scan: 01:25:08


File name / Threat name / Threats count
C:\RECYCLER\S-1-5-21-823518204-1450960922-682003330-1003\Dc3\System Scanner\20080809131830\backup\DOCUME~1\Justin\LOCALS~1\Temp\SPAKCSHY.0LL Infected: Trojan.Win32.Monder.gen 1

The selected area was scanned.

BC AdBot (Login to Remove)

 


#2 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:09:52 PM

Posted 11 August 2008 - 01:34 PM

Hello superbeast_87,

Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select "Perform Quick Scan", then click Scan.
The scan may take some time to finish, so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.

Copy and Paste the entire Malwarebytes' Anti-Malware report in your next reply along with a fresh DSS Main.txt log.

Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediatly.

If you encounter this message:"c:\program files\malwarebytes' Anti-Malware\mbamext.dll Unable to register the dll/ocx: RegSvr32 failed with exit code 0x5" Click on ignore mbamext.dll

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 superbeast_87

superbeast_87
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:11:52 PM

Posted 11 August 2008 - 11:09 PM

Here are the new logs


Deckard's System Scanner v20071014.68
Run by Justin on 2008-08-12 13:08:08
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as Justin.exe) ----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:08:16 PM, on 8/12/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
E:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\ActivIdentity\ActivClient\acautoup.exe
C:\Program Files\ActivIdentity\ActivClient\accoca.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
E:\Program Files\Hotspot Shield\bin\openvpnas.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\SearchIndexer.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\taskswitch.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
E:\Program Files\Logitech\SetPoint\SetPoint.exe
E:\Program Files\Qlock\qlock.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\FREEDO~1\fdm.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Documents and Settings\Justin\Desktop\dss.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
E:\PROGRA~1\TRENDM~1\HIJACK~1\Justin.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - E:\Program Files\rpbrowserrecordplugin.dll
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - (no file)
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdm2.dll
O2 - BHO: (no name) - {E525B124-28E1-4D57-B784-B2AABFBBFA66} - (no file)
O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [NVHotkey] rundll32.exe nvHotkey.dll,Start
O4 - HKLM\..\Run: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\system32\taskswitch.exe
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - S-1-5-18 Startup: qlock.lnk = E:\Program Files\Qlock\qlock.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: qlock.lnk = E:\Program Files\Qlock\qlock.exe (User 'Default user')
O4 - Startup: qlock.lnk = E:\Program Files\Qlock\qlock.exe
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: Logitech SetPoint.lnk = E:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download video with Free Download Manager - file://C:\Program Files\Free Download Manager\dlfvideo.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownlo.../sysreqlab3.cab
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1202949563417
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1202958156609
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} - http://www.adobe.com/products/acrobat/nos/gp.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} - http://plugin.driveragent.com/files/driveragent.cab
O20 - Winlogon Notify: ackpbsc - C:\WINDOWS\system32\ackpbsc.dll
O20 - Winlogon Notify: acunlock - C:\Program Files\ActivIdentity\ActivClient\acunlock.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - E:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: ActivClient Auto-Update Service (acautoup) - ActivIdentity - C:\Program Files\ActivIdentity\ActivClient\acautoup.exe
O23 - Service: ActivClient Middleware Service (accoca) - ActivIdentity - C:\Program Files\ActivIdentity\ActivClient\accoca.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Hotspot Shield Service (HotspotShieldService) - Unknown owner - E:\Program Files\Hotspot Shield\bin\openvpnas.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\LogiShrd\Bluetooth\LBTServ.exe
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Intel® PROSet/Wireless SSO Service (WLANKEEPER) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 12021 bytes

-- Files created between 2008-07-12 and 2008-08-12 -----------------------------

2008-08-12 11:30:59 0 dr-h----- C:\Documents and Settings\Justin\Recent
2008-08-12 11:29:23 0 d-------- C:\Documents and Settings\Justin\Application Data\Malwarebytes
2008-08-12 11:29:16 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-08-10 18:48:19 0 d-------- C:\Documents and Settings\Justin\Application Data\UHS Reader
2008-08-10 02:30:29 0 d-------- C:\Program Files\McAfee.com
2008-08-10 02:30:18 0 d-------- C:\Program Files\Common Files\McAfee
2008-08-10 02:30:09 0 d-------- C:\Program Files\McAfee
2008-08-09 23:14:16 43520 --a------ C:\WINDOWS\system32\CmdLineExt03.dll
2008-08-09 13:10:08 0 d-------- C:\Program Files\Panda Security
2008-08-09 11:48:15 0 d-------- C:\VundoFix Backups
2008-08-09 01:57:21 0 d-------- C:\Program Files\Common Files\3DO Shared
2008-08-09 01:57:21 0 d-------- C:\Program Files\3DO
2008-08-08 14:46:29 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-08-08 08:03:52 0 d-------- C:\Documents and Settings\Justin\Application Data\Realtime Soft
2008-08-08 08:03:32 0 d-------- C:\Program Files\Common Files\Realtime Soft
2008-08-08 08:03:26 0 d-------- C:\Documents and Settings\All Users\Application Data\Realtime Soft
2008-08-05 07:41:45 0 d-------- C:\Documents and Settings\Justin\Application Data\Logitech
2008-08-04 21:04:12 0 d-------- C:\Program Files\SystemRequirementsLab
2008-08-04 00:05:57 0 d-------- C:\Program Files\Common Files\xing shared
2008-08-04 00:05:43 0 d-------- C:\Program Files\Common Files\Real
2008-08-04 00:05:40 0 d-------- C:\Documents and Settings\Justin\Application Data\Real
2008-08-03 01:26:28 0 d-------- C:\Program Files\iPod
2008-08-03 01:25:26 0 d-------- C:\Program Files\Bonjour
2008-08-03 01:23:50 30464 --a------ C:\WINDOWS\system32\drivers\usbaapl.sys <Not Verified; Apple, Inc.; Apple Mobile Device USB Driver>
2008-08-01 19:02:27 0 d-------- C:\Documents and Settings\All Users\Application Data\Logitech
2008-08-01 19:02:25 0 d-------- C:\Program Files\Common Files\LogiShrd
2008-08-01 18:58:20 0 d-------- C:\Documents and Settings\All Users\Application Data\LogiShrd
2008-07-26 20:35:24 0 d-------- C:\Documents and Settings\Justin\Application Data\FrostWire
2008-07-26 12:41:01 0 d-------- C:\Program Files\Common Files\Adobe AIR
2008-07-25 12:39:06 0 d-------- C:\Documents and Settings\All Users\Application Data\McAfee
2008-07-24 15:07:49 0 d-------- C:\Documents and Settings\Justin\Application Data\Windows Search
2008-07-23 20:31:50 0 d-------- C:\Documents and Settings\Justin\Application Data\Windows Desktop Search
2008-07-23 20:31:24 0 d-------- C:\WINDOWS\system32\GroupPolicy
2008-07-23 20:31:24 0 d-------- C:\Program Files\Windows Desktop Search
2008-07-20 09:45:34 0 d-------- C:\Documents and Settings\Justin\Pinnacle
2008-07-20 00:29:45 0 d-------- C:\Documents and Settings\Justin\Application Data\acccore
2008-07-20 00:28:52 0 d-------- C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-07-20 00:28:37 0 d-------- C:\Documents and Settings\All Users\Application Data\AOL
2008-07-20 00:28:37 0 d-------- C:\Documents and Settings\All Users\Application Data\AOL OCP
2008-07-20 00:28:18 0 d-------- C:\Program Files\Common Files\AOL
2008-07-20 00:28:08 0 d-------- C:\Program Files\AIM6
2008-07-19 17:49:36 49904 -ra------ C:\WINDOWS\system32\drivers\BVRPMPR5.SYS <Not Verified; Avanquest Software; BVRPNDIS Rawether for Windows>
2008-07-19 17:04:14 0 d-------- C:\Netgear
2008-07-16 19:46:27 0 d-------- C:\Documents and Settings\Justin\Application Data\Keyhole


-- Find3M Report ---------------------------------------------------------------

2008-08-12 11:30:22 0 d-------- C:\Documents and Settings\Justin\Application Data\Free Download Manager
2008-08-12 02:57:44 103806 --a------ C:\WINDOWS\system32\nvModes.dat
2008-08-10 02:30:18 0 d-------- C:\Program Files\Common Files
2008-08-10 02:21:20 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-08-09 22:46:07 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-08-06 23:58:20 0 d-------- C:\Documents and Settings\Justin\Application Data\uTorrent
2008-08-05 08:38:48 0 d-------- C:\Program Files\GemMaster
2008-08-05 08:26:13 0 d-------- C:\Documents and Settings\Justin\Application Data\Apple Computer
2008-08-04 23:28:42 0 d-------- C:\Documents and Settings\Justin\Application Data\Atari
2008-08-03 01:26:48 0 d-------- C:\Program Files\iTunes
2008-08-02 22:11:16 0 d-------- C:\Documents and Settings\Justin\Application Data\LimeWire
2008-08-02 19:29:38 0 d-------- C:\Program Files\Google
2008-07-26 12:40:13 0 d-------- C:\Program Files\Common Files\Adobe
2008-07-26 11:55:11 0 d-------- C:\Documents and Settings\Justin\Application Data\VersionTracker Pro
2008-07-16 02:10:03 0 d-------- C:\Documents and Settings\Justin\Application Data\Uniblue
2008-07-09 21:34:09 0 d-------- C:\Program Files\MSXML 4.0
2008-06-30 14:52:27 0 d-------- C:\Program Files\Yahoo!
2008-06-30 14:51:56 0 d-------- C:\Program Files\Windows Live Safety Center
2008-06-30 14:51:37 0 d-------- C:\Program Files\Windows Live
2008-06-26 11:06:44 0 d-------- C:\Program Files\Free Download Manager
2008-06-22 16:14:55 0 d-------- C:\Documents and Settings\Justin\Application Data\Help
2008-06-19 15:21:27 64 --a------ C:\xx
2008-06-17 06:50:22 0 d-------- C:\Program Files\Dell Support Center
2008-06-16 15:58:47 0 d-------- C:\Program Files\Azureus
2008-06-16 14:20:07 0 d-------- C:\Program Files\CyberLink
2008-06-16 13:54:35 0 d-------- C:\Program Files\TechTracker
2008-06-16 13:19:52 0 d-------- C:\Documents and Settings\Justin\Application Data\Tunebite
2008-06-16 13:19:01 0 d-------- C:\Program Files\PixiePack Codec Pack
2008-06-16 13:10:34 0 d-------- C:\Program Files\QuickTime
2008-06-16 13:05:58 0 d-------- C:\Program Files\DivX
2008-06-16 02:05:42 0 d-------- C:\Program Files\The Weather Channel FW
2008-06-13 02:40:49 0 d-------- C:\Program Files\Java
2008-06-13 02:38:33 0 d-------- C:\Program Files\Trend Micro
2008-05-31 08:22:48 802816 --a------ C:\WINDOWS\system32\divx_xx11.dll <Not Verified; DivX, Inc.; DivX?>
2008-05-31 08:22:48 823296 --a------ C:\WINDOWS\system32\divx_xx0c.dll <Not Verified; DivX, Inc.; DivX>
2008-05-31 08:22:48 823296 --a------ C:\WINDOWS\system32\divx_xx07.dll <Not Verified; DivX, Inc.; DivX>
2008-05-31 08:22:46 815104 --a------ C:\WINDOWS\system32\divx_xx0a.dll <Not Verified; DivX, Inc.; DivX>
2008-05-31 08:22:46 683520 --a------ C:\WINDOWS\system32\DivX.dll <Not Verified; DivX, Inc.; DivX>
2008-05-23 07:22:18 3596288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2008-05-23 07:19:46 196608 --a------ C:\WINDOWS\system32\dtu100.dll <Not Verified; DivX, Inc.; DivX, Inc. dtu100>
2008-05-23 07:19:46 81920 --a------ C:\WINDOWS\system32\dpl100.dll <Not Verified; DivX, Inc.; DivX, Inc. dpl100>
2008-05-23 07:18:54 12288 --a------ C:\WINDOWS\system32\DivXWMPExtType.dll
2008-05-12 04:54:50 21504 --a------ C:\WINDOWS\jestertb.dll


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}]
06/11/2008 10:33 PM 75128 --a------ C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{602ADB0E-4AFF-4217-8AA1-95DAC4DFA408}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6D53EC84-6AAE-4787-AEEE-F4628F01010C}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E525B124-28E1-4D57-B784-B2AABFBBFA66}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [10/09/2007 05:18 AM]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [10/09/2007 05:13 AM]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [12/14/2007 08:46 AM]
"nwiz"="nwiz.exe" [12/14/2007 08:46 AM C:\WINDOWS\system32\nwiz.exe]
"NVHotkey"="nvHotkey.dll" [12/14/2007 08:46 AM C:\WINDOWS\system32\nvhotkey.dll]
"SigmatelSysTrayApp"="C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe" [05/11/2007 01:22 AM]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [03/09/2006 03:48 AM]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [12/14/2007 08:46 AM]
"CoolSwitch"="C:\WINDOWS\system32\taskswitch.exe" [03/20/2002 06:30 AM]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [02/29/2008 03:12 AM C:\WINDOWS\KHALMNPR.Exe]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [11/01/2007 07:12 PM]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t

C:\Documents and Settings\Justin\Start Menu\Programs\Startup\
qlock.lnk - E:\Program Files\Qlock\qlock.exe [3/20/2006 6:04:32 PM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Bluetooth.lnk - C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe [5/18/2007 6:43:18 AM]
Logitech SetPoint.lnk - E:\Program Files\Logitech\SetPoint\SetPoint.exe [8/5/2008 7:39:10 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll [05/26/2008 10:19 PM 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ackpbsc]
C:\WINDOWS\system32\ackpbsc.dll 05/16/2007 05:08 AM 112640 C:\WINDOWS\system32\ackpbsc.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\acunlock]
C:\Program Files\ActivIdentity\ActivClient\acunlock.dll 05/16/2007 05:08 AM 281088 C:\Program Files\ActivIdentity\ActivClient\acunlock.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\dimsntfy]
C:\WINDOWS\System32\dimsntfy.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll 05/02/2008 02:42 AM 72208 c:\Program Files\Common Files\LogiShrd\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
eapsvcs eaphost
dot3svc dot3svc

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
napagent
hkmsvc


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b36bbabe-f318-11dc-a6be-0015c5b1d0df}]
AutoRun\command- F:\ATTPreCopy.exe -d:OPETNAEXPCI

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b58221d8-dd94-11dc-9a01-0015c5b1d0df}]
Auto\command- setup.exe
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL setup.exe


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{61E3FE32-07B9-4563-A3E0-2DE2D620FE10}]
C:\Program Files\PixiePack Codec Pack\InstallerHelper.exe



-- End of Deckard's System Scanner: finished at 2008-08-12 13:08:40 ------------

Malwarebytes' Anti-Malware 1.24
Database version: 1043
Windows 5.1.2600 Service Pack 3

11:41:32 AM 8/12/2008
mbam-log-8-12-2008 (11-41-32).txt

Scan type: Quick Scan
Objects scanned: 44952
Time elapsed: 5 minute(s), 59 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 11
Registry Values Infected: 1
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 13

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\yayArRlJ.dll (Trojan.Vundo) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2b1384d2-a1ad-4910-905f-86c0cbfa0675} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{2b1384d2-a1ad-4910-905f-86c0cbfa0675} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\dslcnnct (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\IProxyProvider (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\The Weather Channel (Adware.Hotbar) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Weather Services (Adware.Hotbar) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\Cpls\wxfw.dll (Adware.Hotbar) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo) -> Data: c:\windows\system32\yayarrlj -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\yayarrlj -> Delete on reboot.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\yayArRlJ.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\JlRrAyay.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\JlRrAyay.ini2 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ocgsufyu.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\qerdgldb.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\hkvojqkh.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Justin\Local Settings\Temporary Internet Files\Content.IE5\T5FCLBKC\kb65666[1] (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\mcrh.tmp (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\cookies.ini (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\pskt.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\BM8ba95bd8.xml (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\BM8ba95bd8.txt (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\clkcnt.txt (Trojan.Vundo) -> Quarantined and deleted successfully.

#4 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:09:52 PM

Posted 12 August 2008 - 12:59 AM

Hi superbeast_87,


You have some suspicious files we need to check.

You will need to see hidden files, so follow these directions:

Go to My Computer and double-click C.
Go to the Tools menu and select 'Folder Options'.
On the 'View' tab select 'show hidden files and folders',
deselect (uncheck) 'hide protected operating system files (recommended)', and
deselect (uncheck) "Hide extensions for known file types.'


Go to next site: http://www.virustotal.com/en/indexf.html
On top you'll find 'Browse'
Click the browse button and browse to next file:

C:\xx

Click open.
Then click the 'Send' button next to it.
This will scan the file. Please be patient.
Save the results in notepad.

Perform the same for next file:

C:\WINDOWS\jestertb.dll


Once scanned, copy and paste the results also in your next reply.

NOTE: I usually enter my email address at virus total so they can send me the scan results. They usually only take a couple minutes to reply.
You can copy/paste the results of scan results here.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#5 superbeast_87

superbeast_87
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:11:52 PM

Posted 12 August 2008 - 03:22 AM

heres those results you asked for. thanks for your help so far



File xx received on 08.12.2008 10:14:41 (CET)
Current status: Loading ... queued waiting scanning finished NOT FOUND STOPPED


Result: 0/36 (0%)
Loading server information...
Your file is queued in position: ___.
Estimated start time is between ___ and ___ .
Do not close the window until scan is complete.
The scanner that was processing your file is stopped at this moment, we are going to wait a few seconds to try to recover your result.
If you are waiting for more than five minutes you have to resend your file.
Your file is being scanned by VirusTotal in this moment,
results will be shown as they're generated.
Compact Print results
Your file has expired or does not exists.
Service is stopped in this moments, your file is waiting to be scanned (position: ) for an undefined time.

You can wait for web response (automatic reload) or type your email in the form below and click "request" so the system sends you a notification when the scan is finished.
Email:


Antivirus Version Last Update Result
AhnLab-V3 2008.8.12.0 2008.08.12 -
AntiVir 7.8.1.19 2008.08.12 -
Authentium 5.1.0.4 2008.08.12 -
Avast 4.8.1195.0 2008.08.11 -
AVG 8.0.0.156 2008.08.11 -
BitDefender 7.2 2008.08.12 -
CAT-QuickHeal 9.50 2008.08.11 -
ClamAV 0.93.1 2008.08.12 -
DrWeb 4.44.0.09170 2008.08.12 -
eSafe 7.0.17.0 2008.08.11 -
eTrust-Vet 31.6.6025 2008.08.12 -
Ewido 4.0 2008.08.11 -
F-Prot 4.4.4.56 2008.08.12 -
F-Secure 7.60.13501.0 2008.08.12 -
Fortinet 3.14.0.0 2008.08.11 -
GData 2.0.7306.1023 2008.08.12 -
Ikarus T3.1.1.34.0 2008.08.12 -
K7AntiVirus 7.10.411 2008.08.11 -
Kaspersky 7.0.0.125 2008.08.12 -
McAfee 5358 2008.08.11 -
Microsoft 1.3807 2008.08.12 -
NOD32v2 3347 2008.08.11 -
Norman 5.80.02 2008.08.12 -
Panda 9.0.0.4 2008.08.11 -
PCTools 4.4.2.0 2008.08.11 -
Prevx1 V2 2008.08.12 -
Rising 20.57.11.00 2008.08.12 -
Sophos 4.32.0 2008.08.12 -
Sunbelt 3.1.1542.1 2008.08.12 -
Symantec 10 2008.08.12 -
TheHacker 6.2.96.396 2008.08.12 -
TrendMicro 8.700.0.1004 2008.08.12 -
VBA32 3.12.8.3 2008.08.11 -
ViRobot 2008.8.11.1331 2008.08.11 -
VirusBuster 4.5.11.0 2008.08.11 -
Webwasher-Gateway 6.6.2 2008.08.12 -
Additional information
File size: 64 bytes
MD5...: 6456d36652220045192fb2b53da70d63
SHA1..: 8c3697a6c16f22ee9a7871ff6cd06ca1e8868216
SHA256: 06bcbf53e05cd44da1c9dc7a0737f08eceef318eeab6f4c6743dea34038b62ce
SHA512: 6cbce8f347e8d1b3d3517b27fdc4ee1c71d8406ab54e2335f3a39732fa0009d2
2193c41677d18504e90b4c1138c32e7cc1aa7500597ba99cacd525ef2c44e9dc
PEiD..: -
PEInfo: -



File jestertb.dll received on 08.12.2008 10:17:45 (CET)
Current status: Loading ... queued waiting scanning finished NOT FOUND STOPPED


Result: 0/36 (0%)
Loading server information...
Your file is queued in position: 1.
Estimated start time is between 38 and 55 seconds.
Do not close the window until scan is complete.
The scanner that was processing your file is stopped at this moment, we are going to wait a few seconds to try to recover your result.
If you are waiting for more than five minutes you have to resend your file.
Your file is being scanned by VirusTotal in this moment,
results will be shown as they're generated.
Compact Print results
Your file has expired or does not exists.
Service is stopped in this moments, your file is waiting to be scanned (position: ) for an undefined time.

You can wait for web response (automatic reload) or type your email in the form below and click "request" so the system sends you a notification when the scan is finished.
Email:


Antivirus Version Last Update Result
AhnLab-V3 2008.8.12.0 2008.08.12 -
AntiVir 7.8.1.19 2008.08.12 -
Authentium 5.1.0.4 2008.08.12 -
Avast 4.8.1195.0 2008.08.11 -
AVG 8.0.0.156 2008.08.11 -
BitDefender 7.2 2008.08.12 -
CAT-QuickHeal 9.50 2008.08.11 -
ClamAV 0.93.1 2008.08.12 -
DrWeb 4.44.0.09170 2008.08.12 -
eSafe 7.0.17.0 2008.08.11 -
eTrust-Vet 31.6.6023 2008.08.11 -
Ewido 4.0 2008.08.11 -
F-Prot 4.4.4.56 2008.08.12 -
F-Secure 7.60.13501.0 2008.08.12 -
Fortinet 3.14.0.0 2008.08.11 -
GData 2.0.7306.1023 2008.08.12 -
Ikarus T3.1.1.34.0 2008.08.12 -
K7AntiVirus 7.10.411 2008.08.11 -
Kaspersky 7.0.0.125 2008.08.12 -
McAfee 5358 2008.08.11 -
Microsoft 1.3807 2008.08.12 -
NOD32v2 3347 2008.08.11 -
Norman 5.80.02 2008.08.12 -
Panda 9.0.0.4 2008.08.11 -
PCTools 4.4.2.0 2008.08.11 -
Prevx1 V2 2008.08.12 -
Rising 20.57.11.00 2008.08.12 -
Sophos 4.32.0 2008.08.12 -
Sunbelt 3.1.1542.1 2008.08.12 -
Symantec 10 2008.08.12 -
TheHacker 6.2.96.396 2008.08.12 -
TrendMicro 8.700.0.1004 2008.08.12 -
VBA32 3.12.8.3 2008.08.11 -
ViRobot 2008.8.11.1331 2008.08.11 -
VirusBuster 4.5.11.0 2008.08.11 -
Webwasher-Gateway 6.6.2 2008.08.12 -
Additional information
File size: 21504 bytes
MD5...: 56df1b6c087d4b9c0ab2318f226d3040
SHA1..: a818c50a6a34260e42a73eebb1716df73f1532b2
SHA256: 3628e028f807787915691ea74041f9a93fa7fd0f2fe4d1175ad4fd117d00a2e5
SHA512: 9e493204b78d806381fe87246cbec3929412ea04812131a49afbe5574426c585
bea61b6a89f09c77ecaed48266e2bc048e75da54cfa50f90097c323b0633ecca
PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x4047e8
timedatestamp.....: 0x2a425e19 (Fri Jun 19 22:22:17 1992)
machinetype.......: 0x14c (I386)

( 7 sections )
name viradd virsiz rawdsiz ntrpy md5
CODE 0x1000 0x3840 0x3a00 6.40 4c599c8a273f8f705614b896d62f5594
DATA 0x5000 0xcc 0x200 1.94 db5a50cf900334485962b7400fdb11a7
BSS 0x6000 0x4ed 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
.idata 0x7000 0x662 0x800 3.79 ac16988faccf8105c91efe309c85dbfa
.edata 0x8000 0x53 0x200 0.84 7d4cbb52a330f2c41ab60e8bda77254f
.reloc 0x9000 0x3dc 0x400 6.46 0b5f1d46b1cd82755103843541193017
.rsrc 0xa000 0x600 0x600 3.27 6aa5035a3e7f0f62b5494d0c4fff9ca0

( 7 imports )
> kernel32.dll: GetCurrentThreadId, DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, InitializeCriticalSection, VirtualFree, VirtualAlloc, LocalFree, LocalAlloc, VirtualQuery, lstrlenA, lstrcpynA, lstrcpyA, LoadLibraryExA, GetThreadLocale, GetStartupInfoA, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetLastError, GetCommandLineA, FreeLibrary, FindFirstFileA, FindClose, ExitProcess, WriteFile, UnhandledExceptionFilter, SetFilePointer, SetEndOfFile, RtlUnwind, ReadFile, RaiseException, GetStdHandle, GetFileSize, GetFileType, CreateFileA, CloseHandle
> user32.dll: GetKeyboardType, MessageBoxA, CharNextA
> advapi32.dll: RegQueryValueExA, RegOpenKeyExA, RegCloseKey
> oleaut32.dll: VariantCopyInd, VariantClear, SysFreeString, SysReAllocStringLen
> kernel32.dll: TlsSetValue, TlsGetValue, TlsFree, TlsAlloc, LocalFree, LocalAlloc, GetModuleFileNameA
> kernel32.dll: WaitForSingleObject, GetCurrentProcessId, DisableThreadLibraryCalls
> user32.dll: SetWindowLongA, RegisterWindowMessageA, MessageBeep, GetWindowThreadProcessId, FindWindowA, CallWindowProcA

( 1 exports )
WhatsTheBuildNumber

ThreatExpert info: http://www.threatexpert.com/report.aspx?md...ab2318f226d3040

#6 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:09:52 PM

Posted 12 August 2008 - 12:18 PM

Hi superbeast_87,

Those two files looks OK and your DSS log looks clean. :thumbsup:

How is your computer running?
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#7 superbeast_87

superbeast_87
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:11:52 PM

Posted 12 August 2008 - 12:21 PM

Well all has returned to normal as far as windows updates goes. I am no longer getting any popups so all the problems seem to have gone away. Id like to say thank you and i appreciate all your help. Are there any other steps that need to be performed or any sort of clean up? Thanks again!

Edited by superbeast_87, 12 August 2008 - 12:21 PM.


#8 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:09:52 PM

Posted 12 August 2008 - 12:47 PM

Hi,


Your very welcome. :thumbsup:

Let's clean your System Restore points and set a new one:

Reset and Re-enable your System Restore to remove infected files that have been backed up by Windows.
The files in System Restore are protected to prevent any programs from changing those files.
This is the only way to clean these files: (You will lose all previous restore points which are likely to be infected)

1. Turn off System Restore.

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK

2. Restart your computer.

3. Turn ON System Restore.

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check Turn off System Restore.
Click Apply, and then click OK.
NOTE: only do this ONCE, NOT on a regular basis

System Restore will now be active again.


Let's reset you files so they are hidden and protected.
Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab.
Under the Hidden files and folders heading deselect Show hidden files and folders.
Check the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Click OK

Please read and follow How did I get infected?, With steps so it does not happen again!
as well as
How to prevent Malware' by miekiemoes


If you want to improve speed/system performance after malware removal, take a look here.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#9 superbeast_87

superbeast_87
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:11:52 PM

Posted 12 August 2008 - 01:06 PM

All done with that, thanks again!

#10 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:09:52 PM

Posted 12 August 2008 - 01:11 PM

You're most welcome. :)
And I thank you for taking the time to say thank you! It's amazing just how far those two little words go. :thumbsup:
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#11 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:09:52 PM

Posted 19 August 2008 - 12:03 PM

Since your problem appears to be resolved, this thread will now be closed. If you need this topic reopened, please contact me or a member of the HJT Team and we will reopen it for you. Include the address of this thread in your request. If you should have a new issue, please start a new topic. This applies only to the original topic starter. Everyone else please begin a New Topic.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users