Virtumonde - 2 Trojans


  • This topic is locked
3 replies to this topic

#1 moxley777 (Members, 2 posts)

Posted 25 September 2008 - 07:59 PM

Spybot finds two trojans (Virtumonde) that it says it repairs, but upon rebooting and rescanning it finds them again. Also, Spybot asks for a reboot every time I run it (not sure if this is part of Virtumonde or not).

Google Chrome seems unaffected, but Firefox and probably other browsers are definitely affected.

Here's my log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:56:03, on 9/25/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Documents and Settings\Emily Moxley\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Registry Mechanic\RegMech.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\SSH Communications Security\SSH Secure Shell\SshClient.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\Documents and Settings\Emily Moxley\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Emily Moxley\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Emily Moxley\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Program Files\Mozilla Thunderbird\thunderbird.exe
C:\Documents and Settings\Emily Moxley\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Emily Moxley\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Emily Moxley\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Program Files\iTunes\iTunes.exe
C:\Program Files\Last.fm\LastFM.exe
C:\WINDOWS\system32\rundll32.exe
C:\Documents and Settings\Emily Moxley\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [fc738f33] rundll32.exe "C:\WINDOWS\system32\bvsbiffl.dll",b
O4 - HKLM\..\Run: [BMff40bcaf] Rundll32.exe "C:\WINDOWS\system32\cbewqxok.dll",s
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Emily Moxley\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [RegistryMechanic] C:\Program Files\Registry Mechanic\RegMech.exe /H
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.2.6.26.dll/206 (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1221354460140
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: reifbj.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe

--
End of file - 8540 bytes
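
Added editorial example (not part of the original post, and not the poster's or HijackThis's code): the reason Spybot's repair does not survive a reboot is visible in the log above. The two HKLM Run values with machine-generated names ([fc738f33] and [BMff40bcaf]) launch rundll32 against random-named DLLs in system32, and the O20 AppInit_DLLs entry (reifbj.dll) is loaded into every process that maps user32.dll, so the components are reinstated as soon as Windows starts. The Python below picks those three loading points out of HijackThis lines quoted from the post. The regular expressions for "random-looking" names are heuristics fitted to this log, not a vendor signature, and the sample input is a constructed subset of the log with benign neighbours left in.

```python
import re
from dataclasses import dataclass

# Constructed sample: a handful of lines copied from the HijackThis log quoted in
# the post above, with benign neighbours kept so the heuristics have something to
# leave alone. Added illustration, not output from the poster's machine.
SAMPLE_HJT_LOG = r"""
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [fc738f33] rundll32.exe "C:\WINDOWS\system32\bvsbiffl.dll",b
O4 - HKLM\..\Run: [BMff40bcaf] Rundll32.exe "C:\WINDOWS\system32\cbewqxok.dll",s
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: reifbj.dll
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
"""

# An O4 line: "O4 - <hive>\..\Run: [<value name>] <command line>"
O4_RE = re.compile(r'^O4 - (?P<hive>HK(?:LM|CU))\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
# A rundll32 command: rundll32[.exe] "<dll path>",<export>
RUNDLL_RE = re.compile(r'^rundll32(?:\.exe)?\s+"?(?P<dll>[^"]+?\.dll)"?\s*(?:,\s*(?P<export>\S+))?\s*$', re.I)
O20_RE = re.compile(r'^O20 - AppInit_DLLs: (?P<dlls>.+)$')
# Heuristics for the naming pattern visible in this log (assumptions, not a signature):
# value names that are eight hex digits, optionally prefixed "BM", and DLL stems that
# are 6-8 lowercase letters with no digits, vendor prefix or meaning.
GENERATED_VALUE_NAME = re.compile(r'^(?:BM)?[0-9a-f]{8}$')
GENERATED_DLL_STEM = re.compile(r'^[a-z]{6,8}$')


@dataclass
class Finding:
    line: str
    reason: str


def basename(path: str) -> str:
    return path.replace('/', '\\').rsplit('\\', 1)[-1]


def looks_generated(dll_path: str) -> bool:
    name = basename(dll_path).lower()
    stem = name[:-4] if name.endswith('.dll') else name
    return bool(GENERATED_DLL_STEM.match(stem))


def triage_hjt(log_text: str) -> list:
    """Return the O4/O20 lines that match Vundo-style loading points."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = O4_RE.match(line)
        if m:
            r = RUNDLL_RE.match(m['cmd'])
            if not r:
                continue  # a normal executable; nothing to say from this line alone
            reasons = []
            if GENERATED_VALUE_NAME.match(m['name']):
                reasons.append('machine-generated value name')
            if '\\system32\\' in r['dll'].lower() and looks_generated(r['dll']):
                reasons.append('rundll32 loads a random-named DLL from system32')
            if r['export'] and len(r['export']) == 1:
                reasons.append('single-letter export')
            if reasons:
                findings.append(Finding(line, '; '.join(reasons)))
            continue
        m = O20_RE.match(line)
        if m:
            # AppInit_DLLs is loaded into every process that maps user32.dll, so a
            # bare random name here is the loading point to remove first.
            for dll in re.split(r'[,\s]+', m['dlls'].strip()):
                if dll:
                    findings.append(Finding(line, f'AppInit_DLLs injection of {dll}'))
    return findings


def suspicious_dlls(log_text: str) -> set:
    """Lower-cased basenames of every DLL named in a finding."""
    names = set()
    for f in triage_hjt(log_text):
        for dll in re.findall(r'([\w~$-]+\.dll)', f.line, re.I):
            names.add(dll.lower())
    return names


if __name__ == '__main__':
    for f in triage_hjt(SAMPLE_HJT_LOG):
        print(f'{f.reason}\n    {f.line}')
```

Run against the sample it reports exactly the two rundll32 Run values and the AppInit_DLLs entry, and nothing for the ATI, Creative, Nero, Spybot or Symantec lines. Deleting the DLL files without clearing these three registry values, or clearing the values while the DLLs are still loaded in explorer.exe, is what leaves Spybot finding the same pair again after the next reboot.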


#2 moxley777, Topic Starter (Members, 2 posts)

Posted 25 September 2008 - 08:24 PM

I saw on some other posts to run combofix and post the log. I have done that, and am attaching the output file and pasting it below.


ComboFix 08-09-25.03 - Emily Moxley 2008-09-25 18:06:14.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1055 [GMT -7:00]
Running from: C:\Documents and Settings\Emily Moxley\My Documents\Downloads\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\BMff40bcaf.txt
C:\WINDOWS\BMff40bcaf.xml
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\cxpghnyw.dll
C:\WINDOWS\system32\geBqNDwX.dll
C:\WINDOWS\system32\IkUwGfhk.ini
C:\WINDOWS\system32\IkUwGfhk.ini2
C:\WINDOWS\system32\jixinlnm.ini
C:\WINDOWS\system32\khfGwUkI.dll
C:\WINDOWS\system32\lffibsvb.ini
C:\WINDOWS\system32\njeofkyt.ini
C:\WINDOWS\system32\qicnpjfo.ini
C:\WINDOWS\system32\vphuyooe.ini

.
((((((((((((((((((((((((( Files Created from 2008-08-26 to 2008-09-26 )))))))))))))))))))))))))))))))
.

2008-09-25 18:03 . 2008-09-25 18:03 98,816 --a------ C:\WINDOWS\system32\sxtctxke.dll
2008-09-25 17:59 . 2008-09-25 17:59 88,576 --a------ C:\WINDOWS\system32\eooyuhpv.dll
2008-09-25 17:56 . 2008-09-25 17:56 112,128 --a------ C:\WINDOWS\system32\ylsngw.dll
2008-09-25 17:56 . 2008-09-25 17:56 112,128 --a------ C:\WINDOWS\system32\lndofqps.dll
2008-09-25 17:55 . 2008-09-25 17:55 <DIR> d-------- C:\Program Files\Trend Micro
2008-09-25 17:53 . 2008-09-25 17:53 98,816 --a------ C:\WINDOWS\system32\cbewqxok.dll
2008-09-24 18:18 . 2008-09-24 18:18 <DIR> d-------- C:\VundoFix Backups
2008-09-24 17:55 . 2008-09-24 17:55 116,224 --a------ C:\WINDOWS\system32\reifbj.dll
2008-09-24 17:55 . 2008-09-24 17:55 116,224 --a------ C:\WINDOWS\system32\dhfqaktq.dll
2008-09-24 17:55 . 2008-09-24 17:55 89,600 --a------ C:\WINDOWS\system32\mnlnixij.dll
2008-09-24 17:53 . 2008-09-24 17:53 97,280 --a------ C:\WINDOWS\system32\itudwyrk.dll
2008-09-23 10:07 . 2008-09-23 11:26 <DIR> d-------- C:\Documents and Settings\Emily Moxley\.housecall6.6
2008-09-23 10:06 . 2008-09-23 10:06 <DIR> d-------- C:\WINDOWS\Sun
2008-09-23 09:28 . 2008-09-23 09:28 <DIR> d-------- C:\Program Files\Lavasoft
2008-09-23 09:28 . 2008-09-23 09:28 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-09-23 09:28 . 2008-09-23 09:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-09-23 08:51 . 2008-09-25 18:13 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-09-23 08:23 . 2008-09-23 08:31 3,310 --a------ C:\WINDOWS\system32\tmp.reg
2008-09-23 08:18 . 2008-09-23 08:18 111,616 --a------ C:\WINDOWS\system32\rbxrefkq.dll
2008-09-23 08:18 . 2008-09-23 08:18 111,616 --a------ C:\WINDOWS\system32\funzqy.dll
2008-09-23 08:12 . 2008-09-23 08:12 97,280 --a------ C:\WINDOWS\system32\dkexvocx.dll
2008-09-22 23:06 . 2008-09-23 08:11 <DIR> d-------- C:\Documents and Settings\Emily Moxley\Application Data\skypePM
2008-09-22 23:06 . 2008-09-22 23:06 56 --ah----- C:\WINDOWS\system32\ezsidmv.dat
2008-09-22 23:05 . 2008-09-23 12:02 <DIR> d-------- C:\Documents and Settings\Emily Moxley\Application Data\Skype
2008-09-22 23:04 . 2008-09-22 23:04 <DIR> d-------- C:\Program Files\Skype
2008-09-22 23:04 . 2008-09-22 23:04 <DIR> d-------- C:\Program Files\Common Files\Skype
2008-09-22 23:04 . 2008-09-22 23:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Skype
2008-09-22 21:03 . 2008-09-22 21:03 91 --a------ C:\WINDOWS\wininit.ini
2008-09-22 19:39 . 2008-09-22 19:39 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-09-22 19:39 . 2008-09-22 19:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-09-22 05:28 . 2008-09-22 05:28 113,152 --a------ C:\WINDOWS\system32\imuiok.dll
2008-09-22 05:28 . 2008-09-22 05:28 113,152 --a------ C:\WINDOWS\system32\fcnxgcvs.dll
2008-09-22 05:28 . 2008-09-22 05:28 99,328 --a------ C:\WINDOWS\system32\afamchma.dll
2008-09-22 05:28 . 2008-09-22 05:28 90,624 --a------ C:\WINDOWS\system32\tykfoejn.dll
2008-09-21 23:26 . 2008-09-21 23:26 113,152 --a------ C:\WINDOWS\system32\qevcxacy.dll
2008-09-21 23:26 . 2008-09-21 23:26 113,152 --a------ C:\WINDOWS\system32\bwcnzl.dll
2008-09-21 23:25 . 2008-09-21 23:25 99,328 --a------ C:\WINDOWS\system32\vkdkaxxk.dll
2008-09-21 23:16 . 2008-09-21 23:16 32 --a------ C:\WINDOWS\MS Office 2007 Pro Plus & Expression Web.INI
2008-09-21 19:45 . 2008-09-21 23:28 <DIR> d-------- C:\Program Files\BitComet
2008-09-21 19:45 . 2008-09-22 21:37 <DIR> d-------- C:\Downloads
2008-09-21 19:39 . 2008-09-21 23:30 <DIR> d-------- C:\WINDOWS\system32\NtmsData
2008-09-21 19:10 . 2008-04-13 11:45 32,128 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys
2008-09-21 19:10 . 2008-04-13 11:45 32,128 --a--c--- C:\WINDOWS\system32\dllcache\usbccgp.sys
2008-09-21 18:28 . 2008-09-25 04:54 <DIR> d-------- C:\Documents and Settings\Emily Moxley\Application Data\SSH
2008-09-21 00:44 . 2008-09-21 00:44 151 --a------ C:\WINDOWS\PhotoSnapViewer.INI
2008-09-20 18:49 . 2008-09-20 18:49 <DIR> d-------- C:\Program Files\Last.fm
2008-09-20 18:49 . 2008-09-20 18:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Last.fm
2008-09-19 19:53 . 2008-04-13 11:40 43,904 --a------ C:\WINDOWS\system32\drivers\sbp2port.sys
2008-09-19 19:53 . 2008-04-13 11:40 43,904 --a--c--- C:\WINDOWS\system32\dllcache\sbp2port.sys
2008-09-15 16:46 . 2008-09-15 16:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\MiKTeX
2008-09-15 16:38 . 2008-09-15 16:44 <DIR> d-------- C:\Program Files\MiKTeX 2.7
2008-09-15 16:35 . 2008-09-15 16:35 <DIR> d-------- C:\Program Files\TeXnicCenter
2008-09-15 16:35 . 2006-05-28 16:39 1,233,920 --a------ C:\WINDOWS\system32\msxml4.dll
2008-09-15 16:35 . 2006-05-28 16:39 82,432 --a------ C:\WINDOWS\system32\msxml4r.dll
2008-09-15 16:35 . 2006-05-28 16:39 44,544 --a------ C:\WINDOWS\system32\msxml4a.dll
2008-09-15 12:27 . 2008-09-15 12:27 <DIR> d-------- C:\Documents and Settings\Emily Moxley\Application Data\Ahead
2008-09-15 12:25 . 2008-09-15 12:25 <DIR> d-------- C:\Program Files\Nero
2008-09-15 12:25 . 2008-09-15 12:34 <DIR> d-------- C:\Program Files\Common Files\Ahead
2008-09-15 12:01 . 2008-09-15 12:01 <DIR> d-------- C:\Documents and Settings\Emily Moxley\Application Data\MathWorks
2008-09-15 12:01 . 2008-09-23 11:36 158 --a------ C:\WINDOWS\matlab.ini
2008-09-15 11:30 . 2008-09-15 12:02 <DIR> d-------- C:\MATLAB7
2008-09-15 11:14 . 2008-06-10 02:32 73,728 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-09-15 11:13 . 2008-09-15 11:14 <DIR> d-------- C:\Program Files\Java
2008-09-15 11:13 . 2008-09-15 11:13 <DIR> d-------- C:\Program Files\Common Files\Java
2008-09-15 10:45 . 2008-09-15 10:45 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\FLEXnet
2008-09-15 10:44 . 2008-09-15 10:44 <DIR> d-------- C:\Program Files\Common Files\Macrovision Shared
2008-09-15 10:39 . 2008-09-15 10:45 <DIR> d-------- C:\Program Files\Common Files\Adobe
2008-09-15 10:23 . 2008-09-15 10:23 0 --a------ C:\WINDOWS\VPC32.INI
2008-09-15 10:21 . 2008-09-15 10:21 <DIR> d-------- C:\WINDOWS\system32\CBA
2008-09-15 10:21 . 2008-09-15 10:21 <DIR> d-------- C:\Program Files\Symantec
2008-09-15 10:21 . 2008-09-15 10:21 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Symantec
2008-09-15 10:21 . 2001-09-24 01:29 120,379 --a------ C:\WINDOWS\system32\SYMEVNT.386
2008-09-15 10:21 . 2001-09-24 01:29 57,696 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-09-15 10:21 . 2001-09-24 01:29 36,864 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2008-09-15 10:21 . 2001-09-24 01:29 4,032 --a------ C:\WINDOWS\system32\SYMEVNT1.DLL
2008-09-15 10:20 . 2008-09-15 11:08 <DIR> d-------- C:\Program Files\NavNT
2008-09-15 10:20 . 2008-09-15 10:21 <DIR> d-------- C:\Program Files\Common Files\Symantec Shared
2008-09-15 10:12 . 2008-09-15 10:12 <DIR> d-------- C:\Program Files\Google
2008-09-15 09:57 . 2008-09-20 18:49 <DIR> d-------- C:\Program Files\iTunes
2008-09-15 09:57 . 2008-09-15 09:57 <DIR> d-------- C:\Program Files\iPod
2008-09-15 09:57 . 2008-09-15 09:57 <DIR> d-------- C:\Program Files\Bonjour
2008-09-15 09:57 . 2008-09-15 09:57 <DIR> d-------- C:\Documents and Settings\Emily Moxley\Application Data\Apple Computer
2008-09-15 09:57 . 2008-09-15 09:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-09-15 09:57 . 2008-04-17 13:12 107,368 --a------ C:\WINDOWS\system32\GEARAspi.dll
2008-09-15 09:57 . 2008-04-17 13:12 15,464 --a------ C:\WINDOWS\system32\drivers\GEARAspiWDM.sys
2008-09-15 09:56 . 2008-09-15 09:57 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2008-09-15 09:56 . 2008-09-15 09:57 <DIR> d-------- C:\Program Files\QuickTime
2008-09-15 09:56 . 2008-09-15 09:56 <DIR> d-------- C:\Program Files\Apple Software Update
2008-09-15 09:56 . 2008-09-15 09:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-09-15 09:55 . 2008-09-15 09:56 <DIR> d-------- C:\Program Files\Common Files\Apple
2008-09-15 09:55 . 2008-09-15 09:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
2008-09-13 19:01 . 2008-09-13 19:01 <DIR> d-------- C:\WINDOWS\system32\scripting
2008-09-13 19:01 . 2008-09-13 19:01 <DIR> d-------- C:\WINDOWS\system32\en
2008-09-13 19:01 . 2008-09-13 19:01 <DIR> d-------- C:\WINDOWS\system32\bits
2008-09-13 19:01 . 2008-09-13 19:01 <DIR> d-------- C:\WINDOWS\l2schemas
2008-09-13 19:00 . 2008-09-13 19:00 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2008-09-13 18:52 . 2004-08-03 22:29 327,040 --------- C:\WINDOWS\system32\drivers\ati2mtaa.sys
2008-09-13 18:48 . 2008-09-13 18:48 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2008-09-13 18:48 . 2007-08-10 20:46 26,488 --a------ C:\WINDOWS\system32\spupdsvc.exe
2008-09-13 18:08 . 2007-07-30 19:19 43,352 --a------ C:\WINDOWS\system32\wups2.dll
2008-09-13 18:08 . 2007-07-30 19:18 34,136 --a------ C:\WINDOWS\system32\wucltui.dll.mui
2008-09-13 18:08 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuaucpl.cpl.mui
2008-09-13 18:08 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuapi.dll.mui
2008-09-13 18:08 . 2007-07-30 19:18 20,312 --a------ C:\WINDOWS\system32\wuaueng.dll.mui
2008-09-13 18:07 . 2008-09-13 18:07 <DIR> d---s---- C:\Documents and Settings\Emily Moxley\UserData
2008-09-13 18:06 . 2008-09-13 18:06 <DIR> d-------- C:\Documents and Settings\Emily Moxley\Application Data\Roxio
2008-09-13 17:52 . 2008-09-13 17:52 <DIR> d-------- C:\Program Files\SSH Communications Security
2008-09-13 17:48 . 2008-09-25 05:09 <DIR> d-------- C:\Program Files\Mozilla Thunderbird
2008-09-13 17:48 . 2008-09-13 17:48 <DIR> d-------- C:\Documents and Settings\Emily Moxley\Application Data\Thunderbird
2008-09-13 17:46 . 2008-09-15 10:21 592 --a------ C:\WINDOWS\ODBC.INI
2008-09-13 17:43 . 2008-09-13 17:43 <DIR> dr-h----- C:\MSOCache
2008-09-13 17:37 . 2003-01-13 16:14 135,168 --a------ C:\WINDOWS\system32\l3codecx.acm
2008-09-13 17:36 . 2008-09-13 17:36 <DIR> d-------- C:\Program Files\Roxio
2008-09-13 17:34 . 2008-09-13 17:37 <DIR> d-------- C:\Program Files\Common Files\Roxio Shared
2008-09-13 17:16 . 2008-09-25 18:11 30,888 --a------ C:\WINDOWS\system32\BMXStateBkp-{00000003-00000000-00000003-00001102-00000004-20061102}.rfx
2008-09-13 17:16 . 2008-09-25 18:11 30,888 --a------ C:\WINDOWS\system32\BMXState-{00000003-00000000-00000003-00001102-00000004-20061102}.rfx
2008-09-13 17:16 . 2008-09-25 18:11 30,528 --a------ C:\WINDOWS\system32\BMXCtrlState-{00000003-00000000-00000003-00001102-00000004-20061102}.rfx
2008-09-13 17:16 . 2008-09-25 18:11 30,528 --a------ C:\WINDOWS\system32\BMXBkpCtrlState-{00000003-00000000-00000003-00001102-00000004-20061102}.rfx
2008-09-13 17:16 . 2008-09-25 18:11 1,080 --a------ C:\WINDOWS\system32\settingsbkup.sfm
2008-09-13 17:16 . 2008-09-25 18:11 1,080 --a------ C:\WINDOWS\system32\settings.sfm
2008-09-13 17:16 . 2008-09-25 18:11 384 --a------ C:\WINDOWS\system32\DVCStateBkp-{00000003-00000000-00000003-00001102-00000004-20061102}.dat
2008-09-13 17:16 . 2008-09-25 18:11 384 --a------ C:\WINDOWS\system32\DVCState-{00000003-00000000-00000003-00001102-00000004-20061102}.dat
2008-09-13 17:15 . 2008-09-13 17:15 <DIR> d-------- C:\Program Files\Intel
2008-09-13 17:15 . 2008-09-25 18:13 4,933,581 --a------ C:\WINDOWS\{00000003-00000000-00000003-00001102-00000004-20061102}.CDF
2008-09-13 17:15 . 2008-09-13 17:15 4,932,819 --------- C:\WINDOWS\{00000003-00000000-00000003-00001102-00000004-20061102}.BAK

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-19 19:26 82,944 ----a-w C:\WINDOWS\system32\o4Patch.exe
2008-09-19 19:26 82,944 ----a-w C:\WINDOWS\system32\IEDFix.C.exe
2008-09-13 17:29 --------- d-----w C:\Program Files\microsoft frontpage
2008-09-09 06:38 88,576 ----a-w C:\WINDOWS\system32\AntiXPVSTFix.exe
2008-09-02 23:51 86,528 ----a-w C:\WINDOWS\system32\VACFix.exe
2008-08-18 19:19 82,432 ----a-w C:\WINDOWS\system32\404Fix.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{34e361f0-05c5-4a1c-8e18-3d6310474d6f}]
2008-09-25 17:56 112128 --a------ C:\WINDOWS\system32\ylsngw.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-04-21 94208]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-07-07 2156368]
"Google Update"="C:\Documents and Settings\Emily Moxley\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-09-22 133104]
"RegistryMechanic"="C:\Program Files\Registry Mechanic\RegMech.exe" [2008-07-08 2828184]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2006-02-09 344064]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [2000-05-11 90112]
"RoxioEngineUtility"="C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe" [2003-01-13 69632]
"RoxioDragToDisc"="C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe" [2003-01-13 757760]
"RoxioAudioCentral"="C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe" [2003-01-09 253952]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-09-06 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-09-10 289576]
"googletalk"="C:\Program Files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
"vptray"="C:\Program Files\NavNT\vptray.exe" [2001-09-24 73728]
"Acrobat Assistant 8.0"="C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-01-11 623992]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]
"fc738f33"="C:\WINDOWS\system32\eooyuhpv.dll" [2008-09-25 88576]
"BMff40bcaf"="C:\WINDOWS\system32\sxtctxke.dll" [2008-09-25 98816]
"CTHelper"="CTHELPER.EXE" [2004-03-10 C:\WINDOWS\system32\CTHELPER.EXE]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=ylsngw.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"C:\\Program Files\\Nero\\Nero 7\\Nero Home\\NeroHome.exe"=
"C:\\Program Files\\BitComet\\BitComet.exe"=
"C:\\WINDOWS\\system32\\dpvsetup.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"19789:TCP"= 19789:TCP:BitComet 19789 TCP
"19789:UDP"= 19789:UDP:BitComet 19789 UDP

.
Contents of the 'Scheduled Tasks' folder
.
- - - - ORPHANS REMOVED - - - -

BHO-{0FDAFB0E-AC76-4713-A186-8BD71AA2617c} - C:\WINDOWS\system32\cxpghnyw.dll
BHO-{1AADD90A-B46B-4242-A4C6-567E85EC808E} - (no file)
BHO-{A1DB0BC4-3E5C-451E-BBBB-27A69BD6FF5C} - C:\WINDOWS\system32\geBqNDwX.dll
BHO-{A286EF28-7AF7-477C-AB55-E54F2603A74D} - C:\WINDOWS\system32\khfGwUkI.dll
BHO-{B562A266-E4B6-470E-98D3-85889D136529} - (no file)
BHO-{de19d598-144b-40b8-82fe-0851fff06398} - (no file)
ShellExecuteHooks-{A1DB0BC4-3E5C-451E-BBBB-27A69BD6FF5C} - C:\WINDOWS\system32\geBqNDwX.dll


.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Emily Moxley\Application Data\Mozilla\Firefox\Profiles\fffqccxw.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.nytimes.com
FF -: plugin - C:\Documents and Settings\Emily Moxley\Local Settings\Application Data\Google\Update\1.2.131.11\npGoogleOneClick5.dll
FF -: plugin - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\browser\nppdf32.dll
FF -: plugin - C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-25 18:13:19
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\NavLogon.dll

PROCESS: C:\WINDOWS\explorer.exe
-> C:\WINDOWS\system32\eooyuhpv.dll
-> C:\WINDOWS\system32\sxtctxke.dll
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\system32\MSGSYS.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
.
**************************************************************************
.
Completion time: 2008-09-25 18:18:22 - machine was rebooted
ComboFix-quarantined-files.txt 2008-09-26 01:18:14

Pre-Run: 114,305,961,984 bytes free
Post-Run: 114,161,606,656 bytes free


Attached file: log.txt (18.72KB)
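
Added editorial example (not from the original post, and not ComboFix's own output): the ComboFix log above explains the re-detection. New random-named DLLs land in system32 at 17:53, 17:56, 17:59 and 18:03, several in same-size pairs written in the same minute; the Run values fc738f33 and BMff40bcaf now point at eooyuhpv.dll and sxtctxke.dll rather than the bvsbiffl.dll and cbewqxok.dll the HijackThis log showed ten minutes earlier; and the deleted .ini files carry the DLL names spelled backwards (vphuyooe.ini for eooyuhpv.dll). The Python below parses constructed subsets of the "Other Deletions", "Files Created" and "Reg Loading Points" sections and reports those three things. The random-name regex is an assumption fitted to this log, and the sample texts are excerpts, not the full sections.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: subsets of the "Other Deletions", "Files Created" and
# "Reg Loading Points" sections of the ComboFix log quoted above, with a few
# legitimate files left in. Added illustration, not the poster's own output.
OTHER_DELETIONS = r"""
C:\WINDOWS\system32\geBqNDwX.dll
C:\WINDOWS\system32\IkUwGfhk.ini
C:\WINDOWS\system32\jixinlnm.ini
C:\WINDOWS\system32\khfGwUkI.dll
C:\WINDOWS\system32\lffibsvb.ini
C:\WINDOWS\system32\vphuyooe.ini
"""
FILES_CREATED = r"""
2008-09-25 18:03 . 2008-09-25 18:03 98,816 --a------ C:\WINDOWS\system32\sxtctxke.dll
2008-09-25 17:59 . 2008-09-25 17:59 88,576 --a------ C:\WINDOWS\system32\eooyuhpv.dll
2008-09-25 17:56 . 2008-09-25 17:56 112,128 --a------ C:\WINDOWS\system32\ylsngw.dll
2008-09-25 17:56 . 2008-09-25 17:56 112,128 --a------ C:\WINDOWS\system32\lndofqps.dll
2008-09-25 17:55 . 2008-09-25 17:55 <DIR> d-------- C:\Program Files\Trend Micro
2008-09-25 17:53 . 2008-09-25 17:53 98,816 --a------ C:\WINDOWS\system32\cbewqxok.dll
2008-09-24 17:55 . 2008-09-24 17:55 116,224 --a------ C:\WINDOWS\system32\reifbj.dll
2008-09-24 17:55 . 2008-09-24 17:55 116,224 --a------ C:\WINDOWS\system32\dhfqaktq.dll
2008-09-24 17:55 . 2008-09-24 17:55 89,600 --a------ C:\WINDOWS\system32\mnlnixij.dll
2008-09-15 09:57 . 2008-04-17 13:12 107,368 --a------ C:\WINDOWS\system32\GEARAspi.dll
"""
REG_LOADING_POINTS = r"""
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{34e361f0-05c5-4a1c-8e18-3d6310474d6f}]
2008-09-25 17:56 112128 --a------ C:\WINDOWS\system32\ylsngw.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"fc738f33"="C:\WINDOWS\system32\eooyuhpv.dll" [2008-09-25 88576]
"BMff40bcaf"="C:\WINDOWS\system32\sxtctxke.dll" [2008-09-25 98816]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=ylsngw.dll
"""
# What the two Vundo Run values pointed at in the HijackThis log posted ten minutes earlier.
HJT_RUN_DLLS = {'bvsbiffl.dll', 'cbewqxok.dll'}

# "<created> . <modified> <size> <attrs> <path>"; directory rows carry <DIR> instead of a size.
FILE_RE = re.compile(r'^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. \S+ \S+ '
                     r'(?P<size>[\d,]+) \S{9} (?P<path>.+)$')
RANDOM_DLL = re.compile(r'^[a-z]{6,8}\.dll$')   # naming pattern seen in this log (assumption)
DLL_NAME = re.compile(r'([\w~$-]+\.dll)', re.I)


def random_system32_dlls(files_created: str) -> list:
    """(created, size, name) for each random-named DLL dropped into system32, oldest first."""
    drops = []
    for line in files_created.splitlines():
        m = FILE_RE.match(line.strip())
        if not m:
            continue
        name = m['path'].rsplit('\\', 1)[-1]
        if '\\system32\\' in m['path'].lower() and RANDOM_DLL.match(name):
            created = datetime.strptime(m['created'], '%Y-%m-%d %H:%M')
            drops.append((created, int(m['size'].replace(',', '')), name))
    return sorted(drops)


def twin_pairs(drops: list) -> list:
    """DLLs written in the same minute with identical sizes: one payload kept as two copies."""
    groups = defaultdict(list)
    for created, size, name in drops:
        groups[(created, size)].append(name)
    return sorted(sorted(names) for names in groups.values() if len(names) > 1)


def reversed_name_companions(deleted: str, dll_names: set) -> list:
    """(ini, dll) pairs whose .ini stem is a known DLL stem spelled backwards."""
    pairs = []
    for line in deleted.splitlines():
        name = line.strip().rsplit('\\', 1)[-1]
        if name.lower().endswith('.ini'):
            mirror = name[:-4][::-1] + '.dll'
            if mirror in dll_names:
                pairs.append((name, mirror))
    return sorted(pairs)


def autostart_references(reg_text: str) -> dict:
    """Lower-cased DLL basename -> registry keys (the [...] headers) that currently load it."""
    refs, section = defaultdict(set), None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith('['):
            section = line
            continue
        for dll in DLL_NAME.findall(line):
            refs[dll.lower()].add(section)
    return dict(refs)


def report(deleted=OTHER_DELETIONS, files_created=FILES_CREATED, reg_text=REG_LOADING_POINTS):
    drops = random_system32_dlls(files_created)
    dropped = {name for _, _, name in drops}
    refs = autostart_references(reg_text)
    live = {name for name in dropped if name in refs}
    known = dropped | HJT_RUN_DLLS | set(DLL_NAME.findall(deleted))
    return {
        'drops': [name for _, _, name in drops],
        'twins': twin_pairs(drops),
        'companions': reversed_name_companions(deleted, known),
        'live': live,                               # dropped and still wired to an autostart
        'rotated_since_hjt': HJT_RUN_DLLS - live,   # names the loader has already abandoned
    }
```

Calling report() on the sample gives eight random drops over two days, two same-minute twins (reifbj.dll/dhfqaktq.dll and ylsngw.dll/lndofqps.dll), four reversed-name .ini companions, three DLLs still referenced from the BHO, Run and AppInit_DLLs keys, and both HijackThis-era names already rotated out. The practical point is that a log captured at 17:56 is stale by 18:06, so each cleanup has to be driven from the current loading points, not from file names in an older scan.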


#3 SifuMike, malware expert (Staff Emeritus, 15,385 posts; Location: Vancouver (not BC) WA (Not DC) USA)

Posted 02 October 2008 - 01:24 PM

Hello moxley777,

I saw on some other posts to run combofix and post the log. I have done that, and am attaching the output file and pasting it below.



You should NOT use ComboFix unless you have been instructed to do so by a Malware Removal Expert.
It is intended by its creator to be used under the guidance and supervision of a Malware Removal Expert, not for private use.

Using this tool incorrectly could lead to disastrous problems with your operating system, such as preventing it from ever starting again.
Please read ComboFix's Disclaimer.
Further, ComboFix logs are not permitted outside the HijackThis forums, and then only when requested by a HJT Team member.


I can see that you did not follow the instructions! It asked you to install the RECOVERY CONSOLE before running ComboFix.

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!


Disable your Norton Antivirus and Spybot TeaTimer before running ComboFix.

To disable Norton Antivirus:
Please navigate to the system tray in the bottom right-hand corner and look for the Norton AntiVirus icon.
  • right-click it -> choose "Disable Auto-Protect."
  • select a duration of 5 hours (this assures no interference with the cleanup of your PC)
  • click "Ok."
  • a popup will warn that protection will now be disabled, and the icon will change appearance.
You have successfully disabled the Norton Antivirus Guard.

To disable Spybot's Teatimer:
Run Spybot-S&D
Go to the Mode menu, and make sure "Advanced Mode" is selected
On the left hand side, choose Tools -> Resident
Uncheck "Resident TeaTimer" and OK any prompts



Go to Microsoft's website => http://support.microsoft.com/kb/310994
Select the download that's appropriate for your Operating System

Download the file & save it under its original name, next to ComboFix.exe.

Now close all open windows and programs, including all antivirus and anti-malware programs, so they do not interfere with the running of ComboFix.
  • Drag the setup package onto ComboFix.exe and drop it.

  • Follow the prompts to start ComboFix and, when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console.

  • At the next prompt, click 'Yes' to run the full ComboFix scan.

  • When the tool is finished, it will produce a report for you.
Please post the C:\ComboFix.txt for further review.

Edited by SifuMike, 02 October 2008 - 01:36 PM: disable Norton & TeaTimer

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!




Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#4 SifuMike, malware expert (Staff Emeritus, 15,385 posts)

Posted 07 October 2008 - 01:44 PM

Due to inactivity, this thread will now be closed. If you need this topic reopened, please contact me or a member of the HJT Team and we will reopen it for you. Include the address of this thread in your request.
If you should have a new issue, please start a new topic. This applies only to the original topic starter. Everyone else please begin a New Topic.