
Hijack This Log - Virtumonde.prx


3 replies to this topic

#1 renton72 (Members, 4 posts)

Posted 04 October 2008 - 04:11 AM

Hi,

All of my spyware seemed to be destroyed except Virtumonde.prx, which won't remove. I run Spybot Search & Destroy and it "locates" this file, and I click on remove, but when I run the scan again it is still there!

It also says Windows Security Centre is disabled.

Spybot report below:

--- Search result list ---
Hint of the Day: Click the bar at the right of this to see more information! ()


Microsoft.WindowsSecurityCenter_disabled: [SBI $2E20C9A9] Settings (Registry change, nothing done)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc\Start

Virtumonde.prx: [SBI $C46E6FC7] Configuration file (File, nothing done)
C:\WINDOWS\pskt.ini

Virtumonde.prx: [SBI $13DC8D4E] Settings (Registry value, nothing done)
HKEY_LOCAL_MACHINE\Software\Microsoft\IProxyProvider\Path=...C:\WINDOWS\system32\utrdvjfl.dll...

Virtumonde.prx: [SBI $797B4EBF] Library (File, nothing done)
C:\WINDOWS\system32\utrdvjfl.dll

Virtumonde.prx: [SBI $0EED8ADA] Settings (Registry value, nothing done)
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\BMbf229304

Virtumonde.prx: [SBI $7BFCBA71] Settings (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\dslcnnct

HijackThis log below.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 09:27:30, on 04/10/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\common files\logishrd\lvmvfm\LVPrcSrv.exe
C:\WINDOWS\system32\acs.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Logitech\QuickCam10\QuickCam10.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Atheros\ACU.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe
C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\ACDSYS~1\DEVDET~1\DEVDET~1.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Documents and Settings\All Users\Application Data\ipd\tray.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Safari\Safari.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.bbc.co.uk/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam10\QuickCam10.exe" /hide
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [ACU] "C:\Program Files\Atheros\ACU.exe" -nogui
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [EOUApp] "C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe"
O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [uiksxnifrjnuqchq] C:\WINDOWS\System32\Rundll32.exe "C:\WINDOWS\system32\hiblctoomkw.dll" EntryPoint
O4 - HKLM\..\Run: [Camera Detector] C:\PROGRA~1\ACDSYS~1\DEVDET~1\DEVDET~1.EXE -autorun
O4 - HKLM\..\Run: [bc11a098] rundll32.exe "C:\WINDOWS\system32\qfkjfgnf.dll",b
O4 - HKLM\..\Run: [BMbf229304] Rundll32.exe "C:\WINDOWS\system32\utrdvjfl.dll",s
O4 - HKLM\..\RunOnce: [Spybot - Search & Destroy] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Start Shopper Link System Tray App.lnk = C:\Documents and Settings\All Users\Application Data\ipd\tray.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O20 - AppInit_DLLs: tarsbu.dll
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - c:\program files\common files\logishrd\lvmvfm\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe

--
End of file - 8029 bytes

Thanks for any help.
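The entries a helper looks at first in a log like this are the O4 Run values that start rundll32 with a randomly named DLL out of system32 (the three with the names uiksxnifrjnuqchq, bc11a098 and BMbf229304 above) and the O20 AppInit_DLLs line (tarsbu.dll), since AppInit_DLLs makes every process that loads user32.dll load that DLL too. The following Python script is an added example of that triage; it is not code from this thread, from HijackThis or from ComboFix. The sample log is constructed here, modelled on the O4/O20 lines of the post, with one constructed benign control entry (`CplControl`, a rundll32 call into shell32.dll), and the `looks_random` name heuristic is an assumption of the example, not a rule used by any of the tools mentioned.

```python
"""Startup-entry triage for HijackThis-style O4/O20 lines.

Added example for this thread; not the poster's, HijackThis's or ComboFix's
code. It reports two patterns visible in the log above: rundll32 Run entries
that load a random-looking DLL from the Windows directory, and any
AppInit_DLLs value.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample, modelled on O4/O20 lines from the post above.
# The CplControl line is a benign control that should not be flagged.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [uiksxnifrjnuqchq] C:\WINDOWS\System32\Rundll32.exe "C:\WINDOWS\system32\hiblctoomkw.dll" EntryPoint
O4 - HKLM\..\Run: [bc11a098] rundll32.exe "C:\WINDOWS\system32\qfkjfgnf.dll",b
O4 - HKLM\..\Run: [BMbf229304] Rundll32.exe "C:\WINDOWS\system32\utrdvjfl.dll",s
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [CplControl] rundll32.exe C:\WINDOWS\system32\shell32.dll,Control_RunDLL
O20 - AppInit_DLLs: tarsbu.dll
"""

O4_RE = re.compile(r"^O4 - (?P<location>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O20_RE = re.compile(r"^O20 - AppInit_DLLs: (?P<dlls>.+)$")
# rundll32[.exe] followed by an optionally quoted DLL path (stops at ',' or '"')
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+\.dll)"?', re.I)
WINDIR_RE = re.compile(r"^[a-z]:\\windows\\", re.I)
VOWELS = set("aeiouy")


@dataclass
class Finding:
    kind: str    # "rundll32-loader" or "appinit"
    name: str    # Run value name, or the raw AppInit_DLLs value
    path: str    # DLL referenced by the entry
    reason: str


def looks_random(stem: str) -> bool:
    """Heuristic (assumption of this example): letters only, at least six
    characters, and either no vowels at all or a run of 4+ consonants."""
    s = stem.lower()
    if not s.isalpha() or len(s) < 6:
        return False
    if not any(c in VOWELS for c in s):
        return True
    run = longest = 0
    for c in s:
        run = 0 if c in VOWELS else run + 1
        longest = max(longest, run)
    return longest >= 4


def triage(log_text: str) -> list[Finding]:
    """Return the O4/O20 entries worth a closer look, in log order."""
    findings: list[Finding] = []
    for line in log_text.strip().splitlines():
        m = O4_RE.match(line)
        if m:
            r = RUNDLL_RE.search(m["cmd"])
            if not r:
                continue                      # not a rundll32 loader
            dll = r["dll"]
            stem = dll.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
            if WINDIR_RE.match(dll) and looks_random(stem):
                findings.append(Finding(
                    "rundll32-loader", m["name"], dll,
                    "rundll32 loads a random-looking DLL from the Windows directory"))
            continue
        m = O20_RE.match(line)
        if m:
            for dll in re.split(r"[,\s]+", m["dlls"].strip()):
                if dll:
                    findings.append(Finding(
                        "appinit", m["dlls"].strip(), dll,
                        "AppInit_DLLs loads this DLL into every process that uses user32.dll"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind:16} {f.name:18} {f.path}  ({f.reason})")
```

On the constructed sample this reports the three rundll32 loaders and the AppInit_DLLs entry and stays quiet on the vendor programs, ctfmon and the shell32 control. A hit only says the entry deserves a closer look (file creation time, signer, what else references it); the ComboFix run requested in the next reply is the tool that actually collects that information and removes the files.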


#2 rookie147 (Members, 5,321 posts)

Posted 04 October 2008 - 02:28 PM

Hello there and welcome to BleepingComputer. My name is Charles and I will be dealing with your log today.
Download ComboFix to your Desktop.
Double-click combofix.exe.
Follow the prompts that are displayed.
Don't click on the window while the fix is running, because that will cause your system to hang.
When finished, it should produce a log, combofix.txt.

Post that in your next reply with a fresh HijackThis log.
Thanks,
Charles



#3 renton72 (Topic Starter; Members, 4 posts)

Posted 11 October 2008 - 05:05 AM

ComboFix 08-10-10.09 - new 2008-10-11 10:59:29.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1279 [GMT 1:00]
Running from: C:\DOCUME~1\new\LOCALS~1\Temp\Saf54.tmp\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\DOCUME~1\new\LOCALS~1\Temp\tmp1.tmp
C:\DOCUME~1\new\LOCALS~1\Temp\tmp2.tmp
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\WINDOWS\system32\ajxyhyuh.ini
C:\WINDOWS\system32\ankduffl.dll
C:\WINDOWS\system32\aqwbdbud.dll
C:\WINDOWS\system32\awtroNFw.dll
C:\WINDOWS\system32\bhkngtdo.dll
C:\WINDOWS\system32\bwptggdj.dll
C:\WINDOWS\system32\cjcoiubs.dll
C:\WINDOWS\system32\crzamt.dll
C:\WINDOWS\system32\dcswuiyn.ini
C:\WINDOWS\system32\dggonvwl.dll
C:\WINDOWS\system32\dhvywkyi.ini
C:\WINDOWS\system32\dnmocokl.dll
C:\WINDOWS\system32\dswflyte.dll
C:\WINDOWS\system32\ecnplnlb.dll
C:\WINDOWS\system32\efaulthv.dll
C:\WINDOWS\system32\ejnucvnd.dll
C:\WINDOWS\system32\eputhkhr.dll
C:\WINDOWS\system32\etncayas.ini
C:\WINDOWS\system32\ewlkrjcw.dll
C:\WINDOWS\system32\fnpjnepb.ini
C:\WINDOWS\system32\fotmtwwa.ini
C:\WINDOWS\system32\fsckgejj.dll
C:\WINDOWS\system32\galghrog.dll
C:\WINDOWS\system32\gjmskini.ini
C:\WINDOWS\system32\glgnmsnp.dll
C:\WINDOWS\system32\gxmpawig.ini
C:\WINDOWS\system32\hheqlmdw.dll
C:\WINDOWS\system32\iifDWqRK.dll
C:\WINDOWS\system32\ipybkpol.dll
C:\WINDOWS\system32\jatsffgm.dll
C:\WINDOWS\system32\jkwypfub.dll
C:\WINDOWS\system32\jpbjvjhd.dll
C:\WINDOWS\system32\jxnvgjrt.dll
C:\WINDOWS\system32\kemypdtd.dll
C:\WINDOWS\system32\klhmnnth.dll
C:\WINDOWS\system32\klpjbkcs.dll
C:\WINDOWS\system32\kltxljtc.ini
C:\WINDOWS\system32\kphilsjs.dll
C:\WINDOWS\system32\kqcapqfn.dll
C:\WINDOWS\system32\kqoixr.dll
C:\WINDOWS\system32\latkmuen.dll
C:\WINDOWS\system32\luvobusc.dll
C:\WINDOWS\system32\miesgbgg.dll
C:\WINDOWS\system32\mkvwbeos.ini
C:\WINDOWS\system32\motvqodu.dll
C:\WINDOWS\system32\MSINET.oca
C:\WINDOWS\system32\nmypksvj.ini
C:\WINDOWS\system32\nnnlkhgd.dll
C:\WINDOWS\system32\ntpqvl.dll
C:\WINDOWS\system32\pcgsgmsg.dll
C:\WINDOWS\system32\pftgaksk.dll
C:\WINDOWS\system32\plulnopy.dll
C:\WINDOWS\system32\qawjjpfc.ini
C:\WINDOWS\system32\qkhwugou.dll
C:\WINDOWS\system32\qoMcbcAS.dll
C:\WINDOWS\system32\QWGhPqru.ini
C:\WINDOWS\system32\rxtboxbm.ini
C:\WINDOWS\system32\sbpxqkud.ini
C:\WINDOWS\system32\secaevsq.dll
C:\WINDOWS\system32\sfnpsdkk.dll
C:\WINDOWS\system32\sqxhgsoi.ini
C:\WINDOWS\system32\ssqPgEww.dll
C:\WINDOWS\system32\ssqQKCtu.dll
C:\WINDOWS\system32\tikluaqw.ini
C:\WINDOWS\system32\tqtnokkh.dll
C:\WINDOWS\system32\ttbyabsx.dll
C:\WINDOWS\system32\udfxutso.dll
C:\WINDOWS\system32\ufwceyrq.dll
C:\WINDOWS\system32\uhmocgbf.ini
C:\WINDOWS\system32\upbvravp.ini
C:\WINDOWS\system32\uqhqkvxg.dll
C:\WINDOWS\system32\utrdvjfl.dll_old
C:\WINDOWS\system32\vaqlqlhj.ini
C:\WINDOWS\system32\vngrwp.dll
C:\WINDOWS\system32\vpsmclmx.dll
C:\WINDOWS\system32\vwufinwu.ini
C:\WINDOWS\system32\vxydypwm.dll
C:\WINDOWS\system32\wafcaroh.dll
C:\WINDOWS\system32\wbhcpqju.ini
C:\WINDOWS\system32\xabuclar.dll
C:\WINDOWS\system32\xidivpxt.dll
C:\WINDOWS\system32\xljvex.dll
C:\WINDOWS\system32\xmskodfv.dll
C:\WINDOWS\system32\xrhejrtv.ini
C:\WINDOWS\system32\yfbiqioc.ini
C:\WINDOWS\system32\ygiqddjl.dll
C:\WINDOWS\system32\ygtpbhmf.dll
C:\WINDOWS\system32\yxuduvky.ini

.
((((((((((((((((((((((((( Files Created from 2008-09-11 to 2008-10-11 )))))))))))))))))))))))))))))))
.

2008-10-04 17:42 . 2008-10-04 17:42 <DIR> d-------- C:\Program Files\Common Files\Adobe AIR
2008-10-04 17:41 . 2008-10-04 17:41 <DIR> d-------- C:\Program Files\Common Files\Adobe
2008-10-04 17:38 . 2008-10-05 08:38 <DIR> d-------- C:\Program Files\NOS
2008-10-04 17:38 . 2008-10-04 17:38 <DIR> d-------- C:\Program Files\Google
2008-10-04 17:38 . 2008-10-05 08:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\NOS
2008-10-04 12:57 . 2008-10-04 13:00 <DIR> d-------- C:\Lop SD
2008-10-04 09:38 . 2008-10-04 09:39 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-10-04 09:38 . 2008-10-04 09:38 <DIR> d-------- C:\Documents and Settings\new\Application Data\Malwarebytes
2008-10-04 09:38 . 2008-10-04 09:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-10-04 09:38 . 2008-09-10 00:04 38,528 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-10-04 09:38 . 2008-09-10 00:03 17,200 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-10-04 09:27 . 2008-10-04 09:27 <DIR> d-------- C:\Program Files\Trend Micro
2008-09-23 20:57 . 2008-09-23 20:57 <DIR> d-------- C:\Program Files\Citrix
2008-09-23 12:23 . 2008-10-04 09:35 330 --a------ C:\WINDOWS\wininit.ini
2008-09-23 12:01 . 2008-09-23 12:05 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-09-23 12:01 . 2008-09-23 13:10 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-09-22 21:02 . 2008-09-22 21:02 <DIR> d-------- C:\Documents and Settings\new\Application Data\ACD Systems
2008-09-22 20:36 . 2008-09-22 20:38 <DIR> d-------- C:\Program Files\Common Files\ACD Systems
2008-09-22 20:36 . 2008-09-22 20:37 <DIR> d-------- C:\Program Files\ACD Systems
2008-09-22 20:36 . 2008-09-22 20:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ACD Systems
2008-09-22 20:21 . 2008-09-22 20:21 <DIR> d-------- C:\WINDOWS\system\IOSUBSYS
2008-09-22 20:21 . 2008-09-22 20:21 <DIR> d-------- C:\Program Files\PENTAX
2008-09-22 20:16 . 2008-09-22 20:16 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\QuickTime
2008-09-17 21:06 . 2008-09-17 21:06 12,912 --ah----- C:\WINDOWS\system32\mlfcache.dat
2008-09-17 20:55 . 2008-09-17 20:56 <DIR> d-------- C:\Program Files\iTunes
2008-09-17 20:55 . 2008-09-17 20:55 <DIR> d-------- C:\Program Files\iPod
2008-09-17 20:55 . 2008-09-17 20:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-09-17 20:50 . 2008-09-17 20:51 <DIR> d-------- C:\Program Files\QuickTime
2008-09-17 20:42 . 2008-09-17 20:42 <DIR> d-------- C:\Program Files\Safari
2008-09-17 20:41 . 2008-09-17 20:41 <DIR> d-------- C:\Program Files\Bonjour
2008-09-16 21:52 . 2008-09-17 20:39 <DIR> d-------- C:\Program Files\Windows WebMedia

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-11 09:58 6,736 ----a-w C:\WINDOWS\system32\drivers\PROCEXP90.SYS
2008-10-10 18:39 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-10-07 15:55 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-10-04 08:46 --------- d-----w C:\Documents and Settings\All Users\Application Data\ipd
2008-09-22 15:30 71,790 ----a-w C:\WINDOWS\system32\gfpvzadjnokzeufmt.exe
2008-09-21 11:16 128 ----a-w C:\Documents and Settings\new\index.exe
2008-09-17 20:54 --------- d-----w C:\Program Files\Apple Software Update
2008-09-17 19:53 --------- d-----w C:\Documents and Settings\new\Application Data\Apple Computer
2008-09-17 19:50 --------- d-----w C:\Program Files\Common Files\Apple
2008-09-06 14:50 --------- d-----w C:\Program Files\Norton AntiVirus
2008-09-06 12:31 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-09-06 12:24 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple
2008-09-06 12:08 805 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.INF
2008-09-06 12:08 60,800 ----a-w C:\WINDOWS\system32\S32EVNT1.DLL
2008-09-06 12:08 123,952 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-09-06 12:08 10,671 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2008-09-06 12:08 --------- d-----w C:\Program Files\Symantec
2008-09-05 10:01 --------- d-----w C:\Program Files\Windows Sidebar
2008-09-05 09:16 153,444 ----a-w C:\WINDOWS\system32\g79.exe
2008-09-05 09:16 --------- d-----w C:\Program Files\ShopperLink
2008-09-05 09:16 --------- d-----w C:\Documents and Settings\new\Application Data\IBPlugin
2008-09-05 09:16 --------- d-----w C:\Documents and Settings\All Users\Application Data\Tarma Installer
2008-09-05 09:14 --------- d-----w C:\Program Files\Launch Manager
2008-09-05 09:10 --------- d-----w C:\Documents and Settings\new\Application Data\Intel
2008-09-05 09:09 21,275 ----a-w C:\WINDOWS\system32\drivers\AegisP.sys
2008-09-05 09:09 --------- d-----w C:\Documents and Settings\All Users\Application Data\Intel
2008-09-05 09:08 --------- d-----w C:\Program Files\Intel
2008-09-05 09:05 --------- d-----w C:\Program Files\CONEXANT
2008-09-05 09:03 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-09-05 09:03 --------- d-----w C:\Program Files\Realtek
2008-09-05 08:57 --------- d-----w C:\Program Files\Atheros
2008-09-05 08:56 --------- d-----w C:\Program Files\Common Files\Logitech
2008-09-05 08:55 --------- d-----w C:\Program Files\Common Files\Acer
2008-09-05 08:45 39,424 ----a-w C:\WINDOWS\system32\drivers\LVUSBSta.sys
2008-09-05 08:15 --------- d-----w C:\Documents and Settings\new\Application Data\ATI
2008-09-04 13:45 --------- d-----w C:\Program Files\Logitech
2008-09-04 13:45 --------- d-----w C:\Program Files\Common Files\LogiShrd
2008-09-04 13:45 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-09-04 13:45 --------- d-----w C:\Documents and Settings\All Users\Application Data\Logitech
2008-09-04 13:45 --------- d-----w C:\Documents and Settings\All Users\Application Data\Logishrd
2008-09-04 13:27 0 ---ha-w C:\WINDOWS\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2008-09-04 13:27 0 ---ha-w C:\WINDOWS\system32\drivers\Msft_Kernel_btprot_01005.Wdf
2008-09-04 13:17 --------- d-----w C:\Program Files\ATI Technologies
2008-09-04 11:49 --------- d-----w C:\Documents and Settings\All Users\Application Data\PC Drivers Headquarters
2008-09-04 11:48 --------- d-----w C:\Program Files\PC Drivers HeadQuarters
2008-09-04 11:23 --------- d-----w C:\Program Files\ASIX Electronics Corporation
2008-09-04 11:08 --------- d-----w C:\Program Files\microsoft frontpage
2008-08-29 09:18 87,336 ----a-w C:\WINDOWS\system32\dns-sd.exe
2008-08-29 08:53 61,440 ----a-w C:\WINDOWS\system32\dnssd.dll
2008-07-30 08:04 10,240 ----a-w C:\WINDOWS\system32\btiaci.dll
2008-07-30 08:04 1,419,232 ----a-w C:\WINDOWS\system32\wdfcoinstaller01005.dll
2008-07-18 21:10 94,920 ----a-w C:\WINDOWS\system32\cdm.dll
2008-07-18 21:10 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe
2008-07-18 21:10 45,768 ----a-w C:\WINDOWS\system32\wups2.dll
2008-07-18 21:10 36,552 ----a-w C:\WINDOWS\system32\wups.dll
2008-07-18 21:09 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll
2008-07-18 21:09 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll
2008-07-18 21:09 205,000 ----a-w C:\WINDOWS\system32\wuweb.dll
2008-07-18 21:09 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll
2008-07-16 15:05 53,248 ----a-w C:\WINDOWS\system32\CSVer.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2006-02-28 15360]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-08-04 1667584]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2008-10-04 171448]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-05-10 90112]
"LogitechCommunicationsManager"="C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-02-08 488984]
"LogitechQuickCamRibbon"="C:\Program Files\Logitech\QuickCam10\QuickCam10.exe" [2007-02-08 774168]
"LVCOMSX"="C:\WINDOWS\system32\LVCOMSX.EXE" [2006-06-23 225280]
"ACU"="C:\Program Files\Atheros\ACU.exe" [2005-01-31 253952]
"IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [2005-11-28 667718]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2005-11-28 602182]
"EOUApp"="C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe" [2005-11-28 569413]
"LManager"="C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE" [2005-12-06 458752]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2008-02-14 51048]
"osCheck"="C:\Program Files\Norton AntiVirus\osCheck.exe" [2007-08-24 714608]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-09-06 413696]
"AppleSyncNotifier"="C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-09-03 111936]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-09-10 289576]
"Camera Detector"="C:\PROGRA~1\ACDSYS~1\DEVDET~1\DEVDET~1.EXE" [2003-06-17 208896]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"RTHDCPL"="RTHDCPL.EXE" [2005-11-17 C:\WINDOWS\RTHDCPL.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2006-02-28 15360]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Start Shopper Link System Tray App.lnk - C:\Documents and Settings\All Users\Application Data\ipd\tray.exe [2008-09-05 102400]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=tarsbu.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.ACDV"= ACDV.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=

R2 LiveUpdate Notice;LiveUpdate Notice;C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe [2008-02-14 149864]
R3 lv321av;Logitech USB PC Camera (VC0321);C:\WINDOWS\system32\DRIVERS\lv321av.sys [2006-11-20 847392]
S3 AX88772;ASIX AX88772 USB2.0 to Fast Ethernet Adapter;C:\WINDOWS\system32\DRIVERS\ax88772.sys [2006-09-06 19072]
S3 BTIAUSB;Generic Bluetooth Device;C:\WINDOWS\system32\DRIVERS\btiausb.sys [2008-07-30 23808]
S3 BTPROT;Generic Bluetooth Filter;C:\WINDOWS\system32\DRIVERS\btprot.sys [2008-08-02 453120]
S3 COH_Mon;COH_Mon;C:\WINDOWS\system32\Drivers\COH_Mon.sys [2008-07-30 23888]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6d47f222-871b-11dd-a555-0016363596cb}]
\Shell\Auto\command - E:\Start.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Start.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7ef90abb-7a72-11dd-a51d-b8300bde2f16}]
\Shell\Auto\command - E:\Start.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Start.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ec04c800-88d9-11dd-a55e-0016363596cb}]
\Shell\Auto\command - E:\Start.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Start.exe

*Newly Created Service* - PROCEXP90
.
Contents of the 'Scheduled Tasks' folder

2008-10-09 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2008-09-29 C:\WINDOWS\Tasks\Norton AntiVirus - Run Full System Scan - new.job
- C:\Program Files\Norton AntiVirus\Navw32.exe [2007-08-26 18:19]
.
- - - - ORPHANS REMOVED - - - -

BHO-{131A9F27-C686-4A97-B733-07B58B52F2F6} - (no file)
BHO-{41131be4-c848-4668-96fb-198343ef3a64} - (no file)
BHO-{43DDE022-6AA6-45F9-9F0B-4A0CB198323E} - (no file)
BHO-{4ccb579b-680f-4611-90fb-1a0fa6691571} - (no file)
BHO-{7a4843a1-b2e0-431c-8ea4-88e67e368edf} - (no file)
BHO-{AB479A2C-43B1-4FA9-8EDE-5797210A78C8} - (no file)
BHO-{B8714DC7-26CB-4F13-8A64-31067FB00090} - (no file)
BHO-{BA561FEC-8F98-409F-86CC-C038A2052547} - (no file)
BHO-{BE485D57-27FC-47D0-AD68-17244D5310F7} - (no file)
BHO-{C7267585-FE25-4371-8BD4-576344CDAB18} - (no file)
BHO-{E00A94C6-3324-4AF8-8974-DAE355AF1288} - (no file)
BHO-{FD1E7426-5C95-43D8-A03E-8F567A3450E5} - (no file)
HKLM-Run-uiksxnifrjnuqchq - C:\WINDOWS\system32\hiblctoomkw.dll


.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\new\Application Data\Mozilla\Firefox\Profiles\jziy4pvj.default\
FF -: plugin - C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-11 11:02:07
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-10-11 11:02:57
ComboFix-quarantined-files.txt 2008-10-11 10:02:52

Pre-Run: 82,837,999,616 bytes free
Post-Run: 82,936,090,624 bytes free

302 --- E O F --- 2008-09-05 08:16:21


Many thanks.

#4 rookie147 (Members, 5,321 posts)

Posted 12 October 2008 - 03:03 PM

Before we begin, please visit the page below, scroll down to the part which says "How to install and use the Windows XP Recovery Console," and follow those instructions:

How to download and use ComboFix

Then please run another scan with ComboFix and post back the new log, along with a HijackThis log.
Thanks,
Charles





