Hi - battled with Virus, need help analyzing Logs?



#1 Ecap

  • Members
  • 1 posts

Posted 07 October 2008 - 01:32 AM

Hello!
This is my first time posting on this forum.
A couple of nights ago, I contracted a very aggressive piece of spyware (or virus, or something), which was causing tons of pop-ups and reduced my computer speed significantly. It made the computer almost unusable within 36 hours. After some pilfering around I realized the virus was called Volmorde (or something like that? Definitely started with a V.)
Anyways, I googled the name and found a lot of information on it. I ran Ad-Aware, Spybot Search and Destroy, and Norton. These all identified 'infections' but didn't seem to be able to remove the problem.
And believe it or not, the virus changed my Windows background!!! It became 'clear', instead of the usual 'forest' backdrop.
In any case, I happened upon this forum and heard something about a program called 'combo' I believe.
I downloaded the program and ran it.
I just restarted my computer and everything is running PERFECTLY so far. At the end it gave me a "text" log. I am definitely NOT computer savvy and was wondering, if anyone had the chance or good-hearted inclination, if you could look it over. Thank you so much!

Evan

The Log:


ComboFix 08-10-06.05 - Administrator 2008-10-07 1:41:56.1 - NTFSx86 MINIMAL
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.265 [GMT -4:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\Video Add-on
C:\WINDOWS\BMe72650fc.txt
C:\WINDOWS\BMe72650fc.xml
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\dgwknvbe.dll
C:\WINDOWS\system32\gbjqaoeo.dll
C:\WINDOWS\system32\geBtULeC.dll
C:\WINDOWS\system32\gPVycMoq.ini
C:\WINDOWS\system32\gPVycMoq.ini2
C:\WINDOWS\system32\irwffdnl.dll
C:\WINDOWS\system32\ktkqntao.ini
C:\WINDOWS\system32\lejlxwub.dll
C:\WINDOWS\system32\ljJYQgHa.dll
C:\WINDOWS\system32\lndffwri.ini
C:\WINDOWS\system32\lphctthj0ea2j.exe
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\mrmbifjt.dll
C:\WINDOWS\system32\oatnqktk.dll
C:\WINDOWS\system32\oeoaqjbg.ini
C:\WINDOWS\system32\owoxjqho.dll
C:\WINDOWS\system32\qoMcyVPg.dll
C:\WINDOWS\system32\siowss.dll
C:\WINDOWS\system32\ssqOiFXO.dll
C:\WINDOWS\system32\vzmfxv.dll
C:\WINDOWS\system32\wiuost.dll
C:\WINDOWS\system32\wl.exe

.
((((((((((((((((((((((((( Files Created from 2008-09-07 to 2008-10-07 )))))))))))))))))))))))))))))))
.

2008-10-07 01:32 . 2004-06-10 16:22 <DIR> d-------- C:\Documents and Settings\Administrator\WINDOWS
2008-10-07 01:32 . 2004-10-01 12:04 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\You've Got Pictures Screensaver
2008-10-07 01:32 . 2004-10-01 11:47 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Symantec
2008-10-07 01:32 . 2004-10-01 12:17 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\AOL
2008-10-07 01:32 . 2008-10-07 01:32 <DIR> d-------- C:\Documents and Settings\Administrator
2008-10-07 00:25 . 2008-10-07 00:25 115,340 --a------ C:\WINDOWS\system32\mfcxmsgn.exe
2008-10-06 23:48 . 2008-10-07 00:10 <DIR> d-------- C:\VundoFix Backups
2008-10-06 23:23 . 2008-10-06 23:29 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-10-06 23:23 . 2008-10-06 23:33 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-10-06 20:24 . 2008-10-06 20:24 <DIR> d-------- C:\Program Files\Lavasoft
2008-10-06 20:24 . 2008-10-06 20:27 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-10-06 20:23 . 2008-10-06 20:23 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-10-05 21:15 . 2008-10-05 21:15 73 --a------ C:\WINDOWS\st_affiliate.ini
2008-10-05 21:02 . 2008-10-05 21:02 63 --a------ C:\WINDOWS\av_affiliate.ini
2008-10-05 21:02 . 2008-10-05 21:02 63 --a------ C:\WINDOWS\as_affiliate.ini
2008-10-05 20:58 . 2008-10-05 20:57 67,424 --a------ C:\WINDOWS\system32\drivers\CDAVFS.sys
2008-10-05 20:35 . 2008-10-05 20:33 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-10-05 20:33 . 2008-10-05 23:12 <DIR> d-------- C:\Documents and Settings\Owner\.housecall6.6
2008-09-17 16:54 . 2008-09-17 17:18 <DIR> d-------- C:\WINDOWS\system32\CatRoot_bak

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-06 03:04 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-10-06 02:48 805 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.INF
2008-10-06 02:48 123,952 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-10-06 02:48 10,671 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2008-10-06 02:48 --------- d-----w C:\Program Files\Symantec
2008-10-06 02:45 --------- d-----w C:\Program Files\Norton AntiVirus
2008-10-06 02:44 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-10-03 13:18 --------- d-----w C:\Program Files\Quicken
2008-09-27 19:49 --------- d-----w C:\Documents and Settings\Owner\Application Data\AdobeUM
2007-07-23 02:48 1,400 ----a-w C:\Documents and Settings\Owner\Application Data\wklnhst.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A26503FE-B3B8-4910-A9DC-9CBD25C6B8D6}"= "C:\Documents and Settings\Owner\Local Settings\Application Data\CyberDefender\cdmyidd.dll" [2008-10-05 3822920]

[HKEY_CLASSES_ROOT\clsid\{a26503fe-b3b8-4910-a9dc-9cbd25c6b8d6}]
[HKEY_CLASSES_ROOT\Cdmyidd.SecurityToolbar.1]
[HKEY_CLASSES_ROOT\TypeLib\{CD24EB02-9831-4838-99D0-726D411B1328}]
[HKEY_CLASSES_ROOT\Cdmyidd.SecurityToolbar]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A26503FE-B3B8-4910-A9DC-9CBD25C6B8D6}]
2008-10-05 20:56 3822920 --a------ C:\Documents and Settings\Owner\Local Settings\Application Data\CyberDefender\cdmyidd.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{A26503FE-B3B8-4910-A9DC-9CBD25C6B8D6}"= "C:\Documents and Settings\Owner\Local Settings\Application Data\CyberDefender\cdmyidd.dll" [2008-10-05 3822920]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{A26503FE-B3B8-4910-A9DC-9CBD25C6B8D6}"= "C:\Documents and Settings\Owner\Local Settings\Application Data\CyberDefender\cdmyidd.dll" [2008-10-05 3822920]

[HKEY_CLASSES_ROOT\clsid\{a26503fe-b3b8-4910-a9dc-9cbd25c6b8d6}]
[HKEY_CLASSES_ROOT\Cdmyidd.SecurityToolbar.1]
[HKEY_CLASSES_ROOT\TypeLib\{CD24EB02-9831-4838-99D0-726D411B1328}]
[HKEY_CLASSES_ROOT\Cdmyidd.SecurityToolbar]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"AIM"="C:\Program Files\AIM\aim.exe" [2006-08-01 67112]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-09-08 68856]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2004-03-03 2904064]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2004-03-03 46080]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2003-11-01 32768]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 155648]
"SunKistEM"="C:\Program Files\Digital Media Reader\shwiconem.exe" [2004-03-11 135168]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2008-02-11 53096]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2004-10-01 98304]
"VerizonServicepoint.exe"="C:\Program Files\Verizon\Servicepoint\VerizonServicepoint.exe" [2006-02-01 1880064]
"Motive SmartBridge"="C:\PROGRA~1\Verizon\SMARTB~1\MotiveSB.exe" [2006-06-23 438359]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-04-13 185896]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-29 583048]
"SoundMan"="SOUNDMAN.EXE" [2003-08-15 C:\WINDOWS\SOUNDMAN.EXE]
"nwiz"="nwiz.exe" [2004-03-03 C:\WINDOWS\system32\nwiz.exe]
"nForce Tray Options"="sstray.exe" [2003-09-03 C:\WINDOWS\system32\sstray.exe]
"CHotkey"="zHotkey.exe" [2004-05-18 C:\WINDOWS\zHotkey.exe]
"ShowWnd"="ShowWnd.exe" [2003-09-19 C:\WINDOWS\ShowWnd.exe]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
BigFix.lnk - C:\Program Files\BigFix\BigFix.exe [2004-10-07 1742384]
Quicken Scheduled Updates.lnk - C:\Program Files\Quicken\bagent.exe [2003-10-02 57344]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=siowss.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"C:\\Program Files\\America Online 9.0\\waol.exe"=
"C:\\PROGRA~1\\E-CAMP~1\\ECAMPA~1.EXE"=
"C:\\Program Files\\AIM\\aim.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R2 Viewpoint Manager Service;Viewpoint Manager Service;C:\Program Files\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652]
S3 CDAVFS;CDAVFS;C:\WINDOWS\system32\DRIVERS\CDAVFS.sys [2008-10-05 67424]
S3 hamachi_oem;PlayLinc Adapter;C:\WINDOWS\system32\DRIVERS\gan_adapter.sys [2006-09-27 10664]
S3 WUSB54GSSVC;WUSB54GSSVC;C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe WUSB54GS.exe [ ]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{12b60a86-0f20-11dc-943f-00038a000015}]
\Shell\AutoRun\command - J:\setupSNK.exe
.
Contents of the 'Scheduled Tasks' folder

2008-10-04 C:\WINDOWS\Tasks\Norton AntiVirus - Run Full System Scan - Owner.job
- C:\PROGRA~1\NORTON~1\Navw32.exe [2007-05-23 12:13]
.
- - - - ORPHANS REMOVED - - - -

BHO-{1702984E-7F76-458B-A33A-A7B32A0DCC72} - C:\WINDOWS\system32\ssqqqNec.dll
BHO-{1D474B70-5935-4ADC-9C55-D40EC643BB51} - C:\WINDOWS\system32\efcaWPjk.dll
BHO-{8CE72A94-417C-4919-9327-F6D89461D249} - C:\WINDOWS\system32\qoMcyVPg.dll
BHO-{d21d96be-911a-4ed9-94cd-4cc9e092f56d} - C:\WINDOWS\system32\siowss.dll
HKCU-Run-prunnet - C:\DOCUME~1\Owner\LOCALS~1\Temp\prun.exe
HKCU-Run-CyberDefender Early Detection Center - C:\Program Files\CyberDefender\AntiSpyware\cdas18.exe
HKLM-Run-prunnet - C:\DOCUME~1\Owner\LOCALS~1\Temp\prun.exe
HKLM-Run-CyberDefender Early Detection Center - C:\Program Files\CyberDefender\AntiSpyware\ISSIntro.exe
HKLM-Run-lphctthj0ea2j - C:\WINDOWS\system32\lphctthj0ea2j.exe
HKLM-Run-e4156360 - C:\WINDOWS\system32\oatnqktk.dll
HKLM-Run-BMe72650fc - C:\WINDOWS\system32\mrmbifjt.dll
ShellExecuteHooks-{1702984E-7F76-458B-A33A-A7B32A0DCC72} - C:\WINDOWS\system32\ssqqqNec.dll


.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://www.refdesk.com/
R0 -: HKCU-Main,SearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
R1 -: HKCU-Internet Connection Wizard,ShellNext = hxxp://www.nytimes.com/
R1 -: HKCU-SearchURL,(Default) = hxxp://www.google.com/search?q=%s
O8 -: &AOL Toolbar search - C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 -: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 -: Easy-WebPrint Add To Print List - C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 -: Easy-WebPrint High Speed Print - C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 -: Easy-WebPrint Preview - C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 -: Easy-WebPrint Print - C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-07 02:04:59
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Symantec Shared\CCSETMGR.EXE
C:\Program Files\Common Files\Symantec Shared\CCEVTMGR.EXE
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton AntiVirus\NAVAPSVC.EXE
C:\Program Files\Norton AntiVirus\IWP\NPFMNTOR.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\Program Files\Symantec\LiveUpdate\AUPDATE.EXE
C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
.
**************************************************************************
.
Completion time: 2008-10-07 2:13:34 - machine was rebooted [Owner]
ComboFix-quarantined-files.txt 2008-10-07 06:13:19

Pre-Run: 147,402,539,008 bytes free
Post-Run: 147,522,719,744 bytes free

213 --- E O F --- 2008-10-03 04:03:18

#2 DaChew

    Visiting Alien

  • BC Advisor
  • 10,317 posts
  • Gender:Male
  • Location:millenium falcon and rockytop

Posted 07 October 2008 - 04:20 AM

When posting your problem, do not run and post ComboFix logs. ComboFix is a tool that should only be run under the supervision of someone who has been trained in its use. Using it on your own can cause problems with your computer. Any posts containing CF logs will be ignored.



at the top of every page in this forum

also

http://www.bleepingcomputer.com/forums/ind...st&p=954297
Chewy

No. Try not. Do... or do not. There is no try.



