
Virtumonde/Win32 Trojan infection :-(


  • This topic is locked
10 replies to this topic

#1 Angryvirusvictim


  • Members
  • 6 posts

Posted 02 December 2008 - 05:03 AM

Hello everyone.

My name's Alex, and I am an Angry virus victim.

Late last night while browsing the internet I was infected with "something" which crashed my Firefox browser after clicking a link from a reputable website (I have the website and link if anyone is interested in evaluating the virus further, I don't know if I'm allowed to link it here :) )

After my Firefox browser crashed I received the usual "Send Error Report" screen. But this time, it was not a genuine screen, perhaps a spoofed one. ><.
Furthermore, my browser was Hijacked and performance became sluggish.

I am usually pretty good at removing spyware/viruses/malware from my computer myself, for it's not the first time I've been infected, but this time it's different and a little more advanced for my skills.

Here is my RSIT log. In the attachment section you will find some JPGs of activity from Security Task Manager and Avast.

Logfile of random's system information tool 1.04 (written by random/random)
Run by Alex at 2008-12-02 04:34:30
Microsoft Windows XP Professional Service Pack 3
System drive C: has 3 GB (15%) free of 20 GB
Total RAM: 1918 MB (57% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:34:34 AM, on 12/2/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\System32\svchost.exe
E:\ITUNESPLUSQUICK\iTunesHelper.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Windows Media Player\WMPNetwk.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Security Task Manager\TaskMan.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Documents and Settings\Alex\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Alex\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Alex\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Alex\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Alex\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\SA8\RSIT.exe
C:\Program Files\Trend Micro\HijackThis\Alex.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0C6E0EF2-2FAB-4B42-AE01-C49094604857} - C:\WINDOWS\system32\pmnlmljg.dll (file missing)
O2 - BHO: (no name) - {17908931-20C5-4D11-9B2C-5A254CDE896C} - C:\WINDOWS\system32\efcBrPgh.dll (file missing)
O2 - BHO: (no name) - {1AE5E866-FC44-4A6B-AF04-7A46D127A70D} - C:\WINDOWS\system32\hgGvwtsS.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [iTunesHelper] "E:\ITUNESPLUSQUICK\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} -
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) -
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE (file missing)

--
End of file - 6169 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\1-Click Maintenance.job
C:\WINDOWS\tasks\AppleSoftwareUpdate.job
C:\WINDOWS\tasks\Check Updates for Windows Live Toolbar.job
C:\WINDOWS\tasks\GoogleUpdateTaskUser.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
Adobe PDF Reader Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll [2006-10-22 62080]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0C6E0EF2-2FAB-4B42-AE01-C49094604857}]
C:\WINDOWS\system32\pmnlmljg.dll []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{17908931-20C5-4D11-9B2C-5A254CDE896C}]
C:\WINDOWS\system32\efcBrPgh.dll []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1AE5E866-FC44-4A6B-AF04-7A46D127A70D}]
C:\WINDOWS\system32\hgGvwtsS.dll []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
Spybot-S&D IE Protection - C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2008-01-28 1554256]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
SSVHelper Class - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll [2008-02-22 509328]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9030D464-4C02-4ABF-8ECC-5164760863C6}]
Windows Live Sign-in Helper - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2007-09-20 328752]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0}]
Windows Live Toolbar Helper - C:\Program Files\Windows Live Toolbar\msntb.dll [2007-10-19 546320]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Broadcom Wireless Manager UI"=C:\WINDOWS\system32\WLTRAY.exe [2007-03-16 1392640]
"SigmatelSysTrayApp"=C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe [2007-05-10 405504]
"avast!"=C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe [2008-07-19 78008]
"iTunesHelper"=E:\ITUNESPLUSQUICK\iTunesHelper.exe [2008-07-30 289064]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2008-04-13 15360]
"MsnMsgr"=C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe [2007-10-18 5724184]
"SpybotSD TeaTimer"=C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe [2008-01-28 2097488]
"WMPNSCFG"=C:\Program Files\Windows Media Player\WMPNSCFG.exe [2006-10-18 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
C:\WINDOWS\system32\Ati2evxx.dll [2007-12-20 122880]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
C:\WINDOWS\system32\WgaLogon.dll [2007-04-10 236928]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
UPnPMonitor - {e57ce738-33e8-4c51-8354-bb4de9d215d1} - C:\WINDOWS\system32\upnpui.dll [2008-04-13 239616]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{A63E645F-13BD-45ED-B15F-6E8C1BD57279}"=C:\WINDOWS\system32\nnnoNhhg.dll []

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"authentication packages"=msv1_0
C:\WINDOWS\system32\pmnlmljg

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"=msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, digeste.dll

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\Bonjour\mDNSResponder.exe"="C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour"
"E:\ITUNESPLUSQUICK\iTunes.exe"="E:\ITUNESPLUSQUICK\iTunes.exe:*:Enabled:iTunes"
"C:\Program Files\Winamp Remote\bin\Orb.exe"="C:\Program Files\Winamp Remote\bin\Orb.exe:*:Enabled:Orb"
"C:\Program Files\Winamp Remote\bin\OrbTray.exe"="C:\Program Files\Winamp Remote\bin\OrbTray.exe:*:Enabled:OrbTray"
"C:\Program Files\Winamp Remote\bin\OrbStreamerClient.exe"="C:\Program Files\Winamp Remote\bin\OrbStreamerClient.exe:*:Enabled:Orb Stream Client"
"C:\Program Files\Common Files\AOL\Loader\aolload.exe"="C:\Program Files\Common Files\AOL\Loader\aolload.exe:*:Enabled:AOL Loader"
"C:\Program Files\AIM6\aim6.exe"="C:\Program Files\AIM6\aim6.exe:*:Enabled:AIM"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\Windows Live\Messenger\msnmsgr.exe"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\Program Files\Windows Live\Messenger\livecall.exe"="C:\Program Files\Windows Live\Messenger\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\Windows Live\Messenger\msnmsgr.exe"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\Program Files\Windows Live\Messenger\livecall.exe"="C:\Program Files\Windows Live\Messenger\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
shell\AutoRun\command - D:\SetupAssistant.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
shell\AutoRun\command - G:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7bf32da4-d362-11dc-92b2-806d6172696f}]
shell\AutoRun\command - D:\SetupAssistant.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9ff1adbc-9acb-11dd-9609-0015c5cb943a}]
shell\AutoRun\command - G:\LaunchU3.exe -a


======File associations======

.reg - open - regedit.exe "%1" %*
.scr - open - "%1" %*

======List of files/folders created in the last 1 months======

2008-12-02 02:03:48 ----D---- C:\rsit
2008-12-02 02:00:47 ----A---- C:\WINDOWS\system32\PerfStringBackup.TMP
2008-12-02 00:10:46 ----D---- C:\Program Files\Security Task Manager
2008-12-01 23:18:41 ----SHD---- C:\Config.Msi
2008-12-01 22:32:10 ----HD---- C:\WINDOWS\Prefetch
2008-12-01 21:41:32 ----HDC---- C:\WINDOWS\$NtUninstallKB958644$
2008-12-01 21:41:25 ----HDC---- C:\WINDOWS\$NtUninstallKB957097$
2008-12-01 21:41:18 ----HDC---- C:\WINDOWS\$NtUninstallKB957095$
2008-12-01 21:41:09 ----HDC---- C:\WINDOWS\$NtUninstallKB956841$
2008-12-01 21:41:00 ----HDC---- C:\WINDOWS\$NtUninstallKB956803$
2008-12-01 21:40:51 ----HDC---- C:\WINDOWS\$NtUninstallKB955069$
2008-12-01 21:40:44 ----HDC---- C:\WINDOWS\$NtUninstallKB954211$
2008-12-01 21:40:35 ----HDC---- C:\WINDOWS\$NtUninstallKB953155$
2008-12-01 21:40:28 ----HDC---- C:\WINDOWS\$NtUninstallKB952954$
2008-12-01 21:40:20 ----HDC---- C:\WINDOWS\$NtUninstallKB952287$
2008-12-01 21:40:10 ----HDC---- C:\WINDOWS\$NtUninstallKB951748$
2008-12-01 21:40:02 ----HDC---- C:\WINDOWS\$NtUninstallKB951698$
2008-12-01 21:39:55 ----HDC---- C:\WINDOWS\$NtUninstallKB951376-v2$
2008-12-01 21:39:47 ----HDC---- C:\WINDOWS\$NtUninstallKB951376$
2008-12-01 21:39:37 ----HDC---- C:\WINDOWS\$NtUninstallKB951066$
2008-12-01 21:39:30 ----HDC---- C:\WINDOWS\$NtUninstallKB950974$
2008-12-01 21:39:23 ----HDC---- C:\WINDOWS\$NtUninstallKB950762$
2008-12-01 21:39:14 ----HDC---- C:\WINDOWS\$NtUninstallKB946648$
2008-12-01 21:39:07 ----HDC---- C:\WINDOWS\$NtUninstallKB938464$
2008-12-01 21:36:07 ----AH---- C:\WINDOWS\setuplog.txt
2008-12-01 21:34:55 ----HD---- C:\WINDOWS\system32\scripting
2008-12-01 21:34:53 ----HD---- C:\WINDOWS\l2schemas
2008-12-01 21:34:52 ----HD---- C:\WINDOWS\system32\en
2008-12-01 21:34:52 ----HD---- C:\WINDOWS\system32\bits
2008-12-01 21:32:34 ----HD---- C:\WINDOWS\ServicePackFiles
2008-12-01 21:20:35 ----HDC---- C:\WINDOWS\$NtServicePackUninstall$
2008-12-01 19:44:06 ----D---- C:\Avenger
2008-12-01 19:44:05 ----A---- C:\avenger.txt
2008-12-01 16:50:06 ----AH---- C:\WINDOWS\system32\aswBoot.exe
2008-12-01 15:46:02 ----D---- C:\VundoFix Backups
2008-12-01 15:46:02 ----A---- C:\VundoFix.txt
2008-12-01 14:19:31 ----AH---- C:\WINDOWS\ntbtlog.txt
2008-12-01 14:06:50 ----AH---- C:\WINDOWS\system32\fgltgfrn.dll
2008-12-01 14:03:49 ----ASH---- C:\WINDOWS\system32\gjlmlnmp.ini2
2008-12-01 14:03:49 ----ASH---- C:\WINDOWS\system32\gjlmlnmp.ini
2008-12-01 03:16:08 ----D---- C:\Program Files\Trend Micro
2008-12-01 03:12:08 ----AH---- C:\WINDOWS\system32\oyebox.dll
2008-12-01 03:12:07 ----AH---- C:\WINDOWS\system32\cyspssss.dll
2008-12-01 03:11:25 ----ASH---- C:\WINDOWS\system32\hgPrBcfe.ini2
2008-12-01 03:11:24 ----ASH---- C:\WINDOWS\system32\hgPrBcfe.ini
2008-12-01 01:41:18 ----ASH---- C:\WINDOWS\system32\qsjjcrbs.ini
2008-12-01 01:41:16 ----AH---- C:\WINDOWS\system32\ypahhxxs.dll
2008-12-01 01:40:45 ----AH---- C:\WINDOWS\system32\cf3ab979-.txt
2008-12-01 01:40:23 ----ASH---- C:\WINDOWS\system32\SstwvGgh.ini2
2008-12-01 01:40:23 ----ASH---- C:\WINDOWS\system32\SstwvGgh.ini
2008-12-01 01:35:25 ----D---- C:\Documents and Settings\Alex\Application Data\gadcom
2008-11-25 09:33:20 ----D---- C:\Documents and Settings\Alex\Application Data\Help
2008-11-17 07:52:28 ----D---- C:\Program Files\Viewpoint
2008-11-17 07:52:28 ----D---- C:\Documents and Settings\All Users\Application Data\acccore
2008-11-17 07:51:32 ----D---- C:\Documents and Settings\All Users\Application Data\AOL Downloads
2008-11-12 18:25:22 ----HDC---- C:\WINDOWS\$NtUninstallKB957097_0$
2008-11-12 18:25:13 ----HDC---- C:\WINDOWS\$NtUninstallKB955069_0$
2008-11-10 04:37:17 ----D---- C:\Program Files\leafDrums2

======List of files/folders modified in the last 1 months======

2008-12-02 02:26:33 ----D---- C:\Program Files\Mozilla Firefox
2008-12-02 02:09:35 ----D---- C:\SA8
2008-12-02 02:00:47 ----HD---- C:\WINDOWS\system32
2008-12-02 02:00:29 ----HD---- C:\WINDOWS\system32\inetsrv
2008-12-02 01:59:33 ----D---- C:\Documents and Settings\All Users\Application Data\SecTaskMan
2008-12-02 01:56:58 ----HD---- C:\WINDOWS\Temp
2008-12-02 01:56:49 ----HD---- C:\WINDOWS\system32\CatRoot2
2008-12-02 01:37:54 ----AH---- C:\WINDOWS\system32\PerfStringBackup.INI
2008-12-02 01:31:43 ----AH---- C:\WINDOWS\SchedLgU.Txt
2008-12-02 01:18:34 ----HD---- C:\WINDOWS
2008-12-02 00:26:52 ----AH---- C:\WINDOWS\win.ini
2008-12-02 00:10:46 ----RD---- C:\Program Files
2008-12-01 23:18:51 ----SHD---- C:\WINDOWS\Installer
2008-12-01 23:17:49 ----AHC---- C:\WINDOWS\OEWABLog.txt
2008-12-01 22:31:38 ----HD---- C:\WINDOWS\system32\Setup
2008-12-01 22:31:38 ----HD---- C:\WINDOWS\AppPatch
2008-12-01 22:31:34 ----HD---- C:\WINDOWS\system32\wbem
2008-12-01 22:31:31 ----RSD---- C:\WINDOWS\Fonts
2008-12-01 22:31:16 ----HD---- C:\WINDOWS\system32\drivers
2008-12-01 21:44:53 ----HD---- C:\WINDOWS\security
2008-12-01 21:41:37 ----HD---- C:\WINDOWS\system32\CatRoot
2008-12-01 21:41:36 ----HD---- C:\WINDOWS\inf
2008-12-01 21:41:34 ----RSHDC---- C:\WINDOWS\system32\dllcache
2008-12-01 21:39:16 ----D---- C:\Program Files\Messenger
2008-12-01 21:35:36 ----HD---- C:\WINDOWS\WinSxS
2008-12-01 21:35:13 ----HD---- C:\WINDOWS\network diagnostic
2008-12-01 21:35:12 ----HD---- C:\WINDOWS\ime
2008-12-01 21:35:12 ----HD---- C:\WINDOWS\Help
2008-12-01 21:34:55 ----HD---- C:\WINDOWS\system32\usmt
2008-12-01 21:34:55 ----HD---- C:\WINDOWS\system32\en-US
2008-12-01 21:34:52 ----HD---- C:\WINDOWS\PeerNet
2008-12-01 21:34:52 ----D---- C:\Program Files\Movie Maker
2008-12-01 21:32:02 ----HD---- C:\WINDOWS\system32\Restore
2008-12-01 21:32:01 ----HD---- C:\WINDOWS\system32\npp
2008-12-01 21:32:01 ----HD---- C:\WINDOWS\mui
2008-12-01 21:32:00 ----HD---- C:\WINDOWS\msagent
2008-12-01 21:31:57 ----HD---- C:\WINDOWS\srchasst
2008-12-01 21:31:55 ----D---- C:\Program Files\NetMeeting
2008-12-01 21:31:53 ----HD---- C:\WINDOWS\system32\Com
2008-12-01 21:31:49 ----D---- C:\Program Files\Windows NT
2008-12-01 21:31:49 ----D---- C:\Program Files\Windows Media Player
2008-12-01 21:31:48 ----D---- C:\Program Files\Outlook Express
2008-12-01 21:31:43 ----D---- C:\Program Files\Common Files\System
2008-12-01 21:31:10 ----HD---- C:\WINDOWS\system32\oobe
2008-12-01 21:31:07 ----HD---- C:\WINDOWS\system
2008-12-01 21:25:23 ----HD---- C:\WINDOWS\system32\ReinstallBackups
2008-12-01 21:20:34 ----HD---- C:\WINDOWS\ehome
2008-12-01 14:20:42 ----D---- C:\Documents and Settings
2008-12-01 03:18:58 ----SD---- C:\WINDOWS\Downloaded Program Files
2008-11-28 05:29:12 ----D---- C:\Documents and Settings\Alex\Application Data\Audacity
2008-11-28 00:48:31 ----D---- C:\Documents and Settings\Alex\Application Data\Azureus
2008-11-27 22:54:20 ----D---- C:\Program Files\Vuze
2008-11-20 02:14:51 ----SD---- C:\WINDOWS\Tasks
2008-11-17 13:32:56 ----D---- C:\Program Files\eMule
2008-11-17 07:53:46 ----D---- C:\Program Files\AIM6
2008-11-17 07:52:29 ----D---- C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-11-12 18:25:21 ----HD---- C:\WINDOWS\$hf_mig$

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 Aavmker4;avast! Asynchronous Virus Monitor; C:\WINDOWS\system32\drivers\Aavmker4.sys [2008-07-19 26944]
R1 aswSP;avast! Self Protection; C:\WINDOWS\system32\drivers\aswSP.sys [2008-07-19 78416]
R1 aswTdi;avast! Network Shield Support; C:\WINDOWS\system32\drivers\aswTdi.sys [2008-07-19 42912]
R1 kbdhid;Keyboard HID Driver; C:\WINDOWS\system32\DRIVERS\kbdhid.sys [2008-04-13 14592]
R1 WmiAcpi;Microsoft Windows Management Interface for ACPI; C:\WINDOWS\system32\DRIVERS\wmiacpi.sys [2008-04-13 8832]
R2 aswFsBlk;aswFsBlk; C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-07-19 20560]
R2 aswMon2;avast! Standard Shield Support; C:\WINDOWS\system32\drivers\aswMon2.sys [2008-07-19 94416]
R2 mdmxsdk;mdmxsdk; C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys [2005-10-04 12544]
R3 aswRdr;aswRdr; C:\WINDOWS\system32\drivers\aswRdr.sys [2008-07-19 23152]
R3 ati2mtag;ati2mtag; C:\WINDOWS\system32\DRIVERS\ati2mtag.sys [2007-12-20 2843136]
R3 BCM43XX;Dell Wireless WLAN Card Driver; C:\WINDOWS\system32\DRIVERS\bcmwl5.sys [2007-03-16 604928]
R3 bcm4sbxp;Broadcom 440x 10/100 Integrated Controller XP Driver; C:\WINDOWS\system32\DRIVERS\bcm4sbxp.sys [2006-11-21 45568]
R3 CmBatt;Microsoft ACPI Control Method Battery Driver; C:\WINDOWS\system32\DRIVERS\CmBatt.sys [2008-04-13 13952]
R3 GEARAspiWDM;GEARAspiWDM; C:\WINDOWS\System32\Drivers\GEARAspiWDM.sys [2008-01-29 16168]
R3 HDAudBus;Microsoft UAA Bus Driver for High Definition Audio; C:\WINDOWS\system32\DRIVERS\HDAudBus.sys [2008-04-13 144384]
R3 hidusb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2008-04-13 10368]
R3 HSF_DPV;HSF_DPV; C:\WINDOWS\system32\DRIVERS\HSX_DPV.sys [2005-12-01 936960]
R3 HSXHWAZL;HSXHWAZL; C:\WINDOWS\system32\DRIVERS\HSXHWAZL.sys [2005-12-01 192512]
R3 mouhid;Mouse HID Driver; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2004-08-04 12160]
R3 sdbus;sdbus; C:\WINDOWS\system32\DRIVERS\sdbus.sys [2008-04-13 79232]
R3 STHDA;SigmaTel High Definition Audio CODEC; C:\WINDOWS\system32\drivers\sthda.sys [2007-05-10 1222840]
R3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2008-04-13 32128]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2008-04-13 30208]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2008-04-13 59520]
R3 usbohci;Microsoft USB Open Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbohci.sys [2008-04-13 17152]
R3 winachsf;winachsf; C:\WINDOWS\system32\DRIVERS\HSX_CNXT.sys [2005-12-01 669696]
S3 UIUSys;Conexant Setup API; C:\WINDOWS\system32\DRIVERS\UIUSYS.SYS []
S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]
S3 WudfPf;Windows Driver Foundation - User-mode Driver Framework Platform Driver; C:\WINDOWS\system32\DRIVERS\WudfPf.sys [2006-09-28 77568]
S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2006-09-28 82944]
S4 IntelIde;IntelIde; C:\WINDOWS\system32\drivers\IntelIde.sys []

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 Apple Mobile Device;Apple Mobile Device; C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe [2008-07-22 116040]
R2 aswUpdSv;avast! iAVS4 Control Service; C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe [2008-07-19 16056]
R2 Ati HotKey Poller;Ati HotKey Poller; C:\WINDOWS\system32\Ati2evxx.exe [2007-12-20 512000]
R2 avast! Antivirus;avast! Antivirus; C:\Program Files\Alwil Software\Avast4\ashServ.exe [2008-07-19 147640]
R2 Bonjour Service;Bonjour Service; C:\Program Files\Bonjour\mDNSResponder.exe [2007-07-24 229376]
R2 IISADMIN;IIS Admin; C:\WINDOWS\system32\inetsrv\inetinfo.exe [2008-04-13 15360]
R2 SMTPSVC;Simple Mail Transfer Protocol (SMTP); C:\WINDOWS\system32\inetsrv\inetinfo.exe [2008-04-13 15360]
R2 UxTuneUp;TuneUp Theme Extension; C:\WINDOWS\System32\svchost.exe [2008-04-13 14336]
R2 W3SVC;World Wide Web Publishing; C:\WINDOWS\system32\inetsrv\inetinfo.exe [2008-04-13 15360]
R2 WMPNetworkSvc;Windows Media Player Network Sharing Service; C:\Program Files\Windows Media Player\WMPNetwk.exe [2006-10-18 913408]
R3 avast! Mail Scanner;avast! Mail Scanner; C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe [2008-07-19 250040]
R3 avast! Web Scanner;avast! Web Scanner; C:\Program Files\Alwil Software\Avast4\ashWebSv.exe [2008-07-23 348344]
R3 iPod Service;iPod Service; C:\Program Files\iPod\bin\iPodService.exe [2008-07-30 532264]
R3 usnjsvc;Messenger Sharing Folders USN Journal Reader service; C:\Program Files\Windows Live\Messenger\usnsvc.exe [2007-10-18 98328]
S2 ATI Smart;ATI Smart; C:\WINDOWS\system32\ati2sgag.exe [2007-12-20 593920]
S2 wltrysvc;Dell Wireless WLAN Tray Service; C:\WINDOWS\System32\WLTRYSVC.EXE C:\WINDOWS\System32\bcmwltry.exe []
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2007-10-24 33800]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2007-10-24 70144]
S3 TuneUp.Defrag;TuneUp Drive Defrag Service; C:\WINDOWS\System32\TuneUpDefragService.exe [2008-04-06 307968]
S3 WLSetupSvc;Windows Live Setup Service; C:\Program Files\Windows Live\installer\WLSetupSvc.exe [2007-10-25 266240]
S3 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2008-04-13 14336]
S4 Viewpoint Manager Service;Viewpoint Manager Service; C:\Program Files\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652]

-----------------EOF-----------------




So far the processes shown in Security Task Manager that have spyware/malware features (High Threat/browser extensions nnnoNhhg.dll) are still running; every attempt to disable and remove these processes has failed. I've run VundoFix and VirtumundoBeGone and they both have failed in detecting the Virtumonde Trojan, so I'm assuming I possibly got rid of that Trojan. However, there are some other problems Avast picked up such as Win32:Spyware-gen / Win32:Trojan-gen, which I'm also assuming are those pesky browser extensions that are present in Security Task Manager.

Here is a List of Programs I Have and used over the past 24 hours in regards to trying to fix this mess.

-Avast Home Edition
-Security Task Manager
-Tune Up Utilities Pro
-Spybot Search and Destroy
-Hijack This
-Malwarebytes Anti-Malware
-Kaspersky Online Scanner
-And a swollen fist :)

By the way Kaspersky Online Scanner didn't pick up anything recently ;) so hopefully I'm winning. :)

Thanks in Advance

-Alex



#2 teacup61


    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 02 December 2008 - 05:42 AM

Hello Angryvirusvictim,


Please run HijackThis! and click "Scan." Place checks next to the following entries, if present:

O2 - BHO: (no name) - {0C6E0EF2-2FAB-4B42-AE01-C49094604857} - C:\WINDOWS\system32\pmnlmljg.dll (file missing)
O2 - BHO: (no name) - {17908931-20C5-4D11-9B2C-5A254CDE896C} - C:\WINDOWS\system32\efcBrPgh.dll (file missing)
O2 - BHO: (no name) - {1AE5E866-FC44-4A6B-AF04-7A46D127A70D} - C:\WINDOWS\system32\hgGvwtsS.dll (file missing)


Close all browsers and other windows except for HijackThis!, and click "Fix checked".

Reboot your computer.

Please download Malwarebytes' Anti-Malware from one of these places:
http://www.majorgeeks.com/Malwarebytes_Ant...ware_d5756.html
http://www.besttechie.net/tools/mbam-setup.exe

Double Click mbam-setup.exe to install the application.

* Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select "Perform Quick Scan", then click Scan.
* The scan may take some time to finish, so please be patient.
* When the scan is complete, click OK, then Show Results to view the results.
* Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
* The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
* Copy&Paste the entire report in your next reply along with a fresh HijackThis log.

Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

Thanks,
tea

Edited by teacup61, 02 December 2008 - 05:46 AM.

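As an added example (not from the thread and not a HijackThis, RSIT or BleepingComputer tool), a Python script that applies the traits behind teacup's fix list to the O2 lines and the RSIT registry sections posted above. The sample lines are copied from those logs; the flagging rules (no name, file missing, 8-letter DLL name in system32, LSA authentication packages beyond msv1_0, ShellExecuteHooks beyond shell32.dll) are my own assumptions, not anything HijackThis or RSIT reports:

```python
"""Triage helper for the HijackThis/RSIT logs posted in this thread (added
example; the rules below are my own assumptions, not HijackThis output)."""
import re

# Constructed sample: O2 lines copied verbatim from the posted HijackThis log.
SAMPLE_HJT = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0C6E0EF2-2FAB-4B42-AE01-C49094604857} - C:\WINDOWS\system32\pmnlmljg.dll (file missing)
O2 - BHO: (no name) - {17908931-20C5-4D11-9B2C-5A254CDE896C} - C:\WINDOWS\system32\efcBrPgh.dll (file missing)
O2 - BHO: (no name) - {1AE5E866-FC44-4A6B-AF04-7A46D127A70D} - C:\WINDOWS\system32\hgGvwtsS.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
"""

# Constructed sample: two RSIT registry-dump sections copied from the posted log.
SAMPLE_RSIT = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{A63E645F-13BD-45ED-B15F-6E8C1BD57279}"=C:\WINDOWS\system32\nnnoNhhg.dll []

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"authentication packages"=msv1_0
C:\WINDOWS\system32\pmnlmljg
"""

O2_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]{36})\} - "
    r"(?P<path>.+?)(?P<missing> \(file missing\))?$")
HOOK_RE = re.compile(r'^"\{(?P<clsid>[0-9A-Fa-f-]{36})\}"=(?P<path>.+?)(?: \[.*\])?$')
RANDOM_STEM_RE = re.compile(r"[A-Za-z]{8}")  # pmnlmljg, efcBrPgh, hgGvwtsS, nnnoNhhg

def is_random_system32_dll(path):
    """Assumed heuristic: an 8-letter DLL name sitting directly in system32."""
    directory, _, filename = path.rpartition("\\")
    stem, _, ext = filename.rpartition(".")
    return (directory.lower().endswith("\\system32")
            and ext.lower() == "dll"
            and RANDOM_STEM_RE.fullmatch(stem) is not None)

def triage_bho_lines(text):
    """Return {CLSID: [reasons]} for each O2 line that trips at least one rule."""
    flagged = {}
    for line in text.splitlines():
        m = O2_RE.match(line.strip())
        if not m:
            continue
        reasons = []
        if m["name"] == "(no name)":
            reasons.append("BHO registered without a name")
        if m["missing"]:
            reasons.append("DLL is gone from disk but its CLSID is still registered")
        if is_random_system32_dll(m["path"]):
            reasons.append("8-letter random-looking DLL name in system32")
        if reasons:
            flagged[m["clsid"].upper()] = reasons
    return flagged

def parse_rsit_sections(text):
    """Split an RSIT registry dump into {key lowercased: [value lines]}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            sections[current] = []
        elif line and current is not None:
            sections[current].append(line)
    return sections

def lsa_package_findings(sections):
    """LSA authentication packages other than msv1_0 (assumed to be the only
    expected one on this XP box); RSIT prints extra packages on their own lines."""
    findings = []
    for key, values in sections.items():
        if not key.endswith("\\control\\lsa"):
            continue
        for value in values:
            name, sep, val = value.partition("=")
            package = val if sep and name.strip('"').lower() == "authentication packages" else value
            if package.lower() != "msv1_0":
                findings.append(package)
    return findings

def shell_hook_findings(sections):
    """ShellExecuteHooks entries whose DLL is not shell32.dll (assumed to be the
    only stock hook on XP), keyed by CLSID."""
    found = {}
    for key, values in sections.items():
        if not key.endswith("\\shellexecutehooks"):
            continue
        for value in values:
            m = HOOK_RE.match(value)
            if m and not m["path"].lower().endswith("\\shell32.dll"):
                found[m["clsid"].upper()] = m["path"]
    return found

if __name__ == "__main__":
    print(triage_bho_lines(SAMPLE_HJT))
    sections = parse_rsit_sections(SAMPLE_RSIT)
    print(lsa_package_findings(sections), shell_hook_findings(sections))
```

Run against the full log, the three flagged CLSIDs are exactly the three entries teacup asks to fix, and the LSA and ShellExecuteHooks findings point at the two further leftovers (pmnlmljg and nnnoNhhg.dll) the later MBAM log cleans up.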

#3 Angryvirusvictim

  • Topic Starter

  • Members
  • 6 posts

Posted 02 December 2008 - 02:21 PM

Malwarebytes' Anti-Malware 1.30
Database version: 1446
Windows 5.1.2600 Service Pack 3

12/2/2008 2:09:02 PM
mbam-log-2008-12-02 (14-09-02).txt

Scan type: Full Scan (C:\|E:\|F:\|)
Objects scanned: 103705
Time elapsed: 32 minute(s), 53 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 5
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 20

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{a63e645f-13bd-45ed-b15f-6e8c1bd57279} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{a63e645f-13bd-45ed-b15f-6e8c1bd57279} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{02ed72fe-2a23-4257-bb91-875ecbc6a38c} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{a63e645f-13bd-45ed-b15f-6e8c1bd57279} (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Documents and Settings\Alex\Application Data\gadcom (Trojan.Agent) -> Quarantined and deleted successfully.

Files Infected:
C:\Documents and Settings\Alex\Local Settings\Temporary Internet Files\Content.IE5\65YX2QH5\load[1].exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Alex\Local Settings\Temporary Internet Files\Content.IE5\U4W8BWBG\upd[1] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Alex\Local Settings\Temporary Internet Files\Content.IE5\U4W8BWBG\index[1] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Alex\Local Settings\Temporary Internet Files\Content.IE5\YHMN6SHE\upd[1] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Alex\Local Settings\Temporary Internet Files\Content.IE5\YHMN6SHE\upd[2] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\SecTaskMan\hgGvwtsS.dll.q_804DC04_q (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\SecTaskMan\kmcwtn.dll.q_804F801_q (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\SecTaskMan\pmnlmljg.dll.q_804DC04_q (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\SecTaskMan\sbrcjjsq.dll.q_8041C01_q (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{BE6B0AA7-99D5-40D5-8F09-4F1834A55CF2}\RP152\A0075416.dll (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{BE6B0AA7-99D5-40D5-8F09-4F1834A55CF2}\RP155\A0075437.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{BE6B0AA7-99D5-40D5-8F09-4F1834A55CF2}\RP156\A0075439.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{BE6B0AA7-99D5-40D5-8F09-4F1834A55CF2}\RP159\A0075445.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{BE6B0AA7-99D5-40D5-8F09-4F1834A55CF2}\RP162\A0075480.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{BE6B0AA7-99D5-40D5-8F09-4F1834A55CF2}\RP165\A0075515.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{BE6B0AA7-99D5-40D5-8F09-4F1834A55CF2}\RP167\A0075613.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\oyebox.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\fgltgfrn.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\cyspssss.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ypahhxxs.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

__________________________________________________________________________________________*******

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:17:42 PM, on 12/2/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
E:\ITUNESPLUSQUICK\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\hijackthis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [iTunesHelper] "E:\ITUNESPLUSQUICK\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} -
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) -
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE (file missing)

--
End of file - 4931 bytes

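When a fresh HijackThis log is requested after a cleanup, as it is here, the useful read is what changed between the two logs and which surviving entries still deserve a second look (a service whose file is missing, an autorun launched from a user-writable folder). The script below is an added example, not code from this thread or from Trend Micro; its sample lines are constructed excerpts in the style of the logs posted here, and the `gadcom` Run entry in the second sample is invented for illustration (only the folder name comes from the MBAM report above).

```python
"""Compare two HijackThis logs and flag entries worth a second look.

Added example; not code from the thread or from the HijackThis project.
Sample lines are constructed from entries in this thread. The "gadcom"
Run entry below is invented to show how a new autorun from a user
profile gets flagged; no such Run entry appears in the posted logs.
"""
import re

# Constructed excerpt in the style of the 12/2 HijackThis log.
LOG_BEFORE = r"""
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE (file missing)
"""

# Constructed excerpt in the style of the 12/3 log: the toolbar BHO is gone
# and one invented autorun under the user's Application Data has appeared.
LOG_AFTER = r"""
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [gadcom] C:\Documents and Settings\Alex\Application Data\gadcom\gadcom.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE (file missing)
"""

# Every HijackThis entry starts with its section code: "O2 - ", "O23 - ", ...
ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")
# A drive-letter or %VAR%-rooted path ending in an executable extension.
PATH_RE = re.compile(r"(?:[A-Za-z]:|%\w+%)\\.*?\.(?:exe|dll|scr|cmd|bat|vbs)", re.I)
# Locations an ordinary user can write to; autoruns from here deserve a look.
USER_WRITABLE = ("\\documents and settings\\", "\\temp\\", "\\temporary internet files\\")


def parse_entries(log):
    """Return {entry_line: section_code} for every O-line in a HijackThis log."""
    entries = {}
    for raw in log.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m:
            entries[line] = m.group(1)
    return entries


def entry_path(line):
    """First executable path in the entry, or None (O16 DPF lines carry none)."""
    m = PATH_RE.search(line)
    return m.group(0) if m else None


def flag_entry(line):
    """Heuristic review flags for one entry; an empty list means nothing stood out."""
    flags = []
    if "(file missing)" in line:
        flags.append("binary missing")
    if "Unknown owner" in line:
        flags.append("no vendor recorded")
    path = entry_path(line)
    if path and any(seg in path.lower() for seg in USER_WRITABLE):
        flags.append("runs from user-writable path")
    return flags


def compare_logs(before, after):
    """Entries added or removed between two logs, plus flags on each entry of `after`."""
    old, new = parse_entries(before), parse_entries(after)
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "flagged": {line: fl for line in new if (fl := flag_entry(line))},
    }


if __name__ == "__main__":
    report = compare_logs(LOG_BEFORE, LOG_AFTER)
    for key in ("added", "removed"):
        for line in report[key]:
            print(f"{key.upper():8} {line}")
    for line, flags in report["flagged"].items():
        print(f"FLAG     {line}\n         -> {', '.join(flags)}")
```

The flags are only prompts for a human reviewer; "Unknown owner" also fires on legitimate drivers such as the ATI entry above, so a flag is a reason to look, not a verdict.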
#4 teacup61

Posted 03 December 2008 - 02:52 AM

Hello Alex,

That looks better. :thumbsup: How is it running now please?

tea

#5 Angryvirusvictim

Posted 03 December 2008 - 04:43 AM

Everything seems to be running fine. :thumbsup:

I'm curious how this process removed the virus as opposed to a very similar process I used initially. Must be the order of operation. :)

There is still one problem. In Security Task Manager there is a process named "%" and I still can't figure out what it belongs to, whether it's safe or how to remove it.

Perhaps you can help me.


-Alex

#6 teacup61

Posted 03 December 2008 - 10:48 AM

Hi Alex,

I can't really say what was different this time, as I don't know how you did it the first time around.

Have you done a search for the mystery entry? I've not seen that before, but whatever it is, it says it's not running. Does it show up like that in Task Manager?

Can you please run RSIT one more time and post the report please? I want to be sure there's nothing left showing there before I turn you loose. :thumbsup:

Thanks,
tea

#7 Angryvirusvictim

Posted 03 December 2008 - 04:02 PM

Logfile of random's system information tool 1.04 (written by random/random)
Run by Alex at 2008-12-03 16:01:48
Microsoft Windows XP Professional Service Pack 3
System drive C: has 3 GB (15%) free of 20 GB
Total RAM: 1918 MB (71% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:01:52 PM, on 12/3/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
E:\ITUNESPLUSQUICK\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Windows Media Player\WMPNetwk.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Documents and Settings\Alex\Desktop\RSIT.exe
C:\Program Files\Trend Micro\HijackThis\Alex.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [iTunesHelper] "E:\ITUNESPLUSQUICK\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} -
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) -
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE (file missing)

--
End of file - 5074 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\1-Click Maintenance.job
C:\WINDOWS\tasks\AppleSoftwareUpdate.job
C:\WINDOWS\tasks\Check Updates for Windows Live Toolbar.job
C:\WINDOWS\tasks\GoogleUpdateTaskUser.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
Adobe PDF Reader Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll [2006-10-22 62080]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
Spybot-S&D IE Protection - C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2008-01-28 1554256]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
SSVHelper Class - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll [2008-02-22 509328]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9030D464-4C02-4ABF-8ECC-5164760863C6}]
Windows Live Sign-in Helper - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2007-09-20 328752]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Broadcom Wireless Manager UI"=C:\WINDOWS\system32\WLTRAY.exe [2007-03-16 1392640]
"SigmatelSysTrayApp"=C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe [2007-05-10 405504]
"avast!"=C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe [2008-07-19 78008]
"iTunesHelper"=E:\ITUNESPLUSQUICK\iTunesHelper.exe [2008-07-30 289064]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2008-04-13 15360]
"MsnMsgr"=C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe [2007-10-18 5724184]
"SpybotSD TeaTimer"=C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe [2008-01-28 2097488]
"WMPNSCFG"=C:\Program Files\Windows Media Player\WMPNSCFG.exe [2006-10-18 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
C:\WINDOWS\system32\Ati2evxx.dll [2007-12-20 122880]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
C:\WINDOWS\system32\WgaLogon.dll [2007-04-10 236928]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
UPnPMonitor - {e57ce738-33e8-4c51-8354-bb4de9d215d1} - C:\WINDOWS\system32\upnpui.dll [2008-04-13 239616]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"authentication packages"=msv1_0
C:\WINDOWS\system32\pmnlmljg

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"=msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, digeste.dll

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\Bonjour\mDNSResponder.exe"="C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour"
"E:\ITUNESPLUSQUICK\iTunes.exe"="E:\ITUNESPLUSQUICK\iTunes.exe:*:Enabled:iTunes"
"C:\Program Files\Winamp Remote\bin\Orb.exe"="C:\Program Files\Winamp Remote\bin\Orb.exe:*:Enabled:Orb"
"C:\Program Files\Winamp Remote\bin\OrbTray.exe"="C:\Program Files\Winamp Remote\bin\OrbTray.exe:*:Enabled:OrbTray"
"C:\Program Files\Winamp Remote\bin\OrbStreamerClient.exe"="C:\Program Files\Winamp Remote\bin\OrbStreamerClient.exe:*:Enabled:Orb Stream Client"
"C:\Program Files\Common Files\AOL\Loader\aolload.exe"="C:\Program Files\Common Files\AOL\Loader\aolload.exe:*:Enabled:AOL Loader"
"C:\Program Files\AIM6\aim6.exe"="C:\Program Files\AIM6\aim6.exe:*:Enabled:AIM"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\Windows Live\Messenger\msnmsgr.exe"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\Program Files\Windows Live\Messenger\livecall.exe"="C:\Program Files\Windows Live\Messenger\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\Windows Live\Messenger\msnmsgr.exe"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\Program Files\Windows Live\Messenger\livecall.exe"="C:\Program Files\Windows Live\Messenger\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
shell\AutoRun\command - D:\SetupAssistant.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
shell\AutoRun\command - G:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7bf32da4-d362-11dc-92b2-806d6172696f}]
shell\AutoRun\command - D:\SetupAssistant.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9ff1adbc-9acb-11dd-9609-0015c5cb943a}]
shell\AutoRun\command - G:\LaunchU3.exe -a


======File associations======

.reg - open - regedit.exe "%1" %*
.scr - open - "%1" %*

======List of files/folders created in the last 1 months======

2008-12-02 02:03:48 ----D---- C:\rsit
2008-12-02 02:00:47 ----A---- C:\WINDOWS\system32\PerfStringBackup.TMP
2008-12-02 00:10:46 ----D---- C:\Program Files\Security Task Manager
2008-12-01 23:18:41 ----SHD---- C:\Config.Msi
2008-12-01 22:32:10 ----HD---- C:\WINDOWS\Prefetch
2008-12-01 21:41:32 ----HDC---- C:\WINDOWS\$NtUninstallKB958644$
2008-12-01 21:41:25 ----HDC---- C:\WINDOWS\$NtUninstallKB957097$
2008-12-01 21:41:18 ----HDC---- C:\WINDOWS\$NtUninstallKB957095$
2008-12-01 21:41:09 ----HDC---- C:\WINDOWS\$NtUninstallKB956841$
2008-12-01 21:41:00 ----HDC---- C:\WINDOWS\$NtUninstallKB956803$
2008-12-01 21:40:51 ----HDC---- C:\WINDOWS\$NtUninstallKB955069$
2008-12-01 21:40:44 ----HDC---- C:\WINDOWS\$NtUninstallKB954211$
2008-12-01 21:40:35 ----HDC---- C:\WINDOWS\$NtUninstallKB953155$
2008-12-01 21:40:28 ----HDC---- C:\WINDOWS\$NtUninstallKB952954$
2008-12-01 21:40:20 ----HDC---- C:\WINDOWS\$NtUninstallKB952287$
2008-12-01 21:40:10 ----HDC---- C:\WINDOWS\$NtUninstallKB951748$
2008-12-01 21:40:02 ----HDC---- C:\WINDOWS\$NtUninstallKB951698$
2008-12-01 21:39:55 ----HDC---- C:\WINDOWS\$NtUninstallKB951376-v2$
2008-12-01 21:39:47 ----HDC---- C:\WINDOWS\$NtUninstallKB951376$
2008-12-01 21:39:37 ----HDC---- C:\WINDOWS\$NtUninstallKB951066$
2008-12-01 21:39:30 ----HDC---- C:\WINDOWS\$NtUninstallKB950974$
2008-12-01 21:39:23 ----HDC---- C:\WINDOWS\$NtUninstallKB950762$
2008-12-01 21:39:14 ----HDC---- C:\WINDOWS\$NtUninstallKB946648$
2008-12-01 21:39:07 ----HDC---- C:\WINDOWS\$NtUninstallKB938464$
2008-12-01 21:36:07 ----AH---- C:\WINDOWS\setuplog.txt
2008-12-01 21:34:55 ----HD---- C:\WINDOWS\system32\scripting
2008-12-01 21:34:53 ----HD---- C:\WINDOWS\l2schemas
2008-12-01 21:34:52 ----HD---- C:\WINDOWS\system32\en
2008-12-01 21:34:52 ----HD---- C:\WINDOWS\system32\bits
2008-12-01 21:32:34 ----HD---- C:\WINDOWS\ServicePackFiles
2008-12-01 21:20:35 ----HDC---- C:\WINDOWS\$NtServicePackUninstall$
2008-12-01 19:44:06 ----D---- C:\Avenger
2008-12-01 19:44:05 ----A---- C:\avenger.txt
2008-12-01 16:50:06 ----A---- C:\WINDOWS\system32\aswBoot.exe
2008-12-01 15:46:02 ----D---- C:\VundoFix Backups
2008-12-01 15:46:02 ----A---- C:\VundoFix.txt
2008-12-01 14:19:31 ----AH---- C:\WINDOWS\ntbtlog.txt
2008-12-01 14:03:49 ----ASH---- C:\WINDOWS\system32\gjlmlnmp.ini2
2008-12-01 14:03:49 ----ASH---- C:\WINDOWS\system32\gjlmlnmp.ini
2008-12-01 03:16:08 ----D---- C:\Program Files\Trend Micro
2008-12-01 03:11:25 ----ASH---- C:\WINDOWS\system32\hgPrBcfe.ini2
2008-12-01 03:11:24 ----ASH---- C:\WINDOWS\system32\hgPrBcfe.ini
2008-12-01 01:41:18 ----ASH---- C:\WINDOWS\system32\qsjjcrbs.ini
2008-12-01 01:40:45 ----AH---- C:\WINDOWS\system32\cf3ab979-.txt
2008-12-01 01:40:23 ----ASH---- C:\WINDOWS\system32\SstwvGgh.ini2
2008-12-01 01:40:23 ----ASH---- C:\WINDOWS\system32\SstwvGgh.ini
2008-11-25 09:33:20 ----D---- C:\Documents and Settings\Alex\Application Data\Help
2008-11-17 07:52:28 ----D---- C:\Program Files\Viewpoint
2008-11-17 07:52:28 ----D---- C:\Documents and Settings\All Users\Application Data\acccore
2008-11-17 07:51:32 ----D---- C:\Documents and Settings\All Users\Application Data\AOL Downloads
2008-11-12 18:25:22 ----HDC---- C:\WINDOWS\$NtUninstallKB957097_0$
2008-11-12 18:25:13 ----HDC---- C:\WINDOWS\$NtUninstallKB955069_0$
2008-11-10 04:37:17 ----D---- C:\Program Files\leafDrums2

======List of files/folders modified in the last 1 months======

2008-12-03 15:56:30 ----HD---- C:\WINDOWS\Help
2008-12-03 15:55:03 ----D---- C:\Program Files\Mozilla Firefox
2008-12-03 15:15:43 ----HD---- C:\WINDOWS\system32
2008-12-03 15:15:39 ----HD---- C:\WINDOWS\system32\inetsrv
2008-12-03 15:13:48 ----HD---- C:\WINDOWS\Temp
2008-12-03 15:11:42 ----HD---- C:\WINDOWS\system32\CatRoot2
2008-12-03 04:51:03 ----AH---- C:\WINDOWS\SchedLgU.Txt
2008-12-03 00:55:52 ----D---- C:\Documents and Settings\Alex\Application Data\Audacity
2008-12-02 15:46:47 ----D---- C:\SA8
2008-12-02 15:08:17 ----D---- C:\Documents and Settings\All Users\Application Data\SecTaskMan
2008-12-02 15:07:49 ----D---- C:\Program Files\Windows Live Toolbar
2008-12-02 14:23:09 ----HD---- C:\WINDOWS\Registration
2008-12-02 13:19:44 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2008-12-02 13:19:43 ----HD---- C:\WINDOWS\system32\drivers
2008-12-02 01:37:54 ----AH---- C:\WINDOWS\system32\PerfStringBackup.INI
2008-12-02 01:18:34 ----HD---- C:\WINDOWS
2008-12-02 00:26:52 ----AH---- C:\WINDOWS\win.ini
2008-12-02 00:10:46 ----RD---- C:\Program Files
2008-12-01 23:18:51 ----SHD---- C:\WINDOWS\Installer
2008-12-01 23:17:49 ----AHC---- C:\WINDOWS\OEWABLog.txt
2008-12-01 22:31:38 ----HD---- C:\WINDOWS\system32\Setup
2008-12-01 22:31:38 ----HD---- C:\WINDOWS\AppPatch
2008-12-01 22:31:34 ----HD---- C:\WINDOWS\system32\wbem
2008-12-01 22:31:31 ----RSD---- C:\WINDOWS\Fonts
2008-12-01 21:44:53 ----HD---- C:\WINDOWS\security
2008-12-01 21:41:37 ----HD---- C:\WINDOWS\system32\CatRoot
2008-12-01 21:41:36 ----HD---- C:\WINDOWS\inf
2008-12-01 21:41:34 ----RSHDC---- C:\WINDOWS\system32\dllcache
2008-12-01 21:39:16 ----D---- C:\Program Files\Messenger
2008-12-01 21:35:36 ----HD---- C:\WINDOWS\WinSxS
2008-12-01 21:35:13 ----HD---- C:\WINDOWS\network diagnostic
2008-12-01 21:35:12 ----HD---- C:\WINDOWS\ime
2008-12-01 21:34:55 ----HD---- C:\WINDOWS\system32\usmt
2008-12-01 21:34:55 ----HD---- C:\WINDOWS\system32\en-US
2008-12-01 21:34:52 ----HD---- C:\WINDOWS\PeerNet
2008-12-01 21:34:52 ----D---- C:\Program Files\Movie Maker
2008-12-01 21:32:02 ----HD---- C:\WINDOWS\system32\Restore
2008-12-01 21:32:01 ----HD---- C:\WINDOWS\system32\npp
2008-12-01 21:32:01 ----HD---- C:\WINDOWS\mui
2008-12-01 21:32:00 ----HD---- C:\WINDOWS\msagent
2008-12-01 21:31:57 ----HD---- C:\WINDOWS\srchasst
2008-12-01 21:31:55 ----D---- C:\Program Files\NetMeeting
2008-12-01 21:31:53 ----HD---- C:\WINDOWS\system32\Com
2008-12-01 21:31:49 ----D---- C:\Program Files\Windows NT
2008-12-01 21:31:49 ----D---- C:\Program Files\Windows Media Player
2008-12-01 21:31:48 ----D---- C:\Program Files\Outlook Express
2008-12-01 21:31:43 ----D---- C:\Program Files\Common Files\System
2008-12-01 21:31:10 ----HD---- C:\WINDOWS\system32\oobe
2008-12-01 21:31:07 ----HD---- C:\WINDOWS\system
2008-12-01 21:25:23 ----HD---- C:\WINDOWS\system32\ReinstallBackups
2008-12-01 21:20:34 ----HD---- C:\WINDOWS\ehome
2008-12-01 14:20:42 ----D---- C:\Documents and Settings
2008-12-01 03:18:58 ----SD---- C:\WINDOWS\Downloaded Program Files
2008-11-28 00:48:31 ----D---- C:\Documents and Settings\Alex\Application Data\Azureus
2008-11-27 22:54:20 ----D---- C:\Program Files\Vuze
2008-11-20 02:14:51 ----SD---- C:\WINDOWS\Tasks
2008-11-17 13:32:56 ----D---- C:\Program Files\eMule
2008-11-17 07:53:46 ----D---- C:\Program Files\AIM6
2008-11-17 07:52:29 ----D---- C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-11-12 18:25:21 ----HD---- C:\WINDOWS\$hf_mig$

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 Aavmker4;avast! Asynchronous Virus Monitor; C:\WINDOWS\system32\drivers\Aavmker4.sys [2008-07-19 26944]
R1 aswSP;avast! Self Protection; C:\WINDOWS\system32\drivers\aswSP.sys [2008-07-19 78416]
R1 aswTdi;avast! Network Shield Support; C:\WINDOWS\system32\drivers\aswTdi.sys [2008-07-19 42912]
R1 kbdhid;Keyboard HID Driver; C:\WINDOWS\system32\DRIVERS\kbdhid.sys [2008-04-13 14592]
R1 WmiAcpi;Microsoft Windows Management Interface for ACPI; C:\WINDOWS\system32\DRIVERS\wmiacpi.sys [2008-04-13 8832]
R2 aswFsBlk;aswFsBlk; C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-07-19 20560]
R2 aswMon2;avast! Standard Shield Support; C:\WINDOWS\system32\drivers\aswMon2.sys [2008-07-19 94416]
R2 mdmxsdk;mdmxsdk; C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys [2005-10-04 12544]
R3 aswRdr;aswRdr; C:\WINDOWS\system32\drivers\aswRdr.sys [2008-07-19 23152]
R3 ati2mtag;ati2mtag; C:\WINDOWS\system32\DRIVERS\ati2mtag.sys [2007-12-20 2843136]
R3 BCM43XX;Dell Wireless WLAN Card Driver; C:\WINDOWS\system32\DRIVERS\bcmwl5.sys [2007-03-16 604928]
R3 bcm4sbxp;Broadcom 440x 10/100 Integrated Controller XP Driver; C:\WINDOWS\system32\DRIVERS\bcm4sbxp.sys [2006-11-21 45568]
R3 CmBatt;Microsoft ACPI Control Method Battery Driver; C:\WINDOWS\system32\DRIVERS\CmBatt.sys [2008-04-13 13952]
R3 GEARAspiWDM;GEARAspiWDM; C:\WINDOWS\System32\Drivers\GEARAspiWDM.sys [2008-01-29 16168]
R3 HDAudBus;Microsoft UAA Bus Driver for High Definition Audio; C:\WINDOWS\system32\DRIVERS\HDAudBus.sys [2008-04-13 144384]
R3 hidusb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2008-04-13 10368]
R3 HSF_DPV;HSF_DPV; C:\WINDOWS\system32\DRIVERS\HSX_DPV.sys [2005-12-01 936960]
R3 HSXHWAZL;HSXHWAZL; C:\WINDOWS\system32\DRIVERS\HSXHWAZL.sys [2005-12-01 192512]
R3 mouhid;Mouse HID Driver; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2004-08-04 12160]
R3 sdbus;sdbus; C:\WINDOWS\system32\DRIVERS\sdbus.sys [2008-04-13 79232]
R3 STHDA;SigmaTel High Definition Audio CODEC; C:\WINDOWS\system32\drivers\sthda.sys [2007-05-10 1222840]
R3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2008-04-13 32128]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2008-04-13 30208]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2008-04-13 59520]
R3 usbohci;Microsoft USB Open Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbohci.sys [2008-04-13 17152]
R3 winachsf;winachsf; C:\WINDOWS\system32\DRIVERS\HSX_CNXT.sys [2005-12-01 669696]
S3 UIUSys;Conexant Setup API; C:\WINDOWS\system32\DRIVERS\UIUSYS.SYS []
S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]
S3 WudfPf;Windows Driver Foundation - User-mode Driver Framework Platform Driver; C:\WINDOWS\system32\DRIVERS\WudfPf.sys [2006-09-28 77568]
S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2006-09-28 82944]
S4 IntelIde;IntelIde; C:\WINDOWS\system32\drivers\IntelIde.sys []

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 Apple Mobile Device;Apple Mobile Device; C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe [2008-07-22 116040]
R2 aswUpdSv;avast! iAVS4 Control Service; C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe [2008-07-19 16056]
R2 Ati HotKey Poller;Ati HotKey Poller; C:\WINDOWS\system32\Ati2evxx.exe [2007-12-20 512000]
R2 avast! Antivirus;avast! Antivirus; C:\Program Files\Alwil Software\Avast4\ashServ.exe [2008-07-19 147640]
R2 Bonjour Service;Bonjour Service; C:\Program Files\Bonjour\mDNSResponder.exe [2007-07-24 229376]
R2 IISADMIN;IIS Admin; C:\WINDOWS\system32\inetsrv\inetinfo.exe [2008-04-13 15360]
R2 SMTPSVC;Simple Mail Transfer Protocol (SMTP); C:\WINDOWS\system32\inetsrv\inetinfo.exe [2008-04-13 15360]
R2 UxTuneUp;TuneUp Theme Extension; C:\WINDOWS\System32\svchost.exe [2008-04-13 14336]
R2 W3SVC;World Wide Web Publishing; C:\WINDOWS\system32\inetsrv\inetinfo.exe [2008-04-13 15360]
R2 WMPNetworkSvc;Windows Media Player Network Sharing Service; C:\Program Files\Windows Media Player\WMPNetwk.exe [2006-10-18 913408]
R3 avast! Mail Scanner;avast! Mail Scanner; C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe [2008-07-19 250040]
R3 avast! Web Scanner;avast! Web Scanner; C:\Program Files\Alwil Software\Avast4\ashWebSv.exe [2008-07-23 348344]
R3 iPod Service;iPod Service; C:\Program Files\iPod\bin\iPodService.exe [2008-07-30 532264]
R3 usnjsvc;Messenger Sharing Folders USN Journal Reader service; C:\Program Files\Windows Live\Messenger\usnsvc.exe [2007-10-18 98328]
S2 ATI Smart;ATI Smart; C:\WINDOWS\system32\ati2sgag.exe [2007-12-20 593920]
S2 wltrysvc;Dell Wireless WLAN Tray Service; C:\WINDOWS\System32\WLTRYSVC.EXE C:\WINDOWS\System32\bcmwltry.exe []
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2007-10-24 33800]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2007-10-24 70144]
S3 TuneUp.Defrag;TuneUp Drive Defrag Service; C:\WINDOWS\System32\TuneUpDefragService.exe [2008-04-06 307968]
S3 WLSetupSvc;Windows Live Setup Service; C:\Program Files\Windows Live\installer\WLSetupSvc.exe [2007-10-25 266240]
S3 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2008-04-13 14336]
S4 Viewpoint Manager Service;Viewpoint Manager Service; C:\Program Files\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652]

-----------------EOF-----------------

#8 teacup61 (Bleepin' Texan!, Malware Response Team, Wills Point, Texas)

Posted 04 December 2008 - 08:34 PM

Hello,

Can you please answer my questions? :thumbsup:

Thanks!
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?

#9 Angryvirusvictim (Topic Starter)

Posted 05 December 2008 - 10:24 AM

Doesn't seem to be showing up in regular task manager. Just security task manager.

#10 teacup61 (Bleepin' Texan!, Malware Response Team, Wills Point, Texas)

Posted 05 December 2008 - 11:28 AM

And did you do a search for it to see if it showed up there?

While you're at that, please have a look for this file and delete it if you see it:

C:\WINDOWS\system32\pmnlmljg

Everything else looks really good. :thumbsup: Still running all right?

Regards,
tea

#11 teacup61 (Bleepin' Texan!, Malware Response Team, Wills Point, Texas)

Posted 17 December 2008 - 03:13 PM

Since this issue appears resolved ... this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
