
Unknown Virus/Malware/Trojan


  • This topic is locked
4 replies to this topic

#1 XLbuster

XLbuster

  • Members
  • 3 posts
  • OFFLINE
  • Local time: 04:35 AM

Posted 25 December 2008 - 03:53 AM

I've been hit with something and it's wreaking havoc on my PC.

A few things I've noticed in the 24 hrs (since this all started):

1. I cannot run any browsers (IE, Firefox and Chrome all crash after about 15 seconds of loading).
2. Cannot run Spybot Search & Destroy (both in normal and safe mode). When I double-click on the icon, nothing happens. The process shows up in the running processes but no window is displayed.
3. Cannot run Malwarebytes Anti-Malware (same as #2).
4. My hosts file was modified and had thousands of entries in there routing back to 127.0.0.1. I manually changed the file back to normal; however, it seems like those entries are persistent (noticed this while trying to install Spybot, as it tries to update but was trying to reach 127.0.0.1 for an update).
5. HijackThis also crashes and complains about not being able to access the hosts file (no entries in the hosts file except 127.0.0.1 localhost).
6. MS Antispyware 2009 pop-ups.
7. SmitFraudFix will not run in normal or safe mode.
8. ComboFix will not run in normal or safe mode.

===========
HIJACKTHIS LOG
===========
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:01:38 AM, on 25/12/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svch?st.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\TEMP\winloggn.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\VMware\VMware Workstation\hqtray.exe
C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Logitech\Gaming Software\LWEMon.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\ITE\Smart Guardian\ITESmart.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\MSTMON_Y.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Documents and Settings\Soprano\Application Data\gadcom\gadcom.exe
C:\WINDOWS\system32\Updater.exe
C:\Documents and Settings\Soprano\Application Data\SpeedRunner\SpeedRunner.exe
C:\Documents and Settings\Soprano\Application Data\Microsoft\Windows\gvxyidy.exe
C:\WINDOWS\TEMP\a.exe
C:\DOCUME~1\Soprano\LOCALS~1\Temp\csrssc.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\DOCUME~1\Soprano\LOCALS~1\Temp\~tmpc.exe
C:\WINDOWS\TEMP\~tmpb.exe
C:\Program Files\Launchy\Launchy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe
C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
C:\WINDOWS\system32\vmnat.exe
C:\WINDOWS\system32\vmnetdhcp.exe
C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\Program Files\iPod\bin\iPodService.exe
J:\SpywareTools\HijackThis.exe
C:\Program Files\Notepad++\notepad++.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O4 - HKLM\..\Run: [jsf8j34rgfght] C:\WINDOWS\TEMP\winloggn.exe
O4 - HKLM\..\Run: [VMware hqtray] "C:\Program Files\VMware\VMware Workstation\hqtray.exe"
O4 - HKLM\..\Run: [TrueImageMonitor.exe] C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
O4 - HKLM\..\Run: [svchost.exe] C:\WINDOWS\system32\svch?st.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [Start WingMan Profiler] C:\Program Files\Logitech\Gaming Software\LWEMon.exe /noui
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SmartGuardian] C:\Program Files\ITE\Smart Guardian\ITESmart.exe
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKLM\..\Run: [KONICA MINOLTA PagePro 1400W STD] C:\WINDOWS\system32\MSTMON_Y.EXE STARTUP
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [cc6916d8] rundll32.exe "C:\WINDOWS\system32\mqyqwuqg.dll",b
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AcronisTimounterMonitor] C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKCU\..\Run: [gadcom] "C:\Documents and Settings\Soprano\Application Data\gadcom\gadcom.exe" 61A847B5BBF728133A9D30466188719AB689201522886B092CBD44BD8689220221DD3257
O4 - HKCU\..\Run: [jsf8j34rgfght] C:\WINDOWS\TEMP\winloggn.exe
O4 - HKCU\..\Run: [Windows Update] "C:\WINDOWS\system32\Updater.exe"
O4 - HKCU\..\Run: [SpeedRunner] C:\Documents and Settings\Soprano\Application Data\SpeedRunner\SpeedRunner.exe
O4 - HKCU\..\Run: [SfKg6wIP] C:\Documents and Settings\Soprano\Application Data\Microsoft\Windows\gvxyidy.exe
O4 - HKCU\..\Run: [MSFox] C:\WINDOWS\TEMP\a.exe
O4 - HKCU\..\Run: [Jnskdfmf9eldfd] C:\DOCUME~1\Soprano\LOCALS~1\Temp\csrssc.exe
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKCU\..\Run: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Soprano\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [Executor] "C:\Program Files\Executor\executor.exe" -s
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Cognac] C:\WINDOWS\TEMP\~tmpb.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: IE Developer Toolbar - {48FFE35F-36D9-44bd-A6CC-1D34414EAC0D} - C:\Program Files\Microsoft\Internet Explorer Developer Toolbar\IEDevToolbar.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {5AE58FCF-6F6A-49B2-B064-02492C66E3F4} (MUCatalogWebControl Class) - http://catalog.update.microsoft.com/v7/sit...b?1215996760359
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1215993198562
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: Acronis Try And Decide Service (TryAndDecideService) - Unknown owner - C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe
O23 - Service: VMware Agent Service (ufad-ws60) - VMware, Inc. - C:\Program Files\VMware\VMware Workstation\vmware-ufad.exe
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\system32\vmnetdhcp.exe
O23 - Service: VMware Virtual Mount Manager Extended (vmount2) - VMware, Inc. - C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\system32\vmnat.exe

--
End of file - 12336 bytes



======
DDS.TXT
======

DDS (Version 1.1.0) - NTFSx86
Run by Prince at 3:25:26.95 on 25/12/2008
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_07
Microsoft Windows XP Professional 5.1.2600.3.1252.2.1033.18.2046.879 [GMT -5:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
svchost.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\TEMP\winloggn.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\VMware\VMware Workstation\hqtray.exe
C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Logitech\Gaming Software\LWEMon.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\ITE\Smart Guardian\ITESmart.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\MSTMON_Y.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Documents and Settings\Soprano\Application Data\gadcom\gadcom.exe
C:\WINDOWS\system32\Updater.exe
C:\Documents and Settings\Soprano\Application Data\SpeedRunner\SpeedRunner.exe
C:\Documents and Settings\Soprano\Application Data\Microsoft\Windows\gvxyidy.exe
C:\WINDOWS\TEMP\a.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\DOCUME~1\Soprano\LOCALS~1\Temp\~tmpc.exe
C:\WINDOWS\TEMP\~tmpb.exe
C:\Program Files\Launchy\Launchy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe
C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
C:\WINDOWS\system32\vmnat.exe
C:\WINDOWS\system32\vmnetdhcp.exe
C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Notepad++\notepad++.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\VMware\VMware Workstation\vmware.exe
C:\DOCUME~1\Soprano\LOCALS~1\Temp\csrssc.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\VMware\VMware Workstation\bin\vmware-vmx.exe
C:\Documents and Settings\Soprano\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mWinlogon: System=c:\windows\system32\svch?st.exe,
BHO: {1c15a5dc-7bee-4377-a28c-dff7e52ff7a1} - c:\windows\system32\ddcDvSji.dll
BHO: {3ccdf8ce-c339-4dd6-ad4f-ca7230c7e2f2} - c:\windows\system32\ssqpMgfE.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
BHO: {a335cdc1-3b07-db29-e964-7cbfb223144c}: {c441322b-fbc7-469e-92bd-70b31cdc533a} - c:\windows\system32\btccsn.dll
BHO: IE Developer Toolbar BHO: {cc7e636d-39aa-49b6-b511-65413da137a1} - c:\program files\microsoft\internet explorer developer toolbar\IEDevToolbar.dll
uRun: [gadcom] "c:\documents and settings\Soprano\application data\gadcom\gadcom.exe" 61A847B5BBF728133A9D30466188719AB689201522886B092CBD44BD8689220221DD3257
uRun: [jsf8j34rgfght] c:\windows\temp\winloggn.exe
uRun: [Windows Update] "c:\windows\system32\Updater.exe"
uRun: [SpeedRunner] c:\documents and settings\Soprano\application data\speedrunner\SpeedRunner.exe
uRun: [SfKg6wIP] c:\documents and settings\Soprano\application data\microsoft\windows\gvxyidy.exe
uRun: [MSFox] c:\windows\temp\a.exe
uRun: [Jnskdfmf9eldfd] c:\docume~1\Soprano\locals~1\temp\csrssc.exe
uRun: [ISUSPM] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler
uRun: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\nero\lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
uRun: [Google Update] "c:\documents and settings\Soprano\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [Executor] "c:\program files\executor\executor.exe" -s
uRun: [DAEMON Tools Lite] "c:\program files\daemon tools lite\daemon.exe" -autorun
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [Cognac] c:\windows\temp\~tmpb.exe
mRun: [jsf8j34rgfght] c:\windows\temp\winloggn.exe
mRun: [VMware hqtray] "c:\program files\vmware\vmware workstation\hqtray.exe"
mRun: [TrueImageMonitor.exe] c:\program files\acronis\trueimagehome\TrueImageMonitor.exe
mRun: [svchost.exe] c:\windows\system32\svch?st.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_07\bin\jusched.exe"
mRun: [Start WingMan Profiler] c:\program files\logitech\gaming software\LWEMon.exe /noui
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [SmartGuardian] c:\program files\ite\smart guardian\ITESmart.exe
mRun: [RoxWatchTray] "c:\program files\common files\roxio shared\9.0\sharedcom\RoxWatchTray9.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NeroFilterCheck] c:\program files\common files\nero\lib\NeroCheck.exe
mRun: [LogMeIn GUI] "c:\program files\logmein\x86\LogMeInSystray.exe"
mRun: [KONICA MINOLTA PagePro 1400W STD] c:\windows\system32\MSTMON_Y.EXE STARTUP
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [cc6916d8] rundll32.exe "c:\windows\system32\mqyqwuqg.dll",b
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [AcronisTimounterMonitor] c:\program files\acronis\trueimagehome\TimounterMonitor.exe
mRun: [Acronis Scheduler2 Service] "c:\program files\common files\acronis\schedule2\schedhlp.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\launchy.lnk - c:\program files\launchy\Launchy.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\vpncli~1.lnk - c:\windows\installer\{176130bc-99a1-41fe-a78b-56045e33ad70}\Icon3E5562ED7.ico
uPolicies-explorer: ForceClassicControlPanel = 1 (0x1)
uPolicies-explorer: NoFolderOptions = 1 (0x1)
uPolicies-system: DisableRegistryTools = 1 (0x1)
mPolicies-system: DisableCAD = 1 (0x1)
dPolicies-explorer: ForceClassicControlPanel = 1 (0x1)
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
IE: {48FFE35F-36D9-44bd-A6CC-1D34414EAC0D} - {CC962137-2E78-4F94-975E-FC0C07DBD78F} - c:\program files\microsoft\internet explorer developer toolbar\IEDevToolbar.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
Notify: Antiwpa - antiwpa.dll
Notify: LMIinit - LMIinit.dll
Notify: ssqpMgfE - ssqpMgfE.dll
AppInit_DLLs: btccsn.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: {3ccdf8ce-c339-4dd6-ad4f-ca7230c7e2f2} - c:\windows\system32\ssqpMgfE.dll
LSA: Authentication Packages = msv1_0 relog_ap c:\windows\system32\ddcDvSji

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\Soprano\applic~1\mozilla\firefox\profiles\t10bi7vf.default\
FF - component: c:\documents and settings\Soprano\application data\mozilla\firefox\profiles\t10bi7vf.default\extensions\jssh@extensions.mozilla.org\components\jssh.dll
FF - component: c:\program files\mozilla firefox\components\iamfamous.dll
FF - component: c:\program files\mozilla firefox\components\srff.dll
FF - plugin: c:\documents and settings\Soprano\application data\mozilla\firefox\profiles\t10bi7vf.default\extensions\logmeinclient@logmein.com\plugins\npRACtrl.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll

============= SERVICES / DRIVERS ===============

R2 LMIInfo;LogMeIn Kernel Information Provider;\??\c:\program files\logmein\x86\RaInfo.sys [2008-2-28 12856]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;\??\c:\windows\system32\drivers\LMIRfsDriver.sys [2008-7-14 47640]
R3 iteio;iteio;\??\c:\windows\system32\drivers\iteio.sys [2008-7-13 3680]
R3 radpms;Driver for RADPMS Device;c:\windows\system32\drivers\radpms.sys [2008-2-28 12192]
R3 SaiH8000;SaiH8000;c:\windows\system32\drivers\SaiH8000.sys [2008-4-4 136832]
S3 vsdatant;vsdatant;\??\c:\windows\system32\vsdatant.sys [2005-1-26 280344]
S4 LMIRfsClientNP;LMIRfsClientNP; []

=============== Created Last 30 ================

2008-12-25 02:21 103,424 a------- c:\windows\system32\mldqavxx.dll
2008-12-25 02:21 103,424 a------- c:\windows\system32\btccsn.dll
2008-12-24 23:45 15,504 a------- c:\windows\system32\drivers\mbam.sys
2008-12-24 23:45 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-24 23:45 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2008-12-24 23:45 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2008-12-24 20:02 <DIR> --d----- c:\windows\pss
2008-12-24 15:16 <DIR> --d----- c:\docume~1\Soprano\applic~1\SpeedRunner
2008-12-24 15:06 <DIR> --d----- c:\program files\Webtools
2008-12-24 15:01 <DIR> --d----- c:\program files\Mjcore
2008-12-24 15:01 1,668,120 ---sh--- c:\windows\system32\gquwqyqm.ini
2008-12-24 15:01 68,608 a------- c:\windows\system32\mqyqwuqg.dll
2008-12-24 02:21 103,424 a------- c:\windows\system32\iqfxuk.dll
2008-12-24 02:21 103,424 a------- c:\windows\system32\hhhyttap.dll
2008-12-24 02:20 610,059 a--sh--- c:\windows\system32\ijSvDcdd.ini2
2008-12-24 02:20 610,059 a--sh--- c:\windows\system32\ijSvDcdd.ini
2008-12-24 02:20 236,032 a------- c:\windows\system32\ddcDvSji.dll
2008-12-24 02:18 75,776 a------- c:\windows\system32\drivers\msqpdxserv.sys
2008-12-24 02:18 <DIR> --dshr-- C:\resycled
2008-12-24 02:18 255 ---shr-- C:\autorun.inf
2008-12-24 02:17 15,000 a------- c:\windows\system32\tyshb36rfjdf.dll
2008-12-24 02:17 138,244 a------- c:\windows\system32\msxml71.dll
2008-12-24 02:17 <DIR> --d----- c:\docume~1\alluse~1\applic~1\CrucialSoft Ltd
2008-12-24 02:17 49,152 a------- c:\windows\system32\svch?st.exe
2008-12-24 02:16 <DIR> --d----- c:\docume~1\Soprano\applic~1\gadcom
2008-12-24 02:16 108,336 a------- c:\windows\system32\mswinsck.ocx
2008-12-24 02:16 <DIR> --d----- c:\windows\new
2008-12-24 02:15 35,328 a------- c:\windows\system32\ssqpMgfE.dll
2008-12-24 02:15 35,328 a------- c:\windows\system32\ddcYsSKd.dll
2008-12-24 01:52 3,144 ac------ c:\windows\system32\dllcache\srgb.icm
2008-12-24 01:48 <DIR> --d----- c:\program files\common files\Macrovision Shared
2008-12-24 01:01 <DIR> --d----- c:\program files\WinDirStat
2008-12-24 01:01 645,729 a------- c:\temp\windirstat1_1_2_setup.exe
2008-12-23 02:04 <DIR> --d----- c:\temp\quickpwn
2008-12-23 01:53 <DIR> --d----- c:\program files\iPod
2008-12-23 01:53 <DIR> --d----- c:\program files\iTunes
2008-12-23 01:53 <DIR> --d----- c:\docume~1\alluse~1\applic~1\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-12-23 00:47 <DIR> --d----- c:\temp\Tomato
2008-12-21 18:29 <DIR> --d----- c:\docume~1\Soprano\applic~1\Songbird2
2008-12-21 18:28 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SongbirdVLC
2008-12-21 18:28 <DIR> --d----- c:\program files\Songbird
2008-12-13 17:26 8 a------- c:\windows\system32\nvModes.dat
2008-12-13 17:21 201,157 a------- c:\windows\system32\nvapps.nvb
2008-12-13 17:21 453,152 a------- c:\windows\system32\nvudisp.exe
2008-12-13 17:21 195,368 a------- c:\windows\system32\nvapps.xml
2008-12-13 17:21 18,477 a------- c:\windows\system32\nvdisp.nvu
2008-12-13 17:21 <DIR> --d----- c:\windows\nview
2008-12-13 17:21 453,152 a------- c:\windows\system32\NVUNINST.EXE
2008-12-11 14:56 <DIR> --d-h--- c:\windows\system32\GroupPolicy
2008-12-10 23:37 <DIR> --d----- c:\program files\RivaTuner v2.20
2008-12-07 21:10 <DIR> --d----- c:\docume~1\Soprano\applic~1\Sibelius Software
2008-12-07 21:09 <DIR> --d----- c:\program files\Sibelius Software
2008-12-06 16:25 12 a------- c:\windows\bthservsdp.dat
2008-12-06 15:11 374,576 a------- c:\temp\GPU-Z.0.3.0.exe
2008-12-06 14:53 72,308,256 a------- c:\temp\180.84_geforce_winxp_32bit_english_beta.exe
2008-12-04 22:59 <DIR> --d----- c:\program files\Microsoft
2008-12-03 16:56 507,400 a------- c:\windows\system32\XAudio2_1.dll
2008-12-03 16:56 65,032 a------- c:\windows\system32\XAPOFX1_0.dll
2008-12-03 16:56 3,850,760 a------- c:\windows\system32\D3DX9_38.dll
2008-12-03 16:56 1,491,992 a------- c:\windows\system32\D3DCompiler_38.dll
2008-12-03 16:56 467,984 a------- c:\windows\system32\d3dx10_38.dll
2008-12-03 16:56 238,088 a------- c:\windows\system32\xactengine3_1.dll
2008-12-03 16:56 25,608 a------- c:\windows\system32\X3DAudio1_4.dll
2008-12-03 16:56 <DIR> --d----- c:\windows\Logs
2008-12-03 16:54 <DIR> --d----- c:\windows\system32\xlive
2008-12-03 16:54 <DIR> --d----- c:\program files\Microsoft Games for Windows - LIVE
2008-12-03 16:02 <DIR> --d----- c:\windows\system32\XPSViewer
2008-12-03 16:02 14,048 a------- c:\windows\system32\spmsg2.dll
2008-12-02 23:11 1,253,376 a------- c:\windows\system32\NvPVEnc.ax
2008-11-30 08:14 376 a------- c:\windows\ODBC.INI
2008-11-30 08:14 17,920 a------- c:\windows\system32\mdimon.dll
2008-11-30 08:13 <DIR> --d----- c:\program files\common files\L&H
2008-11-30 08:13 <DIR> --d----- c:\program files\Microsoft ActiveSync
2008-11-30 08:12 <DIR> --d----- c:\windows\SHELLNEW
2008-11-28 20:02 <DIR> --d----- c:\documents and settings\Soprano\.gem
2008-11-28 19:58 <DIR> --d----- C:\ruby
2008-11-27 00:30 <DIR> --d----- c:\program files\Fraps

==================== Find3M ====================

2008-12-11 00:02 138,184 a------- c:\windows\system32\drivers\PnkBstrK.sys
2008-12-11 00:02 183,112 a------- c:\windows\system32\PnkBstrB.exe
2008-12-03 22:00 107,888 a------- c:\windows\system32\CmdLineExt.dll
2008-11-29 01:16 66,872 a------- c:\windows\system32\PnkBstrA.exe
2008-11-17 15:04 2,306,113 a------- c:\windows\system32\GPhotos.scr
2008-10-30 09:30 75,788 a------- c:\windows\luxe.exe
2008-10-28 17:41 14,303,392 a------- c:\windows\system32\xlive.dll
2008-10-28 17:41 13,643,936 a------- c:\windows\system32\xlivefnt.dll
2008-10-25 11:51 167,936 a------- c:\windows\system32\Updater.exe
2008-10-25 11:26 63,504 a------- c:\windows\system32\win.exe
2008-10-23 07:36 286,720 a------- c:\windows\system32\gdi32.dll
2008-10-19 09:16 22,328 a------- c:\docume~1\Soprano\applic~1\PnkBstrK.sys
2008-10-19 09:16 669,184 a------- c:\windows\system32\pbsvc.exe
2008-10-17 17:42 83,288 a------- c:\windows\system32\LMIRfsClientNP.dll
2008-10-17 17:42 87,352 a------- c:\windows\system32\LMIinit.dll
2008-10-17 17:42 28,984 a------- c:\windows\system32\LMIport.dll
2008-10-17 17:42 23,736 a------- c:\windows\system32\lmimirr.dll
2008-10-17 17:42 10,040 a------- c:\windows\system32\lmimirr2.dll
2008-10-16 15:38 826,368 a------- c:\windows\system32\wininet.dll
2008-10-03 05:02 247,326 a------- c:\windows\system32\strmdll.dll
2008-09-30 16:43 1,286,152 a------- c:\windows\system32\msxml4.dll

============= FINISH: 3:26:36.34 ===============


Any help that can be provided would greatly be appreciated.

Thanks!
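As an added triage example (not code from the thread or from HijackThis), the script below turns the patterns visible in the O4/O7 lines of the log above into rules and runs them over a constructed sample copied from that log; the `SYSTEM_BINARIES` watch-list, the `SUSPECT_DIRS` list and the "generated-looking name" heuristic are this example's own assumptions, so its output is a review list for a human, not a verdict.

```python
"""Triage helper for the HijackThis O4/O7 lines quoted in the post above.

Added example, not part of the thread or of HijackThis. Rules are drawn from
that log: programs launched from TEMP or Application Data, generated-looking
value names, images one edit away from a system binary name, and file names
with characters no real file can have. Output is a review list, not a verdict.
"""
import re

# Constructed sample: a subset of the O4/O7 lines from the first post, copied
# verbatim so the rules are checked against what was actually reported.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [jsf8j34rgfght] C:\WINDOWS\TEMP\winloggn.exe
O4 - HKLM\..\Run: [svchost.exe] C:\WINDOWS\system32\svch?st.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [cc6916d8] rundll32.exe "C:\WINDOWS\system32\mqyqwuqg.dll",b
O4 - HKCU\..\Run: [SfKg6wIP] C:\Documents and Settings\Soprano\Application Data\Microsoft\Windows\gvxyidy.exe
O4 - HKCU\..\Run: [Jnskdfmf9eldfd] C:\DOCUME~1\Soprano\LOCALS~1\Temp\csrssc.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
"""

O4_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\(?P<key>Run(?:Once)?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O7_RE = re.compile(r"^O7 - (?P<key>.+?), (?P<policy>\w+)=(?P<value>\d+)$")
# Assumed watch-list: names the files in this log imitate (winloggn, csrssc, svch?st).
SYSTEM_BINARIES = ("svchost", "csrss", "winlogon", "lsass", "services", "smss")
# Assumed: directories a Run entry rarely points into legitimately (lower-case, 8.3 forms too).
SUSPECT_DIRS = ("\\temp\\", "\\application data\\", "\\applic~1\\", "\\locals~1\\")

def edit_distance(a, b):
    """Levenshtein distance; one edit separates winloggn/winlogon or csrssc/csrss."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def split_command(cmd):
    """Return (image, arguments) for a Run-key command, quoted or not."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end], cmd[end + 1:].strip()
    m = re.match(r"(.+?\.exe)(?:\s+(.*))?$", cmd, re.IGNORECASE)
    if m:
        return m.group(1), m.group(2) or ""
    parts = cmd.split(None, 1)
    return parts[0], parts[1] if len(parts) > 1 else ""

def looks_generated(name):
    """Digits sandwiched between letters (jsf8j34rgfght, SfKg6wIP); GUIDs are ignored."""
    name = re.sub(r"\{[0-9A-Fa-f-]+\}", "", name)
    return re.search(r"[A-Za-z]\d+[A-Za-z]", name) is not None

def check_path(path):
    """Rules that apply to an executable or DLL path; returns a list of reasons."""
    reasons = []
    low = path.lower()
    base = low.replace("/", "\\").rsplit("\\", 1)[-1]
    stem = re.sub(r"\.[^.]+$", "", base)
    if any(d in low for d in SUSPECT_DIRS):
        reasons.append("runs from a temporary or per-user data directory")
    if any(c in path for c in '?*<>|"'):  # HijackThis prints unprintable chars as '?'
        reasons.append("file name contains characters invalid in a real path")
    for known in SYSTEM_BINARIES:
        if stem != known and edit_distance(stem, known) == 1:
            reasons.append("name is one edit away from '%s'" % known)
    return reasons

def triage(log_text):
    """Scan HijackThis-style text; return [(value name, path, reasons)] for hits only."""
    findings = []
    for line in log_text.strip().splitlines():
        m = O4_RE.match(line)
        if m:
            image, args = split_command(m.group("cmd"))
            reasons = check_path(image)
            if looks_generated(m.group("name")):
                reasons.append("generated-looking value name")
            # rundll32 is only a host process; judge the DLL it is told to load as well.
            dll = re.match(r'"?([^",]+\.(?:dll|cpl))', args, re.IGNORECASE)
            if image.lower().endswith("rundll32.exe") and dll:
                reasons += check_path(dll.group(1))
            if reasons:
                findings.append((m.group("name"), image, reasons))
            continue
        m = O7_RE.match(line)
        if m and m.group("policy") == "DisableRegedit" and m.group("value") == "1":
            findings.append((m.group("policy"), m.group("key"),
                             ["registry editor disabled by policy (DisableRegedit=1)"]))
    return findings

if __name__ == "__main__":
    for name, path, reasons in triage(SAMPLE_LOG):
        print("[%s] %s\n    - %s" % (name, path, "\n    - ".join(reasons)))
```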

#2 XLbuster

XLbuster
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  • Local time: 04:35 AM

Posted 25 December 2008 - 01:04 PM

I also ran the RootKitRevealer by sysinternals. The screenshot is attached.


#3 XLbuster

XLbuster
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  • Local time: 04:35 AM

Posted 26 December 2008 - 10:24 PM

Quick update. I was able to get AVG running on my PC (although it would not update to the latest definitions). I manually updated the virus database and did a scan in safe mode. I can now run FF; however, I still have problems routing (i.e. some sites go to 127.0.0.1). Still getting pop-ups, and I can't install Spybot because it tries to connect to the internet.

Edited by XLbuster, 26 December 2008 - 10:24 PM.


#4 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • OFFLINE
  • Local time: 05:35 PM

Posted 05 January 2009 - 09:26 AM

Please download Malwarebytes' Anti-Malware from HERE or HERE.

Note: If you already have Malwarebytes' Anti-Malware, just run and update it, then do a "Perform Full Scan".

Double-click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note.)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

NEXT

Please download RSIT by random/random and save it to your Desktop.
  • Double-click on RSIT.exe to run RSIT.
  • Before you click "Continue", make sure you change the "List files/folders created or modified" setting to "in the last 3 months".
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt and info.txt in your next reply.

NEXT

Please download GMER and unzip it to your Desktop.
  • Open the program and click on the Rootkit tab.
  • Make sure all the boxes on the right of the screen are checked, EXCEPT for ‘Show All’.
  • Click on Scan.
  • When the scan has run, click Copy, paste the results into Notepad, save it and attach it in this thread.


Post these logs in your next reply. Post each log in a separate post.

1. Malwarebytes' log
2. RSIT log.txt
3. RSIT info.txt
4. GMER result (attached)

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
It's gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#5 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • OFFLINE
  • Local time: 05:35 PM

Posted 12 January 2009 - 03:05 AM

Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic





