Virtumonde will not go away


This topic is locked
24 replies to this topic

#1 Josh66
  • Members
  • 15 posts

Posted 27 December 2008 - 01:40 PM

I have tried everything so far: Spybot S&D, Spyware Doctor with antivirus, Ad-Aware, Malwarebytes, VundoFix, SmitFraudFix, and ComboFix, but it keeps coming back after I delete it.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:39:30 PM, on 2008-12-27
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Verizon\McciTrayApp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Verizon Wireless\V CAST Music Manager\MEMonitor.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :
O2 - BHO: (no name) - {0e5c99d6-6b91-40ca-b15b-cbc230daa153} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Verizon_McciTrayApp] C:\Program Files\Verizon\McciTrayApp.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: MEMonitor.lnk = C:\Program Files\Verizon Wireless\V CAST Music Manager\MEMonitor.exe
O4 - Global Startup: Run Nintendo Wi-Fi USB Connector Registration Tool.lnk = C:\Program Files\WiFiConnector\NintendoWFCReg.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemyfios.verizon.net/sdcCommo...IOS/tgctlcm.cab
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/200612...ex/qtplugin.cab
O16 - DPF: {4EFA317A-8569-4788-B175-5BAF9731A549} (Microsoft Virtual Server VMRC Advanced Control) - http://www.vistatestdrive.com/ActiveX/VMRCActiveXClient1.cab
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://a.download.toontown.com/sv1.0.25.14/ttinst.cab
O20 - AppInit_DLLs: C:\WINDOWS\system32\zamivoru.dll c:\windows\system32\lugofetu.dll
O20 - Winlogon Notify: ddcDuRjK - C:\WINDOWS\
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 7226 bytes



Kaspersky


Saturday, December 27, 2008
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Saturday, December 27, 2008 13:28:06
Records in database: 1520697
Scan settings
Scan using the following database extended
Scan archives yes
Scan mail databases yes
Scan area My Computer
C:\
D:\
E:\
G:\
Scan statistics
Files scanned 74751
Threat name 4
Infected objects 5
Suspicious objects 0
Duration of the scan 01:30:32

File name Threat name Threats count
C:\Documents and Settings\Admin\Incomplete\Preview-T-217699-MILF Cruiser 9 © CinemaPlay DVDRiP XViD .zip Infected: Virus.Win32.Fontra.c 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\prunnet.exe.vir Infected: Trojan-Clicker.Win32.VB.cqq 1
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\BYGEJDW4\us1[1].exe Infected: Trojan.Win32.FraudPack.igs 1
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\PQ6GQ65N\us1[1].exe Infected: Trojan.Win32.FraudPack.igs 1
C:\WINDOWS\system32\nods32.dll Infected: Trojan-Downloader.Win32.BHO.aeh 1
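The lines a helper reads first in the HijackThis log above are the persistence hooks: the O20 AppInit_DLLs entry (two DLLs injected into every process that loads user32.dll), the O20 Winlogon Notify package whose path is a bare directory, and the O2 BHO whose CLSID is left over after its binary was removed. The script below is an added example, not part of this thread and not HijackThis code. It parses a handful of lines copied from the posted log (labelled as a constructed sample in the code) and applies my own heuristics: the eight-letter consonant/vowel name rule matches the DLL names Vundo dropped on this machine (zamivoru, lugofetu, gohifodi, ...), and the severity labels and regular expressions are assumptions, not anything HijackThis itself computes.

```python
"""Triage of HijackThis log lines for the persistence hooks Vundo abuses.

Added example; not part of the thread and not HijackThis code.  The sample
lines are copied from the log above, the scoring rules are my own heuristics."""
import re
from typing import List, NamedTuple, Optional

# Constructed sample: a subset of lines from the posted HijackThis log.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {0e5c99d6-6b91-40ca-b15b-cbc230daa153} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O20 - AppInit_DLLs: C:\WINDOWS\system32\zamivoru.dll c:\windows\system32\lugofetu.dll
O20 - Winlogon Notify: ddcDuRjK - C:\WINDOWS\
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
"""

HJT_LINE = re.compile(r"^([ORFN]\d+) - (.*)$")
# The DLLs Vundo dropped here (zamivoru, lugofetu, gohifodi, ...) are eight
# lowercase letters alternating consonant/vowel.  Heuristic, not a signature.
CVCV_NAME = re.compile(r"^(?:[bcdfghjklmnpqrstvwxyz][aeiou]){4}$")
# Drive-letter path up to the next space or quote (enough for 8.3 and system32 paths).
WIN_PATH = re.compile(r'[A-Za-z]:\\[^\s"]+')


class Finding(NamedTuple):
    section: str
    severity: str      # "high" or "review" (my labels, an assumption)
    reason: str
    line: str


def looks_generated(path: str) -> bool:
    """True for names like zamivoru.dll; False for SDHelper.dll or ssv.dll."""
    stem = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0].lower()
    return CVCV_NAME.match(stem) is not None


def triage_line(line: str) -> Optional[Finding]:
    m = HJT_LINE.match(line.strip())
    if not m:
        return None
    section, body = m.groups()
    paths = WIN_PATH.findall(body)
    if section == "O20" and body.startswith("AppInit_DLLs:"):
        # Every DLL listed here is loaded into every process that loads user32.dll.
        # On a home XP machine the legitimate value is empty.
        if body.split(":", 1)[1].strip():
            return Finding(section, "high", "AppInit_DLLs injects into every GUI process", line)
        return None
    if section == "O20" and body.startswith("Winlogon Notify:"):
        # A notification package with no DLL name (path ends in '\') or a generated name.
        target = paths[0] if paths else ""
        if not target or target.endswith("\\") or looks_generated(target):
            return Finding(section, "high", "Winlogon Notify package with missing or generated DLL name", line)
        return None
    if section == "O2" and body.endswith("(no file)"):
        return Finding(section, "review", "orphaned BHO CLSID, binary already removed", line)
    if section == "O10":
        # HijackThis lists any LSP it does not recognise; nwprovau.dll is normally
        # Microsoft's NetWare client provider, so this needs a look, not a delete.
        return Finding(section, "review", "Winsock LSP not on HijackThis' known list", line)
    if any(looks_generated(p) for p in paths):
        return Finding(section, "high", "autostart entry points at a generated-looking file name", line)
    return None


def triage_log(text: str) -> List[Finding]:
    found = [triage_line(l) for l in text.splitlines()]
    return [f for f in found if f is not None]


if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.section:4} {f.reason}\n         {f.line}")
```

On the sample this yields two high findings (both O20 lines) and two review items (the orphaned BHO and the LSP); every legitimate O2/O4/O23 line passes. The name rule is deliberately narrow: it would miss a dropper named to look like a vendor file, which is why the Kaspersky signature hits above (nods32.dll, the FraudPack downloads) still matter.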



#2 jedi
  • Members
  • 274 posts
  • Gender:Male
  • Location:UK

Posted 02 January 2009 - 07:14 AM

Hi,

I notice that you have Spybot's TeaTimer running. While this is normally a wonderful tool to protect against hijackers, it can also interfere with HijackThis fixes. So please disable TeaTimer by doing the following:
1) Run Spybot-S&D
2) Go to the Mode menu, and make sure "Advanced Mode" is selected
3) On the left hand side, choose Tools -> Resident
4) Uncheck "Resident TeaTimer" and OK any prompts
5) Restart your computer.
You can re-enable TeaTimer once your system is clean.

Next, if you have a copy of Combofix please delete it.

Next:

We will begin with ComboFix. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Please include the C:\ComboFix.txt in your next reply for further review.

jedi

#3 Josh66
  • Topic Starter
  • Members
  • 15 posts

Posted 02 January 2009 - 08:46 PM

ComboFix 09-01-01.02 - Klds in the hall 2009-01-02 12:09:36.1 - NTFSx86
Running from: c:\documents and settings\Klds in the hall\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Klds in the hall\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU(2).exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\windows\system32\404Fix.exe
c:\windows\system32\dumphive.exe
c:\windows\system32\esodohuy.ini
c:\windows\system32\fetunigu.dll
c:\windows\system32\fulefoze.dll
c:\windows\system32\IEDFix.C.exe
c:\windows\system32\IEDFix.exe
c:\windows\system32\o4Patch.exe
c:\windows\system32\oduveres.ini
c:\windows\system32\ohivesit.ini
c:\windows\system32\omozilel.ini
c:\windows\system32\Process.exe
c:\windows\system32\SrchSTS.exe
c:\windows\system32\tmp.reg
c:\windows\system32\umimiyop.ini
c:\windows\system32\VACFix.exe
c:\windows\system32\VCCLSID.exe
c:\windows\system32\WS2Fix.exe

----- BITS: Possible infected sites -----

hxxp://childhe.com
.
((((((((((((((((((((((((( Files Created from 2008-12-02 to 2009-01-02 )))))))))))))))))))))))))))))))
.

2009-01-02 15:11 . 2009-01-02 15:11 120 ---hs---- c:\windows\system32\oduveres.ini
2009-01-02 12:15 . 2009-01-02 12:15 <DIR> d-------- c:\windows\LastGood
2008-12-27 00:03 . 2008-12-27 00:03 <DIR> d-------- c:\program files\Trend Micro
2008-12-26 23:52 . 2008-12-26 23:52 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-12-26 23:52 . 2008-12-26 23:52 <DIR> d-------- c:\documents and settings\Klds in the hall\Application Data\Malwarebytes
2008-12-26 23:52 . 2008-12-26 23:52 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-26 23:52 . 2008-12-03 19:52 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-26 23:52 . 2008-12-03 19:52 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-12-25 23:46 . 2008-12-25 23:46 <DIR> d-------- C:\VundoFix Backups
2008-12-25 23:32 . 2008-12-25 23:32 230 --a------ c:\windows\system32\spupdsvc.inf
2008-12-25 16:37 . 2008-12-25 16:37 <DIR> d-------- c:\program files\LeapFrog
2008-12-24 14:21 . 2008-12-24 14:21 <DIR> d-------- c:\documents and settings\Administrator.OPTIMUSPRIME\SmitfraudFix
2008-12-24 14:16 . 2008-12-24 14:21 <DIR> d-------- c:\documents and settings\Administrator.OPTIMUSPRIME
2008-12-24 14:13 . 2008-12-12 00:57 78,336 --a------ c:\windows\system32\Agent.OMZ.Fix.exe
2008-12-24 14:10 . 2008-12-24 14:11 <DIR> d-------- c:\program files\Common Files\PC Tools
2008-12-24 14:10 . 2008-07-28 12:29 160,792 --a------ c:\windows\system32\drivers\pctfw2.sys
2008-12-24 14:09 . 2008-12-24 14:09 <DIR> d-------- c:\documents and settings\Klds in the hall\Application Data\PC Tools
2008-12-24 14:09 . 2008-12-24 14:09 <DIR> d-------- c:\documents and settings\All Users\Application Data\PC Tools
2008-12-24 14:09 . 2008-08-25 12:36 81,288 --a------ c:\windows\system32\drivers\iksyssec.sys
2008-12-24 14:09 . 2008-08-25 12:36 66,952 --a------ c:\windows\system32\drivers\iksysflt.sys
2008-12-24 14:09 . 2008-08-25 12:36 40,840 --a------ c:\windows\system32\drivers\ikfilesec.sys
2008-12-24 14:09 . 2008-06-02 16:19 29,576 --a------ c:\windows\system32\drivers\kcom.sys
2008-12-24 06:08 . 2008-12-24 06:08 2,713 ---hs---- c:\windows\system32\tavagato.exe
2008-12-23 13:04 . 2008-12-26 23:18 454 --a------ c:\windows\wininit.ini
2008-12-22 20:17 . 2008-12-22 20:17 46,592 --a------ c:\windows\system32\nods32.dll
2008-12-22 20:17 . 2008-12-22 20:17 1 --a------ c:\windows\system32\za.dat
2008-12-22 19:00 . 2008-12-22 19:00 <DIR> d-------- c:\documents and settings\Administrator\Application Data\acccore
2008-12-22 18:22 . 2009-01-02 12:05 <DIR> d-------- c:\program files\Spyware Doctor
2008-12-22 17:48 . 2008-12-22 17:48 <DIR> d-------- c:\documents and settings\Administrator
2008-12-22 16:55 . 2008-12-22 16:55 <DIR> d-------- c:\temp\REX81
2008-12-22 16:54 . 2008-12-22 22:49 <DIR> d-------- c:\windows\system32\cap2
2008-12-22 16:54 . 2008-12-22 16:55 <DIR> d-------- c:\windows\system32\ain
2008-12-22 16:54 . 2008-12-22 16:54 2 --a------ C:\-800892512
2008-12-22 16:39 . 2008-12-22 16:39 45,056 --a------ c:\windows\system32\iiffGATL.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-02 17:05 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2008-12-27 20:31 --------- d-----w c:\program files\Songbird_20080207
2008-12-23 18:20 --------- d-----w c:\documents and settings\Klds in the hall\Application Data\BitTorrent
2008-12-23 18:05 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-23 04:01 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-12-21 20:40 31 ----a-w c:\documents and settings\Klds in the hall\jagex_runescape_preferences.dat
2008-12-21 03:41 --------- d-----w c:\program files\AIMTunes
2008-11-19 21:56 --------- d-----w c:\program files\AIM6
2008-11-19 21:55 --------- d-----w c:\documents and settings\All Users\Application Data\AOL Downloads
2008-11-19 21:55 --------- d-----w c:\documents and settings\All Users\Application Data\acccore
2008-11-12 02:48 --------- d-----w c:\program files\En espanol
2008-11-07 05:15 --------- d-----w c:\program files\MSXML 4.0
2008-11-06 00:57 --------- d-----w c:\program files\File Recover
2005-05-04 03:16 23,988 ------r c:\program files\Adobe After Effects CS3 Lisez-moi.html
2005-05-04 03:16 21,379 ------r c:\program files\Adobe After Effects CS3 - Bitte lesen.html
2005-05-04 03:16 21,207 ------r c:\program files\Léame de Adobe After Effects CS3.html
2005-05-04 03:16 20,610 ------r c:\program files\Leggimi di Adobe After Effects CS3.html
2005-05-04 03:16 19,435 ----a-w c:\program files\Adobe After Effects CS3 ???????.html
2005-05-04 03:16 18,450 ------r c:\program files\Adobe After Effects CS3 Read Me.html
2006-05-03 09:06 163,328 --sha-r c:\windows\system32\flvDX.dll
2008-09-26 04:01 63,767 --sha-w c:\windows\system32\hafasego.dll
1601-01-01 00:12 61,096 --sha-w c:\windows\system32\heweluwi.dll
2007-02-21 10:47 31,232 --sha-r c:\windows\system32\msfDX.dll
2008-03-16 12:30 216,064 --sha-r c:\windows\system32\nbDX.dll
1601-01-01 00:12 61,096 --sha-w c:\windows\system32\nozoyago.dll
1601-01-01 00:12 61,096 --sha-w c:\windows\system32\woyevepa.dll
2008-09-26 04:01 63,767 --sha-w c:\windows\system32\zafufovi.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"Aim6"="" [BU]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"DAEMON Tools"="c:\program files\DAEMON Tools\daemon.exe" [2005-12-10 133016]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2007-02-13 35328]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2006-03-23 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-03-23 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-03-23 118784]
"Verizon_McciTrayApp"="c:\program files\Verizon\McciTrayApp.exe" [2007-03-11 936960]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2007-12-11 267048]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-05-27 413696]
"nenisepifo"="c:\windows\system32\woyevepa.dll" [ 61096]
"d043590f"="c:\windows\system32\serevudo.dll" [2009-01-02 86293]
"CPMd3706a93"="c:\windows\system32\gohifodi.dll" [2009-01-02 98903]
"SigmatelSysTrayApp"="stsystra.exe" [2005-03-22 c:\windows\stsystra.exe]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\SharedTaskScheduler]
"{EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4}"= "c:\windows\system32\gohifodi.dll" [2009-01-02 98903]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"SSODL"= {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\gohifodi.dll [2009-01-02 98903]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ddcDuRjK]
[BU]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.I420"= i420vfw.dll
"msvideo"= o100vc.dll
"vidc.3IV2"= 3ivxVfWCodec_dec.dll
"msacm.dvacm"= dvacm.acm

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0lsdelete

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli c:\windows\system32\zamivoru.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\Nero\\Nero 7\\Nero Home\\NeroHome.exe"=
"c:\\Program Files\\Canon\\DV Messenger\\DV Messenger.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Spyware Doctor\\sdloader.exe"=
"c:\\ComboFix\\fdsv.cfexe"=
"c:\\Program Files\\Verizon\\McciTrayApp.exe"=
"c:\\Program Files\\Verizon Wireless\\V CAST Music Manager\\MEMonitor.exe"=
"c:\\Program Files\\Spyware Doctor\\pctsTray.exe"=
"c:\\Program Files\\Winamp\\winampa.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\explorer.exe"=

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{12bb6eaa-a04f-11dc-a2a0-00160177191c}]
\Shell\AutoRun\command - f:\system\viewer\FlipVideoforPC.exe
\Shell\Flip Video for PC\command - f:\system\viewer\FlipVideoforPC.exe
.
Contents of the 'Scheduled Tasks' folder

2008-12-19 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 16:57]

2009-01-02 c:\windows\Tasks\mwmwzzsl.job
- c:\windows\system32\rundll32.exe [2004-08-04 00:56]
.
- - - - ORPHANS REMOVED - - - -

BHO-{0e5c99d6-6b91-40ca-b15b-cbc230daa153} - c:\windows\system32\wamejulu.dll


.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = iexplore
IE: Customize Menu
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Fill Forms
IE: RoboForm Toolbar
IE: Save Forms
LSP: c:\program files\Common Files\PC Tools\LSP\PCTLsp.dll
FF - ProfilePath - c:\documents and settings\Klds in the hall\Application Data\Mozilla\Firefox\Profiles\btebzw0b.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPTURNMED.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint_03050024.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-02 15:10:45
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\windows\system32\oduveres.ini 1262075 bytes

scan completed successfully
hidden files: 1

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(756)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'lsass.exe'(816)
c:\program files\Common Files\PC Tools\LSP\PCTLsp.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Viewpoint\Common\ViewpointService.exe
c:\program files\Verizon Wireless\V CAST Music Manager\MEMonitor.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Mozilla Firefox\firefox.exe
c:\program files\Internet Explorer\iexplore.exe
.
**************************************************************************
.
Completion time: 2009-01-02 15:13:03 - machine was rebooted [Klds in the hall]
ComboFix-quarantined-files.txt 2009-01-02 20:12:36
ComboFix2.txt 2008-12-26 05:18:44
ComboFix3.txt 2008-12-25 03:58:03
ComboFix4.txt 2008-12-25 01:25:17
ComboFix5.txt 2009-01-02 17:09:17

Pre-Run: 55,454,461,952 bytes free
Post-Run: 55,669,194,752 bytes free

227 --- E O F --- 2008-12-18 08:00:49
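What marks the Vundo files in the ComboFix log above is not only the names: the Find3M section shows DLLs stamped 1601-01-01 (the FILETIME epoch, a zeroed or forged timestamp), carrying the hidden+system attributes (`--sha-w`), and sitting in system32. The script below is an added example, not part of this thread and not ComboFix code. It parses both listing formats ComboFix prints ("Files Created" with two timestamps, "Find3M" with one) from a constructed sample of lines copied from the posted log, and scores each entry with weights that are my own assumptions, tuned to what was dropped on this machine.

```python
"""Heuristic triage of ComboFix "Files Created" and "Find3M" listings.

Added example; not part of the thread and not ComboFix code.  Sample lines are
copied from the log above; the weights are my own, tuned to what Vundo left on
this machine (CVCV names, 1601-01-01 timestamps, hidden+system files in system32)."""
import re
from typing import List, NamedTuple, Optional, Tuple

# Constructed sample: lines from both listing formats in the posted log.
SAMPLE = r"""
2009-01-02 15:11 . 2009-01-02 15:11 120 ---hs---- c:\windows\system32\oduveres.ini
2008-12-26 23:52 . 2008-12-03 19:52 38,496 --a------ c:\windows\system32\drivers\mbam.sys
2008-12-24 06:08 . 2008-12-24 06:08 2,713 ---hs---- c:\windows\system32\tavagato.exe
2008-12-22 20:17 . 2008-12-22 20:17 46,592 --a------ c:\windows\system32\nods32.dll
2008-12-22 16:54 . 2008-12-22 16:54 <DIR> d-------- c:\windows\system32\cap2
2006-05-03 09:06 163,328 --sha-r c:\windows\system32\flvDX.dll
2008-09-26 04:01 63,767 --sha-w c:\windows\system32\hafasego.dll
1601-01-01 00:12 61,096 --sha-w c:\windows\system32\heweluwi.dll
2008-11-07 05:15 --------- d-----w c:\program files\MSXML 4.0
"""

CF_LINE = re.compile(
    r"^(\d{4})-\d\d-\d\d \d\d:\d\d"              # first timestamp
    r"(?: \. (\d{4})-\d\d-\d\d \d\d:\d\d)?"       # second timestamp ("Files Created" only)
    r" (<DIR>|[\d,]+|-+) ([a-z-]+) (.+)$"         # size, attribute flags, path
)
# Eight lowercase letters alternating consonant/vowel, as in hafasego.dll.
CVCV_NAME = re.compile(r"^(?:[bcdfghjklmnpqrstvwxyz][aeiou]){4}$")


class Entry(NamedTuple):
    years: Tuple[str, ...]   # year of each timestamp on the line
    is_dir: bool
    attrs: str
    path: str


def parse_line(line: str) -> Optional[Entry]:
    m = CF_LINE.match(line.strip())
    if not m:
        return None
    y1, y2, size, attrs, path = m.groups()
    years = tuple(y for y in (y1, y2) if y)
    return Entry(years, size == "<DIR>" or attrs.startswith("d"), attrs, path)


def score(e: Entry) -> Tuple[int, List[str]]:
    """Weighted reasons; the weights are assumptions, not ComboFix's logic."""
    hits = []
    stem = e.path.rsplit("\\", 1)[-1].rsplit(".", 1)[0].lower()
    if "1601" in e.years:
        hits.append((3, "timestamp at the FILETIME epoch (1601-01-01): zeroed or forged"))
    if not e.is_dir and "h" in e.attrs and "s" in e.attrs:
        hits.append((2, "hidden+system attributes on a file"))
    if CVCV_NAME.match(stem):
        hits.append((2, "generated-looking consonant/vowel name"))
    if not e.is_dir and e.path.lower().startswith("c:\\windows\\system32\\"):
        hits.append((1, "dropped under system32"))
    return sum(w for w, _ in hits), [r for _, r in hits]


def triage(text: str) -> List[Tuple[str, str, List[str]]]:
    """(path, tier, reasons) for every entry scoring >= 3; 'high' at >= 4."""
    out = []
    for line in text.splitlines():
        e = parse_line(line)
        if e is None:
            continue
        total, reasons = score(e)
        if total >= 3:
            out.append((e.path, "high" if total >= 4 else "review", reasons))
    return out


if __name__ == "__main__":
    for path, tier, reasons in triage(SAMPLE):
        print(f"[{tier:6}] {path}: " + "; ".join(reasons))
```

On the sample, tavagato.exe, hafasego.dll and heweluwi.dll come out high, and oduveres.ini and flvDX.dll land in the review tier. Two caveats the output makes visible: "review" means check the publisher and hash, not delete (flvDX.dll scores only on attributes and location), and nods32.dll scores nothing at all because its name imitates a vendor file, so signature scanning and the heuristic cover different ground.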

#4 Josh66
  • Topic Starter
  • Members
  • 15 posts

Posted 04 January 2009 - 06:52 PM

I was just browsing the internet when a command prompt came up by itself. I immediately unplugged the internet cable and turned off the computer. I know that this is definitely not a good sign.

#5 Josh66
  • Topic Starter
  • Members
  • 15 posts

Posted 05 January 2009 - 04:49 PM

Update- computer freezes at the desktop, can only load in safe mode

#6 jedi
  • Members
  • 274 posts
  • Gender:Male
  • Location:UK

Posted 10 January 2009 - 05:02 AM

Hi,

Do this in safe mode.

Open notepad and copy/paste the text in the quotebox below into it (do not include the word ‘Quote’)

File::
c:\windows\system32\zamivoru.dll
c:\windows\system32\oduveres.ini
c:\windows\system32\spupdsvc.inf
c:\windows\system32\tavagato.exe
c:\windows\system32\nods32.dll
c:\windows\wininit.ini
c:\windows\system32\za.dat
c:\windows\system32\iiffGATL.dll
c:\windows\system32\hafasego.dll
c:\windows\system32\heweluwi.dll
c:\windows\system32\nozoyago.dll
c:\windows\system32\woyevepa.dll
c:\windows\system32\zafufovi.dll
c:\windows\system32\serevudo.dll
c:\windows\system32\gohifodi.dll
c:\windows\Tasks\mwmwzzsl.job
Folder::
c:\temp\REX81
c:\windows\system32\cap2
c:\windows\system32\ain
C:\-800892512
Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nenisepifo"=-
"d043590f"=-
"CPMd3706a93"=-
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\SharedTaskScheduler]
"{EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4}"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"SSODL"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ddcDuRjK]


Save this as CFScript

[Image: the CFScript file being dragged onto ComboFix.exe]

Referring to the picture above, drag CFScript into ComboFix.exe

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

jedi

#7 Josh66
  • Topic Starter
  • Members
  • 15 posts

Posted 10 January 2009 - 12:24 PM

ComboFix 09-01-01.02 - Klds in the hall 2009-01-10 12:12:49.1 - NTFSx86 NETWORK
Running from: c:\documents and settings\Klds in the hall\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Klds in the hall\Desktop\CfScript.txt

FILE ::
c:\windows\system32\gohifodi.dll
c:\windows\system32\hafasego.dll
c:\windows\system32\heweluwi.dll
c:\windows\system32\iiffGATL.dll
c:\windows\system32\nods32.dll
c:\windows\system32\nozoyago.dll
c:\windows\system32\oduveres.ini
c:\windows\system32\serevudo.dll
c:\windows\system32\spupdsvc.inf
c:\windows\system32\tavagato.exe
c:\windows\system32\woyevepa.dll
c:\windows\system32\za.dat
c:\windows\system32\zafufovi.dll
c:\windows\system32\zamivoru.dll
c:\windows\Tasks\mwmwzzsl.job
c:\windows\wininit.ini
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\-800892512\
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\temp\REX81
c:\temp\REX81\BDF.log
c:\windows\system32\ahatezad.ini
c:\windows\system32\ain
c:\windows\system32\arubugaz.ini
c:\windows\system32\cap2
c:\windows\system32\ddcCSiig.dll
c:\windows\system32\drivers\seneka.sys
c:\windows\system32\drivers\senekamlxvowee.sys
c:\windows\system32\duvapame.dll
c:\windows\system32\egapurir.ini
c:\windows\system32\emapavud.ini
c:\windows\system32\fibideja.dll
c:\windows\system32\gohifodi.dll
c:\windows\system32\hafasego.dll
c:\windows\system32\heweluwi.dll
c:\windows\system32\iiffGATL.dll
c:\windows\system32\izumizij.ini
c:\windows\system32\jizimuzi.dll
c:\windows\system32\kakinahu.dll
c:\windows\system32\mulirowo.dll
c:\windows\system32\nods32.dll
c:\windows\system32\nozoyago.dll
c:\windows\system32\obisuvuz.ini
c:\windows\system32\odubiwud.ini
c:\windows\system32\oduveres.ini
c:\windows\system32\pidagimu.dll
c:\windows\system32\pitorewe.dll
c:\windows\system32\rirupage.dll
c:\windows\system32\rufupiba.dll
c:\windows\system32\seneka.dat
c:\windows\system32\senekaaqpuiqhr.dll
c:\windows\system32\senekabfpcvyme.dll
c:\windows\system32\senekabvsibapq.dll
c:\windows\system32\senekadf.dat
c:\windows\system32\senekalog.dat
c:\windows\system32\spupdsvc.inf
c:\windows\system32\tavagato.exe
c:\windows\system32\tevaziva.dll
c:\windows\system32\uvakusab.ini
c:\windows\system32\vanabesa.dll
c:\windows\system32\watalove.dll
c:\windows\system32\wuduzuli.dll
c:\windows\system32\wulemake.dll
c:\windows\system32\yijanuze.dll
c:\windows\system32\za.dat
c:\windows\system32\zafufovi.dll
c:\windows\system32\zagubura.dll
c:\windows\Tasks\mwmwzzsl.job
c:\windows\wininit.ini

----- BITS: Possible infected sites -----

hxxp://77.74.48.105
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_SENEKA


((((((((((((((((((((((((( Files Created from 2008-12-10 to 2009-01-10 )))))))))))))))))))))))))))))))
.

2009-01-07 18:09 . 2009-01-07 18:09 73,216 --a------ c:\windows\system32\ffkuz.dll
2009-01-06 17:19 . 2009-01-06 17:20 <DIR> d-------- c:\program files\Common Files\PC Tools
2009-01-06 17:19 . 2009-01-06 17:19 <DIR> d-------- c:\documents and settings\Klds in the hall\Application Data\PC Tools
2009-01-06 17:19 . 2009-01-06 17:19 <DIR> d-------- c:\documents and settings\All Users\Application Data\PC Tools
2009-01-06 17:19 . 2008-07-28 12:29 160,792 --a------ c:\windows\system32\drivers\pctfw2.sys
2009-01-06 17:19 . 2008-08-25 12:36 81,288 --a------ c:\windows\system32\drivers\iksyssec.sys
2009-01-06 17:19 . 2008-08-25 12:36 66,952 --a------ c:\windows\system32\drivers\iksysflt.sys
2009-01-06 17:19 . 2008-08-25 12:36 40,840 --a------ c:\windows\system32\drivers\ikfilesec.sys
2009-01-06 17:19 . 2008-06-02 16:19 29,576 --a------ c:\windows\system32\drivers\kcom.sys
2009-01-04 20:07 . 2009-01-04 20:07 134,656 --a------ c:\windows\ehifenif.dll
2009-01-04 19:55 . 2009-01-04 19:55 40,448 --a------ c:\windows\system32\k9261108.exe
2009-01-04 19:55 . 2009-01-04 19:55 40,448 --a------ c:\windows\Kcisoyu.dll
2008-12-27 00:03 . 2008-12-27 00:03 <DIR> d-------- c:\program files\Trend Micro
2008-12-26 23:52 . 2008-12-26 23:52 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-12-26 23:52 . 2008-12-26 23:52 <DIR> d-------- c:\documents and settings\Klds in the hall\Application Data\Malwarebytes
2008-12-26 23:52 . 2008-12-26 23:52 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-26 23:52 . 2008-12-03 19:52 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-26 23:52 . 2008-12-03 19:52 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-12-25 23:46 . 2008-12-25 23:46 <DIR> d-------- C:\VundoFix Backups
2008-12-25 16:37 . 2008-12-25 16:37 <DIR> d-------- c:\program files\LeapFrog
2008-12-24 14:21 . 2008-12-24 14:21 <DIR> d-------- c:\documents and settings\Administrator.OPTIMUSPRIME\SmitfraudFix
2008-12-24 14:16 . 2008-12-24 14:21 <DIR> d-------- c:\documents and settings\Administrator.OPTIMUSPRIME
2008-12-24 14:13 . 2008-12-12 00:57 78,336 --a------ c:\windows\system32\Agent.OMZ.Fix.exe
2008-12-22 19:00 . 2008-12-22 19:00 <DIR> d-------- c:\documents and settings\Administrator\Application Data\acccore
2008-12-22 18:22 . 2009-01-10 11:55 <DIR> d-------- c:\program files\Spyware Doctor
2008-12-22 17:48 . 2008-12-22 17:48 <DIR> d-------- c:\documents and settings\Administrator
2008-12-22 16:54 . 2008-12-22 16:54 2 --a------ C:\-800892512

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-10 16:55 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-01-10 03:05 --------- d-----w c:\program files\Songbird_20080207
2009-01-09 20:34 --------- d-----w c:\program files\QuickTime
2009-01-06 22:24 --------- d-----w c:\documents and settings\Klds in the hall\Application Data\BitTorrent
2008-12-23 18:05 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-23 04:01 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-12-21 20:40 31 ----a-w c:\documents and settings\Klds in the hall\jagex_runescape_preferences.dat
2008-12-21 03:41 --------- d-----w c:\program files\AIMTunes
2008-11-19 21:56 --------- d-----w c:\program files\AIM6
2008-11-19 21:55 --------- d-----w c:\documents and settings\All Users\Application Data\AOL Downloads
2008-11-19 21:55 --------- d-----w c:\documents and settings\All Users\Application Data\acccore
2008-11-12 02:48 --------- d-----w c:\program files\En espanol
2005-05-04 03:16 23,988 ------r c:\program files\Adobe After Effects CS3 Lisez-moi.html
2005-05-04 03:16 21,379 ------r c:\program files\Adobe After Effects CS3 - Bitte lesen.html
2005-05-04 03:16 21,207 ------r c:\program files\Léame de Adobe After Effects CS3.html
2005-05-04 03:16 20,610 ------r c:\program files\Leggimi di Adobe After Effects CS3.html
2005-05-04 03:16 19,435 ----a-w c:\program files\Adobe After Effects CS3 ???????.html
2005-05-04 03:16 18,450 ------r c:\program files\Adobe After Effects CS3 Read Me.html
2006-05-03 09:06 163,328 --sha-r c:\windows\system32\flvDX.dll
1601-01-01 00:12 61,139 --sha-w c:\windows\system32\hupezivu.dll
1601-01-01 00:12 6,144 --sha-w c:\windows\system32\kakekuze.dll
2007-02-21 10:47 31,232 --sha-r c:\windows\system32\msfDX.dll
2008-03-16 12:30 216,064 --sha-r c:\windows\system32\nbDX.dll
1601-01-01 00:12 61,139 --sha-w c:\windows\system32\seyohehu.dll
1601-01-01 00:12 6,144 --sha-w c:\windows\system32\tenagoki.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0e5c99d6-6b91-40ca-b15b-cbc230daa153}]
c:\windows\system32\wulemake.dll [BU]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"Aim6"="" [BU]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"DAEMON Tools"="c:\program files\DAEMON Tools\daemon.exe" [2005-12-10 133016]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2007-02-13 35328]
"Verizon_McciTrayApp"="c:\program files\Verizon\McciTrayApp.exe" [2007-03-11 936960]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2007-12-11 267048]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"Atuwug"="c:\windows\ehifenif.dll" [2009-01-04 134656]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-11-04 413696]
"SigmatelSysTrayApp"="stsystra.exe" [2005-03-22 c:\windows\stsystra.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.I420"= i420vfw.dll
"msvideo"= o100vc.dll
"vidc.3IV2"= 3ivxVfWCodec_dec.dll
"msacm.dvacm"= dvacm.acm

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0lsdelete

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\Nero\\Nero 7\\Nero Home\\NeroHome.exe"=
"c:\\Program Files\\Canon\\DV Messenger\\DV Messenger.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Spyware Doctor\\sdloader.exe"=
"c:\\ComboFix\\fdsv.cfexe"=
"c:\\Program Files\\Verizon\\McciTrayApp.exe"=
"c:\\Program Files\\Verizon Wireless\\V CAST Music Manager\\MEMonitor.exe"=
"c:\\Program Files\\Spyware Doctor\\pctsTray.exe"=
"c:\\Program Files\\Winamp\\winampa.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\system32\\hkcmd.exe"=

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{12bb6eaa-a04f-11dc-a2a0-00160177191c}]
\Shell\AutoRun\command - f:\system\viewer\FlipVideoforPC.exe
\Shell\Flip Video for PC\command - f:\system\viewer\FlipVideoforPC.exe
.
Contents of the 'Scheduled Tasks' folder

2009-01-09 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 16:57]
.
.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = iexplore
IE: Customize Menu
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Fill Forms
IE: RoboForm Toolbar
IE: Save Forms
LSP: c:\program files\Common Files\PC Tools\LSP\PCTLsp.dll
FF - ProfilePath - c:\documents and settings\Klds in the hall\Application Data\Mozilla\Firefox\Profiles\btebzw0b.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPTURNMED.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint_03050024.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-10 12:19:12
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(752)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'lsass.exe'(816)
c:\program files\Common Files\PC Tools\LSP\PCTLsp.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Viewpoint\Common\ViewpointService.exe
c:\windows\system32\wscntfy.exe
c:\program files\Verizon Wireless\V CAST Music Manager\MEMonitor.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-01-10 12:22:03 - machine was rebooted [Klds in the hall]
ComboFix-quarantined-files.txt 2009-01-10 17:21:15
ComboFix2.txt 2008-12-26 05:18:44
ComboFix3.txt 2008-12-25 03:58:03
ComboFix4.txt 2008-12-25 01:25:17
ComboFix5.txt 2009-01-02 17:09:17

Pre-Run: 54,500,888,576 bytes free
Post-Run: 54,620,409,856 bytes free

254 --- E O F --- 2009-01-03 08:01:27

Hijack This
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:24:29 PM, on 2009-01-10
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Verizon\McciTrayApp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Verizon Wireless\V CAST Music Manager\MEMonitor.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :
O2 - BHO: (no name) - {0e5c99d6-6b91-40ca-b15b-cbc230daa153} - C:\WINDOWS\system32\wulemake.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [Verizon_McciTrayApp] C:\Program Files\Verizon\McciTrayApp.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Atuwug] rundll32.exe "C:\WINDOWS\ehifenif.dll",e
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - S-1-5-18 Startup: MEMonitor.lnk = C:\Program Files\Verizon Wireless\V CAST Music Manager\MEMonitor.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: MEMonitor.lnk = C:\Program Files\Verizon Wireless\V CAST Music Manager\MEMonitor.exe (User 'Default user')
O4 - Startup: MEMonitor.lnk = C:\Program Files\Verizon Wireless\V CAST Music Manager\MEMonitor.exe
O4 - Global Startup: Run Nintendo Wi-Fi USB Connector Registration Tool.lnk = C:\Program Files\WiFiConnector\NintendoWFCReg.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemyfios.verizon.net/sdcCommo...IOS/tgctlcm.cab
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/200612...ex/qtplugin.cab
O16 - DPF: {4EFA317A-8569-4788-B175-5BAF9731A549} (Microsoft Virtual Server VMRC Advanced Control) - http://www.vistatestdrive.com/ActiveX/VMRCActiveXClient1.cab
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://a.download.toontown.com/sv1.0.25.14/ttinst.cab
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 7466 bytes

#8 jedi

Posted 11 January 2009 - 04:44 AM

Hi again,

OK, if you can do these next steps in normal mode please do so, if not use safe mode with networking.

Open notepad and copy/paste the text in the quotebox below into it (do not include the word ‘Quote’)

File::
c:\windows\system32\ffkuz.dll
c:\windows\ehifenif.dll
c:\windows\system32\k9261108.exe
c:\windows\Kcisoyu.dll
c:\windows\system32\hupezivu.dll
c:\windows\system32\kakekuze.dll
c:\windows\system32\seyohehu.dll
c:\windows\system32\tenagoki.dll
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0e5c99d6-6b91-40ca-b15b-cbc230daa153}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Atuwug"=-


Save this as CFScript

Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

This will start ComboFix again. After reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply.

Next:

Please do the following:
Run a BitDefender Online scan Here and post the results.

Next:

Download the latest version of Kaspersky Virus Removal Tool
  • Close all other applications and double-click and run the installer.
  • When AVPTool starts, select all the scannable items except for CD-ROM drives and click the Scan button.
  • If malware is detected, place a checkmark in the Apply to all box, and click the Delete button (or Disinfect if the button is active).
  • After the scan finishes, if any threat remains in the Scan window (Red exclamation point), click the Neutralize all button
  • In the window that opens, place a checkmark in the Apply to all box, and click the Delete button (or Disinfect if the button is active).
  • If advised that a special disinfection procedure is required which demands system reboot: click the Ok button to close the window.
  • In the Scan window click the Reports button and select Save to file.
  • Name the report AVPT.txt, and save it to the Desktop.
  • Close AVPTool.
  • You will be prompted if you want to uninstall the program; click Yes.
  • You will then be prompted that to complete the uninstallation, the computer must be restarted. Select Yes to restart the system.
  • Copy and paste the first part of the report (Detected) that you saved in your next reply. Do not include the longer list marked Events.
So, I need to see:
  • Combofix output
  • Bitdefender report
  • Kaspersky report
jedi

#9 Josh66

Posted 11 January 2009 - 11:10 PM

ComboFix 09-01-01.02 - Klds in the hall 2009-01-11 11:54:35.1 - NTFSx86
Running from: c:\documents and settings\Klds in the hall\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Klds in the hall\Desktop\CFScript.txt
.
- REDUCED FUNCTIONALITY MODE -

FILE ::
c:\windows\ehifenif.dll
c:\windows\Kcisoyu.dll
c:\windows\system32\ffkuz.dll
c:\windows\system32\hupezivu.dll
c:\windows\system32\k9261108.exe
c:\windows\system32\kakekuze.dll
c:\windows\system32\seyohehu.dll
c:\windows\system32\tenagoki.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\ehifenif.dll
c:\windows\Kcisoyu.dll
c:\windows\system32\ffkuz.dll
c:\windows\system32\hupezivu.dll
c:\windows\system32\k9261108.exe
c:\windows\system32\kakekuze.dll
c:\windows\system32\seyohehu.dll
c:\windows\system32\tenagoki.dll

.
((((((((((((((((((((((((( Files Created from 2008-12-11 to 2009-01-11 )))))))))))))))))))))))))))))))
.

2009-01-06 17:19 . 2009-01-06 17:20 <DIR> d-------- c:\program files\Common Files\PC Tools
2009-01-06 17:19 . 2009-01-06 17:19 <DIR> d-------- c:\documents and settings\Klds in the hall\Application Data\PC Tools
2009-01-06 17:19 . 2009-01-06 17:19 <DIR> d-------- c:\documents and settings\All Users\Application Data\PC Tools
2009-01-06 17:19 . 2008-07-28 12:29 160,792 --a------ c:\windows\system32\drivers\pctfw2.sys
2009-01-06 17:19 . 2008-08-25 12:36 81,288 --a------ c:\windows\system32\drivers\iksyssec.sys
2009-01-06 17:19 . 2008-08-25 12:36 66,952 --a------ c:\windows\system32\drivers\iksysflt.sys
2009-01-06 17:19 . 2008-08-25 12:36 40,840 --a------ c:\windows\system32\drivers\ikfilesec.sys
2009-01-06 17:19 . 2008-06-02 16:19 29,576 --a------ c:\windows\system32\drivers\kcom.sys
2008-12-27 00:03 . 2008-12-27 00:03 <DIR> d-------- c:\program files\Trend Micro
2008-12-26 23:52 . 2008-12-26 23:52 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-12-26 23:52 . 2008-12-26 23:52 <DIR> d-------- c:\documents and settings\Klds in the hall\Application Data\Malwarebytes
2008-12-26 23:52 . 2008-12-26 23:52 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-26 23:52 . 2008-12-03 19:52 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-26 23:52 . 2008-12-03 19:52 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-12-25 23:46 . 2008-12-25 23:46 <DIR> d-------- C:\VundoFix Backups
2008-12-25 16:37 . 2008-12-25 16:37 <DIR> d-------- c:\program files\LeapFrog
2008-12-24 14:21 . 2008-12-24 14:21 <DIR> d-------- c:\documents and settings\Administrator.OPTIMUSPRIME\SmitfraudFix
2008-12-24 14:16 . 2008-12-24 14:21 <DIR> d-------- c:\documents and settings\Administrator.OPTIMUSPRIME
2008-12-24 14:13 . 2008-12-12 00:57 78,336 --a------ c:\windows\system32\Agent.OMZ.Fix.exe
2008-12-22 19:00 . 2008-12-22 19:00 <DIR> d-------- c:\documents and settings\Administrator\Application Data\acccore
2008-12-22 18:22 . 2009-01-11 01:03 <DIR> d-------- c:\program files\Spyware Doctor
2008-12-22 17:48 . 2008-12-22 17:48 <DIR> d-------- c:\documents and settings\Administrator
2008-12-22 16:54 . 2008-12-22 16:54 2 --a------ C:\-800892512

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-11 06:03 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-01-10 22:43 --------- d-----w c:\program files\AIMTunes
2009-01-10 03:05 --------- d-----w c:\program files\Songbird_20080207
2009-01-09 20:34 --------- d-----w c:\program files\QuickTime
2009-01-06 22:24 --------- d-----w c:\documents and settings\Klds in the hall\Application Data\BitTorrent
2009-01-04 23:03 97,000 --sha-w c:\windows\system32\zahatahe.dll
2009-01-03 19:19 97,581 ----a-w c:\windows\system32\lebobofu.dll
2009-01-03 04:55 98,939 --sha-w c:\windows\system32\jedepona.dll
2009-01-01 19:55 97,056 --sha-w c:\windows\system32\vajapaso.dll
2008-12-31 20:01 98,974 --sha-w c:\windows\system32\miyovawa.dll
2008-12-23 18:05 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-23 04:01 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-12-21 20:40 31 ----a-w c:\documents and settings\Klds in the hall\jagex_runescape_preferences.dat
2008-11-19 21:56 --------- d-----w c:\program files\AIM6
2008-11-19 21:55 --------- d-----w c:\documents and settings\All Users\Application Data\AOL Downloads
2008-11-19 21:55 --------- d-----w c:\documents and settings\All Users\Application Data\acccore
2008-11-12 02:48 --------- d-----w c:\program files\En espanol
2008-10-23 13:01 283,648 ----a-w c:\windows\system32\gdi32.dll
2008-10-16 19:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 19:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 19:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 19:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 19:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 19:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 19:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 19:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 10:20 667,648 ----a-w c:\windows\system32\wininet.dll
2005-05-04 03:16 23,988 ------r c:\program files\Adobe After Effects CS3 Lisez-moi.html
2005-05-04 03:16 21,379 ------r c:\program files\Adobe After Effects CS3 - Bitte lesen.html
2005-05-04 03:16 21,207 ------r c:\program files\Léame de Adobe After Effects CS3.html
2005-05-04 03:16 20,610 ------r c:\program files\Leggimi di Adobe After Effects CS3.html
2005-05-04 03:16 19,435 ----a-w c:\program files\Adobe After Effects CS3 ???????.html
2005-05-04 03:16 18,450 ------r c:\program files\Adobe After Effects CS3 Read Me.html
2006-05-03 09:06 163,328 --sha-r c:\windows\system32\flvDX.dll
2007-02-21 10:47 31,232 --sha-r c:\windows\system32\msfDX.dll
2008-03-16 12:30 216,064 --sha-r c:\windows\system32\nbDX.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"Aim6"="" [BU]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"DAEMON Tools"="c:\program files\DAEMON Tools\daemon.exe" [2005-12-10 133016]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2007-02-13 35328]
"Verizon_McciTrayApp"="c:\program files\Verizon\McciTrayApp.exe" [2007-03-11 936960]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2007-12-11 267048]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-11-04 413696]
"SigmatelSysTrayApp"="stsystra.exe" [2005-03-22 c:\windows\stsystra.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.I420"= i420vfw.dll
"msvideo"= o100vc.dll
"vidc.3IV2"= 3ivxVfWCodec_dec.dll
"msacm.dvacm"= dvacm.acm

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0lsdelete

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\Nero\\Nero 7\\Nero Home\\NeroHome.exe"=
"c:\\Program Files\\Canon\\DV Messenger\\DV Messenger.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Spyware Doctor\\sdloader.exe"=
"c:\\ComboFix\\fdsv.cfexe"=
"c:\\Program Files\\Verizon\\McciTrayApp.exe"=
"c:\\Program Files\\Verizon Wireless\\V CAST Music Manager\\MEMonitor.exe"=
"c:\\Program Files\\Spyware Doctor\\pctsTray.exe"=
"c:\\Program Files\\Winamp\\winampa.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\system32\\hkcmd.exe"=

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{12bb6eaa-a04f-11dc-a2a0-00160177191c}]
\Shell\AutoRun\command - f:\system\viewer\FlipVideoforPC.exe
\Shell\Flip Video for PC\command - f:\system\viewer\FlipVideoforPC.exe

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder

2009-01-09 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 16:57]
.
.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = iexplore
IE: Customize Menu
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Fill Forms
IE: RoboForm Toolbar
IE: Save Forms
LSP: c:\program files\Common Files\PC Tools\LSP\PCTLsp.dll
FF - ProfilePath - c:\documents and settings\Klds in the hall\Application Data\Mozilla\Firefox\Profiles\btebzw0b.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPTURNMED.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint_03050024.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-11 11:55:08
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(752)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'lsass.exe'(812)
c:\program files\Common Files\PC Tools\LSP\PCTLsp.dll
.
Completion time: 2009-01-11 11:56:50
ComboFix-quarantined-files.txt 2009-01-11 16:56:15
ComboFix2.txt 2009-01-10 17:22:04
ComboFix3.txt 2008-12-26 05:18:44
ComboFix4.txt 2008-12-25 03:58:03
ComboFix5.txt 2009-01-11 16:54:18

Pre-Run: 54,616,842,240 bytes free
Post-Run: 54,605,115,392 bytes free

191 --- E O F --- 2009-01-03 08:01:27



BitDefender showed no threats.

AVPT
Scan
----
Scanned: 796120
Detected: 7
Untreated: 0
Start time: 2009-01-11 7:55:34 PM
Duration: 03:05:42
Finish time: 2009-01-11 11:01:16 PM


Detected
--------
Status Object
------ ------
deleted: Trojan program Trojan.Win32.Agent.bfdf File: C:\Qoobox\Quarantine\C\WINDOWS\system32\duvapame.dll.vir
deleted: Trojan program Trojan-Downloader.Win32.Murlo.vn File: C:\Qoobox\Quarantine\C\WINDOWS\system32\ffkuz.dll.vir
deleted: Trojan program Trojan.Win32.Agent.bfdf File: C:\Qoobox\Quarantine\C\WINDOWS\system32\jizimuzi.dll.vir
deleted: Trojan program Trojan-Downloader.Win32.BHO.aeh File: C:\Qoobox\Quarantine\C\WINDOWS\system32\nods32.dll.vir//PE_Patch.UPX//UPX
deleted: Trojan program Trojan.Win32.Agent.bfdf File: C:\Qoobox\Quarantine\C\WINDOWS\system32\rirupage.dll.vir
deleted: Trojan program Trojan.Win32.Agent.bfdf File: C:\Qoobox\Quarantine\C\WINDOWS\system32\tenagoki.dll.vir
deleted: Trojan program Trojan.Win32.Agent.bfdf File: C:\Qoobox\Quarantine\C\WINDOWS\system32\zagubura.dll.vir

Edited by Josh66, 11 January 2009 - 11:11 PM.


#10 jedi

Posted 12 January 2009 - 01:09 PM

Hi again,

Delete the copy of Combofix you currently have. Download a fresh one here:
ComboFix
Open notepad and copy/paste the text in the quotebox below into it (do not include the word ‘Quote’)

File::
c:\windows\system32\zahatahe.dll
c:\windows\system32\lebobofu.dll
c:\windows\system32\jedepona.dll
c:\windows\system32\vajapaso.dll
c:\windows\system32\miyovawa.dll


Save this as CFScript

Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

This will start ComboFix again. After reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

jedi
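As an added example (not ComboFix's own tooling and not code from anyone in this thread), the triage the helper does by hand in posts #8 and #10 can be scripted: read the ComboFix log, flag the Vundo-style artefacts visible in the posted logs (eight-letter pseudo-random DLL names, hidden+system attributes, the 1601-01-01 zeroed timestamps, and the Run value or Browser Helper Object that loads such a file) and draft a CFScript in the File:: / Registry:: layout used above. The line formats and the heuristics are assumptions modelled on the posted logs, and the sample log is constructed from a few lines of those logs plus benign entries; a draft like this still needs a helper to check every entry before it goes back to the user.

```python
"""Triage a ComboFix log for Vundo-style artefacts and draft a CFScript.

Added example, not ComboFix's tooling. Line layouts and heuristics are
assumptions modelled on the logs posted in this thread.
"""
import re

VOWELS = set("aeiou")

# Line shapes seen in the posted ComboFix output (assumed, not a documented spec).
FIND3M_RE = re.compile(
    r"^(\d{4})-\d{2}-\d{2} \d{2}:\d{2} (?:[\d,]+|-+) (\S{7}) (.+)$")
CREATED_RE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} \. \d{4}-\d{2}-\d{2} \d{2}:\d{2} "
    r"(?:[\d,]+|<DIR>) \S{9} (.+)$")
REG_KEY_RE = re.compile(r"^\[(.+)\]$")
REG_VALUE_RE = re.compile(r'^"([^"]+)"="([^"]*)"')
BHO_FILE_RE = re.compile(r"^(\S+\.dll)(?: \[BU\])?$", re.IGNORECASE)


def looks_random(basename):
    """Vundo-style name: 8 letters, consonants and vowels strictly alternating."""
    stem, _, ext = basename.lower().rpartition(".")
    if ext not in ("dll", "exe") or len(stem) != 8 or not stem.isalpha():
        return False
    return all((stem[i] in VOWELS) != (stem[i + 1] in VOWELS) for i in range(7))


def in_windows_dir(path):
    """Only the two directories the posted logs show the DLLs dropped into."""
    return path.lower().rpartition("\\")[0] in ("c:\\windows", "c:\\windows\\system32")


def triage(log_text):
    """Return ({path: [reasons]}, [registry keys to delete], [(key, value name)])."""
    files, del_keys, del_values = {}, [], []
    current_key = None
    for raw in log_text.splitlines():
        line = raw.strip()
        m = REG_KEY_RE.match(line)
        if m:
            current_key = m.group(1)
            continue
        if current_key and current_key.lower().endswith("\\run"):
            m = REG_VALUE_RE.match(line)      # "Name"="target" [date size]
            if m and looks_random(m.group(2).rpartition("\\")[2]):
                del_values.append((current_key, m.group(1)))
            continue
        if current_key and "browser helper objects" in current_key.lower():
            m = BHO_FILE_RE.match(line)       # BHO DLL path, possibly marked [BU]
            if m and looks_random(m.group(1).rpartition("\\")[2]):
                del_keys.append(current_key)
            continue
        reasons, path = [], None
        m = FIND3M_RE.match(line)
        if m:
            year, attrs, path = m.groups()
            if year == "1601":
                reasons.append("zeroed (1601) timestamp")
            if "s" in attrs and "h" in attrs:
                reasons.append("hidden+system attributes")
        elif CREATED_RE.match(line):
            path = CREATED_RE.match(line).group(1)
        if path and in_windows_dir(path):
            if looks_random(path.rpartition("\\")[2]):
                reasons.insert(0, "random-looking name")
            # Hidden+system alone is not enough: legitimate --sha-r codec DLLs
            # sit in the same report, so require a name or timestamp hit.
            if "random-looking name" in reasons or "zeroed (1601) timestamp" in reasons:
                files[path] = reasons
    return files, del_keys, del_values


def build_cfscript(files, del_keys, del_values):
    """File:: / Registry:: layout from the thread: [-key] drops a key, "Name"=- a value."""
    out = ["File::", *sorted(files)]
    if del_keys or del_values:
        out.append("Registry::")
        out += [f"[-{key}]" for key in del_keys]
        last_key = None
        for key, name in del_values:
            if key != last_key:
                out.append(f"[{key}]")
                last_key = key
            out.append(f'"{name}"=-')
    return "\n".join(out) + "\n"


# Constructed sample: a few lines taken from the logs above plus benign entries.
SAMPLE_LOG = r"""
((((((((((((((((((((((((( Files Created from 2008-12-10 to 2009-01-10 )))))))))))))))))))))))))))))))
2009-01-04 20:07 . 2009-01-04 20:07 134,656 --a------ c:\windows\ehifenif.dll
2008-12-26 23:52 . 2008-12-03 19:52 15,504 --a------ c:\windows\system32\drivers\mbam.sys
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
2006-05-03 09:06 163,328 --sha-r c:\windows\system32\flvDX.dll
1601-01-01 00:12 61,139 --sha-w c:\windows\system32\hupezivu.dll
2008-10-23 13:01 283,648 ----a-w c:\windows\system32\gdi32.dll
2009-01-04 23:03 97,000 --sha-w c:\windows\system32\zahatahe.dll
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0e5c99d6-6b91-40ca-b15b-cbc230daa153}]
c:\windows\system32\wulemake.dll [BU]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Atuwug"="c:\windows\ehifenif.dll" [2009-01-04 134656]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-11-04 413696]
"""

if __name__ == "__main__":
    print(build_cfscript(*triage(SAMPLE_LOG)))
```

Run against the sample, the draft lists the three random-named DLLs under File::, drops the BHO key that loads wulemake.dll, and removes only the "Atuwug" value from the HKLM Run key, leaving QuickTime, gdi32.dll, the --sha-r codec DLL and the Malwarebytes driver alone.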

#11 Josh66

Posted 12 January 2009 - 02:44 PM

ComboFix 09-01-01.02 - Klds in the hall 2009-01-12 14:34:08.2 - NTFSx86
Running from: c:\documents and settings\Klds in the hall\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Klds in the hall\Desktop\CFScript.txt
.
- REDUCED FUNCTIONALITY MODE -

FILE ::
c:\windows\system32\jedepona.dll
c:\windows\system32\lebobofu.dll
c:\windows\system32\miyovawa.dll
c:\windows\system32\vajapaso.dll
c:\windows\system32\zahatahe.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\jedepona.dll
c:\windows\system32\lebobofu.dll

.
((((((((((((((((((((((((( Files Created from 2008-12-12 to 2009-01-12 )))))))))))))))))))))))))))))))
.

2009-01-11 19:55 . 2009-01-11 23:12 868,384 --ahs---- c:\windows\system32\drivers\fidbox.dat
2009-01-11 19:55 . 2009-01-11 23:12 11,252 --ahs---- c:\windows\system32\drivers\fidbox.idx
2009-01-11 12:10 . 2009-01-11 12:22 <DIR> d-------- c:\windows\BDOSCAN8
2009-01-06 17:19 . 2009-01-06 17:20 <DIR> d-------- c:\program files\Common Files\PC Tools
2009-01-06 17:19 . 2009-01-06 17:19 <DIR> d-------- c:\documents and settings\Klds in the hall\Application Data\PC Tools
2009-01-06 17:19 . 2009-01-06 17:19 <DIR> d-------- c:\documents and settings\All Users\Application Data\PC Tools
2009-01-06 17:19 . 2008-07-28 12:29 160,792 --a------ c:\windows\system32\drivers\pctfw2.sys
2009-01-06 17:19 . 2008-08-25 12:36 81,288 --a------ c:\windows\system32\drivers\iksyssec.sys
2009-01-06 17:19 . 2008-08-25 12:36 66,952 --a------ c:\windows\system32\drivers\iksysflt.sys
2009-01-06 17:19 . 2008-08-25 12:36 40,840 --a------ c:\windows\system32\drivers\ikfilesec.sys
2009-01-06 17:19 . 2008-06-02 16:19 29,576 --a------ c:\windows\system32\drivers\kcom.sys
2008-12-27 00:03 . 2008-12-27 00:03 <DIR> d-------- c:\program files\Trend Micro
2008-12-26 23:52 . 2008-12-26 23:52 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-12-26 23:52 . 2008-12-26 23:52 <DIR> d-------- c:\documents and settings\Klds in the hall\Application Data\Malwarebytes
2008-12-26 23:52 . 2008-12-26 23:52 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-26 23:52 . 2008-12-03 19:52 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-26 23:52 . 2008-12-03 19:52 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-12-25 23:46 . 2008-12-25 23:46 <DIR> d-------- C:\VundoFix Backups
2008-12-25 16:37 . 2008-12-25 16:37 <DIR> d-------- c:\program files\LeapFrog
2008-12-24 14:21 . 2008-12-24 14:21 <DIR> d-------- c:\documents and settings\Administrator.OPTIMUSPRIME\SmitfraudFix
2008-12-24 14:16 . 2008-12-24 14:21 <DIR> d-------- c:\documents and settings\Administrator.OPTIMUSPRIME
2008-12-24 14:13 . 2008-12-12 00:57 78,336 --a------ c:\windows\system32\Agent.OMZ.Fix.exe
2008-12-22 19:00 . 2008-12-22 19:00 <DIR> d-------- c:\documents and settings\Administrator\Application Data\acccore
2008-12-22 18:22 . 2009-01-11 01:03 <DIR> d-------- c:\program files\Spyware Doctor
2008-12-22 17:48 . 2008-12-22 17:48 <DIR> d-------- c:\documents and settings\Administrator
2008-12-22 16:54 . 2008-12-22 16:54 2 --a------ C:\-800892512

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-12 04:00 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-01-11 22:53 --------- d-----w c:\program files\AIMTunes
2009-01-11 19:46 --------- d-----w c:\program files\Songbird_20080207
2009-01-09 20:34 --------- d-----w c:\program files\QuickTime
2009-01-06 22:24 --------- d-----w c:\documents and settings\Klds in the hall\Application Data\BitTorrent
2008-12-23 18:05 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-23 04:01 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-12-21 20:40 31 ----a-w c:\documents and settings\Klds in the hall\jagex_runescape_preferences.dat
2008-11-19 21:56 --------- d-----w c:\program files\AIM6
2008-11-19 21:55 --------- d-----w c:\documents and settings\All Users\Application Data\AOL Downloads
2008-11-19 21:55 --------- d-----w c:\documents and settings\All Users\Application Data\acccore
2008-11-12 02:48 --------- d-----w c:\program files\En espanol
2008-10-23 13:01 283,648 ----a-w c:\windows\system32\gdi32.dll
2008-10-16 19:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 19:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 19:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 19:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 19:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 19:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 19:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 19:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 10:20 667,648 ----a-w c:\windows\system32\wininet.dll
2005-05-04 03:16 23,988 ------r c:\program files\Adobe After Effects CS3 Lisez-moi.html
2005-05-04 03:16 21,379 ------r c:\program files\Adobe After Effects CS3 - Bitte lesen.html
2005-05-04 03:16 21,207 ------r c:\program files\Léame de Adobe After Effects CS3.html
2005-05-04 03:16 20,610 ------r c:\program files\Leggimi di Adobe After Effects CS3.html
2005-05-04 03:16 19,435 ----a-w c:\program files\Adobe After Effects CS3 ???????.html
2005-05-04 03:16 18,450 ------r c:\program files\Adobe After Effects CS3 Read Me.html
2006-05-03 09:06 163,328 --sha-r c:\windows\system32\flvDX.dll
2007-02-21 10:47 31,232 --sha-r c:\windows\system32\msfDX.dll
2008-03-16 12:30 216,064 --sha-r c:\windows\system32\nbDX.dll
.

((((((((((((((((((((((((((((( snapshot@2009-01-11_11.55.19.89 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-01-11 17:10:22 45,056 ----a-w c:\windows\BDOSCAN8\avxdisk.dll
+ 2009-01-11 17:10:23 10,240 ----a-w c:\windows\BDOSCAN8\avxs.dll
+ 2009-01-11 17:10:23 27,136 ----a-w c:\windows\BDOSCAN8\avxt.dll
+ 2009-01-11 17:10:28 102,400 ----a-w c:\windows\BDOSCAN8\bdcore.dll
+ 2008-01-09 20:01:48 118,784 ----a-w c:\windows\BDOSCAN8\bdupd.dll
+ 2008-01-09 20:01:48 53,248 ----a-w c:\windows\BDOSCAN8\ipsupd.dll
+ 2009-01-11 17:10:29 142,848 ----a-w c:\windows\BDOSCAN8\libfn.dll
+ 2009-01-11 17:10:24 86,016 ----a-w c:\windows\BDOSCAN8\librtvr.dll
+ 2008-01-09 20:01:48 53,248 ----a-w c:\windows\bdoscandel.exe
+ 2008-01-09 20:01:48 118,784 ----a-w c:\windows\Downloaded Program Files\bdupd.dll
+ 2008-01-09 20:01:48 53,248 ----a-w c:\windows\Downloaded Program Files\ipsupd.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"Aim6"="" [BU]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"DAEMON Tools"="c:\program files\DAEMON Tools\daemon.exe" [2005-12-10 133016]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2007-02-13 35328]
"Verizon_McciTrayApp"="c:\program files\Verizon\McciTrayApp.exe" [2007-03-11 936960]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2007-12-11 267048]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-11-04 413696]
"SigmatelSysTrayApp"="stsystra.exe" [2005-03-22 c:\windows\stsystra.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.I420"= i420vfw.dll
"msvideo"= o100vc.dll
"vidc.3IV2"= 3ivxVfWCodec_dec.dll
"msacm.dvacm"= dvacm.acm

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0lsdelete

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\Nero\\Nero 7\\Nero Home\\NeroHome.exe"=
"c:\\Program Files\\Canon\\DV Messenger\\DV Messenger.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Spyware Doctor\\sdloader.exe"=
"c:\\ComboFix\\fdsv.cfexe"=
"c:\\Program Files\\Verizon\\McciTrayApp.exe"=
"c:\\Program Files\\Verizon Wireless\\V CAST Music Manager\\MEMonitor.exe"=
"c:\\Program Files\\Spyware Doctor\\pctsTray.exe"=
"c:\\Program Files\\Winamp\\winampa.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\system32\\hkcmd.exe"=

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{12bb6eaa-a04f-11dc-a2a0-00160177191c}]
\Shell\AutoRun\command - f:\system\viewer\FlipVideoforPC.exe
\Shell\Flip Video for PC\command - f:\system\viewer\FlipVideoforPC.exe
.
Contents of the 'Scheduled Tasks' folder

2009-01-09 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 16:57]
.
.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = iexplore
IE: Customize Menu
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Fill Forms
IE: RoboForm Toolbar
IE: Save Forms
LSP: c:\program files\Common Files\PC Tools\LSP\PCTLsp.dll
FF - ProfilePath - c:\documents and settings\Klds in the hall\Application Data\Mozilla\Firefox\Profiles\btebzw0b.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPTURNMED.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint_03050024.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-12 14:34:38
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(748)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'lsass.exe'(808)
c:\program files\Common Files\PC Tools\LSP\PCTLsp.dll
.
Completion time: 2009-01-12 14:36:28
ComboFix-quarantined-files.txt 2009-01-12 19:35:51
ComboFix2.txt 2009-01-11 16:56:51
ComboFix3.txt 2009-01-10 17:22:04
ComboFix4.txt 2008-12-26 05:18:44
ComboFix5.txt 2009-01-12 19:33:46

Pre-Run: 54,899,187,712 bytes free
Post-Run: 54,995,910,656 bytes free

193 --- E O F --- 2009-01-03 08:01:27

HijackThis

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:43:59 PM, on 2009-01-12
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Verizon\McciTrayApp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Verizon Wireless\V CAST Music Manager\MEMonitor.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Java\jre1.6.0_07\bin\jucheck.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [Verizon_McciTrayApp] C:\Program Files\Verizon\McciTrayApp.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - S-1-5-18 Startup: MEMonitor.lnk = C:\Program Files\Verizon Wireless\V CAST Music Manager\MEMonitor.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: MEMonitor.lnk = C:\Program Files\Verizon Wireless\V CAST Music Manager\MEMonitor.exe (User 'Default user')
O4 - Startup: MEMonitor.lnk = C:\Program Files\Verizon Wireless\V CAST Music Manager\MEMonitor.exe
O4 - Global Startup: Run Nintendo Wi-Fi USB Connector Registration Tool.lnk = C:\Program Files\WiFiConnector\NintendoWFCReg.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemyfios.verizon.net/sdcCommo...IOS/tgctlcm.cab
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/200612...ex/qtplugin.cab
O16 - DPF: {4EFA317A-8569-4788-B175-5BAF9731A549} (Microsoft Virtual Server VMRC Advanced Control) - http://www.vistatestdrive.com/ActiveX/VMRCActiveXClient1.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://a.download.toontown.com/sv1.0.25.14/ttinst.cab
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 7580 bytes
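One thing the log above shows only implicitly: of the five DLLs named in the CFScript, ComboFix lists just two under "Other Deletions". As an added example (not part of this thread, and not ComboFix's own code), the Python script below reads a ComboFix log of this shape, reconciles the paths echoed in its "FILE ::" section against the "Other Deletions" section, and separately flags any system32 DLL whose name is eight lowercase letters, the naming pattern every Vundo DLL in this thread follows. The embedded log is a constructed, abbreviated copy of the one posted above, and the eight-letter naming heuristic is my assumption for illustration, not a rule ComboFix applies.

```python
import re

# Constructed sample: an abbreviated ComboFix log with the same layout as the
# one posted in this thread (the "FILE ::" echo of the CFScript, then the
# "Other Deletions" section, then the start of "Files Created").
SAMPLE_LOG = r"""
ComboFix 09-01-01.02 - user 2009-01-12 14:34:08.2 - NTFSx86
Command switches used :: c:\documents and settings\user\Desktop\CFScript.txt
.
FILE ::
c:\windows\system32\jedepona.dll
c:\windows\system32\lebobofu.dll
c:\windows\system32\miyovawa.dll
c:\windows\system32\vajapaso.dll
c:\windows\system32\zahatahe.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\jedepona.dll
c:\windows\system32\lebobofu.dll

.
((((((((((((((((((((((((( Files Created from 2008-12-12 to 2009-01-12 )))))))))))))))))))))))))))))))
.
2009-01-11 19:55 . 2009-01-11 23:12 868,384 --ahs---- c:\windows\system32\drivers\fidbox.dat
"""

# A section header is a run of '(', a title, and a run of ')'.
SECTION_RE = re.compile(r"^\(+\s*(.+?)\s*\)+\s*$")
# The echoed CFScript directive ("FILE ::" in the log, "File::" in the script).
FILE_DIRECTIVE_RE = re.compile(r"^file\s*::", re.IGNORECASE)
# A line that is a bare Windows path (drive letter, colon, backslash).
PATH_RE = re.compile(r"^[a-z]:\\", re.IGNORECASE)
# Heuristic (my assumption, not a ComboFix rule): the Vundo DLLs in this thread
# all have eight random lowercase letters as their name, directly in system32.
VUNDO_NAME_RE = re.compile(r"^[a-z]:\\windows\\system32\\[a-z]{8}\.dll$", re.IGNORECASE)


def parse_sections(log_text):
    """Group the bare path lines of a ComboFix log by the section they appear in."""
    sections = {}
    current = None
    for raw in log_text.splitlines():
        line = raw.strip()
        if FILE_DIRECTIVE_RE.match(line):
            current = "FILE"
            sections.setdefault(current, [])
            continue
        header = SECTION_RE.match(line)
        if header:
            current = header.group(1)
            sections.setdefault(current, [])
            continue
        if current is not None and PATH_RE.match(line):
            sections[current].append(line.lower())
    return sections


def reconcile(log_text):
    """Compare the files the CFScript asked for with the ones ComboFix reports deleted."""
    sections = parse_sections(log_text)
    requested = sections.get("FILE", [])
    deleted = set(sections.get("Other Deletions", []))
    return {
        "deleted": sorted(p for p in requested if p in deleted),
        "not_listed_deleted": sorted(p for p in requested if p not in deleted),
        "unrequested_deletions": sorted(deleted.difference(requested)),
    }


def looks_like_vundo_name(path):
    """True if the path matches the eight-lowercase-letter system32 DLL pattern."""
    return VUNDO_NAME_RE.match(path.strip()) is not None


def suspicious_paths(log_text):
    """Every path anywhere in the log that fits the naming heuristic, deduplicated."""
    seen = set()
    for paths in parse_sections(log_text).values():
        seen.update(p for p in paths if looks_like_vundo_name(p))
    return sorted(seen)


if __name__ == "__main__":
    for key, paths in reconcile(SAMPLE_LOG).items():
        print(f"{key}:")
        for p in paths:
            print(f"  {p}")
    print("paths matching the naming heuristic:", suspicious_paths(SAMPLE_LOG))
```

Run against the sample, it reports jedepona.dll and lebobofu.dll as deleted and miyovawa.dll, vajapaso.dll and zahatahe.dll as requested but not listed under "Other Deletions", which is the check a helper would otherwise do by eye before deciding whether a second pass is needed. The "unrequested_deletions" key is there so a helper can spot files ComboFix removed on its own initiative.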

#12 jedi

jedi

  • Members
  • 274 posts
  • OFFLINE
  • Gender:Male
  • Location:UK
  • Local time:10:28 PM

Posted 12 January 2009 - 04:42 PM

Hi again,

OK, it's looking better. No new files created this time.

Please do the following:
Run a BitDefender Online scan Here and post the results.

jedi

#13 Josh66

Josh66
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  • Local time:10:28 PM

Posted 12 January 2009 - 08:11 PM

Time                 00:54:18
Files                381346
Folders              10727
Boot Sectors         0
Archives             4127
Packed Files         32143

Results
Identified Viruses   2
Infected Files       8
Suspect Files        0
Warnings             0
Disinfected          0
Deleted Files        8

Engines Info
Virus Definitions    2444484
Engine build         AVCORE v1.7 (build 8314.19) (i386) (Sep 29 2008 17:19:14)
Scan plugins         17
Archive plugins      45
Unpack plugins       7
E-mail plugins       6
System plugins       4

Scan Settings
First Action         Disinfect
Second Action        Delete
Heuristics           Yes
Enable Warnings      Yes
Scanned Extensions   *;
Exclude Extensions
Scan Emails          Yes
Scan Archives        Yes
Scan Packed          Yes
Scan Files           Yes
Scan Boot            Yes

Scanned File / Status
C:\Qoobox\Quarantine\C\WINDOWS\system32\lebobofu.dll.vir
    Infected with: Gen:Trojan.Heur.564E44
    Disinfection failed
    Deleted
C:\Qoobox\Quarantine\C\WINDOWS\system32\vanabesa.dll.vir
    Infected with: Trojan.Vundo.GGD
    Deleted
C:\Qoobox\Quarantine\C\WINDOWS\system32\watalove.dll.vir
    Infected with: Trojan.Vundo.GGD
    Deleted
C:\Qoobox\Quarantine\C\WINDOWS\system32\wulemake.dll.vir
    Infected with: Trojan.Vundo.GGD
    Deleted
C:\System Volume Information\_restore{45FB52A5-7A87-4339-BF51-5C695AC098C7}\RP611\A0106166.dll
    Infected with: Trojan.Vundo.GGD
    Deleted
C:\System Volume Information\_restore{45FB52A5-7A87-4339-BF51-5C695AC098C7}\RP611\A0106167.dll
    Infected with: Trojan.Vundo.GGD
    Deleted
C:\System Volume Information\_restore{45FB52A5-7A87-4339-BF51-5C695AC098C7}\RP611\A0106169.dll
    Infected with: Trojan.Vundo.GGD
    Deleted
C:\System Volume Information\_restore{45FB52A5-7A87-4339-BF51-5C695AC098C7}\RP612\A0106333.dll
    Infected with: Gen:Trojan.Heur.564E44
    Disinfection failed
    Deleted

#14 jedi

jedi

  • Members
  • 274 posts
  • OFFLINE
  • Gender:Male
  • Location:UK
  • Local time:10:28 PM

Posted 13 January 2009 - 01:32 AM

Hi again,

OK, it looks like we got it. How is the PC running now?

jedi

#15 Josh66

Josh66
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  • Local time:10:28 PM

Posted 13 January 2009 - 02:31 PM

OK, two things. I have noticed that my internet seems to be running slower than it was pre-virus. The browser (Firefox) is also displaying its own advertisements, for example this one weight loss ad which seems to be on most sites.

Edited by Josh66, 13 January 2009 - 06:02 PM.
