
Virtumonde Infection


This topic is locked. 9 replies to this topic.

#1 Hicksy

Posted 11 January 2009 - 11:07 AM

Heya.

Yesterday I suddenly had an attack on my computer, and I've been trying everything on the net to resolve the issue. Spybot finds the following:
Virtumonde
Virtumonde.sci
Virtumonde.generic
Smitfraud
System Security (or something)

I manually deleted the registries myself, however when I ran Spybot again, they all reappeared. Please can someone help me get rid of this, as it's causing me a lot of pain and messing around with my computer.

Symptoms are:
blue screen of death
desktop changing
slow comp and
pop-ups etc. (although to avoid pop-ups I have taken my computer off the internet).

I hope this info helps and here is my DDS report:


DDS (Ver_09-01-07.01) - NTFSx86 MINIMAL
Run by DarkSummon at 15:52:14.26 on 11/01/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.758 [GMT 0:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\savedump.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\DarkSummon\Desktop\dds.scr

============== Pseudo HJT Report ===============

uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: ContributeBHO Class: {074c1dc5-9320-4a9a-947d-c042949c6216} - c:\adobe packages\/Adobe Contribute CS3/contributeieplugin.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} - c:\windows\system32\ssqNgHyX.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\adobe packages\acrobat 8.0\acrobat\AcroIEFavClient.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: FlashFXP Helper for Internet Explorer: {e5a1691b-d188-4419-ad02-90002030b8ee} - c:\progra~1\flashfxp\IEFlash.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Easy-WebPrint: {327c2873-e90d-4c37-aa9d-10ac9baba46c} - c:\program files\canon\easy-webprint\Toolband.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\adobe packages\acrobat 8.0\acrobat\AcroIEFavClient.dll
TB: Contribute Toolbar: {517bdde4-e3a7-4570-b21e-2b52b6139fc7} - c:\adobe packages\/Adobe Contribute CS3/contributeieplugin.dll
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\adobe packages\acrobat 8.0\acrobat\AcroIEFavClient.dll
uRun: [MsnMsgr] "c:\program files\windows live\messenger\MsnMsgr.Exe" /background
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\nero\lib\NMBgMonitor.exe"
uRun: [FreeRAM XP] "c:\program files\yourware solutions\freeram xp pro\FreeRAM XP Pro.exe" -win
uRun: [Zinio DLM] c:\program files\zinio\ZinioReader.exe /autostart
uRun: [Google Update] "c:\documents and settings\darksummon\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [ALi5289] c:\program files\uli5289\ALi5289.exe
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [SpeedBitVideoAccelerator] "c:\program files\speedbit video accelerator\VideoAccelerator.exe"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [NBKeyScan] "c:\program files\nero\nero8\nero backitup\NBKeyScan.exe"
mRun: [OpwareSE2] "c:\program files\scansoft\omnipagese2.0\OpwareSE2.exe"
mRun: [CloneCDTray] "c:\program files\slysoft\clonecd\CloneCDTray.exe" /s
mRun: [VirtualCloneDrive] "c:\program files\elaborate bytes\virtualclonedrive\VCDDaemon.exe" /s
mRun: [NeroFilterCheck] c:\program files\common files\nero\lib\NeroCheck.exe
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe"
mRun: [ATICustomerCare] "c:\program files\ati\aticustomercare\ATICustomerCare.exe"
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [Acrobat Assistant 8.0] "c:\adobe packages\acrobat 8.0\acrobat\Acrotray.exe"
mRun: [Adobe_ID0EYTHM] c:\progra~1\common~1\adobe\adobev~1\server\bin\VERSIO~2.EXE
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SDFix] c:\sdfix\RunThis.bat /second
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobea~1.lnk - c:\windows\installer\{ac76ba86-1033-0000-7760-000000000003}\_SC_Acrobat.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobea~2.lnk - c:\adobe packages\acrobat 8.0\acrobat\AdobeCollabSync.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\reader 8.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~2.lnk - c:\program files\adobe\reader 8.0\reader\AdobeCollabSync.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
IE: &Clean Traces - c:\program files\dap\privacy package\dapcleanerie.htm
IE: &Download with &DAP - c:\program files\dap\dapextie.htm
IE: Append to existing PDF - c:\adobe packages\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\adobe packages\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\adobe packages\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\adobe packages\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\adobe packages\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\adobe packages\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\adobe packages\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\adobe packages\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Download &all with DAP - c:\program files\dap\dapextie2.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Easy-WebPrint Add To Print List - c:\program files\canon\easy-webprint\Resource.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\canon\easy-webprint\Resource.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\canon\easy-webprint\Resource.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\canon\easy-webprint\Resource.dll/RC_Print.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
TCP: {82348B4B-1882-447D-8590-BD538D051121} = 10.0.0.1,10.0.0.2
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Name-Space Handler: ftp\ZDA - {5BFA1DAF-5EDC-11D2-959E-00C00C02DA5E} - c:\progra~1\dap\dapie.dll
Name-Space Handler: http\ZDA - {5BFA1DAF-5EDC-11D2-959E-00C00C02DA5E} - c:\progra~1\dap\dapie.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: ssqNgHyX - ssqNgHyX.dll
AppInit_DLLs: avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
SEH: {6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} - c:\windows\system32\ssqNgHyX.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\darksu~1\applic~1\mozilla\firefox\profiles\msrhz7x7.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.absolutepunk.net/index.php
FF - component: c:\documents and settings\darksummon\application data\mozilla\firefox\profiles\msrhz7x7.default\extensions\{0b457caa-602d-484a-8fe7-c1d894a011ba}\platform\winnt_x86-msvc\components\SSSLauncher.dll
FF - component: c:\documents and settings\darksummon\application data\mozilla\firefox\profiles\msrhz7x7.default\extensions\{6ac85730-7d0f-4de0-b3fa-21142dd85326}\platform\winnt\components\ColorZilla.dll
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - component: c:\program files\dap\dapfirefox\components\DAPFireFox.dll
FF - plugin: c:\documents and settings\darksummon\local settings\application data\google\update\1.2.133.33\npGoogleOneClick7.dll

============= SERVICES / DRIVERS ===============

R0 m5289;m5289;c:\windows\system32\drivers\m5289.sys [2008-2-13 51840]
R0 uliagpkx;ULi AGP Bus Filter Driver;c:\windows\system32\drivers\AGPKX.SYS [2008-2-13 45056]
S1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-5-25 97928]
S1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-5-25 26824]
S3 ngrpci;NETGEAR FA310TX Fast Ethernet Adapter Driver;c:\windows\system32\drivers\Ngrpci.sys [2008-2-13 32840]
S3 NPF;Netgroup Packet Filter;c:\windows\system32\drivers\npf.sys --> c:\windows\system32\drivers\npf.sys [?]
S4 avg8wd;AVG8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2008-5-25 231704]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\microsoft visual studio 8\common7\ide\remote debugger\x86\msvsmon.exe [2006-12-2 2805000]
S4 sbbotdi;sbbotdi;c:\progra~1\speedb~1\sbbotdi.sys [2008-2-14 35584]
S4 TabletServicePen;TabletServicePen;c:\windows\system32\Pen_Tablet.exe [2008-11-10 1373480]
S4 VideoAcceleratorService;VideoAcceleratorService;c:\progra~1\speedb~1\videoacceleratorservice.exe -start -scm --> c:\progra~1\speedb~1\VideoAcceleratorService.exe -start -scm [?]

=============== Created Last 30 ================

2009-01-11 13:37 578,560 ac------ c:\windows\system32\dllcache\user32.dll
2009-01-11 13:29 <DIR> --d----- c:\windows\ERUNT
2009-01-11 13:27 <DIR> --d----- C:\SDFix
2009-01-11 13:12 <DIR> --d----- C:\VundoFix Backups
2009-01-11 02:05 <DIR> --d----- C:\!KillBox
2009-01-11 01:11 <DIR> --d----- c:\program files\CCleaner
2009-01-11 01:08 <DIR> --d----- c:\program files\RogueRemover FREE
2009-01-11 01:00 3,330 a------- c:\windows\system32\tmp.reg
2009-01-10 13:17 52,224 a------- c:\windows\system32\wvUnKEvT.dll
2009-01-10 13:09 52,224 -------- c:\windows\system32\ssqNgHyX.dll
2009-01-05 14:59 <DIR> --d----- c:\documents and settings\darksummon\.jnlp-applet
2008-12-20 18:14 <DIR> --d----- C:\CloneDVDTemp
2008-12-17 18:17 410,984 a------- c:\windows\system32\deploytk.dll

==================== Find3M ====================

2008-11-21 21:46 1,044,480 a------- c:\windows\system32\libdivx.dll
2008-11-21 21:46 200,704 a------- c:\windows\system32\ssldivx.dll
2008-10-23 12:36 286,720 a------- c:\windows\system32\gdi32.dll
2008-10-16 20:38 826,368 a------- c:\windows\system32\wininet.dll
2008-10-16 14:06 268,648 a------- c:\windows\system32\mucltui.dll
2008-10-16 14:06 208,744 a------- c:\windows\system32\muweb.dll
2008-02-21 22:31 87,608 -------- c:\docume~1\darksu~1\applic~1\inst.exe
2008-02-21 22:31 47,360 -------- c:\docume~1\darksu~1\applic~1\pcouffin.sys
2008-05-09 14:50 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008050920080510\index.dat

============= FINISH: 15:53:02.84 ===============

Edited by Hicksy, 11 January 2009 - 01:19 PM.
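To make explicit the check a helper applies when reading the DDS report above, here is an added Python example (not code from this thread, nor from DDS or ComboFix) that cross-references unnamed BHO, Winlogon Notify and ShellExecuteHook (SEH) entries with the "Created Last 30" list. The embedded sample lines are copied from Hicksy's log; the hook-kind list and the flag wording are assumptions of this script.

```python
# Triage helper for a DDS log: which DLL load points deserve a second look?
# Sample lines are copied from the DDS report posted above (constructed
# input, not a live scan); the hook list and wording are this script's own.
import re
from collections import defaultdict

# DDS "Pseudo HJT Report" entry types whose target is a loaded DLL.
DLL_HOOK_KINDS = {"BHO", "TB", "EB", "Notify", "SEH", "SSODL", "AppInit_DLLs"}

# "Created Last 30" file lines: date, time, size, attribute flags, path.
# Directory lines carry "<DIR>" instead of a size and are skipped on purpose.
CREATED_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) \d{2}:\d{2} +[\d,]+ +\S+ +(.+)$")

SAMPLE_REPORT = r"""
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} - c:\windows\system32\ssqNgHyX.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
Notify: AtiExtEvent - Ati2evxx.dll
Notify: ssqNgHyX - ssqNgHyX.dll
AppInit_DLLs: avgrsstx.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
SEH: {6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} - c:\windows\system32\ssqNgHyX.dll
2009-01-11 13:29 <DIR> --d----- c:\windows\ERUNT
2009-01-10 13:17 52,224 a------- c:\windows\system32\wvUnKEvT.dll
2009-01-10 13:09 52,224 -------- c:\windows\system32\ssqNgHyX.dll
2008-12-17 18:17 410,984 a------- c:\windows\system32\deploytk.dll
"""

def basename(path):
    """Lower-cased file name of a Windows path; DDS mixes short and long forms."""
    return path.strip().rsplit("\\", 1)[-1].lower()

def parse_hook(line):
    """Parse a load-point line into (kind, label, module) or None.

    label is whatever precedes the target: "Name: {CLSID}" for an entry with
    a description, or a bare "{CLSID}" when DDS found none. Splitting on the
    last " - " keeps the module name right even if the path contains " - ".
    """
    kind, sep, body = line.partition(": ")
    if not sep or kind not in DLL_HOOK_KINDS:
        return None
    if kind == "AppInit_DLLs":            # "AppInit_DLLs: foo.dll", no label at all
        return kind, "", basename(body)
    label, sep, target = body.rpartition(" - ")
    if not sep:
        return None
    return kind, label, basename(target)

def parse_created(line):
    """Parse a 'Created Last 30' file line into (module, creation date) or None."""
    m = CREATED_RE.match(line)
    return (basename(m.group(2)), m.group(1)) if m else None

def triage(report_text):
    """Return (module, reason) findings in report order.

    Flagged: a load point whose file is missing (an orphan), and any unnamed
    hook; the reason is escalated when the same module is registered under
    several hook types or was created inside the report's 30-day window.
    """
    hooks = defaultdict(list)        # module -> [(kind, unnamed?)]
    created = {}                     # module -> creation date
    findings = []
    for raw in report_text.splitlines():
        line = raw.strip()
        hook = parse_hook(line)
        if hook:
            kind, label, module = hook
            if module == "no file":
                findings.append((f"{kind} {label}",
                                 "load point references a missing file (orphan)"))
            else:   # an entry that opens straight with its CLSID has no description
                hooks[module].append((kind, label.startswith("{")))
            continue
        entry = parse_created(line)
        if entry:
            created[entry[0]] = entry[1]
    for module, refs in hooks.items():
        if not any(unnamed for _, unnamed in refs):
            continue                 # described entries are left to the reviewer
        kinds = sorted({kind for kind, _ in refs})
        reason = "unnamed load point"
        if len(kinds) > 1:
            reason += " registered under " + ", ".join(kinds)
        if module in created:
            reason += "; file created " + created[module]
        findings.append((module, reason))
    return findings

if __name__ == "__main__":
    for module, reason in triage(SAMPLE_REPORT):
        print(f"{module}: {reason}")
```

On the sample it reports the orphaned BHO and the one module that is registered as an unnamed BHO, a Winlogon Notify package and a ShellExecuteHook at once and was created the day before the scan, which is exactly the pattern ComboFix later removes as orphans.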


#2 Thunder

Posted 13 January 2009 - 04:48 AM

Hello Hicksy and welcome to Bleeping Computer,

Please download ComboFix from one of the locations below, and save it to your Desktop.

Link
Link
Link

Double click the ComboFix icon to run it.
If ComboFix asks you to install the Recovery Console, please do so.
The Windows Recovery Console will allow you to boot up into a special recovery mode, in case your computer has a problem after an attempted removal of malware. This allows us to help you.
Once the Recovery Console is installed, continue with the malware scan.

Note: Make sure not to click ComboFix's window while it's running. That may cause it to stall or freeze.

Please post the log from ComboFix (can also be found as C:\ComboFix.txt) in your next reply. :thumbsup:

If you have any questions along the way, STOP and ask them before proceeding!!

Greetings,
Thunder
Whatever happens, make believe it was intended to ...
-----------------------------------------------------------------------
If I have helped you in any way, please consider a donation to help me continue the fight against malware.
-----------------------------------------------------------------------
Stand Up & Be Counted. And make a difference

#3 Hicksy (Topic Starter)

Posted 13 January 2009 - 02:29 PM

Thanks very much for the reply!

Here is my log:

ComboFix 09-01-12.04 - DarkSummon 2009-01-13 19:05:40.1 - NTFSx86 MINIMAL
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.786 [GMT 0:00]
Running from: c:\documents and settings\DarkSummon\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\DarkSummon\Application Data\inst.exe
C:\Documents
c:\windows\system32\drivers\seneka.sys
c:\windows\system32\drivers\senekaypxuckad.sys
c:\windows\system32\install.exe
c:\windows\system32\mdm.exe
c:\windows\system32\senekaabafdskk.dll
c:\windows\system32\senekalog.dat
c:\windows\system32\ssqNgHyX.dll
c:\windows\system32\tmp.reg
c:\windows\system32\wvUnKEvT.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_SENEKA
-------\Legacy_NPF
-------\Service_NPF


((((((((((((((((((((((((( Files Created from 2008-12-13 to 2009-01-13 )))))))))))))))))))))))))))))))
.

2009-01-11 13:37 . 2009-01-11 13:37 578,560 --a--c--- c:\windows\system32\dllcache\user32.dll
2009-01-11 13:29 . 2009-01-11 13:29 <DIR> d-------- c:\windows\ERUNT
2009-01-11 13:27 . 2009-01-11 14:08 <DIR> d-------- C:\SDFix
2009-01-11 13:12 . 2009-01-11 13:12 <DIR> d-------- C:\VundoFix Backups
2009-01-11 02:05 . 2009-01-11 02:56 <DIR> d-------- C:\!KillBox
2009-01-11 01:11 . 2009-01-11 01:11 <DIR> d-------- c:\program files\CCleaner
2009-01-11 01:08 . 2009-01-11 01:08 <DIR> d-------- c:\program files\RogueRemover FREE
2009-01-05 14:59 . 2009-01-05 14:59 <DIR> d-------- c:\documents and settings\DarkSummon\.jnlp-applet
2008-12-20 18:14 . 2008-12-20 18:14 <DIR> d-------- C:\CloneDVDTemp
2008-12-17 18:17 . 2008-12-17 18:17 410,984 --a------ c:\windows\system32\deploytk.dll
2008-12-15 19:26 . 2008-12-16 21:53 <DIR> d-------- c:\documents and settings\DarkSummon\Application Data\dvdcss

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-13 18:32 --------- d-----w c:\documents and settings\DarkSummon\Application Data\WTablet
2009-01-11 16:24 --------- d-----w c:\documents and settings\NetworkService\Application Data\WTablet
2009-01-11 02:58 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-01-09 23:51 --------- d-----w c:\documents and settings\DarkSummon\Application Data\uTorrent
2009-01-09 17:29 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2008-12-26 00:43 --------- d-----w c:\documents and settings\DarkSummon\Application Data\Vso
2008-12-24 18:30 --------- d-----w c:\documents and settings\DarkSummon\Application Data\Canon
2008-12-20 13:11 --------- d-----w c:\program files\DivX
2008-12-18 20:48 --------- d-----w c:\program files\SQLyog Community
2008-12-17 18:17 --------- d-----w c:\program files\Java
2008-12-10 19:12 --------- d-----w c:\program files\SpeedBit Video Accelerator
2008-12-10 18:09 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2008-12-10 18:06 --------- d-----w c:\program files\Tanar Online
2008-12-09 19:38 --------- d-----w c:\program files\iTunes
2008-12-09 19:38 --------- d-----w c:\program files\iPod
2008-12-09 19:38 --------- d-----w c:\program files\Common Files\Apple
2008-12-09 19:38 --------- d-----w c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-12-09 19:35 --------- d-----w c:\program files\QuickTime
2008-12-05 21:08 --------- d-----w c:\documents and settings\DarkSummon\Application Data\JetBrains
2008-12-05 21:00 --------- d-----w c:\program files\JetBrains
2008-11-24 18:52 --------- d-----w c:\program files\Triggersoft
2008-11-20 20:39 --------- d-----w c:\documents and settings\DarkSummon\Application Data\Apple Computer
2008-11-16 10:38 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-11-15 09:35 --------- d-----w c:\documents and settings\All Users\Application Data\FLEXnet
2008-02-21 22:31 47,360 ------w c:\documents and settings\DarkSummon\Application Data\pcouffin.sys
2008-05-09 14:50 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008050920080510\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-09-16 1833296]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Nero\Lib\NMBgMonitor.exe" [2008-02-28 132392]
"FreeRAM XP"="c:\program files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe" [2006-03-22 1591808]
"Zinio DLM"="c:\program files\Zinio\ZinioReader.exe" [2008-07-08 3874886]
"Google Update"="c:\documents and settings\DarkSummon\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-09-12 133104]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ALi5289"="c:\program files\ULI5289\ALi5289.exe" [2005-03-10 405504]
"SpeedBitVideoAccelerator"="c:\program files\SpeedBit Video Accelerator\VideoAccelerator.exe" [2008-05-12 2729584]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-02-15 185896]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-17 136600]
"NBKeyScan"="c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2008-02-18 2221352]
"OpwareSE2"="c:\program files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe" [2003-05-08 49152]
"CloneCDTray"="c:\program files\SlySoft\CloneCD\CloneCDTray.exe" [2006-09-28 57344]
"VirtualCloneDrive"="c:\program files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" [2006-04-29 94208]
"NeroFilterCheck"="c:\program files\Common Files\Nero\Lib\NeroCheck.exe" [2008-02-28 570664]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-01-21 61440]
"ATICustomerCare"="c:\program files\ATI\ATICustomerCare\ATICustomerCare.exe" [2007-10-04 307200]
"Acrobat Assistant 8.0"="c:\adobe packages\Acrobat 8.0\Acrobat\Acrotray.exe" [2006-10-22 620152]
"Adobe_ID0EYTHM"="c:\progra~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE" [2007-03-20 1884160]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-11-04 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"SDFix"="c:\sdfix\RunThis.bat" [2008-11-06 964661]
"SoundMan"="SOUNDMAN.EXE" [2004-12-22 c:\windows\SOUNDMAN.EXE]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Wrapper"="runonce" [X]
"GrpConv"="grpconv -o" [X]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-7760-000000000003}\_SC_Acrobat.exe [2008-07-09 295606]
Adobe Acrobat Synchronizer.lnk - c:\adobe packages\Acrobat 8.0\Acrobat\AdobeCollabSync.exe [2006-10-22 734872]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe [2006-10-23 40048]
Adobe Reader Synchronizer.lnk - c:\program files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe [2006-10-23 734872]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-05-26 123904]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2008-05-26 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"="0x00000000"
"UpdatesDisableNotify"="0x00000000"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\DAP\\DAP.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Java\\jdk1.6.0\\jre\\bin\\java.exe"=
"c:\\Program Files\\Common Files\\Nero\\Nero Web\\SetupX.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\FlashFXP\\FlashFXP.exe"=
"c:\\Program Files\\Chronical Games\\PlayerRealms\\Server\\Server.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\mIRC\\mirc.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\WINDOWS\\system32\\dxdiag.exe"=
"c:\\Program Files\\Java\\jre1.6.0_05\\bin\\java.exe"=
"c:\\Program Files\\Java\\jdk1.6.0\\bin\\java.exe"=
"c:\\Program Files\\Java\\jre1.6.0_05\\bin\\javaw.exe"=
"c:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS3\\Server\\bin\\VersionCueCS3.exe"=
"c:\\Documents and Settings\\DarkSummon\\My Documents\\Online RPG Game Engines\\MS3\\MS3\\Server\\Server.exe"=
"c:\\Documents and Settings\\DarkSummon\\My Documents\\Online RPG Game Engines\\MS (2.43) 3-frame\\MS 3-frame\\Server\\Server.exe"=
"c:\\Documents and Settings\\DarkSummon\\My Documents\\Online RPG Game Engines\\EchoStorms Online Source\\EchoStorms Online Source\\server\\Update Server.exe"=
"c:\\Documents and Settings\\DarkSummon\\My Documents\\Online RPG Game Engines\\EchoStorms Online Source\\EchoStorms Online Source\\server\\server.exe"=
"c:\\Program Files\\Microsoft Visual Studio\\COMMON\\Tools\\VS-Ent98\\Vanalyzr\\VARPC.EXE"=
"c:\\Documents and Settings\\DarkSummon\\My Documents\\Online RPG Game Engines\\Essence\\server\\Server.exe"=
"c:\\Program Files\\Microsoft Visual Studio\\VB98\\VB6.EXE"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Microsoft Visual Studio 8\\Common7\\IDE\\devenv.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\SpeedBit Video Accelerator\\VideoAccelerator.exe"=
"c:\\Program Files\\SpeedBit Video Accelerator\\VideoAcceleratorEngine.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3703:TCP"= 3703:TCP:Adobe Version Cue CS3 Server
"3704:TCP"= 3704:TCP:Adobe Version Cue CS3 Server
"50900:TCP"= 50900:TCP:Adobe Version Cue CS3 Server
"50901:TCP"= 50901:TCP:Adobe Version Cue CS3 Server

R0 m5289;m5289;c:\windows\system32\drivers\m5289.sys [2008-02-13 51840]
R0 uliagpkx;ULi AGP Bus Filter Driver;c:\windows\system32\drivers\AGPKX.SYS [2008-02-13 45056]
S3 ngrpci;NETGEAR FA310TX Fast Ethernet Adapter Driver;c:\windows\system32\drivers\Ngrpci.sys [2008-02-13 32840]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe [2006-12-02 2805000]
S4 sbbotdi;sbbotdi;c:\progra~1\SPEEDB~1\sbbotdi.sys [2008-02-14 35584]
S4 TabletServicePen;TabletServicePen;c:\windows\system32\Pen_Tablet.exe [2008-11-10 1373480]
S4 VideoAcceleratorService;VideoAcceleratorService;c:\progra~1\SPEEDB~1\VideoAcceleratorService.exe -start -scm --> c:\progra~1\SPEEDB~1\VideoAcceleratorService.exe -start -scm [?]
.
Contents of the 'Scheduled Tasks' folder

2008-11-04 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2009-01-11 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-789336058-1614895754-839522115-1003.job
- c:\documents and settings\DarkSummon\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-12 16:30]
.
- - - - ORPHANS REMOVED - - - -

BHO-{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - c:\windows\system32\ssqNgHyX.dll
HKLM-RunOnce-<NO NAME> - (no file)
ShellExecuteHooks-{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - c:\windows\system32\ssqNgHyX.dll


.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
IE: &Clean Traces - c:\program files\DAP\Privacy Package\dapcleanerie.htm
IE: &Download with &DAP - c:\program files\DAP\dapextie.htm
IE: Append to existing PDF - c:\adobe packages\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\adobe packages\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\adobe packages\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\adobe packages\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\adobe packages\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\adobe packages\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\adobe packages\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\adobe packages\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Download &all with DAP - c:\program files\DAP\dapextie2.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Easy-WebPrint Add To Print List - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
TCP: {82348B4B-1882-447D-8590-BD538D051121} = 10.0.0.1,10.0.0.2
Name-Space Handler: ftp\ZDA - {5BFA1DAF-5EDC-11D2-959E-00C00C02DA5E} - c:\progra~1\DAP\dapie.dll
Name-Space Handler: http\ZDA - {5BFA1DAF-5EDC-11D2-959E-00C00C02DA5E} - c:\progra~1\DAP\dapie.dll
FF - ProfilePath - c:\documents and settings\DarkSummon\Application Data\Mozilla\Firefox\Profiles\msrhz7x7.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.absolutepunk.net/index.php
FF - component: c:\documents and settings\DarkSummon\Application Data\Mozilla\Firefox\Profiles\msrhz7x7.default\extensions\{0b457cAA-602d-484a-8fe7-c1d894a011ba}\platform\WINNT_x86-msvc\components\SSSLauncher.dll
FF - component: c:\documents and settings\DarkSummon\Application Data\Mozilla\Firefox\Profiles\msrhz7x7.default\extensions\{6AC85730-7D0F-4de0-B3FA-21142DD85326}\platform\WINNT\components\ColorZilla.dll
FF - component: c:\program files\DAP\DAPFireFox\components\DAPFireFox.dll
FF - plugin: c:\documents and settings\DarkSummon\Local Settings\Application Data\Google\Update\1.2.133.33\npGoogleOneClick7.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-13 19:14:36
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MySQL]
"ImagePath"="\"c:\program files\MySQL\MySQL Server 5.0\bin\mysqld-nt\" --defaults-file=\"c:\program files\MySQL\MySQL Server 5.0\my.ini\" MySQL"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(268)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2009-01-13 19:26:32 - machine was rebooted
ComboFix-quarantined-files.txt 2009-01-13 19:26:30

Pre-Run: 244,337,741,824 bytes free
Post-Run: 244,209,971,200 bytes free

222 --- E O F --- 2008-12-18 03:02:03

#4 Thunder

Posted 13 January 2009 - 05:18 PM

Hello Hicksy,

Your log looks quite good now, but since you didn't install the Recovery Console, the result may not be totally accurate.

Please install the Recovery Console now, as described in the tutorial, and run ComboFix again.

Greetings,
Thunder

#5 Hicksy (Topic Starter)

Posted 14 January 2009 - 05:18 AM

Hi Thunder,

That's good news :thumbsup: thanks.

Well I tried to install the Recovery Console but it wouldn't connect. I put my ethernet connection back in (it was out due to the virus messing around with the internet etc.) and I was in safe mode.

Do i need to do it another way? Cus when i boot up normally it just loads for a bit then i get blue screen of death, well at least it did before i ran ComboFix.

Thanks again for taking the time to help me.

#6 Thunder

Thunder

  • Members
  • 3,294 posts
  • Gender:Male
  • Location:Belgium
  • Local time:07:53 AM

Posted 14 January 2009 - 10:26 AM

Hello Hicksy,

Did you try starting up in normal mode and connecting to the internet yet?

Do you still get that BSOD?

Greetings,
Thunder

#7 Hicksy

Hicksy
  • Topic Starter

  • Members
  • 5 posts
  • Local time:06:53 AM

Posted 14 January 2009 - 01:10 PM

Hi Thunder,

I loaded up the comp in normal mode with the internet and it didn't go all loopy and BSOD me, which is good news in itself :thumbsup:

Just did the scan with the Recovery Console and here is the log:

ComboFix 09-01-13.04 - DarkSummon 2009-01-14 17:52:41.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.473 [GMT 0:00]
Running from: c:\documents and settings\DarkSummon\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2008-12-14 to 2009-01-14 )))))))))))))))))))))))))))))))
.

2009-01-11 13:37 . 2009-01-11 13:37 578,560 --a--c--- c:\windows\system32\dllcache\user32.dll
2009-01-11 13:29 . 2009-01-11 13:29 <DIR> d-------- c:\windows\ERUNT
2009-01-11 13:27 . 2009-01-11 14:08 <DIR> d-------- C:\SDFix
2009-01-11 13:12 . 2009-01-11 13:12 <DIR> d-------- C:\VundoFix Backups
2009-01-11 02:05 . 2009-01-11 02:56 <DIR> d-------- C:\!KillBox
2009-01-11 01:11 . 2009-01-11 01:11 <DIR> d-------- c:\program files\CCleaner
2009-01-11 01:08 . 2009-01-11 01:08 <DIR> d-------- c:\program files\RogueRemover FREE
2009-01-05 14:59 . 2009-01-05 14:59 <DIR> d-------- c:\documents and settings\DarkSummon\.jnlp-applet
2008-12-20 18:14 . 2008-12-20 18:14 <DIR> d-------- C:\CloneDVDTemp
2008-12-17 18:17 . 2008-12-17 18:17 410,984 --a------ c:\windows\system32\deploytk.dll
2008-12-15 19:26 . 2008-12-16 21:53 <DIR> d-------- c:\documents and settings\DarkSummon\Application Data\dvdcss

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-14 17:30 --------- d-----w c:\documents and settings\DarkSummon\Application Data\WTablet
2009-01-11 16:24 --------- d-----w c:\documents and settings\NetworkService\Application Data\WTablet
2009-01-11 02:58 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-01-09 23:51 --------- d-----w c:\documents and settings\DarkSummon\Application Data\uTorrent
2009-01-09 17:29 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2008-12-26 00:43 --------- d-----w c:\documents and settings\DarkSummon\Application Data\Vso
2008-12-24 18:30 --------- d-----w c:\documents and settings\DarkSummon\Application Data\Canon
2008-12-20 13:11 --------- d-----w c:\program files\DivX
2008-12-18 20:48 --------- d-----w c:\program files\SQLyog Community
2008-12-17 18:17 --------- d-----w c:\program files\Java
2008-12-10 19:12 --------- d-----w c:\program files\SpeedBit Video Accelerator
2008-12-10 18:09 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2008-12-10 18:06 --------- d-----w c:\program files\Tanar Online
2008-12-09 19:38 --------- d-----w c:\program files\iTunes
2008-12-09 19:38 --------- d-----w c:\program files\iPod
2008-12-09 19:38 --------- d-----w c:\program files\Common Files\Apple
2008-12-09 19:38 --------- d-----w c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-12-09 19:35 --------- d-----w c:\program files\QuickTime
2008-12-05 21:08 --------- d-----w c:\documents and settings\DarkSummon\Application Data\JetBrains
2008-12-05 21:00 --------- d-----w c:\program files\JetBrains
2008-11-24 18:52 --------- d-----w c:\program files\Triggersoft
2008-11-21 21:46 200,704 ----a-w c:\windows\system32\ssldivx.dll
2008-11-21 21:46 1,044,480 ----a-w c:\windows\system32\libdivx.dll
2008-11-20 20:39 --------- d-----w c:\documents and settings\DarkSummon\Application Data\Apple Computer
2008-11-16 10:38 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-11-15 09:35 --------- d-----w c:\documents and settings\All Users\Application Data\FLEXnet
2008-10-23 12:36 286,720 ----a-w c:\windows\system32\gdi32.dll
2008-10-16 20:38 826,368 ----a-w c:\windows\system32\wininet.dll
2008-10-16 14:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 14:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 14:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 14:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 14:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 14:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 14:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 14:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 14:06 268,648 ----a-w c:\windows\system32\mucltui.dll
2008-10-16 14:06 208,744 ----a-w c:\windows\system32\muweb.dll
2008-02-21 22:31 47,360 ------w c:\documents and settings\DarkSummon\Application Data\pcouffin.sys
2008-05-09 14:50 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008050920080510\index.dat
.

((((((((((((((((((((((((((((( snapshot@2009-01-13_19.25.40.60 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-01-14 17:30:29 16,384 ----atw c:\windows\temp\Perflib_Perfdata_6d8.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-09-16 1833296]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Nero\Lib\NMBgMonitor.exe" [2008-02-28 132392]
"FreeRAM XP"="c:\program files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe" [2006-03-22 1591808]
"Zinio DLM"="c:\program files\Zinio\ZinioReader.exe" [2008-07-08 3874886]
"Google Update"="c:\documents and settings\DarkSummon\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-09-12 133104]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ALi5289"="c:\program files\ULI5289\ALi5289.exe" [2005-03-10 405504]
"SpeedBitVideoAccelerator"="c:\program files\SpeedBit Video Accelerator\VideoAccelerator.exe" [2008-05-12 2729584]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-02-15 185896]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-17 136600]
"NBKeyScan"="c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2008-02-18 2221352]
"OpwareSE2"="c:\program files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe" [2003-05-08 49152]
"CloneCDTray"="c:\program files\SlySoft\CloneCD\CloneCDTray.exe" [2006-09-28 57344]
"VirtualCloneDrive"="c:\program files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" [2006-04-29 94208]
"NeroFilterCheck"="c:\program files\Common Files\Nero\Lib\NeroCheck.exe" [2008-02-28 570664]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-01-21 61440]
"ATICustomerCare"="c:\program files\ATI\ATICustomerCare\ATICustomerCare.exe" [2007-10-04 307200]
"Acrobat Assistant 8.0"="c:\adobe packages\Acrobat 8.0\Acrobat\Acrotray.exe" [2006-10-22 620152]
"Adobe_ID0EYTHM"="c:\progra~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE" [2007-03-20 1884160]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-11-04 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"SDFix"="c:\sdfix\RunThis.bat" [2008-11-06 964661]
"SoundMan"="SOUNDMAN.EXE" [2004-12-22 c:\windows\SOUNDMAN.EXE]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-7760-000000000003}\_SC_Acrobat.exe [2008-07-09 295606]
Adobe Acrobat Synchronizer.lnk - c:\adobe packages\Acrobat 8.0\Acrobat\AdobeCollabSync.exe [2006-10-22 734872]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe [2006-10-23 40048]
Adobe Reader Synchronizer.lnk - c:\program files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe [2006-10-23 734872]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-05-26 123904]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2008-05-26 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\DAP\\DAP.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Java\\jdk1.6.0\\jre\\bin\\java.exe"=
"c:\\Program Files\\Common Files\\Nero\\Nero Web\\SetupX.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\FlashFXP\\FlashFXP.exe"=
"c:\\Program Files\\Chronical Games\\PlayerRealms\\Server\\Server.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\mIRC\\mirc.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\WINDOWS\\system32\\dxdiag.exe"=
"c:\\Program Files\\Java\\jre1.6.0_05\\bin\\java.exe"=
"c:\\Program Files\\Java\\jdk1.6.0\\bin\\java.exe"=
"c:\\Program Files\\Java\\jre1.6.0_05\\bin\\javaw.exe"=
"c:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS3\\Server\\bin\\VersionCueCS3.exe"=
"c:\\Documents and Settings\\DarkSummon\\My Documents\\Online RPG Game Engines\\MS3\\MS3\\Server\\Server.exe"=
"c:\\Documents and Settings\\DarkSummon\\My Documents\\Online RPG Game Engines\\MS (2.43) 3-frame\\MS 3-frame\\Server\\Server.exe"=
"c:\\Documents and Settings\\DarkSummon\\My Documents\\Online RPG Game Engines\\EchoStorms Online Source\\EchoStorms Online Source\\server\\Update Server.exe"=
"c:\\Documents and Settings\\DarkSummon\\My Documents\\Online RPG Game Engines\\EchoStorms Online Source\\EchoStorms Online Source\\server\\server.exe"=
"c:\\Program Files\\Microsoft Visual Studio\\COMMON\\Tools\\VS-Ent98\\Vanalyzr\\VARPC.EXE"=
"c:\\Documents and Settings\\DarkSummon\\My Documents\\Online RPG Game Engines\\Essence\\server\\Server.exe"=
"c:\\Program Files\\Microsoft Visual Studio\\VB98\\VB6.EXE"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Microsoft Visual Studio 8\\Common7\\IDE\\devenv.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\SpeedBit Video Accelerator\\VideoAccelerator.exe"=
"c:\\Program Files\\SpeedBit Video Accelerator\\VideoAcceleratorEngine.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3703:TCP"= 3703:TCP:Adobe Version Cue CS3 Server
"3704:TCP"= 3704:TCP:Adobe Version Cue CS3 Server
"50900:TCP"= 50900:TCP:Adobe Version Cue CS3 Server
"50901:TCP"= 50901:TCP:Adobe Version Cue CS3 Server

R0 m5289;m5289;c:\windows\system32\drivers\m5289.sys [2008-02-13 51840]
R0 uliagpkx;ULi AGP Bus Filter Driver;c:\windows\system32\drivers\AGPKX.SYS [2008-02-13 45056]
R3 ngrpci;NETGEAR FA310TX Fast Ethernet Adapter Driver;c:\windows\system32\drivers\Ngrpci.sys [2008-02-13 32840]
R4 sbbotdi;sbbotdi;c:\progra~1\SPEEDB~1\sbbotdi.sys [2008-02-14 35584]
R4 TabletServicePen;TabletServicePen;c:\windows\system32\Pen_Tablet.exe [2008-11-10 1373480]
R4 VideoAcceleratorService;VideoAcceleratorService;c:\progra~1\SPEEDB~1\VideoAcceleratorService.exe -start -scm --> c:\progra~1\SPEEDB~1\VideoAcceleratorService.exe -start -scm [?]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe [2006-12-02 2805000]
.
Contents of the 'Scheduled Tasks' folder

2008-11-04 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2009-01-11 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-789336058-1614895754-839522115-1003.job
- c:\documents and settings\DarkSummon\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-12 16:30]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
IE: &Clean Traces - c:\program files\DAP\Privacy Package\dapcleanerie.htm
IE: &Download with &DAP - c:\program files\DAP\dapextie.htm
IE: Append to existing PDF - c:\adobe packages\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\adobe packages\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\adobe packages\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\adobe packages\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\adobe packages\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\adobe packages\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\adobe packages\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\adobe packages\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Download &all with DAP - c:\program files\DAP\dapextie2.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Easy-WebPrint Add To Print List - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
TCP: {82348B4B-1882-447D-8590-BD538D051121} = 10.0.0.1,10.0.0.2
Name-Space Handler: ftp\ZDA - {5BFA1DAF-5EDC-11D2-959E-00C00C02DA5E} - c:\progra~1\DAP\dapie.dll
Name-Space Handler: http\ZDA - {5BFA1DAF-5EDC-11D2-959E-00C00C02DA5E} - c:\progra~1\DAP\dapie.dll
FF - ProfilePath - c:\documents and settings\DarkSummon\Application Data\Mozilla\Firefox\Profiles\msrhz7x7.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.absolutepunk.net/index.php
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-14 17:56:27
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MySQL]
"ImagePath"="\"c:\program files\MySQL\MySQL Server 5.0\bin\mysqld-nt\" --defaults-file=\"c:\program files\MySQL\MySQL Server 5.0\my.ini\" MySQL"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(772)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2009-01-14 18:04:47
ComboFix-quarantined-files.txt 2009-01-14 18:03:22
ComboFix2.txt 2009-01-13 19:26:33

Pre-Run: 244,111,241,216 bytes free
Post-Run: 244,092,559,360 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

213

#8 Thunder

Thunder

  • Members
  • 3,294 posts
  • Gender:Male
  • Location:Belgium
  • Local time:07:53 AM

Posted 14 January 2009 - 04:33 PM

Hello Hicksy,

You seem to be good to go again. :thumbsup:

If you no longer have any problems,
you can remove all the tools used and the folders created in the process.
To remove ComboFix:
Go to Start > Run, and copy and paste the following command in the field: ComboFix /u
Make sure there's a space between ComboFix and /u.
Then press Enter.
This will uninstall ComboFix, delete its related folders and files, restore your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

Your Java VM is also out of date. Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older-version Java components and update.

Updating Java:
  • Download the latest version of Java SE Runtime Environment (JRE) 6 Update 11.
  • Scroll down to where it says "The Java SE Runtime Environment (JRE) allows end-users to run Java applications."
  • Click the Download button to the right.
  • Check the box that says: Accept License Agreement.
  • The page will refresh.
  • Click on the link to download Windows Offline Installation (jre-6u11-windows-i586-p.exe) and save it to your desktop.
  • Close any programs you may have running, especially your web browser.
  • Go to Start > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then, from your desktop, double-click on jre-6u11-windows-i586-p.exe to install the newest version.
Greetings,
Thunder

#9 Hicksy

Hicksy
  • Topic Starter

  • Members
  • 5 posts
  • Local time:06:53 AM

Posted 15 January 2009 - 06:48 AM

Woah, it all works again!! Thanks so much, Thunder :) It really means a lot to me. I have all my stuff back again ^^

Much appreciated, and I'll be sending a donation your way, hopefully very soon.

Thanks again, especially for the tips as well.

Damn Java vulnerabilities :thumbsup: hehe.

Take care!!

#10 Thunder

Thunder

  • Members
  • 3,294 posts
  • Gender:Male
  • Location:Belgium
  • Local time:07:53 AM

Posted 15 January 2009 - 07:26 AM

Glad we could help, Hicksy :thumbsup:

Please read this Prevention page, with lots of info and tips on how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here.
Extra note: make sure your programs are up to date, because older versions may contain security leaks.
To find out which programs need to be updated, please run the Secunia Software Inspector scan.

Please also read Tony Klein's excellent article: How I got Infected in the First Place,
and/or Grinler's tutorial on how malware is hidden and installed.

Since this issue appears resolved ... this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.

