
Virtumonde


This topic is locked
10 replies to this topic

#1 cederic

Posted 12 January 2009 - 11:01 AM

Hello, it seems I am infected with Virtumonde. Spy Sweeper, Ad-Aware and Exterminate It! won't kill it. Rescans show it coming back. Here are my logs.
And thanks for the help!!!


DDS (Ver_09-01-07.01) - NTFSx86
Run by Justice at 10:30:15.12 on Mon 01/12/2009
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1023.664 [GMT -6:00]

AV: Webroot AntiVirus with AntiSpyware *On-access scanning enabled* (Updated)
FW: Webroot Internet Security Essentials *disabled*

============== Running Processes ===============

C:\Program Files\Webroot\Spy Sweeper\WRConsumerService.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Fisher-Price\Computer Cool School\FPCCSMiddleware.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\NETGEAR GA311 Adapter\GA311.exe
C:\WINDOWS\system32\LxrJD31s.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Documents and Settings\Justice\My Documents\dds.scr

============== Pseudo HJT Report ===============

uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = 127.0.0.1
uURLSearchHooks: N/A: {0579b4b6-0293-4d73-b02d-5ebb0ba0f0a2} - c:\program files\asksbar\srchastt\1.bin\A2SRCHAS.DLL
mURLSearchHooks: N/A: {0579b4b6-0293-4d73-b02d-5ebb0ba0f0a2} - c:\program files\asksbar\srchastt\1.bin\A2SRCHAS.DLL
BHO: Ask Search Assistant BHO: {0579b4b1-0293-4d73-b02d-5ebb0ba0f0a2} - c:\program files\asksbar\srchastt\1.bin\A2SRCHAS.DLL
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Ask Toolbar BHO: {f0d4b231-da4b-4daf-81e4-dfee4931a4aa} - c:\program files\asksbar\bar\1.bin\ASKSBAR.DLL
BHO: {f6db4687-40c6-4246-8636-71041cf6bb6d} - c:\windows\system32\ssqNDwtq.dll
TB: Ask Toolbar: {f0d4b239-da4b-4daf-81e4-dfee4931a4aa} - c:\program files\asksbar\bar\1.bin\ASKSBAR.DLL
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
mRun: [NvCplDaemon] "c:\windows\system32\rundll32.exe" c:\windows\system32\NvCpl.dll,NvStartup
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [FPCCSMiddleware] "c:\program files\fisher-price\computer cool school\FPCCSMiddleware.exe"
mRun: [SpySweeper] "c:\program files\webroot\spy sweeper\SpySweeperUI.exe" /startintray
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\ga311s~1.lnk - c:\program files\netgear ga311 adapter\GA311.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office10\EXCEL.EXE/3000
Trusted Zone: rcgovt.net\rcgpdc2
Trusted Zone: rutherfordcounty.org\webmail
Trusted Zone: rutherfordcountytn.gov\webmail
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Notify: ssqRLEWq - ssqRLEWq.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, digeste.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\ssqNDwtq

============= SERVICES / DRIVERS ===============

R0 ssfs0bbc;ssfs0bbc;c:\windows\system32\drivers\ssfs0bbc.sys [2008-11-12 29808]
R3 Diag69xp;Diag69xp;c:\windows\system32\drivers\diag69xp.sys [2003-8-15 11237]
R4 aawservice;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\aawservice.exe [2008-5-12 611664]
R4 LANPkt;Realtek LANPkt Protocol;c:\windows\system32\drivers\LANPkt.sys [2003-9-17 8440]
R4 WebrootSpySweeperService;Webroot Spy Sweeper Engine;c:\program files\webroot\spy sweeper\SpySweeper.exe [2008-11-12 3667312]
R4 WRConsumerService;Webroot Client Service;c:\program files\webroot\spy sweeper\WRConsumerService.exe [2009-1-11 1086840]
S3 Ad-Watch Connect Filter;Ad-Watch Connect Kernel Filter;c:\windows\system32\drivers\NSDriver.sys [2008-4-29 15648]
S3 Ad-Watch Real-Time Scanner;AW Real-Time Scanner;c:\windows\system32\drivers\Awrtpd.sys [2008-4-29 12960]
S3 Ad-Watch Registry Filter;Ad-Watch Registry Kernel Filter;c:\windows\system32\drivers\Awrtrd.sys [2008-4-29 15648]

=============== Created Last 30 ================

2009-01-12 08:30 143 a------- c:\windows\system32\mcrh.tmp
2009-01-11 23:09 120 ---sh--- c:\windows\system32\xqctooiy.ini
2009-01-11 23:09 80,896 a------- c:\windows\system32\yiootcqx.dll
2009-01-11 22:33 <DIR> --d----- c:\program files\Lavasoft
2009-01-11 22:32 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2009-01-11 19:11 <DIR> --d----- c:\program files\Trend Micro
2009-01-11 14:26 <DIR> --d----- c:\program files\Exterminate It!
2009-01-11 14:06 <DIR> --d----- C:\VundoFix Backups
2009-01-11 10:59 775,168 a------- c:\windows\isRS-000.tmp
2009-01-11 10:58 <DIR> --d----- C:\Binaries
2009-01-10 23:09 1,256,329 ---sh--- c:\windows\system32\wevccpqh.ini
2009-01-10 23:09 78,336 a------- c:\windows\system32\hqpccvew.dll
2009-01-10 23:05 675,658 a--sh--- c:\windows\system32\qtwDNqss.ini2
2009-01-10 23:05 675,690 a--sh--- c:\windows\system32\qtwDNqss.ini
2009-01-10 23:05 282,624 a------- c:\windows\system32\ssqNDwtq.dll
2009-01-10 23:00 <DIR> --d----- c:\docume~1\justice\applic~1\GetModule
2009-01-10 23:00 198,661 a------- c:\windows\system32\wpv091231602518.cpx
2009-01-09 19:42 <DIR> --d----- c:\program files\NETGEAR GA311 Adapter
2009-01-09 19:42 <DIR> --d----- c:\docume~1\alluse~1\applic~1\{B7A015B7-4802-4678-8CEC-700380BA9AFD}
2009-01-08 18:14 <DIR> --d----- c:\program files\ATT-HSI
2009-01-08 18:14 <DIR> --d----- c:\program files\common files\Motive
2008-12-25 18:33 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Fisher-Price
2008-12-25 18:32 <DIR> --d----- c:\program files\Fisher-Price

==================== Find3M ====================

2008-11-13 17:11 1,553,272 a------- c:\windows\WRSetup.dll
2008-11-10 05:43 410,984 a------- c:\windows\system32\deploytk.dll
2008-04-06 09:41 36,144 a------- c:\docume~1\justice\applic~1\GDIPFONTCACHEV1.DAT

============= FINISH: 10:31:03.47 ===============

Edited by cederic, 12 January 2009 - 11:42 AM.



#2 fenzodahl512

Posted 12 January 2009 - 03:01 PM

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**
  • If you are using Firefox, make sure that your download settings are as follows:
    • Tools->Options->Main tab
    • Set to "Always ask me where to Save the files".
  • During the download, rename Combofix to Combo-Fix as follows:

  • It is important you rename Combofix during the download, but not after.
  • Please do not rename Combofix to other names, but only to the one indicated.
  • Close any open browsers.
  • Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

    -----------------------------------------------------------

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

      -----------------------------------------------------------

    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore your connection.

    -----------------------------------------------------------

  • Double-click on Combo-Fix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the "C:\Combo-Fix.txt" along with a new HijackThis log for further review.
**Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall**

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
It's gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#3 cederic

Posted 12 January 2009 - 04:16 PM

Combo-Fix and HijackThis logs:

ComboFix 09-01-11.04 - Justice 2009-01-12 14:58:23.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1023.635 [GMT -6:00]
Running from: c:\documents and settings\Justice\My Documents\Combo-Fix.exe
AV: Webroot AntiVirus with AntiSpyware *On-access scanning disabled* (Updated)
FW: Webroot Internet Security Essentials *disabled*
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Justice\Application Data\GetModule
c:\documents and settings\Justice\Application Data\GetModule\dicik.gz
c:\documents and settings\Justice\Application Data\GetModule\kwdik.gz
c:\documents and settings\Justice\Application Data\GetModule\ofadik.gz
c:\windows\Downloaded Program Files\setup.inf
c:\windows\system32\encapi32.dll
c:\windows\system32\hqpccvew.dll
c:\windows\system32\mcrh.tmp
c:\windows\system32\qtwDNqss.ini
c:\windows\system32\qtwDNqss.ini2
c:\windows\system32\ssqNDwtq.dll
c:\windows\system32\wevccpqh.ini
c:\windows\system32\wpv091231602518.cpx
c:\windows\system32\xqctooiy.ini
c:\windows\system32\yiootcqx.dll
c:\windows\wiaserviv.log

.
((((((((((((((((((((((((( Files Created from 2008-12-12 to 2009-01-12 )))))))))))))))))))))))))))))))
.

2009-01-11 22:33 . 2009-01-11 22:33 <DIR> d-------- c:\program files\Lavasoft
2009-01-11 22:33 . 2009-01-11 22:43 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2009-01-11 22:32 . 2009-01-11 22:32 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2009-01-11 19:11 . 2009-01-11 19:11 <DIR> d-------- c:\program files\Trend Micro
2009-01-11 17:41 . 2009-01-11 17:41 <DIR> d-------- c:\documents and settings\Administrator
2009-01-11 14:26 . 2009-01-12 08:16 <DIR> d-------- c:\program files\Exterminate It!
2009-01-11 14:06 . 2009-01-11 14:06 <DIR> d-------- C:\VundoFix Backups
2009-01-11 10:59 . 2009-01-11 10:59 775,168 --a------ c:\windows\isRS-000.tmp
2009-01-11 10:58 . 2009-01-11 10:58 <DIR> d-------- C:\Binaries
2009-01-09 19:42 . 2009-01-09 19:42 <DIR> d-------- c:\program files\NETGEAR GA311 Adapter
2009-01-09 19:42 . 2009-01-09 19:42 <DIR> d-------- c:\documents and settings\All Users\Application Data\{B7A015B7-4802-4678-8CEC-700380BA9AFD}
2009-01-08 18:15 . 2009-01-08 18:21 <DIR> d-------- c:\documents and settings\Justice\Application Data\Motive
2009-01-08 18:14 . 2009-01-08 18:14 <DIR> d-------- c:\program files\Common Files\Motive
2009-01-08 18:14 . 2009-01-08 18:14 <DIR> d-------- c:\program files\ATT-HSI
2009-01-08 18:12 . 2009-01-08 18:12 <DIR> d-------- c:\documents and settings\All Users\Application Data\Motive
2008-12-25 18:33 . 2008-12-25 18:33 <DIR> d-------- c:\documents and settings\All Users\Application Data\Fisher-Price
2008-12-25 18:32 . 2008-12-25 18:32 <DIR> d-------- c:\program files\Fisher-Price

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-12 01:48 --------- d-----w c:\program files\Java
2009-01-12 01:10 --------- d-----w c:\program files\Common Files\Adobe
2009-01-11 17:02 --------- d-----w c:\documents and settings\All Users\Application Data\Webroot
2009-01-10 01:42 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-10 22:54 --------- d-----w c:\documents and settings\All Users\Application Data\DVD Shrink
2008-11-13 23:11 1,553,272 ----a-w c:\windows\WRSetup.dll
2008-11-12 22:02 29,808 ----a-w c:\windows\system32\drivers\ssfs0bbc.sys
2008-11-12 22:02 23,152 ----a-w c:\windows\system32\drivers\sshrmd.sys
2008-11-12 22:02 170,608 ----a-w c:\windows\system32\drivers\ssidrv.sys
2008-11-10 11:43 410,984 ----a-w c:\windows\system32\deploytk.dll
2008-04-06 15:41 36,144 ----a-w c:\documents and settings\Justice\Application Data\GDIPFONTCACHEV1.DAT
2006-09-22 14:07 554,433 ----a-w c:\documents and settings\Statistics\excel_windows_datasets.zip
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{0579B4B6-0293-4d73-B02D-5EBB0BA0F0A2}"= "c:\program files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL" [2008-01-11 66912]

[HKEY_CLASSES_ROOT\clsid\{0579b4b6-0293-4d73-b02d-5ebb0ba0f0a2}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0579B4B1-0293-4d73-B02D-5EBB0BA0F0A2}]
2008-01-11 14:51 66912 --a------ c:\program files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2004-10-29 4620288]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-10-19 286720]
"FPCCSMiddleware"="c:\program files\Fisher-Price\Computer Cool School\FPCCSMiddleware.exe" [2008-10-10 538432]
"SpySweeper"="c:\program files\Webroot\Spy Sweeper\SpySweeperUI.exe" [2008-11-13 6273400]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
GA311 Smart Wizard Utility.lnk - c:\program files\NETGEAR GA311 Adapter\GA311.exe [2003-11-06 270336]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 c:\windows\system32\ssqNDwtq

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WRConsumerService]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Dataviz Messenger.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Dataviz Messenger.lnk
backup=c:\windows\pss\Dataviz Messenger.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HotSync Manager.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HotSync Manager.lnk
backup=c:\windows\pss\HotSync Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Launch Pepid Manager.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Launch Pepid Manager.lnk
backup=c:\windows\pss\Launch Pepid Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech SetPoint.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Logitech SetPoint.lnk
backup=c:\windows\pss\Logitech SetPoint.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^VIA RAID TOOL.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\VIA RAID TOOL.lnk
backup=c:\windows\pss\VIA RAID TOOL.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Justice^Start Menu^Programs^Startup^Palm Registration.lnk]
path=c:\documents and settings\Justice\Start Menu\Programs\Startup\Palm Registration.lnk
backup=c:\windows\pss\Palm Registration.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Justice^Start Menu^Programs^Startup^Reboot.exe]
path=c:\documents and settings\Justice\Start Menu\Programs\Startup\Reboot.exe
backup=c:\windows\pss\Reboot.exeStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
--a------ 2005-06-06 23:46 57344 c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EEventManager]
--a------ 2005-04-08 14:09 102400 c:\program files\epson\Creativity Suite\Event Manager\EEventManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]
--a------ 2002-11-22 13:49 188416 c:\windows\system32\spool\drivers\w32x86\3\hpztsb07.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHmon04]
--a------ 2002-11-22 13:48 348160 c:\windows\system32\hphmon04.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHUPD04]
--a------ 2002-11-22 13:50 49152 c:\program files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM]
--a------ 2006-03-20 16:34 213936 c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBJ]
--a------ 2004-12-07 16:44 1884160 c:\progra~1\Ahead\NEROBA~1\NBJ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 10:50 155648 c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2004-10-29 16:50 4620288 c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2004-10-29 16:50 86016 c:\windows\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Share-to-Web Namespace Daemon]
--a------ 2002-04-17 10:42 69632 c:\program files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Logitech Hardware Abstraction Layer]
--a------ 2006-01-20 17:46 28160 c:\windows\KHALMNPR.Exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2004-10-29 16:50 921600 c:\windows\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
--a------ 2004-09-16 06:39 69632 c:\windows\SOUNDMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Sony\\Media Manager for WALKMAN\\MediaManager.exe"=
"c:\\Program Files\\Palm\\HOTSYNC.EXE"=
"c:\\WINDOWS\\system32\\fxsclnt.exe"=
"c:\\Program Files\\ATT-HSI\\McciBrowser.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=

R0 ssfs0bbc;ssfs0bbc;c:\windows\system32\drivers\ssfs0bbc.sys [2008-11-12 29808]
R3 Diag69xp;Diag69xp;c:\windows\system32\drivers\diag69xp.sys [2003-08-15 11237]
R4 LANPkt;Realtek LANPkt Protocol;c:\windows\system32\drivers\LANPkt.sys [2003-09-17 8440]
R4 WRConsumerService;Webroot Client Service;c:\program files\Webroot\Spy Sweeper\WRConsumerService.exe [2009-01-11 1086840]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{bebcfc10-de5b-11db-a78b-e07c51c87f4b}]
\Shell\AutoRun\command - j:\jdsecure\Windows\JDSecure31.exe
.
Contents of the 'Scheduled Tasks' folder

2009-01-12 c:\windows\Tasks\HP Usg Login.job
- c:\program files\hp photosmart 11\printer\Hphusg04.exe [2002-11-22 13:50]

2009-01-12 c:\windows\Tasks\xlazfcvk.job
- c:\windows\system32\rundll32.exe [2004-08-04 00:56]
.
- - - - ORPHANS REMOVED - - - -

BHO-{F6DB4687-40C6-4246-8636-71041CF6BB6D} - c:\windows\system32\ssqNDwtq.dll
HKLM-Run-SunJavaUpdateSched - c:\program files\Java\jre6\bin\jusched.exe
Notify-ssqRLEWq - ssqRLEWq.dll
MSConfigStartUp-4caef5d3 - c:\windows\system32\yiootcqx.dll
MSConfigStartUp-GetModule33 - c:\program files\GetModule\GetModule33.exe
MSConfigStartUp-System - c:\windows\system32\kernelwind32.exe
MSConfigStartUp-Windows update loader - c:\windows\xpupdate.exe


.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = 127.0.0.1
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office10\EXCEL.EXE/3000
Trusted Zone: rcgpdc2.rcgovt.net
Trusted Zone: webmail.rutherfordcounty.org
Trusted Zone: webmail.rutherfordcountytn.gov

O16 -: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
c:\windows\Downloaded Program Files\DirectAnimation Java Classes.osd

O16 -: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
c:\windows\Downloaded Program Files\Microsoft XML Parser for Java.osd
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-12 15:04:41
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\windows\system32\LxrJD31s.exe
c:\program files\Common Files\Motive\McciCMService.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Webroot\Spy Sweeper\SpySweeper.exe
c:\program files\Webroot\Spy Sweeper\SSU.exe
.
**************************************************************************
.
Completion time: 2009-01-12 15:07:12 - machine was rebooted
ComboFix-quarantined-files.txt 2009-01-12 21:07:08

Pre-Run: 71,257,731,072 bytes free
Post-Run: 71,408,955,392 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

215


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:09:53 PM, on 1/12/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Program Files\Webroot\Spy Sweeper\WRConsumerService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LxrJD31s.exe
C:\Program Files\Fisher-Price\Computer Cool School\FPCCSMiddleware.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\Program Files\NETGEAR GA311 Adapter\GA311.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: (no name) - {0579B4B6-0293-4d73-B02D-5EBB0BA0F0A2} - C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL
O2 - BHO: Ask Search Assistant BHO - {0579B4B1-0293-4d73-B02D-5EBB0BA0F0A2} - C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (file missing)
O2 - BHO: Ask Toolbar BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
O3 - Toolbar: Ask Toolbar - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
O4 - HKLM\..\Run: [NvCplDaemon] "C:\WINDOWS\system32\RUNDLL32.EXE" C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [FPCCSMiddleware] "C:\Program Files\Fisher-Price\Computer Cool School\FPCCSMiddleware.exe"
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - Global Startup: GA311 Smart Wizard Utility.lnk = C:\Program Files\NETGEAR GA311 Adapter\GA311.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O15 - Trusted Zone: http://rcgpdc2.rcgovt.net
O15 - Trusted Zone: http://webmail.rutherfordcounty.org
O15 - Trusted Zone: http://webmail.rutherfordcountytn.gov
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1225643070001
O16 - DPF: {74C861A1-D548-4916-BC8A-FDE92EDFF62C} - http://mediaplayer.walmart.com/installer/install.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/pub/shock...ash/swflash.cab
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Lexar JD31 (LxrJD31s) - Unknown owner - C:\WINDOWS\SYSTEM32\LxrJD31s.exe
O23 - Service: McciCMService - Motive Communications, Inc. - C:\Program Files\Common Files\Motive\McciCMService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\System32\HPHipm11.exe
O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. (www.webroot.com) - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
O23 - Service: Webroot Client Service (WRConsumerService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRConsumerService.exe
O24 - Desktop Component 0: (no name) - file:///H:/images/noflash.jpg

--
End of file - 4339 bytes

#4 fenzodahl512

Posted 12 January 2009 - 10:46 PM

1. Please open Notepad
  • Click Start, then Run
  • Type notepad.exe in the Run Box.
2. Now copy/paste the entire content of the codebox below into the Notepad window:

KillAll::

File::
c:\windows\Tasks\xlazfcvk.job

Registry::
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.



5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.

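An added example, not part of this thread and not ComboFix's own code, showing what the Registry:: stanza in the script above actually writes and how to check the LSA line in the DDS/ComboFix logs for the same problem. The two log lines embedded as sample input are copied from the logs posted earlier in the thread. The baseline of a single msv1_0 package is the stock XP default and is an assumption here: a machine with a third-party authentication package installed would need that package added to the baseline. The encoder uses the REGEDIT4 single-byte hex(7) form that ComboFix scripts accept, which is why "msv1_0" followed by its own NUL terminator and the list's closing NUL gives exactly the eight bytes in the script.

```python
import re

# Sample input: the two LSA lines copied from the DDS and ComboFix logs
# posted above (DDS "Pseudo HJT" section and ComboFix "Reg Loading Points").
SAMPLE_LOG = """\
LSA: Authentication Packages = msv1_0 c:\\windows\\system32\\ssqNDwtq
Authentication Packages REG_MULTI_SZ msv1_0 c:\\windows\\system32\\ssqNDwtq
"""

# Stock XP value. Assumption: no legitimate third-party auth package installed.
DEFAULT_AUTH_PACKAGES = ["msv1_0"]

# Matches both log styles: "... Packages = a b" and "... Packages REG_MULTI_SZ a b".
_LSA_RE = re.compile(r"Authentication Packages\s*(?:=|REG_MULTI_SZ)\s*(.+)$")


def parse_auth_packages_line(line):
    """Return the package list from a DDS/ComboFix LSA line, or None if not one.

    The logs print the REG_MULTI_SZ entries separated by spaces, so this splits
    on whitespace; an entry whose path contains spaces would need the value
    read from the registry directly rather than from the log text."""
    m = _LSA_RE.search(line)
    if not m:
        return None
    return m.group(1).split()


def unexpected_packages(packages, baseline=DEFAULT_AUTH_PACKAGES):
    """Entries outside the baseline. Vundo's extra DLL shows up here."""
    allowed = {b.lower() for b in baseline}
    return [p for p in packages if p.lower() not in allowed]


def encode_multi_sz(strings):
    """Encode a list of strings as a .reg 'hex(7):' REG_MULTI_SZ value.

    Each string gets a NUL terminator and the whole list gets one more NUL;
    REGEDIT4-style scripts use one byte per character for hex(7)."""
    data = b"".join(s.encode("ascii") + b"\x00" for s in strings) + b"\x00"
    return "hex(7):" + ",".join(f"{b:02x}" for b in data)


def decode_multi_sz(value):
    """Inverse of encode_multi_sz: parse 'hex(7):6d,73,...' back to a list."""
    if not value.startswith("hex(7):"):
        raise ValueError("not a REG_MULTI_SZ hex(7) value")
    body = value[len("hex(7):"):]
    raw = bytes(int(x, 16) for x in body.split(",") if x.strip())
    # The double NUL at the end yields empty pieces; drop them.
    return [p.decode("ascii") for p in raw.split(b"\x00") if p]


def build_reg_fix(packages=DEFAULT_AUTH_PACKAGES):
    """The Registry:: stanza that restores the baseline value, as the script above does."""
    return (
        "[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa]\n"
        f'"Authentication Packages"={encode_multi_sz(packages)}'
    )


def audit_log(text):
    """Scan log text; return a (packages, unexpected) pair for each LSA line found."""
    findings = []
    for line in text.splitlines():
        packages = parse_auth_packages_line(line)
        if packages is not None:
            findings.append((packages, unexpected_packages(packages)))
    return findings


if __name__ == "__main__":
    for packages, bad in audit_log(SAMPLE_LOG):
        print("packages:", packages, "unexpected:", bad)
    print(build_reg_fix())
```

Running it prints the rogue entry from both log lines and the same two-line Registry:: stanza as the CFScript; decode_multi_sz on the script's hex(7) value gives back ["msv1_0"], which is the check worth doing before handing a hand-written stanza to ComboFix, since a missing final NUL or a stray byte silently produces a different value.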


#5 cederic

Posted 13 January 2009 - 01:03 AM

ComboFix 09-01-11.04 - Justice 2009-01-12 23:51:01.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1023.678 [GMT -6:00]
Running from: c:\documents and settings\Justice\My Documents\Combo-Fix.exe
Command switches used :: c:\documents and settings\Justice\Desktop\CFScript.txt
AV: Webroot AntiVirus with AntiSpyware *On-access scanning disabled* (Updated)
FW: Webroot Internet Security Essentials *disabled*
* Created a new restore point

FILE ::
c:\windows\Tasks\xlazfcvk.job
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Tasks\xlazfcvk.job

.
((((((((((((((((((((((((( Files Created from 2008-12-13 to 2009-01-13 )))))))))))))))))))))))))))))))
.

2009-01-11 22:33 . 2009-01-11 22:33 <DIR> d-------- c:\program files\Lavasoft
2009-01-11 22:33 . 2009-01-11 22:43 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2009-01-11 22:32 . 2009-01-11 22:32 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2009-01-11 19:11 . 2009-01-11 19:11 <DIR> d-------- c:\program files\Trend Micro
2009-01-11 17:41 . 2009-01-11 17:41 <DIR> d-------- c:\documents and settings\Administrator
2009-01-11 14:26 . 2009-01-12 23:15 <DIR> d-------- c:\program files\Exterminate It!
2009-01-11 14:06 . 2009-01-11 14:06 <DIR> d-------- C:\VundoFix Backups
2009-01-11 10:59 . 2009-01-11 10:59 775,168 --a------ c:\windows\isRS-000.tmp
2009-01-11 10:58 . 2009-01-11 10:58 <DIR> d-------- C:\Binaries
2009-01-09 19:42 . 2009-01-09 19:42 <DIR> d-------- c:\program files\NETGEAR GA311 Adapter
2009-01-09 19:42 . 2009-01-09 19:42 <DIR> d-------- c:\documents and settings\All Users\Application Data\{B7A015B7-4802-4678-8CEC-700380BA9AFD}
2009-01-08 18:15 . 2009-01-08 18:21 <DIR> d-------- c:\documents and settings\Justice\Application Data\Motive
2009-01-08 18:14 . 2009-01-08 18:14 <DIR> d-------- c:\program files\Common Files\Motive
2009-01-08 18:14 . 2009-01-08 18:14 <DIR> d-------- c:\program files\ATT-HSI
2009-01-08 18:12 . 2009-01-08 18:12 <DIR> d-------- c:\documents and settings\All Users\Application Data\Motive
2008-12-25 18:33 . 2008-12-25 18:33 <DIR> d-------- c:\documents and settings\All Users\Application Data\Fisher-Price
2008-12-25 18:32 . 2008-12-25 18:32 <DIR> d-------- c:\program files\Fisher-Price

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-12 01:48 --------- d-----w c:\program files\Java
2009-01-12 01:10 --------- d-----w c:\program files\Common Files\Adobe
2009-01-11 17:02 --------- d-----w c:\documents and settings\All Users\Application Data\Webroot
2009-01-10 01:42 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-10 22:54 --------- d-----w c:\documents and settings\All Users\Application Data\DVD Shrink
2008-11-13 23:11 1,553,272 ----a-w c:\windows\WRSetup.dll
2008-11-10 11:43 410,984 ----a-w c:\windows\system32\deploytk.dll
2008-04-06 15:41 36,144 ----a-w c:\documents and settings\Justice\Application Data\GDIPFONTCACHEV1.DAT
2006-09-22 14:07 554,433 ----a-w c:\documents and settings\Statistics\excel_windows_datasets.zip
.

((((((((((((((((((((((((((((( snapshot@2009-01-12_15.06.21.40 )))))))))))))))))))))))))))))))))))))))))
.
- 2009-01-12 14:37:25 32,768 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2009-01-13 05:22:51 32,768 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2009-01-12 14:37:25 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-01-13 05:22:51 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2009-01-12 21:04:40 3,760 ----a-w c:\windows\Temp\wrstemp\S-1-5-18.dat
+ 2009-01-13 05:53:58 3,748 ----a-w c:\windows\Temp\wrstemp\S-1-5-18.dat
- 2009-01-12 21:04:40 4,182 ----a-w c:\windows\Temp\wrstemp\S-1-5-19.dat
+ 2009-01-13 05:53:58 4,182 ----a-w c:\windows\Temp\wrstemp\S-1-5-19.dat
- 2009-01-12 21:04:40 4,250 ----a-w c:\windows\Temp\wrstemp\S-1-5-20.dat
+ 2009-01-13 05:53:58 4,250 ----a-w c:\windows\Temp\wrstemp\S-1-5-20.dat
- 2009-01-12 21:04:44 5,008 ----a-w c:\windows\Temp\wrstemp\S-1-5-21-1708537768-1993962763-854245398-1004.dat
+ 2009-01-13 05:54:05 5,008 ----a-w c:\windows\Temp\wrstemp\S-1-5-21-1708537768-1993962763-854245398-1004.dat
- 2009-01-12 21:04:40 4,460 ----a-w c:\windows\Temp\wrstemp\S-1-5-21-1708537768-1993962763-854245398-500.dat
+ 2009-01-13 05:53:58 4,460 ----a-w c:\windows\Temp\wrstemp\S-1-5-21-1708537768-1993962763-854245398-500.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{0579B4B6-0293-4d73-B02D-5EBB0BA0F0A2}"= "c:\program files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL" [2008-01-11 66912]

[HKEY_CLASSES_ROOT\clsid\{0579b4b6-0293-4d73-b02d-5ebb0ba0f0a2}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0579B4B1-0293-4d73-B02D-5EBB0BA0F0A2}]
2008-01-11 14:51 66912 --a------ c:\program files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2004-10-29 4620288]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-10-19 286720]
"FPCCSMiddleware"="c:\program files\Fisher-Price\Computer Cool School\FPCCSMiddleware.exe" [2008-10-10 538432]
"SpySweeper"="c:\program files\Webroot\Spy Sweeper\SpySweeperUI.exe" [2008-11-13 6273400]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
GA311 Smart Wizard Utility.lnk - c:\program files\NETGEAR GA311 Adapter\GA311.exe [2003-11-06 270336]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WRConsumerService]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Dataviz Messenger.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Dataviz Messenger.lnk
backup=c:\windows\pss\Dataviz Messenger.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HotSync Manager.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HotSync Manager.lnk
backup=c:\windows\pss\HotSync Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Launch Pepid Manager.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Launch Pepid Manager.lnk
backup=c:\windows\pss\Launch Pepid Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech SetPoint.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Logitech SetPoint.lnk
backup=c:\windows\pss\Logitech SetPoint.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^VIA RAID TOOL.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\VIA RAID TOOL.lnk
backup=c:\windows\pss\VIA RAID TOOL.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Justice^Start Menu^Programs^Startup^Palm Registration.lnk]
path=c:\documents and settings\Justice\Start Menu\Programs\Startup\Palm Registration.lnk
backup=c:\windows\pss\Palm Registration.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Justice^Start Menu^Programs^Startup^Reboot.exe]
path=c:\documents and settings\Justice\Start Menu\Programs\Startup\Reboot.exe
backup=c:\windows\pss\Reboot.exeStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
--a------ 2005-06-06 23:46 57344 c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EEventManager]
--a------ 2005-04-08 14:09 102400 c:\program files\epson\Creativity Suite\Event Manager\EEventManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]
--a------ 2002-11-22 13:49 188416 c:\windows\system32\spool\drivers\w32x86\3\hpztsb07.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHmon04]
--a------ 2002-11-22 13:48 348160 c:\windows\system32\hphmon04.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHUPD04]
--a------ 2002-11-22 13:50 49152 c:\program files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM]
--a------ 2006-03-20 16:34 213936 c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBJ]
--a------ 2004-12-07 16:44 1884160 c:\progra~1\Ahead\NEROBA~1\NBJ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 10:50 155648 c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2004-10-29 16:50 4620288 c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2004-10-29 16:50 86016 c:\windows\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Share-to-Web Namespace Daemon]
--a------ 2002-04-17 10:42 69632 c:\program files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Logitech Hardware Abstraction Layer]
--a------ 2006-01-20 17:46 28160 c:\windows\KHALMNPR.Exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2004-10-29 16:50 921600 c:\windows\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
--a------ 2004-09-16 06:39 69632 c:\windows\SOUNDMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Sony\\Media Manager for WALKMAN\\MediaManager.exe"=
"c:\\Program Files\\Palm\\HOTSYNC.EXE"=
"c:\\WINDOWS\\system32\\fxsclnt.exe"=
"c:\\Program Files\\ATT-HSI\\McciBrowser.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=

R0 ssfs0bbc;ssfs0bbc;c:\windows\system32\drivers\ssfs0bbc.sys [2008-11-12 29808]
R3 Diag69xp;Diag69xp;c:\windows\system32\drivers\diag69xp.sys [2003-08-15 11237]
R4 LANPkt;Realtek LANPkt Protocol;c:\windows\system32\drivers\LANPkt.sys [2003-09-17 8440]
R4 WRConsumerService;Webroot Client Service;c:\program files\Webroot\Spy Sweeper\WRConsumerService.exe [2009-01-11 1086840]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{bebcfc10-de5b-11db-a78b-e07c51c87f4b}]
\Shell\AutoRun\command - j:\jdsecure\Windows\JDSecure31.exe
.
Contents of the 'Scheduled Tasks' folder

2009-01-13 c:\windows\Tasks\HP Usg Login.job
- c:\program files\hp photosmart 11\printer\Hphusg04.exe [2002-11-22 13:50]
.
.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = 127.0.0.1
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office10\EXCEL.EXE/3000
Trusted Zone: rcgpdc2.rcgovt.net
Trusted Zone: webmail.rutherfordcounty.org
Trusted Zone: webmail.rutherfordcountytn.gov

O16 -: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
c:\windows\Downloaded Program Files\DirectAnimation Java Classes.osd

O16 -: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
c:\windows\Downloaded Program Files\Microsoft XML Parser for Java.osd
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-12 23:53:57
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\windows\system32\LxrJD31s.exe
c:\program files\Common Files\Motive\McciCMService.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Webroot\Spy Sweeper\SpySweeper.exe
c:\program files\Webroot\Spy Sweeper\SSU.exe
.
**************************************************************************
.
Completion time: 2009-01-12 23:56:33 - machine was rebooted
ComboFix-quarantined-files.txt 2009-01-13 05:56:28
ComboFix2.txt 2009-01-13 05:25:59
ComboFix3.txt 2009-01-12 21:07:14

Pre-Run: 71,398,010,880 bytes free
Post-Run: 71,387,541,504 bytes free

200


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:57:59 PM, on 1/12/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Program Files\Webroot\Spy Sweeper\WRConsumerService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Fisher-Price\Computer Cool School\FPCCSMiddleware.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\NETGEAR GA311 Adapter\GA311.exe
C:\WINDOWS\system32\LxrJD31s.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: (no name) - {0579B4B6-0293-4d73-B02D-5EBB0BA0F0A2} - C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL
O2 - BHO: Ask Search Assistant BHO - {0579B4B1-0293-4d73-B02D-5EBB0BA0F0A2} - C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (file missing)
O2 - BHO: Ask Toolbar BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
O3 - Toolbar: Ask Toolbar - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
O4 - HKLM\..\Run: [NvCplDaemon] "C:\WINDOWS\system32\RUNDLL32.EXE" C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [FPCCSMiddleware] "C:\Program Files\Fisher-Price\Computer Cool School\FPCCSMiddleware.exe"
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - Global Startup: GA311 Smart Wizard Utility.lnk = C:\Program Files\NETGEAR GA311 Adapter\GA311.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O15 - Trusted Zone: http://rcgpdc2.rcgovt.net
O15 - Trusted Zone: http://webmail.rutherfordcounty.org
O15 - Trusted Zone: http://webmail.rutherfordcountytn.gov
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1225643070001
O16 - DPF: {74C861A1-D548-4916-BC8A-FDE92EDFF62C} - http://mediaplayer.walmart.com/installer/install.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/pub/shock...ash/swflash.cab
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Lexar JD31 (LxrJD31s) - Unknown owner - C:\WINDOWS\SYSTEM32\LxrJD31s.exe
O23 - Service: McciCMService - Motive Communications, Inc. - C:\Program Files\Common Files\Motive\McciCMService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\System32\HPHipm11.exe
O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. (www.webroot.com) - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
O23 - Service: Webroot Client Service (WRConsumerService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRConsumerService.exe
O24 - Desktop Component 0: (no name) - file:///H:/images/noflash.jpg

--
End of file - 4291 bytes

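The ComboFix and HijackThis logs above are what a helper reads by eye before writing a fix script. As an added example (my own code, not part of this thread and not output of ComboFix, HijackThis or ESET), the Python below applies the indicators visible in those logs to a few sample lines: the random-looking .job name under c:\windows\Tasks that ComboFix listed under "Other Deletions", the three Security Center notification values set to 1, the AskSBar URLSearchHook/BHO/toolbar entries that the later ESET scan classified as Win32/Toolbar.AskSBar, a BHO whose DLL is marked "(file missing)", and a per-volume AutoRun command under mountpoints2. The sample lines are re-typed excerpts, and the rule names, severities and the vowel-ratio heuristic for "random" task names are assumptions of this example, not anything either tool emits.

```python
import re

# Constructed sample: excerpts in the shape of the ComboFix and HijackThis
# logs posted in this thread, re-typed here as test input. This is not a
# complete parser for either tool's output.
SAMPLE_LOG = r"""
c:\windows\Tasks\xlazfcvk.job
2009-01-13 c:\windows\Tasks\HP Usg Login.job
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
\Shell\AutoRun\command - j:\jdsecure\Windows\JDSecure31.exe
R3 - URLSearchHook: (no name) - {0579B4B6-0293-4d73-B02D-5EBB0BA0F0A2} - C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL
O2 - BHO: Ask Search Assistant BHO - {0579B4B1-0293-4d73-B02D-5EBB0BA0F0A2} - C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (file missing)
O3 - Toolbar: Ask Toolbar - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O23 - Service: Lexar JD31 (LxrJD31s) - Unknown owner - C:\WINDOWS\SYSTEM32\LxrJD31s.exe
"""

# Rule patterns (assumed for this example; rule names and severities are mine).
TASK_RE = re.compile(r"\\Tasks\\([a-z]{6,12})\.job\s*$")
SC_VALUE_RE = re.compile(r'^"(\w+)"=dword:0*1$')
SC_TAMPER_VALUES = {"AntiVirusDisableNotify", "AntiVirusOverride",
                    "FirewallDisableNotify", "FirewallOverride",
                    "UpdatesDisableNotify"}
ASK_RE = re.compile(r"^(R3|O2|O3) - .*\\AskSBar\\", re.IGNORECASE)
AUTORUN_RE = re.compile(r"\\Shell\\AutoRun\\command - ([a-z]):\\", re.IGNORECASE)


def looks_random(name):
    """Cheap heuristic: pronounceable names contain vowels; Vundo-style
    task names such as xlazfcvk mostly do not."""
    vowels = sum(ch in "aeiou" for ch in name)
    return vowels / len(name) < 0.3


def triage(lines):
    """Return (severity, rule, line) for every line that trips a rule."""
    findings = []
    current_key = None  # registry key of the REGEDIT4-style block we are in
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1].lower()
            continue
        if not line.startswith('"'):
            current_key = None  # left the quoted value list of that key
        m = TASK_RE.search(line)
        if m and looks_random(m.group(1)):
            findings.append(("high", "random-task-name", line))
        m = SC_VALUE_RE.match(line)
        if (m and current_key and "security center" in current_key
                and m.group(1) in SC_TAMPER_VALUES):
            # Also set by some third-party suites; confirm before acting.
            findings.append(("medium", "security-center-suppressed", line))
        if ASK_RE.match(line):
            findings.append(("low", "ask-toolbar", line))
        if "(file missing)" in line:
            findings.append(("info", "orphan-entry", line))
        if AUTORUN_RE.search(line):
            findings.append(("medium", "volume-autorun", line))
    return findings


def summarize(findings):
    """Count findings per severity."""
    counts = {}
    for severity, _, _ in findings:
        counts[severity] = counts.get(severity, 0) + 1
    return counts


if __name__ == "__main__":
    results = triage(SAMPLE_LOG.splitlines())
    for severity, rule, line in results:
        print(f"[{severity:6}] {rule:28} {line}")
    print(summarize(results))
```

On the sample above this reports one high (the xlazfcvk task), four medium (three Security Center values plus the J: AutoRun handler), three low (the AskSBar entries) and one informational orphan BHO. The Security Center values are also written by some legitimate third-party suites to silence duplicate warnings, so they are a tamper indicator to confirm rather than proof of infection, and the Ask toolbar is unwanted software rather than Vundo itself; the ESET result in this thread treated it the same way.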
#6 fenzodahl512

Posted 13 January 2009 - 07:03 AM

Please run a free online scan with the ESET Online Scanner
Note: You will need to use Internet Explorer for this scan.
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the options Remove found threats and Scan unwanted applications are checked
  • Click Scan
    Wait for the scan to finish
  • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic
How's the computer now? :thumbsup:

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
Its gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#7 cederic (Topic Starter)

Posted 15 January 2009 - 11:34 PM

First Scan....

# version=4
# OnlineScanner.ocx=1.0.0.56
# OnlineScannerDLLA.dll=1, 0, 0, 51
# OnlineScannerDLLW.dll=1, 0, 0, 51
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=3761 (20090113)
# vers_arch_module=1.064 (20080214)
# vers_adv_heur_module=1.066 (20070917)
# EOSSerial=6ccb2c45859d2b45b80d83c69a8fe445
# end=finished
# remove_checked=true
# unwanted_checked=true
# utc_time=2009-01-13 03:58:29
# local_time=2009-01-13 09:58:29 (-0600, Central Standard Time)
# country="United States"
# osver=5.1.2600 NT Service Pack 2
# scanned=166717
# found=2
# scan_time=2690
C:\Documents and Settings\Justice\Application Data\Sun\Java\Deployment\cache\6.0\43\7d3deceb-354aa5f3 Java/TrojanDownloader.OpenStream.NAC trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL Win32/Toolbar.AskSBar application (unable to clean - deleted (after the next restart)) 00000000000000000000000000000000


I've shut down and restarted the computer multiple times, along with heavy internet usage. Scanned with Spysweeper, Ad-Aware, etc. No pop-ups. No malware prompts. Sweeps and scans come out clean.
Looks good. I'll keep my fingers crossed!!!

THANKS A BUNCH, YOU ROCK!!!!

#8 fenzodahl512

Posted 16 January 2009 - 01:37 AM

Awesome!! Lets do some cleanup...


Please download OTCleanIt and save it to Desktop.
  • Make sure you have internet connection..
  • Double-click OTCleanIt.exe
  • Click the CleanUp! button.
  • Select Yes when the "Begin cleanup Process?" prompt appears.
  • If you are prompted to Reboot during the cleanup, select Yes



Please read these excellent articles by miekiemoes :
Help! My computer is slow!
How to prevent Malware

Please reply to this thread once more and tell us about the computer behaviour before we can close this thread :thumbsup:



Have a safe and happy computing day!


Regards
fenzodahl512



#9 cederic (Topic Starter)

Posted 18 January 2009 - 01:52 PM

I ran one last ESET scan, and here it is....

# version=4
# OnlineScanner.ocx=1.0.0.56
# OnlineScannerDLLA.dll=1, 0, 0, 51
# OnlineScannerDLLW.dll=1, 0, 0, 51
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=3774 (20090117)
# vers_arch_module=1.064 (20080214)
# vers_adv_heur_module=1.066 (20070917)
# EOSSerial=6ccb2c45859d2b45b80d83c69a8fe445
# end=finished
# remove_checked=true
# unwanted_checked=true
# utc_time=2009-01-18 05:39:00
# local_time=2009-01-18 11:39:00 (-0600, Central Standard Time)
# country="United States"
# osver=5.1.2600 NT Service Pack 2
# scanned=168399
# found=0
# scan_time=1398


No problems found, computer runs great. NO pop ups.

Just to recap...I started noticing a lot of pop ups, and the computer seemed to be engaged in processes when it should have been "quiet". Ran my Webroot Spysweeper and it found "Virtumonde", I attempted to quarantine and remove, but it always came back after reboots of the computer. Other items found after updating my Spysweeper (I had not updated for a long time...)
Virtumonde, Internet Speed Monitor, Trojan Horse: storm.gen, Virus(es): Mal/Behav-181, mal/Dorf-d, mal/dorf-e, mal/fakavjs-a, mal/psyme-a, mal/tibspak, mal/tibspk-a, mal/tibspk-d, troj/agent-iov, troj/dloader-kh, troj/virtum-gen, troj/zlob-arh. Again, Quarantine and kill would not work for Virtumonde.
Before coming to this board I added Ad-aware (lavasoft product), but it did not see any of those things that spysweeper found.
I followed the instructions in this post from the experts, and it looks like it worked.

All scans come up clean.

Some curious things have happened as a result, though. My Spysweeper and Ad-Aware no longer load when Windows starts. There is not even an option for this when I look at the file through "msconfig" startup options. The only thing checked is my wireless DSL modem. I have checked the options for the software to allow this load upon startup, but it will not. I can live with this. All I have to remember is to manually load it after startup, and it works fine.
Another thing with my computer is that when I click to shut down, the computer reboots and loads windows again. It will shut down after clicking shut down again, but it always takes two times to get it turned off for good.

Anyways, I am happy. I can't begin to say how thankful I am to those who helped me. You saved me a lot of time and effort performing a back-up and reformat, and I was very close to doing that!

Thanks Again!!!!!!!!!

#10 fenzodahl512

Posted 20 January 2009 - 05:13 AM

My spysweeper and ad-aware no longer load when Windows starts.


Please uninstall and re-install both applications..

Another thing with my computer is that when I click to shut down, the computer reboots and loads windows again. It will shut down after clicking shut down again, but it always takes two times to get it turned off for good.


Not sure about that.. Please post the shutdown problem in our Windows XP forum below

http://www.bleepingcomputer.com/forums/f/56/windows-xp-home-and-professional/


Do you have anymore questions? :thumbsup:



#11 fenzodahl512

Posted 26 January 2009 - 06:44 PM

I will now close this topic. If you need this topic to be re-opened, please PM me or the Moderators regarding the matter..

If you have any new malware related questions or issues in the future please start a new topic.

Cheers and Happy Computing!

fenzodahl512
