Infected with Virtumonde (cleaned but still have problems)


  • This topic is locked
8 replies to this topic

#1 mav253

mav253

  • Members
  • 26 posts

Posted 15 January 2009 - 09:26 PM

Yesterday I got a virus called Virtumonde and I cleaned it with ComboFix; it worked fine and removed it (I think). Then when I go on the internet and open up any site, a window pops up with a blank screen, and sometimes more windows will open, like 56 or more. Here is my DDS/HijackThis log.

DDS (Ver_09-01-07.01) - NTFSx86
Run by Ernest at 21:10:05.67 on Thu 01/15/2009
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.503.110 [GMT -5:00]

AV: ESET Smart Security 3.0 *On-access scanning enabled* (Updated)
FW: ESET Personal firewall *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Ulead Systems\AutoDetector\monitor.exe
C:\Documents and Settings\Ernest\Desktop\logmein\x86\LogMeInSystray.exe
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\DNA\btdna.exe
C:\Program Files\Vidalia Bundle\Privoxy\privoxy.exe
C:\Documents and Settings\Ernest\Desktop\logmein\x86\LMIGuardian.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\uTorrent\uTorrent.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Ernest\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://google.com/
uInternet Settings,ProxyOverride = local;*.local
BHO: {58aaec49-2e9a-40ce-8f29-bff97eec0f57} - c:\windows\system32\hgGwTnkH.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: {571920fc-0537-dabb-e594-7c330326050f}: {f0506230-33c7-495e-bbad-7350cf029175} - c:\windows\system32\xpbgso.dll
TB: RefresherBand Class: {b24ba06e-fb7b-4757-95c2-dc01125f750e} - c:\progra~1\yrefre~1\YREFRE~1.DLL
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [Aim6] "c:\program files\aim6\aim6.exe" /d locale=en-US ee://aol/imApp
uRun: [MsnMsgr] "c:\program files\windows live\messenger\MsnMsgr.Exe" /background
uRun: [BitTorrent DNA] "c:\program files\dna\btdna.exe"
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [High Definition Audio Property Page Shortcut] HDAShCut.exe
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [AlcWzrd] ALCWZRD.EXE
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [UVS10 Preload] c:\program files\ulead systems\ulead videostudio se\uvPL.exe
mRun: [Ulead AutoDetector v2] c:\program files\common files\ulead systems\autodetector\monitor.exe
mRun: [LogMeIn GUI] "c:\documents and settings\ernest\desktop\logmein\x86\LogMeInSystray.exe"
mRun: [egui] "c:\program files\eset\eset smart security\egui.exe" /hide /waitservice
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRunOnce: [CleanSetup] cmd /C rmdir /S /Q "c:\documents and settings\ernest\local settings\temp\nro.tmp\"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\privoxy.lnk - c:\program files\vidalia bundle\privoxy\privoxy.exe
dPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
dPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
IE: Add all items to the auction list - c:\program files\rkd\auctionnavigator\BidCtxtClick.dll/202
IE: Add this item to the auction list - c:\program files\rkd\auctionnavigator\BidCtxtClick.dll/201
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office10\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Notify: igfxcui - igfxdev.dll
Notify: LMIinit - LMIinit.dll
AppInit_DLLs: eznfvb.dll xpbgso.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\ernest\applic~1\mozilla\firefox\profiles\vhmzrbj8.default\
FF - prefs.js: browser.search.selectedEngine - Winzy
FF - prefs.js: browser.startup.homepage - hxxp://google.com/
FF - component: c:\documents and settings\ernest\application data\mozilla\firefox\profiles\vhmzrbj8.default\extensions\{d02b1e87-a8c6-433f-9b5c-2cec4a072736}\components\susfox3.dll
FF - plugin: c:\documents and settings\ernest\application data\mozilla\firefox\profiles\vhmzrbj8.default\extensions\logmeinclient@logmein.com\plugins\npRACtrl.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npRACtrl.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll

============= SERVICES / DRIVERS ===============

R3 radpms;Driver for RADPMS Device;c:\windows\system32\drivers\radpms.sys [2008-2-28 12192]
R4 ekrn;Eset Service;c:\program files\eset\eset smart security\ekrn.exe [2007-12-21 468224]
R4 LMIInfo;LogMeIn Kernel Information Provider;c:\documents and settings\ernest\desktop\logmein\x86\rainfo.sys [2008-2-28 12856]
R4 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2008-8-4 45848]
R4 Nero BackItUp Scheduler 4.0;Nero BackItUp Scheduler 4.0;c:\program files\common files\nero\nero backitup 4\NBService.exe [2008-9-24 935208]
R4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2008-5-17 24652]
S0 mcwudqmf;mcwudqmf;c:\windows\system32\drivers\zymduibe.sys []
S3 CoachVid;CoachVid;c:\windows\system32\drivers\CoachVid.sys [2008-7-2 45344]
S3 libusb0;LibUsb-Win32 - Kernel Driver 11/20/2005, 20051120;c:\windows\system32\drivers\libusb0.sys [2008-6-4 29184]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]

=============== Created Last 30 ================

2009-01-15 17:01 <DIR> --d----- c:\program files\Eusing Free Registry Cleaner
2009-01-15 16:55 <DIR> --d----- c:\program files\CleanMyPC
2009-01-15 16:32 127,488 a------- c:\windows\system32\xpbgso.dll
2009-01-15 16:32 127,488 a------- c:\windows\system32\uuxpitpy.dll
2009-01-15 16:29 1,375,225 ---sh--- c:\windows\system32\puwcjyei.ini
2009-01-15 16:29 82,432 a------- c:\windows\system32\ieyjcwup.dll
2009-01-15 16:26 40,960 a------- c:\windows\system32\rbwnrlrl.dll
2009-01-15 00:29 1,657,645 a--sh--- c:\windows\system32\HknTwGgh.ini2
2009-01-15 00:28 1,657,645 a--sh--- c:\windows\system32\HknTwGgh.ini
2009-01-14 23:28 161,792 a------- c:\windows\SWREG.exe
2009-01-14 23:28 98,816 a------- c:\windows\sed.exe
2009-01-14 23:19 3,039,899 a----r-- C:\ComboFix.exe
2009-01-14 19:43 <DIR> --d----- C:\VundoFix Backups
2009-01-14 16:41 24,064 a------- c:\windows\system32\pcload.exe
2009-01-14 16:32 2,204 a------- c:\windows\mcwudqmf
2009-01-11 01:19 <DIR> --d----- c:\program files\Bonjour
2009-01-11 01:06 <DIR> --d----- c:\program files\common files\Macrovision Shared
2009-01-09 19:34 <DIR> --d----- c:\program files\DivX
2009-01-05 14:27 3,850,760 a------- c:\windows\system32\d3dx9_38.dll
2009-01-01 19:54 <DIR> --d----- c:\documents and settings\ernest\dwhelper
2008-12-31 12:37 <DIR> --d----- c:\program files\Total Video Converter
2008-12-22 22:43 29,480 a------- c:\windows\system32\msxml3a.dll
2008-12-22 19:29 <DIR> --d----- c:\program files\BitTorrent

==================== Find3M ====================

2008-12-22 22:43 505,128 a------- c:\windows\system32\msvcp71.dll
2008-12-22 22:43 353,576 a------- c:\windows\system32\msvcr71.dll
2008-12-10 19:33 200,704 a------- c:\windows\system32\dtu100.dll
2008-12-10 19:33 86,016 a------- c:\windows\system32\dpl100.dll
2008-11-26 20:03 138,624 a------- c:\windows\system32\drivers\PnkBstrK.sys
2008-11-26 20:03 202,352 a------- c:\windows\system32\PnkBstrB.exe
2008-11-25 15:39 66,872 a------- c:\windows\system32\PnkBstrA.exe
2008-11-10 05:43 410,984 a------- c:\windows\system32\deploytk.dll
2008-07-07 15:27 73,784 a------- c:\docume~1\ernest\applic~1\GDIPFONTCACHEV1.DAT

============= FINISH: 21:11:00.82 ===============

#2 mav253

mav253
  • Topic Starter

  • Members
  • 26 posts

Posted 19 January 2009 - 02:41 PM

NEW LOG

I ran Malwarebytes and cleaned the virus. I think it got it all, but I'm not sure. Is it all gone?

HIJACKTHIS LOG

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:40:49 PM, on 1/19/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Ulead Systems\AutoDetector\monitor.exe
C:\Documents and Settings\Ernest\Desktop\logmein\x86\LogMeInSystray.exe
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Documents and Settings\Ernest\Desktop\logmein\x86\LMIGuardian.exe
C:\Program Files\DNA\btdna.exe
C:\Program Files\Vidalia Bundle\Privoxy\privoxy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Ernest\Desktop\virus tools\Ernest.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local;*.local
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: {f95c0650-8bce-b558-9324-b89f337bb77d} - {d77bb733-f98b-4239-855b-ecb80560c59f} - (no file)
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: RefresherBand Class - {B24BA06E-FB7B-4757-95C2-DC01125F750E} - C:\PROGRA~1\YREFRE~1\YREFRE~1.DLL
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [UVS10 Preload] C:\Program Files\Ulead Systems\Ulead VideoStudio SE\uvPL.exe
O4 - HKLM\..\Run: [Ulead AutoDetector v2] C:\Program Files\Common Files\Ulead Systems\AutoDetector\monitor.exe
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Documents and Settings\Ernest\Desktop\logmein\x86\LogMeInSystray.exe"
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Privoxy.lnk = C:\Program Files\Vidalia Bundle\Privoxy\privoxy.exe
O8 - Extra context menu item: Add all items to the auction list - res://C:\Program Files\RKD\AuctionNavigator\BidCtxtClick.dll/202
O8 - Extra context menu item: Add this item to the auction list - res://C:\Program Files\RKD\AuctionNavigator\BidCtxtClick.dll/201
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1211065540434
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1211065532043
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O20 - AppInit_DLLs: eznfvb.dll izsqbv.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\ekrn.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Nero BackItUp Scheduler 4.0 - Nero AG - C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 7532 bytes

Edited by mav253, 19 January 2009 - 02:56 PM.


#3 Thunder

Thunder

  • Members
  • 3,294 posts
  • Gender:Male
  • Location:Belgium

Posted 22 January 2009 - 05:34 PM

Hello Mav253,

I don't think everything is gone yet.

Please read this tutorial (http://www.bleepingcomputer.com/combofix/how-to-use-combofix) carefully to download ComboFix from one of the locations specified, and save it to your Desktop.
Double click the ComboFix icon to run it.
If ComboFix asks you to install the Recovery Console, please do so.
The Windows Recovery Console will allow you to boot up into a special recovery mode, in case your computer has a problem after an attempted removal of malware. This allows us to help you.
Once the Recovery Console is installed, continue with the malware scan.

Note: Make sure not to click ComboFix's window while it's running. That may cause it to stall or freeze.

Please post the log from ComboFix (can also be found as C:\ComboFix.txt) in your next reply.

If you have any questions along the way, STOP and ask them before proceeding !!

Please post back with the ComboFix log.

Greetings,
Thunder
Whatever happens, make believe it was intended to ...

#4 mav253

mav253
  • Topic Starter

  • Members
  • 26 posts

Posted 23 January 2009 - 04:05 PM

Here is my Log

ComboFix 09-01-21.04 - Ernest 2009-01-23 15:56:05.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.503.195 [GMT -5:00]
Running from: c:\documents and settings\Ernest\Desktop\ComboFix.exe
AV: ESET Smart Security 3.0 *On-access scanning disabled* (Updated)
FW: ESET Personal firewall *disabled*
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\windows\system32\uuxpitpy.dll
c:\windows\system32\xpbgso.dll
c:\windows\Tasks\oehzvvpl.job

----- BITS: Possible infected sites -----

hxxp://maxpower1.fileave.com
.
((((((((((((((((((((((((( Files Created from 2008-12-23 to 2009-01-23 )))))))))))))))))))))))))))))))
.

2009-01-20 22:13 . 2009-01-20 22:14 <DIR> d-------- c:\program files\iTunes
2009-01-20 22:13 . 2009-01-20 22:13 <DIR> d-------- c:\program files\iPod
2009-01-20 22:13 . 2009-01-20 22:14 <DIR> d-------- c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2009-01-20 21:58 . 2009-01-20 21:58 54,156 --ah----- c:\windows\QTFont.qfn
2009-01-20 21:58 . 2009-01-20 21:58 1,409 --a------ c:\windows\QTFont.for
2009-01-19 15:37 . 2009-01-19 15:37 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2009-01-19 15:37 . 2009-01-19 18:14 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-01-19 14:31 . 2009-01-19 14:31 <DIR> d-------- C:\rsit
2009-01-19 13:47 . 2009-01-19 13:47 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-01-19 13:47 . 2009-01-19 13:47 <DIR> d-------- c:\documents and settings\Ernest\Application Data\Malwarebytes
2009-01-19 13:47 . 2009-01-19 13:47 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-01-19 13:47 . 2009-01-14 16:11 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-19 13:47 . 2009-01-14 16:11 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-01-19 12:02 . 2009-01-19 12:02 <DIR> d-------- C:\!KillBox
2009-01-17 16:09 . 2009-01-17 16:09 <DIR> d-------- c:\documents and settings\Ernest\Application Data\Ahead
2009-01-17 16:05 . 2003-03-29 15:45 89,184 --a------ c:\windows\system32\drivers\imagedrv.sys
2009-01-17 16:05 . 2003-09-15 13:56 57,344 --a------ c:\windows\system32\ImageDrive.cpl
2009-01-17 16:04 . 2009-01-17 16:04 <DIR> d-------- c:\program files\Common Files\Ahead
2009-01-17 16:04 . 2009-01-17 16:05 <DIR> d-------- c:\program files\Ahead
2009-01-17 16:04 . 2001-07-06 13:41 569,344 --a------ c:\windows\system32\imagr5.dll
2009-01-17 16:04 . 2001-07-06 11:44 544,768 --a------ c:\windows\system32\imagx5.dll
2009-01-17 16:04 . 2001-07-06 17:24 283,920 --a------ c:\windows\system32\ImagXpr5.dll
2009-01-17 16:04 . 2001-07-09 10:50 155,648 --a------ c:\windows\system32\NeroCheck.exe
2009-01-17 16:04 . 2001-06-26 07:15 38,912 --a------ c:\windows\system32\picn20.dll
2009-01-16 21:17 . 2009-01-16 21:17 <DIR> d-------- c:\windows\cfig
2009-01-15 17:01 . 2009-01-15 17:08 <DIR> d-------- c:\program files\Eusing Free Registry Cleaner
2009-01-15 16:55 . 2009-01-15 16:55 <DIR> d-------- c:\program files\CleanMyPC
2009-01-14 22:23 . 2009-01-14 22:23 <DIR> d-------- c:\documents and settings\Administrator
2009-01-14 19:43 . 2009-01-14 19:43 <DIR> d-------- C:\VundoFix Backups
2009-01-14 16:32 . 2009-01-19 14:24 2,204 --a------ c:\windows\mcwudqmf
2009-01-11 01:22 . 2009-01-11 01:22 <DIR> d-------- c:\documents and settings\All Users\Application Data\FLEXnet
2009-01-11 01:19 . 2009-01-20 22:18 <DIR> d-------- c:\program files\Bonjour
2009-01-11 01:06 . 2009-01-11 01:06 <DIR> d-------- c:\program files\Common Files\Macrovision Shared
2009-01-09 23:30 . 2009-01-10 10:56 <DIR> d-------- c:\documents and settings\Ernest\Application Data\DivX
2009-01-09 19:34 . 2009-01-16 15:32 <DIR> d-------- c:\program files\DivX
2009-01-05 14:27 . 2008-05-30 14:11 3,850,760 --a------ c:\windows\system32\d3dx9_38.dll
2009-01-01 19:54 . 2009-01-01 19:57 <DIR> d-------- c:\documents and settings\Ernest\dwhelper
2008-12-31 12:37 . 2009-01-08 21:28 <DIR> d-------- c:\program files\Total Video Converter

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-23 20:59 --------- d-----w c:\program files\DNA
2009-01-23 20:59 --------- d-----w c:\documents and settings\Ernest\Application Data\DNA
2009-01-21 03:12 --------- d-----w c:\program files\QuickTime
2009-01-17 21:04 --------- d-----w c:\documents and settings\Ernest\Application Data\uTorrent
2009-01-15 21:59 --------- d---a-w c:\documents and settings\All Users\Application Data\Temp
2009-01-14 23:50 --------- d-----w c:\program files\Tickerbar
2009-01-14 20:22 --------- d-----w c:\program files\Apple Software Update
2009-01-14 01:00 --------- d-----w c:\documents and settings\Ernest\Application Data\BitTorrent
2009-01-11 06:19 --------- d-----w c:\program files\Common Files\Adobe
2009-01-09 02:29 --------- d-----w c:\program files\Ad-Aware SE Personal
2009-01-09 02:28 --------- d-----w c:\program files\America's Army Deploy Client
2009-01-09 01:32 --------- d-----w c:\documents and settings\Ernest\Application Data\Canneverbe_Limited
2009-01-09 01:32 --------- d-----w c:\documents and settings\Ernest\Application Data\Apple Computer
2009-01-09 01:32 --------- d-----w c:\documents and settings\Ernest\Application Data\acccore
2009-01-02 17:37 --------- d-----w c:\documents and settings\Ernest\Application Data\U3
2008-12-23 03:47 --------- d-----w c:\documents and settings\Ernest\Application Data\CyberLink
2008-12-23 03:47 --------- d-----w c:\documents and settings\All Users\Application Data\CyberLink
2008-12-23 03:45 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-23 03:43 505,128 ----a-w c:\windows\system32\msvcp71.dll
2008-12-23 03:43 353,576 ----a-w c:\windows\system32\msvcr71.dll
2008-12-23 03:43 29,480 ----a-w c:\windows\system32\msxml3a.dll
2008-12-23 00:30 --------- d-----w c:\program files\BitTorrent
2008-12-21 01:47 --------- d-----w c:\program files\Java
2008-12-13 03:03 --------- d-----w c:\program files\Photobleepet
2008-12-13 02:57 --------- d-----w c:\program files\Clipdiary
2008-12-12 16:18 87,336 ----a-w c:\windows\system32\dns-sd.exe
2008-12-12 16:11 61,440 ----a-w c:\windows\system32\dnssd.dll
2008-12-11 00:33 86,016 ----a-w c:\windows\system32\dpl100.dll
2008-12-11 00:33 200,704 ----a-w c:\windows\system32\dtu100.dll
2008-12-05 20:28 --------- d-----w c:\program files\AIM6
2008-12-05 20:27 --------- d-----w c:\documents and settings\All Users\Application Data\Viewpoint
2008-12-05 20:27 --------- d-----w c:\documents and settings\All Users\Application Data\acccore
2008-12-05 20:26 --------- d-----w c:\documents and settings\All Users\Application Data\AOL Downloads
2008-11-30 03:47 --------- d-----w c:\documents and settings\Ernest\Application Data\Orbit
2008-11-27 01:03 202,352 ----a-w c:\windows\system32\PnkBstrB.exe
2008-11-27 01:03 138,624 ----a-w c:\windows\system32\drivers\PnkBstrK.sys
2008-11-25 20:39 66,872 ----a-w c:\windows\system32\PnkBstrA.exe
2008-11-10 10:43 410,984 ----a-w c:\windows\system32\deploytk.dll
2008-07-07 20:27 73,784 ----a-w c:\documents and settings\Ernest\Application Data\GDIPFONTCACHEV1.DAT
2008-02-28 18:30 8,784 ----a-w c:\program files\mozilla firefox\plugins\ractrlkeyhook.dll
2008-02-28 18:33 245,408 ----a-w c:\program files\mozilla firefox\plugins\unicows.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="c:\program files\AIM6\aim6.exe" [2008-10-31 50480]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2008-09-16 5724184]
"BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2008-12-20 342848]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-07-07 2156368]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-11-03 98304]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-11-03 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-11-03 118784]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"UVS10 Preload"="c:\program files\Ulead Systems\Ulead VideoStudio SE\uvPL.exe" [2006-08-09 36864]
"Ulead AutoDetector v2"="c:\program files\Common Files\Ulead Systems\AutoDetector\monitor.exe" [2004-11-26 90112]
"LogMeIn GUI"="c:\documents and settings\Ernest\Desktop\logmein\x86\LogMeInSystray.exe" [2008-02-28 63048]
"egui"="c:\program files\ESET\ESET Smart Security\egui.exe" [2007-12-21 1443072]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-11-10 136600]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-11-04 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2005-01-07 c:\windows\system32\HdAShCut.exe]
"SoundMan"="SOUNDMAN.EXE" [2006-07-21 c:\windows\SoundMan.exe]
"AlcWzrd"="ALCWZRD.EXE" [2006-05-04 c:\windows\alcwzrd.exe]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]
Privoxy.lnk - c:\program files\Vidalia Bundle\Privoxy\privoxy.exe [2006-11-20 250368]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2008-05-28 11:32 87352 c:\windows\system32\LMIinit.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=eznfvb.dll izsqbv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.dvacm"= c:\progra~1\COMMON~1\ULEADS~1\Vio\Dvacm.acm
"msacm.MPEGacm"= c:\progra~1\COMMON~1\ULEADS~1\MPEG\MPEGacm.acm
"msacm.ulmp3acm"= c:\progra~1\COMMON~1\ULEADS~1\MPEG\ulmp3acm.acm

[HKLM\~\startupfolder\C:^Documents and Settings^Ernest^Start Menu^Programs^Startup^Cashfiesta.lnk]
backup=c:\windows\pss\Cashfiesta.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
--a------ 2008-10-31 14:22 50480 c:\program files\AIM6\aim6.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\TightVNC\\WinVNC.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

R3 radpms;Driver for RADPMS Device;c:\windows\system32\drivers\radpms.sys [2008-02-28 12192]
R4 ekrn;Eset Service;c:\program files\ESET\ESET Smart Security\ekrn.exe [2007-12-21 468224]
R4 LMIInfo;LogMeIn Kernel Information Provider;c:\documents and settings\Ernest\Desktop\logmein\x86\rainfo.sys [2008-02-28 12856]
R4 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2008-08-04 45848]
R4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2008-05-17 24652]
S3 CoachVid;CoachVid;c:\windows\system32\drivers\CoachVid.sys [2008-07-02 45344]
S3 libusb0;LibUsb-Win32 - Kernel Driver 11/20/2005, 20051120;c:\windows\system32\drivers\libusb0.sys [2008-06-04 29184]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]
.
Contents of the 'Scheduled Tasks' folder

2009-01-22 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]
.
- - - - ORPHANS REMOVED - - - -

BHO-{d77bb733-f98b-4239-855b-ecb80560c59f} - (no file)


.
------- Supplementary Scan -------
.
uStart Page = hxxp://google.com/
uInternet Settings,ProxyOverride = local;*.local
IE: Add all items to the auction list - c:\program files\RKD\AuctionNavigator\BidCtxtClick.dll/202
IE: Add this item to the auction list - c:\program files\RKD\AuctionNavigator\BidCtxtClick.dll/201
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office10\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Ernest\Application Data\Mozilla\Firefox\Profiles\vhmzrbj8.default\
FF - prefs.js: browser.search.selectedEngine - Winzy
FF - prefs.js: browser.startup.homepage - hxxp://google.com/
FF - component: c:\documents and settings\Ernest\Application Data\Mozilla\Firefox\Profiles\vhmzrbj8.default\extensions\{D02B1E87-A8C6-433f-9B5C-2CEC4A072736}\components\susfox3.dll
FF - plugin: c:\documents and settings\Ernest\Application Data\Mozilla\Firefox\Profiles\vhmzrbj8.default\extensions\LogMeInClient@logmein.com\plugins\npRACtrl.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npRACtrl.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-23 15:59:08
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(800)
c:\windows\system32\LMIinit.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Nero\Nero BackItUp 4\NBService.exe
c:\windows\system32\PnkBstrA.exe
c:\program files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
c:\documents and settings\Ernest\Desktop\logmein\x86\LMIGuardian.exe
c:\program files\AIM6\aolsoftware.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Windows Live\Messenger\usnsvc.exe
.
**************************************************************************
.
Completion time: 2009-01-23 16:02:22 - machine was rebooted
ComboFix-quarantined-files.txt 2009-01-23 21:02:16
ComboFix2.txt 2009-01-15 05:31:34

Pre-Run: 105,412,116,480 bytes free
Post-Run: 105,519,726,592 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

239 --- E O F --- 2008-05-18 15:51:24

#5 Thunder

Thunder

  • Members
  • 3,294 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Belgium
  • Local time:12:51 PM

Posted 23 January 2009 - 08:09 PM

Hello Mav253,

Let's clean up some more :

Open Notepad - don't use any other text editor than Notepad or the script will fail!
Copy/paste the bold, blue text below into an empty Notepad window:

File::
c:\windows\mcwudqmf
Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=""

Save this as a text file named CFScript.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

[screenshot: CFScript being dragged onto ComboFix.exe]

This will start ComboFix again. After the reboot (in case it asks to reboot), post the contents of the ComboFix log in your next reply, as well as a fresh DDS log.

Your Java VM is also out of date. Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove the older-version Java components and update.

Updating Java:
  • Download the latest version of Java SE Runtime Environment (JRE) 6 Update 11.
  • Scroll down to where it says The Java SE Runtime Environment (JRE) allows end-users to run Java applications.
  • Click the Download button to the right.
  • Check the box that says: Accept License Agreement
  • The page will refresh.
  • Click on the link to download Windows Offline Installation (jre-6u11-windows-i586-p.exe) and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u11-windows-i586-p.exe to install the newest version.
I see you have Viewpoint installed...
Viewpoint Manager is considered foistware rather than malware, since it is installed without the user's approval but doesn't spy or do anything "bad". This will change from what we know in 2006; read this article: http://www.clickz.com/news/article.php/3561546
I suggest you remove the program now. Go to Start > Settings > Control Panel > Add/Remove Programs and remove the following programs if present.
  • Viewpoint
  • Viewpoint Manager
  • Viewpoint Media Player
Still having problems?

Greetings,
Thunder
Whatever happens, make believe it was intended to ...
-----------------------------------------------------------------------
If I have helped you in any way, please consider a donation to help me continue the fight against malware.
-----------------------------------------------------------------------
Stand Up & Be Counted - And make a difference
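The CFScript above clears the AppInit_DLLs value that ComboFix reported loading two random-named DLLs, alongside a log that also showed Security Center notifications suppressed and the firewall switched off. As an added example (not part of the thread, and not ComboFix's own code), this Python snippet parses a ComboFix-style registry dump and flags those three persistence and defence-evasion indicators; the sample dump is constructed from the entries quoted in this thread, and the key-name suffixes it matches on are the ones that appear in that log.

```python
from typing import Dict, List

# Constructed sample, modelled on the registry section of the ComboFix log
# quoted earlier in this thread (abridged, not the full log).
SAMPLE_DUMP = r"""[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=eznfvb.dll izsqbv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"""


def parse_registry_dump(text: str) -> Dict[str, Dict[str, str]]:
    """Turn a ComboFix-style dump into {key_path (lowercased): {value_name: raw_value}}.

    Keys are the [bracketed] lines; values are the "name"=data lines below them.
    """
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys[current] = {}
        elif current is not None and line.startswith('"'):
            name, _, value = line.partition("=")
            keys[current][name.strip('"')] = value.strip()
    return keys


def flag_findings(keys: Dict[str, Dict[str, str]]) -> List[str]:
    """Return human-readable findings for the indicators seen in this thread."""
    findings: List[str] = []
    for path, values in keys.items():
        if path.endswith("\\currentversion\\windows"):
            # AppInit_DLLs is loaded into every process that maps user32.dll,
            # so any DLL listed here runs inside the browser, explorer, etc.
            # An empty value (the state the CFScript leaves behind) yields nothing.
            for dll in values.get("AppInit_DLLs", "").strip('"').split():
                findings.append(f"AppInit_DLLs loads {dll}")
        if path.endswith("\\security center"):
            # dword:00000001 here silences the XP Security Center warnings that
            # would otherwise tell the user AV or updates are off.
            for name in ("AntiVirusDisableNotify", "UpdatesDisableNotify",
                         "FirewallDisableNotify"):
                if values.get(name, "").lower().endswith("00000001"):
                    findings.append(f"Security Center notification suppressed: {name}")
        if path.endswith("firewallpolicy\\standardprofile"):
            # ComboFix prints the value as "0 (0x0)"; a leading 0 means disabled.
            if values.get("EnableFirewall", "").startswith("0"):
                findings.append("Windows Firewall disabled in standard profile")
    return findings


if __name__ == "__main__":
    for finding in flag_findings(parse_registry_dump(SAMPLE_DUMP)):
        print(finding)
```

Running it against the sample prints five findings; feeding it the post-fix state (AppInit_DLLs set to "") reports nothing for that key.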

#6 mav253

mav253
  • Topic Starter

  • Members
  • 26 posts
  • OFFLINE
  •  
  • Local time:06:51 AM

Posted 23 January 2009 - 09:33 PM

Everything seems to be fine. Thank you for your help. :thumbsup:

My DDS log:

DDS (Ver_09-01-19.01) - NTFSx86
Run by Ernest at 21:28:31.81 on Fri 01/23/2009
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.503.91 [GMT -5:00]

AV: ESET Smart Security 3.0 *On-access scanning disabled* (Updated)
FW: ESET Personal firewall *disabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\ALCWZRD.EXE
C:\Program Files\Common Files\Ulead Systems\AutoDetector\monitor.exe
C:\Documents and Settings\Ernest\Desktop\logmein\x86\LogMeInSystray.exe
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\Documents and Settings\Ernest\Desktop\logmein\x86\LMIGuardian.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\DNA\btdna.exe
C:\Program Files\Vidalia Bundle\Privoxy\privoxy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Ernest\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://google.com/
uInternet Settings,ProxyOverride = local;*.local
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: RefresherBand Class: {b24ba06e-fb7b-4757-95c2-dc01125f750e} - c:\progra~1\yrefre~1\YREFRE~1.DLL
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [Aim6] "c:\program files\aim6\aim6.exe" /d locale=en-US ee://aol/imApp
uRun: [MsnMsgr] "c:\program files\windows live\messenger\MsnMsgr.Exe" /background
uRun: [BitTorrent DNA] "c:\program files\dna\btdna.exe"
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [High Definition Audio Property Page Shortcut] HDAShCut.exe
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [AlcWzrd] ALCWZRD.EXE
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [UVS10 Preload] c:\program files\ulead systems\ulead videostudio se\uvPL.exe
mRun: [Ulead AutoDetector v2] c:\program files\common files\ulead systems\autodetector\monitor.exe
mRun: [LogMeIn GUI] "c:\documents and settings\ernest\desktop\logmein\x86\LogMeInSystray.exe"
mRun: [egui] "c:\program files\eset\eset smart security\egui.exe" /hide /waitservice
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\privoxy.lnk - c:\program files\vidalia bundle\privoxy\privoxy.exe
dPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
IE: Add all items to the auction list - c:\program files\rkd\auctionnavigator\BidCtxtClick.dll/202
IE: Add this item to the auction list - c:\program files\rkd\auctionnavigator\BidCtxtClick.dll/201
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office10\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1211065540434
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1211065532043
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Notify: igfxcui - igfxdev.dll
Notify: LMIinit - LMIinit.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\ernest\applic~1\mozilla\firefox\profiles\vhmzrbj8.default\
FF - prefs.js: browser.search.selectedEngine - Winzy
FF - prefs.js: browser.startup.homepage - hxxp://google.com/
FF - component: c:\documents and settings\ernest\application data\mozilla\firefox\profiles\vhmzrbj8.default\extensions\{d02b1e87-a8c6-433f-9b5c-2cec4a072736}\components\susfox3.dll
FF - plugin: c:\documents and settings\ernest\application data\mozilla\firefox\profiles\vhmzrbj8.default\extensions\logmeinclient@logmein.com\plugins\npRACtrl.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npRACtrl.dll

============= SERVICES / DRIVERS ===============

R3 radpms;Driver for RADPMS Device;c:\windows\system32\drivers\radpms.sys [2008-2-28 12192]
R4 ekrn;Eset Service;c:\program files\eset\eset smart security\ekrn.exe [2007-12-21 468224]
R4 LMIInfo;LogMeIn Kernel Information Provider;c:\documents and settings\ernest\desktop\logmein\x86\rainfo.sys [2008-2-28 12856]
R4 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2008-8-4 45848]
R4 Nero BackItUp Scheduler 4.0;Nero BackItUp Scheduler 4.0;c:\program files\common files\nero\nero backitup 4\NBService.exe [2008-9-24 935208]
S3 CoachVid;CoachVid;c:\windows\system32\drivers\CoachVid.sys [2008-7-2 45344]
S3 libusb0;LibUsb-Win32 - Kernel Driver 11/20/2005, 20051120;c:\windows\system32\drivers\libusb0.sys [2008-6-4 29184]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]

=============== Created Last 30 ================

2009-01-23 15:55 <DIR> a-dshr-- C:\cmdcons
2009-01-20 22:13 <DIR> --d----- c:\program files\iPod
2009-01-20 22:13 <DIR> --d----- c:\program files\iTunes
2009-01-20 22:13 <DIR> --d----- c:\docume~1\alluse~1\applic~1\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2009-01-20 21:58 1,409 a------- c:\windows\QTFont.for
2009-01-20 21:58 54,156 a---h--- c:\windows\QTFont.qfn
2009-01-19 15:37 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-01-19 15:37 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-01-19 13:47 <DIR> --d----- c:\docume~1\ernest\applic~1\Malwarebytes
2009-01-19 13:47 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-01-19 13:47 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-19 13:47 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-01-19 13:47 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-01-19 12:02 <DIR> --d----- C:\!KillBox
2009-01-17 16:05 89,184 a------- c:\windows\system32\drivers\imagedrv.sys
2009-01-17 16:05 57,344 a------- c:\windows\system32\ImageDrive.cpl
2009-01-17 16:04 38,912 a------- c:\windows\system32\picn20.dll
2009-01-17 16:04 569,344 a------- c:\windows\system32\imagr5.dll
2009-01-17 16:04 544,768 a------- c:\windows\system32\imagx5.dll
2009-01-17 16:04 283,920 a------- c:\windows\system32\ImagXpr5.dll
2009-01-17 16:04 155,648 a------- c:\windows\system32\NeroCheck.exe
2009-01-16 21:17 <DIR> --d----- c:\windows\cfig
2009-01-15 17:01 <DIR> --d----- c:\program files\Eusing Free Registry Cleaner
2009-01-15 16:55 <DIR> --d----- c:\program files\CleanMyPC
2009-01-14 23:28 161,792 a------- c:\windows\SWREG.exe
2009-01-14 23:28 98,816 a------- c:\windows\sed.exe
2009-01-14 19:43 <DIR> --d----- C:\VundoFix Backups
2009-01-11 01:19 <DIR> --d----- c:\program files\Bonjour
2009-01-11 01:06 <DIR> --d----- c:\program files\common files\Macrovision Shared
2009-01-09 19:34 <DIR> --d----- c:\program files\DivX
2009-01-05 14:27 3,850,760 a------- c:\windows\system32\d3dx9_38.dll
2009-01-01 19:54 <DIR> --d----- c:\documents and settings\ernest\dwhelper
2008-12-31 12:37 <DIR> --d----- c:\program files\Total Video Converter

==================== Find3M ====================

2008-12-22 22:43 505,128 a------- c:\windows\system32\msvcp71.dll
2008-12-22 22:43 353,576 a------- c:\windows\system32\msvcr71.dll
2008-12-22 22:43 29,480 a------- c:\windows\system32\msxml3a.dll
2008-12-12 11:18 87,336 a------- c:\windows\system32\dns-sd.exe
2008-12-12 11:11 61,440 a------- c:\windows\system32\dnssd.dll
2008-12-10 19:33 200,704 a------- c:\windows\system32\dtu100.dll
2008-12-10 19:33 86,016 a------- c:\windows\system32\dpl100.dll
2008-11-26 20:03 138,624 a------- c:\windows\system32\drivers\PnkBstrK.sys
2008-11-26 20:03 202,352 a------- c:\windows\system32\PnkBstrB.exe
2008-11-25 15:39 66,872 a------- c:\windows\system32\PnkBstrA.exe
2008-11-10 05:43 410,984 a------- c:\windows\system32\deploytk.dll
2008-07-07 15:27 73,784 a------- c:\docume~1\ernest\applic~1\GDIPFONTCACHEV1.DAT

============= FINISH: 21:28:44.64 ===============

#7 Thunder

Thunder

  • Members
  • 3,294 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Belgium
  • Local time:12:51 PM

Posted 24 January 2009 - 03:33 PM

Hello Mav253,

You can remove all used tools and folders created in the process.
To remove ComboFix :
Go to Start > Run, and copy and paste the next command in the field:

ComboFix /u

Make sure there's a space between ComboFix and /u, then press Enter.
This will uninstall ComboFix, delete its related folders and files, restore your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

No more issues?

Greetings,
Thunder

#8 mav253

mav253
  • Topic Starter

  • Members
  • 26 posts
  • OFFLINE
  •  
  • Local time:06:51 AM

Posted 25 January 2009 - 07:04 PM

No, no more problems. Thanks

:thumbsup:

#9 Thunder

Thunder

  • Members
  • 3,294 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Belgium
  • Local time:12:51 PM

Posted 26 January 2009 - 05:05 AM

Glad we could help, Mav253 :thumbsup:

Please read this Prevention page with lots of info and tips on how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here.
Extra note: Make sure your programs are up to date, because older versions may contain security leaks.
To find out which programs need to be updated, please run the Secunia Software Inspector Scan.

Please also read Tony Klein's excellent article: How I got Infected in the First Place
and/or Grinler's tutorial on how malware is hidden and installed.

Since this issue appears resolved ... this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
