I Had Virtumonde..Dont Know If Its Gone Completely


7 replies to this topic

#1 southsd (Members, 5 posts)

Posted 11 February 2009 - 12:45 AM

I had the virus and scanned with Spybot and Ad-Aware; it deleted some files, and some of the files didn't delete, so I deleted some files in the system32 folder. I also had a lot of files with (2) or (3) at the end of .dll files; I also deleted those.

DDS FILE:

DDS (Ver_09-02-01.01) - NTFSx86
Run by Edna at 20:31:14.43 on Tue 02/10/2009
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.351.170 [GMT -8:00]

AV: Kaspersky Anti-Virus *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Documents and Settings\All Users\Start Menu\dds.scr

============== Pseudo HJT Report ===============

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}&ie={inputEncoding}&oe={outputEncoding}&startIndex={startIndex?}&startPage={startPage}
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = local;*.local
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
mWinlogon: UIHost=c:\windows\system32\logonuiX.exe
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
TB: {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - No File
mRun: [AVP] "c:\program files\kaspersky lab\kaspersky anti-virus 7.0\avp.exe"
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\jp2iexp.dll
IE: {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - {85E0B171-04FA-11D1-B7DA-00A0C90348D6} - c:\program files\kaspersky lab\kaspersky anti-virus 7.0\SCIEPlgn.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
Notify: klogon - c:\windows\system32\klogon.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\edna\applic~1\mozilla\firefox\profiles\2cqpmvsi.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - plugin: c:\program files\mozilla firefox\plugins\npagent.dll

============= SERVICES / DRIVERS ===============

R0 kl1;Kl1;c:\windows\system32\drivers\kl1.sys [2007-10-31 112144]
R1 klif;Klif;c:\windows\system32\drivers\klif.sys [2007-12-19 195344]
R2 AVP;Kaspersky Anti-Virus 7.0;c:\program files\kaspersky lab\kaspersky anti-virus 7.0\avp.exe [2008-2-8 227856]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [2007-12-13 24592]
S2 Par1284;Par1284;\??\c:\program files\flexisign-pro 8.1v1\program\par1284.sys --> c:\program files\flexisign-pro 8.1v1\program\Par1284.sys [?]
S3 aawservice;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\aawservice.exe [2008-9-10 611664]
S3 Ad-Watch Connect Filter;Ad-Watch Connect Kernel Filter;c:\windows\system32\drivers\NSDriver.sys [2007-8-7 15648]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [2007-9-4 17792]
S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [2007-9-4 7680]
S3 motport;Motorola USB Diagnostic Port;c:\windows\system32\drivers\motport.sys [2007-9-4 21504]
S3 SiS630;SiS630;c:\windows\system32\drivers\sis630p.sys [2002-1-8 124928]
S3 USB-100;Compex LinkPort/UE202-B USB To Fast Ethernet Adapter;c:\windows\system32\drivers\UE202B.SYS [2005-5-5 26497]

=============== Created Last 30 ================



2009-02-06 11:09 <DIR> --d----- c:\docume~1\alluse~1\applic~1\NortonInstaller
2009-01-25 21:57 7,680 a------- c:\windows\system32\drivers\RKL4.tmp.sys
2009-01-18 02:18 <DIR> --d----- c:\program files\iPod
2009-01-18 02:17 <DIR> --d----- c:\program files\iTunes
2009-01-18 02:17 <DIR> --d----- c:\docume~1\alluse~1\applic~1\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2009-01-18 02:15 <DIR> --d----- c:\program files\Bonjour
2009-01-18 02:08 32,000 a------- c:\windows\system32\drivers\usbaapl.sys
2009-01-17 23:10 161,792 a------- c:\windows\SWREG.exe
2009-01-17 23:10 98,816 a------- c:\windows\sed.exe
2009-01-17 21:36 410,984 a------- c:\windows\system32\deploytk.dll
2009-01-16 21:58 33,280 ac------ c:\windows\system32\dllcache\rundll32.exe
2009-01-16 21:58 33,280 a------- c:\windows\system32\rundll32.exe
2009-01-16 19:41 155 a------- c:\windows\NeroDigital.ini
2009-01-15 02:01 127,488 -------- c:\windows\system32\drivers\imagesrv.sys
2009-01-15 02:01 5,888 -------- c:\windows\system32\drivers\imagedrv.sys
2009-01-15 02:01 106,496 a------- c:\windows\system32\TwnLib20.dll
2009-01-15 02:01 155,648 a------- c:\windows\system32\NeroCheck.exe
2009-01-13 17:07 333,952 -c------ c:\windows\system32\dllcache\srv.sys

==================== Find3M ====================

2009-02-10 20:31 2,516,000 a--sh--- c:\windows\system32\drivers\fidbox2.dat
2009-02-10 20:31 47,785,504 a--sh--- c:\windows\system32\drivers\fidbox.dat
2009-02-10 14:28 237,968 a--sh--- c:\windows\system32\drivers\fidbox2.idx
2009-02-10 14:27 642,032 a--sh--- c:\windows\system32\drivers\fidbox.idx
2009-02-04 13:18 101,287 a------- c:\windows\system32\drivers\klin.dat
2009-02-04 13:18 89,601 a------- c:\windows\system32\drivers\klick.dat
2009-01-14 16:11 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-14 16:11 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-01-06 00:23 96,384 a------- c:\windows\system32\drivers\sptd1021.sys
2008-12-28 22:42 15,648 a------- c:\windows\system32\drivers\NSDriver.sys
2008-12-28 22:42 15,648 a------- c:\windows\system32\drivers\AWRTRD.sys
2008-12-28 22:42 12,960 a------- c:\windows\system32\drivers\AWRTPD.sys
2008-12-24 00:21 36 a------- c:\program files\New Text Document.txt
2006-10-31 18:51 5,632 a--sh--- c:\program files\Thumbs.db
2005-08-23 02:08 133,342 a------- c:\program files\Speaker.ico
1998-10-23 23:00 700 ac-sh--- c:\windows\mk79vx928341.drv
1998-10-23 23:00 700 ac-sh--- c:\windows\mx3vdl2399726.drv
1998-10-23 23:00 700 ac-sh--- c:\windows\vzm9dl314539.drv
2005-10-30 21:53 56 ac-shr-- c:\windows\system32\6EE152F162.sys

============= FINISH: 20:33:51.10 ===============



#2 SpotCheckBilly (Members, 81 posts, Twin Cities, MN)

Posted 22 February 2009 - 04:48 PM

Hi southsd,

Welcome to the BleepingComputer forums.

We apologize for the delay in responding to your request for assistance. Every one of our team members is a volunteer and unfortunately, there are often just not enough to keep up with demand. Thank you so much for your patience.

If your issue has been resolved or you have received help elsewhere, please post a reply here and let us know so that we can close this thread.

If you still need assistance, my name is SpotCheckBilly (SCB for short) and I will be happy to help you.

===Very Important===

The instructions in this thread have been specifically designed for THIS USER'S MACHINE ONLY. You should not use these instructions to clean your machine. Doing so could cause irreparable damage to your machine. If you need assistance, please start your own thread.

=================


A few things which will make our fix go more smoothly.
  • Please >>DO NOT<< run any scans/tools or other fixes unless I ask you to.
  • Please DO NOT install any software while we are working.
  • Please do not skip any steps. With some infections, skipping a step can be disastrous.
  • If there is something you don't understand or are unsure of, please stop and take a moment to ask about it.
  • If you are running P2P filesharing program(s), my recommendation is that you uninstall it/them.
  • Remove any cracked/pirated software. I will immediately stop helping you if I discover any.
The most important thing to remember is to be patient. Very seldom can we remove the entire infection in one go. Many of today's infections install other infections and for the most part they do not like to go quietly. :)

From this point on, please DO NOT make any changes, delete any files or do any registry edits unless I ask you to. Doing so may not only cause the cleaning process to be incomplete, you may do irreparable damage to your computer.

Have you made any edits or changes to your DDS log? There are several sections that are unusually short, most noticeably the section which displays your automatic startup entries. If so, please don't do that anymore. In order to effect a complete repair, we need ALL of the information in your log files.

If you're still needing help, please post a fresh HijackThis log. -- SCB :thumbup2:
ChrisRLG's Computer Safety Online

"I was worried 'bout rich and skinny,
'til I wound up poor and fat"
- Delbert McClinton

#3 southsd (Topic Starter, Members, 5 posts)

Posted 24 February 2009 - 02:19 AM

I didn't change the log... here it is again because it looks different now.

DDS (Ver_09-02-01.01) - NTFSx86
Run by Edna at 22:54:44.56 on Mon 02/23/2009
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.351.145 [GMT -8:00]

AV: Kaspersky Anti-Virus *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Documents and Settings\All Users\Start Menu\Programs\Accessories\System Tools\dds.scr

============== Pseudo HJT Report ===============

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}&ie={inputEncoding}&oe={outputEncoding}&startIndex={startIndex?}&startPage={startPage}
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = local;*.local
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
mWinlogon: UIHost=c:\windows\system32\logonuiX.exe
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
mRun: [AVP] "c:\program files\kaspersky lab\kaspersky anti-virus 7.0\avp.exe"
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\jp2iexp.dll
IE: {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - {85E0B171-04FA-11D1-B7DA-00A0C90348D6} - c:\program files\kaspersky lab\kaspersky anti-virus 7.0\SCIEPlgn.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Notify: klogon - c:\windows\system32\klogon.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\edna\applic~1\mozilla\firefox\profiles\2cqpmvsi.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - plugin: c:\program files\mozilla firefox\plugins\npagent.dll

============= SERVICES / DRIVERS ===============

R0 kl1;Kl1;c:\windows\system32\drivers\kl1.sys [2007-10-31 112144]
R1 klif;Klif;c:\windows\system32\drivers\klif.sys [2007-12-19 195344]
R2 AVP;Kaspersky Anti-Virus 7.0;c:\program files\kaspersky lab\kaspersky anti-virus 7.0\avp.exe [2008-2-8 227856]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [2007-12-13 24592]
S3 aawservice;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\aawservice.exe [2008-9-10 611664]
S3 Ad-Watch Connect Filter;Ad-Watch Connect Kernel Filter;c:\windows\system32\drivers\NSDriver.sys [2007-8-7 15648]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [2007-9-4 17792]
S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [2007-9-4 7680]
S3 motport;Motorola USB Diagnostic Port;c:\windows\system32\drivers\motport.sys [2007-9-4 21504]
S3 SiS630;SiS630;c:\windows\system32\drivers\sis630p.sys [2002-1-8 124928]
S3 USB-100;Compex LinkPort/UE202-B USB To Fast Ethernet Adapter;c:\windows\system32\drivers\UE202B.SYS [2005-5-5 26497]

=============== Created Last 30 ================

2009-02-19 14:00 <DIR> --d----- c:\program files\AviSynth 2.5
2009-02-12 23:58 <DIR> --d-h--- c:\program files\Creative Installation Information
2009-02-11 15:01 27,648 -c------ c:\windows\system32\dllcache\jsproxy.dll
2009-02-11 15:01 459,264 -c------ c:\windows\system32\dllcache\msfeeds.dll
2009-02-11 15:01 52,224 -c------ c:\windows\system32\dllcache\msfeedsbs.dll
2009-02-11 15:01 193,024 -c------ c:\windows\system32\dllcache\msrating.dll
2009-02-11 15:01 44,544 -c------ c:\windows\system32\dllcache\iernonce.dll
2009-02-11 15:01 44,544 -c------ c:\windows\system32\dllcache\pngfilt.dll
2009-02-11 15:00 102,912 -c------ c:\windows\system32\dllcache\occache.dll
2009-02-11 15:00 105,984 -c------ c:\windows\system32\dllcache\url.dll
2009-02-11 15:00 267,776 -c------ c:\windows\system32\dllcache\iertutil.dll
2009-02-11 15:00 230,400 -c------ c:\windows\system32\dllcache\ieaksie.dll
2009-02-11 15:00 153,088 -c------ c:\windows\system32\dllcache\ieakeng.dll
2009-02-11 15:00 233,472 -c------ c:\windows\system32\dllcache\webcheck.dll
2009-02-11 15:00 477,696 -c------ c:\windows\system32\dllcache\mshtmled.dll
2009-02-11 14:59 63,488 -c------ c:\windows\system32\dllcache\icardie.dll
2009-02-11 14:59 13,824 -c------ c:\windows\system32\dllcache\ieudinit.exe
2009-02-11 14:59 70,656 -c------ c:\windows\system32\dllcache\ie4uinit.exe
2009-02-11 14:59 383,488 -c------ c:\windows\system32\dllcache\ieapfltr.dll
2009-02-11 14:58 384,512 -c------ c:\windows\system32\dllcache\iedkcs32.dll
2009-02-11 14:58 124,928 -c------ c:\windows\system32\dllcache\advpack.dll
2009-02-11 14:58 347,136 -c------ c:\windows\system32\dllcache\dxtmsft.dll
2009-02-11 14:58 214,528 -c------ c:\windows\system32\dllcache\dxtrans.dll
2009-02-11 14:58 671,232 -c------ c:\windows\system32\dllcache\mstime.dll
2009-02-11 14:58 161,792 -c------ c:\windows\system32\dllcache\ieakui.dll
2009-02-11 14:58 133,120 -c------ c:\windows\system32\dllcache\extmgr.dll
2009-02-11 14:58 2,455,488 -c------ c:\windows\system32\dllcache\ieapfltr.dat
2009-02-11 14:58 991,232 -c------ c:\windows\system32\dllcache\ieframe.dll.mui
2009-02-11 14:58 826,368 -c------ c:\windows\system32\dllcache\wininet.dll
2009-02-11 14:57 1,160,192 -c------ c:\windows\system32\dllcache\urlmon.dll
2009-02-11 14:57 1,831,424 -c------ c:\windows\system32\dllcache\inetcpl.cpl
2009-02-11 14:57 6,066,688 -c------ c:\windows\system32\dllcache\ieframe.dll
2009-02-06 11:09 <DIR> --d----- c:\docume~1\alluse~1\applic~1\NortonInstaller
2009-01-25 21:57 7,680 a------- c:\windows\system32\drivers\RKL4.tmp.sys

==================== Find3M ====================

2009-02-23 22:54 2,560,288 a--sh--- c:\windows\system32\drivers\fidbox2.dat
2009-02-23 22:49 48,903,712 a--sh--- c:\windows\system32\drivers\fidbox.dat
2009-02-23 14:05 242,120 a--sh--- c:\windows\system32\drivers\fidbox2.idx
2009-02-23 14:05 657,032 a--sh--- c:\windows\system32\drivers\fidbox.idx
2009-02-04 13:18 101,287 a------- c:\windows\system32\drivers\klin.dat
2009-02-04 13:18 89,601 a------- c:\windows\system32\drivers\klick.dat
2009-01-17 21:35 410,984 a------- c:\windows\system32\deploytk.dll
2009-01-14 16:11 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-14 16:11 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-01-12 00:51 33,280 a------- c:\windows\system32\rundll32.exe
2009-01-06 00:23 96,384 a------- c:\windows\system32\drivers\sptd1021.sys
2008-12-28 22:42 15,648 a------- c:\windows\system32\drivers\NSDriver.sys
2008-12-28 22:42 15,648 a------- c:\windows\system32\drivers\AWRTRD.sys
2008-12-28 22:42 12,960 a------- c:\windows\system32\drivers\AWRTPD.sys
2008-12-20 15:15 826,368 a------- c:\windows\system32\wininet.dll
2006-10-31 18:51 5,632 a--sh--- c:\program files\Thumbs.db
2005-08-23 02:08 133,342 a------- c:\program files\Speaker.ico
1998-10-23 23:00 700 ac-sh--- c:\windows\mk79vx928341.drv
1998-10-23 23:00 700 ac-sh--- c:\windows\mx3vdl2399726.drv
1998-10-23 23:00 700 ac-sh--- c:\windows\vzm9dl314539.drv
2005-10-30 21:53 56 ac-shr-- c:\windows\system32\6EE152F162.sys

============= FINISH: 22:57:26.16 ===============




-----------HIJACKTHIS LOG-------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:02:25 PM, on 2/23/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local;*.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe

--
End of file - 4087 bytes

#4 SpotCheckBilly (Members, 81 posts, Twin Cities, MN)

Posted 24 February 2009 - 04:39 PM

Hi southsd,

Well, I don't see any signs of Virtumonde in any of your logs. That's the good news. To make sure that no critical system files were deleted while you were removing files from \system32\, you can do the following (have your XP install disk handy):
  • Go to Start=>Run.
  • Type "sfc /scannow" (without the quotes; note the space between the "c" and "/").
  • Click OK.
The computer will scan for and attempt to replace any corrupt system files found. There are backups of some of these files on your PC and Windows will check for a copy here first. NOTE: If you are prompted to insert your Windows XP disc, do so.

For details on the System File Checker, click here. (Thanks Noviciate for the canned speech and the link.)

Just to make sure that the Vundo Trojan (Virtumonde) is completely gone:

Please download Malwarebytes' Anti-Malware to your desktop.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform Quick Scan (Full scan is optional; according to the program's creator, Quick Scan will do just fine).
  • Click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.

If malware is found...
  • Be sure that >>everything is checked<<, and click Remove Selected.
  • When completed, a log will open in Notepad.
  • Please save it to your desktop.
NOTE: Logs can be retrieved at a later date from the Malwarebytes' Anti-Malware main screen:
  • Launch Malwarebytes' Anti-Malware.
  • Click the Logs tab.
  • Double-click log-mm.dd.yyyy [xxxxxx].txt.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

Please post back the results of the Malwarebytes Anti-Malware scan. -- SCB :thumbup2:
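The review SCB describes above (reading through the DDS and HijackThis entries for leftovers) can be partly automated. The following Python script is an added example, not part of this thread and not part of the DDS or HijackThis tools. It parses the entry lines those logs print (HJT's R0/R1, O2, O4, O9, O23 lines and DDS's BHO:/TB:/mRun:/DPF: short forms), flags entries whose file is gone ("No File", as with the toolbar entries in the first DDS log) or whose file lives outside the Windows and Program Files trees, and diffs two logs to show which entries appeared or disappeared between them. The sample lines are copied from the logs in this thread, apart from one constructed "mRun: [example]" entry under a temp folder that is there only to show what the location check reports; the trusted-prefix list assumes a default install on C:.

```python
"""Triage helper for HijackThis and DDS "Pseudo HJT Report" entry lines.

Added example, not part of the thread or of the DDS/HijackThis tools.
Parses the entry lines those logs print, flags entries whose file is
missing ("No File") or lives outside the Windows / Program Files trees,
and diffs two logs so you can see which entries came and went.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Where startup/BHO/service binaries normally live on a default C: install
# (assumption). Lower-cased; DOS 8.3 aliases included because DDS prints them.
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\progra~1\\")

HJT_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<rest>.+)$")
DDS_RE = re.compile(r"^(?P<kind>BHO|TB|mRun|uRun|DPF|Notify|SSODL): (?P<rest>.+)$")
PATH_RE = re.compile(r'"?(?P<p>[a-z]:\\[^"\r\n]+?\.(?:exe|dll|sys|scr|cab|cpl))"?', re.IGNORECASE)
CLSID_RE = re.compile(r"\{[0-9a-f-]{36}\}", re.IGNORECASE)


@dataclass(frozen=True)
class Entry:
    kind: str             # "O2", "O23", "TB", "mRun", ...
    label: str            # name, registry key or CLSID
    path: Optional[str]   # lower-cased file the entry points at, or None
    orphan: bool          # the log says "No File" for this entry


def parse_entry(line: str) -> Optional[Entry]:
    """Turn one HJT/DDS entry line into an Entry; headers and other text give None."""
    m = HJT_RE.match(line) or DDS_RE.match(line)
    if not m:
        return None
    kind, rest = m.group("kind"), m.group("rest")
    pm = PATH_RE.search(rest)
    path = pm.group("p").lower() if pm else None
    # Label = text before the file path, cut at the first " - " or ": {" separator.
    head = rest[: pm.start()] if pm else rest
    head = re.split(r" - |: \{", head, maxsplit=1)[0].strip()
    if not head or head.startswith("{"):
        # Nameless entries (orphaned toolbars, DPF objects) are identified by CLSID.
        cm = CLSID_RE.search(rest)
        head = cm.group(0).lower() if cm else rest.strip()
    return Entry(kind, head, path, rest.rstrip().endswith("No File"))


def parse_log(lines: List[str]) -> List[Entry]:
    return [e for e in map(parse_entry, lines) if e is not None]


def review(lines: List[str]) -> Dict[str, object]:
    """What a helper looks at first: dead entries and code loaded from odd places."""
    entries = parse_log(lines)
    return {
        "entries": len(entries),
        "orphans": [e for e in entries if e.orphan],
        "unusual_location": [e for e in entries
                             if e.path and not e.path.startswith(TRUSTED_PREFIXES)],
    }


Key = Tuple[str, str, str]


def diff_logs(old: List[str], new: List[str]) -> Tuple[List[Key], List[Key]]:
    """(entries gone since `old`, entries new in `new`), keyed on kind/label/path."""
    def key(e: Entry) -> Key:
        return (e.kind, e.label, e.path or "")
    a = {key(e) for e in parse_log(old)}
    b = {key(e) for e in parse_log(new)}
    return sorted(a - b), sorted(b - a)


# Sample lines copied from the thread's first and second DDS logs, plus one
# constructed "[example]" entry under a temp folder to exercise the location check.
DDS_FIRST = [
    "============== Pseudo HJT Report ===============",
    r"BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll",
    "TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File",
    "TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File",
    r'mRun: [AVP] "c:\program files\kaspersky lab\kaspersky anti-virus 7.0\avp.exe"',
]
DDS_SECOND = [
    "============== Pseudo HJT Report ===============",
    r"BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll",
    r'mRun: [AVP] "c:\program files\kaspersky lab\kaspersky anti-virus 7.0\avp.exe"',
    r"mRun: [example] c:\docume~1\edna\locals~1\temp\example.exe",  # constructed
]
HJT_SERVICE = r"O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"

if __name__ == "__main__":
    for name, log in (("first DDS log", DDS_FIRST), ("second DDS log", DDS_SECOND)):
        r = review(log)
        print(f"{name}: {r['entries']} entries, {len(r['orphans'])} orphaned, "
              f"{len(r['unusual_location'])} from unusual locations")
    gone, added = diff_logs(DDS_FIRST, DDS_SECOND)
    print("gone since first log:", gone)
    print("new in second log:", added)
```

Run against the two DDS logs in this thread, the diff reports exactly what SCB noticed by eye: the three "No File" toolbar entries and the DPF objects present in the first log are gone in the second. A flagged entry is a place to look, not a verdict; the path check only says the file is somewhere code is not usually launched from.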

#5 southsd (Topic Starter, Members, 5 posts)

Posted 28 February 2009 - 02:19 AM

Alright, I did an MBAM scan and nothing showed.
----------------------------------------------------------
Malwarebytes' Anti-Malware 1.34
Database version: 1807
Windows 5.1.2600 Service Pack 3

2/26/2009 8:47:57 PM
mbam-log-2009-02-26 (20-47-57).txt

Scan type: Full Scan (C:\|)
Objects scanned: 125657
Time elapsed: 1 hour(s), 19 minute(s), 49 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


And here's my HijackThis log:
----------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:14:28 PM, on 2/27/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local;*.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe

--
End of file - 4087 bytes

I also did that sfc /scannow and put the CD in like you said.
So why is rundll32 still running?

#6 SpotCheckBilly (Members, 81 posts, Twin Cities, MN)

Posted 28 February 2009 - 07:40 PM

Hi southsd,

When located in the \system32\ folder, rundll32.exe is a legitimate Microsoft process. See the information provided >>Here<< from processlibrary.com.

Other than the fact that the Startup section of your HJT log only has one entry, you don't show any evidence of leftovers from the Vundo infection. If you're still concerned, we can certainly dig a little deeper, otherwise, looks like you're good to go. How is your machine running now? Odd behaviors? Any symptoms of infection? Please let me know. -- SCB :thumbup2:

#7 southsd (Topic Starter, Members, 5 posts)

Posted 01 March 2009 - 02:56 PM

My computer is running just fine, and the rundll32 is in the right folder and the icon is a picture of a blank page, but all I wanted to know is why does it still show in Task Manager? What's making rundll32 start in the first place? And is there a way to make it stop?

#8 SpotCheckBilly (Members, 81 posts, Twin Cities, MN)

Posted 02 March 2009 - 04:00 PM

Hi southsd,

"All I wanted to know is why does it still show in Task Manager? What's making rundll32 start in the first place? And is there a way to make it stop?"

liutilities.com (Uniblue) definition: The rundll32.exe process is responsible for running DLLs and placing its libraries in the memory.

ActiveState definition: DLL is short for Dynamic Link Library. A DLL is a set of functions that can be executed, or data that can be used by a Windows application. Some are for the use of a specific application, while others, such as many of those that come with Microsoft Windows 95, Windows 98, and Windows NT, can be used by more than one application at the same time.

What this basically means is that rundll32.exe allows .dll files to be run as if they were an application. What's causing it to start? Hard to say, but if you disable it, there may be critical system components that won't work. Additionally, since many .dll files are shared between programs, there may be other programs that won't work either.

This would be a classic case of "if it ain't broke, don't fix it." Do you have a specific reason for wanting to disable it? If so, it may merit further investigation. For instance, if you have an issue with system performance. If you are trying to boost performance, see Black Viper's web site. -- SCB :thumbup2:
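To answer "what is making rundll32 start" on a concrete machine, the useful fact is the one SCB gives above: rundll32.exe only hosts a DLL, so its command line names the DLL and the exported function it was asked to run, and that is what tells you what the process is actually doing (the file sitting in \system32\ being genuine says nothing about which DLL it was handed). Task Manager can display that column (View > Select Columns > Command Line), as can Sysinternals Process Explorer. The following Python function is an added example, not from this thread: it splits a rundll32 command line into DLL, entry point and arguments following rundll32's documented form (DLL, a comma, the entry point, then everything else as arguments), and notes when the DLL is given as a bare name (so which file actually loads depends on the DLL search order) or lives outside the Windows directory. The command lines at the bottom are constructed samples; the one under a Temp folder is made up purely to show the location note, and the check assumes Windows is installed on C:.

```python
"""Read a rundll32.exe command line: which DLL, which export, which arguments.

Added example, not from the thread.  rundll32 only hosts a DLL; its command
line has the form "rundll32.exe <dll>,<entrypoint> <arguments>", so the
command line (Task Manager's Command Line column, or Process Explorer) says
what the process is really doing.  The location check assumes Windows is
installed on C: (assumption).
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

WINDOWS_DIR = "c:\\windows\\"   # assumption: default system drive and folder

# The host executable token: quoted or bare, with or without a directory.
HOST_RE = re.compile(r'\s*(?:"[^"]*rundll32(?:\.exe)?"|\S*rundll32(?:\.exe)?)\s*', re.IGNORECASE)


@dataclass
class RunDllCall:
    dll: str
    entry_point: Optional[str]
    arguments: str
    notes: List[str] = field(default_factory=list)   # things worth a second look


def parse_rundll32(cmdline: str) -> RunDllCall:
    """Split a rundll32 command line into the DLL, the export it calls and its arguments."""
    m = HOST_RE.match(cmdline)
    if not m:
        raise ValueError("not a rundll32 command line")
    rest = cmdline[m.end():]
    # The DLL: a quoted path, or a token that ends at the first comma or space.
    if rest.startswith('"'):
        close = rest.index('"', 1)
        dll, rest = rest[1:close], rest[close + 1:]
    else:
        tok = re.match(r"[^,\s]+", rest)
        if not tok:
            raise ValueError("rundll32 with no DLL given")
        dll, rest = tok.group(0), rest[tok.end():]
    # ",entrypoint" follows the DLL; everything after that is passed to the export.
    entry = None
    em = re.match(r",\s*(\S+)", rest)
    if em:
        entry, rest = em.group(1), rest[em.end():]
    call = RunDllCall(dll, entry, rest.strip())
    if entry is None:
        call.notes.append("no entry point named")
    if "\\" not in dll:
        call.notes.append("bare DLL name: which file loads depends on the DLL search order")
    elif not dll.lower().startswith(WINDOWS_DIR):
        call.notes.append("DLL outside the Windows directory")
    return call


# Constructed sample command lines (the Temp one is made up to show the location note).
SAMPLES = [
    r'C:\WINDOWS\system32\rundll32.exe "C:\WINDOWS\system32\shell32.dll",Control_RunDLL desk.cpl,,0',
    r"rundll32.exe shell32.dll,Control_RunDLL desk.cpl",
    r"rundll32.exe C:\WINDOWS\system32\advpack.dll,LaunchINFSection C:\WINDOWS\INF\sample.inf,Install",
    r'C:\WINDOWS\system32\rundll32.exe "C:\Documents and Settings\Edna\Local Settings\Temp\example.dll",Start',
]

if __name__ == "__main__":
    for line in SAMPLES:
        c = parse_rundll32(line)
        print(f"{c.dll!r} -> {c.entry_point} {c.arguments!r}  {'; '.join(c.notes) or 'ok'}")
```

Once the DLL is known, the registry Run keys and scheduled tasks that HijackThis lists under O4 are where a persistent rundll32 launch is normally configured, which is why SCB's first question was about the unusually short startup section of the log rather than about rundll32.exe itself.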