
Virtumonde infection


  • This topic is locked
15 replies to this topic

#1 bbing

bbing

  • Members
  • 11 posts
  • OFFLINE
  • Local time:12:18 PM

Posted 24 February 2009 - 06:55 PM

DDS (Ver_09-02-01.01) - NTFSx86
Run by Administrator at 15:48:16.48 on Tue 02/24/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_12
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.484 [GMT -8:00]

AV: Trend Micro Internet Security *On-access scanning disabled* (Updated)
FW: Trend Micro Personal Firewall *disabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
svchost.exe
svchost.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\dlcqcoms.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtBty.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\tlntsvr.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosAVRC.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosOBEX.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosBtProc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Trend Micro\Internet Security\UfUpdUi.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Administrator\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = about:blank
uInternet Connection Wizard,ShellNext = hxxp://www.dell4me.com/myway
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: NoExplorer - No File
BHO: Download Manager Browser Helper Object: {19c8e43b-07b3-49cb-bffc-6777b593e6f8} - c:\progra~1\common~1\fluxdvd\downlo~1\XEBDLH~1.DLL
BHO: {1a362425-6689-4b22-a313-326662bb762d} - c:\windows\system32\wutupile.dll
BHO: {778efaea-5d89-48ee-a722-f4ed3e04b42d} - c:\windows\system32\iiffEULc.dll
BHO: {5d4913e4-739b-3919-e414-eacd87d23997}: {79932d78-dcae-414e-9193-b9374e3194d5} - c:\windows\system32\ycffeo.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Winamp Toolbar: {ebf2ba02-9094-4c5a-858b-bb198f3d8de2} - c:\program files\winamp toolbar\winamptb.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [DellSupport] "c:\program files\dellsupport\DSAgnt.exe" /startup
uRun: [Picasa Media Detector] c:\program files\picasa2\PicasaMediaDetector.exe
uRun: [OE] c:\program files\trend micro\internet security\tmas_oe\TMAS_OEMon.exe
mRun: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
mRun: [nwiz] nwiz.exe /installquiet
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [IntelWireless] c:\program files\intel\wireless\bin\ifrmewrk.exe /tf Intel PROSet/Wireless
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
mRun: [EPSON Stylus Photo RX500] c:\windows\system32\spool\drivers\w32x86\3\E_S4I2K1.EXE /P24 "EPSON Stylus Photo RX500" /O6 "USB001" /M "Stylus Photo RX500"
mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [Apoint] c:\program files\apoint\Apoint.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
mRun: [Dell QuickSet] c:\program files\dell\quickset\quickset.exe
mRun: [DLCQCATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\DLCQtime.dll,_RunDLLEntry@16
mRun: [CinemaNowMediaManagerApp]
mRun: [samimagumu] Rundll32.exe "c:\windows\system32\yabodesu.dll",s
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [UfSeAgnt.exe] "c:\program files\trend micro\internet security\UfSeAgnt.exe"
dRun: [OE] c:\program files\trend micro\internet security\tmas_oe\TMAS_OEMon.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\acroba~1.lnk - c:\program files\adobe\acrobat 6.0\distillr\acrotray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\toshiba\bluetooth toshiba stack\TosBtMng.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quickb~1.lnk - c:\program files\common files\intuit\quickbooks\qbupdate\qbupdate.exe
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} - hxxp://support.dell.com/systemprofiler/SysPro.CAB
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/C/0/C/C0CBBA88-A6F2-48D9-9B0E-1719D1177202/LegitCheckControl.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_01-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_05-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Notify: ddcARhHA -
Notify: IntelWireless - c:\program files\intel\wireless\bin\LgNotify.dll
Notify: __c0064044 - c:\windows\system32\__c0064044.dat
AppInit_DLLs: ,c:\windows\system32\disowowu.dll ycffeo.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\iiffEULc
LSA: Notification Packages = scecli c:\windows\system32\disowowu.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\y0h0f3cm.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://sandiego.cox.net/cci/home
FF - prefs.js: network.proxy.type - 4
FF - plugin: c:\program files\common files\fluxdvd\apix\NPAPIX.dll
FF - plugin: c:\program files\common files\fluxdvd\browserintegration\NPFluxBrowserHelper.dll
FF - plugin: c:\program files\common files\mpdrm\NPMPDRM.dll
FF - plugin: c:\program files\google\picasa3\npPicasa2.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\ign\download manager\npfpdlm.dll
FF - plugin: c:\program files\mozilla firefox\extensions\{3112ca9c-de6d-4884-a869-9855de680400}\plugins\npCinemaNowPlugin.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPAdbESD.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPAPIX.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPFluxBrowserHelper.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npitunes.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPMPDRM.dll
FF - plugin: c:\program files\real\realone player\netscape6\nppl3260.dll
FF - plugin: c:\program files\real\realone player\netscape6\nprjplug.dll
FF - plugin: c:\program files\real\realone player\netscape6\nprpjplug.dll

============= SERVICES / DRIVERS ===============

R2 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [2009-2-22 36368]
R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\drivers\TM_CFW.sys [2008-7-30 334352]
S2 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [2009-2-22 49680]
S2 TmPfw;Trend Micro Personal Firewall;c:\program files\trend micro\internet security\TmPfw.exe [2009-2-22 492888]
S2 TmProxy;Trend Micro Proxy Service;c:\program files\trend micro\internet security\TmProxy.exe [2009-2-22 677128]
S3 DJUSB;DMM Controller;c:\windows\system32\drivers\DM2.sys [2001-1-11 10758]
S3 DVC;USB DVC Svc;c:\windows\system32\drivers\DVC.sys [2005-12-6 38604]

============== File Associations ===============

regfile="regedit.exe" "%1"

=============== Created Last 30 ================

2009-02-24 03:59 5,944 a------- c:\windows\system32\jsladanx.dll
2009-02-24 03:56 5,943 a------- c:\windows\system32\vlnultqk.dll
2009-02-23 15:56 1,588,007 ---sh--- c:\windows\system32\pnwichce.ini
2009-02-23 15:56 72,704 a------- c:\windows\system32\echciwnp.dll
2009-02-23 15:53 129,024 a------- c:\windows\system32\ycffeo.dll
2009-02-23 15:53 129,024 a------- c:\windows\system32\hdykrqig.dll
2009-02-23 15:40 <DIR> --d----- c:\docume~1\alluse~1\applic~1\CrucialSoft Ltd
2009-02-22 17:51 50,192 a------- c:\windows\system32\drivers\tmactmon.sys
2009-02-22 17:51 49,680 a------- c:\windows\system32\drivers\tmevtmgr.sys
2009-02-22 17:41 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Trend Micro
2009-02-22 17:33 1,195,384 a------- c:\windows\system32\drivers\vsapint.sys
2009-02-22 17:33 205,328 a------- c:\windows\system32\drivers\tmxpflt.sys
2009-02-22 17:33 36,368 a------- c:\windows\system32\drivers\tmpreflt.sys
2009-02-22 17:29 <DIR> --d----- c:\program files\Trend Micro™ Internet Security
2009-02-22 05:32 1,607,788 ---sh--- c:\windows\system32\jkgtbpjq.ini
2009-02-22 05:32 72,704 a------- c:\windows\system32\qjpbtgkj.dll
2009-02-22 05:29 129,024 a------- c:\windows\system32\daghzv.dll
2009-02-22 05:29 129,024 a------- c:\windows\system32\sgvphxmt.dll
2009-02-21 17:29 129,024 a------- c:\windows\system32\ezrxmp.dll
2009-02-21 17:29 129,024 a------- c:\windows\system32\yhaiyiga.dll
2009-02-21 17:28 1,607,789 ---sh--- c:\windows\system32\sehawpqa.ini
2009-02-21 10:07 144,912 a------- c:\windows\system32\drivers\tmcomm.sys
2009-02-21 08:33 106 a------- C:\xcrashdump.dat
2009-02-20 10:40 129,024 a------- c:\windows\system32\wnvyna.dll
2009-02-20 10:40 129,024 a------- c:\windows\system32\gifqcwnw.dll
2009-02-20 10:38 1,598,385 ---sh--- c:\windows\system32\pattulis.ini
2009-02-20 10:38 72,704 a------- c:\windows\system32\siluttap.dll
2009-02-10 17:43 1,659,484 ---sh--- c:\windows\system32\ahxsvcmk.ini
2009-02-08 08:21 36,352 a------- c:\windows\system32\pmnnMcBq.dll
2009-02-02 13:36 36,352 a------- c:\windows\system32\nnnnLeBQ.dll
2009-02-02 13:36 36,352 a------- c:\windows\system32\rqRIaaaY.dll
2009-01-26 17:22 1,651,904 ---sh--- c:\windows\system32\chassmig.ini
2009-01-26 08:25 1,434,061 ---sh--- c:\windows\system32\huxuhjbj.ini

==================== Find3M ====================

2009-02-24 15:46 7,218 a--sh--- c:\windows\system32\cLUEffii.ini2
2009-02-21 09:20 410,984 a------- c:\windows\system32\deploytk.dll
2009-02-20 11:05 17,553 a------- c:\windows\system32\nvModes.dat
2009-02-11 20:15 73,400 a--sh--- c:\windows\system32\sekisahi.dll
2009-02-09 07:50 74,308 a--sh--- c:\windows\system32\zerinopa.dll
2009-02-06 10:17 72,949 a--sh--- c:\windows\system32\fimuwaho.dll
2009-02-04 10:16 72,948 a--sh--- c:\windows\system32\tahozoyu.dll
2009-02-02 09:07 63,107 a--sh--- c:\windows\system32\zesifimi.dll
2009-01-27 06:48 65,281 a--sh--- c:\windows\system32\medilile.dll
2009-01-26 08:16 72,389 a--sh--- c:\windows\system32\poyinada.dll
2009-01-22 09:24 65,211 a--sh--- c:\windows\system32\ziwinuro.dll
2009-01-20 09:17 64,226 a--sh--- c:\windows\system32\neganosu.dll
2009-01-19 21:15 62,121 a--sh--- c:\windows\system32\powirabu.dll
2009-01-19 09:17 5,944 a------- c:\windows\system32\njtjahmc.dll
2009-01-19 09:16 6,121 a--sh--- c:\windows\system32\torelire.dll
2009-01-17 11:27 5,944 a------- c:\windows\system32\eswgpboy.dll
2009-01-17 11:26 6,123 a--sh--- c:\windows\system32\vayojema.dll
2009-01-16 07:59 5,944 a------- c:\windows\system32\rsoqhdwa.dll
2009-01-16 07:58 6,289 a--sh--- c:\windows\system32\renawevu.dll
2009-01-15 19:32 6,218 a--sh--- c:\windows\system32\kenahozi.dll
2009-01-15 07:14 5,944 a------- c:\windows\system32\leydieid.dll
2009-01-15 07:13 6,138 a--sh--- c:\windows\system32\nehafote.dll
2009-01-14 19:06 6,115 a--sh--- c:\windows\system32\garavebu.dll
2009-01-14 07:06 6,182 a--sh--- c:\windows\system32\dupodayu.dll
2009-01-13 19:06 6,101 a--sh--- c:\windows\system32\yorerufo.dll
2009-01-13 07:49 5,944 a------- c:\windows\system32\tuhjkjet.dll
2009-01-13 07:05 6,302 a--sh--- c:\windows\system32\fahihufo.dll
2009-01-12 19:05 6,218 a--sh--- c:\windows\system32\zogonaha.dll
2009-01-12 07:07 6,232 a--sh--- c:\windows\system32\patafudi.dll
2009-01-11 15:36 6,069 a--sh--- c:\windows\system32\neyuvena.dll
2009-01-11 15:36 6,067 a--sh--- c:\windows\system32\giletisa.dll
2009-01-09 19:15 6,250 a--sh--- c:\windows\system32\rovokoko.dll
2009-01-09 19:15 6,127 a--sh--- c:\windows\system32\bapemode.dll
2009-01-09 07:17 6,288 a--sh--- c:\windows\system32\revulazo.dll
2009-01-09 07:17 6,213 a--sh--- c:\windows\system32\zifewiba.dll
2009-01-08 18:52 6,326 a--sh--- c:\windows\system32\hiwawijo.dll
2009-01-08 18:52 6,155 a--sh--- c:\windows\system32\fepuzega.dll
2009-01-08 13:18 5,944 a------- c:\windows\system32\kgeeiahv.dll
2009-01-08 06:52 6,266 a--sh--- c:\windows\system32\donilowi.dll
2009-01-08 06:52 6,105 a--sh--- c:\windows\system32\woferezi.dll
2009-01-07 23:10 129,024 a------- c:\windows\system32\ndhiqc.dll
2009-01-07 18:52 6,203 a--sh--- c:\windows\system32\lunuhofu.dll
2009-01-07 18:52 6,160 a--sh--- c:\windows\system32\vemewofo.dll
2009-01-07 06:52 6,093 a--sh--- c:\windows\system32\feyajute.dll
2009-01-07 06:52 6,082 a--sh--- c:\windows\system32\fiyobubi.dll
2009-01-06 07:23 6,278 a--sh--- c:\windows\system32\sewepedo.dll
2009-01-06 07:23 6,268 a--sh--- c:\windows\system32\dirupahu.dll
2009-01-05 18:42 6,236 a--sh--- c:\windows\system32\vezipoyo.dll
2009-01-05 18:42 6,134 a--sh--- c:\windows\system32\yamadeko.dll
2009-01-05 14:33 3,751,995 a------- c:\windows\system32\GPhotos.scr
2009-01-05 13:30 5,944 a------- c:\windows\system32\xwtawhvo.dll
2009-01-05 13:29 5,943 a------- c:\windows\system32\wcygdcin.dll
2009-01-05 06:44 6,267 a--sh--- c:\windows\system32\riyakuge.dll
2009-01-05 06:44 6,191 a--sh--- c:\windows\system32\komabagi.dll
2009-01-04 12:33 6,146 a--sh--- c:\windows\system32\dudukomi.dll
2009-01-04 12:33 6,059 a--sh--- c:\windows\system32\lawapuvo.dll
2009-01-04 09:06 5,944 a------- c:\windows\system32\xnjfuarv.dll
2009-01-04 09:03 5,943 a------- c:\windows\system32\wkjvmilf.dll
2009-01-04 00:33 6,291 a--sh--- c:\windows\system32\hijusuza.dll
2009-01-04 00:33 6,045 a--sh--- c:\windows\system32\wavowibi.dll
2009-01-03 12:33 6,109 a--sh--- c:\windows\system32\lobuzosi.dll
2009-01-03 12:33 6,095 a--sh--- c:\windows\system32\sisifeme.dll
2009-01-03 09:00 5,943 a------- c:\windows\system32\npmgydnf.dll
2009-01-03 09:00 5,944 a------- c:\windows\system32\vaetmrkt.dll
2009-01-03 00:30 6,291 a--sh--- c:\windows\system32\jujijano.dll
2009-01-03 00:30 6,134 a--sh--- c:\windows\system32\kikuvupi.dll
2009-01-02 12:31 6,243 a--sh--- c:\windows\system32\niyihese.dll
2009-01-02 12:31 6,157 a--sh--- c:\windows\system32\jogopamo.dll
2008-12-31 07:04 5,943 a------- c:\windows\system32\tybnkygt.dll
2008-12-29 10:48 5,943 a------- c:\windows\system32\swdvgtrc.dll
2008-12-29 10:45 5,944 a------- c:\windows\system32\acweeaco.dll
2008-12-28 10:45 5,943 a------- c:\windows\system32\memfvyeb.dll
2008-12-28 10:44 5,944 a------- c:\windows\system32\rwlljqvd.dll
2008-12-27 10:48 5,943 a------- c:\windows\system32\saxhpxsr.dll
2008-12-27 10:42 5,944 a------- c:\windows\system32\dacwwwiq.dll
2008-12-27 10:34 5,944 a------- c:\windows\system32\gdfxyexe.dll
2008-12-27 10:31 5,943 a------- c:\windows\system32\hqdhyapt.dll
2008-12-26 10:33 5,944 a------- c:\windows\system32\kppfodrp.dll
2008-12-26 10:31 5,943 a------- c:\windows\system32\wlxyjtga.dll
2008-12-25 08:47 5,944 a------- c:\windows\system32\qwoeahgq.dll
2008-12-25 08:41 5,943 a------- c:\windows\system32\ebbifbhb.dll
2008-12-24 08:48 5,943 a------- c:\windows\system32\rtpuymbo.dll
2008-12-24 08:42 5,944 a------- c:\windows\system32\rvajqmto.dll
2008-12-23 10:01 5,944 a------- c:\windows\system32\hoqfxanu.dll
2008-12-22 09:57 5,943 a------- c:\windows\system32\wiueqcqh.dll
2008-12-22 08:13 5,943 a------- c:\windows\system32\tovmekrj.dll
2008-12-21 08:18 5,944 a------- c:\windows\system32\rlakuerc.dll
2008-12-21 08:12 5,943 a------- c:\windows\system32\ercoqykg.dll
2008-12-19 08:25 5,943 a------- c:\windows\system32\kalmqkhv.dll
2008-12-19 08:23 16,384 a------- c:\windows\DCEBoot.exe
2008-12-19 08:22 5,944 a------- c:\windows\system32\umwowkjh.dll
2008-12-17 17:13 302,592 a------- c:\windows\system32\iiffEULc.dll
2008-12-12 22:40 3,593,216 a------- c:\windows\system32\dllcache\mshtml.dll
2007-08-15 08:53 56 ---shr-- c:\windows\system32\AD9D73BE74.sys
0000-00-00 00:00 73,400 a--sh--- c:\windows\system32\disowowu.dll
2007-08-20 07:32 2,098 a--sh--- c:\windows\system32\KGyGaAvL.sys
0000-00-00 00:00 73,400 a--sh--- c:\windows\system32\wutupile.dll
0000-00-00 00:00 73,400 a--sh--- c:\windows\system32\yabodesu.dll
2008-08-20 17:52 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008082020080821\index.dat

============= FINISH: 15:50:11.71 ===============



#2 bbing

bbing
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:12:18 PM

Posted 24 February 2009 - 07:09 PM

Sorry, forgot this..

Attached Files



#3 bbing

bbing
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:12:18 PM

Posted 03 March 2009 - 05:42 PM

Hey guys. I am confident you guys are as busy as it gets here; I wonder whether I should push on after reviewing other posts or whether it is better to hang tight?
I wouldn't want to make your job any more complicated here.

#4 chryssi2001

chryssi2001

  • Members
  • 1,930 posts
  • OFFLINE
  • Local time:08:18 PM

Posted 10 March 2009 - 07:23 AM

Hello bbing :thumbup2: ,

I apologise for the delay, the forum is very busy.

If you still need help follow my instructions and post a HijackThis log.
----------------------------------------------
Download and Run HijackThis
Download HJTInstall.exe to your Desktop.
  • Doubleclick HJTInstall.exe to install it.
  • By default it will install to C:\Program Files\Trend Micro\HijackThis.
  • Click on Install.
  • It will create a HijackThis icon on the desktop.
  • Once installed, it will launch Hijackthis.
  • Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
  • Copy/Paste the log to your next reply please.
Don't use the Analyse This button; its findings are dangerous if misinterpreted.
Don't have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.

Edited by chryssi2001, 10 March 2009 - 07:23 AM.

Private Messages for personal support will be ignored. If you need help post in the forum.

#5 bbing

bbing
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:12:18 PM

Posted 10 March 2009 - 01:15 PM

Here you go, thanks.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:14:56 AM, on 3/10/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\dlcqcoms.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\tlntsvr.exe
C:\Program Files\Trend Micro\Internet Security\TmPfw.exe
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtBty.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosAVRC.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosOBEX.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosBtProc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O2 - BHO: (no name) - {1a362425-6689-4b22-a313-326662bb762d} - C:\WINDOWS\system32\wutupile.dll (file missing)
O2 - BHO: (no name) - {2518C608-FE13-4967-A9B1-87BFE1BCCC50} - C:\WINDOWS\system32\iiffEULc.dll
O3 - Toolbar: Winamp Toolbar - {EBF2BA02-9094-4c5a-858B-BB198F3D8DE2} - C:\Program Files\Winamp Toolbar\winamptb.dll
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [EPSON Stylus Photo RX500] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2K1.EXE /P24 "EPSON Stylus Photo RX500" /O6 "USB001" /M "Stylus Photo RX500"
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [DLCQCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCQtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [samimagumu] Rundll32.exe "C:\WINDOWS\system32\yabodesu.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKCU\..\Run: [OE] C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe
O4 - HKUS\S-1-5-19\..\Run: [OE] C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [OE] C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [OE] C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [OE] C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe (User 'Default user')
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Bluetooth Manager.lnk = ?
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O20 - AppInit_DLLs: C:\WINDOWS\system32\disowowu.dll
O20 - Winlogon Notify: ddcARhHA - C:\WINDOWS\
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: dlcq_device - - C:\WINDOWS\system32\dlcqcoms.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Unknown owner - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe (file missing)
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SfCtlCom - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (TmProxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\TightVNC\WinVNC.exe (file missing)
O23 - Service: WLANKEEPER - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 8672 bytes

Attached Files


Edited by bbing, 10 March 2009 - 01:16 PM.
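A first-pass triage of HijackThis lines like the ones in the log above, added here as an illustration (it is not a BleepingComputer or HijackThis tool, and its rules, names and sample lines are my own assumptions modelled on the entries in this thread). It flags only the entry types a helper reads first (no-name BHOs, AppInit_DLLs, Winlogon Notify packages, orphaned entries, and Vundo-style alternating consonant/vowel filenames in system32) and leaves ordinary vendor entries alone, which is the point of not letting HJT fix anything yet:

```python
"""Heuristic first-pass triage of HijackThis (HJT) v2 log lines.

Illustration written for this thread; not a BleepingComputer or HJT tool.
The rules are assumptions modelled on the entries seen above.  Only entry
types an analyst would look at first are flagged; everything else is left
alone, which is why the helper says not to let HJT "fix" anything yet.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample in HJT v2.0.2 format: the suspicious lines mirror the
# shape of entries in the log above, the benign ones are ordinary vendor items.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {1a362425-6689-4b22-a313-326662bb762d} - C:\WINDOWS\system32\wutupile.dll (file missing)
O2 - BHO: (no name) - {2518C608-FE13-4967-A9B1-87BFE1BCCC50} - C:\WINDOWS\system32\iiffEULc.dll
O3 - Toolbar: Winamp Toolbar - {EBF2BA02-9094-4c5a-858B-BB198F3D8DE2} - C:\Program Files\Winamp Toolbar\winamptb.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [samimagumu] Rundll32.exe "C:\WINDOWS\system32\yabodesu.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - AppInit_DLLs: C:\WINDOWS\system32\disowowu.dll
O20 - Winlogon Notify: ddcARhHA - C:\WINDOWS\
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\TightVNC\WinVNC.exe (file missing)
"""

SECTION_RE = re.compile(r"^(?P<sec>[A-Z]\d{1,2}) - (?P<rest>.*)$")
PATH_RE = re.compile(r'[A-Za-z]:\\[^"]*?\.(?:dll|exe|sys|dat|ini)', re.IGNORECASE)
SYSTEM32_RE = re.compile(r"\\windows\\system32\\([^\\]+)$", re.IGNORECASE)
VOWELS = set("aeiou")


@dataclass
class Finding:
    section: str
    line: str
    path: Optional[str]
    reasons: List[str] = field(default_factory=list)


def looks_random(stem: str) -> bool:
    """Vundo/Virtumonde-style generated names (yabodesu, disowowu, wutupile)
    are 6-8 letters that strictly alternate consonant and vowel.  Real
    system32 names (ctfmon, NvCpl, mobsync) break the pattern quickly.
    Deliberately narrow: it misses case-scrambled names such as iiffEULc,
    which the other rules catch through the entry type they sit in."""
    if not stem.isalpha() or not 6 <= len(stem) <= 8:
        return False
    low = stem.lower()
    return all((ch in VOWELS) == (i % 2 == 1) for i, ch in enumerate(low))


def triage_line(line: str) -> Optional[Finding]:
    """Return a Finding with one reason per rule that fired, or None."""
    m = SECTION_RE.match(line.strip())
    if not m:
        return None  # process list, headers, blank lines
    sec, rest = m.group("sec"), m.group("rest")
    pm = PATH_RE.search(rest)
    f = Finding(sec, line.strip(), pm.group(0) if pm else None)

    if "(file missing)" in rest:
        f.reasons.append("orphaned entry: referenced file is absent")
    if sec == "O2" and rest.startswith("BHO: (no name)"):
        f.reasons.append("BHO with no name")
    if sec == "O20" and rest.startswith("AppInit_DLLs:"):
        if rest.split(":", 1)[1].strip():
            f.reasons.append("AppInit_DLLs loads into every user-mode process")
    if sec == "O20" and rest.startswith("Winlogon Notify:"):
        f.reasons.append("Winlogon Notify package loads into winlogon.exe")
        if f.path is None:
            f.reasons.append("no DLL path recorded for the package")
    if f.path:
        sm = SYSTEM32_RE.search(f.path)
        if sm and looks_random(sm.group(1).rsplit(".", 1)[0]):
            f.reasons.append("random-looking filename in system32: " + sm.group(1))
    return f if f.reasons else None


def triage(log_text: str) -> List[Finding]:
    """Run every line of an HJT log through the rules; keep only the hits."""
    return [f for f in map(triage_line, log_text.splitlines()) if f]


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding.section, finding.line[:70])
        for reason in finding.reasons:
            print("    -", reason)
```

On the sample it flags six of the nine lines and leaves the NVIDIA, ctfmon and Winamp entries untouched; a hit is a reason to look closer, not a verdict.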


#6 chryssi2001

chryssi2001

  • Members
  • 1,930 posts
  • OFFLINE
  • Local time:08:18 PM

Posted 10 March 2009 - 02:20 PM

Hello bbing,

You have a lot of infection there :thumbup2:. Let's start cleaning. :)
----------------------------------------------
Please download ATF cleaner
Make sure that all browser windows are closed. Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All and UNCHECK Cookies.
Click the Empty Selected button.
If you use the Firefox browser, click Firefox at the top and choose: Select All and UNCHECK Cookies.
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use the Opera browser, click Opera at the top and choose: Select All and UNCHECK Cookies.
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
----------------------------------------------
Malwarebytes' Anti-Malware

Please download Malwarebytes' Anti-Malware to your desktop.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform full scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Check (tick) all items except items in the C:\System Volume Information folder, and click Remove Selected.
  • When completed, a log will open in Notepad. Please save it to a convenient location.
  • The log can also be found here:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
  • Post that log back here.
----------------------------------------------
Post back:
Malwarebytes' Anti-Malware report.
A new HijackThis log.
Private Messages for personal support will be ignored. If you need help post in the forum.

#7 bbing

bbing
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:12:18 PM

Posted 10 March 2009 - 07:37 PM

Malwarebytes' Anti-Malware 1.34
Database version: 1832
Windows 5.1.2600 Service Pack 3

3/10/2009 5:29:23 PM
mbam-log-2009-03-10 (17-29-23).txt

Scan type: Full Scan (C:\|)
Objects scanned: 226431
Time elapsed: 3 hour(s), 29 minute(s), 3 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 5
Registry Keys Infected: 20
Registry Values Infected: 1
Registry Data Items Infected: 6
Folders Infected: 7
Files Infected: 59

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\aymcpubh.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\iiffEULc.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\disowowu.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\yabodesu.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\sstnpg.dll (Trojan.Vundo) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2518c608-fe13-4967-a9b1-87bfe1bccc50} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{2518c608-fe13-4967-a9b1-87bfe1bccc50} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1a362425-6689-4b22-a313-326662bb762d} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{1a362425-6689-4b22-a313-326662bb762d} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{2518c608-fe13-4967-a9b1-87bfe1bccc50} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\{5222008a-dd62-49c7-a735-7bd18ecc7350} (Rogue.VirusRemover) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\{5222008a-dd62-49c7-a735-7bd18ecc7350} (Rogue.VirusRemover) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\virusremover2008 (Rogue.VirusRemove) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\virusremover2008 (Rogue.VirusRemove) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\xpre (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\instkey (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\cs41275 (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WS2IFSL (Fake.Driver) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\samimagumu (Trojan.Vundo.H) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\iiffeulc -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\regfile\shell\open\command\ (Broken.OpenCommand) -> Bad: ("regedit.exe" "%1") Good: (regedit.exe "%1") -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: c:\windows\system32\disowowu.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\disowowu.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: system32\disowowu.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\iiffeulc -> Delete on reboot.

Folders Infected:
C:\Documents and Settings\Administrator\Application Data\gadcom (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\CrucialSoft Ltd (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\CrucialSoft Ltd\MS AntiSpyware 2009 (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\CrucialSoft Ltd\MS AntiSpyware 2009\BASE (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\CrucialSoft Ltd\MS AntiSpyware 2009\DELETED (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\CrucialSoft Ltd\MS AntiSpyware 2009\LOG (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\CrucialSoft Ltd\MS AntiSpyware 2009\SAVED (Rogue.Multiple) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\iiffEULc.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\cLUEffii.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\cLUEffii.ini2 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\aymcpubh.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\hbupcmya.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\echciwnp.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\pnwichce.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\qjpbtgkj.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\jkgtbpjq.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\siluttap.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\pattulis.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\yabodesu.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\disowowu.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\sstnpg.dll (Trojan.Vundo) -> Delete on reboot.
C:\Program Files\Trend Micro\HijackThis\backups\backup-20090224-165917-421.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Program Files\Trend Micro\HijackThis\backups\backup-20090224-165917-714.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\Program Files\Trend Micro\HijackThis\backups\backup-20090224-165917-871.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Program Files\Trend Micro\HijackThis\backups\backup-20090224-165935-581.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Program Files\Trend Micro\HijackThis\backups\backup-20090227-110544-126.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Program Files\Trend Micro\HijackThis\backups\backup-20090227-110544-621.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\Program Files\Trend Micro\HijackThis\backups\backup-20090310-110634-577.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Program Files\Trend Micro\HijackThis\backups\backup-20090310-110634-901.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\Program Files\Trend Micro\HijackThis\backups\backup-20090310-110758-275.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Program Files\Trend Micro\HijackThis\backups\backup-20090310-110816-177.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP578\A0270319.dll (Trojan.Vundo) -> Not selected for removal.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP578\A0270320.dll (Trojan.Vundo) -> Not selected for removal.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP578\A0270321.dll (Trojan.Vundo) -> Not selected for removal.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP581\A0272290.dll (Trojan.Vundo) -> Not selected for removal.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP581\A0272291.dll (Trojan.Vundo) -> Not selected for removal.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP581\A0272292.dll (Trojan.Vundo) -> Not selected for removal.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP583\A0273318.dll (Trojan.Vundo) -> Not selected for removal.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP583\A0273319.dll (Trojan.Vundo) -> Not selected for removal.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP583\A0273320.dll (Trojan.Vundo) -> Not selected for removal.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP593\A0275857.dll (Trojan.Vundo) -> Not selected for removal.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP610\A0285417.dll (Trojan.Vundo.H) -> Not selected for removal.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP564\A0263721.dll (Trojan.Vundo) -> Not selected for removal.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP564\A0263722.dll (Trojan.Vundo) -> Not selected for removal.
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP564\A0263723.dll (Trojan.Vundo) -> Not selected for removal.
C:\WINDOWS\system32\sekisahi.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\fimuwaho.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\folawayu.dll.tmp (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\miliyepa.dll.tmp (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\tahozoyu.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\cwhxyrot.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\guborusi.dll.tmp (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\zerinopa.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\CrucialSoft Ltd\MS AntiSpyware 2009\20090223160254828.log (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\CrucialSoft Ltd\MS AntiSpyware 2009\LOG\20090223154128390.log (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\CrucialSoft Ltd\MS AntiSpyware 2009\LOG\20090223155536546.log (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\WINDOWS\kernel32.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\sirifiwi.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\sisifeme.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ligamosa.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\rqRIaaaY.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\nnnnLeBQ.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\pmnnMcBq.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\riyakuge.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\kenahozi.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wavowibi.dll (Trojan.Vundo) -> Quarantined and deleted successfully.



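A parser for this kind of Malwarebytes report, added here as an example and not part of the thread or of Malwarebytes' own tooling. It reads the "path (detection) -> action" lines, groups the detections by the Windows load point they sit on (AppInit_DLLs, the LSA Notification and Authentication Packages, Browser Helper Objects, Run keys, services), and lists everything that was only marked "Delete on reboot", which is the set of objects still locked or mapped in memory when the scan ran. The sample lines are copied from the log above; the line regex and the load-point labels are my own assumptions about the report format.

```python
"""Summarise persistence load points from a Malwarebytes' Anti-Malware log.

Added example; not part of the forum thread or of Malwarebytes. The line
format (path, detection in parentheses, '->' action) is assumed from the
report posted above.
"""
import re
from collections import Counter

# Constructed sample: a subset of lines copied from the MBAM log above.
SAMPLE_LOG = r"""Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2518c608-fe13-4967-a9b1-87bfe1bccc50} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WS2IFSL (Fake.Driver) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\samimagumu (Trojan.Vundo.H) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\iiffeulc -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\regfile\shell\open\command\ (Broken.OpenCommand) -> Bad: ("regedit.exe" "%1") Good: (regedit.exe "%1") -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: c:\windows\system32\disowowu.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\iiffeulc -> Delete on reboot.

Files Infected:
C:\WINDOWS\system32\iiffEULc.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\cLUEffii.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
"""

# One result line: "<path> (<detection>) -> <action>", optionally with a
# "Data: <value> -> " (or "Bad: ... Good: ... -> ") segment before the action.
LINE_RE = re.compile(r"^(?P<path>.+?) \((?P<detection>[^()]+)\) -> (?P<rest>.+)$")

# Load points seen in this log, keyed by a case-insensitive substring of the
# registry path (labels are my own, not MBAM's).
LOAD_POINTS = [
    ("AppInit_DLLs", "\\appinit_dlls"),
    ("LSA Notification Packages", "\\lsa\\notification packages"),
    ("LSA Authentication Packages", "\\lsa\\authentication packages"),
    ("Browser Helper Object", "\\browser helper objects\\"),
    ("Run key", "\\currentversion\\run\\"),
    ("Service", "\\currentcontrolset\\services\\"),
]


def classify_load_point(path):
    """Return the load-point label for a registry path, or 'Other'."""
    lowered = path.lower()
    for label, needle in LOAD_POINTS:
        if needle in lowered:
            return label
    return "Other"


def parse_line(line):
    """Parse one result line; return None for headers, blanks and counters."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    path, detection, rest = m.group("path"), m.group("detection"), m.group("rest")
    data = None
    if " -> " in rest:  # data item: value text precedes the final action
        data, rest = rest.rsplit(" -> ", 1)
        if data.startswith("Data: "):
            data = data[len("Data: "):]
    return {
        "path": path,
        "detection": detection,
        "data": data,
        "action": rest.rstrip("."),
        "load_point": classify_load_point(path),
    }


def summarize(log_text):
    """Group detections by load point and list what survives until reboot."""
    entries = [e for e in map(parse_line, log_text.splitlines()) if e]
    load_points = Counter(e["load_point"] for e in entries if e["load_point"] != "Other")
    families = Counter(e["detection"] for e in entries)
    # "Delete on reboot" means the object was in use when MBAM ran: the DLL
    # stays mapped until the restart, so a rescan before rebooting finds it again.
    pending = sorted({(e["data"] or e["path"]).lower()
                      for e in entries if e["action"] == "Delete on reboot"})
    return {"entries": entries, "load_points": load_points,
            "families": families, "pending_reboot": pending}


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    for label, n in sorted(report["load_points"].items()):
        print(f"{n:2d}  {label}")
    print("pending until reboot:", *report["pending_reboot"], sep="\n  ")
```

Run against the full log above, the "pending until reboot" list is the set of DLLs a helper would expect to see again in a HijackThis log taken before the machine has restarted.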

#8 chryssi2001

chryssi2001

  • Members
  • 1,930 posts
  • OFFLINE
  • Local time:08:18 PM

Posted 11 March 2009 - 07:12 AM

Hi bbing,

Download and run Combofix
This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


Please download ComboFix from one of these locations:

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
  • If you need help to disable your protection programs see here.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image
Click on Yes, to continue scanning for malware.
When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

If you need help, see this link:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
----------------------------------------------
RENAME HIJACKTHIS

Using Windows Explorer (right-click the Start button and left-click Explore), navigate to:
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

Right-click on HijackThis.exe, select Rename, rename it to scanner.exe, and post back a new HijackThis log.
----------------------------------------------
Post back:
Combofix report.
A new HijackThis log.
Private Messages for personal support will be ignored. If you need help post in the forum.

#9 bbing

bbing
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:12:18 PM

Posted 11 March 2009 - 10:49 AM

ComboFix 09-03-10.03 - Administrator 2009-03-11 8:20:53.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.486 [GMT -7:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
AV: Trend Micro Internet Security *On-access scanning disabled* (Updated)
FW: Trend Micro Personal Firewall *enabled*
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\IE4 Error Log.txt
c:\windows\system32\ahxsvcmk.ini
c:\windows\system32\bejydaes.ini
c:\windows\system32\chassmig.ini
c:\windows\system32\daghzv.dll
c:\windows\system32\dojjvwdg.ini
c:\windows\system32\ewunurad.ini
c:\windows\system32\fwvucerp.ini
c:\windows\system32\hdykrqig.dll
c:\windows\system32\hfmyvqao.ini
c:\windows\system32\huxuhjbj.ini
c:\windows\system32\jafijohe.dll.tmp
c:\windows\system32\kohajawu.dll.tmp
c:\windows\system32\kozafuli.dll.tmp
c:\windows\system32\medilile.dll
c:\windows\system32\mkdeephy.ini
c:\windows\system32\neganosu.dll
c:\windows\system32\oahwefgw.ini
c:\windows\system32\pjrtfoux.ini
c:\windows\system32\powirabu.dll
c:\windows\system32\poyinada.dll
c:\windows\system32\rfbrspjg.ini
c:\windows\system32\sehawpqa.ini
c:\windows\system32\sgvphxmt.dll
c:\windows\system32\sylvrdvs.ini
c:\windows\system32\tuxeygym.ini
c:\windows\system32\xiwveknw.ini
c:\windows\system32\ycffeo.dll
c:\windows\system32\zesifimi.dll
c:\windows\system32\ziwinuro.dll
C:\xcrashdump.dat

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_FAD
-------\Legacy_PACKET


((((((((((((((((((((((((( Files Created from 2009-02-11 to 2009-03-11 )))))))))))))))))))))))))))))))
.

2009-03-10 13:57 . 2009-03-10 13:57 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-03-10 13:57 . 2009-02-11 10:19 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-03-10 13:56 . 2009-03-10 13:57 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-03-10 13:56 . 2009-03-10 13:56 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-03-10 13:56 . 2009-02-11 10:19 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-10 09:30 . 2009-03-10 09:30 5,941 --a------ c:\windows\system32\tftcqrlc.dll
2009-03-10 09:28 . 2009-03-10 09:28 5,943 --a------ c:\windows\system32\kkcrubvq.dll
2009-03-06 12:54 . 2009-03-06 12:54 5,943 --a------ c:\windows\system32\tmpgsgay.dll
2009-03-06 12:53 . 2009-03-06 12:53 5,941 --a------ c:\windows\system32\pebfkjkt.dll
2009-03-06 09:28 . 2009-03-06 09:28 2,713 --ahs---- c:\windows\system32\nevaluso.dll
2009-03-05 21:14 . 2009-03-05 21:14 5,941 --a------ c:\windows\system32\nuqruawy.dll
2009-03-05 21:11 . 2009-03-05 21:11 5,943 --a------ c:\windows\system32\mpeabrol.dll
2009-03-05 09:11 . 2009-03-05 09:11 <DIR> d-------- c:\windows\system32\Interactive
2009-03-05 09:11 . 2009-03-05 09:11 5,941 --a------ c:\windows\system32\msnwokfx.dll
2009-03-05 09:09 . 2009-03-05 09:09 5,943 --a------ c:\windows\system32\jwnsupie.dll
2009-03-04 15:23 . 2009-03-04 15:23 5,943 --a------ c:\windows\system32\vcgapccw.dll
2009-03-04 15:23 . 2009-03-04 15:23 5,941 --a------ c:\windows\system32\hhelqsxt.dll
2009-03-03 09:20 . 2009-03-03 09:20 5,941 --a------ c:\windows\system32\mwxdrbno.dll
2009-03-03 09:17 . 2009-03-03 09:17 5,943 --a------ c:\windows\system32\madvsoor.dll
2009-03-02 09:19 . 2009-03-02 09:19 5,943 --a------ c:\windows\system32\csltdyvn.dll
2009-03-02 09:19 . 2009-03-02 09:19 5,941 --a------ c:\windows\system32\colryumc.dll
2009-02-27 20:47 . 2009-02-27 20:47 5,943 --a------ c:\windows\system32\xkgvcddc.dll
2009-02-27 20:47 . 2009-02-27 20:47 5,941 --a------ c:\windows\system32\qsgrovhb.dll
2009-02-26 07:08 . 2009-02-26 07:08 5,943 --a------ c:\windows\system32\jbijarwl.dll
2009-02-26 07:05 . 2009-02-26 07:05 5,941 --a------ c:\windows\system32\krodqhuw.dll
2009-02-25 19:08 . 2009-02-25 19:08 5,941 --a------ c:\windows\system32\ggveibif.dll
2009-02-25 19:05 . 2009-02-25 19:05 5,943 --a------ c:\windows\system32\wmjhnisi.dll
2009-02-25 07:08 . 2009-02-25 07:08 5,941 --a------ c:\windows\system32\lmcfwggo.dll
2009-02-25 07:05 . 2009-02-25 07:05 5,943 --a------ c:\windows\system32\tymkvfhw.dll
2009-02-24 18:01 . 2009-02-24 18:03 <DIR> d-------- c:\documents and settings\Administrator\Application Data\HouseCall 6.6
2009-02-24 17:52 . 2009-02-24 17:50 73,728 --a------ c:\windows\system32\javacpl.cpl
2009-02-24 04:59 . 2009-02-24 04:59 5,944 --a------ c:\windows\system32\jsladanx.dll
2009-02-24 04:56 . 2009-02-24 04:56 5,943 --a------ c:\windows\system32\vlnultqk.dll
2009-02-22 18:51 . 2008-07-30 12:05 50,192 --a------ c:\windows\system32\drivers\tmactmon.sys
2009-02-22 18:51 . 2008-07-30 12:05 49,680 --a------ c:\windows\system32\drivers\tmevtmgr.sys
2009-02-22 18:41 . 2009-02-23 14:10 <DIR> d-------- c:\documents and settings\All Users\Application Data\Trend Micro
2009-02-22 18:33 . 2008-11-26 18:39 1,195,384 --a------ c:\windows\system32\drivers\vsapint.sys
2009-02-22 18:33 . 2008-11-26 18:42 205,328 --a------ c:\windows\system32\drivers\tmxpflt.sys
2009-02-22 18:33 . 2008-11-26 18:42 36,368 --a------ c:\windows\system32\drivers\tmpreflt.sys
2009-02-22 18:29 . 2009-02-22 18:30 <DIR> d-------- c:\program files\Trend Micro™ Internet Security
2009-02-21 11:07 . 2008-07-30 12:05 144,912 --a------ c:\windows\system32\drivers\tmcomm.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-25 00:31 --------- d-----w c:\program files\Java
2009-02-24 00:05 --------- d-----w c:\program files\Google
2009-02-23 01:51 --------- d-----w c:\program files\Trend Micro
2009-02-21 16:08 --------- d-----w c:\program files\IEForge
2009-02-21 16:04 --------- d-----w c:\program files\DAS Trader DEMO
2008-12-19 16:23 16,384 ----a-w c:\windows\DCEBoot.exe
2001-12-04 00:09 90,112 ----a-w c:\program files\internet explorer\plugins\DjVuControl.dll
2007-08-15 16:53 56 --sh--r c:\windows\system32\AD9D73BE74.sys
2007-08-20 15:32 2,098 --sha-w c:\windows\system32\KGyGaAvL.sys
2008-08-21 01:52 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008082020080821\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"OE"="c:\program files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe" [2008-07-30 497008]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="c:\windows\system32\mobsync.exe" [2008-04-13 143360]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-06-20 6725632]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2004-10-30 385024]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2005-12-04 461584]
"EPSON Stylus Photo RX500"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_S4I2K1.EXE" [2003-06-02 99840]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2005-05-31 122941]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2004-09-13 155648]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-06-29 286720]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2007-07-10 270648]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2007-01-24 198128]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2005-03-04 622592]
"DLCQCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\DLCQtime.dll" [2006-06-07 106496]
"UfSeAgnt.exe"="c:\program files\Trend Micro\Internet Security\UfSeAgnt.exe" [2008-07-30 970808]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-02-24 148888]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"OE"="c:\program files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe" [2008-07-30 497008]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - c:\program files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-05-15 217193]
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-10-17 110592]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 29696]
Bluetooth Manager.lnk - c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe [2005-09-15 1720320]
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2005-11-04 724992]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
2004-09-07 14:08 110592 c:\program files\Intel\Wireless\Bin\LgNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"midi1"= myokent.dll
"msvideo9"= SDVC03.drv

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Macromedia\\Dreamweaver 8\\Dreamweaver.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Ipswitch\\WS_FTP Professional\\wsftpgui.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\QuickTime\\QuickTimePlayer.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Real\\RealOne Player\\realplay.exe"=
"c:\\Program Files\\Atari\\Test Drive Unlimited\\TestDriveUnlimited.exe"=
"c:\\Program Files\\32nd America's Cup\\VskAC32.exe"=
"c:\\WINDOWS\\system32\\dlcqcoms.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\mobsync.exe"=
"c:\\Program Files\\iPod\\bin\\iPodService.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009

R2 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [2009-02-22 49680]
R2 TmPfw;Trend Micro Personal Firewall;c:\program files\Trend Micro\Internet Security\TmPfw.exe [2009-02-22 492888]
R2 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [2009-02-22 36368]
R2 TmProxy;Trend Micro Proxy Service;c:\program files\Trend Micro\Internet Security\TmProxy.exe [2009-02-22 677128]
R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\drivers\TM_CFW.sys [2008-07-30 334352]
S3 DJUSB;DMM Controller;c:\windows\system32\drivers\DM2.sys [2001-01-11 10758]
S3 DVC;USB DVC Svc;c:\windows\system32\drivers\DVC.sys [2005-12-06 38604]
.
Contents of the 'Scheduled Tasks' folder

2009-03-07 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 17:57]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Picasa Media Detector - c:\program files\Picasa2\PicasaMediaDetector.exe
HKLM-Run-CinemaNowMediaManagerApp - (no file)
Notify-ddcARhHA - (no file)


.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\y0h0f3cm.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.icmag.com/ic/member.php?u=8805
FF - prefs.js: network.proxy.type - 4
FF - plugin: c:\program files\Common Files\fluxDVD\APIX\NPAPIX.dll
FF - plugin: c:\program files\Common Files\fluxDVD\BrowserIntegration\NPFluxBrowserHelper.dll
FF - plugin: c:\program files\Common Files\mpDRM\NPMPDRM.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa2.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\IGN\Download Manager\npfpdlm.dll
FF - plugin: c:\program files\Mozilla Firefox\extensions\{3112ca9c-de6d-4884-a869-9855de680400}\plugins\npCinemaNowPlugin.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPAdbESD.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPAPIX.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPFluxBrowserHelper.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npitunes.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPMPDRM.dll
FF - plugin: c:\program files\Real\RealOne Player\Netscape6\nppl3260.dll
FF - plugin: c:\program files\Real\RealOne Player\Netscape6\nprjplug.dll
FF - plugin: c:\program files\Real\RealOne Player\Netscape6\nprpjplug.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-11 08:32:46
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
DLCQCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\DLCQtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\Administrator\Software\Microsoft\Multimedia\1;~| QMMPWV6E_^*SUl$ tK}]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\Administrator\Software\Microsoft\Multimedia\q+NQRQPV[_^UQe*VW} }31;~| QMCMPWV6E_^*SUl$ tK}]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{5C082286-DD56-6B96-110FABAC317C22E3}\{17077DA0-F2D9-EF48-DBC13F521337D931}\{A783887F-564D-BBBA-662193019693FEBC}*]
"NRDFOBLVNAUE2QOGEQXAH1Y2DD1"=hex:01,00,01,00,00,00,00,00,b0,0a,ac,41,7a,16,04,
de,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1620)
c:\windows\system32\myokent.dll
c:\program files\Intel\Wireless\Bin\LgNotify.dll

- - - - - - - > 'lsass.exe'(1676)
c:\windows\system32\myokent.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Intel\Wireless\Bin\WLKEEPER.exe
c:\program files\Trend Micro\BM\TMBMSRV.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\windows\system32\dlcqcoms.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Dell\NicConfigSvc\NicConfigSvc.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\Trend Micro\Internet Security\SfCtlCom.exe
c:\program files\Dell Support Center\bin\sprtsvc.exe
c:\windows\system32\tlntsvr.exe
c:\program files\Intel\Wireless\Bin\ZCfgSvc.exe
c:\progra~1\Intel\Wireless\Bin\1XConfig.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtBty.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtHSP.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosAVRC.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosOBEX.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-03-11 8:42:14 - machine was rebooted
ComboFix-quarantined-files.txt 2009-03-11 15:42:09

Pre-Run: 2,715,328,512 bytes free
Post-Run: 2,478,456,832 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

279 --- E O F --- 2008-12-11 15:09:44

Attached Files
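
Two features of the ComboFix log above that a responder would want to pull out mechanically rather than by eye: the locked registry keys whose leaf names contain characters no installer would write (and whose CLSID-style components are not well-formed GUIDs), and the single DLL that ComboFix lists under both winlogon.exe and lsass.exe. The Python below is an added example, not code from this thread or from ComboFix; it parses those two sections from an excerpt of the log. The section titles and the process-line format are taken from the log itself, the GUID check is the standard 8-4-4-4-12 hex layout, and the "safe characters" allowlist for key names is my own assumption.

```python
import re
from collections import defaultdict

# Constructed sample input: an excerpt of the ComboFix log posted above.
COMBOFIX_EXCERPT = r"""
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\Administrator\Software\Microsoft\Multimedia\1;~| QMMPWV6E_^*SUl$ tK}]
@Allowed: (Read) (RestrictedCode)

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{5C082286-DD56-6B96-110FABAC317C22E3}\{17077DA0-F2D9-EF48-DBC13F521337D931}\{A783887F-564D-BBBA-662193019693FEBC}*]
"NRDFOBLVNAUE2QOGEQXAH1Y2DD1"=hex:01,00,01,00
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1620)
c:\windows\system32\myokent.dll
c:\program files\Intel\Wireless\Bin\LgNotify.dll

- - - - - - - > 'lsass.exe'(1676)
c:\windows\system32\myokent.dll
.
"""

SECTION_RE = re.compile(r"^-{3,}\s*(.+?)\s*-{3,}$")
KEY_RE = re.compile(r"^\[(.+?)\*?\]$")
PROCESS_RE = re.compile(r"^- (?:- )*> '([^']+)'\((\d+)\)$")
# Well-formed GUID: 8-4-4-4-12 hex digits in braces.
GUID_RE = re.compile(
    r"^\{[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{12}\}$")
# Assumed allowlist of characters a legitimate installer writes into a key name.
SAFE_NAME_RE = re.compile(r"^[A-Za-z0-9 ._{}\-]+$")


def split_sections(text):
    """Group log lines under the dashed '--- TITLE ---' headers ComboFix uses."""
    sections, current = defaultdict(list), None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
        elif current and line.strip() not in ("", "."):
            sections[current].append(line)
    return sections


def locked_key_findings(lines):
    """Flag locked keys whose path components look machine-generated."""
    findings = []
    for line in lines:
        m = KEY_RE.match(line)
        if not m:
            continue
        path = m.group(1)
        parts = path.split("\\")
        if not SAFE_NAME_RE.match(parts[-1]):
            findings.append((path, "unusual characters in key name"))
            continue
        bad = [p for p in parts if p.startswith("{") and not GUID_RE.match(p)]
        if bad:
            findings.append((path, "malformed GUID component(s): " + ", ".join(bad)))
    return findings


def injected_dlls(lines):
    """Map each listed process (lower-cased) to the DLLs ComboFix saw loaded in it."""
    loaded, proc = defaultdict(list), None
    for line in lines:
        m = PROCESS_RE.match(line)
        if m:
            proc = m.group(1).lower()
        elif proc and line.lower().endswith(".dll"):
            loaded[proc].append(line.lower())
    return loaded


def shared_dll_findings(loaded, sensitive=("winlogon.exe", "lsass.exe", "explorer.exe")):
    """Return DLLs loaded into more than one of the sensitive processes."""
    by_dll = defaultdict(set)
    for proc, dlls in loaded.items():
        if proc in sensitive:
            for dll in dlls:
                by_dll[dll].add(proc)
    return {dll: sorted(procs) for dll, procs in by_dll.items() if len(procs) > 1}


def triage(text):
    """Run both checks over a ComboFix log and return the findings."""
    sections = split_sections(text)
    loaded = injected_dlls(sections["DLLs Loaded Under Running Processes"])
    return {
        "locked_keys": locked_key_findings(sections["LOCKED REGISTRY KEYS"]),
        "loaded": dict(loaded),
        "shared": shared_dll_findings(loaded),
    }


if __name__ == "__main__":
    result = triage(COMBOFIX_EXCERPT)
    for path, why in result["locked_keys"]:
        print("LOCKED KEY:", why, "->", path)
    for dll, procs in result["shared"].items():
        print("SHARED DLL:", dll, "in", ", ".join(procs))
```

ComboFix already filters out the Microsoft DLLs it expects in those processes, so everything it lists under winlogon.exe or lsass.exe deserves a hash and signature check; a DLL that appears in both, from system32, with a name no vendor owns, is the one to submit first.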



#10 chryssi2001

chryssi2001

  • Members
  • 1,930 posts
  • OFFLINE
  • Local time:08:18 PM

Posted 11 March 2009 - 01:19 PM

Hello bbing,

Did you install Trendmicro Internet Security after you got infected?

Are you the administrator of this pc? Did you change any policies regarding Multimedia registry keys?

What language is your OS?
----------------------------------------------
Go to Start > Settings > Control Panel and click on Add/Remove Programs. If any of the following programs are listed there, click on the program to highlight it, then click Remove. Then close the Control Panel.

Note: We'll install Adobe Reader latest version later.
Adobe Acrobat - Reader 6.0.2 Update
Adobe Reader 6.0.1
Adobe Reader 7.0.5
J2SE Runtime Environment 5.0 Update 1
J2SE Runtime Environment 5.0 Update 5
J2SE Runtime Environment 5.0 Update 6
Java 2 Runtime Environment, SE v1.4.2_03
Java™ 6 Update 3
Java™ 6 Update 5
Java™ 6 Update 7


WildTangent Web Driver << If you use this pc to play games, do not remove this program.
----------------------------------------------
Upload a File to Jotti
Please visit http://virusscan.jotti.org/

Copy/paste this file and path into the white box at the top:

c:\windows\system32\AD9D73BE74.sys

Press Submit - this will submit the file for testing.
Please wait for all the scanners to finish then copy and paste the results in your next response.
----------------------------------------------
COMBOFIX-Script
A word of warning: Please do not run ComboFix on your own. This tool is not a toy and not for everyday use.
  • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

    http://www.bleepingcomputer.com/forums/t/206273/virtumonde-infection/?p=1173371
    
    Collect::
    c:\windows\system32\tftcqrlc.dll
    c:\windows\system32\kkcrubvq.dll
    c:\windows\system32\tmpgsgay.dll
    c:\windows\system32\pebfkjkt.dll
    c:\windows\system32\nevaluso.dll
    c:\windows\system32\nuqruawy.dll
    c:\windows\system32\mpeabrol.dll
    c:\windows\system32\Interactive
    c:\windows\system32\msnwokfx.dll
    c:\windows\system32\jwnsupie.dll
    c:\windows\system32\vcgapccw.dll
    c:\windows\system32\hhelqsxt.dll
    c:\windows\system32\mwxdrbno.dll
    c:\windows\system32\madvsoor.dll
    c:\windows\system32\csltdyvn.dll
    c:\windows\system32\colryumc.dll
    c:\windows\system32\xkgvcddc.dll
    c:\windows\system32\qsgrovhb.dll
    c:\windows\system32\jbijarwl.dll
    c:\windows\system32\krodqhuw.dll
    c:\windows\system32\ggveibif.dll
    c:\windows\system32\wmjhnisi.dll
    c:\windows\system32\lmcfwggo.dll
    c:\windows\system32\tymkvfhw.dll
    c:\windows\system32\jsladanx.dll
    c:\windows\system32\vlnultqk.dll
  • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.

    [screenshot: dragging CFScript.txt onto ComboFix.exe]
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files, which may cause "unpredictable results".
  • If you need help to disable your protection programs see here.
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.
CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
----------------------------------------------
Run Kaspersky Online AV Scanner
Note: Internet Explorer should be used.

Please go to Kaspersky website and perform an online antivirus scan.
  • Read through the requirements and privacy statement and click on Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
    • Mail databases
  • Click on My Computer under Scan and then put the kettle on!
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place like your Desktop. Change the Files of type to Text file (.txt) before clicking on the Save button.
  • Copy and paste the report into your next reply along with a fresh HJT log and a description of how your PC is behaving.
----------------------------------------------
Post back:
Combofix report.
Kaspersky report.
Please reply to my questions.

P.S. Please do not post attachments.
Private Messages for personal support will be ignored. If you need help post in the forum.

#11 bbing

bbing
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:12:18 PM

Posted 12 March 2009 - 04:16 PM

Did you install Trendmicro Internet Security after you got infected? yes

Are you the administrator of this pc? yes
Did you change any policies regarding Multimedia registry keys? no

What language is your OS? win xp pro

During ComboFix, Trend blocked catchme.txt even though I have security disabled. It prompted for UI and I blocked it. Should I have let it run?

ComboFix 09-03-10.03 - Administrator 2009-03-12 14:03:15.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.624 [GMT -7:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Administrator\Desktop\CFScript.txt
AV: Trend Micro Internet Security *On-access scanning disabled* (Updated)
FW: Trend Micro Personal Firewall *enabled*
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2009-02-12 to 2009-03-12 )))))))))))))))))))))))))))))))
.

2009-03-10 13:57 . 2009-03-10 13:57 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-03-10 13:57 . 2009-02-11 10:19 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-03-10 13:56 . 2009-03-10 13:57 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-03-10 13:56 . 2009-03-10 13:56 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-03-10 13:56 . 2009-02-11 10:19 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-05 09:11 . 2009-03-05 09:11 <DIR> d-------- c:\windows\system32\Interactive
2009-02-24 18:01 . 2009-02-24 18:03 <DIR> d-------- c:\documents and settings\Administrator\Application Data\HouseCall 6.6
2009-02-24 17:52 . 2009-02-24 17:50 73,728 --a------ c:\windows\system32\javacpl.cpl
2009-02-22 18:51 . 2008-07-30 12:05 50,192 --a------ c:\windows\system32\drivers\tmactmon.sys
2009-02-22 18:51 . 2008-07-30 12:05 49,680 --a------ c:\windows\system32\drivers\tmevtmgr.sys
2009-02-22 18:41 . 2009-02-23 14:10 <DIR> d-------- c:\documents and settings\All Users\Application Data\Trend Micro
2009-02-22 18:33 . 2008-11-26 18:39 1,195,384 --a------ c:\windows\system32\drivers\vsapint.sys
2009-02-22 18:33 . 2008-11-26 18:42 205,328 --a------ c:\windows\system32\drivers\tmxpflt.sys
2009-02-22 18:33 . 2008-11-26 18:42 36,368 --a------ c:\windows\system32\drivers\tmpreflt.sys
2009-02-22 18:29 . 2009-02-22 18:30 <DIR> d-------- c:\program files\Trend Micro™ Internet Security
2009-02-21 11:07 . 2008-07-30 12:05 144,912 --a------ c:\windows\system32\drivers\tmcomm.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-11 19:11 --------- d-----w c:\program files\Microsoft Silverlight
2009-03-11 16:09 --------- d-----w c:\documents and settings\All Users\Application Data\32nd America's Cup
2009-03-10 19:02 6,158 --sha-w c:\windows\system32\hanayupu.dll
2009-03-10 04:57 6,207 --sha-w c:\windows\system32\konovozo.dll
2009-03-09 16:57 6,282 --sha-w c:\windows\system32\gamofepu.dll
2009-03-09 04:57 6,123 --sha-w c:\windows\system32\zayewegi.dll
2009-03-08 16:57 6,274 --sha-w c:\windows\system32\siyesohi.dll
2009-03-08 04:57 6,106 --sha-w c:\windows\system32\kikububu.dll
2009-03-07 16:59 6,216 --sha-w c:\windows\system32\tewetopi.dll
2009-03-06 04:08 6,048 --sha-w c:\windows\system32\piwuhapi.dll
2009-03-04 17:38 6,075 --sha-w c:\windows\system32\nowuvaku.dll
2009-02-25 00:50 410,984 ----a-w c:\windows\system32\deploytk.dll
2009-02-25 00:31 --------- d-----w c:\program files\Java
2009-02-24 00:05 --------- d-----w c:\program files\Google
2009-02-23 01:51 --------- d-----w c:\program files\Trend Micro
2009-02-21 16:08 --------- d-----w c:\program files\IEForge
2009-02-21 16:04 --------- d-----w c:\program files\DAS Trader DEMO
2009-02-09 11:13 1,846,784 ----a-w c:\windows\system32\win32k.sys
2009-02-09 11:13 1,846,784 ------w c:\windows\system32\dllcache\win32k.sys
2009-01-19 17:17 5,944 ----a-w c:\windows\system32\njtjahmc.dll
2009-01-19 17:16 6,121 --sha-w c:\windows\system32\torelire.dll
2009-01-17 19:27 5,944 ----a-w c:\windows\system32\eswgpboy.dll
2009-01-17 19:26 6,123 --sha-w c:\windows\system32\vayojema.dll
2009-01-17 04:35 3,594,752 ----a-w c:\windows\system32\dllcache\mshtml.dll
2009-01-16 15:59 5,944 ----a-w c:\windows\system32\rsoqhdwa.dll
2009-01-16 15:58 6,289 --sha-w c:\windows\system32\renawevu.dll
2009-01-15 15:14 5,944 ----a-w c:\windows\system32\leydieid.dll
2009-01-15 15:13 6,138 --sha-w c:\windows\system32\nehafote.dll
2009-01-15 03:06 6,115 --sha-w c:\windows\system32\garavebu.dll
2009-01-14 15:06 6,182 --sha-w c:\windows\system32\dupodayu.dll
2009-01-14 03:06 6,101 --sha-w c:\windows\system32\yorerufo.dll
2009-01-13 15:49 5,944 ----a-w c:\windows\system32\tuhjkjet.dll
2009-01-13 15:05 6,302 --sha-w c:\windows\system32\fahihufo.dll
2009-01-13 03:05 6,218 --sha-w c:\windows\system32\zogonaha.dll
2009-01-12 15:07 6,232 --sha-w c:\windows\system32\patafudi.dll
2009-01-11 23:36 6,069 --sha-w c:\windows\system32\neyuvena.dll
2009-01-11 23:36 6,067 --sha-w c:\windows\system32\giletisa.dll
2009-01-10 03:15 6,250 --sha-w c:\windows\system32\rovokoko.dll
2009-01-10 03:15 6,127 --sha-w c:\windows\system32\bapemode.dll
2009-01-09 15:17 6,288 --sha-w c:\windows\system32\revulazo.dll
2009-01-09 15:17 6,213 --sha-w c:\windows\system32\zifewiba.dll
2009-01-09 02:52 6,326 --sha-w c:\windows\system32\hiwawijo.dll
2009-01-09 02:52 6,155 --sha-w c:\windows\system32\fepuzega.dll
2009-01-08 21:18 5,944 ----a-w c:\windows\system32\kgeeiahv.dll
2009-01-08 14:52 6,266 --sha-w c:\windows\system32\donilowi.dll
2009-01-08 14:52 6,105 --sha-w c:\windows\system32\woferezi.dll
2009-01-08 07:10 129,024 ----a-w c:\windows\system32\ndhiqc.dll
2009-01-08 02:52 6,203 --sha-w c:\windows\system32\lunuhofu.dll
2009-01-08 02:52 6,160 --sha-w c:\windows\system32\vemewofo.dll
2009-01-07 14:52 6,093 --sha-w c:\windows\system32\feyajute.dll
2009-01-07 14:52 6,082 --sha-w c:\windows\system32\fiyobubi.dll
2009-01-06 15:23 6,278 --sha-w c:\windows\system32\sewepedo.dll
2009-01-06 15:23 6,268 --sha-w c:\windows\system32\dirupahu.dll
2009-01-06 02:42 6,236 --sha-w c:\windows\system32\vezipoyo.dll
2009-01-06 02:42 6,134 --sha-w c:\windows\system32\yamadeko.dll
2009-01-05 22:33 3,751,995 ----a-w c:\windows\system32\GPhotos.scr
2009-01-05 21:30 5,944 ----a-w c:\windows\system32\xwtawhvo.dll
2009-01-05 21:29 5,943 ----a-w c:\windows\system32\wcygdcin.dll
2009-01-05 14:44 6,191 --sha-w c:\windows\system32\komabagi.dll
2009-01-04 20:33 6,146 --sha-w c:\windows\system32\dudukomi.dll
2009-01-04 20:33 6,059 --sha-w c:\windows\system32\lawapuvo.dll
2009-01-04 17:06 5,944 ----a-w c:\windows\system32\xnjfuarv.dll
2009-01-04 17:03 5,943 ----a-w c:\windows\system32\wkjvmilf.dll
2009-01-04 08:33 6,291 --sha-w c:\windows\system32\hijusuza.dll
2009-01-03 20:33 6,109 --sha-w c:\windows\system32\lobuzosi.dll
2009-01-03 17:00 5,944 ----a-w c:\windows\system32\vaetmrkt.dll
2009-01-03 17:00 5,943 ----a-w c:\windows\system32\npmgydnf.dll
2009-01-03 08:30 6,291 --sha-w c:\windows\system32\jujijano.dll
2009-01-03 08:30 6,134 --sha-w c:\windows\system32\kikuvupi.dll
2009-01-02 20:31 6,243 --sha-w c:\windows\system32\niyihese.dll
2009-01-02 20:31 6,157 --sha-w c:\windows\system32\jogopamo.dll
2008-12-31 15:04 5,943 ----a-w c:\windows\system32\tybnkygt.dll
2008-12-29 18:48 5,943 ----a-w c:\windows\system32\swdvgtrc.dll
2008-12-29 18:45 5,944 ----a-w c:\windows\system32\acweeaco.dll
2008-12-28 18:45 5,943 ----a-w c:\windows\system32\memfvyeb.dll
2008-12-28 18:44 5,944 ----a-w c:\windows\system32\rwlljqvd.dll
2008-12-27 18:48 5,943 ----a-w c:\windows\system32\saxhpxsr.dll
2008-12-27 18:42 5,944 ----a-w c:\windows\system32\dacwwwiq.dll
2008-12-27 18:34 5,944 ----a-w c:\windows\system32\gdfxyexe.dll
2008-12-27 18:31 5,943 ----a-w c:\windows\system32\hqdhyapt.dll
2008-12-26 18:33 5,944 ----a-w c:\windows\system32\kppfodrp.dll
2008-12-26 18:31 5,943 ----a-w c:\windows\system32\wlxyjtga.dll
2008-12-25 16:47 5,944 ----a-w c:\windows\system32\qwoeahgq.dll
2008-12-25 16:41 5,943 ----a-w c:\windows\system32\ebbifbhb.dll
2008-12-24 16:48 5,943 ----a-w c:\windows\system32\rtpuymbo.dll
2008-12-24 16:42 5,944 ----a-w c:\windows\system32\rvajqmto.dll
2008-12-23 18:01 5,944 ----a-w c:\windows\system32\hoqfxanu.dll
2008-12-22 17:57 5,943 ----a-w c:\windows\system32\wiueqcqh.dll
2008-12-22 16:13 5,943 ----a-w c:\windows\system32\tovmekrj.dll
2008-12-21 16:18 5,944 ----a-w c:\windows\system32\rlakuerc.dll
2008-12-21 16:12 5,943 ----a-w c:\windows\system32\ercoqykg.dll
2008-12-19 16:25 5,943 ----a-w c:\windows\system32\kalmqkhv.dll
2008-12-19 16:23 16,384 ----a-w c:\windows\DCEBoot.exe
2008-12-19 16:22 5,944 ----a-w c:\windows\system32\umwowkjh.dll
2008-12-19 09:10 70,656 ------w c:\windows\system32\dllcache\ie4uinit.exe
2008-12-19 09:10 13,824 ------w c:\windows\system32\dllcache\ieudinit.exe
2008-12-19 05:25 634,024 ------w c:\windows\system32\dllcache\iexplore.exe
2008-12-19 05:23 161,792 ------w c:\windows\system32\dllcache\ieakui.dll
2001-12-04 00:09 90,112 ----a-w c:\program files\internet explorer\plugins\DjVuControl.dll
2007-08-15 16:53 56 --sh--r c:\windows\system32\AD9D73BE74.sys
2007-08-20 15:32 2,098 --sha-w c:\windows\system32\KGyGaAvL.sys
2008-08-21 01:52 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008082020080821\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"OE"="c:\program files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe" [2008-07-30 497008]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="c:\windows\system32\mobsync.exe" [2008-04-13 143360]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-06-20 6725632]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2004-10-30 385024]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2005-12-04 461584]
"EPSON Stylus Photo RX500"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_S4I2K1.EXE" [2003-06-02 99840]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2005-05-31 122941]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2004-09-13 155648]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-06-29 286720]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2007-07-10 270648]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2007-01-24 198128]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2005-03-04 622592]
"DLCQCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\DLCQtime.dll" [2006-06-07 106496]
"UfSeAgnt.exe"="c:\program files\Trend Micro\Internet Security\UfSeAgnt.exe" [2008-07-30 970808]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-02-24 148888]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"OE"="c:\program files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe" [2008-07-30 497008]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - c:\program files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-05-15 217193]
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-10-17 110592]
Bluetooth Manager.lnk - c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe [2005-09-15 1720320]
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2005-11-04 724992]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
2004-09-07 14:08 110592 c:\program files\Intel\Wireless\Bin\LgNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"midi1"= myokent.dll
"msvideo9"= SDVC03.drv

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Macromedia\\Dreamweaver 8\\Dreamweaver.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Ipswitch\\WS_FTP Professional\\wsftpgui.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\QuickTime\\QuickTimePlayer.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Real\\RealOne Player\\realplay.exe"=
"c:\\Program Files\\Atari\\Test Drive Unlimited\\TestDriveUnlimited.exe"=
"c:\\Program Files\\32nd America's Cup\\VskAC32.exe"=
"c:\\WINDOWS\\system32\\dlcqcoms.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\mobsync.exe"=
"c:\\Program Files\\iPod\\bin\\iPodService.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009

R2 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [2009-02-22 49680]
R2 TmPfw;Trend Micro Personal Firewall;c:\program files\Trend Micro\Internet Security\TmPfw.exe [2009-02-22 492888]
R2 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [2009-02-22 36368]
R2 TmProxy;Trend Micro Proxy Service;c:\program files\Trend Micro\Internet Security\TmProxy.exe [2009-02-22 677128]
R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\drivers\TM_CFW.sys [2008-07-30 334352]
S3 DJUSB;DMM Controller;c:\windows\system32\drivers\DM2.sys [2001-01-11 10758]
S3 DVC;USB DVC Svc;c:\windows\system32\drivers\DVC.sys [2005-12-06 38604]
.
Contents of the 'Scheduled Tasks' folder

2009-03-07 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 17:57]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\y0h0f3cm.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.icmag.com/ic/member.php?u=8805
FF - prefs.js: network.proxy.type - 4
FF - plugin: c:\program files\Common Files\fluxDVD\APIX\NPAPIX.dll
FF - plugin: c:\program files\Common Files\fluxDVD\BrowserIntegration\NPFluxBrowserHelper.dll
FF - plugin: c:\program files\Common Files\mpDRM\NPMPDRM.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa2.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\IGN\Download Manager\npfpdlm.dll
FF - plugin: c:\program files\Mozilla Firefox\extensions\{3112ca9c-de6d-4884-a869-9855de680400}\plugins\npCinemaNowPlugin.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPAdbESD.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPAPIX.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPFluxBrowserHelper.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npitunes.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPMPDRM.dll
FF - plugin: c:\program files\Real\RealOne Player\Netscape6\nppl3260.dll
FF - plugin: c:\program files\Real\RealOne Player\Netscape6\nprjplug.dll
FF - plugin: c:\program files\Real\RealOne Player\Netscape6\nprpjplug.dll
.

**************************************************************************
scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
DLCQCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\DLCQtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\Administrator\Software\Microsoft\Multimedia\1;~| QMMPWV6E_^*SUl$ tK}]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\Administrator\Software\Microsoft\Multimedia\q+NQRQPV[_^UQe*VW} }31;~| QMCMPWV6E_^*SUl$ tK}]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{5C082286-DD56-6B96-110FABAC317C22E3}\{17077DA0-F2D9-EF48-DBC13F521337D931}\{A783887F-564D-BBBA-662193019693FEBC}*]
"NRDFOBLVNAUE2QOGEQXAH1Y2DD1"=hex:01,00,01,00,00,00,00,00,b0,0a,ac,41,7a,16,04,
de,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1620)
c:\windows\system32\myokent.dll
c:\program files\Intel\Wireless\Bin\LgNotify.dll

- - - - - - - > 'lsass.exe'(1676)
c:\windows\system32\myokent.dll
.
Completion time: 2009-03-12 14:10:45
ComboFix-quarantined-files.txt 2009-03-12 21:10:41
ComboFix2.txt 2009-03-22 16:18:06
ComboFix3.txt 2009-03-11 15:42:17

Pre-Run: 2,667,917,312 bytes free
Post-Run: 2,710,786,048 bytes free

267 --- E O F --- 2009-03-11 19:05:05


--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Sunday, March 22, 2009
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Thursday, March 12, 2009 16:30:14
Records in database: 1891362
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\

Scan statistics:
Files scanned: 150162
Threat name: 30
Infected objects: 83
Suspicious objects: 1
Duration of the scan: 03:43:13


File name / Threat name / Threats count
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Outlook\archive.pst Suspicious: Trojan-Spy.HTML.Fraud.gen 1
C:\Program Files\Common Files\Real\Toolbar\RealBar.dll Infected: not-a-virus:AdWare.Win32.MegaSearch.s 1
C:\Program Files\Trend Micro\Internet Security\Quarantine\1953.tmp Infected: Trojan.Win32.Monder.gen 1
C:\Program Files\Trend Micro\Internet Security\Quarantine\1963.tmp Infected: not-a-virus:AdWare.Win32.SuperJuan.kdl 1
C:\Program Files\Trend Micro\Internet Security\Quarantine\1964.tmp Infected: not-a-virus:AdWare.Win32.SuperJuan.kdm 1
C:\Program Files\Trend Micro\Internet Security\Quarantine\1965.tmp Infected: not-a-virus:AdWare.Win32.SuperJuan.kdm 1
C:\Program Files\Trend Micro\Internet Security\Quarantine\1966.tmp Infected: not-a-virus:AdWare.Win32.SuperJuan.kdl 1
C:\Program Files\Trend Micro\Internet Security\Quarantine\1B36.tmp Infected: not-a-virus:AdWare.Win32.SuperJuan.kdl 1
C:\Program Files\Trend Micro\Internet Security\Quarantine\1B37.tmp Infected: not-a-virus:AdWare.Win32.SuperJuan.kdm 1
C:\Program Files\Trend Micro\Internet Security\Quarantine\1B38.tmp Infected: not-a-virus:AdWare.Win32.SuperJuan.kdm 1
C:\Program Files\Trend Micro\Internet Security\Quarantine\1B39.tmp Infected: not-a-virus:AdWare.Win32.SuperJuan.kdl 1
C:\Program Files\Trend Micro\Internet Security\Quarantine\399D.tmp Infected: not-a-virus:FraudTool.Win32.MSAntispyware2009.t 1
C:\Program Files\Trend Micro\Internet Security\Quarantine\3B71.tmp Infected: Trojan.Win32.Monder.awgj 1
C:\Program Files\Trend Micro\Internet Security\Quarantine\3B72.tmp Infected: Trojan.Win32.Monder.bmfw 1
C:\Program Files\Trend Micro\Internet Security\Quarantine\3B73.tmp Infected: Trojan.Win32.Monder.bmgf 1
C:\Program Files\Trend Micro\Internet Security\Quarantine\3B74.tmp Infected: Trojan.Win32.Monder.gen 1
C:\Program Files\Trend Micro\Internet Security\Quarantine\3B75.tmp Infected: Trojan.Win32.Monder.asrf 1
C:\Program Files\Trend Micro\Internet Security\Quarantine\3B93.tmp Infected: not-a-virus:AdWare.Win32.SuperJuan.iwr 1
C:\Program Files\Trend Micro\Internet Security\Quarantine\3B94.tmp Infected: not-a-virus:AdWare.Win32.SuperJuan.iej 1
C:\Program Files\Trend Micro\Internet Security\Quarantine\3B95.tmp Infected: Trojan.Win32.Monder.baue 1
C:\Program Files\Trend Micro\Internet Security\Quarantine\3B96.tmp Infected: not-a-virus:AdWare.Win32.SuperJuan.jtr 1
C:\Program Files\Trend Micro\Internet Security\Quarantine\3B97.tmp Infected: Trojan.Win32.Monder.avba 1
C:\Program Files\Trend Micro\Internet Security\Quarantine\3B98.tmp Infected: Trojan.Win32.Agent2.bkd 1
C:\Program Files\Trend Micro\Internet Security\Quarantine\3B99.tmp Infected: Trojan.Win32.Monder.beem 1
C:\Program Files\Trend Micro\Internet Security\Quarantine\3B9A.tmp Infected: not-a-virus:AdWare.Win32.SuperJuan.jts 1
C:\Program Files\Trend Micro\Internet Security\Quarantine\3B9B.tmp Infected: not-a-virus:AdWare.Win32.SuperJuan.iul 1
C:\Program Files\Trend Micro\Internet Security\Quarantine\3B9C.tmp Infected: Trojan.Win32.Monder.asrf 1
C:\Program Files\Trend Micro\Internet Security\Quarantine\3B9D.tmp Infected: not-a-virus:AdWare.Win32.SuperJuan.jtr 1
C:\Program Files\Trend Micro\Internet Security\Quarantine\3B9E.tmp Infected: Trojan-Downloader.Win32.Agent.birf 1
C:\Program Files\Trend Micro\Internet Security\Quarantine\3B9F.tmp Infected: Trojan.Win32.Monder.avbn 1
C:\Program Files\Trend Micro\Internet Security\Quarantine\3BA0.tmp Infected: Trojan.Win32.Monder.avay 1
C:\Program Files\Trend Micro\Internet Security\Quarantine\3BA1.tmp Infected: Trojan.Win32.Monder.bjef 1
C:\Program Files\Trend Micro\Internet Security\Quarantine\3BA2.tmp Infected: Trojan.Win32.Monder.avay 1
C:\Program Files\Trend Micro\Internet Security\Quarantine\3BA5.tmp Infected: not-a-virus:AdWare.Win32.SuperJuan.iee 1
C:\Program Files\Trend Micro\Internet Security\Quarantine\3BA6.tmp Infected: Trojan.Win32.Monder.avba 1
C:\Program Files\Trend Micro\Internet Security\Quarantine\3BA7.tmp Infected: not-a-virus:AdWare.Win32.SuperJuan.iee 1
C:\Program Files\Trend Micro\Internet Security\Quarantine\3BA8.tmp Infected: not-a-virus:AdWare.Win32.SuperJuan.iul 1
C:\Program Files\Trend Micro\Internet Security\Quarantine\3BA9.tmp Infected: not-a-virus:AdWare.Win32.SuperJuan.jts 1
C:\Program Files\Trend Micro\Internet Security\Quarantine\3BAA.tmp Infected: not-a-virus:AdWare.Win32.SuperJuan.iwr 1
C:\Program Files\Trend Micro\Internet Security\Quarantine\3BAB.tmp Infected: Trojan.Win32.Agent2.bkd 1
C:\Program Files\Trend Micro\Internet Security\Quarantine\3BAC.tmp Infected: Trojan.Win32.Monder.baue 1
C:\Program Files\Trend Micro\Internet Security\Quarantine\3BAD.tmp Infected: Trojan.Win32.Monder.avbn 1
C:\Program Files\Trend Micro\Internet Security\Quarantine\3BAE.tmp Infected: Trojan.Win32.Monder.avba 1
C:\Program Files\Trend Micro\Internet Security\Quarantine\3BAF.tmp Infected: Trojan.Win32.Monder.atdt 1
C:\Program Files\Trend Micro\Internet Security\Quarantine\3BB0.tmp Infected: not-a-virus:AdWare.Win32.SuperJuan.iej 1
C:\Program Files\Trend Micro\Internet Security\Quarantine\3BB1.tmp Infected: not-a-virus:FraudTool.Win32.MSAntispyware2009.t 1
C:\Program Files\Trend Micro\Internet Security\Quarantine\3F.tmp Infected: not-a-virus:AdWare.Win32.SuperJuan.iej 1
C:\Program Files\Trend Micro\Internet Security\Quarantine\40.tmp Infected: Trojan.Win32.Monder.baue 1
C:\Program Files\Trend Micro\Internet Security\Quarantine\41.tmp Infected: not-a-virus:AdWare.Win32.SuperJuan.jtr 1
C:\Program Files\Trend Micro\Internet Security\Quarantine\42.tmp Infected: Trojan.Win32.Monder.avba 1
C:\Program Files\Trend Micro\Internet Security\Quarantine\43.tmp Infected: Trojan.Win32.Agent2.bkd 1
C:\Program Files\Trend Micro\Internet Security\Quarantine\44.tmp Infected: Trojan.Win32.Monder.beem 1
C:\Program Files\Trend Micro\Internet Security\Quarantine\45.tmp Infected: not-a-virus:AdWare.Win32.SuperJuan.jts 1
C:\Program Files\Trend Micro\Internet Security\Quarantine\46.tmp Infected: not-a-virus:AdWare.Win32.SuperJuan.iul 1
C:\Program Files\Trend Micro\Internet Security\Quarantine\47.tmp Infected: Trojan.Win32.Monder.asrf 1
C:\Program Files\Trend Micro\Internet Security\Quarantine\48.tmp Infected: not-a-virus:AdWare.Win32.SuperJuan.jtr 1
C:\Program Files\Trend Micro\Internet Security\Quarantine\49.tmp Infected: Trojan-Downloader.Win32.Agent.birf 1
C:\Program Files\Trend Micro\Internet Security\Quarantine\4A.tmp Infected: Trojan.Win32.Monder.avbn 1
C:\Program Files\Trend Micro\Internet Security\Quarantine\4B.tmp Infected: Trojan.Win32.Monder.avay 1
C:\Program Files\Trend Micro\Internet Security\Quarantine\4C.tmp Infected: Trojan.Win32.Monder.bjef 1
C:\Program Files\Trend Micro\Internet Security\Quarantine\4CC4.tmp Infected: Trojan-Downloader.Win32.VB.jek 1
C:\Program Files\Trend Micro\Internet Security\Quarantine\4D.tmp Infected: Trojan.Win32.Monder.avay 1
C:\Program Files\Trend Micro\Internet Security\Quarantine\50.tmp Infected: not-a-virus:AdWare.Win32.SuperJuan.iee 1
C:\Program Files\Trend Micro\Internet Security\Quarantine\51.tmp Infected: Trojan.Win32.Monder.avba 1
C:\Program Files\Trend Micro\Internet Security\Quarantine\52.tmp Infected: not-a-virus:AdWare.Win32.SuperJuan.iee 1
C:\Program Files\Trend Micro\Internet Security\Quarantine\53.tmp Infected: not-a-virus:AdWare.Win32.SuperJuan.iul 1
C:\Program Files\Trend Micro\Internet Security\Quarantine\54.tmp Infected: not-a-virus:AdWare.Win32.SuperJuan.jts 1
C:\Program Files\Trend Micro\Internet Security\Quarantine\55.tmp Infected: not-a-virus:AdWare.Win32.SuperJuan.iwr 1
C:\Program Files\Trend Micro\Internet Security\Quarantine\56.tmp Infected: Trojan.Win32.Agent2.bkd 1
C:\Program Files\Trend Micro\Internet Security\Quarantine\57.tmp Infected: Trojan.Win32.Monder.baue 1
C:\Program Files\Trend Micro\Internet Security\Quarantine\58.tmp Infected: Trojan.Win32.Monder.avbn 1
C:\Program Files\Trend Micro\Internet Security\Quarantine\59.tmp Infected: Trojan.Win32.Monder.avba 1
C:\Program Files\Trend Micro\Internet Security\Quarantine\5A.tmp Infected: Trojan.Win32.Monder.atdt 1
C:\Program Files\Trend Micro\Internet Security\Quarantine\5B.tmp Infected: not-a-virus:AdWare.Win32.SuperJuan.iej 1
C:\Program Files\Trend Micro\Internet Security\Quarantine\A0275918.dll Infected: Trojan.Win32.Monder.avba 1
C:\Program Files\Trend Micro\Internet Security\Quarantine\__c00E27D0.dat Infected: Trojan.Win32.Agent.bozc 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\daghzv.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.kdk 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\hdykrqig.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.jza 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\jafijohe.dll.tmp.vir Infected: Packed.Win32.Mondera.b 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\kohajawu.dll.tmp.vir Infected: Packed.Win32.Mondera.b 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\kozafuli.dll.tmp.vir Infected: Packed.Win32.Mondera.b 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\sgvphxmt.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.kdk 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\ycffeo.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.jza 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\ziwinuro.dll.vir Infected: Packed.Win32.Mondera.b 1

The selected area was scanned.

#12 chryssi2001

Posted 13 March 2009 - 07:42 AM

Hello bbing,

During ComboFix Trend blocked catchme.txt even though I have security disabled? It prompted for UI and I blocked it??? Should I have let it run?

Yes. You have to allow it so we will be able to fix your PC.

Part of your ComboFix log which shows that the firewall is enabled:

AV: Trend Micro Internet Security *On-access scanning disabled* (Updated)
FW: Trend Micro Personal Firewall *enabled*


It's your Trend Micro firewall which blocked catchme.txt.
Please try to disable your firewall too before running ComboFix again. If this is not possible, allow catchme.exe.
----------------------------------------------
Upload a File to Jotti
Please visit http://virusscan.jotti.org/

Copy/paste this file and path into the white box at the top:

c:\Program Files\32nd America's Cup\VskAC32.exe

Press Submit - this will submit the file for testing.
Please wait for all the scanners to finish then copy and paste the results in your next response.
----------------------------------------------
COMBOFIX-Script
A word of warning: Please do not run ComboFix on your own. This tool is not a toy and not for everyday use.
  • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

    http://www.bleepingcomputer.com/forums/t/206273/virtumonde-infection/?p=1175162
    
    Collect::
    c:\windows\system32\hanayupu.dll
    c:\windows\system32\konovozo.dll
    c:\windows\system32\gamofepu.dll
    c:\windows\system32\zayewegi.dll
    c:\windows\system32\siyesohi.dll
    c:\windows\system32\kikububu.dll
    c:\windows\system32\tewetopi.dll
    c:\windows\system32\piwuhapi.dll
    c:\windows\system32\nowuvaku.dll
    c:\windows\system32\njtjahmc.dll
    c:\windows\system32\torelire.dll
    c:\windows\system32\eswgpboy.dll
    c:\windows\system32\vayojema.dll
    c:\windows\system32\rsoqhdwa.dll
    c:\windows\system32\renawevu.dll
    c:\windows\system32\leydieid.dll
    c:\windows\system32\nehafote.dll
    c:\windows\system32\garavebu.dll
    c:\windows\system32\dupodayu.dll
    c:\windows\system32\yorerufo.dll
    c:\windows\system32\tuhjkjet.dll
    c:\windows\system32\fahihufo.dll
    c:\windows\system32\zogonaha.dll
    c:\windows\system32\patafudi.dll
    c:\windows\system32\neyuvena.dll
    c:\windows\system32\giletisa.dll
    c:\windows\system32\rovokoko.dll
    c:\windows\system32\bapemode.dll
    c:\windows\system32\revulazo.dll
    c:\windows\system32\zifewiba.dll
    c:\windows\system32\hiwawijo.dll
    c:\windows\system32\fepuzega.dll
    c:\windows\system32\kgeeiahv.dll
    c:\windows\system32\donilowi.dll
    c:\windows\system32\woferezi.dll
    c:\windows\system32\ndhiqc.dll
    c:\windows\system32\lunuhofu.dll
    c:\windows\system32\vemewofo.dll
    c:\windows\system32\feyajute.dll
    c:\windows\system32\fiyobubi.dll
    c:\windows\system32\sewepedo.dll
    c:\windows\system32\dirupahu.dll
    c:\windows\system32\vezipoyo.dll
    c:\windows\system32\yamadeko.dll
    c:\windows\system32\xwtawhvo.dll
    c:\windows\system32\wcygdcin.dll
    c:\windows\system32\komabagi.dll
    c:\windows\system32\dudukomi.dll
    c:\windows\system32\lawapuvo.dll
    c:\windows\system32\xnjfuarv.dll
    c:\windows\system32\wkjvmilf.dll
    c:\windows\system32\hijusuza.dll
    c:\windows\system32\lobuzosi.dll
    c:\windows\system32\vaetmrkt.dll
    c:\windows\system32\npmgydnf.dll
    c:\windows\system32\jujijano.dll
    c:\windows\system32\kikuvupi.dll
    c:\windows\system32\niyihese.dll
    c:\windows\system32\jogopamo.dll
    c:\windows\system32\tybnkygt.dll
    c:\windows\system32\swdvgtrc.dll
    c:\windows\system32\acweeaco.dll
    c:\windows\system32\memfvyeb.dll
    c:\windows\system32\rwlljqvd.dll
    c:\windows\system32\saxhpxsr.dll
    c:\windows\system32\dacwwwiq.dll
    c:\windows\system32\gdfxyexe.dll
    c:\windows\system32\hqdhyapt.dll
    c:\windows\system32\kppfodrp.dll
    c:\windows\system32\wlxyjtga.dll
    c:\windows\system32\qwoeahgq.dll
    c:\windows\system32\ebbifbhb.dll
    c:\windows\system32\rtpuymbo.dll
    c:\windows\system32\rvajqmto.dll
    c:\windows\system32\hoqfxanu.dll
    c:\windows\system32\wiueqcqh.dll
    c:\windows\system32\tovmekrj.dll
    c:\windows\system32\rlakuerc.dll
    c:\windows\system32\ercoqykg.dll
    c:\windows\system32\kalmqkhv.dll
    c:\windows\system32\umwowkjh.dll
    
    File::
    C:\Program Files\Trend Micro\Internet Security\Quarantine\1953.tmp
    C:\Program Files\Trend Micro\Internet Security\Quarantine\1963.tmp
    C:\Program Files\Trend Micro\Internet Security\Quarantine\1964.tmp
    C:\Program Files\Trend Micro\Internet Security\Quarantine\1965.tmp
    C:\Program Files\Trend Micro\Internet Security\Quarantine\1966.tmp
    C:\Program Files\Trend Micro\Internet Security\Quarantine\1B36.tmp
    C:\Program Files\Trend Micro\Internet Security\Quarantine\1B37.tmp
    C:\Program Files\Trend Micro\Internet Security\Quarantine\1B38.tmp
    C:\Program Files\Trend Micro\Internet Security\Quarantine\1B39.tmp
    C:\Program Files\Trend Micro\Internet Security\Quarantine\399D.tmp
    C:\Program Files\Trend Micro\Internet Security\Quarantine\3B71.tmp
    C:\Program Files\Trend Micro\Internet Security\Quarantine\3B72.tmp
    C:\Program Files\Trend Micro\Internet Security\Quarantine\3B73.tmp
    C:\Program Files\Trend Micro\Internet Security\Quarantine\3B74.tmp
    C:\Program Files\Trend Micro\Internet Security\Quarantine\3B75.tmp
    C:\Program Files\Trend Micro\Internet Security\Quarantine\3B93.tmp
    C:\Program Files\Trend Micro\Internet Security\Quarantine\3B94.tmp
    C:\Program Files\Trend Micro\Internet Security\Quarantine\3B95.tmp
    C:\Program Files\Trend Micro\Internet Security\Quarantine\3B96.tmp
    C:\Program Files\Trend Micro\Internet Security\Quarantine\3B97.tmp
    C:\Program Files\Trend Micro\Internet Security\Quarantine\3B98.tmp
    C:\Program Files\Trend Micro\Internet Security\Quarantine\3B99.tmp
    C:\Program Files\Trend Micro\Internet Security\Quarantine\3B9A.tmp
    C:\Program Files\Trend Micro\Internet Security\Quarantine\3B9B.tmp
    C:\Program Files\Trend Micro\Internet Security\Quarantine\3B9C.tmp
    C:\Program Files\Trend Micro\Internet Security\Quarantine\3B9D.tmp
    C:\Program Files\Trend Micro\Internet Security\Quarantine\3B9E.tmp
    C:\Program Files\Trend Micro\Internet Security\Quarantine\3B9F.tmp
    C:\Program Files\Trend Micro\Internet Security\Quarantine\3BA0.tmp
    C:\Program Files\Trend Micro\Internet Security\Quarantine\3BA1.tmp
    C:\Program Files\Trend Micro\Internet Security\Quarantine\3BA2.tmp
    C:\Program Files\Trend Micro\Internet Security\Quarantine\3BA5.tmp
    C:\Program Files\Trend Micro\Internet Security\Quarantine\3BA6.tmp
    C:\Program Files\Trend Micro\Internet Security\Quarantine\3BA7.tmp
    C:\Program Files\Trend Micro\Internet Security\Quarantine\3BA8.tmp
    C:\Program Files\Trend Micro\Internet Security\Quarantine\3BA9.tmp
    C:\Program Files\Trend Micro\Internet Security\Quarantine\3BAA.tmp
    C:\Program Files\Trend Micro\Internet Security\Quarantine\3BAB.tmp
    C:\Program Files\Trend Micro\Internet Security\Quarantine\3BAC.tmp
    C:\Program Files\Trend Micro\Internet Security\Quarantine\3BAD.tmp
    C:\Program Files\Trend Micro\Internet Security\Quarantine\3BAE.tmp
    C:\Program Files\Trend Micro\Internet Security\Quarantine\3BAF.tmp
    C:\Program Files\Trend Micro\Internet Security\Quarantine\3BB0.tmp
    C:\Program Files\Trend Micro\Internet Security\Quarantine\3BB1.tmp
    C:\Program Files\Trend Micro\Internet Security\Quarantine\3F.tmp
    C:\Program Files\Trend Micro\Internet Security\Quarantine\40.tmp
    C:\Program Files\Trend Micro\Internet Security\Quarantine\41.tmp
    C:\Program Files\Trend Micro\Internet Security\Quarantine\42.tmp
    C:\Program Files\Trend Micro\Internet Security\Quarantine\43.tmp
    C:\Program Files\Trend Micro\Internet Security\Quarantine\44.tmp
    C:\Program Files\Trend Micro\Internet Security\Quarantine\45.tmp
    C:\Program Files\Trend Micro\Internet Security\Quarantine\46.tmp
    C:\Program Files\Trend Micro\Internet Security\Quarantine\47.tmp
    C:\Program Files\Trend Micro\Internet Security\Quarantine\48.tmp
    C:\Program Files\Trend Micro\Internet Security\Quarantine\49.tmp
    C:\Program Files\Trend Micro\Internet Security\Quarantine\4A.tmp
    C:\Program Files\Trend Micro\Internet Security\Quarantine\4B.tmp
    C:\Program Files\Trend Micro\Internet Security\Quarantine\4C.tmp
    C:\Program Files\Trend Micro\Internet Security\Quarantine\4CC4.tmp
    C:\Program Files\Trend Micro\Internet Security\Quarantine\4D.tmp
    C:\Program Files\Trend Micro\Internet Security\Quarantine\50.tmp
    C:\Program Files\Trend Micro\Internet Security\Quarantine\51.tmp
    C:\Program Files\Trend Micro\Internet Security\Quarantine\52.tmp
    C:\Program Files\Trend Micro\Internet Security\Quarantine\53.tmp
    C:\Program Files\Trend Micro\Internet Security\Quarantine\54.tmp
    C:\Program Files\Trend Micro\Internet Security\Quarantine\55.tmp
    C:\Program Files\Trend Micro\Internet Security\Quarantine\56.tmp
    C:\Program Files\Trend Micro\Internet Security\Quarantine\57.tmp
    C:\Program Files\Trend Micro\Internet Security\Quarantine\58.tmp
    C:\Program Files\Trend Micro\Internet Security\Quarantine\59.tmp
    C:\Program Files\Trend Micro\Internet Security\Quarantine\5A.tmp
    C:\Program Files\Trend Micro\Internet Security\Quarantine\5B.tmp
    C:\Program Files\Trend Micro\Internet Security\Quarantine\A0275918.dll 
    C:\Program Files\Trend Micro\Internet Security\Quarantine\__c00E27D0.dat
    
    Folder::
    C:\Program Files\Common Files\Real\Toolbar
    
    Reglock::
    [HKEY_USERS\Administrator\Software\Microsoft\Multimedia\1;~?| QM?????????MPWV?6???E_^??*SUl$ ??tK}]
    [HKEY_USERS\Administrator\Software\Microsoft\Multimedia\?q?+?NQRQP??????V??????[?_^?U?Qe?*VW} ?}3?1;~?| QM??????C???MPWV?6???E_^??*SUl$ ??tK}]
  • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.

    [Screenshot: CFScript.txt being dragged onto ComboFix.exe]
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • If you need help to disable your protection programs see here.
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.
CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
----------------------------------------------
Please copy (Ctrl+C) and paste (Ctrl+V) the following text in the quote to Notepad. Save it as "All Files" and name it log.bat
Please save it on your desktop.

@echo off
rem swreg is the registry query tool that ComboFix leaves on the system; it takes the same arguments as reg.exe
rem List the hives loaded under HKEY_USERS and write the result to C:\log.txt
swreg query HKU>c:\log.txt
exit


Double click log.bat which is located on your desktop. A window will open and close. This is normal.

Now go on your C:\ drive, find:
C:\log.txt open it in notepad, and post the contents back here.
----------------------------------------------
There is an infection in your Outlook folder. Please empty your Outlook email folder.
----------------------------------------------
Post back:
Jotti results.
Combofix report.
C:\log.txt

Edited by chryssi2001, 13 March 2009 - 09:35 AM.

Private Messages for personal support will be ignored. If you need help post in the forum.
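The scan listing posted earlier in this thread and the CFScript above are related: every quarantined .tmp the scanner flagged reappears, by hand, in the File:: section of the script. The following is an added example, not the helper's tool or anything shipped with ComboFix, that reads scan lines of the form "<path> Infected: <name> <count>", groups the hits by family and by where the file sits, and drafts the File:: section in the layout the post uses (thread URL on line 1). The sample lines are copied from the scan output in this thread; the function names are this example's own.

```python
"""Triage a Kaspersky-style scan listing and draft the File:: section of a
ComboFix CFScript from it.

Added example for this thread, not the helper's own tool. The sample lines are
copied from the scan output posted earlier in the thread; the CFScript layout
(thread URL on line 1, then a File:: section) follows the script given above.
Function names are this example's own."""
import re
from collections import Counter

# Constructed sample: five lines taken from the scan results posted above, plus
# the trailer line the scanner prints, to show that non-hit lines are skipped.
SAMPLE_SCAN = r"""
C:\Program Files\Trend Micro\Internet Security\Quarantine\3F.tmp Infected: not-a-virus:AdWare.Win32.SuperJuan.iej 1
C:\Program Files\Trend Micro\Internet Security\Quarantine\40.tmp Infected: Trojan.Win32.Monder.baue 1
C:\Program Files\Trend Micro\Internet Security\Quarantine\49.tmp Infected: Trojan-Downloader.Win32.Agent.birf 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\daghzv.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.kdk 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\jafijohe.dll.tmp.vir Infected: Packed.Win32.Mondera.b 1

The selected area was scanned.
"""

# "<path> Infected: <detection> <count>"; paths contain spaces, so the path
# group is non-greedy and the detection name is anchored from the right.
HIT_RE = re.compile(r"^(?P<path>.+?) Infected: (?P<name>\S+) (?P<count>\d+)$")


def parse_scan(text):
    """Return [(path, detection_name), ...] for every hit line in the listing."""
    hits = []
    for line in text.splitlines():
        m = HIT_RE.match(line.strip())
        if m:
            hits.append((m.group("path"), m.group("name")))
    return hits


def family(detection):
    """Reduce a detection name to its family: drop the 'not-a-virus:' prefix
    and the trailing variant token, e.g.
    'not-a-virus:AdWare.Win32.SuperJuan.iej' -> 'AdWare.Win32.SuperJuan'."""
    name = detection.split(":", 1)[-1]
    parts = name.split(".")
    return ".".join(parts[:-1]) if len(parts) > 1 else name


def location(path):
    """Classify where the hit file sits: already in ComboFix's Qoobox quarantine
    (ComboFix removed it), in another product's quarantine, or live on disk."""
    p = path.lower()
    if p.startswith("c:\\qoobox\\"):
        return "qoobox"
    if "\\quarantine\\" in p:
        return "other_quarantine"
    return "live"


def summarize(hits):
    """Count hits per malware family and per location."""
    return {
        "families": Counter(family(name) for _, name in hits),
        "locations": Counter(location(path) for path, _ in hits),
    }


def build_cfscript(hits, thread_url):
    """Draft a CFScript: the thread URL on the first line, then a File:: section
    listing each hit path once, skipping files already inside Qoobox."""
    unique = []
    for path, _ in hits:
        if location(path) != "qoobox" and path not in unique:
            unique.append(path)
    return "\n".join([thread_url, "", "File::", *unique, ""])


if __name__ == "__main__":
    found = parse_scan(SAMPLE_SCAN)
    print(summarize(found))
    print(build_cfscript(found, "http://www.bleepingcomputer.com/forums/t/206273/virtumonde-infection/?p=1175162"))
```

The Qoobox paths are dropped on purpose: ComboFix has already moved those files, so listing them again does nothing. The script only drafts the File:: section; the Collect:: entries in the post (the randomly named system32 DLLs) and the Reglock:: keys still have to be chosen by hand, and any generated CFScript should be read line by line before it is dragged onto ComboFix.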
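The log.bat step above only lists the hives loaded under HKEY_USERS; the helper still has to work out which SID is the Administrator account, because under HKU a profile is keyed by SID, not by user name (the locked-key section of the ComboFix log later in this thread shows the Multimedia key under S-1-5-21-...-500). The following added example, not part of the thread or of ComboFix, reads that listing and names the owner of each hive from the well-known SIDs and RIDs. The sample output is constructed; the S-1-5-21 SID in it is the one that appears in the ComboFix log in this thread, and the function names are this example's own.

```python
"""Read the HKEY_USERS listing that the log.bat step above writes to C:\\log.txt
and say which account each loaded hive belongs to.

Added example, not part of the thread or of ComboFix. The sample output is
constructed; its S-1-5-21-... SID is the one that appears in the ComboFix log
posted later in this thread. Function names are this example's own."""
import re

# Constructed sample of what `swreg query HKU` / `reg query HKU` prints on an
# XP machine where the built-in Administrator account is logged on.
SAMPLE_LOG_TXT = """\
HKEY_USERS\\.DEFAULT
HKEY_USERS\\S-1-5-18
HKEY_USERS\\S-1-5-19
HKEY_USERS\\S-1-5-20
HKEY_USERS\\S-1-5-21-1895414656-1668171972-2534002818-500
HKEY_USERS\\S-1-5-21-1895414656-1668171972-2534002818-500_Classes
"""

# Fixed, machine-independent SIDs and relative IDs (RIDs) defined by Windows.
WELL_KNOWN_SIDS = {
    "S-1-5-18": "LOCAL SYSTEM",
    "S-1-5-19": "LOCAL SERVICE",
    "S-1-5-20": "NETWORK SERVICE",
}
WELL_KNOWN_RIDS = {500: "built-in Administrator", 501: "Guest"}

HIVE_RE = re.compile(r"^HKEY_USERS\\(?P<sid>S-1-5-[\d-]+?)(?P<classes>_Classes)?$",
                     re.IGNORECASE)
ACCOUNT_SID_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+-(?P<rid>\d+)$")


def describe_sid(sid):
    """Map a SID to a human-readable owner; for S-1-5-21-<machine or domain>-<rid>
    account SIDs the RID (last component) decides."""
    if sid in WELL_KNOWN_SIDS:
        return WELL_KNOWN_SIDS[sid]
    m = ACCOUNT_SID_RE.match(sid)
    if m:
        rid = int(m.group("rid"))
        return WELL_KNOWN_RIDS.get(rid, "local or domain account (RID %d)" % rid)
    return "unrecognised SID"


def parse_hku(text):
    """Return [(key_name, sid_or_None, description, is_classes_hive), ...]."""
    hives = []
    for line in text.splitlines():
        line = line.strip()
        if not line.upper().startswith("HKEY_USERS\\"):
            continue
        key = line.split("\\", 1)[1]
        if key.upper() == ".DEFAULT":
            hives.append((key, None, "default profile (used before logon and by services)", False))
            continue
        m = HIVE_RE.match(line)
        if m is None:
            hives.append((key, None, "unrecognised SID", False))
            continue
        sid = m.group("sid")
        hives.append((key, sid, describe_sid(sid), m.group("classes") is not None))
    return hives


def find_admin_hive(text):
    """Return the full HKU key of the built-in Administrator's hive (RID 500), or
    None if that account's hive is not loaded. The ComboFix log lists the
    locked Multimedia key under this SID-based path."""
    for key, _sid, desc, is_classes in parse_hku(text):
        if desc == "built-in Administrator" and not is_classes:
            return "HKEY_USERS\\" + key
    return None


if __name__ == "__main__":
    for key, sid, desc, is_classes in parse_hku(SAMPLE_LOG_TXT):
        print("%-60s %s%s" % (key, desc, " (classes)" if is_classes else ""))
    print("Administrator hive:", find_admin_hive(SAMPLE_LOG_TXT))
```

The _Classes hive is reported separately because it is the per-user HKCR overlay, not the profile itself; a key such as Software\Microsoft\Multimedia lives under the SID hive without the suffix.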

#13 bbing (Topic Starter)

Posted 13 March 2009 - 03:27 PM

Scanner results
Scan taken on 13 Mar 2009 20:06:54 (GMT)
A-Squared: Found nothing
AntiVir: Found nothing
ArcaVir: Found nothing
Avast: Found nothing
AVG Antivirus: Found nothing
BitDefender: Found nothing
ClamAV: Found nothing
CPsecure: Found nothing
Dr.Web: Found nothing
F-Prot Antivirus: Found nothing
F-Secure Anti-Virus: Found nothing
Ikarus: Found nothing
Kaspersky Anti-Virus: Found nothing
NOD32: Found nothing
Norman Virus Control: Found nothing
Panda Antivirus: Found nothing
Quick Heal: Found nothing
Sophos Antivirus: Found nothing
VirusBuster: Found nothing
VBA32: Found nothing


ComboFix 09-03-12.01 - Administrator 2009-03-13 13:18:45.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.445 [GMT -7:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Administrator\Desktop\CFScript.txt
AV: Trend Micro Internet Security *On-access scanning disabled* (Updated)
FW: Trend Micro Personal Firewall *disabled*
* Created a new restore point

FILE ::
c:\program files\Trend Micro\Internet Security\Quarantine\__c00E27D0.dat
c:\program files\Trend Micro\Internet Security\Quarantine\1953.tmp
c:\program files\Trend Micro\Internet Security\Quarantine\1963.tmp
c:\program files\Trend Micro\Internet Security\Quarantine\1964.tmp
c:\program files\Trend Micro\Internet Security\Quarantine\1965.tmp
c:\program files\Trend Micro\Internet Security\Quarantine\1966.tmp
c:\program files\Trend Micro\Internet Security\Quarantine\1B36.tmp
c:\program files\Trend Micro\Internet Security\Quarantine\1B37.tmp
c:\program files\Trend Micro\Internet Security\Quarantine\1B38.tmp
c:\program files\Trend Micro\Internet Security\Quarantine\1B39.tmp
c:\program files\Trend Micro\Internet Security\Quarantine\399D.tmp
c:\program files\Trend Micro\Internet Security\Quarantine\3B71.tmp
c:\program files\Trend Micro\Internet Security\Quarantine\3B72.tmp
c:\program files\Trend Micro\Internet Security\Quarantine\3B73.tmp
c:\program files\Trend Micro\Internet Security\Quarantine\3B74.tmp
c:\program files\Trend Micro\Internet Security\Quarantine\3B75.tmp
c:\program files\Trend Micro\Internet Security\Quarantine\3B93.tmp
c:\program files\Trend Micro\Internet Security\Quarantine\3B94.tmp
c:\program files\Trend Micro\Internet Security\Quarantine\3B95.tmp
c:\program files\Trend Micro\Internet Security\Quarantine\3B96.tmp
c:\program files\Trend Micro\Internet Security\Quarantine\3B97.tmp
c:\program files\Trend Micro\Internet Security\Quarantine\3B98.tmp
c:\program files\Trend Micro\Internet Security\Quarantine\3B99.tmp
c:\program files\Trend Micro\Internet Security\Quarantine\3B9A.tmp
c:\program files\Trend Micro\Internet Security\Quarantine\3B9B.tmp
c:\program files\Trend Micro\Internet Security\Quarantine\3B9C.tmp
c:\program files\Trend Micro\Internet Security\Quarantine\3B9D.tmp
c:\program files\Trend Micro\Internet Security\Quarantine\3B9E.tmp
c:\program files\Trend Micro\Internet Security\Quarantine\3B9F.tmp
c:\program files\Trend Micro\Internet Security\Quarantine\3BA0.tmp
c:\program files\Trend Micro\Internet Security\Quarantine\3BA1.tmp
c:\program files\Trend Micro\Internet Security\Quarantine\3BA2.tmp
c:\program files\Trend Micro\Internet Security\Quarantine\3BA5.tmp
c:\program files\Trend Micro\Internet Security\Quarantine\3BA6.tmp
c:\program files\Trend Micro\Internet Security\Quarantine\3BA7.tmp
c:\program files\Trend Micro\Internet Security\Quarantine\3BA8.tmp
c:\program files\Trend Micro\Internet Security\Quarantine\3BA9.tmp
c:\program files\Trend Micro\Internet Security\Quarantine\3BAA.tmp
c:\program files\Trend Micro\Internet Security\Quarantine\3BAB.tmp
c:\program files\Trend Micro\Internet Security\Quarantine\3BAC.tmp
c:\program files\Trend Micro\Internet Security\Quarantine\3BAD.tmp
c:\program files\Trend Micro\Internet Security\Quarantine\3BAE.tmp
c:\program files\Trend Micro\Internet Security\Quarantine\3BAF.tmp
c:\program files\Trend Micro\Internet Security\Quarantine\3BB0.tmp
c:\program files\Trend Micro\Internet Security\Quarantine\3BB1.tmp
c:\program files\Trend Micro\Internet Security\Quarantine\3F.tmp
c:\program files\Trend Micro\Internet Security\Quarantine\40.tmp
c:\program files\Trend Micro\Internet Security\Quarantine\41.tmp
c:\program files\Trend Micro\Internet Security\Quarantine\42.tmp
c:\program files\Trend Micro\Internet Security\Quarantine\43.tmp
c:\program files\Trend Micro\Internet Security\Quarantine\44.tmp
c:\program files\Trend Micro\Internet Security\Quarantine\45.tmp
c:\program files\Trend Micro\Internet Security\Quarantine\46.tmp
c:\program files\Trend Micro\Internet Security\Quarantine\47.tmp
c:\program files\Trend Micro\Internet Security\Quarantine\48.tmp
c:\program files\Trend Micro\Internet Security\Quarantine\49.tmp
c:\program files\Trend Micro\Internet Security\Quarantine\4A.tmp
c:\program files\Trend Micro\Internet Security\Quarantine\4B.tmp
c:\program files\Trend Micro\Internet Security\Quarantine\4C.tmp
c:\program files\Trend Micro\Internet Security\Quarantine\4CC4.tmp
c:\program files\Trend Micro\Internet Security\Quarantine\4D.tmp
c:\program files\Trend Micro\Internet Security\Quarantine\50.tmp
c:\program files\Trend Micro\Internet Security\Quarantine\51.tmp
c:\program files\Trend Micro\Internet Security\Quarantine\52.tmp
c:\program files\Trend Micro\Internet Security\Quarantine\53.tmp
c:\program files\Trend Micro\Internet Security\Quarantine\54.tmp
c:\program files\Trend Micro\Internet Security\Quarantine\55.tmp
c:\program files\Trend Micro\Internet Security\Quarantine\56.tmp
c:\program files\Trend Micro\Internet Security\Quarantine\57.tmp
c:\program files\Trend Micro\Internet Security\Quarantine\58.tmp
c:\program files\Trend Micro\Internet Security\Quarantine\59.tmp
c:\program files\Trend Micro\Internet Security\Quarantine\5A.tmp
c:\program files\Trend Micro\Internet Security\Quarantine\5B.tmp
c:\program files\Trend Micro\Internet Security\Quarantine\A0275918.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Common Files\Real\Toolbar
c:\program files\Common Files\Real\Toolbar\BarControl.dll
c:\program files\Common Files\Real\Toolbar\RealBar.dll
c:\windows\system32\acweeaco.dll
c:\windows\system32\bapemode.dll
c:\windows\system32\dacwwwiq.dll
c:\windows\system32\dirupahu.dll
c:\windows\system32\donilowi.dll
c:\windows\system32\dudukomi.dll
c:\windows\system32\dupodayu.dll
c:\windows\system32\ebbifbhb.dll
c:\windows\system32\ercoqykg.dll
c:\windows\system32\eswgpboy.dll
c:\windows\system32\fahihufo.dll
c:\windows\system32\fepuzega.dll
c:\windows\system32\feyajute.dll
c:\windows\system32\fiyobubi.dll
c:\windows\system32\gamofepu.dll
c:\windows\system32\garavebu.dll
c:\windows\system32\gdfxyexe.dll
c:\windows\system32\giletisa.dll
c:\windows\system32\hanayupu.dll
c:\windows\system32\hijusuza.dll
c:\windows\system32\hiwawijo.dll
c:\windows\system32\hoqfxanu.dll
c:\windows\system32\hqdhyapt.dll
c:\windows\system32\jogopamo.dll
c:\windows\system32\jujijano.dll
c:\windows\system32\kalmqkhv.dll
c:\windows\system32\kgeeiahv.dll
c:\windows\system32\kikububu.dll
c:\windows\system32\kikuvupi.dll
c:\windows\system32\komabagi.dll
c:\windows\system32\konovozo.dll
c:\windows\system32\kppfodrp.dll
c:\windows\system32\lawapuvo.dll
c:\windows\system32\leydieid.dll
c:\windows\system32\lobuzosi.dll
c:\windows\system32\lunuhofu.dll
c:\windows\system32\memfvyeb.dll
c:\windows\system32\ndhiqc.dll
c:\windows\system32\nehafote.dll
c:\windows\system32\neyuvena.dll
c:\windows\system32\niyihese.dll
c:\windows\system32\njtjahmc.dll
c:\windows\system32\nowuvaku.dll
c:\windows\system32\npmgydnf.dll
c:\windows\system32\patafudi.dll
c:\windows\system32\piwuhapi.dll
c:\windows\system32\qwoeahgq.dll
c:\windows\system32\renawevu.dll
c:\windows\system32\revulazo.dll
c:\windows\system32\rlakuerc.dll
c:\windows\system32\rovokoko.dll
c:\windows\system32\rsoqhdwa.dll
c:\windows\system32\rtpuymbo.dll
c:\windows\system32\rvajqmto.dll
c:\windows\system32\rwlljqvd.dll
c:\windows\system32\saxhpxsr.dll
c:\windows\system32\sewepedo.dll
c:\windows\system32\siyesohi.dll
c:\windows\system32\swdvgtrc.dll
c:\windows\system32\tewetopi.dll
c:\windows\system32\torelire.dll
c:\windows\system32\tovmekrj.dll
c:\windows\system32\tuhjkjet.dll
c:\windows\system32\tybnkygt.dll
c:\windows\system32\umwowkjh.dll
c:\windows\system32\vaetmrkt.dll
c:\windows\system32\vayojema.dll
c:\windows\system32\vemewofo.dll
c:\windows\system32\vezipoyo.dll
c:\windows\system32\wcygdcin.dll
c:\windows\system32\wiueqcqh.dll
c:\windows\system32\wkjvmilf.dll
c:\windows\system32\wlxyjtga.dll
c:\windows\system32\woferezi.dll
c:\windows\system32\xnjfuarv.dll
c:\windows\system32\xwtawhvo.dll
c:\windows\system32\yamadeko.dll
c:\windows\system32\yorerufo.dll
c:\windows\system32\zayewegi.dll
c:\windows\system32\zifewiba.dll
c:\windows\system32\zogonaha.dll

.
((((((((((((((((((((((((( Files Created from 2009-02-13 to 2009-03-13 )))))))))))))))))))))))))))))))
.

2009-03-10 13:57 . 2009-03-10 13:57 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-03-10 13:57 . 2009-02-11 10:19 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-03-10 13:56 . 2009-03-10 13:57 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-03-10 13:56 . 2009-03-10 13:56 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-03-10 13:56 . 2009-02-11 10:19 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-05 09:11 . 2009-03-05 09:11 <DIR> d-------- c:\windows\system32\Interactive
2009-02-24 18:01 . 2009-02-24 18:03 <DIR> d-------- c:\documents and settings\Administrator\Application Data\HouseCall 6.6
2009-02-24 17:52 . 2009-02-24 17:50 73,728 --a------ c:\windows\system32\javacpl.cpl
2009-02-22 18:51 . 2008-07-30 12:05 50,192 --a------ c:\windows\system32\drivers\tmactmon.sys
2009-02-22 18:51 . 2008-07-30 12:05 49,680 --a------ c:\windows\system32\drivers\tmevtmgr.sys
2009-02-22 18:41 . 2009-02-23 14:10 <DIR> d-------- c:\documents and settings\All Users\Application Data\Trend Micro
2009-02-22 18:33 . 2008-11-26 18:39 1,195,384 --a------ c:\windows\system32\drivers\vsapint.sys
2009-02-22 18:33 . 2008-11-26 18:42 205,328 --a------ c:\windows\system32\drivers\tmxpflt.sys
2009-02-22 18:33 . 2008-11-26 18:42 36,368 --a------ c:\windows\system32\drivers\tmpreflt.sys
2009-02-22 18:29 . 2009-02-22 18:30 <DIR> d-------- c:\program files\Trend Micro™ Internet Security
2009-02-21 11:07 . 2008-07-30 12:05 144,912 --a------ c:\windows\system32\drivers\tmcomm.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-13 20:19 --------- d-----w c:\program files\Common Files\Real
2009-03-11 19:11 --------- d-----w c:\program files\Microsoft Silverlight
2009-03-11 16:09 --------- d-----w c:\documents and settings\All Users\Application Data\32nd America's Cup
2009-02-25 00:50 410,984 ----a-w c:\windows\system32\deploytk.dll
2009-02-25 00:31 --------- d-----w c:\program files\Java
2009-02-24 00:05 --------- d-----w c:\program files\Google
2009-02-23 01:51 --------- d-----w c:\program files\Trend Micro
2009-02-21 16:08 --------- d-----w c:\program files\IEForge
2009-02-21 16:04 --------- d-----w c:\program files\DAS Trader DEMO
2009-02-09 11:13 1,846,784 ----a-w c:\windows\system32\win32k.sys
2009-02-09 11:13 1,846,784 ------w c:\windows\system32\dllcache\win32k.sys
2009-01-17 04:35 3,594,752 ----a-w c:\windows\system32\dllcache\mshtml.dll
2009-01-05 22:33 3,751,995 ----a-w c:\windows\system32\GPhotos.scr
2008-12-19 16:23 16,384 ----a-w c:\windows\DCEBoot.exe
2008-12-19 09:10 70,656 ------w c:\windows\system32\dllcache\ie4uinit.exe
2008-12-19 09:10 13,824 ------w c:\windows\system32\dllcache\ieudinit.exe
2008-12-19 05:25 634,024 ------w c:\windows\system32\dllcache\iexplore.exe
2008-12-19 05:23 161,792 ------w c:\windows\system32\dllcache\ieakui.dll
2001-12-04 00:09 90,112 ----a-w c:\program files\internet explorer\plugins\DjVuControl.dll
2007-08-15 16:53 56 --sh--r c:\windows\system32\AD9D73BE74.sys
2007-08-20 15:32 2,098 --sha-w c:\windows\system32\KGyGaAvL.sys
2008-08-21 01:52 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008082020080821\index.dat
.

((((((((((((((((((((((((((((( SnapShot_2009-03-22_ 9.16.57.40 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-03-13 17:46:13 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_4e4.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="c:\windows\system32\mobsync.exe" [2008-04-13 143360]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-06-20 6725632]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2004-10-30 385024]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2005-12-04 461584]
"EPSON Stylus Photo RX500"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_S4I2K1.EXE" [2003-06-02 99840]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2005-05-31 122941]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2004-09-13 155648]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-06-29 286720]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2007-07-10 270648]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2007-01-24 198128]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2005-03-04 622592]
"DLCQCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\DLCQtime.dll" [2006-06-07 106496]
"UfSeAgnt.exe"="c:\program files\Trend Micro\Internet Security\UfSeAgnt.exe" [2008-07-30 970808]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-02-24 148888]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"OE"="c:\program files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe" [2008-07-30 497008]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - c:\program files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-05-15 217193]
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-10-17 110592]
Bluetooth Manager.lnk - c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe [2005-09-15 1720320]
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2005-11-04 724992]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
2004-09-07 14:08 110592 c:\program files\Intel\Wireless\Bin\LgNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"midi1"= myokent.dll
"msvideo9"= SDVC03.drv

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Macromedia\\Dreamweaver 8\\Dreamweaver.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Ipswitch\\WS_FTP Professional\\wsftpgui.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\QuickTime\\QuickTimePlayer.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Real\\RealOne Player\\realplay.exe"=
"c:\\Program Files\\Atari\\Test Drive Unlimited\\TestDriveUnlimited.exe"=
"c:\\Program Files\\32nd America's Cup\\VskAC32.exe"=
"c:\\WINDOWS\\system32\\dlcqcoms.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\mobsync.exe"=
"c:\\Program Files\\iPod\\bin\\iPodService.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009

R2 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [2009-02-22 49680]
R2 TmPfw;Trend Micro Personal Firewall;c:\program files\Trend Micro\Internet Security\TmPfw.exe [2009-02-22 492888]
R2 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [2009-02-22 36368]
R2 TmProxy;Trend Micro Proxy Service;c:\program files\Trend Micro\Internet Security\TmProxy.exe [2009-02-22 677128]
R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\drivers\TM_CFW.sys [2008-07-30 334352]
S3 DJUSB;DMM Controller;c:\windows\system32\drivers\DM2.sys [2001-01-11 10758]
S3 DVC;USB DVC Svc;c:\windows\system32\drivers\DVC.sys [2005-12-06 38604]
.
Contents of the 'Scheduled Tasks' folder

2009-03-07 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 17:57]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\y0h0f3cm.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.icmag.com/ic/member.php?u=8805
FF - prefs.js: network.proxy.type - 4
FF - plugin: c:\program files\Common Files\fluxDVD\APIX\NPAPIX.dll
FF - plugin: c:\program files\Common Files\fluxDVD\BrowserIntegration\NPFluxBrowserHelper.dll
FF - plugin: c:\program files\Common Files\mpDRM\NPMPDRM.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa2.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\IGN\Download Manager\npfpdlm.dll
FF - plugin: c:\program files\Mozilla Firefox\extensions\{3112ca9c-de6d-4884-a869-9855de680400}\plugins\npCinemaNowPlugin.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPAdbESD.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPAPIX.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPFluxBrowserHelper.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npitunes.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPMPDRM.dll
FF - plugin: c:\program files\Real\RealOne Player\Netscape6\nppl3260.dll
FF - plugin: c:\program files\Real\RealOne Player\Netscape6\nprjplug.dll
FF - plugin: c:\program files\Real\RealOne Player\Netscape6\nprpjplug.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-13 13:22:59
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
DLCQCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\DLCQtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1895414656-1668171972-2534002818-500\Software\Microsoft\Multimedia\1;~| QMMPWV6E_^*SUl$ tK}]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-1895414656-1668171972-2534002818-500\Software\Microsoft\Multimedia\q+NQRQPV[_^UQe*VW} }31;~| QMCMPWV6E_^*SUl$ tK}]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{5C082286-DD56-6B96-110FABAC317C22E3}\{17077DA0-F2D9-EF48-DBC13F521337D931}\{A783887F-564D-BBBA-662193019693FEBC}*]
"NRDFOBLVNAUE2QOGEQXAH1Y2DD1"=hex:01,00,01,00,00,00,00,00,b0,0a,ac,41,7a,16,04,
de,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1616)
c:\windows\system32\myokent.dll
c:\program files\Intel\Wireless\Bin\LgNotify.dll

- - - - - - - > 'lsass.exe'(1672)
c:\windows\system32\myokent.dll
.
Completion time: 2009-03-13 13:25:18
ComboFix-quarantined-files.txt 2009-03-13 20:25:12
ComboFix2.txt 2009-03-12 21:10:47
ComboFix3.txt 2009-03-22 16:18:06
ComboFix4.txt 2009-03-11 15:42:17

Pre-Run: 2,694,717,440 bytes free
Post-Run: 2,686,087,168 bytes free

356 --- E O F --- 2009-03-11 19:05:05

#14 bbing (Topic Starter, Members, 11 posts)

Posted 13 March 2009 - 03:29 PM

SteelWerX Registry Console Tool 2.0
Written by Bobbi Flekman 2006 ©

HKEY_USERS

HKEY_USERS\.DEFAULT

HKEY_USERS\S-1-5-19

HKEY_USERS\S-1-5-19_Classes

HKEY_USERS\S-1-5-20

HKEY_USERS\S-1-5-20_Classes

HKEY_USERS\S-1-5-21-1895414656-1668171972-2534002818-500

HKEY_USERS\S-1-5-21-1895414656-1668171972-2534002818-500_Classes

HKEY_USERS\S-1-5-18

#15 chryssi2001 (Members, 1,930 posts)

Posted 14 March 2009 - 02:07 AM

Hello bbing,

Nice job.
----------------------------------------------
COMBOFIX-Script
A word of warning: Please do not run ComboFix on your own. This tool is not a toy and not for everyday use.
  • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

    RegNull::
    [HKEY_USERS\S-1-5-21-1895414656-1668171972-2534002818-500\Software\Microsoft\Multimedia\1;~o| QMeYyyeeOyyMPWVe6?yyE_^EA*SUl$ iUtK}]
    [HKEY_USERS\S-1-5-21-1895414656-1668171972-2534002818-500\Software\Microsoft\Multimedia\yqo+oNQRQPeauyyAVIe?Oyy[C_^AUiQeu*VW} y}3y1;~o| QMeYyyeeCOyyMPWVe6?yyE_^EA*SUl$ iUtK}]
  • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.

    [screenshot: CFScript.txt being dragged onto ComboFix.exe]
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • If you need help to disable your protection programs see here.
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.
CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
Private Messages for personal support will be ignored. If you need help post in the forum.
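The CFScript above is built by hand from two sections of the ComboFix log: the "LOCKED REGISTRY KEYS" block (the Vundo/Virtumonde keys with junk names under HKEY_USERS\...\Software\Microsoft\Multimedia) and the "DLLs Loaded Under Running Processes" block (myokent.dll sitting inside winlogon.exe and lsass.exe). The script below is an added example, not code from this thread, from BleepingComputer or from ComboFix: it parses those two sections out of a log, drafts the RegNull:: block in the form the helper used, and lists the DLLs loaded into winlogon.exe and lsass.exe for review. The sample log embedded in it is constructed and modelled on the log in this thread, with the long key names shortened; the function names, the `SENSITIVE` set and the `under=` filter are the example's own choices. It only drafts text for a human to prune (the helper here chose the two Multimedia keys and left the CLSID key alone); it does not run ComboFix, and the warning above about not running ComboFix unsupervised still stands.

```python
"""Draft a ComboFix CFScript RegNull:: section from a ComboFix log.

Added example; not part of the BleepingComputer thread or of ComboFix.
ComboFix separates log sections with a line holding a lone '.', which is
what the parser uses to find the end of each section.
"""
import re

LOCKED_HDR = "--------------------- LOCKED REGISTRY KEYS ---------------------"
DLLS_HDR = "--------------------- DLLs Loaded Under Running Processes ---------------------"

# Constructed sample log, modelled on the thread's log (key names shortened).
SAMPLE_LOG = r"""
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1895414656-1668171972-2534002818-500\Software\Microsoft\Multimedia\1;~| QMMPWV6E_^*SUl$ tK}]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{5C082286-DD56-6B96-110FABAC317C22E3}*]
"NRDFOBLVNAUE2QOGEQXAH1Y2DD1"=hex:01,00
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1616)
c:\windows\system32\myokent.dll
c:\program files\Intel\Wireless\Bin\LgNotify.dll

- - - - - - - > 'lsass.exe'(1672)
c:\windows\system32\myokent.dll

- - - - - - - > 'explorer.exe'(2040)
c:\windows\system32\shell32.dll
.
"""

# Processes into which Vundo/Virtumonde typically injects (example's own list).
SENSITIVE = {"winlogon.exe", "lsass.exe"}

PROC_RE = re.compile(r"^- - - - - - - > '([^']+)'\((\d+)\)$")


def section(text, header):
    """Lines after `header` up to ComboFix's lone-dot section terminator."""
    lines = text.splitlines()
    try:
        start = lines.index(header) + 1
    except ValueError:
        return []
    out = []
    for line in lines[start:]:
        if line.strip() == ".":
            break
        out.append(line)
    return out


def locked_keys(text):
    """Registry key paths shown in [brackets] in the LOCKED REGISTRY KEYS section."""
    keys = []
    for line in section(text, LOCKED_HDR):
        line = line.rstrip()
        if line.startswith("[") and line.endswith("]"):
            keys.append(line[1:-1])
    return keys


def injected_dlls(text):
    """Map each process header ('- - > 'name'(pid)') to the DLL paths listed under it."""
    result = {}
    current = None
    for line in section(text, DLLS_HDR):
        m = PROC_RE.match(line.strip())
        if m:
            current = m.group(1)
            result.setdefault(current, [])
        elif current and line.strip():
            result[current].append(line.strip())
    return result


def suspicious_dlls(text):
    """(process, dll) pairs for DLLs loaded inside winlogon.exe / lsass.exe."""
    return [(proc, dll)
            for proc, dlls in injected_dlls(text).items()
            if proc in SENSITIVE
            for dll in dlls]


def build_cfscript(keys, under=None):
    """Draft a RegNull:: block; `under` keeps only keys below that path prefix."""
    chosen = [k for k in keys
              if under is None or k.lower().startswith(under.lower())]
    if not chosen:
        return ""
    return "RegNull::\n" + "\n".join(f"[{k}]" for k in chosen) + "\n"


if __name__ == "__main__":
    # Mirror the helper's choice: only the HKEY_USERS keys go into the script.
    print(build_cfscript(locked_keys(SAMPLE_LOG), under="HKEY_USERS\\"))
    for proc, dll in suspicious_dlls(SAMPLE_LOG):
        print(f"review: {dll} loaded in {proc}")
```

The `under=` filter is what keeps the draft honest: a locked key is not automatically a key to null (the CLSID key in this thread's log was left out of the helper's script), so restrict the output to the hive and path you have actually decided on, then save the result as CFScript.txt exactly as the instructions above describe. The DLL listing is only a prompt for review; a DLL under c:\windows\system32 with a random-looking name inside winlogon.exe or lsass.exe is the pattern this thread's log shows, but the decision stays with the person reading the log.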