
Infected with Win32/Adware.Virtumonde Application


  • This topic is locked
7 replies to this topic

#1 mdale99 (Members, 2 posts)

Posted 21 March 2009 - 04:38 PM

I downloaded a video converter and as I ran it NOD32 Antivirus started to quarantine several things. I shut down the installation and deleted the downloaded installation file, restarted my computer and everything ran fine for about 10 minutes, then my screen went black except for my wallpaper and the 2 Vista gadgets I run on the desktop. I had no mouse response. The only thing that responded on the keyboard was Ctrl/Alt/Del, which I used to restart. The same thing happens every time I start my computer: OK for 10 minutes, then a black screen except for wallpaper and gadgets.


DDS (Ver_09-03-16.01) - NTFSx86
Run by michael at 14:15:22.06 on Sat 03/21/2009
Internet Explorer: 8.0.6001.18702
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.1918.1297 [GMT -7:00]

AV: ESET NOD32 Antivirus 3.0 *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\rundll32.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\mobsync.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\PSIService.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Realtek\InstallShield\RtHDVCpl.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\taskeng.exe
C:\Users\michael\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uSearch Page =
uStart Page = hxxp://my.yahoo.com/
uSearch Bar =
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: {7f59e612-2348-43c1-99b7-6cbe1600cf37} - c:\windows\system32\opnNDuuT.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [RtHDVCpl.exe] c:\program files\realtek\installshield\RtHDVCpl.exe
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
mRun: [itype] "c:\program files\microsoft intellitype pro\itype.exe"
mRun: [egui] "c:\program files\eset\eset nod32 antivirus\egui.exe" /hide /waitservice
mRun: [MSServer] rundll32.exe c:\windows\system32\iifgHbaA.dll,#1
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
SEH: {6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} - c:\windows\system32\iifgHbaA.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\opnNDuuT

============= SERVICES / DRIVERS ===============

R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [2008-10-24 34824]
R2 ekrn;Eset Service;c:\program files\eset\eset nod32 antivirus\ekrn.exe [2008-10-24 468224]
R3 dc3d;USBCCGP filter driver (dc3d);c:\windows\system32\drivers\dc3d.sys [2009-1-15 15360]
S3 SndTAudio;SndTAudio;c:\windows\system32\drivers\SndTAudio.sys [2009-2-2 23096]
S3 SndTVideo;SndTVideo;c:\windows\system32\drivers\SndTVideo.sys [2009-2-2 3768]

=============== Created Last 30 ================

2009-03-21 07:19 2,869 a--sh--- c:\windows\system32\abIjknpo.ini
2009-03-21 07:19 369 a--sh--- c:\windows\system32\abIjknpo.ini2
2009-03-21 07:18 303,616 a------- c:\windows\system32\opnkjIba.dll
2009-03-21 05:57 2,909 a--sh--- c:\windows\system32\GMnnWFhk.ini
2009-03-21 05:57 369 a--sh--- c:\windows\system32\GMnnWFhk.ini2
2009-03-21 05:57 303,616 a------- c:\windows\system32\khFWnnMG.dll
2009-03-21 01:27 2,869 a--sh--- c:\windows\system32\wHQqWGgh.ini
2009-03-21 01:27 369 a--sh--- c:\windows\system32\wHQqWGgh.ini2
2009-03-21 01:27 303,616 a------- c:\windows\system32\hgGWqQHw.dll
2009-03-20 21:26 7,431 a--sh--- c:\windows\system32\TuuDNnpo.ini
2009-03-20 21:26 7,253 a--sh--- c:\windows\system32\TuuDNnpo.ini2
2009-03-20 21:26 303,616 a------- c:\windows\system32\opnNDuuT.dll
2009-03-19 05:17 <DIR> --d----- c:\programdata\vsosdk
2009-03-19 05:17 <DIR> --d----- c:\progra~2\vsosdk
2009-03-19 02:21 <DIR> --d----- C:\ConvertXtoDVD
2009-03-19 02:14 <DIR> --d----- c:\program files\Common
2009-03-19 02:14 <DIR> --d----- c:\program files\ConvertX
2009-03-17 17:50 <DIR> -cdsh--- c:\program files\common files\WindowsLiveInstaller
2009-03-17 17:50 <DIR> --d----- c:\programdata\WLInstaller
2009-03-17 16:05 <DIR> --d----- c:\program files\Moyea
2009-03-11 09:14 268,288 a------- c:\windows\system32\schannel.dll
2009-03-11 09:14 2,033,152 a------- c:\windows\system32\win32k.sys
2009-03-09 10:56 <DIR> --d----- C:\239fc5e8dce3433b81f09408
2009-03-05 09:24 102,400 a------- c:\windows\system32\tsccvid.dll
2009-03-01 05:21 0 a------- c:\windows\control.ini
2009-02-28 12:44 2,516 a--sh--- c:\windows\system32\KGyGaAvL.sys
2009-02-28 12:44 88 ---shr-- c:\windows\system32\2EEDD582D1.sys
2009-02-27 07:03 <DIR> --d----- c:\program files\MSECache
2009-02-25 14:27 7,680 a------- c:\windows\system32\spwmp.dll
2009-02-25 14:27 4,096 a------- c:\windows\system32\msdxm.ocx
2009-02-25 14:27 4,096 a------- c:\windows\system32\dxmasf.dll
2009-02-25 14:27 8,147,456 a------- c:\windows\system32\wmploc.DLL
2009-02-22 12:45 <DIR> --d----- c:\program files\common files\COWON
2009-02-22 12:45 <DIR> --d----- c:\program files\JetAudio
2009-02-22 06:07 <DIR> --d----- c:\users\michael\appdata\roaming\Foxit
2009-02-22 06:06 <DIR> --d----- c:\program files\Foxit Software
2009-02-22 05:07 <DIR> --d----- c:\programdata\NOS
2009-02-21 22:25 76 a------- c:\windows\system32\llbiirc.dll
2009-02-21 22:25 585,728 -------- c:\windows\system32\AReadyLB.dll
2009-02-21 22:25 229,376 -------- c:\windows\system32\AudDevicePlugin.dll
2009-02-21 22:25 183,129 -------- c:\windows\system32\AM Install1.INF
2009-02-21 22:25 3,851,784 a------- c:\windows\system32\D3DX9_39.dll
2009-02-21 00:51 <DIR> --d----- c:\users\michael\appdata\roaming\Moyea
2009-02-21 00:29 <DIR> --d----- c:\windows\Replay Video Capture
2009-02-20 15:52 1,736,704 a------- c:\windows\system32\javan.exe
2009-02-20 14:57 274,432 a------- c:\windows\system32\TubeFinder.exe
2009-02-20 14:57 364,544 a------- c:\windows\system32\PropertyGrid.ocx
2009-02-20 14:57 208,500 a------- c:\windows\system32\ReyXpBasics.tlb
2009-02-20 14:57 152,848 a------- c:\windows\system32\COMDLG32.OCX
2009-02-20 14:57 141,312 a------- c:\windows\system32\MSCMCFR.DLL
2009-02-20 14:57 119,568 a------- c:\windows\system32\VB6FR.DLL
2009-02-20 14:57 101,888 a------- c:\windows\system32\VB6STKIT.DLL
2009-02-20 14:57 84,512 a------- c:\windows\system32\PICCLP32.OCX
2009-02-20 14:57 32,768 a------- c:\windows\system32\CMDLGFR.DLL
2009-02-20 14:57 24,576 a------- c:\windows\system32\ControlSubX.ocx
2009-02-20 14:57 9,728 a------- c:\windows\system32\PCCLPFR.DLL
2009-02-20 08:12 428,544 a------- c:\windows\system32\EncDec.dll
2009-02-20 08:12 217,088 a------- c:\windows\system32\psisrndr.ax
2009-02-20 08:12 293,376 a------- c:\windows\system32\psisdecd.dll
2009-02-20 08:12 177,664 a------- c:\windows\system32\mpg2splt.ax
2009-02-20 08:12 80,896 a------- c:\windows\system32\MSNP.ax

==================== Find3M ====================

2009-03-20 13:16 150,712 a------- c:\windows\system32\GDIPFONTCACHEV1.DAT
2009-03-08 04:34 914,944 a------- c:\windows\system32\wininet.dll
2009-03-08 04:34 43,008 a------- c:\windows\system32\licmgr10.dll
2009-03-08 04:33 18,944 a------- c:\windows\system32\corpol.dll
2009-03-08 04:33 109,056 a------- c:\windows\system32\iesysprep.dll
2009-03-08 04:33 109,568 a------- c:\windows\system32\PDMSetup.exe
2009-03-08 04:33 132,608 a------- c:\windows\system32\ieUnatt.exe
2009-03-08 04:33 107,520 a------- c:\windows\system32\RegisterIEPKEYs.exe
2009-03-08 04:33 107,008 a------- c:\windows\system32\SetIEInstalledDate.exe
2009-03-08 04:33 103,936 a------- c:\windows\system32\SetDepNx.exe
2009-03-08 04:33 420,352 a------- c:\windows\system32\vbscript.dll
2009-03-08 04:32 72,704 a------- c:\windows\system32\admparse.dll
2009-03-08 04:32 71,680 a------- c:\windows\system32\iesetup.dll
2009-03-08 04:32 66,560 a------- c:\windows\system32\wextract.exe
2009-03-08 04:32 169,472 a------- c:\windows\system32\iexpress.exe
2009-03-08 04:31 34,816 a------- c:\windows\system32\imgutil.dll
2009-03-08 04:31 48,128 a------- c:\windows\system32\mshtmler.dll
2009-03-08 04:31 45,568 a------- c:\windows\system32\mshta.exe
2009-03-08 04:22 156,160 a------- c:\windows\system32\msls31.dll
2009-03-05 08:29 143,360 a------- c:\windows\inf\infstrng.dat
2009-03-05 08:29 51,200 a------- c:\windows\inf\infpub.dat
2009-02-13 12:06 86,016 a------- c:\windows\inf\infstor.dat
2009-01-31 06:00 0 a---h--- c:\windows\system32\drivers\Msft_Kernel_dc3d_01005.Wdf
2009-01-21 00:10 410,984 a------- c:\windows\system32\deploytk.dll
2009-01-17 03:21 319,456 a------- c:\windows\DIFxAPI.dll
2009-01-13 20:03 318,976 a------- c:\windows\system32\CF12473.exe
2009-01-12 19:38 152,904 a------- c:\windows\system32\vghd.scr
2008-12-18 14:36 174 a--sh--- c:\program files\desktop.ini
2008-12-18 14:26 665,600 a------- c:\windows\inf\drvindex.dat
2006-11-02 05:42 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 05:42 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 05:42 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 05:42 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 02:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 02:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 02:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 02:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat

============= FINISH: 14:15:44.75 ===============

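The DDS log above is what the helpers read by eye. As an added example (not from the original post or from the DDS tool), here is a Python script that applies the same heuristics to a constructed excerpt in DDS's layout: a BHO or ShellExecuteHook listed with no display name, a Run entry that loads a DLL export through rundll32, an LSA "Authentication Packages" value holding anything besides msv1_0 (a package listed there is loaded into lsass.exe), UAC switched off (EnableLUA = 0), and the Vundo habit of dropping a DLL alongside a hidden .ini whose name is the DLL's name spelled backwards (opnNDuuT.dll / TuuDNnpo.ini, opnkjIba.dll / abIjknpo.ini). Rule names and the checks themselves are this example's own assumptions about what looks suspicious; a hit is a lead to confirm, not a verdict.

```python
"""Triage a DDS log for Virtumonde/Vundo-style indicators.

Added example for this thread, not part of the original post or of the DDS
tool. SAMPLE_LOG is a constructed excerpt in the layout DDS prints; each rule
is a heuristic of this example's own, and a hit is a lead, not a verdict.
"""
import re
from collections import namedtuple

Finding = namedtuple("Finding", ["rule", "detail"])

# Constructed excerpt: same section banners and line formats as the posted log.
SAMPLE_LOG = r"""
============== Pseudo HJT Report ===============
BHO: Java(TM) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: {7f59e612-2348-43c1-99b7-6cbe1600cf37} - c:\windows\system32\opnNDuuT.dll
mRun: [MSServer] rundll32.exe c:\windows\system32\iifgHbaA.dll,#1
mPolicies-system: EnableLUA = 0 (0x0)
SEH: {6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} - c:\windows\system32\iifgHbaA.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\opnNDuuT
=============== Created Last 30 ================
2009-03-21 07:19 2,869 a--sh--- c:\windows\system32\abIjknpo.ini
2009-03-21 07:19 369 a--sh--- c:\windows\system32\abIjknpo.ini2
2009-03-21 07:18 303,616 a------- c:\windows\system32\opnkjIba.dll
2009-03-20 21:26 7,431 a--sh--- c:\windows\system32\TuuDNnpo.ini
2009-03-20 21:26 303,616 a------- c:\windows\system32\opnNDuuT.dll
2009-03-19 05:17 <DIR> --d----- c:\programdata\vsosdk
2009-03-11 09:14 268,288 a------- c:\windows\system32\schannel.dll
"""

SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")
CREATED_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} (?P<size>[\d,]+|<DIR>) "
                        r"(?P<attrs>[-a-z]{8}) (?P<path>.+)$", re.I)
UNNAMED_RE = re.compile(r"^(BHO|SEH): \{[0-9a-f-]{36}\} - (.+)$", re.I)
RUNDLL_RE = re.compile(r"^[um]Run: \[(?P<name>[^\]]+)\] rundll32(?:\.exe)? "
                       r"(?P<dll>\S+?\.dll),(?P<export>\S+)", re.I)
LSA_RE = re.compile(r"^LSA: Authentication Packages = (.+)$", re.I)


def split_sections(text):
    """Map each '==== Name ====' banner to the non-blank lines under it."""
    sections, current = {}, None
    for line in text.splitlines():
        if m := SECTION_RE.match(line):
            current = m.group(1)
            sections[current] = []
        elif current is not None and line.strip():
            sections[current].append(line)
    return sections


def check_hjt(lines):
    """Persistence entries in the Pseudo HJT section worth a second look."""
    findings = []
    for line in lines:
        if m := UNNAMED_RE.match(line):            # BHO / ShellExecuteHook with no display name
            findings.append(Finding("unnamed-" + m.group(1).lower(), m.group(2)))
        elif m := RUNDLL_RE.match(line):           # autorun loading a DLL export via rundll32
            findings.append(Finding("rundll32-autorun", f"{m['name']} -> {m['dll']},{m['export']}"))
        elif m := LSA_RE.match(line):              # extra LSA package = DLL loaded into lsass.exe
            extra = [p for p in m.group(1).split() if p.lower() != "msv1_0"]
            if extra:
                findings.append(Finding("lsa-auth-package", " ".join(extra)))
        elif line.startswith("mPolicies-system: EnableLUA = 0"):
            findings.append(Finding("uac-disabled", "EnableLUA = 0"))
    return findings


def check_created(lines):
    """Vundo habit: a DLL plus a hidden .ini named with the DLL's name spelled backwards."""
    by_key = {}                                    # (directory, stem) -> [extensions]
    for line in lines:
        m = CREATED_RE.match(line)
        if not m or m["size"] == "<DIR>":
            continue
        directory, _, filename = m["path"].rpartition("\\")
        stem, _, ext = filename.rpartition(".")
        by_key.setdefault((directory.lower(), stem), []).append(ext.lower())
    findings = []
    for (directory, stem), exts in by_key.items():
        mirror = stem[::-1]
        partners = by_key.get((directory, mirror), [])
        if "dll" in exts and mirror != stem and any(e.startswith("ini") for e in partners):
            findings.append(Finding("mirrored-dll-ini", f"{stem}.dll <-> {mirror}.ini"))
    return findings


def triage(text):
    """All findings for one DDS log, HJT-style entries first, then file pairs."""
    sections = split_sections(text)
    return (check_hjt(sections.get("Pseudo HJT Report", []))
            + check_created(sections.get("Created Last 30", [])))


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.rule:18} {f.detail}")
```

Run as a script it prints seven findings for the excerpt (the Java BHO and schannel.dll are the benign controls and produce none); to use it on a real log, replace SAMPLE_LOG with the full text, since the banners and line formats are the ones DDS prints.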

#2 aommaster, "I !<3 malware" (Malware Response Team, 5,289 posts, Dubai)

Posted 21 March 2009 - 05:17 PM

Hello, mdale99.
My name is aommaster and I will be helping you with your log.


If you have since resolved the original problem you were having, we would appreciate you letting us know. If not, please perform the steps below so I can have a look at the current condition of your machine.

Thanks and again sorry for the delay.

Also, you may want to consider tracking this topic by either adding it to your favourites or clicking the Options button at the top of this thread.

Please note that I am in the process of my training, so it may take a while for me to get back to you, as each of my fixes needs to be checked by a coach first.
  • Download random's system information tool (RSIT) by random/random from here and save it to your desktop.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized)
In your next reply, please include the following:
  • RSIT Log

My website: http://aommaster.com
Please do not send me PMs requesting help. The forums are there for a reason : )
If I am helping you and do not respond to your thread for 48 hours, please send me a PM


#3 mdale99, Topic Starter (Members, 2 posts)

Posted 21 March 2009 - 06:39 PM

aommaster,
Here is the information you requested. I hope this is the format that you wanted it in (cut/paste). If not, I'm sorry. I'm new here and my computer knowledge is limited.


info.txt logfile of random's system information tool 1.06 2009-03-21 16:24:48

======Uninstall list======

2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {BEE75E01-DD3F-4D5F-B96C-609E6538D419}
Adobe Flash Player 10 ActiveX-->C:\Windows\system32\Macromed\Flash\uninstall_activeX.exe
Canon MP Navigator EX 1.0-->"C:\Program Files\Canon\MP Navigator EX 1.0\Maint.exe" /UninstallRemove C:\Program Files\Canon\MP Navigator EX 1.0\uninst.ini
Canon MX310 series-->"C:\Windows\system32\CanonIJ Uninstaller Information\{1199FAD5-9546-44f3-81CF-FFDB8040B7BF}_Canon_MX310_series\DelDrv.exe" /U:{1199FAD5-9546-44f3-81CF-FFDB8040B7BF}_Canon_MX310_series /L0x0009
Canon My Printer-->C:\Program Files\Canon\MyPrinter\uninst.exe uninst.ini
Canon Utilities Easy-PhotoPrint EX-->C:\Program Files\Canon\Easy-PhotoPrint EX\uninst.exe uninst.ini
Canon Utilities Solution Menu-->C:\Program Files\Canon\SolutionMenu\uninst.exe uninst.ini
Convert X to DVD 3.4.7.121-->MsiExec.exe /I{4C335AD4-6821-4028-9A6C-13943762DB55}
COWON Media Center - jetAudio Basic-->C:\Program Files\InstallShield Installation Information\{DF8195AF-8E6F-4487-A0EE-196F7E3F4B8A}\setup.exe -runfromtemp -l0x0009 -removeonly
ESET NOD32 Antivirus-->MsiExec.exe /I{4EAE8F8E-0C2E-4814-9A04-635AFB9050AA}
Foxit PDF IFilter-->MsiExec.exe /I{4448ABF6-786D-4C3D-A49D-7BB237E6DD17}
Foxit Reader-->C:\Program Files\Foxit Software\Foxit Reader\Uninstall.exe
HijackThis 2.0.2-->"C:\Program Files\trend micro\HijackThis.exe" /uninstall
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)-->C:\Windows\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall /qb+ REBOOTPROMPT=""
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)-->C:\Windows\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall {A7EEA2F2-BFCD-4A54-A575-7B81A786E658} /qb+ REBOOTPROMPT=""
Java™ 6 Update 11-->MsiExec.exe /X{26A24AE4-039D-4CA4-87B4-2F83216011FF}
Microsoft .NET Framework 3.5 SP1-->c:\Windows\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\setup.exe
Microsoft .NET Framework 3.5 SP1-->MsiExec.exe /I{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}
Microsoft Office Access MUI (English) 2007-->MsiExec.exe /X{90120000-0015-0409-0000-0000000FF1CE}
Microsoft Office Access Setup Metadata MUI (English) 2007-->MsiExec.exe /X{90120000-0117-0409-0000-0000000FF1CE}
Microsoft Office Enterprise 2007-->"C:\Program Files\Common Files\Microsoft Shared\OFFICE12\Office Setup Controller\setup.exe" /uninstall ENTERPRISE /dll OSETUP.DLL
Microsoft Office Enterprise 2007-->MsiExec.exe /X{90120000-0030-0000-0000-0000000FF1CE}
Microsoft Office Excel MUI (English) 2007-->MsiExec.exe /X{90120000-0016-0409-0000-0000000FF1CE}
Microsoft Office Groove MUI (English) 2007-->MsiExec.exe /X{90120000-00BA-0409-0000-0000000FF1CE}
Microsoft Office Groove Setup Metadata MUI (English) 2007-->MsiExec.exe /X{90120000-0114-0409-0000-0000000FF1CE}
Microsoft Office InfoPath MUI (English) 2007-->MsiExec.exe /X{90120000-0044-0409-0000-0000000FF1CE}
Microsoft Office OneNote MUI (English) 2007-->MsiExec.exe /X{90120000-00A1-0409-0000-0000000FF1CE}
Microsoft Office Outlook MUI (English) 2007-->MsiExec.exe /X{90120000-001A-0409-0000-0000000FF1CE}
Microsoft Office PowerPoint MUI (English) 2007-->MsiExec.exe /X{90120000-0018-0409-0000-0000000FF1CE}
Microsoft Office Proof (English) 2007-->MsiExec.exe /X{90120000-001F-0409-0000-0000000FF1CE}
Microsoft Office Proof (French) 2007-->MsiExec.exe /X{90120000-001F-040C-0000-0000000FF1CE}
Microsoft Office Proof (Spanish) 2007-->MsiExec.exe /X{90120000-001F-0C0A-0000-0000000FF1CE}
Microsoft Office Proofing (English) 2007-->MsiExec.exe /X{90120000-002C-0409-0000-0000000FF1CE}
Microsoft Office Publisher MUI (English) 2007-->MsiExec.exe /X{90120000-0019-0409-0000-0000000FF1CE}
Microsoft Office Shared MUI (English) 2007-->MsiExec.exe /X{90120000-006E-0409-0000-0000000FF1CE}
Microsoft Office Shared Setup Metadata MUI (English) 2007-->MsiExec.exe /X{90120000-0115-0409-0000-0000000FF1CE}
Microsoft Office Word MUI (English) 2007-->MsiExec.exe /X{90120000-001B-0409-0000-0000000FF1CE}
Microsoft Save as PDF or XPS Add-in for 2007 Microsoft Office programs-->MsiExec.exe /X{90120000-00B2-0409-0000-0000000FF1CE}
Microsoft Silverlight-->MsiExec.exe /I{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}
Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Moyea YouTube FLV Downloader version: 2.0.6.0-->"C:\Program Files\Moyea\YouTube FLV Downloader\unins000.exe"
MSXML 4.0 SP2 (KB954430)-->MsiExec.exe /I{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}
NVIDIA Drivers-->C:\Windows\system32\NVUNINST.EXE UninstallGUI
Realtek High Definition Audio Driver-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}\Setup.exe" -l0x9 -removeonly
Revo Uninstaller 1.80-->C:\Program Files\VS Revo Group\Revo Uninstaller\uninst.exe
ScanSoft OmniPage SE 4-->MsiExec.exe /X{B2F3DBD9-A9D2-4838-B45D-C917DAB32BC3}
Security Update for 2007 Microsoft Office System (KB951550)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {B243E9A5-ED77-4F1B-B338-2486FD82DC85}
Security Update for 2007 Microsoft Office System (KB951944)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {797AE457-BA17-4BBC-B501-25FB3A0103C7}
Security Update for 2007 Microsoft Office System (KB958439)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {6491B8AA-D11C-4648-A461-6234B31EB7E2}
Security Update for CAPICOM (KB931906)-->MsiExec.exe /I{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for CAPICOM (KB931906)-->MsiExec.exe /X{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for Microsoft Office Excel 2007 (KB958437)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {648FC016-2D6B-4A16-8D87-404533642F4B}
Security Update for Microsoft Office OneNote 2007 (KB950130)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {F1B2401C-B610-4BF2-AA1C-52C55827A8F4}
Security Update for Microsoft Office PowerPoint 2007 (KB951338)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {558B709B-821B-4FC5-90FC-9A8890641E77}
Security Update for Microsoft Office Publisher 2007 (KB950114)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {F9C3CDBA-1F00-4D4D-959D-75C9D3ACDD85}
Security Update for Microsoft Office system 2007 (KB954326)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {5F7F6FFF-395D-480E-8450-64F385D82C5F}
Security Update for Microsoft Office system 2007 (KB956828)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {885E081B-72BD-4E76-8E98-30B4BE468FAC}
Security Update for Microsoft Office Word 2007 (KB956358)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {4551666D-0FD6-4C69-8A81-1C6F2E64517C}
Security Update for Outlook 2007 (KB946983)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {66B9496E-C0C3-4065-9868-85CCA92126C3}
Soft Data Fax Modem with SmartCP-->C:\Program Files\CONEXANT\CNXT_MODEM_PCI_HSF\UIU32m.exe -U -I*.INF
Student and Home Edition-->"C:\Program Files\Britannica 9.0\Student and Home Edition\Uninstall_Student and Home Edition\Uninstall Student and Home Edition.exe"
System Requirements Lab-->C:\Program Files\SystemRequirementsLab\Uninstall.exe
TeraCopy 2.0 beta 4a-->"C:\Program Files\TeraCopy\unins000.exe"
Update for Office 2007 (KB946691)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {A420F522-7395-4872-9882-C591B4B92278}
Update for Outlook 2007 Junk Email Filter (kb959141)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {CC6191C2-B0CE-473C-AD77-61EA3497D796}
VC80CRTRedist - 8.0.50727.762-->MsiExec.exe /I{767CC44C-9BBC-438D-BAD3-FD4595DD148B}
Vista Shortcut Manager-->MsiExec.exe /I{47609E69-4C5E-48B1-A889-24C6B82B5C04}
Visual C++ 9.0 ATL (x86) WinSXS MSM-->MsiExec.exe /I{CEC8F2E3-AC9A-357C-BFCB-BFAC37C4AC50}
Visual C++ 9.0 CRT (x86) WinSXS MSM-->MsiExec.exe /I{0138F525-6C8A-333F-A105-14AE030B9A54}
Windows Live installer-->MsiExec.exe /X{A7E4ECCA-4A8E-4258-8EC8-2DCCF5B11320}
Windows Live Mail-->MsiExec.exe /I{184E7118-0295-43C4-B72C-1D54AA75AAF7}
Windows Live OneCare safety scanner-->RunDll32.exe "C:\Program Files\Windows Live Safety Center\wlscCore.dll",UninstallFunction WLSC_SCANNER_PRODUCT
WinRAR archiver-->C:\Program Files\WinRAR\uninstall.exe

======Hosts File======

127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com
127.0.0.1 www.00hq.com
127.0.0.1 00hq.com
127.0.0.1 010402.com
127.0.0.1 www.032439.com
127.0.0.1 032439.com

======Security center information======

AV: ESET NOD32 Antivirus 3.0
AS: ESET NOD32 Antivirus 3.0
AS: Windows Defender (disabled)

======System event log======

Computer Name: m-PC
Event Code: 46
Message: Crash dump initialization failed!
Record Number: 116060
Source Name: volmgr
Time Written: 20090321232223.081648-000
Event Type: Error
User:

Computer Name: m-PC
Event Code: 46
Message: Crash dump initialization failed!
Record Number: 116065
Source Name: volmgr
Time Written: 20090321232228.900485-000
Event Type: Error
User:

Computer Name: m-PC
Event Code: 15016
Message: Unable to initialize the security package Kerberos for server side authentication. The data field contains the error number.
Record Number: 116067
Source Name: Microsoft-Windows-HttpEvent
Time Written: 20090321232243.252577-000
Event Type: Error
User:

Computer Name: m-PC
Event Code: 14329
Message: Service 'WMPNetworkSvc' did not start correctly because the registry could not be updated due to error '0x80070006'. If possible, reinstall Windows Media Player.
Record Number: 116071
Source Name: Microsoft-Windows-WMPNSS-Service
Time Written: 20090321232308.000000-000
Event Type: Error
User:

Computer Name: m-PC
Event Code: 7000
Message: The adfs service failed to start due to the following error:
The system cannot find the file specified.
Record Number: 116105
Source Name: Service Control Manager
Time Written: 20090321232415.000000-000
Event Type: Error
User:

=====Application event log=====

Computer Name: m-PC
Event Code: 6000
Message: The winlogon notification subscriber <GPClient> was unavailable to handle a notification event.
Record Number: 17978
Source Name: Microsoft-Windows-Winlogon
Time Written: 20090321183055.000000-000
Event Type: Warning
User:

Computer Name: m-PC
Event Code: 1000
Message: Faulting application iexplore.exe, version 8.0.6001.18702, time stamp 0x49b3ad2e, faulting module urlmon.dll, version 8.0.6001.18702, time stamp 0x49b3ad4e, exception code 0xc0000005, fault offset 0x0003e819, process id 0xf40, application start time 0x01c9aa79c055eedc.
Record Number: 18098
Source Name: Application Error
Time Written: 20090321230726.000000-000
Event Type: Error
User:

Computer Name: m-PC
Event Code: 1000
Message: Faulting application iexplore.exe, version 8.0.6001.18702, time stamp 0x49b3ad2e, faulting module urlmon.dll, version 8.0.6001.18702, time stamp 0x49b3ad4e, exception code 0xc0000005, fault offset 0x0003e819, process id 0xcc, application start time 0x01c9aa79d4b11d5c.
Record Number: 18099
Source Name: Application Error
Time Written: 20090321230748.000000-000
Event Type: Error
User:

Computer Name: m-PC
Event Code: 1000
Message: Faulting application iexplore.exe, version 8.0.6001.18702, time stamp 0x49b3ad2e, faulting module urlmon.dll, version 8.0.6001.18702, time stamp 0x49b3ad4e, exception code 0xc0000005, fault offset 0x0003e819, process id 0xbc0, application start time 0x01c9aa79ddecd2bc.
Record Number: 18101
Source Name: Application Error
Time Written: 20090321230801.000000-000
Event Type: Error
User:

Computer Name: m-PC
Event Code: 1000
Message: Faulting application iexplore.exe, version 8.0.6001.18702, time stamp 0x49b3ad2e, faulting module urlmon.dll, version 8.0.6001.18702, time stamp 0x49b3ad4e, exception code 0xc0000005, fault offset 0x0003e819, process id 0x84c, application start time 0x01c9aa79e41bc51c.
Record Number: 18102
Source Name: Application Error
Time Written: 20090321230810.000000-000
Event Type: Error
User:

=====Security event log=====

Computer Name: m-PC
Event Code: 5038
Message: Code integrity determined that the image hash of a file is not valid. The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error.

File Name: \Device\HarddiskVolume1\Windows\System32\drivers\tcpip.sys
Record Number: 31976
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20090321232443.517982-000
Event Type: Audit Failure
User:

Computer Name: m-PC
Event Code: 5038
Message: Code integrity determined that the image hash of a file is not valid. The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error.

File Name: \Device\HarddiskVolume1\Windows\System32\drivers\tcpip.sys
Record Number: 31977
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20090321232443.564782-000
Event Type: Audit Failure
User:

Computer Name: m-PC
Event Code: 5038
Message: Code integrity determined that the image hash of a file is not valid. The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error.

File Name: \Device\HarddiskVolume1\Windows\System32\drivers\tcpip.sys
Record Number: 31978
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20090321232443.627182-000
Event Type: Audit Failure
User:

Computer Name: m-PC
Event Code: 5038
Message: Code integrity determined that the image hash of a file is not valid. The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error.

File Name: \Device\HarddiskVolume1\Windows\System32\drivers\tcpip.sys
Record Number: 31979
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20090321232443.705182-000
Event Type: Audit Failure
User:

Computer Name: m-PC
Event Code: 5038
Message: Code integrity determined that the image hash of a file is not valid. The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error.

File Name: \Device\HarddiskVolume1\Windows\System32\drivers\tcpip.sys
Record Number: 31980
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20090321232443.751982-000
Event Type: Audit Failure
User:

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"FP_NO_HOST_CHECK"=NO
"OS"=Windows_NT
"Path"=%systemroot%\system32;%systemroot%;%systemroot%\system32\wbem;C:\Program Files\QuickTime\QTSystem;C:\Program Files\Common Files\Ulead Systems\MPEG
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
"PROCESSOR_ARCHITECTURE"=x86
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP
"USERNAME"=SYSTEM
"windir"=%SystemRoot%
"PROCESSOR_LEVEL"=15
"PROCESSOR_IDENTIFIER"=x86 Family 15 Model 107 Stepping 1, AuthenticAMD
"PROCESSOR_REVISION"=6b01
"NUMBER_OF_PROCESSORS"=2

-----------------EOF-----------------

Attached file: log.txt (19.97 KB)
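RSIT prints each event as a block of "Key: value" lines that starts at "Computer Name:" and ends at "User:". As an added example (not RSIT's code or the original poster's), the following Python parses that layout from a constructed excerpt modelled on the info.txt above and summarises three things a helper checks there: security-center products listed as "(disabled)", event 5038 (code integrity rejected an image's hash) counted per file together with the seconds between the first and last hit, and event 1000 crashes grouped by application, faulting module and exception code. The messages in the sample are shortened, the WMI timestamp offset is dropped, and the grouping choices are this example's own.

```python
"""Summarise the event-log and security-center sections of an RSIT info.txt.

Added example for this thread, not RSIT's code or the original poster's.
SAMPLE_INFO is a constructed excerpt in RSIT's record layout (messages
shortened); groupings and field handling are this example's own.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed excerpt: section banners and "Key: value" records as RSIT prints them.
SAMPLE_INFO = r"""
======Security center information======

AV: ESET NOD32 Antivirus 3.0
AS: ESET NOD32 Antivirus 3.0
AS: Windows Defender (disabled)

=====Application event log=====

Computer Name: m-PC
Event Code: 1000
Message: Faulting application iexplore.exe, version 8.0.6001.18702, faulting module urlmon.dll, version 8.0.6001.18702, exception code 0xc0000005, fault offset 0x0003e819, process id 0xf40.
Time Written: 20090321230726.000000-000
User:

=====Security event log=====

Computer Name: m-PC
Event Code: 5038
Message: Code integrity determined that the image hash of a file is not valid. The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error.

File Name: \Device\HarddiskVolume1\Windows\System32\drivers\tcpip.sys
Time Written: 20090321232443.517982-000
User:

Computer Name: m-PC
Event Code: 5038
Message: Code integrity determined that the image hash of a file is not valid.

File Name: \Device\HarddiskVolume1\Windows\System32\drivers\tcpip.sys
Time Written: 20090321232443.564782-000
User:
"""

SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")
FIELD_RE = re.compile(r"^([A-Z][A-Za-z ]+): ?(.*)$")
FAULT_RE = re.compile(r"Faulting application (\S+), .*?faulting module (\S+), "
                      r".*?exception code (0x[0-9a-f]+)")


def split_sections(text):
    """Map each '=====Name=====' banner to the lines under it."""
    sections, current = defaultdict(list), None
    for line in text.splitlines():
        if m := SECTION_RE.match(line):
            current = m.group(1)
        elif current is not None:
            sections[current].append(line)
    return sections


def parse_records(lines):
    """Split 'Key: value' lines into records; a non-field line continues the previous value."""
    records, rec, key = [], None, None
    for line in lines:
        if m := FIELD_RE.match(line):
            key, value = m.groups()
            if key == "Computer Name":          # first field of every RSIT record
                rec = {}
                records.append(rec)
            if rec is not None:
                rec[key] = value
        elif rec is not None and key and line.strip():
            rec[key] += " " + line.strip()
    return records


def code_integrity_failures(records):
    """Event 5038 per image: (count, seconds between first and last hit)."""
    by_file = defaultdict(list)
    for r in records:
        if r.get("Event Code") == "5038" and "File Name" in r:
            # WMI datetime yyyymmddHHMMSS.ffffff-000; the UTC offset is ignored here.
            by_file[r["File Name"]].append(datetime.strptime(r["Time Written"][:21], "%Y%m%d%H%M%S.%f"))
    return {f: (len(t), (max(t) - min(t)).total_seconds()) for f, t in by_file.items()}


def application_crashes(records):
    """Event 1000 grouped by (application, faulting module, exception code)."""
    counts = Counter()
    for r in records:
        if r.get("Event Code") == "1000" and (m := FAULT_RE.search(r.get("Message", ""))):
            counts[m.groups()] += 1
    return counts


def summarize(text):
    """Disabled protection, per-image 5038 failures and grouped 1000 crashes for one info.txt."""
    sections = split_sections(text)
    disabled = [line.split(": ", 1)[1] for line in sections["Security center information"]
                if line.endswith("(disabled)")]
    return {"disabled": disabled,
            "code_integrity": code_integrity_failures(parse_records(sections["Security event log"])),
            "crashes": application_crashes(parse_records(sections["Application event log"]))}
```

Feed summarize() the whole info.txt; the real log's "Record Number", "Source Name" and "Event Type" fields are parsed the same way and simply ride along in each record.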


#4 aommaster, "I !<3 malware" (Malware Response Team, 5,289 posts, Dubai)

Posted 23 March 2009 - 07:01 PM

Thanks for posting your log.

Logs take a while to process due to the intensive research that must be done. Please give me some time to look over your logs and I will post back soon.



#5 aommaster, "I !<3 malware" (Malware Response Team, 5,289 posts, Dubai)

Posted 23 March 2009 - 09:28 PM

Sorry for the delay. I'm still working on a fix for you.

Edited by aommaster, 23 March 2009 - 09:28 PM.



#6 aommaster, "I !<3 malware" (Malware Response Team, 5,289 posts, Dubai)

Posted 24 March 2009 - 05:40 PM

Hello, mdale99.
In the future, please make sure that when you post your logs, you copy and paste them into your post rather than attach them. It makes it easier for me to look through them.

My apologies, again, for the delay.




One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would advise you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.




Download HostsXpert.zip
  • Extract (unzip) HostsXpert.zip to a permanent folder on your hard drive such as C:\HostsXpert
  • Double-click HostsXpert.exe to run the program.
  • Click "Make Hosts Writable?" in the upper right corner (If available).
  • Click "Restore Microsoft's Hosts file" and then click "OK".
  • Click the X to exit the program.
  • Note: If you were using a custom Hosts file you will need to replace any of those entries yourself.
NEXT:

We need to execute an OTMoveIt3 script
  • Please download OTMoveIt3 by OldTimer and save it to your desktop.
  • Double click the OTMoveIt3 icon on your desktop.
  • Paste the following code under the [image] area. Do not include the word "Code".
    :files
    C:\Windows\system32\abIjknpo.ini2
    C:\Windows\system32\abIjknpo.ini
    C:\Windows\system32\opnkjIba.dll
    C:\Windows\system32\GMnnWFhk.ini2
    C:\Windows\system32\GMnnWFhk.ini
    C:\Windows\system32\khFWnnMG.dll
    C:\Windows\system32\wHQqWGgh.ini2
    C:\Windows\system32\wHQqWGgh.ini
    C:\Windows\system32\hgGWqQHw.dll
    C:\Windows\system32\839ae04a-.txt
    C:\Windows\system32\TuuDNnpo.ini2
    C:\Windows\system32\TuuDNnpo.ini
    C:\Windows\system32\opnNDuuT.dll
    
    :Reg
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7F59E612-2348-43C1-99B7-6CBE1600CF37}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A0EA946B-8E37-4A8A-B485-0AE5E50441DB}]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
    "{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}"=-
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
    "authentication packages"=hex(7):msv1_0
  • Push the large [image] button.
  • OTMI3 may ask to reboot the machine. Please do so if asked.
  • Copy/Paste the contents under the [image] line here in your next reply.
  • If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

NEXT:

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Please click this link-->Jotti

When the jotti page has finished loading, click the browse button and navigate to the files listed below in bold, then click Submit. You will only be able to have one file scanned at a time.

c:\windows\system32\2EEDD582D1.sys

Please post back the results of the scan in your next post.

If Jotti is busy, try the same at Virustotal: http://www.virustotal.com/

NEXT:

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
  • Make sure you are connected to the Internet.
  • Double-click on Download_mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan.
    If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
    If you encounter any problems while downloading the updates, manually download them from here
    and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Quick Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.



In your next reply, please include the following:
  • OTMoveIt Log
  • Jotti Log
  • MBAM Log

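As an added illustration, not part of aommaster's instructions or of the OTMoveIt3 tool, the following read-only PowerShell check inspects the same three persistence points the :Reg section of the script above removes: the Browser Helper Object keys, the ShellExecuteHooks value, and the Lsa "Authentication Packages" list, which on a clean system should contain only msv1_0. The three CLSIDs are taken from the script in this thread; the registry paths are standard Windows layout, and the script changes nothing, so it can be run before or after the cleanup to confirm what is actually registered.

```powershell
# Added example: read-only inspection of the persistence points that the OTMoveIt3
# script in this thread cleans. Run from an elevated PowerShell prompt; nothing is modified.
# Caveat: on 64-bit Windows, 32-bit BHOs also live under ...\Wow6432Node\...; the affected
# machine in this thread is 32-bit Vista, so only the native path is inspected here.

# CLSIDs copied from the :Reg section of the OTMoveIt3 script posted above
$knownBadClsids = @(
    '{7F59E612-2348-43C1-99B7-6CBE1600CF37}',
    '{A0EA946B-8E37-4A8A-B485-0AE5E50441DB}',
    '{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}'
)

# Resolve a CLSID to the DLL COM would load for it (the InprocServer32 default value),
# so the analyst sees which file each registration actually points at.
function Get-ClsidDll([string]$Clsid) {
    $key = "Registry::HKEY_CLASSES_ROOT\CLSID\$Clsid\InprocServer32"
    if (Test-Path $key) { (Get-ItemProperty $key).'(default)' } else { '<no InprocServer32>' }
}

Write-Host '== Browser Helper Objects =='
$bhoKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
Get-ChildItem $bhoKey -ErrorAction SilentlyContinue | ForEach-Object {
    $clsid = $_.PSChildName                      # each subkey name is a CLSID
    $flag  = if ($knownBadClsids -contains $clsid) { 'KNOWN-BAD' } else { 'review' }
    '{0,-10} {1}  ->  {2}' -f $flag, $clsid, (Get-ClsidDll $clsid)
}

Write-Host '== ShellExecuteHooks =='
$hookKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks'
if (Test-Path $hookKey) {
    # Here the CLSIDs are value names (with empty data), not subkeys
    (Get-Item $hookKey).GetValueNames() | ForEach-Object {
        $flag = if ($knownBadClsids -contains $_) { 'KNOWN-BAD' } else { 'review' }
        '{0,-10} {1}  ->  {2}' -f $flag, $_, (Get-ClsidDll $_)
    }
}

Write-Host '== Lsa Authentication Packages (expected: msv1_0 only) =='
# REG_MULTI_SZ: every entry is a DLL that lsass.exe loads at boot, so any name
# other than msv1_0 deserves a look before the machine is trusted again.
$lsa = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
foreach ($p in @($lsa.'Authentication Packages')) {
    $flag = if ($p -eq 'msv1_0') { 'expected' } else { 'UNEXPECTED' }
    '{0,-10} {1}' -f $flag, $p
}
```

Entries marked "review" are not necessarily malicious (Windows and legitimate software register hooks and BHOs too); the DLL path shown beside each one is what to check, and an entry whose DLL no longer exists on disk is a leftover registration rather than an active component.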


#7 aommaster

    I !<3 malware

  • Malware Response Team
  • 5,289 posts
  • Gender:Male
  • Location:Dubai

Posted 27 March 2009 - 11:04 AM

Hello mdale99
Are you still with us?



#8 kahdah

  • Security Colleague
  • 11,138 posts
  • Gender:Male
  • Location:Florida

Posted 01 April 2009 - 07:44 AM

Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member with the address of this thread. This applies only to the original topic starter. Everyone else please begin a New Topic.
Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here.



