
Virtumonde


1 reply to this topic

#1 john baptist

  • Members
  • 118 posts
  • Gender:Male
  • Location:Galloway NJ

Posted 01 July 2009 - 08:36 PM

Referred here from: http://www.bleepingcomputer.com/forums/t/236259/cwindowssystem32mmbhltpfdll/ ~ OB

1. I believe it became infected when someone tried to download a file and disabled McAfee.

2. PC will only run in safe mode otherwise it becomes stuck in a reboot loop.

3. The malware has disabled system recovery and McAfee.

4. You have run several infection removal programs including Malwarebytes, SDFix, and ComboFix; all found and removed several files including virtumonde.sdn. They all detected and attempted to remove mmbhltpf.dll, but were unsuccessful.

5. In addition, when I attempted to run ComboFix the malware prevented it from running. I was able to run ComboFix after downloading a new, renamed copy.

6. I have modified the registry in order to run regedit, and have removed some registry lines referring to files (reader_exe) that I thought to be malicious.

7. I ran tfc.exe.

8. None of your symptoms have improved.

9. I have posted logs below as instructed.

DDS (Ver_09-06-26.01) - NTFSx86 NETWORK
Run by HP_Administrator at 21:18:56.96 on Wed 07/01/2009
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_05
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1534.1157 [GMT -4:00]

FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\system32\svchost -k DcomLaunch
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\Explorer.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
svchost.exe C:\WINDOWS\TEMP\VRT3.tmp
C:\WINDOWS\System32\reader_s.exe
C:\Documents and Settings\HP_Administrator\Desktop\dds.scr
C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q305&bd=pavilion&pf=desktop
uSearch Page =
uSearch Bar =
uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q305&bd=pavilion&pf=desktop
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q305&bd=pavilion&pf=desktop
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mStart Page = about:blank
uInternet Connection Wizard,ShellNext = iexplore
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mURLSearchHooks: H - No File
BHO: {3c189bb2-b417-4ed8-8f37-275e3a578394} - c:\windows\system32\mmbhltpf.dll
BHO: : {a366c088-9038-4b36-93cc-480210f5f12e} - c:\windows\system32\kquhfid.dll
TB: HP view: {b2847e28-5d7d-4deb-8b67-05d28bcf79f5} - c:\program files\hp\digital imaging\bin\HPDTLK02.dll
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: &Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
TB: {DB87BFA2-A2E3-451E-8E5A-C89982D87CBF} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Aim6] "c:\program files\aim6\aim6.exe" /d locale=en-US ee://aol/imApp
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [rru] c:\windows\tempie\rru.exe
uRun: [nvd32_r] rundll32.exe "c:\documents and settings\hp_administrator\application data\unobi.dll" s
uRun: [DiskChk help] rundll32.exe "c:\documents and settings\all users\proto.dll" run
uRunOnce: [SpybotDeletingB1286] command /c del "c:\windows\system32\mmbhltpf.dll"
uRunOnce: [SpybotDeletingD3578] cmd /c del "c:\windows\system32\mmbhltpf.dll"
uRunOnce: [SpybotDeletingB6461] command /c del "c:\documents and settings\hp_administrator\reader_s.exe"
uRunOnce: [SpybotDeletingD6159] cmd /c del "c:\documents and settings\hp_administrator\reader_s.exe"
uRunOnce: [SpybotDeletingB6120] command /c del "c:\windows\system32\reader_s.exe"
uRunOnce: [SpybotDeletingD9062] cmd /c del "c:\windows\system32\reader_s.exe"
uRunOnce: [SpybotDeletingB3871] command /c del "c:\windows\system32\mmbhltpf.dll"
uRunOnce: [SpybotDeletingD2257] cmd /c del "c:\windows\system32\mmbhltpf.dll"
mRun: [HPBootOp] "c:\program files\hewlett-packard\hp boot optimizer\HPBootOp.exe" /run
mRun: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb10.exe
mRun: [zzzHPSETUP] f:\setup.exe \RESET
mRun: [HPHmon06] c:\windows\system32\hphmon06.exe
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [mcagent_exe] c:\program files\mcafee.com\agent\mcagent.exe /runkey
mRun: [reader_s] c:\windows\system32\reader_s.exe
mRun: [services] c:\windows\services.exe
mRunOnce: [VundoFix] "c:\documents and settings\hp_administrator\desktop\new folder (2)\vundofix.exe"
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
dRun: [Picasa Media Detector] c:\program files\picasa2\PicasaMediaDetector.exe
dRun: [kell] c:\program files\manson\liser.exe
dRun: [Windows System Recover!] c:\windows\temp\notepad.exe
dRun: [reader_s] c:\documents and settings\hp_administrator\reader_s.exe
dRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\NPSWF32_FlashUtil.exe -p
StartupFolder: c:\documents and settings\hp_administrator\start menu\programs\startup\fmnupd32.exe
StartupFolder: c:\documents and settings\hp_administrator\start menu\programs\startup\zqosys32.exe
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office11\EXCEL.EXE/3000
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe
IE: {d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\hp_administrator\start menu\programs\imvu\Run IMVU.lnk
IE: {E2D4D26B-0180-43a4-B05F-462D6D54C789} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\iebutton\support.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FA9B9510-9FCB-4ca0-818C-5D0987B47C4D} - c:\program files\pokerstars.net\PokerStarsUpdate.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} - hxxp://pcpitstop.com/betapit/PCPitStop.CAB
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {9732FB42-C321-11D1-836F-00A0C993F125} - hxxp://www.pcpitstop.com/mhLbl.cab
DPF: {CAFEEFAC-0015-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_04-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} - hxxp://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin9USA.cab
DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} - hxxp://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: dwhmesmo - kquhfid.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll

============= SERVICES / DRIVERS ===============

R0 mbsslcwm;mbsslcwm;c:\windows\system32\drivers\mbsslcwm.sys [2004-8-10 23424]
R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2006-12-26 201320]
R2 WinDefend;WinDefend;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
S1 b2022c46;b2022c46;c:\windows\system32\drivers\b2022c46.sys [2009-6-13 103998]
S1 fb11786d;fb11786d;c:\windows\system32\drivers\fb11786d.sys --> c:\windows\system32\drivers\fb11786d.sys [?]
S2 hnjfrtbu;Floppy Disk Controller Monitor;c:\windows\system32\svchost.exe -k netsvcs [2004-8-10 35840]
S2 McProxy;McProxy;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2006-12-26 34304]
S2 McrdSvc;Media Center Extender Service;c:\windows\ehome\McrdSvc.exe [2005-10-20 34304]
S2 msncache;msncache;c:\windows\system32\svchost.exe -k netsvcs [2004-8-10 35840]
S2 mxfjxrtus435tiksr5735dghdsgwy80;mxfjxrtus435tiksr5735dghdsgwy80;c:\windows\mxfjxrtus435tiksr5735dghdsgwy81.exe [2009-6-16 34304]
S2 podmena;podmena;c:\windows\system32\svchost.exe -k podmena [2004-8-10 35840]
S2 vfyyuj;vfyyuj;c:\windows\system32\drivers\rihkgto.sys [2009-6-21 61440]
S3 isadisk;isadisk;c:\windows\system32\isadisk.sys [2004-8-10 2304]
S3 jbridgep;jbridgep;\??\c:\docume~1\hp_adm~1\locals~1\temp\jbridgep.sys --> c:\docume~1\hp_adm~1\locals~1\temp\jbridgep.sys [?]
S3 laguna;laguna;c:\windows\system32\drivers\cl546xm.sys [2009-7-1 248064]
S3 McSysmon;McSysmon;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2006-12-26 34304]
S3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2006-12-26 79304]
S3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2006-12-26 35240]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2006-12-26 33832]
S3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2006-12-26 40488]
S3 protect;protect;c:\windows\system32\drivers\protect.sys [2009-6-26 18944]

=============== Created Last 30 ================

2009-07-01 21:13 248,064 a------- c:\windows\system32\drivers\cl546xm.sys
2009-07-01 21:13 170,880 a------- c:\windows\system32\cl546x.dll
2009-07-01 21:13 111,232 a------- c:\windows\system32\cl5465.dll
2009-07-01 21:12 74,240 a------- c:\windows\services.exe
2009-07-01 21:12 67,584 a------- c:\windows\system32\1B.tmp
2009-07-01 21:12 20,480 a------- c:\documents and settings\hp_administrator\reader_s.exe
2009-07-01 21:12 120 a------- c:\windows\system32\18.tmp
2009-06-29 21:24 1 a------- c:\windows\system32\17.tmp
2009-06-29 21:24 84 a------- c:\windows\system32\11.tmp
2009-06-26 21:57 a-dshr-- C:\autorun.inf
2009-06-26 21:55 18,944 a---h--- c:\windows\system32\drivers\protect.sys
2009-06-26 21:55 67,584 a------- c:\windows\system32\16.tmp
2009-06-26 21:55 48,128 a------- c:\windows\system32\reader_s.exe
2009-06-26 21:55 84 a------- c:\windows\system32\10.tmp
2009-06-22 20:45 1 a------- c:\windows\system32\15.tmp
2009-06-22 20:45 108 a------- c:\windows\system32\14.tmp
2009-06-22 20:14 1 a------- c:\windows\system32\D.tmp
2009-06-22 20:14 108 a------- c:\windows\system32\C.tmp
2009-06-22 20:04 1 a------- c:\windows\system32\B.tmp
2009-06-22 20:04 108 a------- c:\windows\system32\6.tmp
2009-06-22 19:49 --d----- c:\docume~1\hp_adm~1\applic~1\bxokewmw
2009-06-22 19:28 1 a------- c:\windows\system32\13.tmp
2009-06-22 19:28 108 a------- c:\windows\system32\12.tmp
2009-06-22 18:48 1 a------- c:\windows\system32\F.tmp
2009-06-22 18:47 108 a------- c:\windows\system32\E.tmp
2009-06-22 18:29 1 a------- c:\windows\system32\A.tmp
2009-06-22 18:29 108 a------- c:\windows\system32\9.tmp
2009-06-22 18:14 1 a------- c:\windows\system32\5.tmp
2009-06-22 18:14 108 a------- c:\windows\system32\4.tmp
2009-06-22 17:45 1 a------- c:\windows\system32\8.tmp
2009-06-22 17:45 108 a------- c:\windows\system32\7.tmp
2009-06-22 17:26 1 a------- c:\windows\system32\101.tmp
2009-06-22 17:26 108 a------- c:\windows\system32\100.tmp
2009-06-22 16:45 1 a------- c:\windows\system32\FD.tmp
2009-06-22 16:45 108 a------- c:\windows\system32\FC.tmp
2009-06-22 16:27 1 a------- c:\windows\system32\F9.tmp
2009-06-22 16:27 108 a------- c:\windows\system32\F8.tmp
2009-06-22 16:06 578,560 a------- c:\windows\system32\dllcache\user32.dll
2009-06-22 15:51 --d----- c:\windows\ERUNT
2009-06-22 15:50 --d----- C:\SDFix
2009-06-22 11:31 --d----- C:\VundoFix Backups
2009-06-21 19:32 62,465 a------- c:\documents and settings\hp_administrator\bleep you.exe
2009-06-21 16:45 46,080 a------- c:\windows\system32\knfgd32.dll
2009-06-21 16:45 36,133 a------- c:\windows\system32\kld
2009-06-21 12:55 664 a------- c:\windows\system32\d3d9caps.dat
2009-06-21 12:48 182,656 a------- c:\windows\system32\dllcache\ndis.sys
2009-06-21 12:46 4,122,368 a----r-- c:\windows\system32\drivers\alcxwdm.sys.bak
2009-06-21 12:23 61,440 a------- c:\windows\system32\drivers\rihkgto.sys
2009-06-16 19:09 2 ----h--- c:\windows\ro122689.dat
2009-06-16 07:23 --d----- c:\windows\DLL
2009-06-16 07:22 --d-h--- c:\windows\system32\3361
2009-06-16 07:22 108,336 a------- c:\windows\system32\MSWINSCK.OCX
2009-06-16 07:22 175,616 a------- c:\windows\system32\tpsaxyd.exe
2009-06-16 07:22 34,304 a------- c:\windows\mxfjxrtus435tiksr5735dghdsgwy81.exe
2009-06-16 07:22 --dshr-- c:\program files\Manson
2009-06-13 19:48 1 ----h--- c:\windows\bf23567.dat
2009-06-13 19:48 2 ----h--- c:\windows\ro123222.dat
2009-06-13 19:48 2 ----h--- c:\windows\ro123198.dat
2009-06-13 19:48 2 ----h--- c:\windows\ro123290.dat
2009-06-13 19:47 103,998 a------- c:\windows\system32\drivers\b2022c46.sys
2009-06-09 19:46 --d----- c:\program files\podmena
2009-06-09 19:46 1 ----h--- c:\windows\msmark2.dat
2009-06-09 19:46 1 ----h--- c:\windows\f23567.dat
2009-06-09 19:46 46,592 a---h--- c:\windows\freddy46.exe
2009-06-09 19:46 2 ----h--- c:\windows\ro122390.dat
2009-06-09 19:46 2 ----h--- c:\windows\ro122366.dat
2009-06-09 19:46 2 ----h--- c:\windows\ro122458.dat
2009-06-09 19:44 92,051 a------- c:\documents and settings\hp_administrator\doolbman.exe
2009-06-09 19:44 23,040 a------- c:\documents and settings\hp_administrator\5.exe
2009-06-09 19:44 119 a------- c:\documents and settings\hp_administrator\dummy.bat
2009-06-09 07:56 36,352 a------- c:\documents and settings\all users\proto.dll
2009-06-09 07:55 55,808 a------- c:\docume~1\hp_adm~1\applic~1\unobi.dll

==================== Find3M ====================

2009-06-21 12:48 182,656 a------- c:\windows\system32\drivers\ndis.sys
2009-06-21 12:23 1,896 a------- c:\program files\gmsyzfm.txt
2009-06-20 18:24 34,304 a------- c:\windows\system32\wbem\wmiapsrv.exe
2009-06-20 18:23 34,304 a------- c:\windows\system32\vssvc.exe
2009-06-20 18:23 34,304 a------- c:\windows\system32\ups.exe
2009-06-20 18:23 34,304 a------- c:\windows\system32\tlntsvr.exe
2009-06-20 18:23 34,304 a------- c:\windows\system32\smlogsvc.exe
2009-06-20 18:22 34,304 a------- c:\windows\system32\spoolsv.exe
2009-06-20 18:22 34,304 a------- c:\windows\system32\scardsvr.exe
2009-06-20 18:22 34,304 a------- c:\windows\system32\rsvp.exe
2009-06-20 18:22 34,304 a------- c:\windows\system32\locator.exe
2009-06-20 18:20 34,304 a------- c:\windows\system32\HPZipm12.exe
2009-06-20 18:18 34,304 a------- c:\windows\system32\netdde.exe
2009-06-20 18:18 34,304 a------- c:\windows\system32\msdtc.exe
2009-06-20 18:17 34,304 a------- c:\windows\system32\mnmsrvc.exe
2009-06-20 18:14 34,304 a------- c:\windows\system32\imapi.exe
2009-06-20 18:13 135,680 a------- c:\windows\system32\taskmgr.exe
2009-06-20 18:13 34,304 a------- c:\windows\system32\fxssvc.exe
2009-06-20 18:10 34,304 a------- c:\windows\system32\clipsrv.exe
2009-06-20 18:10 34,304 a------- c:\windows\system32\cisvc.exe
2009-06-20 18:09 34,304 a------- c:\windows\system32\ati2sgag.exe
2009-06-20 18:09 34,304 a------- c:\windows\system32\alg.exe
2009-06-17 05:38 283,648 a------- c:\windows\winhlp32.exe
2009-06-17 05:38 110,592 a------- c:\windows\unvise32qt.exe
2009-06-17 05:38 25,600 a------- c:\windows\twunk_32.exe
2009-06-17 05:38 15,360 a------- c:\windows\TASKMAN.EXE
2009-06-17 05:38 57,442 a------- c:\windows\slrundll.exe
2009-06-17 05:38 146,432 a------- c:\windows\regedit.exe
2009-06-17 05:37 69,120 a------- c:\windows\notepad.exe
2009-06-17 05:37 306,688 a------- c:\windows\IsUninst.exe
2009-06-17 05:37 23,040 a------- c:\windows\kb913800.exe
2009-06-17 05:37 10,752 a------- c:\windows\hh.exe
2009-06-17 05:37 143,360 a----r-- c:\windows\bwUnin-6.3.2.62.exe
2009-06-17 05:37 81,920 a------- c:\windows\ALCXMNTR.EXE
2009-06-17 05:36 339,968 a------- c:\windows\alcupd.exe
2009-06-17 05:36 241,664 a------- c:\windows\Alcrmv.exe
2009-06-17 05:36 64,512 a------- c:\windows\agrsmdel.exe
2009-06-16 19:56 602,112 a------- c:\windows\soundman.exe
2009-06-16 19:54 15,360 a------- c:\windows\system32\ctfmon.exe
2009-06-16 19:53 684,032 a------- c:\windows\system32\hphmon06.exe
2009-06-16 19:53 1,033,728 a------- c:\windows\explorer.exe
2009-06-16 19:53 33,280 a------- c:\windows\system32\rundll32.exe
2009-06-13 15:35 733,588 a------- c:\windows\system32\kungsfapxvlflf.dat
2008-01-27 01:28 530 a------- c:\docume~1\hp_adm~1\applic~1\wklnhst.dat
2005-09-16 14:29 251 a------- c:\program files\wt3d.ini

============= FINISH: 21:19:42.23 ===============


DDS (Ver_09-06-26.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume2
Install Date: 8/6/2005 1:11:06 PM
System Uptime: 7/1/2009 9:11:23 PM (0 hours ago)

Motherboard: MSI | | ALBACORE
Processor: AMD Athlon™ 64 Processor 3500+ | Socket 939 | 2188/200mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 225 GiB total, 172.781 GiB free.
D: is FIXED (FAT32) - 8 GiB total, 1.39 GiB free.
E: is CDROM ()
F: is CDROM ()
G: is Removable
H: is Removable
I: is Removable
J: is Removable
K: is Removable

==== Disabled Device Manager Items =============

==== System Restore Points ===================

No restore point in system.

==== Installed Programs ======================

Adobe Acrobat - Reader 6.0.2 Update
Adobe Flash Player 10 ActiveX
Adobe Flash Player Plugin
Adobe Reader 6.0.1
Advanced X Video Converter
Age of Empires III
Age of Mythology
Age of Mythology - The Titans Expansion
AGEIA PhysX v2.6.0
Agere Systems PCI Soft Modem
AIM 6
Aim Plugin for QQ Games
AIMTunes
AiO_Scan
AiOSoftware
Alive Video Converter (version 3.1.8.6)
AOL Instant Messenger
ATI Control Panel
ATI Display Driver
AusLogics Disk Defrag
AutoUpdate
BufferChm
CameraDrivers
Card And Board Deluxe Suite
CCleaner (remove only)
Copy
CP_AtenaShokunin1Config
cp_dwSharkTaleAlbums1
cp_dwSharkTaleCards1
cp_dwShrek2Albums1
cp_dwShrek2Cards1
CP_PLSBusinessFlyers
CreativeProjects
CreativeProjectsTemplates
Critical Update for Windows Media Player 11 (KB959772)
CueTour
Destinations
Director
DivX Codec
DivX Content Uploader
DivX Converter
DivX Player
DivX Web Player
DocProc
DocumentViewer
Fax
GameTap
GemMaster Mystic
Go Fish
Graffiti Studio 2.0
Guild Wars
Help and Support Additions
HijackThis 1.99.1
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 10 (KB903157)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
HP Boot Optimizer
HP Deskjet 3840
HP Deskjet Printer Preload
HP Help and Support 4.0
HP Image Zone 4.8.6
HP Image Zone for Media Center PC
HP Image Zone Plus 4.8.6
HP Photosmart Cameras 4.0
HP Photosmart Cameras 4.5
HP Product Assistant
HP PSC & OfficeJet 4.7
HP Software Update
HP Tunes
HPIZplus450
HpSdpAppCoreApp
HPSystemDiagnostics
IMVU Avatar chat software (BETA)
InstantShare
IntelliMover Data Transfer Demo
InterActual Player
InterVideo WinDVD Player
iTunes
J2SE Runtime Environment 5.0
J2SE Runtime Environment 5.0 Update 4
J2SE Runtime Environment 5.0 Update 6
Java™ 6 Update 2
Java™ 6 Update 5
KBD
LimeWire 4.10.0
LS_HSI
Macromedia Shockwave Player
Malwarebytes' Anti-Malware
McAfee SecurityCenter
Media Center Extender
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft Age of Empires II
Microsoft Age of Empires II: The Conquerors Expansion
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Kernel-Mode Driver Framework Feature Pack 1.1
Microsoft National Language Support Downlevel APIs
Microsoft Office Standard Edition 2003
Microsoft Plus! Dancer LE
Microsoft Plus! Digital Media Edition Installer
Microsoft Plus! Photo Story 2 LE
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Works
MSXML 4.0 SP2 (KB925672)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML4 Parser
Multimedia Fusion Developer 2
muvee autoProducer 4.0
muvee autoProducer unPlugged - HPD
Otto
Overland
PanoStandAlone
PC-Doctor for Windows
PhotoGallery
Photosmart 320,370,7400,8100,8400 Series
Picasa 2
PrintScreen
PS2
PSPrinters06
Python 2.2 pywin32 extensions (build 203)
Python 2.2.3
QFolder
QQ Games
QQ Pool
QuickProjects
QuickTime
Readme
Realtek AC'97 Audio
REALTEK GbE & FE Ethernet PCI NIC Driver
RegScrubXP 3.25
Remove Microsoft Money 2005 installer
Remove Quicken New User Edition installer
Rome - Total War™
Scan
ScannerCopy
Security Update for CAPICOM (KB931906)
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB961373)
SkinsHP1
Sonic Encoders
Sonic Express Labeler
Sonic MyDVD Plus
Sonic RecordNow Audio
Sonic RecordNow Copy
Sonic RecordNow Data
Sonic Update Manager
Spybot - Search & Destroy
Spybot - Search & Destroy 1.4
SpywareBlaster v3.5.1
Star Wars Empire at War
The Flame Object for MMF 2
The Weather Channel Desktop
TrayApp
Unload
Update for Windows Media Player 10 (KB913800)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update Rollup 2 for Windows XP Media Center Edition 2005
Updates from HP
Virtual DJ - Atomix Productions
WebFldrs XP
WebReg
WinAVI Video Converter
Windows Defender
Windows Defender Signatures
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage v1.3.0254.0
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 7
Windows Media Format 11 runtime
Windows Media Player 10 Hotfix [See KB889858 for more information]
Windows Media Player 11
Windows XP Media Center Edition 2005 KB888316
Windows XP Media Center Edition 2005 KB890629
Windows XP Media Center Edition 2005 KB895678
Windows XP Media Center Edition 2005 KB905589
Windows XP Media Center Edition 2005 KB925766
Windows XP Service Pack 3

==== Event Viewer Messages From Past Week ========

6/26/2009 9:56:29 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
6/26/2009 9:56:21 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AmdK8 Fips
6/26/2009 9:56:21 PM, error: Service Control Manager [7023] - The srservice service terminated with the following error: The system cannot find the file specified.
6/26/2009 9:56:21 PM, error: Service Control Manager [7000] - The mcmscsvc service failed to start due to the following error: The system cannot find the file specified.
6/26/2009 9:55:17 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
6/26/2009 9:55:13 PM, error: SRService [104] - The System Restore initialization process failed.

==== End Of File ===========================

Edited by Orange Blossom, 01 July 2009 - 08:49 PM.



#2 miekiemoes

    Malware Killer Dog

  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 02 July 2009 - 08:05 AM

Hi,

I have bad news for you :thumbup2:

I see you're dealing with Virut on top of the other nasty malware you are dealing with. In that case, it's unfortunately a lost case, a game-over situation, and a format and reinstall is the fastest and especially the safest solution.

You may want to read this to see why:
Virut and other File infectors - Throwing in the Towel?

So, I suggest you start backing up all of your valuable data/documents/pictures/movies/songs/etc. Do NOT back up any applications/installers and do NOT back up any .exe/.scr/.htm/.html/.xml/.zip/.rar files...
This is because these files may be infected as well. If you back them up and replace them afterwards, it will infect your computer again.


Read here for instructions on how to format and reinstall Windows: http://web.mit.edu/ist/products/winxp/adva...all-format.html
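The backup rule the reply gives (copy documents and media, skip every .exe/.scr/.htm/.html/.xml/.zip/.rar file so a file infector is not carried over to the rebuilt machine) written out as an added example; this is not code from the thread or from BleepingComputer, and the sample file names it creates are constructed. It also handles two cases the reply does not spell out: upper-case extensions and double extensions such as photo.jpg.exe.

```python
import os
import shutil
import tempfile
from pathlib import Path

# Exactly the types the reply above says not to back up, lower-cased.
BLOCKED_EXTENSIONS = {".exe", ".scr", ".htm", ".html", ".xml", ".zip", ".rar"}


def is_blocked(name):
    """True if any suffix of the file name is on the blocked list.

    Every suffix is checked, not just the last one, so 'holiday.jpg.exe'
    is caught; the comparison is case-insensitive because Windows is.
    The trade-off is that 'notes.exe.txt' is also skipped (conservative).
    """
    return any(s.lower() in BLOCKED_EXTENSIONS for s in Path(name).suffixes)


def plan_backup(src_root):
    """Walk src_root and return (copied, skipped): sorted lists of relative
    POSIX-style paths. Nothing is copied, so the plan can be reviewed first."""
    copied, skipped = [], []
    for dirpath, _dirs, filenames in os.walk(src_root):
        for name in filenames:
            rel = Path(dirpath, name).relative_to(src_root).as_posix()
            (skipped if is_blocked(name) else copied).append(rel)
    return sorted(copied), sorted(skipped)


def run_backup(src_root, dst_root):
    """Copy only the files plan_backup() allows, preserving the directory
    tree and timestamps (copy2). Returns the same (copied, skipped) lists."""
    copied, skipped = plan_backup(src_root)
    for rel in copied:
        dst = Path(dst_root, rel)
        dst.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(Path(src_root, rel), dst)
    return copied, skipped


# Constructed sample tree (not from the poster's machine) used by demo().
SAMPLE_FILES = [
    "My Documents/letter.doc",
    "My Documents/photos/holiday.jpg",
    "My Documents/photos/holiday.jpg.exe",   # double extension
    "Music/song.mp3",
    "Downloads/archive.zip",
    "Downloads/index.HTML",                  # upper-case extension
    "Programs/installer.EXE",
]


def build_sample_tree(root):
    """Create the constructed sample files under root."""
    for rel in SAMPLE_FILES:
        p = Path(root, rel)
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text("sample content\n")


def demo():
    """Build the sample tree in a temp dir, run a real copy into a second
    temp dir, and return (copied, skipped, files actually present in dst)."""
    with tempfile.TemporaryDirectory() as src, tempfile.TemporaryDirectory() as dst:
        build_sample_tree(src)
        copied, skipped = run_backup(src, dst)
        present = sorted(p.relative_to(dst).as_posix()
                         for p in Path(dst).rglob("*") if p.is_file())
        return copied, skipped, present


if __name__ == "__main__":
    copied, skipped, present = demo()
    print("copied :", copied)
    print("skipped:", skipped)
```

The blocked set is exactly the reply's list; other types that carry code (.bat, .com, .dll, .lnk, ...) are not excluded by it, so extend BLOCKED_EXTENSIONS if you want a stricter backup.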



