Answers to your tech questions
Computer forums for help with removing malicious software (malware) and improving computer security

[Closed] Virtumonde won't stay dead
LarrySchultz
post Jul 8 2008, 10:11 PM
Post #1


New Member
*

Group: New Member
Posts: 6
Joined: 8-July 08
Member No.: 80,141
Operating System: Windows 2K



I know I have at least one bug: Spyware Doctor calls it Trojan.virtumonde It kills it, and within minutes, the pop-ups return.

I am running PCTools and CA Security. No indication how the bug gets back in (if it ever leaves).

Here is the latest Hijackthis.log

Any advice as to how to get my computer back would be greatly appreciated.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:07:47 PM, on 7/8/2008
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
C:\WINNT\system32\Brmfrmps.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
C:\PowerPanel\upssrv.exe
C:\WINNT\System32\svchost.exe
C:\PowerPanel\upsio.exe
C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.EXE
C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfsem.exe
C:\WINNT\System32\keyhook.exe
C:\WINNT\SOUNDMAN.EXE
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-5.1.18.0\QOELoader.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe
C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\CAPPActiveProtection.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\WINNT\system32\sistray.exe
C:\Program Files\Hamachi\hamachi.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\mcs\Desktop\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = Download Directory
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: {c8814357-8dab-405a-2f94-d9552b07255b} - {b55270b2-559d-49f2-a504-bad87534188c} - C:\WINNT\system32\kyespy.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SiS Windows KeyHook] C:\WINNT\System32\keyhook.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
O4 - HKLM\..\Run: [PPRT] C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC_Logon.exe
O4 - HKLM\..\Run: [QOELOADER] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-5.1.18.0\QOELoader.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe"
O4 - HKLM\..\Run: [cafwc] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\cafw.exe -cl
O4 - HKLM\..\Run: [capfasem] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - Startup: Hamachi.lnk = C:\Program Files\Hamachi\hamachi.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Utility Tray.lnk = C:\WINNT\system32\sistray.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://supportcenter.rr.com/sdccommon/download/tgctlcm.cab
O16 - DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} (MeadCo ScriptX 5.5 Basic) - http://www.bestmark.com/support/ScriptX.cab
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - https://config.skillcheck.com/onlinetesting...linetesting.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1130650775515
O16 - DPF: {75565ED2-1560-4F15-B841-20358DE6A0D1} (ImageControl Class) - http://c.ancestry.com/cab/ImageViewer/MFImgVwr.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {861DB4B6-3838-11D2-8E50-002018200E57} (MrSIDI Control) - http://images.myfamily.net/isfiles/downloads/MrSIDI.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab56649.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...645/mcfscan.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/RACtrl.cab
O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Brother Industries, Ltd. - C:\WINNT\system32\Brmfrmps.exe
O23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
O23 - Service: UPS Service (CyberPowerUPS) - Cyber Power System Inc. - C:\PowerPanel\upssrv.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: PPCtlPriv - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: HIPS Event Manager (UmxAgent) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
O23 - Service: HIPS Configuration Interpreter (UmxCfg) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
O23 - Service: HIPS Firewall Helper (UmxFwHlp) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
O23 - Service: HIPS Policy Manager (UmxPol) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe
O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
O24 - Desktop Component 1: (no name) - http://milescooley.com/mc/cards/noah/noah.html

--
End of file - 9588 bytes
Tomk
post Jul 8 2008, 10:46 PM
Post #2


Extrication Intern

Group: Malware Team
Posts: 2,267
Joined: 27-December 07
From: Sisters, OR
Member No.: 75,503
Operating System: xp



Hi LarrySchultz, and Welcome to WhatTheTech

My name is Tomk. I would be glad to take a look at your log and help you with solving any malware problems. HijackThis logs can take a while to research, so please be patient and I'd be grateful if you would note the following:

  • I will be working on your Malware issues; this may or may not solve other issues you have with your machine.
  • The fixes are specific to your problem and should only be used for the issues on this machine.
  • Please continue to review my answers until I tell you your machine appears to be clear. Absence of symptoms does not mean that everything is clear.
  • It's often worth reading through these instructions and printing them for ease of reference.
  • If you don't know or understand something, please don't hesitate to say or ask!! It's better to be sure and safe than sorry.
  • Please reply to this thread. Do not start a new topic.


Did you set that O24 in HijackThis (O24 - Desktop Component 1: (no name) - http://milescooley.com/mc/cards/noah/noah.html)? If not, please do the following:

Go to start -> control panel -> Display properties -> Desktop -> Customize Desktop... -> Web tab, then uncheck and delete everything you find in there (except for "My current home page"),

Also remove the checkmark from the Lock Desktop Items box if it is checked.
Apply.
Apply and Exit Display properties.

Then

Please download ATF Cleaner by Atribune.
Download - ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

(If you use Firefox or the Opera browser: to keep saved passwords, click No at the prompt.)

It's normal after running ATF cleaner that the PC will be slower to boot the first time or two.

Next

Please download Malwarebytes' Anti-Malware to your desktop.

  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please save it to a convenient location and post the results.
  • Note: If you receive a notice that some of the items couldn't be removed, that they have been added to the delete on reboot list, please reboot (shut down your computer then restart it).

Also "copy/paste" a new HijackThis log file into this thread.

Also please describe how your computer behaves at the moment.

LarrySchultz
post Jul 8 2008, 11:36 PM
Post #3


New Member
*

Group: New Member
Posts: 6
Joined: 8-July 08
Member No.: 80,141
Operating System: Windows 2K



TomC,

Thanks for your help with my problem. I was able to accomplish the first 2 tasks with no problems. Malwarebytes' Anti-Malware installed, but errored out and would not update (said it could not connect to the internet). I confirmed the CA Firewall is not blocking access.

When I started a scan, the program looked at 4 or 5 entries then blanked from the screen. It does not show as running in tasks as an application either. When I click the icon to restart the program, I get "Malwarebytes' Anti-Malware is already running" prompt.

When I started IExplore to send this reply, IE also crashed. I am using Mozilla to send the reply. Here is the latest HijackThis Log.

Larry

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:26:47 PM, on 7/8/2008
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
C:\WINNT\system32\Brmfrmps.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
C:\PowerPanel\upssrv.exe
C:\WINNT\System32\svchost.exe
C:\PowerPanel\upsio.exe
C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.EXE
C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfsem.exe
C:\WINNT\System32\keyhook.exe
C:\WINNT\SOUNDMAN.EXE
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-5.1.18.0\QOELoader.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe
C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINNT\system32\sistray.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\CAPPActiveProtection.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\mcs\Desktop\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = Download Directory
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: {c8814357-8dab-405a-2f94-d9552b07255b} - {b55270b2-559d-49f2-a504-bad87534188c} - C:\WINNT\system32\kyespy.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SiS Windows KeyHook] C:\WINNT\System32\keyhook.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
O4 - HKLM\..\Run: [PPRT] C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC_Logon.exe
O4 - HKLM\..\Run: [QOELOADER] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-5.1.18.0\QOELoader.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe"
O4 - HKLM\..\Run: [cafwc] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\cafw.exe -cl
O4 - HKLM\..\Run: [capfasem] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - Startup: Hamachi.lnk = C:\Program Files\Hamachi\hamachi.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Utility Tray.lnk = C:\WINNT\system32\sistray.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://supportcenter.rr.com/sdccommon/download/tgctlcm.cab
O16 - DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} (MeadCo ScriptX 5.5 Basic) - http://www.bestmark.com/support/ScriptX.cab
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - https://config.skillcheck.com/onlinetesting...linetesting.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1130650775515
O16 - DPF: {75565ED2-1560-4F15-B841-20358DE6A0D1} (ImageControl Class) - http://c.ancestry.com/cab/ImageViewer/MFImgVwr.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {861DB4B6-3838-11D2-8E50-002018200E57} (MrSIDI Control) - http://images.myfamily.net/isfiles/downloads/MrSIDI.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab56649.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...645/mcfscan.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/RACtrl.cab
O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Brother Industries, Ltd. - C:\WINNT\system32\Brmfrmps.exe
O23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
O23 - Service: UPS Service (CyberPowerUPS) - Cyber Power System Inc. - C:\PowerPanel\upssrv.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: PPCtlPriv - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: HIPS Event Manager (UmxAgent) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
O23 - Service: HIPS Configuration Interpreter (UmxCfg) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
O23 - Service: HIPS Firewall Helper (UmxFwHlp) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
O23 - Service: HIPS Policy Manager (UmxPol) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe
O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe

--
End of file - 9350 bytes


Tomk
post Jul 8 2008, 11:43 PM
Post #4


Extrication Intern

Group: Malware Team
Posts: 2,267
Joined: 27-December 07
From: Sisters, OR
Member No.: 75,503
Operating System: xp



LarrySchultz,

OK then. Let's try this instead.

A. Please download ComboFix by sUBs from HERE or HERE directly to your Desktop.

Note: If you already have ComboFix on your machine, please DELETE it from your desktop before downloading the newest version.

B. Now we must disable some of your security programs so that they do not interfere with the running of our tools:

SPYWARE DOCTOR
  • Click the Spyware Doctor icon in the System Tray.
  • Click Settings.
  • Click Startup Settings under Pick a Category.
  • Uncheck "Run at Windows startup".
  • Click Apply and Exit Spyware Doctor.
  • From within Spyware Doctor, click the "OnGuard" button on the left side.
  • Uncheck "Activate OnGuard".
  • (When we are done, you can reenable Spyware Doctor)


C. Go to Start -> Run -> copy/paste the following single line command in the run box & click OK

"%userprofile%\desktop\combofix.exe" /killall

  • DO NOT USE your computer for any other purpose while ComboFix is running.
  • ComboFix may restart your computer, this is normal.
  • When finished, it will produce a log, ComboFix.txt.
  • Please post ComboFix.txt in your next reply along with a new HijackThis log.



Notes:

1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.
3. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
4. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
5. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
LarrySchultz
post Jul 9 2008, 12:25 AM
Post #5


New Member
*

Group: New Member
Posts: 6
Joined: 8-July 08
Member No.: 80,141
Operating System: Windows 2K



TomK,

ComboFix run is complete, here are the log file results. On a side note, when I turned Spyware Doctor back on, it found another Trojan: trojan.generic, software/wget. So I suspect they still have a way in?

(PS the Spyware Doctor disable directions made no sense, but I was able to stop the services so they did not interfere).

Larry
Thanks for all the help, but I must head to bed now (must get up for work in 5 hours)

ComboFix 08-07-08.5 - mcs 07/08/2008 22:54:55.1 - NTFSx86
Microsoft Windows 2000 Professional 5.0.2195.4.1252.1.1033.18.778 [GMT -7:00]
Running from: C:\temp\ComboFix.exe
Command switches used :: /killall

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINNT\cookies.ini
C:\WINNT\Downloaded Program Files\setup.inf
C:\WINNT\pskt.ini
C:\WINNT\system32\config\SAM.SAV
C:\WINNT\system32\ffkomiqd.ini
C:\WINNT\system32\gyuohomq.dll
C:\WINNT\system32\hfmgevtr.dll
C:\WINNT\system32\kyespy.dll
C:\WINNT\system32\mcrh.tmp
C:\WINNT\system32\mdm.exe
C:\WINNT\system32\MTDJPXbc.ini
C:\WINNT\system32\MTDJPXbc.ini2
C:\WINNT\system32\xcoisfcw.ini
C:\WINNT\system32\xcoisfcw.ini2
C:\WINNT\system32\xcoisfcw.tmp
C:\WINNT\system32\ynkstlku.dll
C:\WINNT\Web\default.htt

.
((((((((((((((((((((((((( Files Created from 2008-06-09 to 2008-07-09 )))))))))))))))))))))))))))))))
.

2008-07-08 22:46 . 08-07-08 22:46 2,608,075 --a------ C:\Temp\ComboFix.exe
2008-07-08 22:16 . 08-07-08 22:16 <DIR> d-------- C:\Documents and Settings\mcs\Application Data\Malwarebytes
2008-07-08 22:15 . 08-07-08 22:16 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-07-08 22:15 . 08-07-08 22:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-08 22:15 . 08-07-08 22:15 1,774,048 --a------ C:\Temp\mbam-setup.exe
2008-07-08 22:15 . 08-07-07 17:35 34,296 --a------ C:\WINNT\system32\drivers\mbamcatchme.sys
2008-07-08 22:15 . 08-07-07 17:35 17,144 --a------ C:\WINNT\system32\drivers\mbam.sys
2008-07-08 22:12 . 08-07-08 22:12 50,688 --a------ C:\Temp\ATF-Cleaner.exe
2008-07-07 21:58 . 08-07-07 21:58 0 --a------ C:\WINNT\system32\REN13F.tmp
2008-07-07 21:56 . 08-07-07 21:56 0 --a------ C:\WINNT\system32\REN139.tmp
2008-07-07 21:48 . 08-07-07 21:48 <DIR> d-------- C:\Program Files\Sun
2008-07-07 21:48 . 08-07-07 21:48 0 --a------ C:\WINNT\system32\REN128.tmp
2008-07-07 18:41 . 08-07-07 18:39 159,880 --a------ C:\WINNT\system32\drivers\pctfw2.sys
2008-07-07 18:39 . 08-07-07 18:41 <DIR> d-------- C:\Program Files\Common Files\PC Tools
2008-07-07 18:35 . 08-07-07 18:35 743,280 --a------ C:\Temp\PCTResetSD.exe
2008-07-03 09:35 . 08-07-08 22:52 <DIR> d-------- C:\Program Files\Spyware Doctor
2008-07-03 09:35 . 08-07-03 09:35 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\PC Tools
2008-07-03 09:35 . 08-06-10 21:22 81,288 --a------ C:\WINNT\system32\drivers\iksyssec.sys
2008-07-03 09:35 . 08-06-02 15:19 66,952 --a------ C:\WINNT\system32\drivers\iksysflt.sys
2008-07-03 09:35 . 08-06-02 15:19 42,376 --a------ C:\WINNT\system32\drivers\ikfilesec.sys
2008-07-03 09:35 . 08-06-02 15:19 29,576 --a------ C:\WINNT\system32\drivers\kcom.sys
2008-07-02 19:00 . 08-07-02 19:00 54,156 --ah----- C:\WINNT\QTFont.qfn
2008-07-02 19:00 . 08-07-02 19:00 1,409 --a------ C:\WINNT\QTFont.for
2008-07-01 01:00 . 08-07-01 01:00 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Jasc Software Inc
2008-07-01 00:06 . 08-07-01 00:06 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\AdobeUM
2008-06-30 23:26 . 08-06-30 23:26 13,380,712 --a------ C:\Temp\sdsetup.exe
2008-06-30 21:46 . 08-07-07 22:51 <DIR> d-------- C:\WINNT\CAVTemp
2008-06-30 18:01 . 08-06-30 18:59 <DIR> d-------- C:\VundoFix Backups
2008-06-30 18:01 . 08-06-30 18:01 119,808 --a------ C:\Temp\VundoFix.exe
2008-06-30 17:52 . 08-06-30 17:52 93 --a------ C:\WINNT\wininit.ini
2008-06-30 14:36 . 08-06-30 14:36 <DIR> d-------- C:\Documents and Settings\mcs\Application Data\Spybot - Search & Destroy
2008-06-28 22:42 . 08-06-30 21:00 110,481 --a------ C:\WINNT\BMdf44013b.xml
2008-06-26 19:09 . 08-07-08 22:57 152,506 --a------ C:\WINNT\system32\drivers\kmxcfg.u2k0
2008-06-26 19:09 . 08-07-08 22:57 64 --a------ C:\WINNT\system32\drivers\kmxcfg.u2k7
2008-06-26 19:09 . 08-07-08 22:57 64 --a------ C:\WINNT\system32\drivers\kmxcfg.u2k6
2008-06-26 19:09 . 08-07-08 22:57 64 --a------ C:\WINNT\system32\drivers\kmxcfg.u2k5
2008-06-26 19:09 . 08-07-08 22:57 64 --a------ C:\WINNT\system32\drivers\kmxcfg.u2k4
2008-06-26 19:09 . 08-07-08 22:57 64 --a------ C:\WINNT\system32\drivers\kmxcfg.u2k3
2008-06-26 19:09 . 08-07-08 22:57 64 --a------ C:\WINNT\system32\drivers\kmxcfg.u2k2
2008-06-26 19:09 . 08-07-08 22:57 64 --a------ C:\WINNT\system32\drivers\kmxcfg.u2k1
2008-06-26 19:07 . 08-06-26 19:07 0 --a------ C:\WINNT\1
2008-06-26 18:58 . 08-06-26 18:58 880,560 --a------ C:\WINNT\system32\drivers\vetefile.sys
2008-06-26 18:58 . 08-06-26 18:58 108,368 --a------ C:\WINNT\system32\drivers\veteboot.sys
2008-06-26 18:50 . 08-06-26 18:50 <DIR> d-------- C:\Program Files\Common Files\Scanner
2008-06-26 18:50 . 08-06-26 18:50 <DIR> d-------- C:\Program Files\CA
2008-06-26 18:50 . 08-06-26 18:57 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\CA
2008-06-26 18:50 . 07-08-20 13:37 99,592 --a------ C:\WINNT\system32\isafeif.dll
2008-06-26 18:50 . 07-08-20 13:26 79,424 --a------ C:\WINNT\system32\vetredir.dll
2008-06-26 18:50 . 07-08-20 13:37 75,016 --a------ C:\WINNT\system32\isafprod.dll
2008-06-26 18:50 . 07-08-20 13:38 32,264 --a------ C:\WINNT\system32\drivers\vetmonnt.sys
2008-06-26 18:50 . 07-08-20 13:38 26,376 --a------ C:\WINNT\system32\drivers\vet-filt.sys
2008-06-26 18:50 . 07-08-20 13:38 21,512 --a------ C:\WINNT\system32\drivers\vetfddnt.sys
2008-06-26 18:50 . 07-08-20 13:38 21,128 --a------ C:\WINNT\system32\drivers\vet-rec.sys
2008-06-26 18:44 . 08-06-26 18:45 45,145,784 --a------ C:\Temp\iss_en_32.exe
2008-06-26 16:18 . 08-06-26 16:18 56,912 --a------ C:\Documents and Settings\mcs\g2mdlhlpx.exe
2008-06-25 13:32 . 08-06-25 13:32 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\LogMeIn
2008-06-21 14:39 . 08-06-21 14:40 7,496,920 --a------ C:\Temp\Firefox Setup 3.0.exe
2008-06-16 11:25 . 08-06-16 11:25 <DIR> d-------- C:\ClamWinPortable
2008-06-15 23:11 . 08-06-15 23:11 <DIR> d-------- C:\fsaua.data
2008-06-15 19:52 . 08-07-08 22:19 928,852 ---h----- C:\WINNT\ShellIconCache
2008-06-15 19:09 . 08-01-07 07:30 102,664 --a------ C:\WINNT\system32\drivers\tmcomm.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-09 05:52 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-07-09 05:25 --------- d-----w C:\Documents and Settings\mcs\Application Data\Hamachi
2008-07-08 12:54 --------- d-----w C:\Program Files\LogMeIn
2008-07-08 04:57 --------- d-----w C:\Program Files\Java
2008-07-08 04:56 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-07-03 16:35 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Hamachi
2008-06-30 23:28 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-06-27 02:09 --------- d-----w C:\Program Files\Network Associates
2008-06-27 02:09 --------- d-----w C:\Documents and Settings\All Users\Application Data\Network Associates
2008-06-26 23:18 --------- d-----w C:\Program Files\Citrix
2008-06-11 21:29 --------- d-----w C:\Documents and Settings\mcs\Application Data\Canon
2008-05-28 19:33 83,288 ----a-w C:\WINNT\system32\LMIRfsClientNP.dll
2008-05-28 19:32 24,608 ----a-w C:\WINNT\system32\LMIport.dll
2008-05-28 19:32 23,736 ----a-w C:\WINNT\system32\lmimirr.dll
2008-05-28 19:32 10,040 ----a-w C:\WINNT\system32\lmimirr2.dll
2008-05-22 07:18 --------- d-----w C:\Program Files\Common Files\Adobe
2008-05-22 07:15 --------- d-----w C:\Documents and Settings\mcs\Application Data\AdobeUM
2006-01-22 23:40 58,368 ----a-w C:\Program Files\MFInstall.exe
2005-12-08 22:08 17 ----a-w C:\Program Files\stng259.opt
2005-12-08 21:53 1,122,311 ----a-w C:\Program Files\stng259.exe
2005-10-30 01:58 271 ---h--w C:\Program Files\desktop.ini
2005-10-30 01:58 21,952 ---h--w C:\Program Files\folder.htt
1999-12-07 12:00 32,528 ----a-w C:\WINNT\inf\wbfirdma.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SiS Windows KeyHook"="C:\WINNT\System32\keyhook.exe" [04-05-12 17:22 249856]
"OpwareSE2"="C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe" [03-05-08 13:00 49152]
"SSBkgdUpdate"="C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [03-10-14 11:22 155648]
"PaperPort PTD"="C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe" [05-03-17 15:25 57393]
"IndexSearch"="C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe" [05-03-17 15:45 40960]
"ControlCenter2.0"="C:\Program Files\Brother\ControlCenter2\brctrcen.exe" [05-11-11 19:30 995328]
"NvCplDaemon"="C:\WINNT\system32\NvCpl.dll" [04-10-29 14:50 4620288]
"LogMeIn GUI"="C:\Program Files\LogMeIn\x86\LogMeInSystray.exe" [07-08-03 16:09 63048]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [08-03-16 00:37 98304]
"cctray"="C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe" [07-08-16 22:19 177416]
"PPRT"="C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC_Logon.exe" [07-01-04 12:10 21520]
"QOELOADER"="C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-5.1.18.0\QOELoader.exe" [08-06-26 18:50 14088]
"CAVRID"="C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe" [07-08-20 13:36 230664]
"cafwc"="C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\cafw.exe" [08-06-26 18:58 1193224]
"capfasem"="C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe" [08-06-26 18:58 173320]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [08-03-25 04:28 144784]
"Synchronization Manager"="mobsync.exe" [03-06-19 12:05 111376 C:\WINNT\system32\mobsync.exe]
"SoundMan"="SOUNDMAN.EXE" [04-02-09 01:54 65024 C:\WINNT\SOUNDMAN.EXE]
"nwiz"="nwiz.exe" [04-10-29 14:50 921600 C:\WINNT\system32\nwiz.exe]

C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\
hamachi.lnk - C:\Program Files\Hamachi\hamachi.exe [2007-10-18 18:32:18 619048]

C:\Documents and Settings\mcs\Start Menu\Programs\Startup\
Hamachi.lnk - C:\Program Files\Hamachi\hamachi.exe [2007-10-18 18:32:18 619048]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 03:38:16 29696]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [2000-01-20 18:15:54 65588]
Utility Tray.lnk - C:\WINNT\system32\sistray.exe [2004-12-30 12:28:06 335872]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"disablecad"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PFW]
07-05-18 13:30 79368 C:\WINNT\system32\UmxWNP.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"= mmdrv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"PCTVOICE"=pctspk.exe
"dc7732a7"=rundll32.exe "C:\WINNT\system32\wcfsiocx.dll",b

R0 KmxStart;KmxStart;C:\WINNT\system32\DRIVERS\kmxstart.sys [07-10-18 10:24 ]
R1 KmxAgent;KmxAgent;C:\WINNT\system32\DRIVERS\kmxagent.sys [07-05-18 13:30 ]
R1 KmxFile;KmxFile;C:\WINNT\system32\DRIVERS\KmxFile.sys [07-05-18 13:30 ]
R1 KmxFw;KmxFw;C:\WINNT\system32\DRIVERS\kmxfw.sys [07-10-18 14:21 ]
R1 pctfw2;pctfw2;C:\WINNT\system32\drivers\pctfw2.sys [08-07-07 18:39 ]
R2 KmxCF;KmxCF;C:\WINNT\system32\DRIVERS\KmxCF.sys [07-10-18 10:24 ]
R2 KmxSbx;KmxSbx;C:\WINNT\system32\DRIVERS\KmxSbx.sys [07-11-02 12:09 ]
R2 LMIInfo;LogMeIn Kernel Information Provider;C:\Program Files\LogMeIn\x86\RaInfo.sys [08-02-28 15:31 ]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;C:\WINNT\system32\drivers\LMIRfsDriver.sys [08-03-07 13:39 ]
R2 UmxAgent;HIPS Event Manager;C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe [07-10-18 10:24 ]
R2 UmxCfg;HIPS Configuration Interpreter;C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe [07-10-18 10:24 ]
R2 UmxPol;HIPS Policy Manager;C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe [07-05-18 13:30 ]
R3 BrSerIf;Brother MFC Serial Port Interface WDM Driver;C:\WINNT\system32\Drivers\BrSerIf.sys [04-09-29 04:24 ]
R3 BrUsbSer;Brother MFC USB Serial WDM Driver;C:\WINNT\system32\Drivers\BrUsbSer.sys [04-01-10 05:28 ]
R3 KmxCfg;KmxCfg;C:\WINNT\system32\DRIVERS\kmxcfg.sys [07-09-13 15:15 ]
R3 PPCtlPriv;PPCtlPriv;C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe [07-08-16 21:10 ]
R3 usbhub20;USB 2.0 Root Hub Support;C:\WINNT\system32\DRIVERS\usbhub20.sys [03-06-19 12:05 ]
S1 sglfb;sglfb;C:\WINNT\system32\drivers\sglfb.sys [99-12-07 05:00 ]
S2 AcronisAgent;Acronis Remote Agent;C:\Program Files\Common Files\Acronis\Agent\agent.exe []
S2 AcronisBackupServerService;Acronis Backup Server Service;C:\Program Files\Acronis\BackupServer\backupserver.exe []
S2 GroupServer;Acronis Group Server;C:\Program Files\Acronis\GroupServer\GroupServer.exe []
S3 BT2KNDFL;Bluetooth LAN Access Server Driver - Filter;C:\WINNT\system32\DRIVERS\bt2kndfl.sys [05-05-31 15:08 ]
S3 BTPCCARD;Bluetooth BCSP Transport for Pc Card;C:\WINNT\system32\Drivers\BTPCBCSP.SYS []
S3 openhci;Microsoft USB Open Host Controller Driver;C:\WINNT\system32\DRIVERS\openhci.sys [03-06-19 12:05 ]
S3 sxuptp;SXUPTP Driver;C:\WINNT\system32\DRIVERS\sxuptp.sys []

*Newly Created Service* - IPNAT
*Newly Created Service* - RASAUTO
*Newly Created Service* - SHAREDACCESS
.
Contents of the 'Scheduled Tasks' folder
"2008-07-08 13:40:03 C:\WINNT\Tasks\CAAntiSpywareScan_Daily as administrator at 5 50 AM.job"
- C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\CAAntiSpyware.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-08 23:00:18
Windows 5.0.2195 Service Pack 4 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-07-08 23:08:15 - machine was rebooted
ComboFix-quarantined-files.txt 2008-07-09 06:07:21

Pre-Run: 11,255,324,672 bytes free
Post-Run: 11,231,887,360 bytes free

206 --- E O F --- 2008-05-28 13:06:54


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:17, on 2008-07-08
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
C:\WINNT\system32\Brmfrmps.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
C:\PowerPanel\upssrv.exe
C:\WINNT\System32\svchost.exe
C:\PowerPanel\upsio.exe
C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfsem.exe
C:\WINNT\System32\keyhook.exe
C:\WINNT\SOUNDMAN.EXE
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-5.1.18.0\QOELoader.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe
C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\WINNT\system32\wuauclt.exe
C:\WINNT\system32\sistray.exe
C:\Program Files\Hamachi\hamachi.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\CAPPActiveProtection.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe
C:\WINNT\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Documents and Settings\mcs\Desktop\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = Download Directory
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SiS Windows KeyHook] C:\WINNT\System32\keyhook.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
O4 - HKLM\..\Run: [PPRT] C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC_Logon.exe
O4 - HKLM\..\Run: [QOELOADER] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spam\QSP-5.1.18.0\QOELoader.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe"
O4 - HKLM\..\Run: [cafwc] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\cafw.exe -cl
O4 - HKLM\..\Run: [capfasem] C:\Program Files\CA\CA Internet Security Suite\CA Personal Firewall\capfasem.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - Startup: Hamachi.lnk = C:\Program Files\Hamachi\hamachi.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Utility Tray.lnk = C:\WINNT\system32\sistray.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://supportcenter.rr.com/sdccommon/download/tgctlcm.cab
O16 - DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} (MeadCo ScriptX 5.5 Basic) - http://www.bestmark.com/support/ScriptX.cab
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - https://config.skillcheck.com/onlinetesting...linetesting.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1130650775515
O16 - DPF: {75565ED2-1560-4F15-B841-20358DE6A0D1} (ImageControl Class) - http://c.ancestry.com/cab/ImageViewer/MFImgVwr.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {861DB4B6-3838-11D2-8E50-002018200E57} (MrSIDI Control) - http://images.myfamily.net/isfiles/downloads/MrSIDI.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab56649.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...645/mcfscan.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/RACtrl.cab
O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Brother Industries, Ltd. - C:\WINNT\system32\Brmfrmps.exe
O23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
O23 - Service: UPS Service (CyberPowerUPS) - Cyber Power System Inc. - C:\PowerPanel\upssrv.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: PPCtlPriv - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: HIPS Event Manager (UmxAgent) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxAgent.exe
O23 - Service: HIPS Configuration Interpreter (UmxCfg) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxCfg.exe
O23 - Service: HIPS Firewall Helper (UmxFwHlp) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
O23 - Service: HIPS Policy Manager (UmxPol) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxPol.exe
O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe

--
End of file - 9753 bytes


Tomk
post Jul 9 2008, 10:37 AM
Post #6


Extrication Intern

Group: Malware Team
Posts: 2,267
Joined: 27-December 07
From: Sisters, OR
Member No.: 75,503
Operating System: xp



LarrySchultz,


COMBOFIX-Script

  • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

    CODE
    KILLALL::

    File::
    C:\WINNT\system32\REN13F.tmp
    C:\WINNT\system32\REN139.tmp
    C:\WINNT\system32\REN128.tmp
    C:\WINNT\BMdf44013b.xml
    C:\WINNT\system32\wcfsiocx.dll

    Registry::
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
    "dc7732a7"=-

    Driver::
    AcronisAgent
    AcronisBackupServerService
    GroupServer
    BTPCCARD
    sxuptp

  • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.


  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

Then

Please go to Kaspersky website and perform an online antivirus scan.

  • Read through the requirements and privacy statement and click on Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
      Spyware, Adware, Dialers, and other potentially dangerous programs
      Archives
      Mail databases
  • Click on My Computer under Scan.
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  • Please post this log in your next reply.


In your next reply please provide:
  • ComboFix.txt
  • Kaspersky report
  • New HijackThis log taken after everything else completed
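As an added illustration of what the script above targets (example code written for this page, not part of the thread and not from ComboFix or HijackThis): a small Python triage that parses autostart entries from ComboFix "Reg Loading Points" lines and HijackThis O4 lines, then scores the pattern visible in the posted log, a random-looking hex value name, rundll32 used to load a DLL from system32, and a one-letter export. The allow-list, scoring weights and sample lines are assumptions constructed from the log text.

```python
import re

# Allow-list of DLL basenames that rundll32 legitimately loads in the logs above
# (constructed for this example; real triage would use vendor or hash data).
KNOWN_GOOD_DLLS = {"nvcpl.dll"}

# ComboFix "Reg Loading Points" line:   "name"=command [date size]
COMBOFIX_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<cmd>.+?)(?:\s+\[[^\]]*\])?$')
# HijackThis O4 line:                    O4 - HKLM\..\Run: [name] command
HJT_RE = re.compile(r'^O4 - [^:]+: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$')
# rundll32 invocation with a DLL path and an export name after the comma
RUNDLL_RE = re.compile(
    r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+?)"?\s*,\s*(?P<export>\S+)', re.IGNORECASE)
# Value names that are just a short hex token, like "dc7732a7" in the log
RANDOM_HEX_NAME_RE = re.compile(r'^[0-9a-f]{6,12}$')

# Constructed sample: lines copied from the ComboFix and HijackThis output above
SAMPLE_LINES = [
    r'"NvCplDaemon"="C:\WINNT\system32\NvCpl.dll" [04-10-29 14:50 4620288]',
    r'"PCTVOICE"=pctspk.exe',
    r'"dc7732a7"=rundll32.exe "C:\WINNT\system32\wcfsiocx.dll",b',
    r'O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup',
    r'O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE',
]


def parse_autostart(line):
    """Return (value_name, command) for a ComboFix or HijackThis O4 line, else None."""
    for rx in (COMBOFIX_RE, HJT_RE):
        m = rx.match(line.strip())
        if m:
            return m.group("name"), m.group("cmd").strip()
    return None


def score_entry(name, cmd):
    """Score one autostart entry; the weights are assumptions for this example."""
    score, reasons = 0, []
    if RANDOM_HEX_NAME_RE.match(name.lower()):
        score += 2
        reasons.append("random-looking hex value name")
    m = RUNDLL_RE.search(cmd)
    if m:
        score += 1
        reasons.append("rundll32 used as a DLL loader")
        dll = m.group("dll").strip().rsplit("\\", 1)[-1].lower()
        if len(m.group("export")) == 1:
            score += 2
            reasons.append("single-letter export '%s'" % m.group("export"))
        if dll not in KNOWN_GOOD_DLLS:
            score += 1
            reasons.append("DLL %s is not allow-listed" % dll)
    return score, reasons


def triage(lines, threshold=4):
    """Return the entries whose score reaches the threshold, with their reasons."""
    findings = []
    for line in lines:
        parsed = parse_autostart(line)
        if parsed is None:
            continue
        name, cmd = parsed
        score, reasons = score_entry(name, cmd)
        if score >= threshold:
            findings.append({"name": name, "command": cmd,
                             "score": score, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LINES):
        print("%s (score %d): %s" % (f["name"], f["score"], "; ".join(f["reasons"])))
        print("   " + f["command"])
```

Run against the sample lines, only the `dc7732a7` entry reaches the threshold; the legitimate NvCpl rundll32 entry scores 1 because its name is not a hex token, its export is a full word and the DLL is allow-listed.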
LarrySchultz
post Jul 11 2008, 06:31 PM
Post #7


New Member

Group: New Member
Posts: 6
Joined: 8-July 08
Member No.: 80,141
Operating System: Windows 2K



After a few rough days at work (with this machine off), re-installation of Java and multiple scans, I was able to complete the tasks requested.

Though the machine is much better, we suspect there is still something amiss (though it may just be fallout from the various infections and a topic for another thread to fix).

Here are the results of the three scans after the required repairs.

ComboFix 08-07-09.4 - mcs 2008-07-09 22:54:22.1 - NTFSx86
Microsoft Windows 2000 Professional 5.0.2195.4.1252.1.1033.18.731 [GMT -7:00]
Running from: C:\Documents and Settings\mcs\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\mcs\Desktop\cfscript.txt

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINNT\BMdf44013b.xml
C:\WINNT\system32\REN128.tmp
C:\WINNT\system32\REN139.tmp
C:\WINNT\system32\REN13F.tmp
C:\WINNT\system32\wcfsiocx.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINNT\BMdf44013b.xml
C:\WINNT\system32\REN128.tmp
C:\WINNT\system32\REN139.tmp
C:\WINNT\system32\REN13F.tmp

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_ACRONISAGENT
-------\Legacy_ACRONISBACKUPSERVERSERVICE
-------\Legacy_GROUPSERVER
-------\Service_AcronisAgent
-------\Service_AcronisBackupServerService
-------\Service_BTPCCARD
-------\Service_GroupServer
-------\Service_sxuptp


((((((((((((((((((((((((( Files Created from 2008-06-10 to 2008-07-10 )))))))))))))))))))))))))))))))
.

2008-07-09 22:51 . 08-07-09 22:52 2,609,418 --a------ C:\Temp\ComboFix.exe
2008-07-09 08:17 . 08-07-09 08:17 <DIR> d-------- C:\WINNT\system32\127.0.0.1
2008-07-08 22:16 . 08-07-08 22:16 <DIR> d-------- C:\Documents and Settings\mcs\Application Data\Malwarebytes
2008-07-08 22:15 . 08-07-08 22:16 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-07-08 22:15 . 08-07-08 22:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-08 22:15 . 08-07-08 22:15 1,774,048 --a------ C:\Temp\mbam-setup.exe
2008-07-08 22:15 . 08-07-07 17:35 34,296 --a------ C:\WINNT\system32\drivers\mbamcatchme.