Jump to content

Build Theme!
  •  
  • Unreplied Topics
  • Downloads
  • Infected?

WE'RE SURE THAT YOU'LL LOVE US!

Hey there! :wub: Looks like you're enjoying the discussion, but you're not signed up for an account. When you create an account, we remember exactly what you've read, so you always come right back where you left off. You also get notifications, here and via email, whenever new posts are made. You can like posts to share the love. :D Join 93112 other members! Anybody can ask, anybody can answer. Consistently helpful members may be invited to become staff. Here's how it works. Virus cleanup? Start here -> Malware Removal Forum.

Try What the Tech -- It's free!


Photo

[Resolved] virtumonde and more

Started by sakra , Jan 22 2008 05:41 PM

  • This topic is locked This topic is locked
7 replies to this topic

#1 sakra

sakra

    New Member

  • New Member
  • Pip
  • 4 posts

Posted 22 January 2008 - 05:41 PM

Hey, I've done the self help stuff, and also run Symantec which removed a few things, but it's still there when I reboot. Could use some help, thanks. Spybot told me that Virtumonde was the one it could not remove.

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 6:28:17 PM 1/22/2008

+ Scan result:



C:\System Volume Information\_restore{DCE7E42F-DDA4-438A-A319-75AE4EE20744}\RP96\A0021449.EXE -> Adware.180Solutions : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a} -> Adware.Generic : Cleaned with backup (quarantined).
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\\{c95fe080-8f5d-11d2-a20b-00aa003c157a} -> Adware.Generic : Cleaned with backup (quarantined).
HKU\S-1-5-18\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\\{c95fe080-8f5d-11d2-a20b-00aa003c157a} -> Adware.Generic : Error during cleaning.
HKU\S-1-5-21-2000478354-2139871995-725345543-1003\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\\{c95fe080-8f5d-11d2-a20b-00aa003c157a} -> Adware.Generic : Cleaned with backup (quarantined).
C:\Documents and Settings\Steven\Local Settings\Temp\isinst.exe -> Downloader.IstBar.qj : Cleaned with backup (quarantined).
C:\Grisoft\AVG Anti-Spyware 7.5\avgas.exe -> Dropper.Agent.dgo : Cleaned with backup (quarantined).
C:\Program Files\SymNetDrv\SNDMon.exe -> Dropper.Agent.dgo : Cleaned with backup (quarantined).
C:\Shareaza\Shareaza.exe -> Dropper.Agent.dgo : Cleaned with backup (quarantined).
C:\Symantec_Client_Security\Symantec AntiVirus\vptray.exe -> Dropper.Agent.dgo : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B43C762B-2E91-4A17-A64D-8971AB8E7535}\RP64\A0001722.exe -> Dropper.Agent.dgo : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B43C762B-2E91-4A17-A64D-8971AB8E7535}\RP64\A0001724.exe -> Dropper.Agent.dgo : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B43C762B-2E91-4A17-A64D-8971AB8E7535}\RP64\A0001842.exe -> Dropper.Agent.dgo : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B43C762B-2E91-4A17-A64D-8971AB8E7535}\RP64\A0001845.exe -> Dropper.Agent.dgo : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B43C762B-2E91-4A17-A64D-8971AB8E7535}\RP64\A0001849.exe -> Dropper.Agent.dgo : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B43C762B-2E91-4A17-A64D-8971AB8E7535}\RP64\A0002047.rbf -> Dropper.Agent.dgo : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B43C762B-2E91-4A17-A64D-8971AB8E7535}\RP64\A0002182.rbf -> Dropper.Agent.dgo : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B43C762B-2E91-4A17-A64D-8971AB8E7535}\RP64\A0002244.exe -> Dropper.Agent.dgo : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B43C762B-2E91-4A17-A64D-8971AB8E7535}\RP64\A0002246.exe -> Dropper.Agent.dgo : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B43C762B-2E91-4A17-A64D-8971AB8E7535}\RP65\A0002268.exe -> Dropper.Agent.dgo : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B43C762B-2E91-4A17-A64D-8971AB8E7535}\RP65\A0002269.exe -> Dropper.Agent.dgo : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B43C762B-2E91-4A17-A64D-8971AB8E7535}\RP65\A0002270.exe -> Dropper.Agent.dgo : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B43C762B-2E91-4A17-A64D-8971AB8E7535}\RP65\A0002298.exe -> Dropper.Agent.dgo : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B43C762B-2E91-4A17-A64D-8971AB8E7535}\RP65\A0002300.exe -> Dropper.Agent.dgo : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B43C762B-2E91-4A17-A64D-8971AB8E7535}\RP66\A0002326.exe -> Dropper.Agent.dgo : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B43C762B-2E91-4A17-A64D-8971AB8E7535}\RP66\A0002411.exe -> Dropper.Agent.dgo : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B43C762B-2E91-4A17-A64D-8971AB8E7535}\RP66\A0002412.exe -> Dropper.Agent.dgo : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B43C762B-2E91-4A17-A64D-8971AB8E7535}\RP66\A0002422.exe -> Dropper.Agent.dgo : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B43C762B-2E91-4A17-A64D-8971AB8E7535}\RP66\A0002441.exe -> Dropper.Agent.dgo : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B43C762B-2E91-4A17-A64D-8971AB8E7535}\RP66\A0002442.exe -> Dropper.Agent.dgo : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B43C762B-2E91-4A17-A64D-8971AB8E7535}\RP66\A0002443.exe -> Dropper.Agent.dgo : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B43C762B-2E91-4A17-A64D-8971AB8E7535}\RP66\A0002444.exe -> Dropper.Agent.dgo : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B43C762B-2E91-4A17-A64D-8971AB8E7535}\RP66\A0002445.exe -> Dropper.Agent.dgo : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B43C762B-2E91-4A17-A64D-8971AB8E7535}\RP66\A0002474.exe -> Dropper.Agent.dgo : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B43C762B-2E91-4A17-A64D-8971AB8E7535}\RP66\A0002478.exe -> Dropper.Agent.dgo : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B43C762B-2E91-4A17-A64D-8971AB8E7535}\RP66\A0002480.exe -> Dropper.Agent.dgo : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B43C762B-2E91-4A17-A64D-8971AB8E7535}\RP66\A0002481.exe -> Dropper.Agent.dgo : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B43C762B-2E91-4A17-A64D-8971AB8E7535}\RP66\A0002539.exe -> Dropper.Agent.dgo : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B43C762B-2E91-4A17-A64D-8971AB8E7535}\RP66\A0002549.exe -> Dropper.Agent.dgo : Cleaned with backup (quarantined).
C:\WINDOWS\system32\RCX61.tmp -> Dropper.Agent.dgo : Cleaned with backup (quarantined).
C:\WINDOWS\system32\ssqpm.exe -> Dropper.Agent.dgo : Cleaned with backup (quarantined).
[372] C:\Grisoft\AVG Anti-Spyware 7.5\avgas.exe -> Dropper.Agent.dgo : Cleaned with backup (quarantined).
:mozilla.106:C:\Documents and Settings\Steven\Application Data\Mozilla\Firefox\Profiles\8fpwfrs3.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.10:C:\Documents and Settings\Steven\Application Data\Mozilla\Firefox\Profiles\8fpwfrs3.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.11:C:\Documents and Settings\Steven\Application Data\Mozilla\Firefox\Profiles\8fpwfrs3.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.12:C:\Documents and Settings\Steven\Application Data\Mozilla\Firefox\Profiles\8fpwfrs3.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.13:C:\Documents and Settings\Steven\Application Data\Mozilla\Firefox\Profiles\8fpwfrs3.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.149:C:\Documents and Settings\Steve\Application Data\Mozilla\Profiles\default\pu1ijsna.slt\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.14:C:\Documents and Settings\Steven\Application Data\Mozilla\Firefox\Profiles\8fpwfrs3.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.15:C:\Documents and Settings\Steven\Application Data\Mozilla\Firefox\Profiles\8fpwfrs3.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.16:C:\Documents and Settings\Steven\Application Data\Mozilla\Firefox\Profiles\8fpwfrs3.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.17:C:\Documents and Settings\Steven\Application Data\Mozilla\Firefox\Profiles\8fpwfrs3.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.18:C:\Documents and Settings\Steven\Application Data\Mozilla\Firefox\Profiles\8fpwfrs3.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.19:C:\Documents and Settings\Steven\Application Data\Mozilla\Firefox\Profiles\8fpwfrs3.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.20:C:\Documents and Settings\Steven\Application Data\Mozilla\Firefox\Profiles\8fpwfrs3.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.21:C:\Documents and Settings\Steven\Application Data\Mozilla\Firefox\Profiles\8fpwfrs3.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.225:C:\Documents and Settings\Steven\Application Data\Mozilla\Firefox\Profiles\8fpwfrs3.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.22:C:\Documents and Settings\Steven\Application Data\Mozilla\Firefox\Profiles\8fpwfrs3.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.237:C:\Documents and Settings\Steven\Application Data\Mozilla\Firefox\Profiles\8fpwfrs3.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.23:C:\Documents and Settings\Steven\Application Data\Mozilla\Firefox\Profiles\8fpwfrs3.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.24:C:\Documents and Settings\Steven\Application Data\Mozilla\Firefox\Profiles\8fpwfrs3.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.25:C:\Documents and Settings\Steven\Application Data\Mozilla\Firefox\Profiles\8fpwfrs3.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.26:C:\Documents and Settings\Steven\Application Data\Mozilla\Firefox\Profiles\8fpwfrs3.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.27:C:\Documents and Settings\Steven\Application Data\Mozilla\Firefox\Profiles\8fpwfrs3.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.28:C:\Documents and Settings\Steven\Application Data\Mozilla\Firefox\Profiles\8fpwfrs3.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.29:C:\Documents and Settings\Steven\Application Data\Mozilla\Firefox\Profiles\8fpwfrs3.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.30:C:\Documents and Settings\Steven\Application Data\Mozilla\Firefox\Profiles\8fpwfrs3.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.31:C:\Documents and Settings\Steven\Application Data\Mozilla\Firefox\Profiles\8fpwfrs3.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.32:C:\Documents and Settings\Steven\Application Data\Mozilla\Firefox\Profiles\8fpwfrs3.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.33:C:\Documents and Settings\Steven\Application Data\Mozilla\Firefox\Profiles\8fpwfrs3.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.348:C:\Documents and Settings\Steven\Application Data\Mozilla\Firefox\Profiles\8fpwfrs3.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.34:C:\Documents and Settings\Steven\Application Data\Mozilla\Firefox\Profiles\8fpwfrs3.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.356:C:\Documents and Settings\Steven\Application Data\Mozilla\Firefox\Profiles\8fpwfrs3.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.35:C:\Documents and Settings\Steven\Application Data\Mozilla\Firefox\Profiles\8fpwfrs3.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.377:C:\Documents and Settings\Steven\Application Data\Mozilla\Firefox\Profiles\8fpwfrs3.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.38:C:\Documents and Settings\Steve\Application Data\Mozilla\Profiles\default\pu1ijsna.slt\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.39:C:\Documents and Settings\Steve\Application Data\Mozilla\Profiles\default\pu1ijsna.slt\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.43:C:\Documents and Settings\Steve\Application Data\Mozilla\Profiles\default\pu1ijsna.slt\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.585:C:\Documents and Settings\Steven\Application Data\Mozilla\Firefox\Profiles\8fpwfrs3.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.9:C:\Documents and Settings\Steven\Application Data\Mozilla\Firefox\Profiles\8fpwfrs3.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
J:\Documents and Settings\Administrator\Cookies\administrator@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
J:\Documents and Settings\Administrator\Cookies\administrator@pandasoftware.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
J:\Documents and Settings\Administrator\Cookies\administrator@adbrite[2].txt -> TrackingCookie.Adbrite : Cleaned.
J:\Documents and Settings\Administrator\Cookies\administrator@ads.adbrite[1].txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.734:C:\Documents and Settings\Steven\Application Data\Mozilla\Firefox\Profiles\8fpwfrs3.default\cookies.txt -> TrackingCookie.Adobe : Cleaned.
:mozilla.11:C:\Documents and Settings\Steve\Application Data\Mozilla\Profiles\default\pu1ijsna.slt\cookies.txt -> TrackingCookie.Atdmt : Cleaned.
:mozilla.64:C:\Documents and Settings\Steven\Application Data\Mozilla\Firefox\Profiles\8fpwfrs3.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned.
J:\Documents and Settings\Administrator\Cookies\administrator@www.burstnet[1].txt -> TrackingCookie.Burstnet : Cleaned.
:mozilla.181:C:\Documents and Settings\Steve\Application Data\Mozilla\Profiles\default\pu1ijsna.slt\cookies.txt -> TrackingCookie.Centrport : Cleaned.
:mozilla.152:C:\Documents and Settings\Steven\Application Data\Mozilla\Firefox\Profiles\8fpwfrs3.default\cookies.txt -> TrackingCookie.Esomniture : Cleaned.
:mozilla.153:C:\Documents and Settings\Steven\Application Data\Mozilla\Firefox\Profiles\8fpwfrs3.default\cookies.txt -> TrackingCookie.Esomniture : Cleaned.
:mozilla.154:C:\Documents and Settings\Steven\Application Data\Mozilla\Firefox\Profiles\8fpwfrs3.default\cookies.txt -> TrackingCookie.Esomniture : Cleaned.
:mozilla.169:C:\Documents and Settings\Steven\Application Data\Mozilla\Firefox\Profiles\8fpwfrs3.default\cookies.txt -> TrackingCookie.Estat : Cleaned.
:mozilla.115:C:\Documents and Settings\Steve\Application Data\Mozilla\Profiles\default\pu1ijsna.slt\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.116:C:\Documents and Settings\Steve\Application Data\Mozilla\Profiles\default\pu1ijsna.slt\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.117:C:\Documents and Settings\Steve\Application Data\Mozilla\Profiles\default\pu1ijsna.slt\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.118:C:\Documents and Settings\Steve\Application Data\Mozilla\Profiles\default\pu1ijsna.slt\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
J:\Documents and Settings\Administrator\Cookies\administrator@ehg-lexmark.hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned.
J:\Documents and Settings\Administrator\Cookies\administrator@ehg-vmware.hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned.
J:\Documents and Settings\Administrator\Cookies\administrator@hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.133:C:\Documents and Settings\Steve\Application Data\Mozilla\Profiles\default\pu1ijsna.slt\cookies.txt -> TrackingCookie.Netflame : Cleaned.
:mozilla.134:C:\Documents and Settings\Steve\Application Data\Mozilla\Profiles\default\pu1ijsna.slt\cookies.txt -> TrackingCookie.Netflame : Cleaned.
:mozilla.508:C:\Documents and Settings\Steven\Application Data\Mozilla\Firefox\Profiles\8fpwfrs3.default\cookies.txt -> TrackingCookie.Netflame : Cleaned.
:mozilla.509:C:\Documents and Settings\Steven\Application Data\Mozilla\Firefox\Profiles\8fpwfrs3.default\cookies.txt -> TrackingCookie.Netflame : Cleaned.
:mozilla.180:C:\Documents and Settings\Steve\Application Data\Mozilla\Profiles\default\pu1ijsna.slt\cookies.txt -> TrackingCookie.Overture : Cleaned.
J:\Documents and Settings\Administrator\Cookies\administrator@tacoda[1].txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.576:C:\Documents and Settings\Steven\Application Data\Mozilla\Firefox\Profiles\8fpwfrs3.default\cookies.txt -> TrackingCookie.Weborama : Cleaned.
:mozilla.681:C:\Documents and Settings\Steven\Application Data\Mozilla\Firefox\Profiles\8fpwfrs3.default\cookies.txt -> TrackingCookie.Webtrends : Cleaned.
J:\Documents and Settings\Administrator\Cookies\administrator@m.webtrends[2].txt -> TrackingCookie.Webtrends : Cleaned.


::Report end

And Hijackthis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:32:40 PM, on 1/22/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\WgaTray.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.c...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.armageddon.org/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.c...//www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
F3 - REG:win.ini: load=C:\WINDOWS\System32\ssqpm.exe
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [DAEMON Tools] "C:\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Grisoft\AVG Anti-Spyware 7.5\avgas .exe" /minimized
O4 - HKLM\..\RunOnce: [Spybot - Search & Destroy] "C:\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKLM\..\RunOnce: [SpybotDeletingA8072] command /c del "C:\WINDOWS\system32\ssqpm.dll_tobedeleted"
O4 - HKLM\..\RunOnce: [SpybotDeletingC9193] cmd /c del "C:\WINDOWS\system32\ssqpm.dll_tobedeleted"
O4 - HKCU\..\Run: [Shareaza] "C:\Shareaza\Shareaza.exe" -tray
O4 - HKCU\..\RunOnce: [SpybotDeletingB1222] command /c del "C:\WINDOWS\system32\ssqpm.dll_tobedeleted"
O4 - HKCU\..\RunOnce: [SpybotDeletingD1746] cmd /c del "C:\WINDOWS\system32\ssqpm.dll_tobedeleted"
O4 - Startup: Shareaza.lnk = C:\Shareaza\Shareaza.exe
O4 - Startup: Trillian.lnk = C:\Program Files\Trillian\trillian.exe
O4 - Global Startup: NDAS Device Management.lnk = C:\Program Files\NDAS\System\ndasmgmt.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {3451DEDE-631F-421C-8127-FD793AFC6CC8} - https://www-secure.s...rl/SymAData.cab
O16 - DPF: {44990200-3C9D-426D-81DF-AAB636FA4345} (Symantec SmartIssue) - https://www-secure.s...trl/tgctlsi.cab
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - https://www-secure.s...trl/tgctlsr.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: DefWatch - Symantec Corporation - C:\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINDOWS\runservice.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NDAS Service (ndassvc) - XIMETA, Inc. - C:\Program Files\NDAS\System\ndassvc.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

--
End of file - 5695 bytes

    Advertisements

Register to Remove

#2 Simon V.

Simon V.

    MRU Emeritus

  • Authentic Member
  • PipPipPipPip
  • 897 posts

Posted 25 January 2008 - 01:10 PM

Hello, and welcome to the forum.

My name is Simon V., and I'll be glad to help you with your computer problems.

Step 1

Please download and install CCleaner.

Open CCleaner. On the Windows tab, leave the default options alone.

  • On the Applications tab, check (tick) all the boxes except Saved Form Information. This will remove all your saved passwords if you leave this box checked.
  • Click on the Run Cleaner button at the bottom right hand corner.
  • When the cleaner has completed, click Tools in the Left Pane.
  • Verify that Uninstall is highlighted in color, or click on it.
  • In the lower right, click Save to Text File.
  • Pull down the arrow at the top of the Save dialog and choose Desktop as the location.
  • You can leave the filename as install.txt.
  • Click Save, then exit Ccleaner.

Step 2

Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingc...to-use-combofix

Post the log from ComboFix (C:\Combofix.txt) when you've accomplished that, along with a new HijackThis log and the CCleaner Uninstall List (install.txt)
Trained at Malware Removal University - A Cooperative Effort with WhatTheTech Classroom.

Posted Image
Posted Image

So How Did I Get Infected In The First Place?
Stand Up and Be Counted!

#3 sakra

sakra

    New Member

  • New Member
  • Pip
  • 4 posts

Posted 25 January 2008 - 04:02 PM

Thanks for the help, I appreciate it. Just a quick note, I've run Vundofix, and after that spybot, and it -appears- that virtumonde is gone, I'm not getting anymore warnings about W32.trats!inf from symantec (but it could be knocked out again). Anyway, I'd like your help to make sure my computer is clean. So here's the logs.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:56:49 PM, on 1/25/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\SYMANT~1\SYMANT~1\DefWatch.exe
C:\WINDOWS\runservice.exe
C:\Program Files\NDAS\System\ndassvc.exe
C:\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\NDAS\System\ndasmgmt.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\WgaTray.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.armageddon.org/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.c...//www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareBlock Class - {0A87E45F-537A-40B4-B812-E2544C21A09F} - C:\SpyCatcher 2006\SCActiveBlock.dll (file missing)
O2 - BHO: (no name) - {246E2A91-E00E-4D86-8965-598A882770BC} - C:\WINDOWS\System32\ssqpm.dll (file missing)
O2 - BHO: (no name) - {28BCCD57-0D49-4843-9053-7203061B345F} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {598F4775-6FB6-477B-9842-E0426824E077} - C:\DOCUME~1\Steven\LOCALS~1\Temp\~DP8.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {AEF85002-8302-47AB-99E5-EFCE27E39046} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [DAEMON Tools] "C:\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - Startup: Trillian.lnk = C:\Program Files\Trillian\trillian.exe
O4 - Global Startup: NDAS Device Management.lnk = C:\Program Files\NDAS\System\ndasmgmt.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {3451DEDE-631F-421C-8127-FD793AFC6CC8} - https://www-secure.s...rl/SymAData.cab
O16 - DPF: {44990200-3C9D-426D-81DF-AAB636FA4345} (Symantec SmartIssue) - https://www-secure.s...trl/tgctlsi.cab
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - https://www-secure.s...trl/tgctlsr.cab
O20 - Winlogon Notify: mljgf - C:\WINDOWS\
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: DefWatch - Symantec Corporation - C:\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINDOWS\runservice.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NDAS Service (ndassvc) - XIMETA, Inc. - C:\Program Files\NDAS\System\ndassvc.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

--
End of file - 5991 bytes

CCleaner
Adobe Flash Player ActiveX
Adobe Flash Player Plugin
Adobe Reader 8.1.1
Age of Empires III
America's Army
America's Army Server Manager
ATI - Software Uninstall Utility
ATI Catalyst Control Center
ATI Display Driver
AVG Anti-Spyware 7.5
Born of Blood
Caesar IV
CamGrab-2LE
CCleaner (remove only)
Combined Community Codec Pack 2006-05-01 (Remove Only)
Command & Conquer 3
Commandos 2: Men of Courage
Dawn of War - Dark Crusade
Dawn Of War - Winter Assault
DawnOfWar
DGE-530T
Direct Show Ogg Vorbis Filter (remove only)
DivX
DivX Player
DivX Web Player
Dungeon Siege 2
Exam Essentials 5.5
GTK+ Runtime 2.10.11 rev b (remove only)
Heroes of Might and Magic V
HijackThis 2.0.2
Hitman Blood Money
Indeo® Software
J2SE Runtime Environment 5.0 Update 10
J2SE Runtime Environment 5.0 Update 11
J2SE Runtime Environment 5.0 Update 6
Java™ 6 Update 2
Java™ 6 Update 3
Java™ SE Runtime Environment 6 Update 1
Kaspersky Online Scanner
LiveUpdate 3.0 (Symantec Corporation)
Logitech® Camera Driver
Macromedia Extension Manager
Macromedia Flash 8
Macromedia Flash Player 8
Medieval - Total War ™ - Viking Invasion ™
Medieval II Total War
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Office Professional Edition 2003
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual J# .NET Redistributable Package 1.1
Mozilla Firefox (2.0.0.11)
MSXML 4.0 SP2 (KB936181)
MySQL Connector/ODBC 3.51
NDAS Software 3.20.1523
NVIDIA Drivers
NvMixer
Oblivion
oggcodecs 0.71.0946
QuickTime
RealPlayer
Rome - Total War - Alexander
Rome - Total War™
Rome Total War - patch 1.3
Security Update for Microsoft .NET Framework 2.0 (KB928365)
Security Update for Windows XP (KB905495)
Shareaza 2.3.1.0
Sid Meier's Civilization 4
Spybot - Search & Destroy 1.4
Star Wars JK II Jedi Outcast
Starcraft
Stronghold 2
Symantec AntiVirus Client
Symantec Network Drivers Update
Trillian
Update for Windows XP (KB835409)
VideoMach 3.5.2
Voyage Century Online 1.0
WebFldrs XP
Windows Defender Signatures
Windows Media Format Runtime
Windows Media Player 10
Windows XP Hotfix - KB833407
Windows XP Hotfix - KB835732
Windows XP Hotfix - KB842773
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB892944
Windows XP Hotfix - KB918439
Windows XP Hotfix - KB918899
Windows XP Hotfix - KB925486
WinRAR archiver
Yahoo! Install Manager
Yahoo! Messenger
zMUD 7.21.0.0

ComboFix 08-01-23.1C - Steven 2008-01-25 16:37:20.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.1.1252.1.1033.18.1586 [GMT -5:00]
Running from: C:\Documents and Settings\Steven\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\components

.
((((((((((((((((((((((((( Files Created from 2007-12-25 to 2008-01-25 )))))))))))))))))))))))))))))))
.

2008-01-25 16:36 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\Nircmd.exe
2008-01-25 16:32 . 2003-03-31 07:00 245,920 -r-hs---- C:\cmldr
2008-01-25 16:32 . 2008-01-22 11:56 211 --ahs---- C:\BOOT.BAK
2008-01-25 16:24 . 2008-01-25 16:24 <DIR> d-------- C:\CCleaner
2008-01-23 14:11 . 2008-01-23 14:11 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-01-23 13:47 . 2008-01-23 14:36 1,117,460 ---hs---- C:\WINDOWS\system32\utdvvfay.ini
2008-01-22 18:32 . 2008-01-22 18:32 <DIR> d-------- C:\Trend Micro
2008-01-22 17:11 . 2008-01-22 17:11 <DIR> d-------- C:\Grisoft
2008-01-22 17:11 . 2007-05-30 07:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-01-22 03:54 . 2008-01-22 03:54 0 --a------ C:\WINDOWS\VPC32.INI
2008-01-22 02:53 . 2008-01-22 02:53 <DIR> d-------- C:\Symantec_Client_Security
2008-01-22 02:15 . 2008-01-22 02:46 <DIR> d-------- C:\Norton SystemWorks
2008-01-22 01:48 . 2005-10-20 17:33 991,232 --a------ C:\WINDOWS\system32\esent.dll
2008-01-22 01:38 . 2004-07-01 17:08 361,984 --a--c--- C:\WINDOWS\system32\dllcache\qmgr.dll
2008-01-22 01:38 . 2004-07-01 17:08 331,776 --a------ C:\WINDOWS\system32\winhttp.dll
2008-01-22 01:38 . 2004-07-01 17:08 331,776 --a--c--- C:\WINDOWS\system32\dllcache\winhttp.dll
2008-01-22 01:38 . 2004-07-01 17:08 17,408 --a------ C:\WINDOWS\system32\qmgrprxy.dll
2008-01-22 01:38 . 2004-07-01 17:08 17,408 --a--c--- C:\WINDOWS\system32\dllcache\qmgrprxy.dll
2008-01-22 01:38 . 2004-07-01 17:08 7,680 -----c--- C:\WINDOWS\system32\dllcache\bitsprx2.dll
2008-01-22 01:38 . 2004-07-01 17:08 7,168 -----c--- C:\WINDOWS\system32\dllcache\bitsprx3.dll
2008-01-22 01:34 . 2007-07-30 19:19 216,408 --a------ C:\WINDOWS\system32\wuaucpl.cpl
2008-01-22 01:33 . 2004-08-03 14:04 185,624 --a------ C:\WINDOWS\system32\iuengine.dll
2008-01-22 01:33 . 2004-08-03 14:04 185,624 --a--c--- C:\WINDOWS\system32\dllcache\iuengine.dll
2008-01-22 01:22 . 2003-03-31 07:00 13,463,552 --a--c--- C:\WINDOWS\system32\dllcache\hwxjpn.dll
2008-01-22 01:21 . 2001-08-17 14:07 83,712 --a------ C:\WINDOWS\system32\drivers\NABTSFEC.sys
2008-01-22 01:21 . 2001-08-17 14:07 18,560 --a------ C:\WINDOWS\system32\drivers\WSTCODEC.SYS
2008-01-22 01:21 . 2002-08-29 01:33 16,384 --a------ C:\WINDOWS\system32\drivers\CCDECODE.sys
2008-01-22 01:21 . 2002-08-29 01:27 4,992 --a------ C:\WINDOWS\system32\drivers\MSTEE.sys
2008-01-22 01:19 . 2007-07-30 19:19 1,712,984 --a------ C:\WINDOWS\system32\wuaueng.dll
2008-01-22 01:17 . 2002-08-29 01:27 56,576 --a------ C:\WINDOWS\system32\drivers\redbook.sys
2008-01-22 01:17 . 2001-08-17 13:59 50,048 --a------ C:\WINDOWS\system32\drivers\DMusic.sys
2008-01-22 01:17 . 2002-08-29 01:32 5,888 --a------ C:\WINDOWS\system32\drivers\splitter.sys
2008-01-22 01:11 . 2001-08-17 22:37 117,248 --a------ C:\WINDOWS\system32\ksproxy.ax
2008-01-22 01:11 . 2001-08-17 22:36 4,096 --a------ C:\WINDOWS\system32\ksuser.dll
2008-01-22 01:10 . 2002-08-29 01:06 182,400 --a------ C:\WINDOWS\system32\drivers\rdpdr.sys
2008-01-22 01:10 . 2002-08-29 03:46 38,024 --a------ C:\WINDOWS\system32\drivers\termdd.sys
2008-01-21 22:35 . 2008-01-23 15:20 <DIR> d-------- C:\VundoFix Backups
2008-01-18 12:56 . 2008-01-18 12:56 <DIR> d-------- C:\Program Files\MSXML 4.0
2008-01-17 20:10 . 2006-11-12 11:39 483,328 --a------ C:\WINDOWS\system32\actskn45.ocx
2008-01-17 20:09 . 2008-01-17 20:09 <DIR> d-------- C:\Program Files\Shareaza Applications
2007-12-31 11:14 . 2007-12-31 11:14 <DIR> d-------- C:\Program Files\NDAS
2007-12-31 11:14 . 2007-06-29 17:32 372,584 --a------ C:\WINDOWS\system32\drivers\ndasfat.sys
2007-12-31 11:14 . 2007-06-29 17:32 254,440 --a------ C:\WINDOWS\system32\drivers\lfsfilt.sys
2007-12-31 11:13 . 2007-12-31 11:13 32 --a------ C:\WINDOWS\Menu.INI
2007-12-29 13:05 . 2008-01-11 17:24 <DIR> d-------- C:\Medieval II Total War

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-25 21:33 --------- d-----w C:\Program Files\Trillian
2008-01-22 23:27 --------- d-----w C:\Program Files\SymNetDrv
2008-01-22 21:30 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-22 07:54 --------- d-----w C:\Program Files\Symantec
2008-01-22 07:53 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-11-29 18:52 --------- d-----w C:\Program Files\Java
2007-11-19 06:43 264 ----a-w C:\Uninstall.bat
2006-09-11 03:11 792,651 --sh--w C:\WINDOWS\system32\fgjlm.bak1
2006-09-11 19:47 809,358 --sh--w C:\WINDOWS\system32\fgjlm.ini2
.
<pre>
----a-w			58,488 2008-01-22 07:36:21  C:\Program Files\Common Files\Symantec Shared\ccApp .exe
----a-w		   218,240 2008-01-22 07:36:23  C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt .exe
----a-w			95,456 2008-01-22 21:31:47  C:\Program Files\SymNetDrv\SNDMon .exe
----a-w		 4,739,072 2008-01-22 21:31:57  C:\Shareaza\Shareaza .exe
----a-w			90,112 2008-01-22 21:31:49  C:\Symantec_Client_Security\Symantec AntiVirus\vptray .exe
----a-w		   145,408 2008-01-22 21:31:49  C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig .exe
</pre>


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{246E2A91-E00E-4D86-8965-598A882770BC}]
C:\WINDOWS\System32\ssqpm.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{28BCCD57-0D49-4843-9053-7203061B345F}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{598F4775-6FB6-477B-9842-E0426824E077}]
C:\DOCUME~1\Steven\LOCALS~1\Temp\~DP8.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AEF85002-8302-47AB-99E5-EFCE27E39046}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [ ]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [ ]
"NVMixerTray"="C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe" [ ]
"LVCOMSX"="C:\WINDOWS\system32\LVCOMSX.EXE" [ ]
"DAEMON Tools"="C:\DAEMON Tools\daemon.exe" [ ]
"!AVG Anti-Spyware"="C:\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 04:25 6731312]

C:\Documents and Settings\Steve\Start Menu\Programs\Startup\
Trillian.lnk - C:\Trillian\trillian.exe [2005-03-15 1646592]

C:\Documents and Settings\Steven\Start Menu\Programs\Startup\
Trillian.lnk - C:\Program Files\Trillian\trillian.exe [2007-12-11 1873280]

C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\
NDAS Device Management.lnk - C:\Program Files\NDAS\System\ndasmgmt.exe [2007-06-29 17:32:52 236520]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mljgf]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpyCatcher Reminder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Messenger"=2 (0x2)

R0 lfsfilt;Lean File Sharing;C:\WINDOWS\System32\DRIVERS\lfsfilt.sys [2007-06-29 17:32]
R0 lpx;LPX Protocol;C:\WINDOWS\System32\DRIVERS\lpx.sys [2007-06-29 17:32]
R1 ndasfat;NDAS FAT;C:\WINDOWS\system32\DRIVERS\ndasfat.sys [2007-06-29 17:32]
R2 LicCtrlService;LicCtrl Service;C:\WINDOWS\runservice.exe [2006-05-20 11:04]
R3 ndasbus;NDAS Bus Driver;C:\WINDOWS\System32\DRIVERS\ndasbus.sys [2007-06-29 17:32]
S3 m4cxw2k3;NDIS5.1 Miniport Driver for D-Link PCI Express Ethernet Controller;C:\WINDOWS\System32\DRIVERS\m4cxw2k3.sys [2005-03-10 06:42]
S3 ndasscsi;NDAS SCSI Miniport Driver;C:\WINDOWS\System32\DRIVERS\ndasscsi.sys [2007-06-29 17:32]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\H]
\Shell\AutoRun\command - H:\OblivionLauncher.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{60c6bffa-e7f0-11da-bfc1-806d6172696f}]
\Shell\AutoRun\command - D:\Autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7f90cee6-c3a3-11db-a61e-000c6edf278a}]
\Shell\AutoRun\command - I:\AutorunShim.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{89652819-8194-11db-a5c0-000c6edf278a}]
\Shell\AutoRun\command - H:\OblivionLauncher.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e8694e84-4e77-11dc-b3e8-806d6172696f}]
\Shell\AutoRun\command - D:\autorun.exe

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-25 16:45:59
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\System32\NavLogon.dll
.
Completion time: 2008-01-25 16:55:18 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-25 21:55:15
.
2008-01-22 18:41:40 --- E O F ---

#4 Simon V.

Simon V.

    MRU Emeritus

  • Authentic Member
  • PipPipPipPip
  • 897 posts

Posted 26 January 2008 - 06:32 AM

Hi :)

I understand that downloading music and other files may be important to you; however, the Peer-to-Peer programs that you are using to do that, even if they are not infected with malware, will bring malware into your system. Therefore, the chances of you becoming infected again are very high. This obviously can result in disabling your computer and could even lead to someone stealing sensitive personal data from your computer. Beyond the inconvenience this causes you, these programs also tend to use your computer as a server to spread more infection all over the internet, so your computer becomes a part of the malware problem.

Remember that no matter how clean the program you're using for Peer-to-Peer filesharing may be, it offers no guarantees regarding the cleanliness of files you may choose to download. All files available via Peer-to-Peer filesharing carry a high risk, particularly those that offer you illegitimate methods of using legitimate software programs without paying for them. Any program or file that offers you the ability to access non-freeware programs at no cost, e.g., pirated software and/or cracks/key generators for gaining access to legitimate software, is 100% guaranteed to contain malware.

Here is some information that looks at the rates of infection:

http://www.benedelman.org/spyware/p2p/

With that being said, I recommend that you remove the following Peer-to-Peer program(s):

(Click on Start, then Control Panel. Double click on Add or Remove Programs)

Shareaza 2.3.1.0

Also remove the following programs:

J2SE Runtime Environment 5.0 Update 10
J2SE Runtime Environment 5.0 Update 11
J2SE Runtime Environment 5.0 Update 6
Java™ 6 Update 2
Java™ 6 Update 3
Java™ SE Runtime Environment 6 Update 1

Then download and install Java Runtime Environment (JRE) 6 Update 4.

Step 1

Open Notepad (Go to Start > Run, type Notepad and hit Enter), and copy/paste the text in the quotebox below into it:

File::

C:\WINDOWS\system32\utdvvfay.ini
C:\WINDOWS\system32\actskn45.ocx
C:\WINDOWS\system32\fgjlm.bak1
C:\WINDOWS\system32\fgjlm.ini2

Folder::

C:\VundoFix Backups

Registry::

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{246E2A91-E00E-4D86-8965-598A882770BC}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{28BCCD57-0D49-4843-9053-7203061B345F}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{598F4775-6FB6-477B-9842-E0426824E077}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AEF85002-8302-47AB-99E5-EFCE27E39046}]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mljgf]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpyCatcher Reminder]

RenV::

C:\Program Files\Common Files\Symantec Shared\ccApp .exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt .exe
C:\Program Files\SymNetDrv\SNDMon .exe
C:\Shareaza\Shareaza .exe
C:\Symantec_Client_Security\Symantec AntiVirus\vptray .exe
C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig .exe

Click on File > Save as....

In the File Name box, copy/paste CFScript.txt (Note: Do not change the filename!)

Click Save (Save the CFScript in the same location as Combofix.exe)

Close any open windows.

Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe.
It will create a log. Be sure to save it to a convenient location.

Step 2

Please download Malwarebytes' Anti-Malware to your desktop.

  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt

Step 3

In your next reply, please post:

  • the Combofix log (C:\Combofix.txt)
  • the Malwarebytes' Anti-Malware report
  • a new HijackThis log

Trained at Malware Removal University - A Cooperative Effort with WhatTheTech Classroom.

Posted Image
Posted Image

So How Did I Get Infected In The First Place?
Stand Up and Be Counted!

#5 sakra

sakra

    New Member

  • New Member
  • Pip
  • 4 posts

Posted 26 January 2008 - 09:46 AM

I think that's everything. Here's the logs.

ComboFix 08-01-23.1C - Steven 2008-01-26 10:29:31.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.1.1252.1.1033.18.1554 [GMT -5:00]
Running from: C:\Documents and Settings\Steven\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Steven\Desktop\CFScript.txt
* Created a new restore point

FILE
C:\WINDOWS\system32\actskn45.ocx
C:\WINDOWS\system32\fgjlm.bak1
C:\WINDOWS\system32\fgjlm.ini2
C:\WINDOWS\system32\utdvvfay.ini
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\VundoFix Backups
C:\VundoFix Backups\awvvt.dll.bad
C:\VundoFix Backups\dbdmjvbf.dll.bad
C:\VundoFix Backups\ljjjjjg.dll.bad
C:\VundoFix Backups\mpqss.ini.bad
C:\VundoFix Backups\mpqss.ini2.bad
C:\VundoFix Backups\ssqpm.dll.bad
C:\VundoFix Backups\tvvwa.ini.bad
C:\VundoFix Backups\tvvwa.ini2.bad
C:\VundoFix Backups\yafvvdtu.dll.bad
C:\WINDOWS\system32\actskn45.ocx
C:\WINDOWS\system32\fgjlm.bak1
C:\WINDOWS\system32\fgjlm.ini2
C:\WINDOWS\system32\utdvvfay.ini

.
((((((((((((((((((((((((( Files Created from 2007-12-26 to 2008-01-26 )))))))))))))))))))))))))))))))
.

2008-01-26 10:27 . 2008-01-26 10:27 <DIR> d-------- C:\Program Files\Sun
2008-01-26 10:27 . 2007-12-14 01:59 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-01-26 10:24 . 2008-01-26 10:24 <DIR> d-------- C:\Program Files\Common Files\Java
2008-01-25 16:36 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\Nircmd.exe
2008-01-25 16:32 . 2003-03-31 07:00 245,920 -r-hs---- C:\cmldr
2008-01-25 16:32 . 2008-01-22 11:56 211 --ahs---- C:\BOOT.BAK
2008-01-25 16:24 . 2008-01-25 16:24 <DIR> d-------- C:\CCleaner
2008-01-23 14:11 . 2008-01-23 14:11 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-01-22 18:32 . 2008-01-22 18:32 <DIR> d-------- C:\Trend Micro
2008-01-22 17:11 . 2008-01-22 17:11 <DIR> d-------- C:\Grisoft
2008-01-22 17:11 . 2007-05-30 07:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-01-22 13:44 . 2008-01-22 16:31 145,408 --a--c--- C:\WINDOWS\system32\dllcache\msconfig.exe
2008-01-22 03:54 . 2008-01-22 03:54 0 --a------ C:\WINDOWS\VPC32.INI
2008-01-22 02:53 . 2008-01-22 02:53 <DIR> d-------- C:\Symantec_Client_Security
2008-01-22 02:15 . 2008-01-22 02:46 <DIR> d-------- C:\Norton SystemWorks
2008-01-22 01:48 . 2005-10-20 17:33 991,232 --a------ C:\WINDOWS\system32\esent.dll
2008-01-22 01:38 . 2004-07-01 17:08 361,984 --a--c--- C:\WINDOWS\system32\dllcache\qmgr.dll
2008-01-22 01:38 . 2004-07-01 17:08 331,776 --a------ C:\WINDOWS\system32\winhttp.dll
2008-01-22 01:38 . 2004-07-01 17:08 331,776 --a--c--- C:\WINDOWS\system32\dllcache\winhttp.dll
2008-01-22 01:38 . 2004-07-01 17:08 17,408 --a------ C:\WINDOWS\system32\qmgrprxy.dll
2008-01-22 01:38 . 2004-07-01 17:08 17,408 --a--c--- C:\WINDOWS\system32\dllcache\qmgrprxy.dll
2008-01-22 01:38 . 2004-07-01 17:08 7,680 -----c--- C:\WINDOWS\system32\dllcache\bitsprx2.dll
2008-01-22 01:38 . 2004-07-01 17:08 7,168 -----c--- C:\WINDOWS\system32\dllcache\bitsprx3.dll
2008-01-22 01:34 . 2007-07-30 19:19 216,408 --a------ C:\WINDOWS\system32\wuaucpl.cpl
2008-01-22 01:33 . 2004-08-03 14:04 185,624 --a------ C:\WINDOWS\system32\iuengine.dll
2008-01-22 01:33 . 2004-08-03 14:04 185,624 --a--c--- C:\WINDOWS\system32\dllcache\iuengine.dll
2008-01-22 01:22 . 2003-03-31 07:00 13,463,552 --a--c--- C:\WINDOWS\system32\dllcache\hwxjpn.dll
2008-01-22 01:21 . 2001-08-17 14:07 83,712 --a------ C:\WINDOWS\system32\drivers\NABTSFEC.sys
2008-01-22 01:21 . 2001-08-17 14:07 18,560 --a------ C:\WINDOWS\system32\drivers\WSTCODEC.SYS
2008-01-22 01:21 . 2002-08-29 01:33 16,384 --a------ C:\WINDOWS\system32\drivers\CCDECODE.sys
2008-01-22 01:21 . 2002-08-29 01:27 4,992 --a------ C:\WINDOWS\system32\drivers\MSTEE.sys
2008-01-22 01:19 . 2007-07-30 19:19 1,712,984 --a------ C:\WINDOWS\system32\wuaueng.dll
2008-01-22 01:17 . 2002-08-29 01:27 56,576 --a------ C:\WINDOWS\system32\drivers\redbook.sys
2008-01-22 01:17 . 2001-08-17 13:59 50,048 --a------ C:\WINDOWS\system32\drivers\DMusic.sys
2008-01-22 01:17 . 2002-08-29 01:32 5,888 --a------ C:\WINDOWS\system32\drivers\splitter.sys
2008-01-22 01:11 . 2001-08-17 22:37 117,248 --a------ C:\WINDOWS\system32\ksproxy.ax
2008-01-22 01:11 . 2001-08-17 22:36 4,096 --a------ C:\WINDOWS\system32\ksuser.dll
2008-01-22 01:10 . 2002-08-29 01:06 182,400 --a------ C:\WINDOWS\system32\drivers\rdpdr.sys
2008-01-22 01:10 . 2002-08-29 03:46 38,024 --a------ C:\WINDOWS\system32\drivers\termdd.sys
2008-01-18 12:56 . 2008-01-18 12:56 <DIR> d-------- C:\Program Files\MSXML 4.0
2008-01-17 20:09 . 2008-01-17 20:09 <DIR> d-------- C:\Program Files\Shareaza Applications
2007-12-31 11:14 . 2007-12-31 11:14 <DIR> d-------- C:\Program Files\NDAS
2007-12-31 11:14 . 2007-06-29 17:32 372,584 --a------ C:\WINDOWS\system32\drivers\ndasfat.sys
2007-12-31 11:14 . 2007-06-29 17:32 254,440 --a------ C:\WINDOWS\system32\drivers\lfsfilt.sys
2007-12-31 11:13 . 2007-12-31 11:13 32 --a------ C:\WINDOWS\Menu.INI
2007-12-29 13:05 . 2008-01-11 17:24 <DIR> d-------- C:\Medieval II Total War

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-26 15:29 --------- d-----w C:\Program Files\SymNetDrv
2008-01-26 15:29 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-01-26 15:28 --------- d-----w C:\Program Files\Trillian
2008-01-26 15:27 --------- d-----w C:\Program Files\Java
2008-01-22 21:31 145,408 ----a-w C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe
2008-01-22 21:30 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-22 07:54 --------- d-----w C:\Program Files\Symantec
2007-11-19 06:43 36,734 ----a-w C:\WINDOWS\system32\OggDSuninst.exe
2007-11-19 06:43 264 ----a-w C:\Uninstall.bat
2007-11-13 21:15 103,736 ----a-w C:\WINDOWS\system32\PnkBstrB.exe
2007-11-04 03:00 66,872 ----a-w C:\WINDOWS\system32\PnkBstrA.exe
.

((((((((((((((((((((((((((((( snapshot@2008-01-25_16.55.05.53 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-01-25 21:37:06 1,200,128 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
+ 2008-01-26 15:28:57 1,200,128 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
- 2008-01-25 21:37:06 978,944 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
+ 2008-01-26 15:28:57 978,944 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
- 2008-01-25 21:37:06 5,357,568 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
+ 2008-01-26 15:28:57 1,200,128 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
+ 2008-01-26 15:28:58 5,357,568 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\NTUSER.DAT
+ 2008-01-26 15:28:58 978,944 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\UsrClass.dat
- 2008-01-25 21:37:06 978,944 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
+ 2008-01-26 15:28:58 1,138,688 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
- 2007-09-25 03:30:28 135,168 ----a-w C:\WINDOWS\system32\java.exe
+ 2007-12-14 05:57:22 135,168 ----a-w C:\WINDOWS\system32\java.exe
- 2007-09-25 03:30:30 135,168 ----a-w C:\WINDOWS\system32\javaw.exe
+ 2007-12-14 05:57:24 135,168 ----a-w C:\WINDOWS\system32\javaw.exe
- 2007-09-25 04:31:42 139,264 ----a-w C:\WINDOWS\system32\javaws.exe
+ 2007-12-14 06:59:16 139,264 ----a-w C:\WINDOWS\system32\javaws.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [ ]
"NVMixerTray"="C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe" [ ]
"LVCOMSX"="C:\WINDOWS\system32\LVCOMSX.EXE" [ ]
"DAEMON Tools"="C:\DAEMON Tools\daemon.exe" [ ]
"!AVG Anti-Spyware"="C:\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 04:25 6731312]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe" [2007-12-14 03:42 144784]

C:\Documents and Settings\Steve\Start Menu\Programs\Startup\
Trillian.lnk - C:\Trillian\trillian.exe [2005-03-15 1646592]

C:\Documents and Settings\Steven\Start Menu\Programs\Startup\
Trillian.lnk - C:\Program Files\Trillian\trillian.exe [2007-12-11 1873280]

C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\
NDAS Device Management.lnk - C:\Program Files\NDAS\System\ndasmgmt.exe [2007-06-29 17:32:52 236520]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Messenger"=2 (0x2)

R0 lfsfilt;Lean File Sharing;C:\WINDOWS\System32\DRIVERS\lfsfilt.sys [2007-06-29 17:32]
R0 lpx;LPX Protocol;C:\WINDOWS\System32\DRIVERS\lpx.sys [2007-06-29 17:32]
R1 ndasfat;NDAS FAT;C:\WINDOWS\system32\DRIVERS\ndasfat.sys [2007-06-29 17:32]
R2 LicCtrlService;LicCtrl Service;C:\WINDOWS\runservice.exe [2006-05-20 11:04]
R3 ndasbus;NDAS Bus Driver;C:\WINDOWS\System32\DRIVERS\ndasbus.sys [2007-06-29 17:32]
S3 m4cxw2k3;NDIS5.1 Miniport Driver for D-Link PCI Express Ethernet Controller;C:\WINDOWS\System32\DRIVERS\m4cxw2k3.sys [2005-03-10 06:42]
S3 ndasscsi;NDAS SCSI Miniport Driver;C:\WINDOWS\System32\DRIVERS\ndasscsi.sys [2007-06-29 17:32]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\H]
\Shell\AutoRun\command - H:\OblivionLauncher.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{60c6bffa-e7f0-11da-bfc1-806d6172696f}]
\Shell\AutoRun\command - D:\Autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7f90cee6-c3a3-11db-a61e-000c6edf278a}]
\Shell\AutoRun\command - I:\AutorunShim.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{89652819-8194-11db-a5c0-000c6edf278a}]
\Shell\AutoRun\command - H:\OblivionLauncher.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e8694e84-4e77-11dc-b3e8-806d6172696f}]
\Shell\AutoRun\command - D:\autorun.exe

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-26 10:34:07
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\System32\NavLogon.dll
.
Completion time: 2008-01-26 10:34:39
ComboFix-quarantined-files.txt 2008-01-26 15:34:25
ComboFix2.txt 2008-01-25 21:55:18
.
2008-01-22 18:41:40 --- E O F ---


Malwarebytes' Anti-Malware version 1.00
Database version: 285

Scan type: Quick Scan
Objects scanned: 24482
Time elapsed: 4 minute(s), 12 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:41:52 AM, on 1/26/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\SYMANT~1\SYMANT~1\DefWatch.exe
C:\WINDOWS\runservice.exe
C:\Program Files\NDAS\System\ndassvc.exe
C:\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\WgaTray.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.armageddon.org/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.c...//www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareBlock Class - {0A87E45F-537A-40B4-B812-E2544C21A09F} - C:\SpyCatcher 2006\SCActiveBlock.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [DAEMON Tools] "C:\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"
O4 - Startup: Trillian.lnk = C:\Program Files\Trillian\trillian.exe
O4 - Global Startup: NDAS Device Management.lnk = C:\Program Files\NDAS\System\ndasmgmt.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {3451DEDE-631F-421C-8127-FD793AFC6CC8} - https://www-secure.s...rl/SymAData.cab
O16 - DPF: {44990200-3C9D-426D-81DF-AAB636FA4345} (Symantec SmartIssue) - https://www-secure.s...trl/tgctlsi.cab
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - https://www-secure.s...trl/tgctlsr.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: DefWatch - Symantec Corporation - C:\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINDOWS\runservice.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NDAS Service (ndassvc) - XIMETA, Inc. - C:\Program Files\NDAS\System\ndassvc.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

--
End of file - 5563 bytes

#6 Simon V.

Simon V.

    MRU Emeritus

  • Authentic Member
  • PipPipPipPip
  • 897 posts

Posted 26 January 2008 - 11:32 AM

Hi :)

Open HijackThis, perform a scan and put a check next to the following items (if present):

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)

Close all programs except HijackThis and click on Fix checked.

Congratulations, your log looks clean. Please advise of any problems you are still experiencing, or follow these simple steps to keep your computer clean in the future:

Click Start then Run....

  • Type Combofix /u in the runbox and click OK. (Note: The space between the x and the /u needs to be there)

    Posted Image

  • This will uninstall Combofix.

Make your Internet Explorer More Secure

  • From within Internet Explorer click on the Tools menu and then click on Options.
  • Click once on the Security tab.
  • Click once on the Internet icon so it becomes highlighted.
  • Click once on the Custom Level button.

  • Change the Download signed ActiveX controls to Prompt.
  • Change the Download unsigned ActiveX controls to Disable.
  • Change the Initialise and script ActiveX controls not marked as safe to Disable.
  • Change the Installation of desktop items to Prompt.
  • Change the Launching programs and files in an IFRAME to Prompt.
  • Change the Navigate sub-frames across different domains to Prompt.
  • When all these settings have been made, click on the OK button.
  • If it prompts you as to whether or not you want to save the settings, press the Yes button.

  • Next press the Apply button and then the OK to exit the Internet Properties page.

Use a Firewall - Without a firewall your computer is susceptible to being hacked and taken over. The Windows firewall isn't sufficient as it only monitors incoming connections.

Here are a few (free) firewalls, please download and install one of them:


Visit Microsoft's Update Site Frequently - It is important that you visit http://update.microsoft.com/ regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

Install WinPatrol - An excellent startup manager, notifies you if programs are added to startup, allows delayed startup, ... A must have! An installation guide can be found here: http://www.winpatrol.com/download.html

Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs. A tutorial can be found here: http://www.bleepingc...tutorial49.html

Install IE-Spyad - IE-Spyad places more than 4000 dubious websites and domains in the IE Restricted list. This severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites. A tutorial on installing this product can be found here: http://www.spywarewa...rce.htm#IESPYAD

Update All Your Security Programs Regularly - Make sure you update all your security programs (Anti-Virus, Firewall, Anti-Spyware) regularly (once a weak, at least). Without regular updates you WILL NOT be protected when new malicious programs are released.

You can also read this excellent article by TonyKlein: So how did I get infected in the first place?

Follow this list and your potential for being infected again will reduce dramatically.

Stand Up and Be Counted! - Please take the time to tell us what you would like to be done about the people who are behind all the problems you have had. We can only get something done about this if the people that we help, like you, are prepared to complain. We have a dedicated forum for collecting these complaints: Malware Complaints. You have to be registered to post. After registering just find your country room and register your complaint. The infection you had was Vundo (Virtumundo).
Trained at Malware Removal University - A Cooperative Effort with WhatTheTech Classroom.

Posted Image
Posted Image

So How Did I Get Infected In The First Place?
Stand Up and Be Counted!

#7 sakra

sakra

    New Member

  • New Member
  • Pip
  • 4 posts

Posted 26 January 2008 - 12:25 PM

Thanks for the help.

#8 Simon V.

Simon V.

    MRU Emeritus

  • Authentic Member
  • PipPipPipPip
  • 897 posts

Posted 26 January 2008 - 12:27 PM

Since this issue appears to be resolved ... this Topic has been closed. Glad we could be of assistance. If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread. Everyone else please begin a New Topic.
Trained at Malware Removal University - A Cooperative Effort with WhatTheTech Classroom.

Posted Image
Posted Image

So How Did I Get Infected In The First Place?
Stand Up and Be Counted!

Related Topics

Back to Virus, Spyware & Malware Removal · Next Unread Topic →

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. What the Tech
  2. Spyware / Malware / Virus Removal
  3. Virus, Spyware & Malware Removal
  4. Privacy Policy
  5. Terms of Use ·