Thread: Vundo BHO

  1. #1
    Junior Member
    Join Date
    Dec 2008
    Posts
    2

    Vundo BHO

    Hi, first I want to say what a great forum you have here. As the title implies, I ran a scan with Malwarebytes and it found these two objects.

    To give some history, I have been dealing with the malware issue for a few days. I first realized it when running a Spybot system scan. At that time I had a 'Virtumonde' among a couple of other obscure (to me) items. I tried removing them with Spybot, which is a great tool but is not very good at removal. I found this site, read through some of the threads on 'Virtumonde', and followed the instructions on what closely resembled my issue, which was to run Combofix, which I did.

    I know I should have had more experience to run it but as many times as I have reinstalled my OS in the past, I wasn't too worried.

    In any case I no longer have the 'Virtumonde'. And I thought all was fine as I had run the Malwarebytes scan after reboot and it said all was fine.

    This morning I woke and ran another scan and found these two objects. To give more history, I did nothing after I completed the operations but play Delta Force II online and visit SilgradTower.com.

    I do realize now I should have posted first. I thank you in advance.

    Here is my HJT log:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 1:49:40 PM, on 12/24/2008
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    Boot mode: Normal

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\Avira\AntiVir PersonalEdition Premium\sched.exe
    C:\Program Files\Avira\AntiVir PersonalEdition Premium\avguard.exe
    C:\Program Files\Avira\AntiVir PersonalEdition Premium\avesvc.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\WINNT\System32\nvsvc32.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\Explorer.EXE
    C:\Program Files\Avira\AntiVir PersonalEdition Premium\avmailc.exe
    C:\Program Files\Avira\AntiVir PersonalEdition Premium\AVWEBGRD.EXE
    C:\WINNT\system32\RUNDLL32.EXE
    C:\WINNT\RTHDCPL.EXE
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\Program Files\Avira\AntiVir PersonalEdition Premium\avgnt.exe
    C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
    C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
    C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\System32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
    O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Premium\avgnt.exe" /min
    O4 - HKLM\..\Run: [CPM9b5057d7] Rundll32.exe "c:\winnt\system32\kohuhoro.dll",a
    O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
    O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
    O4 - .DEFAULT Startup: WampServer.lnk = D:\wamp\wampserver.exe (User 'Default user')
    O4 - Startup: WampServer.lnk = D:\wamp\wampserver.exe
    O8 - Extra context menu item: &Check Spelling - res://C:\Program Files\ieSpell\ieSpell.dll/SPELLCHECK.HTM
    O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\ieSpell.dll/SPELLOPTION.HTM
    O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\ieSpell.dll
    O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\ieSpell.dll
    O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\ieSpell.dll
    O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\ieSpell.dll
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm (file missing)
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm (file missing)
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1211595917500
    O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - (no file)
    O23 - Service: Avira AntiVir Premium MailGuard (AntiVirMailService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Premium\avmailc.exe
    O23 - Service: Avira AntiVir Premium Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Premium\sched.exe
    O23 - Service: Avira AntiVir Premium Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Premium\avguard.exe
    O23 - Service: Avira AntiVir Premium WebGuard (antivirwebservice) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Premium\AVWEBGRD.EXE
    O23 - Service: Avira AntiVir Premium MailGuard helper service (AVEService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Premium\avesvc.exe
    O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
    O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
    O23 - Service: Nero Registry InCD Service (NeroRegInCDSrv) - Unknown owner - C:\Program Files\Nero\Nero 7\InCD\NBHRegInCDSrv.exe (file missing)
    O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
    O23 - Service: wampapache - Apache Software Foundation - d:\wamp\apache2\bin\Apache.exe
    O23 - Service: wampmysqld - Unknown owner - d:\wamp\mysql\bin\mysqld-nt.exe

    --
    End of file - 6826 bytes

  2. #2
    Junior Member
    Join Date
    Dec 2008
    Posts
    2


    Hello again. It is not that I am impatient, but with the holiday I figured I might be waiting a while.

    Anyway, I reviewed more threads and applied as instructed as far as java and pdf readers.

    1. I removed Acrobat Reader and installed Foxit Reader.
    2. I removed all Java programs and reinstalled the latest platform.
    3. I changed my ActiveX controls in 'internet security settings' to prompt before downloading signed controls and disabled downloading unsigned controls.
    4. I ran Malwarebytes and removed the objects.
    5. I ran Combofix with Teatimer disabled.
    6. I ran Malwarebytes with no detection after numerous reboots.
    7. I ran Kaspersky Online Scan with no detection.

    I am listing my HJT scan and Kaspersky Scan below. While I am not recommending anyone do what I have done (unless, that is, you can risk screwing up your data), I have recommended this site to a couple of other people. I have to say that reading the threads of others and the professional and knowledgeable assistance in those threads goes way beyond anything I have ever seen. If my system passes your inspection, please conclude this thread. Thank you again.

    Malwarebytes' Anti-Malware 1.31
    Database version: 1538
    Windows 5.0.2195 Service Pack 4

    12/24/2008 8:33:32 PM
    mbam-log-2008-12-24 (20-33-32).txt

    Scan type: Quick Scan
    Objects scanned: 40582
    Time elapsed: 2 minute(s), 49 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 1
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cpm9b5057d7 (Trojan.Vundo.H) -> Quarantined and deleted successfully.

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)

    ComboFix 08-12-24.01 - GIGA1 12/24/2008 20:34:21.6 - NTFSx86
    Microsoft Windows 2000 Professional 5.0.2195.4.1252.1.1033.18.2047.1600 [GMT -5:00]
    Running from: c:\documents and settings\GIGA1\Desktop\ComboFix.exe
    .

    ((((((((((((((((((((((((( Files Created from 2008-11-25 to 2008-12-25 )))))))))))))))))))))))))))))))
    .

    No new files created in this timespan

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-12-24 23:57 --------- d-----w c:\program files\AskBarDis
    2008-12-24 22:48 --------- d-----w c:\program files\Foxit Software
    2008-12-24 22:48 --------- d-----w c:\documents and settings\GIGA1\Application Data\Foxit
    2008-12-24 22:47 410,984 ----a-w c:\winnt\system32\deploytk.dll
    2008-12-24 22:47 --------- d-----w c:\program files\Sun
    2008-12-24 22:47 --------- d-----w c:\program files\Java
    2008-12-24 19:15 --------- d-----w c:\documents and settings\GIGA1\Application Data\Avira
    2008-12-24 18:48 --------- d-----w c:\program files\Trend Micro
    2008-12-24 01:10 --------- d-----w c:\program files\Avira
    2008-12-24 01:10 --------- d-----w c:\documents and settings\All Users\Application Data\Avira
    2008-12-23 22:22 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
    2008-12-23 22:22 --------- d-----w c:\documents and settings\GIGA1\Application Data\Malwarebytes
    2008-12-23 22:22 --------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
    2008-12-23 19:02 --------- d-----w c:\program files\Creative
    2008-12-23 18:57 --------- d--h--w c:\program files\InstallShield Installation Information
    2008-12-23 18:20 --------- d-----w c:\documents and settings\GIGA1\Application Data\Creative
    2008-12-23 18:08 --------- d-----w c:\program files\Common Files\Reallusion
    2008-12-23 18:07 --------- d-----w c:\program files\Common Files\Creative
    2008-12-22 15:39 --------- d-----w c:\program files\NifTools
    2008-12-22 15:39 --------- d-----w c:\program files\ImageConverter Plus
    2008-12-20 20:18 --------- d-----w c:\program files\CPUMon
    2008-12-20 01:26 --------- d-----w c:\program files\PPSOFT.DK
    2008-12-18 21:53 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
    2008-12-18 21:53 --------- d-----w c:\program files\Any DVD Converter Professional
    2008-12-18 21:53 --------- d-----w c:\documents and settings\GIGA1\Application Data\Any DVD Converter Professional
    2008-12-18 15:24 --------- d-----w c:\documents and settings\GIGA1\Application Data\Ahead
    2008-12-18 15:23 --------- d-----w c:\documents and settings\All Users\Application Data\LightScribe
    2008-12-18 15:10 --------- d-----w c:\program files\Common Files\LightScribe
    2008-12-18 15:06 --------- d-----w c:\documents and settings\All Users\Application Data\Ahead
    2008-12-18 15:05 --------- d-----w c:\program files\Common Files\Ahead
    2008-12-18 15:01 --------- d-----w c:\program files\Nero
    2008-12-18 15:01 --------- d-----w c:\documents and settings\All Users\Application Data\Nero
    2008-12-11 02:25 --------- d-----w c:\program files\Spybot - Search & Destroy
    2008-12-11 02:24 --------- d---a-w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
    2008-12-04 00:59 38,496 ----a-w c:\winnt\system32\drivers\mbamswissarmy.sys
    2008-12-04 00:59 15,504 ----a-w c:\winnt\system32\drivers\mbam.sys
    2008-12-02 21:20 --------- d-----w c:\documents and settings\GIGA1\Application Data\Sierra
    2008-12-02 21:17 43,520 ----a-w c:\winnt\system32\CmdLineExt03.dll
    2008-12-02 20:40 --------- d-----w c:\program files\CDA Converter Plus
    2008-11-30 02:58 685,056 ----a-w c:\winnt\is-T48HF.exe
    2008-11-30 02:44 --------- d-----w c:\program files\AVS4YOU
    2008-11-30 02:43 --------- d-----w c:\program files\Common Files\AVSMedia
    2008-11-30 02:43 --------- d-----w c:\documents and settings\GIGA1\Application Data\AVS4YOU
    2008-11-30 02:43 --------- d-----w c:\documents and settings\All Users\Application Data\AVS4YOU
    2008-11-23 00:18 --------- d-----w c:\program files\MP3BookHelper
    2008-08-16 18:58 724 ----a-w c:\documents and settings\GIGA1\Application Data\hexplorer.dat
    2008-08-16 18:58 4 ----a-w c:\documents and settings\GIGA1\Application Data\mclip.dat
    2008-05-24 15:49 66,484 ----a-w c:\documents and settings\All Users\Application Data\firstlsp.reg.dat
    2008-05-24 01:36 271 ---h--w c:\program files\desktop.ini
    2008-05-24 01:36 21,952 ---h--w c:\program files\folder.htt
    2002-07-24 12:00 32,528 ----a-w c:\winnt\inf\wbfirdma.sys
    .

    ((((((((((((((((((((((((((((( snapshot@Tue 2008-12-23_19.50.12.56 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2008-03-12 17:29:14 94,465 ----a-w c:\winnt\system32\avsda.dll
    + 2008-12-24 01:17:05 64,448 ----a-w c:\winnt\system32\drivers\avgntdd.sys
    + 2008-01-21 23:11:27 18,496 ----a-w c:\winnt\system32\drivers\avgntmgr.sys
    + 2008-12-24 01:17:05 75,072 ----a-w c:\winnt\system32\drivers\avipbb.sys
    + 2007-03-01 15:34:22 28,352 ----a-w c:\winnt\system32\drivers\ssmdrv.sys
    - 2008-12-10 04:40:09 144,792 ----a-w c:\winnt\system32\java.exe
    + 2008-12-24 22:47:36 144,792 ----a-w c:\winnt\system32\java.exe
    - 2008-12-10 04:40:09 144,792 ----a-w c:\winnt\system32\javaw.exe
    + 2008-12-24 22:47:36 144,792 ----a-w c:\winnt\system32\javaw.exe
    - 2008-12-10 04:40:09 148,888 ----a-w c:\winnt\system32\javaws.exe
    + 2008-12-24 22:47:36 148,888 ----a-w c:\winnt\system32\javaws.exe
    + 2008-12-25 01:28:39 16,384 ----atw c:\winnt\system32\Perflib_Perfdata_268.dat
    + 2008-12-25 01:34:08 16,384 ----atw c:\winnt\system32\Perflib_Perfdata_388.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
    11/18/08 12:58p 333192 --a------ c:\program files\AskBarDis\bar\bin\askBar.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{3041d03e-fd4b-44e0-b742-2d9b88305f98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [11/18/08 12:58p 333192]

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
    "{3041D03E-FD4B-44E0-B742-2D9B88305F98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [11/18/08 12:58p 333192]

    [HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
    [HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [06/27/07 07:03p 152872]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NvCplDaemon"="c:\winnt\System32\NvCpl.dll" [06/28/07 11:43a 8466432]
    "NvMediaCenter"="c:\winnt\System32\NvMcTray.dll" [06/28/07 11:43a 81920]
    "avgnt"="c:\program files\Avira\AntiVir PersonalEdition Premium\avgnt.exe" [12/23/08 08:17p 266497]
    "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [12/24/08 05:47p 136600]
    "nwiz"="nwiz.exe" [06/28/07 11:43a 1626112 c:\winnt\system32\nwiz.exe]
    "RTHDCPL"="RTHDCPL.EXE" [04/04/06 04:44p 16120832 c:\winnt\RTHDCPL.exe]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "^SetupICWDesktop"="c:\program files\Internet Explorer\Connection Wizard\icwconn1.exe" [06/19/03 02:05p 186640]

    c:\documents and settings\GIGA1\Start Menu\Programs\Startup\
    WampServer.lnk - d:\wamp\wampserver.exe [2004-06-27 1101824]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "aux"= mmdrv.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EasyTuneV]
    --a------ 06/14/04 10:54a 200704 c:\program files\Gigabyte\ET5\GUI.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InCD]
    --a------ 06/25/07 08:47a 1057064 c:\program files\Nero\Nero 7\InCD\InCD.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
    --a------ 09/04/07 03:40p 6856704 c:\program files\MSN Messenger\msnmsgr.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
    --a------ 03/17/08 11:05a 570664 c:\program files\Common Files\Ahead\Lib\NeroCheck.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SecurDisc]
    --a------ 06/25/07 08:47a 1629480 c:\program files\Nero\Nero 7\InCD\NBHGui.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
    "bizivozure"=Rundll32.exe "c:\winnt\system32\yujetata.dll",s

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "UpdatesDisableNotify"=dword:00000001

    R0 avgntmgr;avgntmgr;c:\winnt\system32\DRIVERS\avgntmgr.sys [2008-12-23 18496]
    R1 avgntdd;avgntdd;c:\winnt\system32\DRIVERS\avgntdd.sys [2008-12-23 64448]
    R2 AntiVirMailService;Avira AntiVir Premium MailGuard;"c:\program files\Avira\AntiVir PersonalEdition Premium\avmailc.exe" [2008-12-23 164097]
    R2 antivirwebservice;Avira AntiVir Premium WebGuard;"c:\program files\Avira\AntiVir PersonalEdition Premium\AVWEBGRD.EXE" [2008-12-23 258305]
    R2 AVEService;Avira AntiVir Premium MailGuard helper service;"c:\program files\Avira\AntiVir PersonalEdition Premium\avesvc.exe" [2008-12-23 41217]
    R3 openhci;Microsoft USB Open Host Controller Driver;c:\winnt\system32\DRIVERS\openhci.sys [2002-07-24 24784]
    R3 RLDesignVirtualAudioCableWdm;Live! Cam Virtual;c:\winnt\system32\DRIVERS\livecamv.sys [2008-12-23 31616]
    R3 usbhub20;USB 2.0 Root Hub Support;c:\winnt\system32\DRIVERS\usbhub20.sys [2008-05-23 49776]
    S2 NeroRegInCDSrv;Nero Registry InCD Service;c:\program files\Nero\Nero 7\InCD\NBHRegInCDSrv.exe []
    S4 InCDFat;Nero InCD FAT 32 File System;c:\winnt\system32\drivers\InCDFat.sys [2007-06-25 139560]

    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
    "c:\program files\Common Files\LightScribe\LSRunOnce.exe"
    .
    Contents of the 'Scheduled Tasks' folder

    2008-12-23 c:\winnt\Tasks\Spybot - Search & Destroy - Scheduled Task.job
    - c:\program files\Spybot - Search & Destroy\SpybotSD.exe [07/30/08 02:45p]

    2008-12-23 c:\winnt\Tasks\Spybot - Search & Destroy Updater - Scheduled Task.job
    - c:\program files\Spybot - Search & Destroy\SDUpdate.exe [08/14/08 01:39p]
    .
    .
    ------- Supplementary Scan -------
    .
    mLocal Page = about:blank
    uInternet Settings,ProxyOverride = <local>
    IE: &Check Spelling - c:\program files\ieSpell\ieSpell.dll/SPELLCHECK.HTM
    IE: &ieSpell Options - c:\program files\ieSpell\ieSpell.dll/SPELLOPTION.HTM
    IE: {{c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htm
    IE: {{c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htm -
    LSP: avsda.dll
    LSP: %SystemRoot%\system32\msafd.dll

    O16 -: DirectAnimation Java Classes - file://c:\winnt\Java\classes\dajava.cab
    c:\winnt\Downloaded Program Files\DirectAnimation Java Classes.osd

    O16 -: Microsoft XML Parser for Java - file://c:\winnt\Java\classes\xmldso.cab
    c:\winnt\Downloaded Program Files\Microsoft XML Parser for Java.osd
    .

    **************************************************************************

    catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-12-24 20:35:07
    Windows 5.0.2195 Service Pack 4 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...


    c:\winnt\system32\Perflib_Perfdata_aa0.dat 16384 bytes

    scan completed successfully
    hidden files: 1

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(200)
    c:\winnt\system32\wzcdlg.dll
    c:\winnt\system32\WZCSAPI.DLL

    - - - - - - - > 'lsass.exe'(264)
    c:\winnt\system32\avsda.dll
    .
    Completion time: 12/24/2008 20:35:51
    ComboFix-quarantined-files.txt 2008-12-25 01:35:31
    ComboFix2.txt 2008-12-25 01:20:20
    ComboFix3.txt 2008-12-24 00:50:49

    Pre-Run: 4,454,924,288 bytes free
    Post-Run: 4,445,622,272 bytes free

    180

    Malwarebytes' Anti-Malware 1.31
    Database version: 1538
    Windows 5.0.2195 Service Pack 4

    12/25/2008 9:33:28 PM
    mbam-log-2008-12-25 (21-33-28).txt

    Scan type: Quick Scan
    Objects scanned: 41329
    Time elapsed: 3 minute(s), 3 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 10:36:58 PM, on 12/25/2008
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    Boot mode: Normal

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\Avira\AntiVir PersonalEdition Premium\sched.exe
    C:\Program Files\Avira\AntiVir PersonalEdition Premium\avguard.exe
    C:\Program Files\Avira\AntiVir PersonalEdition Premium\avesvc.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\WINNT\System32\nvsvc32.exe
    C:\WINNT\system32\regsvc.exe
    d:\wamp\apache2\bin\Apache.exe
    d:\wamp\mysql\bin\mysqld-nt.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\svchost.exe
    D:\wamp\apache2\bin\Apache.exe
    C:\WINNT\Explorer.EXE
    C:\Program Files\Avira\AntiVir PersonalEdition Premium\avmailc.exe
    C:\Program Files\Avira\AntiVir PersonalEdition Premium\AVWEBGRD.EXE
    C:\WINNT\system32\RUNDLL32.EXE
    C:\WINNT\RTHDCPL.EXE
    C:\Program Files\Avira\AntiVir PersonalEdition Premium\avgnt.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
    D:\wamp\wampserver.exe
    C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
    C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Windows NT\Accessories\WORDPAD.EXE
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
    O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O3 - Toolbar: Foxit Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\System32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Premium\avgnt.exe" /min
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
    O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
    O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
    O4 - .DEFAULT Startup: WampServer.lnk = D:\wamp\wampserver.exe (User 'Default user')
    O4 - Startup: WampServer.lnk = D:\wamp\wampserver.exe
    O8 - Extra context menu item: &Check Spelling - res://C:\Program Files\ieSpell\ieSpell.dll/SPELLCHECK.HTM
    O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\ieSpell.dll/SPELLOPTION.HTM
    O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\ieSpell.dll
    O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\ieSpell.dll
    O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\ieSpell.dll
    O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\ieSpell.dll
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm (file missing)
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm (file missing)
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1230220705906
    O23 - Service: Avira AntiVir Premium MailGuard (AntiVirMailService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Premium\avmailc.exe
    O23 - Service: Avira AntiVir Premium Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Premium\sched.exe
    O23 - Service: Avira AntiVir Premium Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Premium\avguard.exe
    O23 - Service: Avira AntiVir Premium WebGuard (antivirwebservice) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Premium\AVWEBGRD.EXE
    O23 - Service: Avira AntiVir Premium MailGuard helper service (AVEService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Premium\avesvc.exe
    O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
    O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
    O23 - Service: Nero Registry InCD Service (NeroRegInCDSrv) - Unknown owner - C:\Program Files\Nero\Nero 7\InCD\NBHRegInCDSrv.exe (file missing)
    O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
    O23 - Service: wampapache - Apache Software Foundation - d:\wamp\apache2\bin\Apache.exe
    O23 - Service: wampmysqld - Unknown owner - d:\wamp\mysql\bin\mysqld-nt.exe

    --
    End of file - 7283 bytes

    --------------------------------------------------------------------------------
    KASPERSKY ONLINE SCANNER 7 REPORT
    Thursday, December 25, 2008
    Operating System: Microsoft Windows 2000 Professional Service Pack 4 (build 2195)
    Kaspersky Online Scanner 7 version: 7.0.25.0
    Program database last update: Friday, December 26, 2008 00:20:00
    Records in database: 1515494
    --------------------------------------------------------------------------------

    Scan settings:
    Scan using the following database: extended
    Scan archives: yes
    Scan mail databases: yes

    Scan area - Critical Areas:
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup
    C:\Documents and Settings\GIGA1\Start Menu\Programs\Startup
    C:\Program Files
    C:\WINNT

    Scan statistics:
    Files scanned: 20481
    Threat name: 0
    Infected objects: 0
    Suspicious objects: 0
    Duration of the scan: 00:21:59

    No malware has been detected. The scan area is clean.

    The selected area was scanned.
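The two HijackThis logs in this thread show the two checks a helper normally does by eye: in the first log, the O4 entry `[CPM9b5057d7] Rundll32.exe "c:\winnt\system32\kohuhoro.dll",a` is the Vundo loader that Malwarebytes later removed (the ComboFix report lists a second one, `yujetata.dll`, already disabled under `run-`); in the second log, the clean re-scan still shows two new entries (AskBar BHO and a "Foxit Toolbar" pointing at `askBar.dll`) that arrived with the Foxit install and deserve a look even though no scanner flagged them. The script below, added here as an example and not part of the original posts or of any of the tools mentioned, automates both: it flags O4 autostarts where rundll32 loads a DLL out of the Windows directory that is not on a known-good list, and it diffs the before/after logs so that anything new is reviewed. The allow-list (`nvcpl.dll`, `nvmctray.dll`, taken from the NVIDIA entries in these logs) and the two log excerpts are constructed for the example; the Windows-directory heuristic is an assumption, not a rule from any vendor.

```python
"""Triage helper for HijackThis-style logs (added example, not from the thread).

1. flag_rundll32_autostarts(): O4 Run entries that launch a DLL via rundll32
   from the Windows directory when the DLL is not on a known-good list.
2. diff_logs(): which report lines appeared or disappeared between the log
   taken before cleanup and the one taken after.
"""
import re
from typing import NamedTuple


class Entry(NamedTuple):
    section: str  # HijackThis section tag, e.g. "O2", "O4", "R0"
    body: str     # everything after the "O4 - " prefix


# Report lines look like "O4 - HKLM\..\Run: [name] command" or "R0 - ...".
HJT_LINE = re.compile(r"^(R[0-3]|O\d{1,2})\s+-\s+(.+)$")
# O4 body: 'HKLM\..\Run: [CPM9b5057d7] Rundll32.exe "c:\winnt\system32\kohuhoro.dll",a'
O4_BODY = re.compile(r"^(?P<hive>.+?):\s+\[(?P<name>[^\]]+)\]\s+(?P<cmd>.+)$")
# rundll32 followed by the DLL it loads (quoted or bare), stopping at ",export".
RUNDLL = re.compile(r'(?i)rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+\.dll)')
# DPF download URLs carry a cache-buster that changes every scan; ignore it.
CACHE_BUSTER = re.compile(r"\?\d+$")

# Constructed allow-list (assumption): DLLs that legitimately run via rundll32
# on this machine; both are the NVIDIA control-panel entries from the logs.
KNOWN_RUNDLL_DLLS = {"nvcpl.dll", "nvmctray.dll"}


def parse_hjt(text: str) -> list[Entry]:
    """Keep only R*/O* report lines; headers and the process list are skipped."""
    entries = []
    for raw in text.splitlines():
        m = HJT_LINE.match(raw.strip())
        if m:
            entries.append(Entry(m.group(1), m.group(2)))
    return entries


def flag_rundll32_autostarts(entries: list[Entry]) -> list[tuple[str, str]]:
    """Return (Run value name, DLL path) for O4 entries where rundll32 loads a
    DLL from the Windows directory that is not on the allow-list."""
    hits = []
    for e in entries:
        if e.section != "O4":
            continue
        m = O4_BODY.match(e.body)
        if not m:
            continue  # Startup-folder entries have no [name] part
        r = RUNDLL.search(m.group("cmd"))
        if not r:
            continue
        dll = r.group("dll").strip()
        basename = dll.rsplit("\\", 1)[-1].lower()
        lowered = dll.lower()
        in_windows_dir = "\\winnt\\" in lowered or "\\windows\\" in lowered
        if in_windows_dir and basename not in KNOWN_RUNDLL_DLLS:
            hits.append((m.group("name"), dll))
    return hits


def normalize(e: Entry) -> str:
    """Canonical form of a report line so that only real changes show in a diff."""
    return f"{e.section} - {CACHE_BUSTER.sub('', e.body)}"


def diff_logs(before: str, after: str) -> tuple[list[str], list[str]]:
    """(added, removed) report lines between two HijackThis logs."""
    b = {normalize(e) for e in parse_hjt(before)}
    a = {normalize(e) for e in parse_hjt(after)}
    return sorted(a - b), sorted(b - a)


# Constructed excerpts of the thread's two logs (a few lines each).
LOG_BEFORE = r"""
Running processes:
C:\WINNT\System32\smss.exe
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [CPM9b5057d7] Rundll32.exe "c:\winnt\system32\kohuhoro.dll",a
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1211595917500
"""
LOG_AFTER = r"""
O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: Foxit Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1230220705906
"""

if __name__ == "__main__":
    for name, dll in flag_rundll32_autostarts(parse_hjt(LOG_BEFORE)):
        print(f"suspicious autostart: [{name}] loads {dll}")
    added, removed = diff_logs(LOG_BEFORE, LOG_AFTER)
    print("added since cleanup:", *added, sep="\n  ")
    print("removed since cleanup:", *removed, sep="\n  ")
```

On the excerpts above the first function reports only the `CPM9b5057d7` loader, and the diff lists the AskBar BHO and toolbar as new while the changed O16 cache-buster is filtered out. The allow-list approach is deliberately conservative: a rundll32 autostart from the Windows directory is normal for driver control panels, so the list of known DLLs has to be maintained per machine, and an unknown one is a prompt to check the file's publisher and creation date, not a verdict.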
