Need help with trojans please!!!



Slipdunk
2007-08-20, 07:55
I recently have had some nasties infect my computer including Virtumonde and win32.murlo.ff and probably a few more that the programs I have won't detect. I have pasted the most recent HJT report below, but please keep in mind that this is the only computer I have and it is on very slow dial-up, so some programs that you may request that I use may be difficult for me to download, and also that with these viruses, the computer tends to crash a little here and there. ALSO I should tell you that I downloaded a program called Vundofix.exe to *fix* Virtumonde and it found a bunch of files, deleted them, and said it was fixed, no longer shows up on any scans... Sorry to give you so much info, but I thought it might help....

Logfile of HijackThis v1.99.1
Scan saved at 1:29:52 AM, on 8/20/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
c:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Comodo\CBOClean\BOCORE.exe
C:\PROGRA~1\SPYWAR~1\sp_rsser.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\WINDOWS\system32\Atiptaxx.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Compaq\Compaq EAB Software\cpqek.exe
C:\PROGRA~1\SPYWAR~1\SpywareTerminatorShield.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Accelerated Access\aaccess.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Nancy\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5400
F3 - REG:win.ini: load=
F3 - REG:win.ini: run=
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: PBlockHelper Class - {4115122B-85FF-4DD3-9515-F075BEDE5EB5} - C:\Program Files\Accelerated Access\PBHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {C84D8A0A-E708-42B6-90CA-9C30956A87C6} - C:\WINDOWS\system32\yayxvuu.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [ATIPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [Windows Defender] "c:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [cpqek] C:\Program Files\Compaq\Compaq EAB Software\cpqek.exe
O4 - HKLM\..\Run: [SpywareTerminator] "C:\PROGRA~1\SPYWAR~1\SpywareTerminatorShield.exe"
O4 - HKLM\..\Run: [BOC-425] C:\PROGRA~1\Comodo\CBOClean\BOC425.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MCW Startup] "C:\Program Files\Monitor Calibration Wizard\MCW.exe" /s
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Uniserve Accelerated Access.lnk
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{0DD421E6-C0E5-4E1C-BC7C-F6D62BD4F885}: NameServer = 198.6.1.125 198.6.100.125
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: winqzp32 - C:\WINDOWS\SYSTEM32\winqzp32.dll
O20 - Winlogon Notify: yayxvuu - C:\WINDOWS\SYSTEM32\yayxvuu.dll
O23 - Service: BOCore - COMODO - C:\Program Files\Comodo\CBOClean\BOCORE.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: SiSoftware Database Agent Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite XIb\Win32\RpcDataSrv.exe
O23 - Service: SiSoftware Sandra Agent Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite XIb\RpcSandraSrv.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\PROGRA~1\SPYWAR~1\sp_rsser.exe

I am going to run Spybot S&D to see what it comes up with...I appreciate all your help in advance.

Slipdunk
2007-08-20, 08:26
Okay, I just ran Spybot S&D and it came up with Virtumonde, PWSLDPinchIE, Casalemedia, and Advertising.com...Getting frustrated.....

I will wait patiently for a response, and I appreciate all of your help in advance.

Slipdunk
2007-08-20, 19:44
I just ran those two programs, and the computer runs much better, but I would still appreciate it if someone could take a look at the reports for me just to verify whether or not everything is ok.


SDFix: Version 1.99

Run by Nancy on Mon 08/20/2007 at 12:38 PM

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:

Name:
ntio256
NtmlSvc
runtime

ImagePath:
\??\C:\WINDOWS\system32\ntio256.sys
%SystemRoot%\System32\svchost.exe -k netsvcs
\??\C:\WINDOWS\System32\drivers\runtime.sys

ntio256 - Deleted
NtmlSvc - Deleted
runtime - Deleted



Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...

Service runtime2 - Deleted after Reboot

Normal Mode:
Checking Files:

Trojan Files Found:

C:\147935~1 - Deleted
C:\Documents and Settings\Nancy\Application Data\Install.dat - Deleted
C:\WINDOWS\system32\8_exception.nls - Deleted
C:\WINDOWS\system32\ntio256.sys - Deleted
C:\WINDOWS\Temp\startdrv.exe - Deleted
C:\WINDOWS\system32\drivers\runtime2.sys - Deleted



Removing Temp Files...

ADS Check:

C:\WINDOWS
No streams found.

C:\WINDOWS\system32
No streams found.

C:\WINDOWS\system32\svchost.exe
No streams found.

C:\WINDOWS\system32\ntoskrnl.exe
No streams found.



Final Check:

Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\BitTorrent\\bittorrent.exe"="C:\\Program Files\\BitTorrent\\bittorrent.exe:*:Enabled:BitTorrent"
"C:\\Program Files\\SiSoftware\\SiSoftware Sandra Lite XIb\\RpcSandraSrv.exe"="C:\\Program Files\\SiSoftware\\SiSoftware Sandra Lite XIb\\RpcSandraSrv.exe:*:Enabled:SiSoftware Sandra Agent Service"
"C:\\Program Files\\SiSoftware\\SiSoftware Sandra Lite XIb\\Win32\\RpcDataSrv.exe"="C:\\Program Files\\SiSoftware\\SiSoftware Sandra Lite XIb\\Win32\\RpcDataSrv.exe:*:Enabled:SiSoftware Database Agent Service"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Disabled:iTunes"
"C:\\WINDOWS\\system32\\sessmgr.exe"="C:\\WINDOWS\\system32\\sessmgr.exe:*:Disabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Soulseek\\slsk.exe"="C:\\Program Files\\Soulseek\\slsk.exe:*:Disabled:SoulSeek"
"C:\\Program Files\\Morpheus\\Morpheus.exe"="C:\\Program Files\\Morpheus\\Morpheus.exe:*:Enabled:Morpheus"
"C:\\Program Files\\NetMeeting\\conf.exe"="C:\\Program Files\\NetMeeting\\conf.exe:*:Enabled:Windows® NetMeeting®"
"C:\\Program Files\\Azureus\\Azureus.exe"="C:\\Program Files\\Azureus\\Azureus.exe:*:Enabled:Azureus"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"C:\\WINDOWS\\TEMP\\win3F.tmp.exe"="C:\\WINDOWS\\TEMP\\win3F.tmp.exe:*:Enabled:win3F.tmp"
"C:\\WINDOWS\\TEMP\\winDD.tmp.exe"="C:\\WINDOWS\\TEMP\\winDD.tmp.exe:*:Enabled:winDD.tmp"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"

Remaining Files:
---------------

File Backups: - C:\SDFix\backups\backups.zip
Registry Backups: - C:\SDFix\backups\backupreg.zip
Full Registry Backup: - C:\WINDOWS\ERUNT\SDFIX\ERDNT.EXE

Files with Hidden Attributes:

C:\Documents and Settings\Nancy\Local Settings\Application Data\Microsoft\Messenger\slipdunk2@hotmail.com\Sharing Folders\juggaspike@hotmail.com\New Folder (3)\Thumbs.db
C:\Documents and Settings\Nancy\Desktop\Docs & Pics\eBayISAPI.dll_files\Thumbs.db
C:\WINDOWS\system32\ydlqpvsx.dllbox
C:\Program Files\Common Files\Yazzle1162OinUninstaller.exe
C:\Program Files\M?crosoft.NET\attrib.exe
C:\WINDOWS\SoftwareDistribution\Download\4bff3a39d84c79b75274c24d8341568c\download\BITA4.tmp
C:\WINDOWS\SoftwareDistribution\Download\deb995e7b7d2953ec6904bd5047bd45f\BIT97.tmp
C:\WINDOWS\Temps\$b17a2e8.tmp

Finished


ComboFix 07-08-17.2 - "Nancy" 2007-08-20 12:55:57.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.48 [GMT -4:00]


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\DOCUME~1\Nancy\Desktop.\internet explorer.lnk
C:\Program Files\Common Files\Yazzle1162OinUninstaller.exe
C:\Program Files\mcroso~1.net
C:\Program Files\mcroso~1.net\attrib.exe
C:\Program Files\mcroso~1.net\M?crosoft.NET\
C:\WINDOWS\system32\winqzp32.dll
C:\WINDOWS\system32\yayvv.dll


((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\nm


((((((((((((((((((((((((( Files Created from 2007-07-20 to 2007-08-20 )))))))))))))))))))))))))))))))


2007-08-20 12:53 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-20 12:37 <DIR> d-------- C:\WINDOWS\ERUNT
2007-08-20 02:02 298,080 --a------ C:\WINDOWS\system32\mljkj.dll
2007-08-20 01:01 298,080 --a------ C:\WINDOWS\system32\xxyya.dll
2007-08-19 23:41 298,080 --a------ C:\WINDOWS\system32\byxut.dll
2007-08-19 22:41 298,080 --a------ C:\WINDOWS\system32\hggde.dll
2007-08-19 16:54 6,401 ---hs---- C:\WINDOWS\system32\qstss.bak1
2007-08-19 16:52 298,080 --a------ C:\WINDOWS\system32\sstsq.dll
2007-08-19 15:42 6,345 ---hs---- C:\WINDOWS\system32\orrqr.bak1
2007-08-19 15:41 298,080 --a------ C:\WINDOWS\system32\rqrro.dll
2007-08-18 22:23 298,080 --a------ C:\WINDOWS\system32\yabyx.dll
2007-08-17 19:06 298,080 --a------ C:\WINDOWS\system32\cbxwx.dll
2007-08-17 17:11 43,542 --a------ C:\WINDOWS\system32\opnnnol.dll
2007-08-17 17:05 298,080 --a------ C:\WINDOWS\system32\cbxxw.dll
2007-08-17 11:20 243,296 --a------ C:\WINDOWS\system32\tusrq.dll
2007-08-17 02:12 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\BOC425
2007-08-17 01:32 235,008 --a------ C:\WINDOWS\UNBOC.EXE
2007-08-17 01:32 208,896 --a------ C:\WINDOWS\CMDLIC.DLL
2007-08-17 01:32 <DIR> d-------- C:\Program Files\Comodo
2007-08-17 01:28 <DIR> d-------- C:\Program Files\SpywareBlaster
2007-08-17 01:10 <DIR> d-------- C:\VundoFix Backups
2007-08-16 13:52 949,340 ---hs---- C:\WINDOWS\system32\mmoqr.bak2
2007-08-16 13:25 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-08-16 12:12 38 --a------ C:\DOCUME~1\Nancy\delete.bat
2007-08-15 17:58 43,542 --a------ C:\WINDOWS\system32\jkkifgf.dll
2007-08-15 17:22 43,542 --a------ C:\WINDOWS\system32\yayxvuu.dll
2007-08-15 15:17 138,624 --a------ C:\WINDOWS\system32\drivers\sp_rsdrv2.sys
2007-08-15 15:07 <DIR> d-------- C:\Program Files\Spyware Terminator
2007-08-15 15:07 <DIR> d-------- C:\DOCUME~1\Nancy\APPLIC~1\Spyware Terminator
2007-08-15 15:07 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spyware Terminator
2007-08-14 11:58 3,968 --a------ C:\WINDOWS\system32\drivers\AvgArCln.sys
2007-08-14 11:17 <DIR> d-------- C:\Program Files\Windows Defender
2007-08-14 10:24 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Office Genuine Advantage
2007-08-14 04:22 93,696 --a------ C:\WINDOWS\system32\drvbep.dll
2007-08-14 03:41 131,680 --a------ C:\WINDOWS\system32\tuvuv.dll
2007-08-13 12:09 19,845 --a------ C:\WINDOWS\system32\drivers\Cpqdfw.sys
2007-08-13 12:09 18,208 --a------ C:\WINDOWS\system32\drivers\CQ_MEM.SYS
2007-08-13 12:09 154,436 --a------ C:\WINDOWS\system32\drivers\Cqcpu.sys
2007-08-13 12:09 <DIR> d-------- C:\WINDOWS\cpqdiag
2007-08-06 12:55 <DIR> d-------- C:\Program Files\Wisdom-soft ScreenHunter 5 Free
2007-07-26 10:34 <DIR> d-------- C:\Program Files\Accelerated Access


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-08-16 14:53 --------- d-------- C:\Program Files\themexp
2007-08-13 13:08 --------- d-------- C:\Program Files\Compaq
2007-08-13 12:09 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-07-28 18:45 --------- d-------- C:\Program Files\Winamp
2007-07-28 12:21 --------- d-------- C:\Program Files\MSN Messenger
2007-07-18 14:17 --------- d-------- C:\DOCUME~1\Nancy\APPLIC~1\Apple Computer
2007-05-02 04:00 1638400 --a------ C:\WINDOWS\prefetch\325-6546-67445\4548454-75474-6745\yopza_v500(2).exe


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C84D8A0A-E708-42B6-90CA-9C30956A87C6}]
2007-08-15 17:22 43542 --a------ C:\WINDOWS\system32\yayxvuu.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe" [2005-06-03 03:52]
"ATIPTA"="Atiptaxx.exe" [2001-09-19 13:20 C:\WINDOWS\system32\atiptaxx.exe]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2007-04-25 11:44]
"Windows Defender"="c:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20]
"cpqek"="C:\Program Files\Compaq\Compaq EAB Software\cpqek.exe" [2002-03-01 10:40]
"SpywareTerminator"="C:\PROGRA~1\SPYWAR~1\SpywareTerminatorShield.exe" [2007-08-15 15:07]
"BOC-425"="C:\PROGRA~1\Comodo\CBOClean\BOC425.exe" [2007-08-08 19:49]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 08:00]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24]
"MCW Startup"="C:\Program Files\Monitor Calibration Wizard\MCW.exe" [2002-12-20 18:06]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2005-05-31 01:04]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Uniserve Accelerated Access.lnk - C:\Program Files\Accelerated Access\aaccess.exe [2007-07-26 10:34:52]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{C84D8A0A-E708-42B6-90CA-9C30956A87C6}"= C:\WINDOWS\system32\yayxvuu.dll [2007-08-15 17:22 43542]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\yayxvuu]
yayxvuu.dll 2007-08-15 17:22 43542 C:\WINDOWS\system32\yayxvuu.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HijackThis startup scan]
C:\Documents and Settings\Nancy\Desktop\HijackThis.exe /startupscan

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Media Codec Update Service]
C:\Program Files\Essentials Codec Pack\update.exe -silent

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RegistryMechanic]


R1 ClntMgmt.sys;ClntMgmt;C:\WINDOWS\system32\Drivers\ClntMgmt.sys
R1 sp_rsdrv2;Spyware Terminator Driver 2;\??\C:\WINDOWS\system32\drivers\sp_rsdrv2.sys
R2 cpqdfw;Diagnostics Driver;\??\C:\WINDOWS\system32\drivers\cpqdfw.sys
R2 cq_mem;Diagnostics Memory Driver;\??\C:\WINDOWS\system32\drivers\cq_mem.sys
R2 cqcpu;Diagnostics CPU Driver;\??\C:\WINDOWS\system32\drivers\cqcpu.sys
R2 CseMgmt.sys;Compaq Service and Support Driver;\??\C:\WINDOWS\system32\drivers\csemgmt.sys
R3 ati2mpab;ati2mpab;C:\WINDOWS\system32\DRIVERS\ati2mpab.sys
R3 BOCDRIVE;BOClean Kernel Monitor.;\??\C:\Program Files\Comodo\CBOClean\BOCDRIVE.sys
R3 Maestro;ESS Maestro2E Audio Driver (WDM);C:\WINDOWS\system32\drivers\essm2e.sys
S3 hexmagic;hexmagic;\??\C:\WINDOWS\system32\drivers\hexmagic.sys
S3 LSWPCv4;Wireless-B Notebook Adapter Driver;C:\WINDOWS\system32\DRIVERS\LSRTNDS.SYS
S3 MSW;Microsoft Broadband Networking Driver;C:\WINDOWS\system32\DRIVERS\MSWNDS51.sys
S3 NSNDIS5;NSNDIS5 NDIS Protocol Driver;\??\C:\WINDOWS\system32\NSNDIS5.SYS
S3 RTCore32;RTCore32;\??\C:\Documents and Settings\Nancy\Desktop\rm clock\RTCore32.sys
S3 SANDRA;SANDRA;\??\C:\Program Files\SiSoftware\SiSoftware Sandra Lite XIb\Sandra.sys
S3 SNPP106;PC Camera (6029 CIF);C:\WINDOWS\system32\DRIVERS\snpp106.sys


Contents of the 'Scheduled Tasks' folder
2007-04-27 16:13:25 C:\WINDOWS\Tasks\Critical Battery Alarm Program.job

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-20 13:07:58
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-08-20 13:13:16 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-08-20 13:13

--- E O F ---



I just ran a Quick Scan in Windows Defender and it came up with Virtumonde.o Time: 1:35pm I quarantined the file with Windows Defender and it said that it had been quarantined....now what???
I am going to run Spybot S&D again to see what it comes up with.

Slipdunk
2007-08-21, 18:54
Logfile of HijackThis v1.99.1
Scan saved at 12:52:34 PM, on 8/21/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
c:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Comodo\CBOClean\BOCORE.exe
C:\PROGRA~1\SPYWAR~1\sp_rsser.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\WINDOWS\system32\Atiptaxx.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Compaq\Compaq EAB Software\cpqek.exe
C:\PROGRA~1\SPYWAR~1\SpywareTerminatorShield.exe
C:\PROGRA~1\Comodo\CBOClean\BOC425.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Accelerated Access\aaccess.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Nancy\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5400
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: PBlockHelper Class - {4115122B-85FF-4DD3-9515-F075BEDE5EB5} - C:\Program Files\Accelerated Access\PBHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {C84D8A0A-E708-42B6-90CA-9C30956A87C6} - C:\WINDOWS\system32\yayxvuu.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [ATIPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [Windows Defender] "c:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [cpqek] C:\Program Files\Compaq\Compaq EAB Software\cpqek.exe
O4 - HKLM\..\Run: [SpywareTerminator] "C:\PROGRA~1\SPYWAR~1\SpywareTerminatorShield.exe"
O4 - HKLM\..\Run: [BOC-425] C:\PROGRA~1\Comodo\CBOClean\BOC425.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MCW Startup] "C:\Program Files\Monitor Calibration Wizard\MCW.exe" /s
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Uniserve Accelerated Access.lnk
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{0DD421E6-C0E5-4E1C-BC7C-F6D62BD4F885}: NameServer = 198.6.1.125 198.6.100.125
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: yayxvuu - C:\WINDOWS\SYSTEM32\yayxvuu.dll
O23 - Service: BOCore - COMODO - C:\Program Files\Comodo\CBOClean\BOCORE.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: SiSoftware Database Agent Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite XIb\Win32\RpcDataSrv.exe
O23 - Service: SiSoftware Sandra Agent Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite XIb\RpcSandraSrv.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\PROGRA~1\SPYWAR~1\sp_rsser.exe

12:53 PM 8/21/2007

Slipdunk
2007-08-21, 20:02
Here is my most recent HJT report, but please keep in mind that I am on dial up, so I can't download large programs very easily.

Logfile of HijackThis v1.99.1
Scan saved at 2:00:24 PM, on 8/21/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
c:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Comodo\CBOClean\BOCORE.exe
C:\PROGRA~1\SPYWAR~1\sp_rsser.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\WINDOWS\system32\Atiptaxx.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Compaq\Compaq EAB Software\cpqek.exe
C:\PROGRA~1\SPYWAR~1\SpywareTerminatorShield.exe
C:\PROGRA~1\Comodo\CBOClean\BOC425.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Accelerated Access\aaccess.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Nancy\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5400
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: PBlockHelper Class - {4115122B-85FF-4DD3-9515-F075BEDE5EB5} - C:\Program Files\Accelerated Access\PBHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {C84D8A0A-E708-42B6-90CA-9C30956A87C6} - C:\WINDOWS\system32\yayxvuu.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [ATIPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [Windows Defender] "c:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [cpqek] C:\Program Files\Compaq\Compaq EAB Software\cpqek.exe
O4 - HKLM\..\Run: [SpywareTerminator] "C:\PROGRA~1\SPYWAR~1\SpywareTerminatorShield.exe"
O4 - HKLM\..\Run: [BOC-425] C:\PROGRA~1\Comodo\CBOClean\BOC425.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MCW Startup] "C:\Program Files\Monitor Calibration Wizard\MCW.exe" /s
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Uniserve Accelerated Access.lnk
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{0DD421E6-C0E5-4E1C-BC7C-F6D62BD4F885}: NameServer = 198.6.1.125 198.6.100.125
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: yayxvuu - C:\WINDOWS\SYSTEM32\yayxvuu.dll
O23 - Service: BOCore - COMODO - C:\Program Files\Comodo\CBOClean\BOCORE.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: SiSoftware Database Agent Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite XIb\Win32\RpcDataSrv.exe
O23 - Service: SiSoftware Sandra Agent Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite XIb\RpcSandraSrv.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\PROGRA~1\SPYWAR~1\sp_rsser.exe

tashi
2007-08-21, 23:08
Hello.

Apparently you have missed our stickied topics.

"BEFORE you POST"(READ this Procedure BEFORE Requesting Assistance) (http://forums.spybot.info/showthread.php?t=288)

Please Post ONLY The Logs We Ask For, (http://forums.spybot.info/showthread.php?t=16806)

Please see: The Waiting Room: Post here if waiting for help longer than four days (http://forums.spybot.info/forumdisplay.php?f=37)

We usually get to people before that, however by posting so much one may cause a delay. :eek:

Regards.

Slipdunk
2007-08-22, 09:16
I still need help. My computer is messed up and I can't fix it. I am on DIAL-UP internet, so I cannot use the Kaspersky Online Scanner as it just takes TOO long to run.
I do have the latest Trendmicro HJT installed. The problems I am having are: slow computer performance, randomly named .dll's and other files, unknown BHOs, un-removable files and more... I recently had Virtumonde, and I downloaded Vundofix.exe to "fix" Virtumonde, but it came back as Virtumonde.o; Windows Defender detected it and put it into quarantine. Currently I have no anti-virus program, but I have installed: latest Spybot S&D, Spyware Terminator, Comodo BOClean v4.25, Spyware Blaster, AVG anti-rootkit free, and I also have downloaded SDFix.exe and Combofix.exe

I would really appreciate some help. Thanks.

tashi
2007-09-03, 20:28
Hello.

Because of the volume of posts to your own topic, helpers may have thought you were already being assisted.

As posted previously, for people waiting who have not resolved their problem, we have a sticky topic:
The Waiting Room: Post here if waiting for help longer than four days (http://forums.spybot.info/forumdisplay.php?f=37)

However if members waiting for assistance do not post there, their topic is archived after seven days.

If you need the thread re-opened, please send me a private message (pm) and provide a link.