Virtumonde and DriveCleaner 2006



sccook
2007-09-12, 16:08
Hi,

I've followed the how-to steps, to the best of my ability. (System Restore is off due to other system issues.) I've run S&D 1.5 in Safe Mode 5 times, and both items refuse to go away. Do I need to keep running it? Anyway, here are the logs. I've had to truncate Kaspersky as it exceeded the post character limit (168k characters!). Thanks much.


********************************************

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Wednesday, September 12, 2007 8:29:52 AM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.93.1
Kaspersky Anti-Virus database last update: 12/09/2007
Kaspersky Anti-Virus database records: 412399
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\

Scan Statistics:
Total number of scanned objects: 177447
Number of viruses found: 8
Number of infected objects: 10
Number of suspicious objects: 0
Duration of the scan process: 02:01:38

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Network Associates\BOPDATA\_Date-20070911_Time-180838125_EnterceptExceptions.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Network Associates\BOPDATA\_Date-20070911_Time-180838125_EnterceptRules.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Network Associates\Common Framework\Db\Agent_3RDTIMELUCKY.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Network Associates\Common Framework\Db\PrdMgr_3RDTIMELUCKY.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Network Associates\VirusScan\AccessProtectionLog.txt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Network Associates\VirusScan\BufferOverflowProtectionLog.txt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Network Associates\VirusScan\OnAccessScanLog.txt Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\sccook\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\sccook\Local Settings\Application Data\Google\Google Desktop\0919ccad5693\dbc2e.ht1 Object is locked skipped
C:\Documents and Settings\sccook\Local Settings\Application Data\Google\Google Desktop\0919ccad5693\dbdam Object is locked skipped
C:\Documents and Settings\sccook\Local Settings\Application Data\Google\Google Desktop\0919ccad5693\dbdao Object is locked skipped
C:\Documents and Settings\sccook\Local Settings\Application Data\Google\Google Desktop\0919ccad5693\dbeam Object is locked skipped
C:\Documents and Settings\sccook\Local Settings\Application Data\Google\Google Desktop\0919ccad5693\dbeao Object is locked skipped
C:\Documents and Settings\sccook\Local Settings\Application Data\Google\Google Desktop\0919ccad5693\dbm Object is locked skipped
C:\Documents and Settings\sccook\Local Settings\Application Data\Google\Google Desktop\0919ccad5693\dbu2d.ht1 Object is locked skipped
C:\Documents and Settings\sccook\Local Settings\Application Data\Google\Google Desktop\0919ccad5693\dbvm.cf1 Object is locked skipped
C:\Documents and Settings\sccook\Local Settings\Application Data\Google\Google Desktop\0919ccad5693\dbvmh.ht1 Object is locked skipped
C:\Documents and Settings\sccook\Local Settings\Application Data\Google\Google Desktop\0919ccad5693\fii.cf1 Object is locked skipped
C:\Documents and Settings\sccook\Local Settings\Application Data\Google\Google Desktop\0919ccad5693\fiih.ht1 Object is locked skipped
C:\Documents and Settings\sccook\Local Settings\Application Data\Google\Google Desktop\0919ccad5693\hp Object is locked skipped
C:\Documents and Settings\sccook\Local Settings\Application Data\Google\Google Desktop\0919ccad5693\hpt2i.ht1 Object is locked skipped
C:\Documents and Settings\sccook\Local Settings\Application Data\Google\Google Desktop\0919ccad5693\rpm.cf1 Object is locked skipped
C:\Documents and Settings\sccook\Local Settings\Application Data\Google\Google Desktop\0919ccad5693\rpm1m.cf1 Object is locked skipped
C:\Documents and Settings\sccook\Local Settings\Application Data\Google\Google Desktop\0919ccad5693\rpm1mh.ht1 Object is locked skipped
C:\Documents and Settings\sccook\Local Settings\Application Data\Google\Google Desktop\0919ccad5693\rpmh.ht1 Object is locked skipped
C:\Documents and Settings\sccook\Local Settings\Application Data\Google\Google Desktop\0919ccad5693\safeweb\goog-black-enchashm.cf1 Object is locked skipped
C:\Documents and Settings\sccook\Local Settings\Application Data\Google\Google Desktop\0919ccad5693\safeweb\goog-black-enchashmh.ht1 Object is locked skipped
C:\Documents and Settings\sccook\Local Settings\Application Data\Google\Google Desktop\0919ccad5693\safeweb\goog-black-urlm.cf1 Object is locked skipped
C:\Documents and Settings\sccook\Local Settings\Application Data\Google\Google Desktop\0919ccad5693\safeweb\goog-black-urlmh.ht1 Object is locked skipped
C:\Documents and Settings\sccook\Local Settings\Application Data\Google\Google Desktop\0919ccad5693\safeweb\goog-malware-domainm.cf1 Object is locked skipped
C:\Documents and Settings\sccook\Local Settings\Application Data\Google\Google Desktop\0919ccad5693\safeweb\goog-malware-domainmh.ht1 Object is locked skipped
C:\Documents and Settings\sccook\Local Settings\Application Data\Google\Google Desktop\0919ccad5693\safeweb\goog-white-domainm.cf1 Object is locked skipped
C:\Documents and Settings\sccook\Local Settings\Application Data\Google\Google Desktop\0919ccad5693\safeweb\goog-white-domainmh.ht1 Object is locked skipped
C:\Documents and Settings\sccook\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped
C:\Documents and Settings\sccook\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\sccook\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\sccook\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\sccook\Local Settings\History\History.IE5\MSHist012007091120070912\index.dat Object is locked skipped
C:\Documents and Settings\sccook\Local Settings\Temp\Setup(0).exe Infected: Trojan-Downloader.Win32.ConHook.bg skipped
C:\Documents and Settings\sccook\Local Settings\Temp\Setup(1).exe Infected: Trojan-Downloader.Win32.Small.fox skipped
C:\Documents and Settings\sccook\Local Settings\Temp\Setup(4).exe Infected: not-a-virus:Downloader.Win32.WinFixer.m skipped
C:\Documents and Settings\sccook\Local Settings\Temp\temp.exe Infected: Trojan.Win32.Agent.bi skipped
C:\Documents and Settings\sccook\Local Settings\Temp\~DF3DE5.tmp Object is locked skipped
C:\Documents and Settings\sccook\Local Settings\Temp\~V5SFDYCLNTK.VbS Infected: Trojan.VBS.Runner.o skipped
C:\Documents and Settings\sccook\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\sccook\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\sccook\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\sccook\ntuser.dat.LOG Object is locked skipped
C:\NTDETECT.EXE Infected: Trojan.VBS.Runner.o skipped
C:\Program Files\World of Warcraft\Patches\WoW-2.1.3-to-2.2.0-enUS-Win-patch\wow-partial-1.MPQ Object is locked skipped
C:\Program Files\World of Warcraft\Patches\WoW-2.1.3-to-2.2.0-enUS-Win-patch\wow-partial-2.MPQ.part Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\ljiiif.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.kw skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\comdxm.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ke skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\sstqqnm.dll Infected: Trojan-Downloader.Win32.ConHook.bg skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
F:\CONFIG.SYS Object is locked skipped
F:\WINDOWS\Downloaded Program Files\gsda.dll Infected: not-a-virus:Downloader.Win32.SpyGame skipped

Scan process completed.

*********

Logfile of HijackThis v1.99.1
Scan saved at 9:44:05 AM, on 9/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\explorer.exe
C:\Documents and Settings\sccook\Desktop\DL's\HiJackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {67d30f0d-f4fb-4a99-92b0-adedb4cc49aa} - C:\WINDOWS\system32\comdxm.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: (no name) - {C6039E6C-BDE9-4de5-BB40-768CAA584FDC} - C:\WINDOWS\system32\tmp2E1.tmp.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [PtiuPbmd] Rundll32.exe ptipbm.dll,SetWriteBack
O4 - HKLM\..\Run: [WUSB54Gv2] C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\InvokeSvc3.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe"
O4 - HKLM\..\Run: [Ptipbmf] rundll32.exe ptipbmf.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [SystemOptimizer] rundll32.exe "C:\WINDOWS\ljiiif.dll",forkonce
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\WINDOWS\system32\comdxm.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\WINDOWS\system32\comdxm.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-3-48.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1176755849453
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1189176183328
O16 - DPF: {E36C5562-C4E0-4220-BCB2-1C671E3A5916} (Seagate SeaTools English Online) - file://D:\webpull\support\disc\ASP\tools\en\bin\npseatools.cab
O20 - AppInit_DLLs: c:\windows\system32\sstqqnm.dll
O20 - Winlogon Notify: comdxm - C:\WINDOWS\SYSTEM32\comdxm.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: Promise Array Message Agent (RAIDmAgt) - Promise Technology, Inc. - C:\Program Files\Promise Technology, Inc.\Promise Array Management\MsgAgt.exe
O23 - Service: Promise Array Message Server (RAIDmSvr) - Unknown owner - C:\Program Files\Promise Technology, Inc.\Promise Array Management\MsgSvr.exe
O23 - Service: WUSB54Gv2SVC - Unknown owner - C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe" "WUSB54Gv2.exe (file missing)
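The two logs above answer the "do I need to keep running it?" question if you read them together: comdxm.dll is registered as a BHO (O2), as an IE button (O9) and as a Winlogon Notify package (O20), sstqqnm.dll sits in AppInit_DLLs, and ljiiif.dll is launched from a Run key. Below is a small added triage script that does that cross-referencing automatically. It is example code written for this page, not part of the original post and not a feature of Spybot, HijackThis or Kaspersky; the two embedded log excerpts are constructed from a few lines of the reports above, and the scoring weights are an assumption of this example, not a published heuristic.

```python
import re
from collections import defaultdict

# Constructed excerpts (a few lines each, not the full reports) of the Kaspersky
# Online Scanner report and the HijackThis log posted above, embedded so the
# script runs offline. Only "Infected:" lines are detections; "Object is locked"
# lines are just files the scanner could not open.
KASPERSKY_EXCERPT = r"""
C:\WINDOWS\ljiiif.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.kw skipped
C:\WINDOWS\system32\comdxm.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ke skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\sstqqnm.dll Infected: Trojan-Downloader.Win32.ConHook.bg skipped
C:\NTDETECT.EXE Infected: Trojan.VBS.Runner.o skipped
"""

HJT_EXCERPT = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {67d30f0d-f4fb-4a99-92b0-adedb4cc49aa} - C:\WINDOWS\system32\comdxm.dll
O2 - BHO: (no name) - {C6039E6C-BDE9-4de5-BB40-768CAA584FDC} - C:\WINDOWS\system32\tmp2E1.tmp.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SystemOptimizer] rundll32.exe "C:\WINDOWS\ljiiif.dll",forkonce
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\WINDOWS\system32\comdxm.dll
O20 - AppInit_DLLs: c:\windows\system32\sstqqnm.dll
O20 - Winlogon Notify: comdxm - C:\WINDOWS\SYSTEM32\comdxm.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
"""

# Absolute Windows path ending in a loadable file; stops at a quote or end of line.
PATH_RE = re.compile(r'[A-Za-z]:\\[^"\r\n]*?\.(?:dll|exe|sys)\b', re.IGNORECASE)
INFECTED_RE = re.compile(r'^(?P<path>.+?)\s+Infected:\s+(?P<name>\S+)', re.IGNORECASE)
HJT_LINE_RE = re.compile(r'^([RO]\d+)\s+-\s+(.*)$')


def parse_kaspersky(report):
    """Return {lowercased path: detection name} for every 'Infected:' line."""
    hits = {}
    for line in report.splitlines():
        m = INFECTED_RE.match(line.strip())
        if m:
            hits[m.group('path').lower()] = m.group('name')
    return hits


def parse_hjt(log):
    """Return [(section, entry body, lowercased path)] for every HijackThis entry
    that names a file by absolute path. Entries such as 'rundll32.exe ptipbm.dll'
    carry no absolute path and are skipped."""
    entries = []
    for line in log.splitlines():
        m = HJT_LINE_RE.match(line.strip())
        if not m:
            continue
        section, body = m.groups()
        for path in PATH_RE.findall(body):
            entries.append((section, body, path.lower()))
    return entries


def triage(hjt_log, kaspersky_report):
    """Group load points by the file they launch and score each file.

    Score (weights assumed for this example): +3 if the scanner flagged the file,
    +1 per weak signal (unnamed BHO, AppInit_DLLs/Winlogon Notify, temp-style
    filename), +1 for every additional load point the same file is registered
    under. Redundant persistence is exactly why one removal pass leaves the
    file behind. Returns {path: info} for files with a non-zero score."""
    detections = parse_kaspersky(kaspersky_report)
    files = defaultdict(lambda: {'detection': None, 'load_points': [], 'reasons': []})
    for section, body, path in parse_hjt(hjt_log):
        info = files[path]
        info['load_points'].append(section)
        if section == 'O2' and '(no name)' in body:
            info['reasons'].append('BHO registered without a name')
        if section == 'O20':
            info['reasons'].append('loads via AppInit_DLLs or Winlogon Notify')

    result = {}
    for path, info in files.items():
        if '.tmp.' in path.rsplit('\\', 1)[-1]:
            info['reasons'].append('temp-style filename used as a load point')
        info['detection'] = detections.get(path)
        score = len(info['reasons']) + (len(info['load_points']) - 1)
        if info['detection']:
            score += 3
        if score:
            info['score'] = score
            result[path] = info
    return result


def ranked(hjt_log, kaspersky_report):
    """Suspicious files as (path, info) pairs, highest score first."""
    files = triage(hjt_log, kaspersky_report)
    return sorted(files.items(), key=lambda kv: (-kv[1]['score'], kv[0]))


if __name__ == '__main__':
    for path, info in ranked(HJT_EXCERPT, KASPERSKY_EXCERPT):
        print(f"{info['score']:>2}  {path}")
        print(f"    load points: {', '.join(info['load_points'])}")
        if info['detection']:
            print(f"    scanner:     {info['detection']}")
        for reason in info['reasons']:
            print(f"    - {reason}")
```

Run against the excerpts, comdxm.dll comes out on top with three load points, which is the practical point: a cleaner that deletes the file but leaves the Winlogon Notify and BHO registrations (or that cannot delete it at all because winlogon.exe has it mapped) will see it back after the next reboot. Also note that the unnamed BHO tmp2E1.tmp.dll scores on heuristics alone even though the scanner did not flag it, matching what VundoFix later removed.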

Shaba
2007-09-13, 17:16
Hi sccook

First of all, turn System Restore back on immediately.

After that:

Please download VundoFix.exe (http://www.atribune.org/ccount/click.php?id=4) to your desktop.
Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.
Please post the contents of C:\vundofix.txt and a new HiJackThis log in a reply to this thread.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.

1. Download combofix from one of these links:
Link1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link2 (http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe)
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

Post:

- a fresh HijackThis log
- combofix report
- vundofix report

sccook
2007-09-14, 14:34
Thank you so much for your reply. I really appreciate it. Here's the info you asked for:

****************************************

ComboFix 07-09-14.2 - "sccook" 2007-09-14 8:23:21.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1534 [GMT -4:00]
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\DOCUME~1\ALLUSE~1\APPLIC~1.\salesmonitor
C:\DOCUME~1\sccook\APPLIC~1\DriveCleaner Freeware
C:\DOCUME~1\sccook\APPLIC~1\DriveCleaner Freeware\Logs\update.log
C:\DOCUME~1\sccook\APPLIC~1\tmp2DF.tmp.exe
C:\DOCUME~1\sccook\APPLIC~1\tmp2E0.tmp.exe
C:\DOCUME~1\sccook\APPLIC~1\tmp2E1.tmp.exe
C:\DOCUME~1\sccook\Desktop\internet.lnk
C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\sstqr.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_DOMAINSERVICE


((((((((((((((((((((((((( Files Created from 2007-08-14 to 2007-09-14 )))))))))))))))))))))))))))))))
.

2007-09-14 08:22 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-09-14 08:11 <DIR> d-------- C:\VundoFix Backups
2007-09-13 08:04 <DIR> d-------- C:\!KillBox
2007-09-11 18:47 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-09-11 18:47 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Kaspersky Lab
2007-09-11 17:22 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-09-10 16:24 1,113,068 --a------ C:\WINDOWS\system32\dne446a1e6.dat
2007-09-10 15:25 89,088 --a------ C:\WINDOWS\system32\atl71.dll
2007-09-10 15:25 499,712 --a------ C:\WINDOWS\system32\msvcp71.dll
2007-09-10 15:25 348,160 --a------ C:\WINDOWS\system32\msvcr71.dll
2007-09-10 15:25 1,060,864 --a------ C:\WINDOWS\system32\mfc71.dll
2007-09-10 15:25 <DIR> d-------- C:\Program Files\Common Files\DriveCleaner Freeware
2007-09-10 15:10 <DIR> d-------- C:\Program Files\Shareaza
2007-09-10 15:10 <DIR> d-------- C:\DOCUME~1\sccook\APPLIC~1\Shareaza
2007-09-09 20:35 <DIR> d-------- C:\Program Files\TerraTec
2007-09-09 19:09 <DIR> d-------- C:\DOCUME~1\sccook\APPLIC~1\Steinberg
2007-09-09 19:04 598,016 --a------ C:\WINDOWS\system32\SYNSOPOS.exe
2007-09-09 19:04 348,160 --a------ C:\WINDOWS\system32\SYNSOACC.dll
2007-09-09 19:04 294,912 --a------ C:\WINDOWS\system32\SynsoNos.dll
2007-09-09 19:04 17,784 --a------ C:\WINDOWS\system32\drivers\NSynas32.sys
2007-09-09 19:04 16,896 --a------ C:\WINDOWS\system32\drivers\SynasUSB.sys
2007-09-09 19:03 <DIR> d-------- C:\Program Files\Steinberg
2007-09-07 18:32 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2007-08-26 16:38 <DIR> d-------- C:\DOCUME~1\sccook\APPLIC~1\Help
2007-08-26 16:34 <DIR> d-------- C:\New Folder
2007-08-26 15:02 58,368 --a------ C:\WINDOWS\pfpick.dll
2007-08-26 15:02 40,129 --a------ C:\WINDOWS\iccsigs.dat
2007-08-26 15:02 37,376 --a------ C:\WINDOWS\kpsys32.dll
2007-08-26 15:02 212,480 --a------ C:\WINDOWS\system32\pcdlib32.dll
2007-08-26 15:02 210,944 --a------ C:\WINDOWS\system32\MSVCRT10.DLL
2007-08-26 15:02 20,992 --a------ C:\WINDOWS\icccodes.dll
2007-08-26 15:02 196,608 --a------ C:\WINDOWS\kpcp32.dll
2007-08-26 15:02 133,120 --a------ C:\WINDOWS\sprof32.dll
2007-08-26 15:01 306,688 --a------ C:\WINDOWS\IsUninst.exe
2007-08-15 13:10 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\WinZip
2007-08-15 12:36 24,816 --a------ C:\WINDOWS\system32\mdimon.dll
2007-08-15 12:35 <DIR> d-------- C:\Program Files\Microsoft.NET
2007-08-15 12:35 <DIR> d-------- C:\Program Files\Microsoft ActiveSync
2007-08-15 12:33 <DIR> d-------- C:\WINDOWS\SHELLNEW
2007-08-15 10:04 <DIR> dr-h----- C:\MSOCache

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-09-09 19:20 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-08-02 18:15 --------- d-------- C:\Program Files\World of Warcraft
2007-07-22 13:54 --------- d-------- C:\DOCUME~1\sccook\APPLIC~1\Google
2007-07-22 09:50 --------- d-------- C:\Program Files\Google
2007-07-22 09:49 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Google
2007-07-21 20:56 --------- d-------- C:\DOCUME~1\sccook\APPLIC~1\Ventrilo
2007-07-18 20:35 --------- d-------- C:\Program Files\Ventrilo
2007-07-18 20:34 --------- d-------- C:\Program Files\Common Files\Wise Installation Wizard
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{67d30f0d-f4fb-4a99-92b0-adedb4cc49aa}]
C:\WINDOWS\system32\comdxm.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PtiuPbmd"="ptipbm.dll" [2003-01-15 19:41 C:\WINDOWS\system32\ptipbm.dll]
"WUSB54Gv2"="C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\InvokeSvc3.exe" [2004-04-19 09:19]
"ShStatEXE"="C:\Program Files\Network Associates\VirusScan\SHSTAT.exe" [2004-09-22 20:00]
"McAfeeUpdaterUI"="C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" [2004-08-06 03:50]
"Network Associates Error Reporting Service"="C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe" [2003-10-07 09:48]
"Ptipbmf"="ptipbmf.dll" [2003-06-20 15:06 C:\WINDOWS\system32\ptipbmf.dll]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2007-07-22 09:50]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-29 08:27]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 16:46]

C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\
Adobe Gamma Loader.exe.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-08-26 15:03:17]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe [2006-10-23 01:48:20]
Adobe Reader Synchronizer.lnk - C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe [2006-10-23 00:01:50]
WinZip Quick Pick.lnk - C:\Program Files\WinZip\WZQKPICK.EXE [2007-08-03 11:10:00]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\comdxm]
comdxm.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=c:\windows\system32\sstqqnm.dll

R0 viamraid;viamraid;C:\WINDOWS\system32\DRIVERS\viamraid.sys
R1 NaiAvTdi1;NaiAvTdi1;C:\WINDOWS\system32\drivers\mvstdi5x.sys
R2 Nsynas32;Nsynas32;C:\WINDOWS\system32\drivers\Nsynas32.sys
R3 BENDER;Pinnacle AV/DV2 Capture;C:\WINDOWS\system32\drivers\bender.sys
R3 EntDrv51;EntDrv51;\??\C:\WINDOWS\system32\drivers\EntDrv51.sys
R3 FTEventService;FTEVTBDG;\??\C:\Program Files\Promise Technology, Inc\Promise Array Management\FTEVTBDG.sys
S3 ews88mt;EWS88 WDM Audio;C:\WINDOWS\system32\drivers\ews88wdm.sys
S3 SynasUSB;SynasUSB;C:\WINDOWS\system32\drivers\SynasUSB.sys

*Newly Created Service* - ENTDRV51
.
**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-14 08:26:39
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-09-14 8:27:33 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-09-14 08:27
.
--- E O F ---

**************************************


VundoFix V6.5.8

Checking Java version...

Sun Java not detected
Scan started at 8:11:49 AM 9/14/2007

Listing files found while scanning....

C:\WINDOWS\fiiijl.ini
C:\WINDOWS\fiiijl.ini2
C:\WINDOWS\fiiijl.tmp
C:\WINDOWS\ljiiif.dll
C:\WINDOWS\system32\tmp2E1.tmp.dll

Beginning removal...

Attempting to delete C:\WINDOWS\fiiijl.ini
C:\WINDOWS\fiiijl.ini Has been deleted!

Attempting to delete C:\WINDOWS\fiiijl.ini2
C:\WINDOWS\fiiijl.ini2 Has been deleted!

Attempting to delete C:\WINDOWS\fiiijl.tmp
C:\WINDOWS\fiiijl.tmp Has been deleted!

Attempting to delete C:\WINDOWS\ljiiif.dll
C:\WINDOWS\ljiiif.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\tmp2E1.tmp.dll
C:\WINDOWS\system32\tmp2E1.tmp.dll Has been deleted!

Performing Repairs to the registry.
Done!


******************************************

Logfile of HijackThis v1.99.1
Scan saved at 8:29:13 AM, on 9/14/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\Program Files\Promise Technology, Inc\Promise Array Management\MsgAgt.exe
C:\Program Files\Promise Technology, Inc\Promise Array Management\MsgSvr.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54Gv2.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\InfoMyCa.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\sccook\Desktop\DL's\HiJackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {67d30f0d-f4fb-4a99-92b0-adedb4cc49aa} - C:\WINDOWS\system32\comdxm.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [PtiuPbmd] Rundll32.exe ptipbm.dll,SetWriteBack
O4 - HKLM\..\Run: [WUSB54Gv2] C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\InvokeSvc3.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe"
O4 - HKLM\..\Run: [Ptipbmf] rundll32.exe ptipbmf.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-3-48.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1176755849453
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1189176183328
O16 - DPF: {E36C5562-C4E0-4220-BCB2-1C671E3A5916} (Seagate SeaTools English Online) - file://D:\webpull\support\disc\ASP\tools\en\bin\npseatools.cab
O20 - AppInit_DLLs: c:\windows\system32\sstqqnm.dll
O20 - Winlogon Notify: comdxm - comdxm.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: Promise Array Message Agent (RAIDmAgt) - Promise Technology, Inc. - C:\Program Files\Promise Technology, Inc.\Promise Array Management\MsgAgt.exe
O23 - Service: Promise Array Message Server (RAIDmSvr) - Unknown owner - C:\Program Files\Promise Technology, Inc.\Promise Array Management\MsgSvr.exe
O23 - Service: WUSB54Gv2SVC - Unknown owner - C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe" "WUSB54Gv2.exe (file missing)
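
A triage pass over a HijackThis log of the kind posted above, added here as an example that is not part of the thread or of HijackThis itself. It parses the `Oxx - ...` entry format, applies a few generic review heuristics (a referenced file that is missing, an unnamed BHO, a non-empty AppInit_DLLs value, a Winlogon Notify or rundll32 DLL given without a full path, a service with no publisher), and correlates module names that persist through more than one mechanism. The sample lines are a constructed subset copied from the log above; the heuristics and the `GENERIC_HOSTS` list are assumptions of this example, and everything it reports is an item to review, not a verdict.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the HijackThis entries posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {67d30f0d-f4fb-4a99-92b0-adedb4cc49aa} - C:\WINDOWS\system32\comdxm.dll (file missing)
O4 - HKLM\..\Run: [PtiuPbmd] Rundll32.exe ptipbm.dll,SetWriteBack
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - AppInit_DLLs: c:\windows\system32\sstqqnm.dll
O20 - Winlogon Notify: comdxm - comdxm.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
"""

# "O20 - Winlogon Notify: ..." -> section "O20", body "Winlogon Notify: ..."
ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<body>.+)$")
# Basename of every .dll/.exe mentioned on a line (no path separators, brackets or quotes).
MODULE_RE = re.compile(r'([^\\\s\[\]"]+\.(?:dll|exe))', re.IGNORECASE)
# Host binaries that legitimately show up in many sections; assumption of this example.
GENERIC_HOSTS = {"rundll32.exe", "svchost.exe", "explorer.exe"}


def parse(log_text):
    """Return (section, body, raw_line) for each HijackThis entry line."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("section"), m.group("body"), line.strip()))
    return entries


def flags_for(section, body):
    """Generic review heuristics for one entry; returns a list of reasons (may be empty)."""
    reasons = []
    if "(file missing)" in body:
        reasons.append("references a file that is not on disk")
    if section == "O2" and body.startswith("BHO: (no name)"):
        reasons.append("unnamed browser helper object")
    if section == "O20" and body.startswith("AppInit_DLLs:") and body.split(":", 1)[1].strip():
        reasons.append("AppInit_DLLs injects this DLL into every process that loads user32.dll")
    if section == "O20" and body.startswith("Winlogon Notify:"):
        target = body.split(" - ", 1)[1] if " - " in body else ""
        if "\\" not in target:
            reasons.append("Winlogon Notify DLL given without a full path")
    if section == "O4" and re.search(r"\brundll32(\.exe)?\s+[^\\\s]+\.dll", body, re.IGNORECASE):
        reasons.append("Run entry loads a DLL via rundll32 without a full path")
    if section == "O23" and "Unknown owner" in body:
        reasons.append("service has no publisher information")
    return reasons


def module_names(body):
    return {m.lower() for m in MODULE_RE.findall(body)}


def cross_section_modules(entries):
    """Modules that appear under more than one HijackThis section (multiple persistence paths)."""
    seen = defaultdict(set)
    for section, body, _ in entries:
        for name in module_names(body):
            if name not in GENERIC_HOSTS:
                seen[name].add(section)
    return {name: sorted(secs) for name, secs in seen.items() if len(secs) > 1}


def triage(log_text):
    """Return ([(raw_line, [reasons]), ...], {module: [sections]})."""
    entries = parse(log_text)
    findings = [(raw, flags_for(sec, body)) for sec, body, raw in entries if flags_for(sec, body)]
    return findings, cross_section_modules(entries)


if __name__ == "__main__":
    findings, cross = triage(SAMPLE_LOG)
    for raw, reasons in findings:
        print(raw)
        for r in reasons:
            print("    -", r)
    for name, sections in cross.items():
        print(f"{name} persists via sections {', '.join(sections)}")
```

On the sample, the entries for comdxm.dll, sstqqnm.dll, the rundll32 Run key and the unowned service are listed for review, and comdxm.dll is reported as present under both O2 and O20; the legitimately signed Adobe BHO, ctfmon.exe and WgaLogon.dll produce nothing.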

Shaba
2007-09-14, 17:59
Hi

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows (http://www.xtra.co.nz/help/0,,4155-1916458,00.html)

Please click this link-->Jotti (http://virusscan.jotti.org/)

When the Jotti page has finished loading, click the Browse button and navigate to the following file and click Submit.

C:\WINDOWS\system32\dne446a1e6.dat

Please post back the results of the scan in your next post.

If Jotti is busy, try the same at Virustotal: http://www.virustotal.com/

Shaba
2007-09-21, 18:08
Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.