zlob/virtumonde problems



guiseppe
2008-04-18, 18:08
I've been fighting to clear this problem for a friend. I've updated Symantec AV and run that; I also ran a fresh copy of S&D (updated), and after rebooting I consistently have trojans (ZLOB) showing up. This is causing the AV to hang and preventing Explorer from running and giving me a desktop. Running in safe mode has allowed me to run S&D and the AV (again updated), and AGAIN I get the problems listed above.

I've installed SpywareBlaster for her, and am copying the ComboFix log for your advice. Thanks for all your assistance!

ComboFix 08-04-17.1 - Barb 04/18/2008 8:29:07.1 - NTFSx86 NETWORK
Running from: C:\Documents and Settings\Barb\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\Program Files\PC-Cleaner
C:\WINNT\pskt.ini
C:\WINNT\resources\CDBoot.dll
C:\WINNT\rs.txt
C:\WINNT\system32\215651\215651.dll
C:\WINNT\system32\byXQICVl.dll
C:\WINNT\system32\drivers\spools.exe
C:\WINNT\system32\geBuSJbx.dll
C:\WINNT\system32\hwfrlusv.ini
C:\WINNT\system32\ljJAPJDW.dll
C:\WINNT\system32\lVCIQXyb.ini
C:\WINNT\system32\lVCIQXyb.ini2
C:\WINNT\system32\mcrh.tmp
C:\WINNT\system32\msram.dll
C:\WINNT\system32\rqRIyXOG.dll
C:\WINNT\Web\default.htt

----- BITS: Possible infected sites -----

hxxp://flyvideonetwork.com
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_Schedule
-------\Schedule


((((((((((((((((((((((((( Files Created from 2008-03-18 to 2008-04-18 )))))))))))))))))))))))))))))))
.

2008-04-18 08:22 . 08-04-18 08:22 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-04-18 08:22 . 05-08-25 18:19 115,920 --a------ C:\WINNT\system32\MSINET.OCX
2008-04-18 08:03 . 08-04-18 08:03 44,846 --a------ C:\Documents and Settings\Barb\cftmon.exe
2008-04-17 10:14 . 08-04-17 10:14 <DIR> d-------- C:\Documents and Settings\Barb\Application Data\TmpRecentIcons
2008-04-17 08:52 . 08-04-16 01:07 335,872 --a------ C:\WINNT\omlbpkaw.dll
2008-04-17 08:52 . 08-04-16 01:07 290,816 --a------ C:\WINNT\pmsoarbf.dll
2008-04-17 08:52 . 08-04-16 01:07 286,720 --a------ C:\WINNT\lgmxvpatfbo.dll
2008-04-17 08:52 . 08-04-16 01:07 200,704 --a------ C:\WINNT\qtvglped.dll
2008-04-17 08:52 . 08-04-16 01:07 98,304 --a------ C:\WINNT\rtqmekwg.exe
2008-04-17 08:52 . 08-04-16 01:07 98,304 --a------ C:\WINNT\npqtsrak.exe
2008-04-15 03:12 . 08-04-15 03:12 49 --a------ C:\smp.bat
2008-04-14 07:32 . 08-04-14 07:32 1,160 --a------ C:\WINNT\mozver.dat
2008-04-14 07:17 . 08-04-17 17:49 101,156 --a------ C:\WINNT\BM4f069c17.xml
2008-04-14 02:38 . 08-04-14 02:38 0 --a------ C:\WINNT\nsreg.dat
2008-04-14 02:35 . 08-04-14 05:40 <DIR> d-------- C:\SDFix
2008-04-14 01:27 . 08-04-14 01:27 <DIR> d-------- C:\Program Files\Enigma Software Group
2008-04-14 00:34 . 02-05-15 15:16 462,848 --a------ C:\WINNT\system32\msaatext.dll
2008-04-14 00:34 . 02-05-15 15:16 360,448 --a------ C:\WINNT\system32\oleacc.dll
2008-04-14 00:34 . 02-05-15 15:16 360,448 --a--c--- C:\WINNT\system32\dllcache\oleacc.dll
2008-04-14 00:34 . 02-05-15 15:16 356,352 --a------ C:\WINNT\system32\oleaccrc.dll
2008-04-14 00:34 . 02-05-15 15:16 356,352 --a--c--- C:\WINNT\system32\dllcache\oleaccrc.dll
2008-04-14 00:25 . 08-04-14 00:25 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-04-13 21:09 . 08-04-18 08:34 <DIR> d-------- C:\WINNT\Resources
2008-04-13 19:49 . 08-04-18 08:34 <DIR> d-a------ C:\WINNT\system32\215651
2008-04-13 19:49 . 08-04-17 08:13 <DIR> d-------- C:\Program Files\NetProject.badvirus
2008-04-13 19:13 . 08-04-13 16:32 217,088 --a------ C:\WINNT\dsktbwfe.dll
2008-04-13 19:13 . 08-04-13 16:32 212,992 --a------ C:\WINNT\nslbvxpgagr.dll
2008-04-13 19:13 . 08-04-13 16:32 172,032 --a------ C:\WINNT\ogxtsepr.dll
2008-04-13 19:13 . 08-04-13 16:33 81,920 --a------ C:\WINNT\spnkfwad.exe
2008-04-13 19:09 . 08-04-13 19:09 94,208 --a------ C:\WINNT\system32\befqdivs.exe
2008-04-13 19:07 . 08-04-13 19:07 2 --a------ C:\1278586660
2008-04-04 20:34 . 08-02-22 03:33 69,632 --a------ C:\WINNT\system32\javacpl.cpl
2008-03-29 20:16 . 04-02-23 21:42 1,386,496 --a------ C:\WINNT\system32\MSVBVM60.DLL
2008-03-29 19:55 . 08-03-29 19:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PC Drivers HeadQuarters
2008-03-22 22:50 . 08-03-22 22:50 <DIR> d-------- C:\Program Files\Oberon Media
2008-03-20 18:22 . 08-03-20 18:22 <DIR> d-------- C:\PSFonts
2008-03-20 18:22 . 08-04-06 21:04 <DIR> d-------- C:\Program Files\Finale NotePad 2007

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-18 14:51 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-04-17 16:28 --------- d---a-w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-17 16:27 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-04-17 14:27 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-04-14 06:28 --------- d-----w C:\Program Files\MySpace
2008-04-14 04:01 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-14 03:59 --------- d-----w C:\Program Files\Microsoft AntiSpyware
2008-04-14 03:57 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-04-05 03:34 --------- d-----w C:\Program Files\Java
2008-03-02 09:27 --------- d-----w C:\Documents and Settings\All Users\Application Data\SpinTop Games
2005-04-09 14:19 271 ---h--w C:\Program Files\desktop.ini
2005-04-09 14:19 21,952 ---h--w C:\Program Files\folder.htt
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{53952518-97B4-4885-B7D6-3A274DB20792}]
08-04-13 16:32 212992 --a------ C:\WINNT\nslbvxpgagr.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{51D81DD5-55B7-497F-95DB-D356429BB54E}"= "C:\Program Files\NetProject\wamdl.dll" [ ]
"{10BDE5C9-141F-4536-86D4-56883348BBA1}"= "C:\DOCUME~1\Barb\LOCALS~1\Temp\ac8zt2\sgoblxtm.dll" [ ]
"{74E5E4E8-79DD-49AC-B64B-E74822D5F3CD}"= "C:\DOCUME~1\Barb\LOCALS~1\Temp\ac8zt2\qtvglped.dll" [ ]

[HKEY_CLASSES_ROOT\clsid\{51d81dd5-55b7-497f-95db-d356429bb54e}]

[HKEY_CLASSES_ROOT\clsid\{10bde5c9-141f-4536-86d4-56883348bba1}]
[HKEY_CLASSES_ROOT\sgoblxtm.1]
[HKEY_CLASSES_ROOT\TypeLib\{575D6631-F4C7-41F9-B10D-B2A3B5E3CC3C}]
[HKEY_CLASSES_ROOT\sgoblxtm]

[HKEY_CLASSES_ROOT\clsid\{74e5e4e8-79dd-49ac-b64b-e74822d5f3cd}]
[HKEY_CLASSES_ROOT\qtvglped.1]
[HKEY_CLASSES_ROOT\TypeLib\{C93DB567-3F35-408F-8DE6-2B570DB6A5A0}]
[HKEY_CLASSES_ROOT\qtvglped]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{51D81DD5-55B7-497F-95DB-D356429BB54E}"= C:\Program Files\NetProject\wamdl.dll [ ]

[HKEY_CLASSES_ROOT\clsid\{51d81dd5-55b7-497f-95db-d356429bb54e}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [ ]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [06-11-30 22:49 4662776]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [08-01-28 11:43 2097488]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"SpybotDeletingB5934"="command /c del C:\WINNT\system32\byXQICVl.dll" [ ]
"SpybotDeletingD4026"="cmd /c del C:\WINNT\system32\byXQICVl.dll" [ ]
"SpybotDeletingB9949"="command /c del C:\WINNT\system32\ptijpbik.dll_old" [ ]
"SpybotDeletingD6433"="cmd /c del C:\WINNT\system32\ptijpbik.dll_old" [ ]
"SpybotDeletingB855"="command /c del C:\WINNT\system32\ramdkmlv.dll_old" [ ]
"SpybotDeletingD4156"="cmd /c del C:\WINNT\system32\ramdkmlv.dll_old" [ ]
"SpybotDeletingB6578"="command /c del C:\WINNT\system32\vsulrfwh.dll_old" [ ]
"SpybotDeletingD7888"="cmd /c del C:\WINNT\system32\vsulrfwh.dll_old" [ ]
"SpybotDeletingB7069"="command /c del C:\WINNT\system32\byXQICVl.dll" [ ]
"SpybotDeletingD9230"="cmd /c del C:\WINNT\system32\byXQICVl.dll" [ ]
"SpybotDeletingB3746"="command /c del C:\WINNT\system32\byXQICVl.dll" [ ]
"SpybotDeletingD2420"="cmd /c del C:\WINNT\system32\byXQICVl.dll" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe" [03-06-19 12:05 111376 C:\WINNT\system32\mobsync.exe]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [05-04-09 07:38 98304]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [05-04-09 07:38 151552]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [05-06-02 10:21 48752]
"vptray"="C:\PROGRA~1\SYMANT~1\SYMANT~2\VPTray.exe" [05-06-23 20:27 85696]
"DXM6Patch_981116"="C:\WINNT\p_981116.exe" [98-11-30 19:04 497376]
"LVComs"="C:\WINNT\system32\LVComS.exe" [99-07-08 21:22 94720]
"QUICKCARE"="C:\Program Files\Qwest\QuickCare\bin\sprtcmd.exe" [07-05-09 18:15 198800]
"Matrox Powerdesk"="C:\WINNT\system32\PDesk\PDesk.exe" [04-09-14 11:13 684032]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_12\bin\jusched.exe" [07-05-02 05:15 75520]
"SpyHunter Security Suite"="C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe" [08-01-23 15:47 847872]
"4c35af8b"="C:\WINNT\system32\vsulrfwh.dll" [ ]
"BM4f069c17"="C:\WINNT\system32\ramdkmlv.dll" [ ]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"^SetupICWDesktop"="C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe" [03-06-19 12:05 186640]

C:\Documents and Settings\Barb\Start Menu\Programs\Startup\
Webshots.lnk - C:\Program Files\Webshots\Launcher.exe [2005-04-27 21:05:55 45056]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 23:05:26 29696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"HIRsIrk1xU"= C:\Documents and Settings\All Users\Application Data\jujqpoxi\hkfudqre.exe

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\1]
Source= file:///C:\WINNT\privacy_danger\index.htm
FriendlyName= Privacy Protection

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"omlbpkaw"= {0240EF8F-C1C0-40DB-B76C-A939A81A0ADA} - C:\WINNT\omlbpkaw.dll [08-04-16 01:07 335872]
"pmsoarbf"= {8B8584AD-FF0C-42D7-A159-214F517F68FA} - C:\WINNT\pmsoarbf.dll [08-04-16 01:07 290816]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\opnlmlm]
opnlmlm.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\vtUlMfCs]
vtUlMfCs.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 C:\WINNT\system32\byXQICVl

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"OfotoNow USB Detection"=C:\WINNT\system32\RunDLL32.exe C:\PROGRA~1\Ofoto\OfotoNow\OFUSBS.DLL,WatchForConnection OfotoNow
"updateMgr"=C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_5 -reboot 1

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

R3 EL90BC;3Com EtherLink XL B/C Adapter Driver;C:\WINNT\system32\DRIVERS\el90xbc5.sys [99-10-23 05:22 ]
S3 CCCP106;CIF USB Camera (2110A);C:\WINNT\system32\DRIVERS\cccp106.sys [03-04-28 04:03 ]
S3 cwcspud3;Crystal SoundFusion(tm) SPuD3 Driver;C:\WINNT\system32\drivers\cwcspud3.sys [99-11-11 08:13 ]
S3 G200;G200;C:\WINNT\system32\DRIVERS\g200mini.sys [04-09-14 11:33 ]
S3 LVCam;Logitech USB Video Camera;C:\WINNT\system32\DRIVERS\LVCD.sys [99-07-08 21:21 ]
S3 mga64;mga64;C:\WINNT\system32\DRIVERS\mga64m.sys [99-11-29 10:47 ]
S3 Philipscam1;Philips 645 Digital Camera; Video;C:\WINNT\system32\DRIVERS\philcam1.sys []

.
Contents of the 'Scheduled Tasks' folder
"2008-03-17 11:00:00 C:\WINNT\Tasks\Disk Cleanup.job"
- C:\WINNT\System32\cleanmgr.exe
"2008-04-13 10:00:00 C:\WINNT\Tasks\Spybot - Search & Destroy - Scheduled Task.job"
- C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
"2007-01-13 10:14:40 C:\WINNT\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-18 08:44:38
Windows 5.0.2195 Service Pack 4 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************
.
Completion time: 2008-04-18 8:54:13 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-18 15:53:09

Pre-Run: 6,507,896,832 bytes free
Post-Run: 8,425,156,608 bytes free
.
2008-04-12 02:44:27 --- E O F ---

pskelley
2008-04-18, 22:45
Welcome to Safer Networking. I wish to be sure you have viewed and understood this information:
"BEFORE you POST" (READ this Procedure before Requesting Assistance)
http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.

Please read the directions posted at the top of the forum and pinned above, including this one:
http://forums.spybot.info/showthread.php?t=16806

Do NOT run 'fixes' before helpers have analyzed HJT/KAV scans

ComboFix is not a general-purpose cleaning tool. Please do not use this tool without supervision.
If you still need help, DO NOT run and post a Kaspersky Online Scan now until I request it; follow these directions:

Download Trend Micro Hijack This™
http://download.bleepingcomputer.com/hijackthis/HJTInstall.exe
Double-click the HJTInstall.exe to start it.
By default it will install HijackThis in the Program Files\Trendmicro folder and create a desktop shortcut.
HijackThis will open after install. Press the Scan button below.
This will start the scan and open a log.
Copy and paste the contents of the log in your next reply.

Thanks

guiseppe
2008-04-19, 06:17
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:16:20 PM, on 4/18/2008
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Symantec Client Security\Symantec Client Firewall\ISSVC.exe
C:\WINNT\system32\mgabg.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\System32\msdtc.exe
C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\SYMANT~2\VPTray.exe
C:\WINNT\system32\LVComS.exe
C:\WINNT\system32\PDesk\PDesk.exe
C:\Program Files\Java\jre1.5.0_12\bin\jusched.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\PROGRA~1\Webshots\webshots.scr
C:\WINNT\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DVA Storm - {53952518-97B4-4885-B7D6-3A274DB20792} - C:\WINNT\nslbvxpgagr.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Internet Service - {51D81DD5-55B7-497F-95DB-D356429BB54E} - C:\Program Files\NetProject\wamdl.dll (file missing)
O3 - Toolbar: sgoblxtm - {10BDE5C9-141F-4536-86D4-56883348BBA1} - C:\DOCUME~1\Barb\LOCALS~1\Temp\ac8zt2\sgoblxtm.dll (file missing)
O3 - Toolbar: qtvglped - {74E5E4E8-79DD-49AC-B64B-E74822D5F3CD} - C:\DOCUME~1\Barb\LOCALS~1\Temp\ac8zt2\qtvglped.dll (file missing)
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~2\VPTray.exe
O4 - HKLM\..\Run: [DXM6Patch_981116] C:\WINNT\p_981116.exe /Q:A
O4 - HKLM\..\Run: [LVComs] C:\WINNT\system32\LVComS.exe
O4 - HKLM\..\Run: [QUICKCARE] C:\Program Files\Qwest\QuickCare\bin\sprtcmd.exe /P QUICKCARE
O4 - HKLM\..\Run: [Matrox Powerdesk] C:\WINNT\system32\PDesk\PDesk.exe /Autolaunch
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_12\bin\jusched.exe"
O4 - HKLM\..\Run: [4c35af8b] rundll32.exe "C:\WINNT\system32\vsulrfwh.dll",b
O4 - HKLM\..\Run: [BM4f069c17] Rundll32.exe "C:\WINNT\system32\ramdkmlv.dll",s
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKLM\..\Policies\Explorer\Run: [HIRsIrk1xU] C:\Documents and Settings\All Users\Application Data\jujqpoxi\hkfudqre.exe
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Barb\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.Net\PartyPokerNet\RunPF.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.Net\PartyPokerNet\RunPF.exe (file missing)
O15 - Trusted Zone: www.ipns.com
O15 - Trusted Zone: *.myspace.com
O16 - DPF: Yahoo! Pool 2 - http://download2.games.yahoo.com/games/clients/y/poti_x.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {3107C2A8-9F0B-4404-A58B-21BD85268FBC} (PogoWebLauncher Control) - http://www.pogo.com/cdl/launcher/PogoWebLauncherInstaller.CAB
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - https://www-secure.symantec.com/techsupp/asa/ss/sa/sa_cabs/tgctlsr.cab
O16 - DPF: {483EB14D-AF1C-4951-81B0-4E2B41829FF6} (QOLCheck Control) - https://www.select2perform.com/cabs/QOLCheck.ocx
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1163037390546
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {D71F9A27-723E-4B8B-B428-B725E47CBA3E} - http://imikimi.com/download/imikimi_plugin.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://games.pogo.com/online2/pogo/bejeweled2/popcaploader_v6.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{35796278-225F-471F-BBE1-24CFCD88423B}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{5B058926-B5CB-481C-990E-F18E592C70EF}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{CF7899AD-122F-4132-8E6A-A451A31CBB0E}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O20 - Winlogon Notify: opnlmlm - opnlmlm.dll (file missing)
O20 - Winlogon Notify: vtUlMfCs - vtUlMfCs.dll (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Google Updater Service (gusvc) - Unknown owner - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (file missing)
O23 - Service: IS Service (ISSVC) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec Client Firewall\ISSVC.exe
O23 - Service: MGABGEXE - Matrox Graphics Inc. - C:\WINNT\system32\mgabg.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Symantec SecurePort (SymSecurePort) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
O24 - Desktop Component 0: (no name) - file:///C:/DOCUME~1/Barb/LOCALS~1/Temp/msohtml1/01/clip_image001.jpg
O24 - Desktop Component 1: Privacy Protection - file:///C:\WINNT\privacy_danger\index.htm

--
End of file - 10962 bytes

pskelley
2008-04-19, 09:21
Thanks for returning your HJT log. You are infected; I suggest you keep this computer offline except when troubleshooting, as the junk may download more. If you have any tool I use, delete it and download a fresh copy from the link I provide. Read and follow the directions carefully; the tools will not work unless you do.
You have several infections that are very nasty and can be hard to remove. One of them is normally removed before ComboFix is run for the Vundo infection. Do not expect this to be easy or fast. First I need some information; get that for me like this.

http://siri.geekstogo.com/SmitfraudFix.php <<< download Smitfraudfix from here and follow ONLY these directions.

Search:
Double-click SmitfraudFix.exe
Select 1 and hit Enter to create a report of the infected files. The report can be found at the root of the system drive, usually at C:\rapport.txt

Note: process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool". It is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/processutil/processutil.htm

Post only the C:\rapport.txt

Thanks

pskelley
2008-04-26, 11:13
Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team
a PM with the address of the thread. This applies only to the original topic starter.

If it has been five days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

If it has been less than five days since your last response and you need the thread re-opened, please send me or your helper a private message (pm). A valid, working link to the closed topic is required.

Everyone else please begin a New Topic.