Virtumonde [Archive] - Safer-Networking Forums

View Full Version : Virtumonde

Anaximenes

2008-04-30, 15:05

Hi all,

I've recently been infected with Virtumonde. As per requested, I've followed the instructions in the sticky thread, and below are my kaspersky and hijackthis logs. The kaspersky was done before I ran spybot repeatedly in safe mode, the hijackthis was done after.

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Monday, April 28, 2008 11:56:44 PM
Operating System: Microsoft Windows XP Home Edition, (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 28/04/2008
Kaspersky Anti-Virus database records: 729076
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\

Scan Statistics:
Total number of scanned objects: 57033
Number of viruses found: 19
Number of infected objects: 60
Number of suspicious objects: 0
Duration of the scan process: 03:01:42

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Documents and Settings\Jimmy\Application Data\AVG7\Log\emc.log Object is locked skipped
C:\Documents and Settings\Jimmy\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Jimmy\Desktop\All things\BHT 2.50\Utils\Misc utils\keyfinder\keyfinder.exe/data.rar/xpkey.exe Infected: not-a-virus:PSWTool.Win32.RAS.g skipped
C:\Documents and Settings\Jimmy\Desktop\All things\BHT 2.50\Utils\Misc utils\keyfinder\keyfinder.exe/data.rar/officekey.exe Infected: not-a-virus:PSWTool.Win32.RAS.a skipped
C:\Documents and Settings\Jimmy\Desktop\All things\BHT 2.50\Utils\Misc utils\keyfinder\keyfinder.exe/data.rar Infected: not-a-virus:PSWTool.Win32.RAS.a skipped
C:\Documents and Settings\Jimmy\Desktop\All things\BHT 2.50\Utils\Misc utils\keyfinder\keyfinder.exe RarSFX: infected - 3 skipped
C:\Documents and Settings\Jimmy\Desktop\All things\BHT 2.50\Utils\Pstools\pskill.exe Infected: not-a-virus:RiskTool.Win32.PsKill.k skipped
C:\Documents and Settings\Jimmy\Desktop\All things\bht_2.5.exe/BHT 2.50/Utils/Misc utils/keyfinder/keyfinder.exe/data.rar/xpkey.exe Infected: not-a-virus:PSWTool.Win32.RAS.g skipped
C:\Documents and Settings\Jimmy\Desktop\All things\bht_2.5.exe/BHT 2.50/Utils/Misc utils/keyfinder/keyfinder.exe/data.rar/officekey.exe Infected: not-a-virus:PSWTool.Win32.RAS.a skipped
C:\Documents and Settings\Jimmy\Desktop\All things\bht_2.5.exe/BHT 2.50/Utils/Misc utils/keyfinder/keyfinder.exe/data.rar Infected: not-a-virus:PSWTool.Win32.RAS.a skipped
C:\Documents and Settings\Jimmy\Desktop\All things\bht_2.5.exe/BHT 2.50/Utils/Misc utils/keyfinder/keyfinder.exe Infected: not-a-virus:PSWTool.Win32.RAS.a skipped
C:\Documents and Settings\Jimmy\Desktop\All things\bht_2.5.exe/BHT 2.50/Utils/Pstools/pskill.exe Infected: not-a-virus:RiskTool.Win32.PsKill.k skipped
C:\Documents and Settings\Jimmy\Desktop\All things\bht_2.5.exe Infected: not-a-virus:RiskTool.Win32.PsKill.k skipped
C:\Documents and Settings\Jimmy\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Jimmy\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Jimmy\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Jimmy\Local Settings\History\History.IE5\MSHist012008042820080429\index.dat Object is locked skipped
C:\Documents and Settings\Jimmy\Local Settings\Temp\AVP65E.tmp Object is locked skipped
C:\Documents and Settings\Jimmy\Local Settings\Temp\AVP65F.tmp Object is locked skipped
C:\Documents and Settings\Jimmy\Local Settings\Temp\snapsnet.exe/data0006 Infected: Trojan-Downloader.Win32.VB.ebd skipped
C:\Documents and Settings\Jimmy\Local Settings\Temp\snapsnet.exe NSIS: infected - 1 skipped
C:\Documents and Settings\Jimmy\Local Settings\Temp\yazzsnet.exe/data0003 Infected: Trojan.Win32.Scapur.k skipped
C:\Documents and Settings\Jimmy\Local Settings\Temp\yazzsnet.exe NSIS: infected - 1 skipped
C:\Documents and Settings\Jimmy\Local Settings\Temporary Internet Files\Content.IE5\EBOVRG54\CA8J4FMT Infected: not-a-virus:AdWare.Win32.Virtumonde.qrd skipped
C:\Documents and Settings\Jimmy\Local Settings\Temporary Internet Files\Content.IE5\GTU7WXAN\CAS9YNSD Infected: not-a-virus:AdWare.Win32.Virtumonde.qni skipped
C:\Documents and Settings\Jimmy\Local Settings\Temporary Internet Files\Content.IE5\I9H2VY1G\CAHG4711 Infected: not-a-virus:AdWare.Win32.Virtumonde.qrq skipped
C:\Documents and Settings\Jimmy\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Jimmy\Local Settings\Temporary Internet Files\Content.IE5\LWDLB5TJ\CA0PQ3GT Infected: not-a-virus:AdWare.Win32.Virtumonde.qrd skipped
C:\Documents and Settings\Jimmy\Local Settings\Temporary Internet Files\Content.IE5\LWDLB5TJ\CAYB8ZC3 Infected: not-a-virus:AdWare.Win32.Virtumonde.qrq skipped
C:\Documents and Settings\Jimmy\Local Settings\Temporary Internet Files\Content.IE5\SN5NIYN9\idkfa[1] Infected: not-a-virus:AdWare.Win32.Virtumonde.qrt skipped
C:\Documents and Settings\Jimmy\Local Settings\Temporary Internet Files\Content.IE5\VBLT1D5U\CA8NUVMP Infected: not-a-virus:AdWare.Win32.Virtumonde.qni skipped
C:\Documents and Settings\Jimmy\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Jimmy\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\System Volume Information\_restore{17AE6CD4-9FB6-47A5-B033-84538415D3B0}\RP287\A0073649.exe Infected: Trojan-Downloader.Win32.VB.ebd skipped
C:\System Volume Information\_restore{17AE6CD4-9FB6-47A5-B033-84538415D3B0}\RP287\A0073650.exe Infected: Trojan-Downloader.Win32.Homles.bj skipped
C:\System Volume Information\_restore{17AE6CD4-9FB6-47A5-B033-84538415D3B0}\RP287\A0073672.exe Object is locked skipped
C:\System Volume Information\_restore{17AE6CD4-9FB6-47A5-B033-84538415D3B0}\RP287\A0073673.exe/data0001 Infected: not-a-virus:AdWare.Win32.PurityScan.gp skipped
C:\System Volume Information\_restore{17AE6CD4-9FB6-47A5-B033-84538415D3B0}\RP287\A0073673.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{17AE6CD4-9FB6-47A5-B033-84538415D3B0}\RP287\A0073674.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.qni skipped
C:\System Volume Information\_restore{17AE6CD4-9FB6-47A5-B033-84538415D3B0}\RP287\A0074737.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.qni skipped
C:\System Volume Information\_restore{17AE6CD4-9FB6-47A5-B033-84538415D3B0}\RP287\A0074744.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.qni skipped
C:\System Volume Information\_restore{17AE6CD4-9FB6-47A5-B033-84538415D3B0}\RP287\A0074746.dll Infected: Packed.Win32.Monder.gen skipped
C:\System Volume Information\_restore{17AE6CD4-9FB6-47A5-B033-84538415D3B0}\RP287\A0074747.dll Infected: Packed.Win32.Monder.gen skipped
C:\System Volume Information\_restore{17AE6CD4-9FB6-47A5-B033-84538415D3B0}\RP287\A0074748.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.qni skipped
C:\System Volume Information\_restore{17AE6CD4-9FB6-47A5-B033-84538415D3B0}\RP287\A0074749.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.qni skipped
C:\System Volume Information\_restore{17AE6CD4-9FB6-47A5-B033-84538415D3B0}\RP287\A0074750.dll Infected: Packed.Win32.Monder.gen skipped
C:\System Volume Information\_restore{17AE6CD4-9FB6-47A5-B033-84538415D3B0}\RP287\A0074751.exe Infected: Trojan-Downloader.Win32.Homles.bj skipped
C:\System Volume Information\_restore{17AE6CD4-9FB6-47A5-B033-84538415D3B0}\RP287\A0074752.exe Infected: Trojan-Downloader.Win32.Homles.bj skipped
C:\System Volume Information\_restore{17AE6CD4-9FB6-47A5-B033-84538415D3B0}\RP287\A0074762.exe/data0005 Infected: Trojan.Win32.Obfuscated.en skipped
C:\System Volume Information\_restore{17AE6CD4-9FB6-47A5-B033-84538415D3B0}\RP287\A0074762.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{17AE6CD4-9FB6-47A5-B033-84538415D3B0}\RP287\A0074763.exe/data0009 Infected: not-a-virus:Server-Proxy.Win32.MarketScore.k skipped
C:\System Volume Information\_restore{17AE6CD4-9FB6-47A5-B033-84538415D3B0}\RP287\A0074763.exe Inno: infected - 1 skipped
C:\System Volume Information\_restore{17AE6CD4-9FB6-47A5-B033-84538415D3B0}\RP288\A0074788.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.qrd skipped
C:\System Volume Information\_restore{17AE6CD4-9FB6-47A5-B033-84538415D3B0}\RP288\A0074794.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.qrg skipped
C:\System Volume Information\_restore{17AE6CD4-9FB6-47A5-B033-84538415D3B0}\RP288\A0074795.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.qrg skipped
C:\System Volume Information\_restore{17AE6CD4-9FB6-47A5-B033-84538415D3B0}\RP288\A0074797.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.qrd skipped
C:\System Volume Information\_restore{17AE6CD4-9FB6-47A5-B033-84538415D3B0}\RP288\A0075850.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.qrq skipped
C:\System Volume Information\_restore{17AE6CD4-9FB6-47A5-B033-84538415D3B0}\RP288\change.log Object is locked skipped
C:\WINDOWS\Debug\oakley.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\amrmkeca.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.qrj skipped
C:\WINDOWS\system32\config\Antivirus.Evt Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\De2\bwa3ui.exe Object is locked skipped
C:\WINDOWS\system32\fccyyVPj.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.qrq skipped
C:\WINDOWS\system32\gqwxinww.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.qrj skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\jtxjxdgk.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.qri skipped
C:\WINDOWS\system32\mqdgkagx.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.qrt skipped
C:\WINDOWS\system32\nbgagpbe.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.qrt skipped
C:\WINDOWS\system32\omawtyan.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.qrj skipped
C:\WINDOWS\system32\pmquyiim.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.qri skipped
C:\WINDOWS\system32\pnVes01\pnVes011065.exe Infected: Trojan-Downloader.Win32.VB.ebd skipped
C:\WINDOWS\system32\pxaggmme.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.qrj skipped
C:\WINDOWS\system32\rqRIaYqN.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.qng skipped
C:\WINDOWS\system32\sxmtacti.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.qri skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\xpe\devdpll.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.am skipped
C:\WINDOWS\system32\xxywUMFV.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.qng skipped
C:\WINDOWS\system32\yayyYPjj.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.qng skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped

Scan process completed.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:59:37, on 30/04/2008
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\System32\mdm.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: (no name) - {5E172AED-A11D-49DA-8BD3-98637B2F0E79} - C:\WINDOWS\System32\wvUkIAQG.dll (file missing)
O2 - BHO: (no name) - {8482B00C-E1AC-4B73-92DB-91D03612965D} - C:\WINDOWS\System32\yayyXQjK.dll (file missing)
O2 - BHO: (no name) - {8C5BF77D-33EF-41E9-A09E-C0B8BECEA9CB} - C:\WINDOWS\System32\fccyyVPj.dll (file missing)
O2 - BHO: (no name) - {8F304139-2C85-476F-ACCE-8E225A36B400} - C:\WINDOWS\System32\vtUopQJc.dll (file missing)
O2 - BHO: (no name) - {A6C54318-5AC7-477D-B0A7-49AF5189300C} - C:\WINDOWS\System32\yayyYPjj.dll
O2 - BHO: (no name) - {DC293603-208E-44AD-8E81-DF560D05C917} - C:\WINDOWS\System32\hgGwWNfg.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {DE9C389F-3316-41A7-809B-AA305ED9D922} - (no file)
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [b04060cc] rundll32.exe "C:\WINDOWS\System32\rhhmobfm.dll",b
O4 - HKLM\..\Run: [BMb3735350] Rundll32.exe "C:\WINDOWS\System32\mqdgkagx.dll",s
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - AutorunsDisabled - (no file)
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.wanadoo.co.uk
O15 - Trusted Zone: *.gomyhit.com
O15 - Trusted Zone: *.imageservr.com
O15 - Trusted Zone: *.imagesrvr.com
O15 - Trusted Zone: *.storageguardsoft.com
O15 - Trusted Zone: *.gomyhit.com (HKLM)
O15 - Trusted Zone: *.imageservr.com (HKLM)
O15 - Trusted Zone: *.imagesrvr.com (HKLM)
O15 - Trusted Zone: *.storageguardsoft.com (HKLM)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{42F7EAF4-6A31-465F-B5BE-F763AA80DC32}: NameServer = 195.92.195.95 195.92.195.94
O20 - Winlogon Notify: yayyYPjj - C:\WINDOWS\SYSTEM32\yayyYPjj.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

--
End of file - 5127 bytes

pskelley

2008-04-30, 17:33

Welcome to Safer Networking, I wish to be sure you have viewed and understand this information.
"BEFORE you POST" (READ this Procedure before Requesting Assistance)
http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.

Looks like you missed this information:
http://forums.spybot.info/showthread.php?t=425

Update Your Windows XP.
You are currently using an unpatched version of Windows XP.
Before attempting to remove malware, it is CRITICAL that you update to Service Pack 1a.
Get SP1a here : http://www.microsoft.com/windowsxp/downloads/updates/sp1/default.mspx
You should also get SP2, but NOT NOW, rather only after your machine is clean.
After updating your Windows to SP1a, post a new HijackThis log please, using the Post Reply button.

Thanks

Anaximenes

2008-04-30, 18:49

Thanks for the response psKelley! I'm sorry, I guess I did miss the thing about SPs.

I've installed SP1a, here's the new HJT log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:47:26, on 30/04/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\msiexec.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {DE9C389F-3316-41A7-809B-AA305ED9D922} - (no file)
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [b04060cc] rundll32.exe "C:\WINDOWS\System32\hnhmnorb.dll",b
O4 - HKLM\..\Run: [BMb3735350] Rundll32.exe "C:\WINDOWS\System32\mqdgkagx.dll",s
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - AutorunsDisabled - (no file)
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.wanadoo.co.uk
O15 - Trusted Zone: *.gomyhit.com
O15 - Trusted Zone: *.imageservr.com
O15 - Trusted Zone: *.imagesrvr.com
O15 - Trusted Zone: *.storageguardsoft.com
O15 - Trusted Zone: *.gomyhit.com (HKLM)
O15 - Trusted Zone: *.imageservr.com (HKLM)
O15 - Trusted Zone: *.imagesrvr.com (HKLM)
O15 - Trusted Zone: *.storageguardsoft.com (HKLM)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{42F7EAF4-6A31-465F-B5BE-F763AA80DC32}: NameServer = 195.92.195.94 195.92.195.95
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

--
End of file - 4229 bytes

pskelley

2008-04-30, 18:58

You are infected, I suggest you keep this computer offline except when troubleshooting, the junk may download more. If you have any tool I use, delete it and download it new from the link I provide. Read and follow the directions carefully, the tools will not work unless you do.
This can be a tough infection to remove so do not expect fast or easy.

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe <<< return here and rename HJT, call it Anaximenes.exe that will work. The hackers hide their junk from HJT and after a restart we may see the infection.

Remove any old copies of combofix before you proceed.

Thanks to sUBs and anyone else who helped with this fix.

It is important that it is saved directly to your Desktop

Download ComboFix from Here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) to your Desktop

Double click combofix.exe and follow the prompts.
When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply

Note: Do not mouseclick combofix's window while its running. That may cause it to stall

Post the combofix log and a new HJT log.

Tutorial if needed:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Thanks

Anaximenes

2008-04-30, 19:41

As requested:

ComboFix 08-04-29.5 - Jimmy 2008-04-30 17:07:01.1 - NTFSx86
Running from: C:\Documents and Settings\Jimmy\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\WINDOWS\cookies.ini
C:\WINDOWS\pskt.ini
C:\WINDOWS\system\msvbvm60.dll
C:\WINDOWS\system32\bronmhnh.ini
C:\WINDOWS\system32\cJQpoUtv.ini
C:\WINDOWS\system32\cJQpoUtv.ini2
C:\WINDOWS\system32\gfNWwGgh.ini
C:\WINDOWS\system32\gfNWwGgh.ini2
C:\WINDOWS\system32\GQAIkUvw.ini
C:\WINDOWS\system32\GQAIkUvw.ini2
C:\WINDOWS\system32\hnhmnorb.dll
C:\WINDOWS\system32\jPVyyccf.ini
C:\WINDOWS\system32\jPVyyccf.ini2
C:\WINDOWS\system32\KjQXyyay.ini
C:\WINDOWS\system32\KjQXyyay.ini2
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\mfbomhhr.ini
C:\WINDOWS\system32\mTwHQXyb.ini
C:\WINDOWS\system32\mTwHQXyb.ini2
C:\WINDOWS\system32\naytwamo.ini
C:\WINDOWS\system32\nnnnMEur.dll
C:\WINDOWS\system32\nTutttwa.ini
C:\WINDOWS\system32\nTutttwa.ini2
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\rqRIaYqN.dll
C:\WINDOWS\system32\ruEMnnnn.ini
C:\WINDOWS\system32\ruEMnnnn.ini2
C:\WINDOWS\system32\sCddgMoq.ini
C:\WINDOWS\system32\sCddgMoq.ini2
C:\WINDOWS\system32\uaemgswp.dll
C:\WINDOWS\system32\xxywUMFV.dll
C:\WINDOWS\system32\yayyYPjj.dll

.
((((((((((((((((((((((((( Files Created from 2008-03-28 to 2008-04-30 )))))))))))))))))))))))))))))))
.

2008-04-30 17:23 . 2008-04-30 17:23 <DIR> d---s---- C:\WINDOWS\system32\Microsoft
2008-04-30 16:30 . 2008-04-30 16:30 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2008-04-30 16:30 . 2008-04-30 16:30 <DIR> d-------- C:\WINDOWS\ehome
2008-04-30 16:21 . 2002-08-29 11:41 3,494,303 --a------ C:\WINDOWS\system32\nv4_disp.dll
2008-04-30 16:20 . 2002-08-29 11:41 1,622,528 --a------ C:\WINDOWS\system32\netshell.dll
2008-04-30 16:17 . 2002-04-23 02:18 766,934 --a------ C:\WINDOWS\system32\instcat.sql
2008-04-30 16:16 . 2002-08-29 11:41 1,004,032 --a------ C:\WINDOWS\explorer.exe
2008-04-30 16:15 . 2002-08-29 11:40 1,172,992 --a------ C:\WINDOWS\system32\comsvcs.dll
2008-04-30 12:58 . 2008-04-30 12:58 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-28 18:09 . 2008-04-28 18:09 294 --ahs---- C:\WINDOWS\system32\acekmrma.ini
2008-04-28 15:19 . 2008-04-28 18:07 354 --ahs---- C:\WINDOWS\system32\emmggaxp.ini
2008-04-28 14:27 . 2008-04-28 14:27 294 --ahs---- C:\WINDOWS\system32\wwnixwqg.ini
2008-04-24 21:56 . 2008-04-24 21:57 <DIR> d-------- C:\Documents and Settings\Administrator
2008-04-24 21:56 . 2008-04-30 17:06 1,024 --ah----- C:\Documents and Settings\Administrator\ntuser.dat.LOG
2008-04-24 18:54 . 2008-04-24 18:54 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-04-24 18:54 . 2008-04-24 18:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-04-24 18:13 . 2008-04-24 18:13 <DIR> d-------- C:\Documents and Settings\Jimmy\Application Data\Talkback
2008-04-24 17:16 . 2008-04-29 19:18 109,738 --a------ C:\WINDOWS\BMb3735350.xml
2008-04-24 17:07 . 2008-04-29 23:14 1,889 --a------ C:\WINDOWS\wininit.ini
2008-04-23 21:35 . 2008-04-23 21:35 <DIR> d-------- C:\WINDOWS\system32\xpe
2008-04-23 21:35 . 2008-04-23 21:35 <DIR> d-------- C:\WINDOWS\system32\pnVes01
2008-04-23 21:35 . 2008-04-23 21:35 <DIR> d-------- C:\WINDOWS\system32\De2
2008-04-23 21:35 . 2008-04-23 21:35 <DIR> d-------- C:\Temp\zvebs14
2008-04-23 21:35 . 2008-04-23 21:35 <DIR> d-------- C:\Temp\kvebs14
2008-04-23 21:35 . 2008-04-30 17:08 <DIR> d-------- C:\Temp
2008-03-17 16:03 . 2008-03-17 16:03 <DIR> d-------- C:\Program Files\Alwil Software
2008-03-17 14:03 . 2008-03-17 14:02 691,545 --a------ C:\WINDOWS\unins000.exe
2008-03-17 14:03 . 2008-03-17 14:03 2,540 --a------ C:\WINDOWS\unins000.dat
2008-03-15 20:59 . 2008-03-15 20:59 <DIR> d-------- C:\LEMMINGS
2008-03-15 20:59 . 1994-08-24 01:00 188,960 --a------ C:\WINDOWS\system\WINGDE.DLL
2008-03-15 20:59 . 1994-09-21 01:00 92,208 --a------ C:\WINDOWS\system\WING.DLL
2008-03-15 20:59 . 1994-09-21 01:00 12,800 --a------ C:\WINDOWS\system32\WING32.DLL
2008-03-15 20:59 . 1994-09-21 01:00 6,736 --a------ C:\WINDOWS\system\WINGDIB.DRV
2008-03-15 20:59 . 1994-09-21 01:00 5,024 --a------ C:\WINDOWS\system\WINGPAL.WND
2008-03-15 20:59 . 2008-03-17 22:42 322 --a------ C:\WINDOWS\winlemm.ini
2008-03-14 01:04 . 2008-03-14 01:04 244 --ah----- C:\sqmnoopt03.sqm
2008-03-14 01:04 . 2008-03-14 01:04 232 --ah----- C:\sqmdata03.sqm

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-05 17:07 --------- d-----w C:\Documents and Settings\Jimmy\Application Data\BitTorrent
2008-03-20 01:07 --------- d-----w C:\Program Files\JazzWare
2008-03-18 21:51 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-03-17 14:27 --------- d-----w C:\Documents and Settings\Jimmy\Application Data\DNA
2008-03-17 13:06 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2007-11-08 22:14 63,608 ----a-w C:\Documents and Settings\Jimmy\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5E172AED-A11D-49DA-8BD3-98637B2F0E79}]
C:\WINDOWS\System32\wvUkIAQG.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8482B00C-E1AC-4B73-92DB-91D03612965D}]
C:\WINDOWS\System32\yayyXQjK.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8C5BF77D-33EF-41E9-A09E-C0B8BECEA9CB}]
C:\WINDOWS\System32\fccyyVPj.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8F304139-2C85-476F-ACCE-8E225A36B400}]
C:\WINDOWS\System32\vtUopQJc.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{DC293603-208E-44AD-8E81-DF560D05C917}]
C:\WINDOWS\System32\hgGwWNfg.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AIM"="C:\Program Files\AIM\aim.exe" [2004-08-10 16:37 61440]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [2008-01-19 12:55 579072]
"AVG7_EMC"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe" [2008-01-19 12:55 406528]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 14:00 79224]
"BMb3735350"="C:\WINDOWS\System32\mqdgkagx.dll" [ ]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe" [2007-12-12 21:18 219136]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\yayyYPjj]
yayyYPjj.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
--a------ 2004-08-10 16:37 61440 C:\PROGRA~1\AIM\aim.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2006-06-14 16:24 278528 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2006-07-18 14:09 282624 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"helpsvc"=2 (0x2)
"FastUserSwitchingCompatibility"=3 (0x3)
"iPodService"=3 (0x3)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"BitTorrent DNA"="C:\Program Files\DNA\btdna.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"SpeedTouch USB Diagnostics"="C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\BitTorrent\\bittorrent.exe"=

.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-30 17:26:49
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\wdfmgr.exe
.
**************************************************************************
.
Completion time: 2008-04-30 17:36:40 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-30 16:36:31

Pre-Run: 39,801,380,864 bytes free
Post-Run: 40,618,496,000 bytes free

161

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:39:21, on 30/04/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\System32\taskmgr.exe
C:\Program Files\Trend Micro\HijackThis\Anaximenes.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: (no name) - {5E172AED-A11D-49DA-8BD3-98637B2F0E79} - C:\WINDOWS\System32\wvUkIAQG.dll (file missing)
O2 - BHO: (no name) - {8482B00C-E1AC-4B73-92DB-91D03612965D} - C:\WINDOWS\System32\yayyXQjK.dll (file missing)
O2 - BHO: (no name) - {8C5BF77D-33EF-41E9-A09E-C0B8BECEA9CB} - C:\WINDOWS\System32\fccyyVPj.dll (file missing)
O2 - BHO: (no name) - {8F304139-2C85-476F-ACCE-8E225A36B400} - C:\WINDOWS\System32\vtUopQJc.dll (file missing)
O2 - BHO: (no name) - {DC293603-208E-44AD-8E81-DF560D05C917} - C:\WINDOWS\System32\hgGwWNfg.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {DE9C389F-3316-41A7-809B-AA305ED9D922} - (no file)
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [BMb3735350] Rundll32.exe "C:\WINDOWS\System32\mqdgkagx.dll",s
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - AutorunsDisabled - (no file)
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.wanadoo.co.uk
O15 - Trusted Zone: *.gomyhit.com
O15 - Trusted Zone: *.imageservr.com
O15 - Trusted Zone: *.imagesrvr.com
O15 - Trusted Zone: *.storageguardsoft.com
O15 - Trusted Zone: *.gomyhit.com (HKLM)
O15 - Trusted Zone: *.imageservr.com (HKLM)
O15 - Trusted Zone: *.imagesrvr.com (HKLM)
O15 - Trusted Zone: *.storageguardsoft.com (HKLM)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O20 - Winlogon Notify: yayyYPjj - yayyYPjj.dll (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

--
End of file - 4867 bytes

pskelley

2008-04-30, 20:18

Thanks for returning your information, proceed carefully and in the numbered order.

1) You have evidence of two antivirus programs running, this is not a good thing, see this:
http://service1.symantec.com/SUPPORT/nav.nsf/docid/2000031316555206
"Microsoft recommends that you have only one anti-virus program installed on your computer."
http://www.washingtonpost.com/wp-dyn/content/article/2005/12/03/AR2005120300087.html
http://www.smartcomputing.com/editorial/article.asp?article=articles/2003/s1407/38s07/38s07.asp

C:\Program Files\Alwil Software\Avast4\
C:\PROGRAM FILES~1\Grisoft\AVGFRE~1\
(uninstall one of those)

2) How to make files and folders visible:
Click Start > Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm. Click OK.
You may reverse this for safety when we are finished.

3) Please download ATF Cleaner by Atribune
http://www.atribune.org/public-beta/ATF-Cleaner.exe
Save it to your Desktop. We will use this later.

4) Open notepad and copy/paste the text in the codebox below into it:

File::
C:\WINDOWS\System32\mqdgkagx.dll
C:\WINDOWS\system32\acekmrma.ini
C:\WINDOWS\system32\emmggaxp.ini
C:\WINDOWS\system32\wwnixwqg.ini

Save this as CFScript

http://i24.photobucket.com/albums/c30/ken545/CFScript.gif

Referring to the picture above, drag CFScript into ComboFix.exe.

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

5) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: (no name) - {5E172AED-A11D-49DA-8BD3-98637B2F0E79} - C:\WINDOWS\System32\wvUkIAQG.dll (file missing)
O2 - BHO: (no name) - {8482B00C-E1AC-4B73-92DB-91D03612965D} - C:\WINDOWS\System32\yayyXQjK.dll (file missing)
O2 - BHO: (no name) - {8C5BF77D-33EF-41E9-A09E-C0B8BECEA9CB} - C:\WINDOWS\System32\fccyyVPj.dll (file missing)
O2 - BHO: (no name) - {8F304139-2C85-476F-ACCE-8E225A36B400} - C:\WINDOWS\System32\vtUopQJc.dll (file missing)
O2 - BHO: (no name) - {DC293603-208E-44AD-8E81-DF560D05C917} - C:\WINDOWS\System32\hgGwWNfg.dll (file missing)
O3 - Toolbar: (no name) - {DE9C389F-3316-41A7-809B-AA305ED9D922} - (no file)
O4 - HKLM\..\Run: [BMb3735350] Rundll32.exe "C:\WINDOWS\System32\mqdgkagx.dll",s
O15 - Trusted Zone: *.gomyhit.com
O15 - Trusted Zone: *.imageservr.com
O15 - Trusted Zone: *.imagesrvr.com
O15 - Trusted Zone: *.storageguardsoft.com
O15 - Trusted Zone: *.gomyhit.com (HKLM)
O15 - Trusted Zone: *.imageservr.com (HKLM)
O15 - Trusted Zone: *.imagesrvr.com (HKLM)
O15 - Trusted Zone: *.storageguardsoft.com (HKLM)
O20 - Winlogon Notify: yayyYPjj - yayyYPjj.dll (file missing)

Close all programs but HJT and all browser windows, then click on "Fix Checked"

6) Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.

Restart and post the combofix log, a new HJT log and tell me how the computer is running.

Thanks

Anaximenes

2008-04-30, 21:05

Thanks so much, pskelley! I've done as you said - the computer seems to be running fine, and Rundll and its friends don't seem to have showed up post-reboot. I have noticed a couple of new things in my process list in task manager though (which I checked to see if Rundll & Co. were present), these are "wuauclt.exe" and "alg.exe". Are those meant to be there?

Anyway, here are the logs:

ComboFix 08-04-29.5 - Jimmy 2008-04-30 18:36:01.2 - NTFSx86
Running from: C:\Documents and Settings\Jimmy\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Jimmy\Desktop\cfscript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\system32\acekmrma.ini
C:\WINDOWS\system32\emmggaxp.ini
C:\WINDOWS\System32\mqdgkagx.dll
C:\WINDOWS\system32\wwnixwqg.ini
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\acekmrma.ini
C:\WINDOWS\system32\emmggaxp.ini
C:\WINDOWS\system32\wwnixwqg.ini

.
((((((((((((((((((((((((( Files Created from 2008-03-28 to 2008-04-30 )))))))))))))))))))))))))))))))
.

2008-04-30 18:32 . 2008-04-30 18:32 <DIR> d-------- C:\WINDOWS\LastGood
2008-04-30 18:32 . 2007-07-30 19:18 34,136 --a------ C:\WINDOWS\system32\wucltui.dll.mui
2008-04-30 18:32 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuaucpl.cpl.mui
2008-04-30 18:32 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuapi.dll.mui
2008-04-30 18:32 . 2007-07-30 19:18 20,312 --a------ C:\WINDOWS\system32\wuaueng.dll.mui
2008-04-30 17:23 . 2008-04-30 17:23 <DIR> d---s---- C:\WINDOWS\system32\Microsoft
2008-04-30 16:30 . 2008-04-30 16:30 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2008-04-30 16:30 . 2008-04-30 16:30 <DIR> d-------- C:\WINDOWS\ehome
2008-04-30 16:21 . 2002-08-29 11:41 3,494,303 --a------ C:\WINDOWS\system32\nv4_disp.dll
2008-04-30 16:20 . 2002-08-29 11:41 1,622,528 --a------ C:\WINDOWS\system32\netshell.dll
2008-04-30 16:17 . 2002-04-23 02:18 766,934 --a------ C:\WINDOWS\system32\instcat.sql
2008-04-30 16:16 . 2002-08-29 11:41 1,004,032 --a------ C:\WINDOWS\explorer.exe
2008-04-30 16:15 . 2002-08-29 11:40 1,172,992 --a------ C:\WINDOWS\system32\comsvcs.dll
2008-04-30 12:58 . 2008-04-30 12:58 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-24 21:56 . 2008-04-24 21:57 <DIR> d-------- C:\Documents and Settings\Administrator
2008-04-24 21:56 . 2008-04-30 18:33 1,024 --ah----- C:\Documents and Settings\Administrator\ntuser.dat.LOG
2008-04-24 18:54 . 2008-04-24 18:54 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-04-24 18:54 . 2008-04-24 18:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-04-24 18:13 . 2008-04-24 18:13 <DIR> d-------- C:\Documents and Settings\Jimmy\Application Data\Talkback
2008-04-24 17:16 . 2008-04-29 19:18 109,738 --a------ C:\WINDOWS\BMb3735350.xml
2008-04-24 17:07 . 2008-04-29 23:14 1,889 --a------ C:\WINDOWS\wininit.ini
2008-04-23 21:35 . 2008-04-23 21:35 <DIR> d-------- C:\WINDOWS\system32\xpe
2008-04-23 21:35 . 2008-04-23 21:35 <DIR> d-------- C:\WINDOWS\system32\pnVes01
2008-04-23 21:35 . 2008-04-23 21:35 <DIR> d-------- C:\WINDOWS\system32\De2
2008-04-23 21:35 . 2008-04-23 21:35 <DIR> d-------- C:\Temp\zvebs14
2008-04-23 21:35 . 2008-04-23 21:35 <DIR> d-------- C:\Temp\kvebs14
2008-04-23 21:35 . 2008-04-30 17:08 <DIR> d-------- C:\Temp
2008-03-17 16:03 . 2008-03-17 16:03 <DIR> d-------- C:\Program Files\Alwil Software
2008-03-17 14:03 . 2008-03-17 14:02 691,545 --a------ C:\WINDOWS\unins000.exe
2008-03-17 14:03 . 2008-03-17 14:03 2,540 --a------ C:\WINDOWS\unins000.dat
2008-03-15 20:59 . 2008-03-15 20:59 <DIR> d-------- C:\LEMMINGS
2008-03-15 20:59 . 1994-08-24 01:00 188,960 --a------ C:\WINDOWS\system\WINGDE.DLL
2008-03-15 20:59 . 1994-09-21 01:00 92,208 --a------ C:\WINDOWS\system\WING.DLL
2008-03-15 20:59 . 1994-09-21 01:00 12,800 --a------ C:\WINDOWS\system32\WING32.DLL
2008-03-15 20:59 . 1994-09-21 01:00 6,736 --a------ C:\WINDOWS\system\WINGDIB.DRV
2008-03-15 20:59 . 1994-09-21 01:00 5,024 --a------ C:\WINDOWS\system\WINGPAL.WND
2008-03-15 20:59 . 2008-03-17 22:42 322 --a------ C:\WINDOWS\winlemm.ini
2008-03-14 01:04 . 2008-03-14 01:04 244 --ah----- C:\sqmnoopt03.sqm
2008-03-14 01:04 . 2008-03-14 01:04 232 --ah----- C:\sqmdata03.sqm

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-05 17:07 --------- d-----w C:\Documents and Settings\Jimmy\Application Data\BitTorrent
2008-03-20 01:07 --------- d-----w C:\Program Files\JazzWare
2008-03-18 21:51 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-03-17 14:27 --------- d-----w C:\Documents and Settings\Jimmy\Application Data\DNA
2008-03-17 13:06 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2007-11-08 22:14 63,608 ----a-w C:\Documents and Settings\Jimmy\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((( snapshot@2008-04-30_17.35.59.22 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-04-30 16:24:28 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-04-30 17:27:41 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2005-05-26 04:16:24 75,544 ----a-w C:\WINDOWS\LastGood\System32\cdm.dll
+ 2005-05-26 04:16:30 465,176 ----a-w C:\WINDOWS\LastGood\System32\wuapi.dll
+ 2005-05-26 04:16:30 124,184 ----a-w C:\WINDOWS\LastGood\System32\wuauclt.exe
+ 2005-05-26 04:16:30 1,343,768 ----a-w C:\WINDOWS\LastGood\System32\wuaueng.dll
+ 2005-05-26 04:16:30 127,256 ----a-w C:\WINDOWS\LastGood\System32\wucltui.dll
+ 2005-05-26 04:16:30 41,240 ----a-w C:\WINDOWS\LastGood\System32\wups.dll
+ 2005-05-26 04:16:30 18,200 ----a-w C:\WINDOWS\LastGood\System32\wups2.dll
+ 2005-05-26 04:16:30 173,536 ----a-w C:\WINDOWS\LastGood\System32\wuweb.dll
- 2005-05-26 04:16:24 75,544 ----a-w C:\WINDOWS\system32\cdm.dll
+ 2007-07-30 18:19:20 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
- 2005-05-26 04:16:24 75,544 -c--a-w C:\WINDOWS\system32\dllcache\cdm.dll
+ 2007-07-30 18:19:20 92,504 -c--a-w C:\WINDOWS\system32\dllcache\cdm.dll
- 2005-05-26 04:16:30 124,184 -c--a-w C:\WINDOWS\system32\dllcache\wuauclt.exe
+ 2007-07-30 18:19:16 53,080 -c--a-w C:\WINDOWS\system32\dllcache\wuauclt.exe
- 2005-05-26 04:16:30 1,343,768 -c--a-w C:\WINDOWS\system32\dllcache\wuaueng.dll
+ 2007-07-30 18:19:42 1,712,984 -c--a-w C:\WINDOWS\system32\dllcache\wuaueng.dll
- 2008-04-30 15:43:57 39,992 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-04-30 17:30:22 39,992 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-04-30 15:43:57 311,604 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-04-30 17:30:22 311,604 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2007-07-30 18:18:40 33,624 ----a-w C:\WINDOWS\system32\SoftwareDistribution\Setup\ServiceStartup\wups.dll\7.0.6000.381\wups.dll
+ 2007-07-30 18:19:12 43,352 ----a-w C:\WINDOWS\system32\SoftwareDistribution\Setup\ServiceStartup\wups2.dll\7.0.6000.381\wups2.dll
- 2005-05-26 04:16:30 465,176 ----a-w C:\WINDOWS\system32\wuapi.dll
+ 2007-07-30 18:19:36 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
- 2005-05-26 04:16:30 124,184 ----a-w C:\WINDOWS\system32\wuauclt.exe
+ 2007-07-30 18:19:16 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
- 2005-05-26 04:16:30 1,343,768 ----a-w C:\WINDOWS\system32\wuaueng.dll
+ 2007-07-30 18:19:42 1,712,984 ----a-w C:\WINDOWS\system32\wuaueng.dll
- 2005-05-26 04:16:30 127,256 ----a-w C:\WINDOWS\system32\wucltui.dll
+ 2007-07-30 18:19:32 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
- 2005-05-26 04:16:30 173,536 ----a-w C:\WINDOWS\system32\wuweb.dll
+ 2007-07-30 18:19:28 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
- 2008-04-30 16:25:01 16,384 ----atw C:\WINDOWS\TEMP\Perflib_Perfdata_370.dat
+ 2008-04-30 17:28:44 16,384 ----atw C:\WINDOWS\TEMP\Perflib_Perfdata_370.dat
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5E172AED-A11D-49DA-8BD3-98637B2F0E79}]
C:\WINDOWS\System32\wvUkIAQG.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8482B00C-E1AC-4B73-92DB-91D03612965D}]
C:\WINDOWS\System32\yayyXQjK.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8C5BF77D-33EF-41E9-A09E-C0B8BECEA9CB}]
C:\WINDOWS\System32\fccyyVPj.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8F304139-2C85-476F-ACCE-8E225A36B400}]
C:\WINDOWS\System32\vtUopQJc.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{DC293603-208E-44AD-8E81-DF560D05C917}]
C:\WINDOWS\System32\hgGwWNfg.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AIM"="C:\Program Files\AIM\aim.exe" [2004-08-10 16:37 61440]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 14:00 79224]
"BMb3735350"="C:\WINDOWS\System32\mqdgkagx.dll" [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\yayyYPjj]
yayyYPjj.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
--a------ 2004-08-10 16:37 61440 C:\PROGRA~1\AIM\aim.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2006-06-14 16:24 278528 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2006-07-18 14:09 282624 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"helpsvc"=2 (0x2)
"FastUserSwitchingCompatibility"=3 (0x3)
"iPodService"=3 (0x3)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"BitTorrent DNA"="C:\Program Files\DNA\btdna.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"SpeedTouch USB Diagnostics"="C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\BitTorrent\\bittorrent.exe"=

*Newly Created Service* - ALG
*Newly Created Service* - CATCHME
*Newly Created Service* - IPNAT
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-30 18:40:52
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-04-30 18:47:54
ComboFix-quarantined-files.txt 2008-04-30 17:47:49
ComboFix2.txt 2008-04-30 16:36:42

Pre-Run: 40,654,737,408 bytes free
Post-Run: 40,647,315,456 bytes free

171

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:01:32, on 30/04/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\Anaximenes.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - AutorunsDisabled - (no file)
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.wanadoo.co.uk
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

--
End of file - 2819 bytes

pskelley

2008-04-30, 21:40

Thanks for returning your information and the feedback. Use http://www.google.com/
when you need information like that;
wuauclt.exe > http://www.liutilities.com/products/wintaskspro/processlibrary/wuauclt/
alg.exe > http://www.liutilities.com/products/wintaskspro/processlibrary/alg/
If there is doubt, use a free scanner like: http://virusscan.jotti.org/

Looks like you kept Avast and removed AVG. I do not see Avast in running programs, check to make sure there are no problems. Make sure it is running and update the program to make sure it is updating properly, then run a system scan to make sure it is scanning properly.

Remove combofix and the C:\Qoobox\Quarantine\ folder, then run a new Kaspersky Online Scan. I need to see what is left to resolve. Please use these settings:

* The program will launch and then begin downloading the latest definition files:
* Once the files have been downloaded click on NEXT
* Now click on Scan Settings
* In the scan settings make that the following are selected:
* Scan using the following Anti-Virus database:
* Standard
* Scan Options:
* Scan Archives
* Scan Mail Bases
* Click OK
* Now under select a target to scan:
* Select My Computer
* This will program will start and scan your system.
* The scan will take a while so be patient and let it run.
* Once the scan is complete it will display if your system has been infected.
* Now click on the Save as Text button:
* Save the file to your desktop.

Then post it here.

Thanks...Phil

Anaximenes

2008-05-01, 00:59

Avast is working fine as far as I can see, I closed all the stuff running in the system tray before the scan because it said to close other applications (or something along those lines) explaining why it wasn't in running proccesses).

Anyway, got rid of combobox and the quarantine folder.

Here's my new Kaspersky log:

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Wednesday, April 30, 2008 10:56:30 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 1 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 30/04/2008
Kaspersky Anti-Virus database records: 655650
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\

Scan Statistics:
Total number of scanned objects: 57499
Number of viruses found: 6
Number of infected objects: 42
Number of suspicious objects: 0
Duration of the scan process: 02:38:58

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\Jimmy\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Jimmy\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Jimmy\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Jimmy\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Jimmy\Local Settings\History\History.IE5\MSHist012008043020080501\index.dat Object is locked skipped
C:\Documents and Settings\Jimmy\Local Settings\Temp\AVP620.tmp Object is locked skipped
C:\Documents and Settings\Jimmy\Local Settings\Temp\AVP621.tmp Object is locked skipped
C:\Documents and Settings\Jimmy\Local Settings\Temp\AVP835.tmp Object is locked skipped
C:\Documents and Settings\Jimmy\Local Settings\Temp\AVP836.tmp Object is locked skipped
C:\Documents and Settings\Jimmy\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Jimmy\Local Settings\Temporary Internet Files\Content.IE5\OD2ROL2V\2DB0EAF9379295CD196CA226A4D216[1].jpg Object is locked skipped
C:\Documents and Settings\Jimmy\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Jimmy\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\System Volume Information\_restore{17AE6CD4-9FB6-47A5-B033-84538415D3B0}\RP287\A0073649.exe Infected: Trojan-Downloader.Win32.VB.ebd skipped
C:\System Volume Information\_restore{17AE6CD4-9FB6-47A5-B033-84538415D3B0}\RP287\A0073650.exe Infected: Trojan-Downloader.Win32.Homles.bj skipped
C:\System Volume Information\_restore{17AE6CD4-9FB6-47A5-B033-84538415D3B0}\RP287\A0073672.exe Infected: Trojan.Win32.Scapur.k skipped
C:\System Volume Information\_restore{17AE6CD4-9FB6-47A5-B033-84538415D3B0}\RP287\A0073674.dll Infected: Packed.Win32.Monder.gen skipped
C:\System Volume Information\_restore{17AE6CD4-9FB6-47A5-B033-84538415D3B0}\RP287\A0074737.dll Infected: Packed.Win32.Monder.gen skipped
C:\System Volume Information\_restore{17AE6CD4-9FB6-47A5-B033-84538415D3B0}\RP287\A0074744.dll Infected: Packed.Win32.Monder.gen skipped
C:\System Volume Information\_restore{17AE6CD4-9FB6-47A5-B033-84538415D3B0}\RP287\A0074746.dll Infected: Packed.Win32.Monder.gen skipped
C:\System Volume Information\_restore{17AE6CD4-9FB6-47A5-B033-84538415D3B0}\RP287\A0074747.dll Infected: Packed.Win32.Monder.gen skipped
C:\System Volume Information\_restore{17AE6CD4-9FB6-47A5-B033-84538415D3B0}\RP287\A0074748.dll Infected: Packed.Win32.Monder.gen skipped
C:\System Volume Information\_restore{17AE6CD4-9FB6-47A5-B033-84538415D3B0}\RP287\A0074749.dll Infected: Packed.Win32.Monder.gen skipped
C:\System Volume Information\_restore{17AE6CD4-9FB6-47A5-B033-84538415D3B0}\RP287\A0074750.dll Infected: Packed.Win32.Monder.gen skipped
C:\System Volume Information\_restore{17AE6CD4-9FB6-47A5-B033-84538415D3B0}\RP287\A0074751.exe Infected: Trojan-Downloader.Win32.Homles.bj skipped
C:\System Volume Information\_restore{17AE6CD4-9FB6-47A5-B033-84538415D3B0}\RP287\A0074752.exe Infected: Trojan-Downloader.Win32.Homles.bj skipped
C:\System Volume Information\_restore{17AE6CD4-9FB6-47A5-B033-84538415D3B0}\RP287\A0074762.exe/data0005 Infected: Trojan.Win32.Obfuscated.en skipped
C:\System Volume Information\_restore{17AE6CD4-9FB6-47A5-B033-84538415D3B0}\RP287\A0074762.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{17AE6CD4-9FB6-47A5-B033-84538415D3B0}\RP288\A0074788.dll Infected: Packed.Win32.Monder.gen skipped
C:\System Volume Information\_restore{17AE6CD4-9FB6-47A5-B033-84538415D3B0}\RP288\A0074792.dll Infected: Packed.Win32.Monder.gen skipped
C:\System Volume Information\_restore{17AE6CD4-9FB6-47A5-B033-84538415D3B0}\RP288\A0074794.dll Infected: Packed.Win32.Monder.gen skipped
C:\System Volume Information\_restore{17AE6CD4-9FB6-47A5-B033-84538415D3B0}\RP288\A0074795.dll Infected: Packed.Win32.Monder.gen skipped
C:\System Volume Information\_restore{17AE6CD4-9FB6-47A5-B033-84538415D3B0}\RP288\A0074796.dll Infected: Packed.Win32.Monder.gen skipped
C:\System Volume Information\_restore{17AE6CD4-9FB6-47A5-B033-84538415D3B0}\RP288\A0074797.dll Infected: Packed.Win32.Monder.gen skipped
C:\System Volume Information\_restore{17AE6CD4-9FB6-47A5-B033-84538415D3B0}\RP288\A0075850.dll Infected: Packed.Win32.Monder.gen skipped
C:\System Volume Information\_restore{17AE6CD4-9FB6-47A5-B033-84538415D3B0}\RP289\A0075872.dll Infected: Packed.Win32.Monder.gen skipped
C:\System Volume Information\_restore{17AE6CD4-9FB6-47A5-B033-84538415D3B0}\RP289\A0075876.dll Infected: Packed.Win32.Monder.gen skipped
C:\System Volume Information\_restore{17AE6CD4-9FB6-47A5-B033-84538415D3B0}\RP289\A0075877.dll Infected: Packed.Win32.Monder.gen skipped
C:\System Volume Information\_restore{17AE6CD4-9FB6-47A5-B033-84538415D3B0}\RP289\A0075879.dll Infected: Packed.Win32.Monder.gen skipped
C:\System Volume Information\_restore{17AE6CD4-9FB6-47A5-B033-84538415D3B0}\RP289\A0075880.dll Infected: Packed.Win32.Monder.gen skipped
C:\System Volume Information\_restore{17AE6CD4-9FB6-47A5-B033-84538415D3B0}\RP289\A0075881.dll Infected: Packed.Win32.Monder.gen skipped
C:\System Volume Information\_restore{17AE6CD4-9FB6-47A5-B033-84538415D3B0}\RP289\A0076886.dll Infected: Packed.Win32.Monder.gen skipped
C:\System Volume Information\_restore{17AE6CD4-9FB6-47A5-B033-84538415D3B0}\RP289\A0076887.dll Infected: Packed.Win32.Monder.gen skipped
C:\System Volume Information\_restore{17AE6CD4-9FB6-47A5-B033-84538415D3B0}\RP289\A0076888.dll Infected: Packed.Win32.Monder.gen skipped
C:\System Volume Information\_restore{17AE6CD4-9FB6-47A5-B033-84538415D3B0}\RP289\A0076889.dll Infected: Packed.Win32.Monder.gen skipped
C:\System Volume Information\_restore{17AE6CD4-9FB6-47A5-B033-84538415D3B0}\RP289\A0076890.dll Infected: Packed.Win32.Monder.gen skipped
C:\System Volume Information\_restore{17AE6CD4-9FB6-47A5-B033-84538415D3B0}\RP289\A0076891.dll Infected: Packed.Win32.Monder.gen skipped
C:\System Volume Information\_restore{17AE6CD4-9FB6-47A5-B033-84538415D3B0}\RP289\A0076892.dll Infected: Packed.Win32.Monder.gen skipped
C:\System Volume Information\_restore{17AE6CD4-9FB6-47A5-B033-84538415D3B0}\RP291\A0079661.dll Infected: Packed.Win32.Monder.gen skipped
C:\System Volume Information\_restore{17AE6CD4-9FB6-47A5-B033-84538415D3B0}\RP291\A0079662.dll Infected: Packed.Win32.Monder.gen skipped
C:\System Volume Information\_restore{17AE6CD4-9FB6-47A5-B033-84538415D3B0}\RP291\A0079663.dll Infected: Packed.Win32.Monder.gen skipped
C:\System Volume Information\_restore{17AE6CD4-9FB6-47A5-B033-84538415D3B0}\RP291\A0079664.dll Infected: Packed.Win32.Monder.gen skipped
C:\System Volume Information\_restore{17AE6CD4-9FB6-47A5-B033-84538415D3B0}\RP291\A0079665.dll Infected: Packed.Win32.Monder.gen skipped
C:\System Volume Information\_restore{17AE6CD4-9FB6-47A5-B033-84538415D3B0}\RP293\change.log Object is locked skipped
C:\WINDOWS\Debug\oakley.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\config\Antivirus.Evt Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\De2\bwa3ui.exe Infected: Trojan-Downloader.Win32.Small.buy skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\pnVes01\pnVes011065.exe Infected: Trojan-Downloader.Win32.VB.ebd skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.

pskelley

2008-05-01, 01:22

Thanks for returning you scan results and the feedback, proceed like this.

1) Delete the folder in red and contents
C:\WINDOWS\system32\De2\bwa3ui.exe ------> Trojan-Downloader.Win32.Small.buy

2) Delete the folder in red and contents
C:\WINDOWS\system32\pnVes01\pnVes011065.exe ------> Trojan-Downloader.Win32.VB.ebd

3) Empty the Recycle Bin on the Desktop and restart the computer

4) Follow these directions to clean infected System Restore files:

Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

Reboot

Turn ON System Restore,
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.

Follow the directions and the next KOS will be clean, no need to post a clean scan.

Some good information for you:
http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html
http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx

Here is some great information from experts in this field that will help you stay clean and safe online.
http://users.telenet.be/bluepatchy/miekiemoes/prevention.html
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml

http://www.malwarecomplaints.info/

Thanks...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.

Anaximenes

2008-05-01, 01:40

Done, and everything's looking fine!

I can't thank you enough Phil, I owe you one.

I'll be more careful in the future!

Thanks - Jim