View Full Version : virtumonde strikes again
I have managed to get myself infected with virtumonde (not really sure if it's malware or a virus, but I do know that it IS annoying)
I have tried several methods to remove it, all to no avail.
Vundofix and FXVMonde.exe can not find it.
Spyware Doctor finds
-Trojan.virtumonde
-Adware.advertising
-Application.trackingCookies
since i have the freeware version of Spyware Doctor I cannot use it to fix the problem (but I doubt it would work anyway as everything else has failed)
Spybot Search and Destroy finds
-Doubleclick
-Mediaplex
-Virtumonde
-Virtumonde.dll
Every time i try and clean those files it says that it has succesfully done the job, but it never seems to actually get the job done.
Below is my hijackthis log... please help.
Logfile of HijackThis v1.99.1
Scan saved at 6:38:02 PM, on 5/30/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
G:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
G:\Program Files\McAfee\Common Framework\FrameworkService.exe
G:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
G:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\BCMSMMSG.exe
G:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
G:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\WINDOWS\CTHELPER.EXE
G:\Program Files\McAfee\Common Framework\McTray.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - G:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [ShStatEXE] "G:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "G:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [ISTray] "G:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [780d8c0b] rundll32.exe "C:\WINDOWS\system32\xykugdjr.dll",b
O4 - HKLM\..\Run: [BM7b3ebf97] Rundll32.exe "C:\WINDOWS\system32\drnkbpjc.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Microsoft Windows Installer] C:\Documents and Settings\Marc\Application Data\Microsoft\dtsc\10390.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] G:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: VPN Client.lnk = ?
O8 - Extra context menu item: Append to existing PDF - res://G:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://G:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://G:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://G:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://G:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://G:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://G:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://G:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://G:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - G:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - G:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - G:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O10 - Unknown file in Winsock LSP: g:\program files\bonjour\mdnsnsp.dll
O11 - Options group: [INTERNATIONAL] International*
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - G:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - G:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Unknown owner - G:\Program Files\McAfee\Common Framework\FrameworkService.exe" /ServiceStart (file missing)
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - G:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - G:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - G:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - G:\Program Files\Spyware Doctor\pctsSvc.exe
Thanks,
Marc
shelf life
2008-05-31, 15:01
hi,
Download combofix from one of these links and save it to your Desktop:
http://subs.geekstogo.com/ComboFix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.
Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review
Note: Do not mouseclick combofix's window while it's running. That may cause it to stall or freeze.
Thanks a lot for the help. Here are the two log files. Also, I stopped Spybot Search and Destroy before running ComboFix, but it restarted at some point during the process. Just wanted to alert you to this in case it could have screwed something up. Thanks again for all the help.
ComboFix 08-05-29.1 - Marc 2008-05-31 12:37:24.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1614 [GMT -4:00]
Running from: C:\Documents and Settings\Marc\Desktop\ComboFix.exe
* Created a new restore point
* Resident AV is active
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\BM7b3ebf97.xml
C:\WINDOWS\cookies.ini
C:\WINDOWS\megavid.cdt
C:\WINDOWS\muotr.so
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\cfunfylr.dll
C:\WINDOWS\system32\drnkbpjc.dll
C:\WINDOWS\system32\dxnkibbk.ini
C:\WINDOWS\system32\efcApNgF.dll
C:\WINDOWS\system32\FgNpAcfe.ini
C:\WINDOWS\system32\FgNpAcfe.ini2
C:\WINDOWS\system32\fwnakmto.ini
C:\WINDOWS\system32\hhabtmon.dll
C:\WINDOWS\system32\HjlklUvw.ini
C:\WINDOWS\system32\HjlklUvw.ini2
C:\WINDOWS\system32\hnruqoyw.dll
C:\WINDOWS\system32\huwpamrr.dll
C:\WINDOWS\system32\kgtwhlny.dll
C:\WINDOWS\system32\lqridkhc.dll
C:\WINDOWS\system32\luitxjyw.ini
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\mwdysfia.dll
C:\WINDOWS\system32\mwfrbutc.dll
C:\WINDOWS\system32\nomtbahh.ini
C:\WINDOWS\system32\noYyJkkj.ini
C:\WINDOWS\system32\noYyJkkj.ini2
C:\WINDOWS\system32\npipbyna.dll
C:\WINDOWS\system32\NXbKmnpo.ini
C:\WINDOWS\system32\NXbKmnpo.ini2
C:\WINDOWS\system32\ohdlysws.ini
C:\WINDOWS\system32\OppqqBeg.ini
C:\WINDOWS\system32\OppqqBeg.ini2
C:\WINDOWS\system32\penutlpj.dll
C:\WINDOWS\system32\qXwvDfhk.ini
C:\WINDOWS\system32\qXwvDfhk.ini2
C:\WINDOWS\system32\rjdgukyx.ini
C:\WINDOWS\system32\sclgcndv.dll
C:\WINDOWS\system32\swsyldho.dll
C:\WINDOWS\system32\tveitero.dll
C:\WINDOWS\system32\vdncglcs.ini
C:\WINDOWS\system32\vtUopPJd.dll
C:\WINDOWS\system32\wfhgwemi.dll
C:\WINDOWS\system32\wwwnchun.dll
C:\WINDOWS\system32\wwyFNqss.ini
C:\WINDOWS\system32\wwyFNqss.ini2
C:\WINDOWS\system32\wyjxtiul.dll
C:\WINDOWS\system32\xykugdjr.dll
C:\WINDOWS\system32\YGPoqBeg.ini
C:\WINDOWS\system32\YGPoqBeg.ini2
.
((((((((((((((((((((((((( Files Created from 2008-04-28 to 2008-05-31 )))))))))))))))))))))))))))))))
.
2008-05-30 18:49 . 2008-05-31 12:47 4,958,588 --------- C:\WINDOWS\{00000002-00000000-00000002-00001102-00000004-10031102}.BAK
2008-05-30 17:48 . 2008-05-30 17:48 <DIR> d-------- C:\Program Files
2008-05-30 15:43 . 2008-05-30 15:43 <DIR> d-------- G:\Program Files\CCleaner
2008-05-30 15:28 . 2008-05-30 15:53 <DIR> d-------- C:\Documents and Settings\Administrator
2008-05-30 09:17 . 2008-05-30 09:20 <DIR> d-------- G:\Program Files\Spyware Doctor
2008-05-30 09:17 . 2008-05-30 09:17 <DIR> d-------- C:\Documents and Settings\Marc\Application Data\PC Tools
2008-05-30 09:17 . 2008-05-31 12:52 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-05-30 09:17 . 2007-12-10 13:53 81,288 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2008-05-30 09:17 . 2007-12-10 13:53 66,952 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2008-05-30 09:17 . 2008-02-01 11:55 42,376 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2008-05-30 09:17 . 2007-12-10 13:53 29,576 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2008-05-29 22:44 . 2008-05-29 23:29 <DIR> d-------- C:\VundoFix Backups
2008-05-29 19:23 . 2004-04-08 17:51 939,368 --a------ C:\WINDOWS\system32\Flash.ocx
2008-05-29 19:23 . 2003-11-19 14:59 512,688 --a------ C:\WINDOWS\system32\XceedCry.dll
2008-05-29 19:23 . 2004-05-11 10:56 423,784 --a------ C:\WINDOWS\system32\XceedBkp.dll
2008-05-29 19:23 . 2004-02-05 21:53 389,120 --a------ C:\WINDOWS\system32\ACTSKN43.OCX
2008-05-29 19:23 . 2004-01-09 11:54 188,416 --a------ C:\WINDOWS\system32\actsplash.ocx
2008-05-29 19:23 . 2004-03-09 00:00 131,856 --a------ C:\WINDOWS\system32\MSADODC.ocx
2008-05-29 19:23 . 2000-07-15 06:00 101,888 --a------ C:\WINDOWS\system32\VB6STKIT.DLL
2008-05-29 19:23 . 2001-03-28 23:02 89,088 --a------ C:\WINDOWS\system32\ProgressBar4.ocx
2008-05-29 19:23 . 1999-01-26 20:36 11,012 --a------ C:\WINDOWS\system32\threadapi.tlb
2008-05-29 18:10 . 2008-05-30 18:20 1,152 --a------ C:\WINDOWS\wininit.ini
2008-05-29 17:43 . 2008-05-30 09:21 <DIR> d-------- G:\Program Files\Spybot - Search & Destroy
2008-05-29 17:43 . 2008-05-30 09:21 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-29 17:10 . 2008-05-29 17:10 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-05-29 17:10 . 2008-05-29 17:10 1,409 --a------ C:\WINDOWS\QTFont.for
2008-05-28 20:02 . 2008-05-29 22:49 <DIR> d-------- G:\Program Files\PowerISO
2008-05-28 19:39 . 2008-05-28 21:48 <DIR> d-------- C:\Documents and Settings\Marc\Application Data\Vso
2008-05-28 19:39 . 2008-05-28 19:39 87,608 --a------ C:\Documents and Settings\Marc\Application Data\inst.exe
2008-05-28 19:39 . 2008-05-28 19:39 47,360 --a------ C:\WINDOWS\system32\drivers\pcouffin.sys
2008-05-28 19:39 . 2008-05-28 19:39 47,360 --a------ C:\Documents and Settings\Marc\Application Data\pcouffin.sys
2008-05-28 19:38 . 2008-05-28 21:46 <DIR> d-------- G:\Program Files\DVDFab 5
2008-05-28 17:30 . 2008-05-28 17:30 <DIR> d-------- G:\Program Files\Common Files\Canon
2008-05-28 17:24 . 2004-08-04 00:56 159,232 --a------ C:\WINDOWS\system32\ptpusd.dll
2008-05-28 17:24 . 2004-08-03 22:58 15,104 --a------ C:\WINDOWS\system32\drivers\usbscan.sys
2008-05-28 17:24 . 2004-08-03 22:58 15,104 --a--c--- C:\WINDOWS\system32\dllcache\usbscan.sys
2008-05-28 17:24 . 2001-08-17 22:36 5,632 --a------ C:\WINDOWS\system32\ptpusb.dll
2008-05-28 17:23 . 2008-05-28 17:23 <DIR> d-------- G:\Program Files\Canon
2008-05-28 17:23 . 2003-02-12 18:09 380,928 --a------ C:\WINDOWS\system32\psCamDat.dll
2008-05-28 17:23 . 2002-12-10 21:10 356,352 --a------ C:\WINDOWS\system32\pscDcd.dll
2008-05-28 17:23 . 2003-02-21 15:23 212,992 --a------ C:\WINDOWS\system32\pscParse.dll
2008-05-28 17:23 . 2003-03-13 11:46 139,264 --a------ C:\WINDOWS\system32\pscDvlp.dll
2008-05-28 17:23 . 2003-08-01 10:37 117,760 --a------ C:\WINDOWS\system32\CNDPTPU.dll
2008-05-28 17:23 . 2003-08-01 10:37 57,344 --a------ C:\WINDOWS\system32\CNDPTPC.dll
2008-05-20 23:26 . 2008-05-20 23:39 3,072,054 --a------ C:\WINDOWS\ACD Wallpaper.bmp
2008-05-20 22:27 . 2008-05-20 22:27 <DIR> d-------- C:\Documents and Settings\Marc\Application Data\Pegasys Inc
2008-05-20 21:02 . 2008-05-20 21:02 <DIR> d-------- C:\Documents and Settings\Marc\Application Data\ACD Systems
2008-05-20 20:58 . 2008-05-20 20:58 <DIR> d-------- G:\Program Files\Common Files\ACD Systems
2008-05-20 20:58 . 2008-05-20 20:58 <DIR> d-------- G:\Program Files\ACD Systems
2008-05-20 20:58 . 2008-05-20 20:58 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ACD Systems
2008-05-20 20:58 . 2008-05-20 20:58 10,368 --a------ C:\WINDOWS\system32\drivers\pfc.sys
2008-05-20 20:54 . 2008-05-20 20:54 <DIR> d-------- C:\WINDOWS\Downloaded Installations
2008-05-20 20:43 . 2008-05-20 20:43 <DIR> d-------- G:\Program Files\Common Files\Macrovision Shared
2008-05-20 20:43 . 2008-05-20 20:43 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\FLEXnet
2008-05-20 18:57 . 2008-05-20 18:57 <DIR> d-------- G:\Program Files\uTorrent
2008-05-20 18:57 . 2008-05-30 18:34 <DIR> d-------- C:\Documents and Settings\Marc\Application Data\uTorrent
2008-05-12 21:53 . 2008-05-12 21:53 3,596,288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2008-05-12 21:53 . 2008-05-12 21:53 524,288 --a------ C:\WINDOWS\system32\DivXsm.exe
2008-05-12 21:53 . 2008-05-12 21:53 4,816 --a------ C:\WINDOWS\system32\divxsm.tlb
2008-05-12 21:51 . 2008-05-12 21:51 1,044,480 --a------ C:\WINDOWS\system32\libdivx.dll
2008-05-12 21:51 . 2008-05-12 21:51 200,704 --a------ C:\WINDOWS\system32\ssldivx.dll
2008-05-12 21:49 . 2008-05-12 21:49 630,784 --a------ C:\WINDOWS\system32\divxdec.ax
2008-05-12 21:49 . 2008-05-12 21:49 352,401 --a------ C:\WINDOWS\system32\DivXMedia.ax
2008-05-12 21:49 . 2008-05-12 21:49 161,096 --a------ C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2008-05-12 21:49 . 2008-05-12 21:49 12,288 --a------ C:\WINDOWS\system32\DivXWMPExtType.dll
2008-05-10 16:55 . 2008-05-10 16:56 <DIR> d-------- C:\Documents and Settings\Marc\Application Data\DivX
2008-05-10 16:54 . 2008-05-20 22:13 <DIR> d-------- G:\Program Files\DivX
2008-04-26 19:23 . 2008-04-27 20:59 <DIR> d-------- G:\Program Files\mIRC
2008-04-26 19:23 . 2008-04-27 21:04 <DIR> d-------- C:\Documents and Settings\Marc\Application Data\mIRC
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-29 21:10 --------- d-----w G:\Program Files\Mozilla Thunderbird
2008-05-21 00:43 --------- d-----w G:\Program Files\Common Files\Adobe
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll
2008-03-21 20:30 129,784 ----a-w C:\WINDOWS\system32\pxafs.dll
2008-03-21 20:30 120,056 ----a-w C:\WINDOWS\system32\pxcpyi64.exe
2008-03-21 20:30 118,520 ----a-w C:\WINDOWS\system32\pxinsi64.exe
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-09 22:12 86,016 ----a-w C:\WINDOWS\system32\OpenAL32.dll
2008-03-09 22:12 409,600 ----a-w C:\WINDOWS\system32\wrap_oal.dll
2008-03-01 13:06 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-02-26 11:59 294,912 ----a-w C:\WINDOWS\system32\msctf.dll
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06E12C36-760F-4D92-8509-5E5DBF12C423}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{10CD45C2-7090-4586-88C4-DE615FAE7BC1}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2F91377D-DE05-428A-853E-A3ECF0FD15EE}]
C:\WINDOWS\system32\geBqoPGY.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6243E883-8D7C-405D-8983-5E6256FC33C0}]
C:\WINDOWS\system32\wvUlkljH.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{a730fced-9b44-4f3a-9e69-8e98d9a82b53}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B23BC973-34E2-4BD4-AF5A-6BCF63097BA9}]
C:\WINDOWS\system32\jkkJyYon.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CC4FA941-295C-49EB-9AA3-183C87545B07}]
C:\WINDOWS\system32\opnmKbXN.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{DF4EED68-450F-48C1-8D8E-0EB8238B2C4E}]
C:\WINDOWS\system32\ssqNFyww.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{e7c8c9f4-f11d-4a25-b3c1-f92e7e385daa}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F7B46F3C-CCD0-4C1E-ACE7-FED53A54253E}]
C:\WINDOWS\system32\geBqqppO.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{fa54ca66-d2ea-4d98-b8ca-c4bd9e7fef7b}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FFCF8CF2-B392-4421-8C70-BC49EDCE93D8}]
C:\WINDOWS\system32\khfDvwXq.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2006-02-28 08:00 15360]
"Microsoft Windows Installer"="C:\Documents and Settings\Marc\Application Data\Microsoft\dtsc\10390.exe" [ ]
"SpybotSD TeaTimer"="G:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-12-05 02:41 8523776]
"nwiz"="nwiz.exe" [2007-12-05 02:41 1626112 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-12-05 02:41 81920]
"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 05:59 122880 C:\WINDOWS\BCMSMMSG.exe]
"ShStatEXE"="G:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.exe" [2006-11-30 09:50 112216]
"McAfeeUpdaterUI"="G:\Program Files\McAfee\Common Framework\UdaterUI.exe" [2006-11-17 13:39 136768]
"CTHelper"="CTHELPER.EXE" [2006-08-11 14:56 17920 C:\WINDOWS\CTHELPER.EXE]
"CTxfiHlp"="CTXFIHLP.EXE" [2006-08-11 14:56 18944 C:\WINDOWS\system32\CTXFIHLP.EXE]
"ISTray"="G:\Program Files\Spyware Doctor\pctsTray.exe" [2008-04-10 15:14 1107848]
"780d8c0b"="C:\WINDOWS\system32\kbbiknxd.dll" [ ]
"BM7b3ebf97"="C:\WINDOWS\system32\drnkbpjc.dll" [ ]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
VPN Client.lnk - C:\WINDOWS\Installer\{8A3A2363-2129-43FB-8DFC-F237DA58038C}\Icon3E5562ED7.ico [2008-03-09 20:44:48 6144]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\vtUopPJd]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.ACDV"= ACDV.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
--a------ 2007-05-10 22:46 624248 G:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 22:16 39792 G:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-02-19 13:10 267048 G:\Program Files\iTunes\iTunesHelper.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-01-31 23:13 385024 G:\Program Files\QuickTime\QTTask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"iPod Service"=3 (0x3)
"Apple Mobile Device"=2 (0x2)
"Bonjour Service"=2 (0x2)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"G:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=
"G:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"G:\\Program Files\\iTunes\\iTunes.exe"=
"G:\\Program Files\\MATLAB\\R2007a\\bin\\win32\\MATLAB.exe"=
"G:\\Program Files\\ClemsonHub\\DC++\\DCPlusPlus.exe"=
"G:\\Program Files\\mIRC\\mirc.exe"=
"G:\\Program Files\\uTorrent\\uTorrent.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-31 12:49:38
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
G:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
G:\Program Files\McAfee\Common Framework\FrameworkService.exe
G:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
G:\Program Files\McAfee\Common Framework\Mctray.exe
G:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
G:\Program Files\McAfee\Common Framework\naPrdMgr.exe
C:\WINDOWS\system32\nvsvc32.exe
.
**************************************************************************
.
Completion time: 2008-05-31 12:55:46 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-31 16:55:27
Pre-Run: 17,471,844,352 bytes free
Post-Run: 17,407,315,968 bytes free
244 --- E O F --- 2008-05-28 21:13:22
Logfile of HijackThis v1.99.1
Scan saved at 12:58:30 PM, on 5/31/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
G:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
G:\Program Files\McAfee\Common Framework\FrameworkService.exe
G:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\WINDOWS\BCMSMMSG.exe
G:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
G:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\WINDOWS\CTHELPER.EXE
G:\Program Files\Spyware Doctor\pctsTray.exe
G:\Program Files\McAfee\Common Framework\McTray.exe
G:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {2F91377D-DE05-428A-853E-A3ECF0FD15EE} - C:\WINDOWS\system32\geBqoPGY.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - G:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {6243E883-8D7C-405D-8983-5E6256FC33C0} - C:\WINDOWS\system32\wvUlkljH.dll (file missing)
O2 - BHO: (no name) - {B23BC973-34E2-4BD4-AF5A-6BCF63097BA9} - C:\WINDOWS\system32\jkkJyYon.dll (file missing)
O2 - BHO: (no name) - {CC4FA941-295C-49EB-9AA3-183C87545B07} - C:\WINDOWS\system32\opnmKbXN.dll (file missing)
O2 - BHO: (no name) - {DF4EED68-450F-48C1-8D8E-0EB8238B2C4E} - C:\WINDOWS\system32\ssqNFyww.dll (file missing)
O2 - BHO: (no name) - {F7B46F3C-CCD0-4C1E-ACE7-FED53A54253E} - C:\WINDOWS\system32\geBqqppO.dll (file missing)
O2 - BHO: (no name) - {FFCF8CF2-B392-4421-8C70-BC49EDCE93D8} - C:\WINDOWS\system32\khfDvwXq.dll (file missing)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - G:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [ShStatEXE] "G:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "G:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [ISTray] "G:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [780d8c0b] rundll32.exe "C:\WINDOWS\system32\kbbiknxd.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Microsoft Windows Installer] C:\Documents and Settings\Marc\Application Data\Microsoft\dtsc\10390.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] G:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: VPN Client.lnk = ?
O8 - Extra context menu item: Append to existing PDF - res://G:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://G:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://G:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://G:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://G:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://G:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://G:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://G:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://G:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - G:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - G:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - G:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O10 - Unknown file in Winsock LSP: g:\program files\bonjour\mdnsnsp.dll
O11 - Options group: [INTERNATIONAL] International*
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - G:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - G:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Unknown owner - G:\Program Files\McAfee\Common Framework\FrameworkService.exe" /ServiceStart (file missing)
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - G:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - G:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - G:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - G:\Program Files\Spyware Doctor\pctsSvc.exe
shelf life
2008-06-01, 00:55
hi,
thanks for the info. we will use combofix;
Click Start, then Run and type Notepad and click OK.
Copy/paste the text in the code box below into notepad:
File::
C:\WINDOWS\system32\geBqoPGY.dll
C:\WINDOWS\system32\wvUlkljH.dll
C:\WINDOWS\system32\jkkJyYon.dll
C:\WINDOWS\system32\opnmKbXN.dll
C:\WINDOWS\system32\ssqNFyww.dll
C:\WINDOWS\system32\khfDvwXq.dll
Registry::
-[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06E12C36-760F-4D92-8509-5E5DBF12C423}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{10CD45C2-7090-4586-88C4-DE615FAE7BC1}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2F91377D-DE05-428A-853E-A3ECF0FD15EE}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6243E883-8D7C-405D-8983-5E6256FC33C0}
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{a730fced-9b44-4f3a-9e69-8e98d9a82b53}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B23BC973-34E2-4BD4-AF5A-6BCF63097BA9}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CC4FA941-295C-49EB-9AA3-183C87545B07}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{DF4EED68-450F-48C1-8D8E-0EB8238B2C4E}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{e7c8c9f4-f11d-4a25-b3c1-f92e7e385daa}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F7B46F3C-CCD0-4C1E-ACE7-FED53A54253E}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{fa54ca66-d2ea-4d98-b8ca-c4bd9e7fef7b}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FFCF8CF2-B392-4421-8C70-BC49EDCE93D8}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"780d8c0b"="-
"BM7b3ebf97"="-
Name the Notepad file CFScript.txt and Save it to your desktop.
now locate the file you just saved and the combofix icon, both on your desktop.
using your mouse drag the CFScript right on top of the combofix icon and release, combofix will run and produce a new log
please post the new combofix log
--------------------------------------------------
one more download to get and run:
Please download Malwarebytes' Anti-Malware to your desktop:
http://www.besttechie.net/tools/mbam-setup.exe
* Double-click mbam-setup.exe and follow the prompts to install the program.
* Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform FULL SCAN, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt
run malwarebytes and post a new hjt log also.
Ok... Lots of information... thanks again for all the help
Combofix
ComboFix 08-05-29.1 - Marc 2008-06-01 0:06:09.2 - NTFSx86
Running from: C:\Documents and Settings\Marc\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Marc\Desktop\CFScript.txt
* Created a new restore point
* Resident AV is active
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
FILE ::
C:\WINDOWS\system32\geBqoPGY.dll
C:\WINDOWS\system32\jkkJyYon.dll
C:\WINDOWS\system32\khfDvwXq.dll
C:\WINDOWS\system32\opnmKbXN.dll
C:\WINDOWS\system32\ssqNFyww.dll
C:\WINDOWS\system32\wvUlkljH.dll
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\Marc\Application Data\inst.exe
.
((((((((((((((((((((((((( Files Created from 2008-05-01 to 2008-06-01 )))))))))))))))))))))))))))))))
.
2008-05-30 18:49 . 2008-05-31 12:47 4,958,588 --------- C:\WINDOWS\{00000002-00000000-00000002-00001102-00000004-10031102}.BAK
2008-05-30 17:48 . 2008-05-30 17:48 <DIR> d-------- C:\Program Files
2008-05-30 15:43 . 2008-05-30 15:43 <DIR> d-------- G:\Program Files\CCleaner
2008-05-30 15:28 . 2008-05-30 15:53 <DIR> d-------- C:\Documents and Settings\Administrator
2008-05-30 09:17 . 2008-05-30 09:20 <DIR> d-------- G:\Program Files\Spyware Doctor
2008-05-30 09:17 . 2008-05-30 09:17 <DIR> d-------- C:\Documents and Settings\Marc\Application Data\PC Tools
2008-05-30 09:17 . 2008-05-31 23:54 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-05-30 09:17 . 2007-12-10 13:53 81,288 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2008-05-30 09:17 . 2007-12-10 13:53 66,952 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2008-05-30 09:17 . 2008-02-01 11:55 42,376 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2008-05-30 09:17 . 2007-12-10 13:53 29,576 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2008-05-29 22:44 . 2008-05-29 23:29 <DIR> d-------- C:\VundoFix Backups
2008-05-29 19:23 . 2004-04-08 17:51 939,368 --a------ C:\WINDOWS\system32\Flash.ocx
2008-05-29 19:23 . 2003-11-19 14:59 512,688 --a------ C:\WINDOWS\system32\XceedCry.dll
2008-05-29 19:23 . 2004-05-11 10:56 423,784 --a------ C:\WINDOWS\system32\XceedBkp.dll
2008-05-29 19:23 . 2004-02-05 21:53 389,120 --a------ C:\WINDOWS\system32\ACTSKN43.OCX
2008-05-29 19:23 . 2004-01-09 11:54 188,416 --a------ C:\WINDOWS\system32\actsplash.ocx
2008-05-29 19:23 . 2004-03-09 00:00 131,856 --a------ C:\WINDOWS\system32\MSADODC.ocx
2008-05-29 19:23 . 2000-07-15 06:00 101,888 --a------ C:\WINDOWS\system32\VB6STKIT.DLL
2008-05-29 19:23 . 2001-03-28 23:02 89,088 --a------ C:\WINDOWS\system32\ProgressBar4.ocx
2008-05-29 19:23 . 1999-01-26 20:36 11,012 --a------ C:\WINDOWS\system32\threadapi.tlb
2008-05-29 18:10 . 2008-05-30 18:20 1,152 --a------ C:\WINDOWS\wininit.ini
2008-05-29 17:43 . 2008-05-30 09:21 <DIR> d-------- G:\Program Files\Spybot - Search & Destroy
2008-05-29 17:43 . 2008-05-30 09:21 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-29 17:10 . 2008-05-29 17:10 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-05-29 17:10 . 2008-05-29 17:10 1,409 --a------ C:\WINDOWS\QTFont.for
2008-05-28 20:02 . 2008-05-29 22:49 <DIR> d-------- G:\Program Files\PowerISO
2008-05-28 19:39 . 2008-05-28 21:48 <DIR> d-------- C:\Documents and Settings\Marc\Application Data\Vso
2008-05-28 19:39 . 2008-05-28 19:39 47,360 --a------ C:\WINDOWS\system32\drivers\pcouffin.sys
2008-05-28 19:39 . 2008-05-28 19:39 47,360 --a------ C:\Documents and Settings\Marc\Application Data\pcouffin.sys
2008-05-28 19:38 . 2008-05-28 21:46 <DIR> d-------- G:\Program Files\DVDFab 5
2008-05-28 17:30 . 2008-05-28 17:30 <DIR> d-------- G:\Program Files\Common Files\Canon
2008-05-28 17:24 . 2004-08-04 00:56 159,232 --a------ C:\WINDOWS\system32\ptpusd.dll
2008-05-28 17:24 . 2004-08-03 22:58 15,104 --a------ C:\WINDOWS\system32\drivers\usbscan.sys
2008-05-28 17:24 . 2004-08-03 22:58 15,104 --a--c--- C:\WINDOWS\system32\dllcache\usbscan.sys
2008-05-28 17:24 . 2001-08-17 22:36 5,632 --a------ C:\WINDOWS\system32\ptpusb.dll
2008-05-28 17:23 . 2008-05-28 17:23 <DIR> d-------- G:\Program Files\Canon
2008-05-28 17:23 . 2003-02-12 18:09 380,928 --a------ C:\WINDOWS\system32\psCamDat.dll
2008-05-28 17:23 . 2002-12-10 21:10 356,352 --a------ C:\WINDOWS\system32\pscDcd.dll
2008-05-28 17:23 . 2003-02-21 15:23 212,992 --a------ C:\WINDOWS\system32\pscParse.dll
2008-05-28 17:23 . 2003-03-13 11:46 139,264 --a------ C:\WINDOWS\system32\pscDvlp.dll
2008-05-28 17:23 . 2003-08-01 10:37 117,760 --a------ C:\WINDOWS\system32\CNDPTPU.dll
2008-05-28 17:23 . 2003-08-01 10:37 57,344 --a------ C:\WINDOWS\system32\CNDPTPC.dll
2008-05-20 23:26 . 2008-05-20 23:39 3,072,054 --a------ C:\WINDOWS\ACD Wallpaper.bmp
2008-05-20 22:27 . 2008-05-20 22:27 <DIR> d-------- C:\Documents and Settings\Marc\Application Data\Pegasys Inc
2008-05-20 21:02 . 2008-05-20 21:02 <DIR> d-------- C:\Documents and Settings\Marc\Application Data\ACD Systems
2008-05-20 20:58 . 2008-05-20 20:58 <DIR> d-------- G:\Program Files\Common Files\ACD Systems
2008-05-20 20:58 . 2008-05-20 20:58 <DIR> d-------- G:\Program Files\ACD Systems
2008-05-20 20:58 . 2008-05-20 20:58 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ACD Systems
2008-05-20 20:58 . 2008-05-20 20:58 10,368 --a------ C:\WINDOWS\system32\drivers\pfc.sys
2008-05-20 20:54 . 2008-05-20 20:54 <DIR> d-------- C:\WINDOWS\Downloaded Installations
2008-05-20 20:43 . 2008-05-20 20:43 <DIR> d-------- G:\Program Files\Common Files\Macrovision Shared
2008-05-20 20:43 . 2008-05-20 20:43 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\FLEXnet
2008-05-20 18:57 . 2008-05-20 18:57 <DIR> d-------- G:\Program Files\uTorrent
2008-05-20 18:57 . 2008-05-30 18:34 <DIR> d-------- C:\Documents and Settings\Marc\Application Data\uTorrent
2008-05-12 21:53 . 2008-05-12 21:53 3,596,288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2008-05-12 21:53 . 2008-05-12 21:53 524,288 --a------ C:\WINDOWS\system32\DivXsm.exe
2008-05-12 21:53 . 2008-05-12 21:53 4,816 --a------ C:\WINDOWS\system32\divxsm.tlb
2008-05-12 21:51 . 2008-05-12 21:51 1,044,480 --a------ C:\WINDOWS\system32\libdivx.dll
2008-05-12 21:51 . 2008-05-12 21:51 200,704 --a------ C:\WINDOWS\system32\ssldivx.dll
2008-05-12 21:49 . 2008-05-12 21:49 630,784 --a------ C:\WINDOWS\system32\divxdec.ax
2008-05-12 21:49 . 2008-05-12 21:49 352,401 --a------ C:\WINDOWS\system32\DivXMedia.ax
2008-05-12 21:49 . 2008-05-12 21:49 161,096 --a------ C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2008-05-12 21:49 . 2008-05-12 21:49 12,288 --a------ C:\WINDOWS\system32\DivXWMPExtType.dll
2008-05-10 16:55 . 2008-05-10 16:56 <DIR> d-------- C:\Documents and Settings\Marc\Application Data\DivX
2008-05-10 16:54 . 2008-05-20 22:13 <DIR> d-------- G:\Program Files\DivX
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-31 21:59 --------- d-----w G:\Program Files\Mozilla Thunderbird
2008-05-21 00:43 --------- d-----w G:\Program Files\Common Files\Adobe
2008-04-28 01:04 --------- d-----w C:\Documents and Settings\Marc\Application Data\mIRC
2008-04-28 00:59 --------- d-----w G:\Program Files\mIRC
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll
2008-03-21 20:30 129,784 ----a-w C:\WINDOWS\system32\pxafs.dll
2008-03-21 20:30 120,056 ----a-w C:\WINDOWS\system32\pxcpyi64.exe
2008-03-21 20:30 118,520 ----a-w C:\WINDOWS\system32\pxinsi64.exe
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-09 22:12 86,016 ----a-w C:\WINDOWS\system32\OpenAL32.dll
2008-03-09 22:12 409,600 ----a-w C:\WINDOWS\system32\wrap_oal.dll
2008-03-01 13:06 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
.
((((((((((((((((((((((((((((( snapshot@2008-05-31_12.54.57.57 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-31 16:36:34 39,992 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-05-31 23:57:29 39,992 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-05-31 16:36:34 311,604 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-05-31 23:57:29 311,604 ----a-w C:\WINDOWS\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6243E883-8D7C-405D-8983-5E6256FC33C0}]
C:\WINDOWS\system32\wvUlkljH.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2006-02-28 08:00 15360]
"Microsoft Windows Installer"="C:\Documents and Settings\Marc\Application Data\Microsoft\dtsc\10390.exe" [ ]
"SpybotSD TeaTimer"="G:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-12-05 02:41 8523776]
"nwiz"="nwiz.exe" [2007-12-05 02:41 1626112 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-12-05 02:41 81920]
"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 05:59 122880 C:\WINDOWS\BCMSMMSG.exe]
"ShStatEXE"="G:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.exe" [2006-11-30 09:50 112216]
"McAfeeUpdaterUI"="G:\Program Files\McAfee\Common Framework\UdaterUI.exe" [2006-11-17 13:39 136768]
"CTHelper"="CTHELPER.EXE" [2006-08-11 14:56 17920 C:\WINDOWS\CTHELPER.EXE]
"CTxfiHlp"="CTXFIHLP.EXE" [2006-08-11 14:56 18944 C:\WINDOWS\system32\CTXFIHLP.EXE]
"780d8c0b"="C:\WINDOWS\system32\kbbiknxd.dll" [ ]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
VPN Client.lnk - C:\WINDOWS\Installer\{8A3A2363-2129-43FB-8DFC-F237DA58038C}\Icon3E5562ED7.ico [2008-03-09 20:44:48 6144]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.ACDV"= ACDV.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
--a------ 2007-05-10 22:46 624248 G:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 22:16 39792 G:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-02-19 13:10 267048 G:\Program Files\iTunes\iTunesHelper.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-01-31 23:13 385024 G:\Program Files\QuickTime\QTTask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"iPod Service"=3 (0x3)
"Apple Mobile Device"=2 (0x2)
"Bonjour Service"=2 (0x2)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"G:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=
"G:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"G:\\Program Files\\iTunes\\iTunes.exe"=
"G:\\Program Files\\MATLAB\\R2007a\\bin\\win32\\MATLAB.exe"=
"G:\\Program Files\\ClemsonHub\\DC++\\DCPlusPlus.exe"=
"G:\\Program Files\\mIRC\\mirc.exe"=
"G:\\Program Files\\uTorrent\\uTorrent.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-01 00:09:40
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-06-01 0:11:25
ComboFix-quarantined-files.txt 2008-06-01 04:10:54
ComboFix2.txt 2008-05-31 16:55:58
Pre-Run: 17,398,820,864 bytes free
Post-Run: 17,388,326,912 bytes free
175 --- E O F --- 2008-05-28 21:13:22
Malwarebytes
Malwarebytes' Anti-Malware 1.14
Database version: 811
1:03:22 AM 6/1/2008
mbam-log-6-1-2008 (01-03-22).txt
Scan type: Full Scan (C:\|D:\|G:\|)
Objects scanned: 211194
Time elapsed: 37 minute(s), 59 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 4
Registry Values Infected: 3
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 9
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06e12c36-760f-4d92-8509-5e5dbf12c423} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Windows Installer (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\780d8c0b (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BM7b3ebf97 (Trojan.Agent) -> Quarantined and deleted successfully.
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
C:\QooBox\Quarantine\C\WINDOWS\system32\efcApNgF.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\sclgcndv.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\swsyldho.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\xykugdjr.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{336DC28F-D7C5-49C0-B33E-B57842AB9772}\RP2\A0000013.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{336DC28F-D7C5-49C0-B33E-B57842AB9772}\RP2\A0000023.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{336DC28F-D7C5-49C0-B33E-B57842AB9772}\RP2\A0000024.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{336DC28F-D7C5-49C0-B33E-B57842AB9772}\RP2\A0000030.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\My Documents\Clemson\IPod.Access.for.Windows.v2.9.3.Incl.Keymaker-CORE\cr-ia293\CORE10k.EXE (Trojan.Agent) -> Quarantined and deleted successfully.
HJT
Logfile of HijackThis v1.99.1
Scan saved at 1:05:19 AM, on 6/1/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
G:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
G:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\WINDOWS\BCMSMMSG.exe
G:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
G:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\WINDOWS\CTHELPER.EXE
G:\Program Files\McAfee\Common Framework\McTray.exe
G:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
G:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Program Files\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {10CD45C2-7090-4586-88C4-DE615FAE7BC1} - (no file)
O2 - BHO: (no name) - {2F91377D-DE05-428A-853E-A3ECF0FD15EE} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - G:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {6243E883-8D7C-405D-8983-5E6256FC33C0} - C:\WINDOWS\system32\wvUlkljH.dll (file missing)
O2 - BHO: (no name) - {a730fced-9b44-4f3a-9e69-8e98d9a82b53} - (no file)
O2 - BHO: (no name) - {B23BC973-34E2-4BD4-AF5A-6BCF63097BA9} - (no file)
O2 - BHO: (no name) - {CC4FA941-295C-49EB-9AA3-183C87545B07} - (no file)
O2 - BHO: (no name) - {DF4EED68-450F-48C1-8D8E-0EB8238B2C4E} - (no file)
O2 - BHO: (no name) - {e7c8c9f4-f11d-4a25-b3c1-f92e7e385daa} - (no file)
O2 - BHO: (no name) - {F7B46F3C-CCD0-4C1E-ACE7-FED53A54253E} - (no file)
O2 - BHO: (no name) - {fa54ca66-d2ea-4d98-b8ca-c4bd9e7fef7b} - (no file)
O2 - BHO: (no name) - {FFCF8CF2-B392-4421-8C70-BC49EDCE93D8} - (no file)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - G:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [ShStatEXE] "G:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "G:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [ISTray] "G:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] G:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: VPN Client.lnk = ?
O8 - Extra context menu item: Append to existing PDF - res://G:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://G:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://G:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://G:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://G:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://G:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://G:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://G:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://G:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - G:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - G:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - G:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O10 - Unknown file in Winsock LSP: g:\program files\bonjour\mdnsnsp.dll
O11 - Options group: [INTERNATIONAL] International*
O20 - Winlogon Notify: vtUopPJd - C:\WINDOWS\
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - G:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - G:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Unknown owner - G:\Program Files\McAfee\Common Framework\FrameworkService.exe" /ServiceStart (file missing)
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - G:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - G:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - G:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - G:\Program Files\Spyware Doctor\pctsSvc.exe
shelf life
2008-06-01, 17:33
hi,
thanks for the info. we will use hjt now;
start HJT, click the "Scan" button. check the items below, close any open windows, then click "Fixed checked"
O2 - BHO: (no name) - {6243E883-8D7C-405D-8983-5E6256FC33C0} - C:\WINDOWS\system32\wvUlkljH.dll (file missing)
you can check all those that end in (no file) like this one:
O2 - BHO: (no name) - {10CD45C2-7090-4586-88C4-DE615FAE7BC1} - (no file)
two prime ways to get malware are p2p and applying cracks/keygens.
DCPlusPlus.exe
uTorrent.exe
Incl.Keymaker-CORE
repeat the malwarebytes scan once more. hows it looking on your end now?
Thanks for all your help on this... My computer is once again malware free!!
I'm pretty sure i know exactly how i ended up in this situation, and its my own damn fault for not opening a self extracting packager and examining the contents before running it... Thanks again for all your help, it saved me a ton of time by not having to wipe the drive and re-install. Do you take donations or anything of that sort? I'd really like to repay you for all of your help
Thanks again,
Marc
shelf life
2008-06-01, 23:09
hi Marc,
good glad to help. donations are always welcome:
http://www.safer-networking.org/en/donate/index.html
----------------------------------------
you can delete the combofix icon from your desktop
you can make a new restore point. the why and how;
One of the features of Windows ME,XP and Vista is the System Restore option, however if a malware infects a computer with this operating system it can be backed up in the System Restore folder. Therefore, clearing the restore points is a good idea after malware is removed.
To reset your restore points, please note that you will need to log into your computer with an account which has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.
(winXP)
1. Turn off System Restore. (deletes old possibly infected restore point)
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.
2. Reboot.
3. Turn ON System Restore.(new restore points on a clean system)
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK, then reboot
-------------------------------
My Top Ten:
The Short Version:
1) Keep your OS, browser and software updated.
2) Know what you are installing to your computer. Do you trust the source?
3) Install, keep updated: antivirus and one or two anti-malware applications.
4) Dont click on adds/pop ups or offers from websites to install software.
5) Dont click on offers to "scan" your computer.
6) Dont click on links or install files you receive via E-Mail, IM, Chat Rooms or Social Sites no matter how tempting the message. Do you trust the source?
7) Set up and use limited accounts rather than administrator accounts.
8) Consider using an alternate browser and E-mail client.
9) Install and understand the limitations of a third party software firewall.
10) If your habits include visiting or installing files from: warez,cracks/keygens,P2P or adult sites you are much more likely to encounter malicious code. Do you trust the source?
long version in link below.
happy safe surfing out there.