
Another Virtumonde infection



benversluis
2008-07-01, 20:37
I ran Spybot S&D and found out that I'm infected with Virtumonde. I read the "Read first" post, and here's my Hijack This log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:28:01 AM, on 7/1/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Digidesign\Drivers\MMERefresh.exe
C:\Nexon\Mabinogi\npkcmsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\AIM6\aim6.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Octoshape Streaming Services\Ben\OctoshapeClient.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Mozilla Firefox\firefox.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {0167D8B0-D424-4D8A-A401-1AA5225ED265} - C:\WINDOWS\system32\vtuts.dll (file missing)
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {02631804-61b9-4742-8c1b-e96c00d54cc9} - C:\WINDOWS\system32\gzchwc.dll
O2 - BHO: (no name) - {3147D71A-CB8B-44B9-B323-CF3AD0D91555} - C:\WINDOWS\system32\jkkji.dll (file missing)
O2 - BHO: (no name) - {31F48DE0-73FC-4500-83D0-680D017AFE78} - C:\WINDOWS\system32\ddayv.dll (file missing)
O2 - BHO: (no name) - {446624E1-B767-4443-AA6E-0F355CAFD21B} - C:\WINDOWS\system32\ljjifgf.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: (no name) - {87CFBFEB-9B6D-412F-8FF5-020F3176F990} - C:\WINDOWS\system32\awtsq.dll (file missing)
O2 - BHO: (no name) - {8BB37A14-68E6-4189-B802-3AD98EBE0C33} - C:\WINDOWS\system32\qoMgfETj.dll (file missing)
O2 - BHO: (no name) - {90B1BAD1-817B-4473-B6E1-26FBE80132A0} - C:\WINDOWS\system32\ddaby.dll (file missing)
O2 - BHO: (no name) - {AAA1AAD9-F7E6-43D0-B983-D8CAB0D34661} - C:\WINDOWS\system32\qoMgeCTJ.dll (file missing)
O2 - BHO: {14c1d292-ca2c-8789-bc04-93f684c5a73c} - {c37a5c48-6f39-40cb-9878-c2ac292d1c41} - C:\WINDOWS\system32\pbhydi.dll
O2 - BHO: (no name) - {CF506EAF-FC9B-454F-AB52-DAE52720C167} - C:\Documents and Settings\Ben\Local Settings\Temporary Internet Files\Content.IE5\GHIS2UDE\3077ahntdksr[1].dll
O2 - BHO: (no name) - {F6C0C388-7CD9-456E-8181-4929A8B478F0} - C:\WINDOWS\system32\ddcyw.dll (file missing)
O2 - BHO: (no name) - {FE27E908-4C06-4BAE-88A0-655D0CE752CB} - C:\WINDOWS\system32\hgGyyxWo.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [7068c86e] rundll32.exe "C:\WINDOWS\system32\yaxisege.dll",b
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [BM735bfbf2] Rundll32.exe "C:\WINDOWS\system32\mjfrntpq.dll",s
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Octoshape Streaming Services] "C:\Program Files\Octoshape Streaming Services\Ben\OctoshapeClient.exe" -inv:bootrun
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\digital imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O20 - Winlogon Notify: hgGyyxWo - C:\WINDOWS\SYSTEM32\hgGyyxWo.dll
O20 - Winlogon Notify: ljjifgf - ljjifgf.dll (file missing)
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Digidesign MME Refresh Service (DigiRefresh) - Digidesign, A Division of Avid Technology, Inc. - C:\Program Files\Digidesign\Drivers\MMERefresh.exe
O23 - Service: digiSPTIService - Digidesign, A Division of Avid Technology, Inc. - C:\Program Files\Digidesign\Pro Tools\digiSPTIService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: npkcmsvc - INCA Internet Co., Ltd. - C:\Nexon\Mabinogi\npkcmsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 6731 bytes


I've downloaded ComboFix but haven't used it.

Thanks for any help!

muuli
2008-07-01, 20:58
Welcome to Safer Networking. My name is muuli. I would be glad to take a look at your log and help you with solving any malware problems. HijackThis logs can take a while to research. Please be patient, and I'd be grateful if you would note the following:

1. If you don't know, stop and ask! Don't keep going on.
2. Please reply to this thread. Do not start a new topic. Please stay at one forum for help.
3. Please continue reading posts until I give the All Clear. It is important to note this, as a clean-looking HijackThis log is not always a sign your system is clean.

Note: I am still in training at Malware Removal, however I will be working under the direct supervision of one of our Malware Experts. Any recommendations will first be approved before being given to you. Because of this, there may be a short delay in getting our responses to you, however be assured that we will be working diligently on your problem.

benversluis
2008-07-02, 06:09
Ran ComboFix and everything works great now.


Edit

FYI for all members:

"BEFORE you POST"(READ this Procedure BEFORE Requesting Assistance) (http://forums.spybot.info/showthread.php?t=288)
Do NOT run 'fixes' before helpers have analyzed the HJT log (http://forums.spybot.info/showthread.php?t=16806 )

benversluis
2008-07-02, 08:52
Never mind; ComboFix seemed to remove everything, but then my Ad-Watch started freaking out. At this moment, it's blocked ~47k processes.

However, I see no rundll32.exe or any of the suspicious processes I saw earlier today. Could those 47k processes be the Virtumonde trying to restart itself? Judging from the ComboFix log, it got rid of a good deal of garbage.

If you're interested, here's my ComboFix log:


ComboFix 08-06-30.2 - Ben 2008-07-01 20:39:37.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.554 [GMT -7:00]
Running from: C:\Documents and Settings\Ben\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\aoedjp.dll
C:\WINDOWS\system32\bbcpjbcq.dll
C:\WINDOWS\system32\cgecxxsy.dll
C:\WINDOWS\system32\cgxukv.dll
C:\WINDOWS\system32\chwiwrih.ini
C:\WINDOWS\system32\difooteg.ini
C:\WINDOWS\system32\duanoi.dll
C:\WINDOWS\system32\egesixay.ini
C:\WINDOWS\system32\getoofid.dll
C:\WINDOWS\system32\ggvxpxwe.dll
C:\WINDOWS\system32\gzchwc.dll
C:\WINDOWS\system32\hgGyyxWo.dll
C:\WINDOWS\system32\hrhcmffv.ini
C:\WINDOWS\system32\hskrihyq.dll
C:\WINDOWS\system32\ijkkj.ini
C:\WINDOWS\system32\ijkkj.ini2
C:\WINDOWS\system32\ilnrqayb.dll
C:\WINDOWS\system32\jhgqydeo.dll
C:\WINDOWS\system32\jqghytyp.dll
C:\WINDOWS\system32\JTCegMoq.ini
C:\WINDOWS\system32\JTCegMoq.ini2
C:\WINDOWS\system32\jTEfgMoq.ini
C:\WINDOWS\system32\jTEfgMoq.ini2
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\mjfrntpq.dll
C:\WINDOWS\system32\mkfwwmrv.ini
C:\WINDOWS\system32\mlibejud.dll
C:\WINDOWS\system32\mlljj.dll
C:\WINDOWS\system32\nrnytupb.dll
C:\WINDOWS\system32\ogsfwsdx.ini
C:\WINDOWS\system32\pbhydi.dll
C:\WINDOWS\system32\qdjhighr.ini
C:\WINDOWS\system32\qstwa.ini
C:\WINDOWS\system32\qstwa.ini2
C:\WINDOWS\system32\stutv.ini
C:\WINDOWS\system32\stutv.ini2
C:\WINDOWS\system32\ucueteiv.dll
C:\WINDOWS\system32\VCeLVvut.ini
C:\WINDOWS\system32\VCeLVvut.ini2
C:\WINDOWS\system32\vkoddpnx.ini
C:\WINDOWS\system32\vtnysgfq.ini
C:\WINDOWS\system32\vyadd.ini
C:\WINDOWS\system32\vyadd.ini2
C:\WINDOWS\system32\wycdd.ini
C:\WINDOWS\system32\wycdd.ini2
C:\WINDOWS\system32\yaxisege.dll
C:\WINDOWS\system32\ybadd.ini2
G:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2008-06-02 to 2008-07-02 )))))))))))))))))))))))))))))))
.

2008-07-01 10:48 . 2008-07-01 10:48 <DIR> d-------- C:\Program Files\Trend Micro
2008-06-30 22:52 . 2008-06-30 22:52 <DIR> d-------- C:\Documents and Settings\Administrator
2008-06-30 09:52 . 2008-06-30 09:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2008-06-30 09:31 . 2008-06-30 09:31 <DIR> d-------- C:\Program Files\Yahoo!
2008-06-29 21:26 . 2008-06-29 21:26 103,424 --a------ C:\WINDOWS\system32\cifytt.dll
2008-06-29 21:18 . 2008-06-29 21:18 <DIR> d-------- C:\Program Files\Lavasoft
2008-06-29 21:18 . 2008-06-29 21:18 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-06-29 18:18 . 2008-06-29 18:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-06-26 22:10 . 2008-06-26 22:10 <DIR> d-------- C:\Program Files\AviSynth 2.5
2008-06-26 22:01 . 2008-06-26 22:01 <DIR> d-------- C:\Program Files\Xvid
2008-06-26 22:01 . 2007-06-28 18:52 765,952 --a------ C:\WINDOWS\system32\xvidcore.dll
2008-06-26 22:01 . 2007-06-28 18:54 180,224 --a------ C:\WINDOWS\system32\xvidvfw.dll
2008-06-26 22:01 . 2007-06-28 18:55 77,824 --a------ C:\WINDOWS\system32\xvid.ax
2008-06-26 20:16 . 2008-06-26 20:16 <DIR> d-------- C:\Program Files\DVD Decrypter
2008-06-26 09:50 . 2008-06-26 09:50 <DIR> d-------- C:\Program Files\StaxRip
2008-06-25 11:41 . 2008-06-25 11:41 <DIR> d-------- C:\Documents and Settings\Ben\Application Data\Secret of the Solstice
2008-06-25 08:14 . 2008-06-25 08:14 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Outspark
2008-06-24 15:26 . 2008-06-24 15:26 <DIR> d-------- C:\Program Files\Common Files\DirectX
2008-06-24 09:37 . 2008-06-25 08:14 <DIR> d-------- C:\Program Files\Outspark
2008-06-24 09:32 . 2008-06-24 09:32 <DIR> d-------- C:\WINDOWS\system32\XPSViewer
2008-06-24 09:32 . 2008-06-24 09:32 <DIR> d-------- C:\Program Files\Reference Assemblies
2008-06-24 09:32 . 2008-06-24 09:32 <DIR> d-------- C:\Program Files\MSBuild
2008-06-24 09:31 . 2006-06-29 13:07 14,048 --a------ C:\WINDOWS\system32\spmsg2.dll
2008-06-24 09:25 . 2008-06-24 09:25 <DIR> d-------- C:\Program Files\MSXML 6.0
2008-06-22 11:31 . 2003-07-19 08:17 5,174 --a------ C:\WINDOWS\system32\nppt9x.vxd
2008-06-22 11:31 . 2005-01-02 23:43 4,682 --a------ C:\WINDOWS\system32\npptNT2.sys
2008-06-22 11:30 . 2008-06-22 11:30 <DIR> d-------- C:\Program Files\Common Files\INCA Shared
2008-06-22 09:28 . 2008-06-22 09:28 <DIR> d-------- C:\Nexon
2008-06-19 16:25 . 2008-07-01 19:42 110,387 --a------ C:\WINDOWS\BM735bfbf2.xml
2008-06-19 15:21 . 2008-06-19 15:21 <DIR> d-------- C:\Program Files\Common Files\PACE Anti-Piracy
2008-06-19 15:21 . 2008-06-19 15:21 <DIR> d-------- C:\Documents and Settings\Ben\Application Data\PACE Anti-Piracy
2008-06-19 15:21 . 2008-06-19 15:35 <DIR> d-------- C:\Documents and Settings\Ben\Application Data\Digidesign
2008-06-19 15:21 . 2008-06-19 15:21 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PACE Anti-Piracy
2008-06-19 15:21 . 2008-06-19 15:21 <DIR> d-------- C:\Digidesign Databases
2008-06-19 15:16 . 2008-06-19 15:16 <DIR> d-------- C:\Program Files\Common Files\Trillium Lane
2008-06-19 15:09 . 2008-06-19 15:09 <DIR> d-------- C:\WINDOWS\Downloaded Installations
2008-06-19 15:09 . 2008-06-19 15:09 <DIR> d-------- C:\Program Files\InterLok
2008-06-19 15:09 . 2006-12-08 22:50 16,384 --a------ C:\WINDOWS\system32\drivers\DigiFilt.sys
2008-06-19 15:08 . 2008-06-19 15:16 <DIR> d-------- C:\Program Files\Digidesign
2008-06-19 15:07 . 2008-06-19 15:07 <DIR> d-------- C:\Documents and Settings\Ben\Application Data\InstallShield
2008-06-19 02:01 . 2008-06-19 02:01 <DIR> d-------- C:\WINDOWS\Sun
2008-06-19 01:59 . 2008-03-25 02:37 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-06-19 01:58 . 2008-06-19 01:59 <DIR> d-------- C:\Program Files\Java
2008-06-19 01:57 . 2008-06-19 01:57 <DIR> d-------- C:\Program Files\Common Files\Java
2008-06-19 01:30 . 2008-06-19 01:30 <DIR> d-------- C:\Program Files\iZotope
2008-06-19 01:30 . 2008-06-19 15:08 <DIR> d-------- C:\Program Files\Common Files\Digidesign
2008-06-18 10:21 . 2008-06-18 10:21 <DIR> d-------- C:\Program Files\Trymedia
2008-06-18 10:21 . 2008-06-18 10:21 <DIR> d-------- C:\Program Files\Ludia
2008-06-18 10:21 . 2008-06-18 10:21 <DIR> d-------- C:\Documents and Settings\Ben\Application Data\Ludia
2008-06-18 10:21 . 2008-06-18 10:21 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Trymedia
2008-06-18 10:21 . 2008-06-18 10:21 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Ludia
2008-06-18 00:21 . 2008-06-18 00:21 <DIR> d-------- C:\Documents and Settings\Ben\Application Data\Viewpoint
2008-06-14 15:02 . 2008-06-14 15:02 <DIR> d-------- C:\Program Files\foobar2000
2008-06-14 15:02 . 2008-06-28 15:49 <DIR> d-------- C:\Documents and Settings\Ben\Application Data\foobar2000
2008-06-14 12:44 . 2008-06-14 12:44 <DIR> d-------- C:\Program Files\Octoshape Streaming Services
2008-06-12 20:13 . 2008-06-28 20:59 <DIR> d-------- C:\Documents and Settings\Ben\Application Data\FileZilla
2008-06-12 20:12 . 2008-06-20 13:30 <DIR> d-------- C:\Program Files\FileZilla FTP Client
2008-06-12 15:20 . 2008-06-12 15:20 <DIR> d-------- C:\Program Files\uTorrent
2008-06-12 15:20 . 2008-06-29 21:09 <DIR> d-------- C:\Documents and Settings\Ben\Application Data\uTorrent
2008-06-11 18:24 . 2008-07-01 17:09 3,728 --a------ C:\WINDOWS\wininit.ini
2008-06-11 18:00 . 2008-06-11 18:00 <DIR> d-------- C:\Program Files\PowerISO
2008-06-11 15:19 . 2008-06-11 15:26 <DIR> d-------- C:\Documents and Settings\Ben\FutureDecks Data
2008-06-11 15:19 . 2007-11-07 01:19 655,872 --a------ C:\WINDOWS\system32\msvcr90.dll
2008-06-11 15:19 . 2007-11-07 01:19 568,832 --a------ C:\WINDOWS\system32\msvcp90.dll
2008-06-11 15:19 . 2007-11-06 20:23 224,768 --a------ C:\WINDOWS\system32\msvcm90.dll
2008-06-11 15:19 . 2007-03-20 18:25 118,784 --a------ C:\WINDOWS\system32\HDJAPI.dll
2008-06-11 15:19 . 2007-02-19 12:35 86,016 --a------ C:\WINDOWS\system32\HRFDongle.dll
2008-06-11 15:19 . 2007-11-06 20:24 524 --a------ C:\WINDOWS\system32\Microsoft.VC90.CRT.manifest
2008-06-11 08:33 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2008-06-11 08:33 . 2007-07-30 19:19 207,736 --a------ C:\WINDOWS\system32\muweb.dll
2008-06-11 08:33 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-06-11 00:04 . 2008-06-13 06:10 272,128 --a------ C:\WINDOWS\system32\drivers\bthport.sys
2008-06-11 00:04 . 2008-06-13 06:10 272,128 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys
2008-06-10 23:03 . 2008-06-10 23:03 <DIR> d-------- C:\Program Files\Maketorrent 2
2008-06-10 22:42 . 2008-06-10 22:42 <DIR> d-------- C:\Program Files\Audacity
2008-06-10 21:27 . 2008-06-10 21:27 <DIR> d-------- C:\Program Files\Microsoft Works
2008-06-10 21:27 . 2006-10-26 19:56 32,592 --a------ C:\WINDOWS\system32\msonpmon.dll
2008-06-10 21:25 . 2008-06-10 21:25 <DIR> d-------- C:\WINDOWS\SHELLNEW
2008-06-10 21:24 . 2008-06-10 21:24 <DIR> dr-h----- C:\MSOCache
2008-06-10 21:24 . 2008-06-12 03:02 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-06-10 17:30 . 2008-06-10 17:30 <DIR> d-------- C:\Program Files\NewsBinGN
2008-06-10 17:30 . 2008-06-10 17:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\NewsBin
2008-06-10 03:00 . 2008-06-10 03:00 <DIR> d-------- C:\Program Files\MSXML 4.0
2008-06-09 23:39 . 2008-06-18 23:53 <DIR> d-------- C:\Documents and Settings\Ben\Application Data\U3
2008-06-09 23:37 . 2008-06-19 15:35 <DIR> d-------- C:\ProTools
2008-06-09 09:22 . 2008-06-09 09:22 <DIR> d-------- C:\Program Files\CCleaner
2008-06-08 23:34 . 2008-06-15 13:47 <DIR> d-------- C:\Documents and Settings\Ben\Application Data\Azureus
2008-06-08 23:34 . 2008-06-08 23:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Azureus
2008-06-08 23:33 . 2008-06-08 23:33 <DIR> d-------- C:\Program Files\Azureus
2008-06-08 21:33 . 2008-06-29 21:11 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-06-08 21:33 . 2008-06-08 21:33 1,409 --a------ C:\WINDOWS\QTFont.for
2008-06-08 21:32 . 2008-06-08 21:32 <DIR> d-------- C:\Program Files\iTunes
2008-06-08 21:32 . 2008-06-08 21:32 <DIR> d-------- C:\Program Files\iPod
2008-06-08 21:32 . 2008-06-08 21:32 <DIR> d-------- C:\Program Files\Bonjour
2008-06-08 21:32 . 2008-06-08 21:32 <DIR> d-------- C:\Documents and Settings\Ben\Application Data\Apple Computer
2008-06-08 21:31 . 2008-06-19 15:10 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2008-06-08 21:31 . 2008-06-08 21:32 <DIR> d-------- C:\Program Files\QuickTime
2008-06-08 21:31 . 2008-06-08 21:31 <DIR> d-------- C:\Program Files\Common Files\Apple
2008-06-08 21:31 . 2008-06-08 21:31 <DIR> d-------- C:\Program Files\Apple Software Update
2008-06-08 21:31 . 2008-06-08 21:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-06-08 21:31 . 2008-06-08 21:31 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
2008-06-08 21:31 . 2008-02-18 11:16 30,464 --a------ C:\WINDOWS\system32\drivers\usbaapl.sys
2008-06-08 20:10 . 2004-05-11 10:53 626,960 -ra------ C:\WINDOWS\system32\hpvaut32.dll
2008-06-08 20:10 . 2004-05-11 10:53 487,424 -ra------ C:\WINDOWS\system32\hpvcp70.dll
2008-06-08 20:10 . 2004-05-11 10:53 344,064 -ra------ C:\WINDOWS\system32\hpvcr70.dll
2008-06-08 20:10 . 2004-05-11 10:53 82,432 -ra------ C:\WINDOWS\system32\MSXML4r.dll
2008-06-08 20:10 . 2004-05-11 10:53 44,544 -ra------ C:\WINDOWS\system32\MSXML4a.dll
2008-06-08 20:08 . 1998-10-29 16:45 306,688 --a------ C:\WINDOWS\IsUninst.exe
2008-06-08 20:08 . 2004-03-18 16:53 278,584 --a------ C:\WINDOWS\system32\HPZidr12.dll
2008-06-08 20:08 . 2004-03-18 16:56 204,800 --a------ C:\WINDOWS\system32\HPZipr12.dll
2008-06-08 20:08 . 2004-03-18 16:39 94,208 --a------ C:\WINDOWS\system32\HPZipt12.dll
2008-06-08 20:08 . 2004-03-18 16:55 65,536 --a------ C:\WINDOWS\system32\HPZipm12.exe
2008-06-08 20:08 . 2004-03-18 16:38 61,440 --a------ C:\WINDOWS\system32\HPZinw12.exe
2008-06-08 20:08 . 2004-03-18 16:39 57,344 --a------ C:\WINDOWS\system32\HPZisn12.dll
2008-06-08 20:07 . 2008-06-08 20:10 <DIR> d-------- C:\Program Files\HP
2008-06-08 20:07 . 2006-01-06 22:09 659,456 --a------ C:\WINDOWS\system32\hphmon06.exe
2008-06-08 20:07 . 2008-06-08 20:10 93,417 --a------ C:\WINDOWS\HPHins03.dat
2008-06-08 20:07 . 2006-01-06 22:09 51,088 --a------ C:\WINDOWS\system32\drivers\HPZid412.sys
2008-06-08 20:07 . 2006-01-06 22:09 21,744 --a------ C:\WINDOWS\system32\drivers\HPZius12.sys
2008-06-08 20:07 . 2006-01-06 22:09 16,496 --a------ C:\WINDOWS\system32\drivers\HPZipr12.sys
2008-06-08 20:07 . 2006-01-06 22:09 2,655 --------- C:\WINDOWS\hphmdl03.dat
2008-06-08 20:06 . 2006-01-06 22:09 393,216 --a------ C:\WINDOWS\system32\hpzcon11.dll
2008-06-08 20:06 . 2006-01-06 22:09 270,336 --a------ C:\WINDOWS\system32\HPZc3212.dll
2008-06-08 20:06 . 2006-01-06 22:09 196,608 --a------ C:\WINDOWS\system32\hpzcoi11.dll
2008-06-08 20:06 . 2006-01-06 22:09 139,345 --a------ C:\WINDOWS\system32\hpzlnt11.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-02 03:38 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-06-19 22:16 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-06-08 23:59 --------- d-----w C:\Documents and Settings\Ben\Application Data\acccore
2008-06-08 23:59 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL OCP
2008-06-08 23:58 --------- d-----w C:\Program Files\Viewpoint
2008-06-08 23:58 --------- d-----w C:\Program Files\AIM6
2008-06-08 23:58 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-06-08 23:58 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2008-06-08 23:57 --------- d-----w C:\Program Files\Common Files\AOL
2008-06-08 23:40 --------- d-----w C:\Program Files\Safer Networking
2008-06-08 23:36 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-06-08 23:27 --------- d-----w C:\Program Files\M-Audio
2008-06-08 23:25 --------- d-----w C:\Program Files\Intel
2008-06-08 23:24 --------- d-----w C:\Program Files\SigmaTel
2008-06-08 23:22 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-06-08 23:06 --------- d-----w C:\Program Files\microsoft frontpage
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [2008-03-25 13:21 50528]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00 15360]
"Octoshape Streaming Services"="C:\Program Files\Octoshape Streaming Services\Ben\OctoshapeClient.exe" [2008-05-22 06:59 156944]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-12-05 01:41 8523776]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\digital imaging\bin\hpqtra08.exe [2004-05-28 22:31:38 241664]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2007-12-05 01:41 8523776 C:\WINDOWS\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2007-12-05 01:41 81920 C:\WINDOWS\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2007-12-05 01:41 1626112 C:\WINDOWS\system32\nwiz.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\AIM6\\aim6.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Azureus\\Azureus.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\Octoshape Streaming Services\\Ben\\OctoshapeClient.exe"=
"C:\\Program Files\\Outspark\\Project Powder\\Run.exe"=

R0 DigiFilter;DigiFilter;C:\WINDOWS\system32\drivers\DigiFilt.sys [2006-12-08 22:50]
R2 npkcmsvc;npkcmsvc;C:\Nexon\Mabinogi\npkcmsvc.exe [2007-08-02 12:33]
R2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 14:38]

.
Contents of the 'Scheduled Tasks' folder
"2008-07-02 03:10:02 C:\WINDOWS\Tasks\HP Usg Daily.job"
- C:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\pexpress\hphped05.exe
"2008-07-01 06:22:18 C:\WINDOWS\Tasks\Spybot - Search & Destroy - Scheduled Task.job"
- C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
.
- - - - ORPHANS REMOVED - - - -

BHO-{0167D8B0-D424-4D8A-A401-1AA5225ED265} - C:\WINDOWS\system32\vtuts.dll
BHO-{3147D71A-CB8B-44B9-B323-CF3AD0D91555} - C:\WINDOWS\system32\jkkji.dll
BHO-{31F48DE0-73FC-4500-83D0-680D017AFE78} - C:\WINDOWS\system32\ddayv.dll
BHO-{87CFBFEB-9B6D-412F-8FF5-020F3176F990} - C:\WINDOWS\system32\awtsq.dll
BHO-{8BB37A14-68E6-4189-B802-3AD98EBE0C33} - C:\WINDOWS\system32\qoMgfETj.dll
BHO-{90B1BAD1-817B-4473-B6E1-26FBE80132A0} - C:\WINDOWS\system32\ddaby.dll
BHO-{AAA1AAD9-F7E6-43D0-B983-D8CAB0D34661} - C:\WINDOWS\system32\qoMgeCTJ.dll
BHO-{CF506EAF-FC9B-454F-AB52-DAE52720C167} - C:\Documents and Settings\Ben\Local Settings\Temporary Internet Files\Content.IE5\GHIS2UDE\3077ahntdksr[1].dll
BHO-{F6C0C388-7CD9-456E-8181-4929A8B478F0} - C:\WINDOWS\system32\ddcyw.dll
BHO-{FF347B1C-C89E-4C27-83B9-B56F1D9F8A7D} - C:\WINDOWS\system32\tuvVLeCV.dll
HKLM-Run-BM735bfbf2 - C:\WINDOWS\system32\bbcpjbcq.dll
HKLM-Run-7068c86e - C:\WINDOWS\system32\getoofid.dll
Notify-ljjifgf - ljjifgf.dll
MSConfigStartUp-7068c86e - C:\WINDOWS\system32\xnpddokv.dll
MSConfigStartUp-BM735bfbf2 - C:\WINDOWS\system32\vhxhpyvj.dll


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-01 20:43:19
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Digidesign\Drivers\MMERefresh.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-07-01 20:44:46 - machine was rebooted [Ben]
ComboFix-quarantined-files.txt 2008-07-02 03:44:43

Pre-Run: 135,372,632,064 bytes free
Post-Run: 135,340,617,728 bytes free

288 --- E O F --- 2008-06-25 10:01:02


I haven't been using IE, but I have been using Firefox. And when I scan my system with Spybot S&D, it says no threats found (I'm running the most up-to-date version of the program).

Any help?

muuli
2008-07-05, 12:18
Hi,

Don't run Combofix unless somebody asks you to run it, because it's not a toy!

Looking over your log, it seems you don't have any evidence of anti-virus software.

Anti-virus software is a program that detects, cleanses, and erases harmful virus files on a computer, Web server, or network. Unchecked, virus files can unintentionally be forwarded to others, including trading partners, thereby spreading infection. Because new viruses regularly emerge, anti-virus software should be updated frequently. Anti-virus software can scan the computer memory and disk drives for malicious code. It can alert the user if a virus is present, and will clean, delete (or quarantine) infected files or directories. Please download a free anti-virus program from one of these excellent vendors NOW:

1) Antivir PersonalEdition Classic (http://www.free-av.com/) - Free anti-virus software for Windows. Detects and removes more than 50,000 viruses. Free support.
2) avast! 4 Home Edition (http://www.avast.com/eng/avast_4_home.html) - Anti-virus program for Windows. The home edition is freeware for noncommercial users.
3) AVG Anti-Virus Free Edition (http://free.grisoft.com/doc/1) - Free edition of the AVG anti-virus program for Windows.

It is strongly recommended that you run only one antivirus program at a time. Having more than one antivirus program active in memory uses additional resources and can result in program conflicts and false virus alerts. If you choose to install more than one antivirus program on your computer, then only one of them should be active in memory at a time.

P2P Warning!
From your logs I can see that one or multiple P2P programs are installed on your computer. While most P2P programs are not malicious themselves, there's no guarantee that the files downloaded are not. Please refrain from using it/them while cleaning your computer to prevent getting more infections.

A list of clean and infected P2P programs can be found at Malware Removal (http://p2p.malwareremoval.com/) and Spyware Info (http://www.spywareinfo.com/articles/p2p/).

The risks of using a P2P program are stated in this Sourceforge website (http://aresgalaxy.sourceforge.net/p2prisks.htm) and Information Week article (http://www.informationweek.com/security/showArticle.jhtml?articleID=53200209&pgno=2&queryText=).

Please also read Malware Removal's Guide on P2P Programs (http://forum.malwareremoval.com/viewtopic.php?t=23812).

Please click this link-->Jotti (http://virusscan.jotti.org/)

Copy/paste the file into the white Upload a file box and click Submit/Send (depends on which one you are using Jotti or VirusTotal).

C:\WINDOWS\BM735bfbf2.xml

Please post back the results of the scan in your next post.

If Jotti is busy, try the same at Virustotal: http://www.virustotal.com/

Please produce uninstall list:
Open HijackThis.
Click on the Open the Misc Tools section button.
Look under System tools.
Click on the Open Uninstall Manager... button.
Click on the Save list... button.
It will prompt you to save. Save this log in a convenient location. By default it's named uninstall_list.txt.
Notepad will open. Please post this log in your next reply.

If you already have Combofix, please delete this copy and download it again as it's being updated regularly.

Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Click Yes to allow Combofix to continue scanning for malware.

When done, a log will be produced. Please post that log and a new HijackThis log in your next reply.

Do not mouse click on Combofix while it is running. That may cause it to stall.

Please post a fresh HijackThis log, Combofix log, Uninstall list and Virustotal or Jotti's results.

muuli
2008-07-08, 19:56
Hello!

Do you still need help?

It has been three days since my last post.

Do you still need help with this?
Do you need more time?
Are you having problems following my instructions?

Note: If after 48hrs you have not replied to this thread then it will have to be CLOSED!

tashi
2008-07-17, 19:53
This topic has been archived due to inactivity.

As it has been five days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, this topic will not be reopened. If you still require help, please start a new topic and include a fresh HijackThis log and a link to this thread.


Thank you muuli. :)