I have Virtumonde.. Please Help! :(



CarolinaKSU
2008-07-17, 03:49
So I don't mean to do a sort of double-post, but mine has been buried with no one helping and I absolutely need my PC back for my work.. It seems like if I don't have Virtumonde in the thread title, it doesn't get as many views lol. Also, my other thread title was pretty ambiguous anyway..

Anyway, after running S&D I came up with multiple instances of Virtumonde and after cleaning them, they continue to show up. I don't want to copy someone else's instructions from another thread, but I am desperate for help so once again I apologize for the double post.

Here is my HijackThis log..

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:27:41 AM, on 7/16/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\nvraidservice.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Razer\Copperhead\razerhid.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\Rundll32.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Lavalys - Everest Ultimate\everest.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
C:\Program Files\Razer\Copperhead\razertra.exe
C:\Program Files\Razer\Copperhead\razerofa.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
C:\WINDOWS\System32\wbem\unsecapp.exe
C:\Program Files\Trillian\trillian.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {E25EE903-37EB-467B-B1F0-F71063F6B8C8} - (no file)
O2 - BHO: (no name) - {F6195F3A-61F8-42B8-B1DD-619A7508BB36} - C:\WINDOWS\system32\iifGWmMC.dll
O4 - HKLM\..\Run: [NVRaidService] C:\WINDOWS\System32\nvraidservice.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Copperhead] C:\Program Files\Razer\Copperhead\razerhid.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [BMe3ed38df] Rundll32.exe "C:\WINDOWS\system32\ghohcypr.dll",s
O4 - HKCU\..\Run: [EVEREST AutoStart] C:\Program Files\Lavalys - Everest Ultimate\everest.exe
O4 - Startup: Yahoo! Widgets.lnk = C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O20 - Winlogon Notify: jkkkKaWq - jkkkKaWq.dll (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 3926 bytes
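The log above is what a helper reads by eye, and the entries that matter are the ones that do not look like vendor software: a BHO with "(no name)" loading a DLL straight from system32, a Run value named BM plus hex digits that launches rundll32 on a system32 DLL with a one-letter export, and a Winlogon Notify DLL that is already missing. Below is an added example, not part of the thread and not a HijackThis feature, that scans HijackThis-format lines for exactly those structural patterns and lists what it flagged and why. The sample lines are copied from the log above; the heuristics and the Finding structure are this example's own, and the output is a prompt to look each entry up, not a verdict.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: seven lines in the format HijackThis v2 writes, copied
# from the first log in this thread (three clean entries, four suspect ones).
SAMPLE_LOG = r"""
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {E25EE903-37EB-467B-B1F0-F71063F6B8C8} - (no file)
O2 - BHO: (no name) - {F6195F3A-61F8-42B8-B1DD-619A7508BB36} - C:\WINDOWS\system32\iifGWmMC.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [BMe3ed38df] Rundll32.exe "C:\WINDOWS\system32\ghohcypr.dll",s
O20 - Winlogon Notify: jkkkKaWq - jkkkKaWq.dll (file missing)
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
"""

# The last file-name token on a line is the module the entry actually loads
# (for RUNDLL32 entries that is the DLL argument, not rundll32 itself).
MODULE_RE = re.compile(r"[A-Za-z0-9_~!\-]+\.(?:dll|exe|sys|cpl)\b", re.IGNORECASE)
# rundll32 <dll>,<export>: capture the export name so its length can be checked.
RUNDLL_RE = re.compile(r'rundll32\.exe\s+"?[^",]+\.dll"?,([A-Za-z0-9_]+)', re.IGNORECASE)
# Run-value naming pattern seen in this thread's logs (BMe3ed38df).
BM_NAME_RE = re.compile(r"BM[0-9A-Fa-f]{8}")


@dataclass
class Finding:
    section: str                    # HijackThis section code, e.g. "O4", "O20"
    module: str                     # file the entry loads, "" if none is named
    reasons: list[str] = field(default_factory=list)
    line: str = ""


def triage(log_text: str) -> list[Finding]:
    """Return the entries that match one of the suspect patterns, with reasons."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        m = re.match(r"(O\d+|R\d|F\d|N\d) - (.*)", line)
        if not m:
            continue
        section, rest = m.groups()
        modules = MODULE_RE.findall(rest)
        module = modules[-1] if modules else ""
        reasons = []

        # 1. Registration whose target file is gone: an orphan worth removing.
        if "(no file)" in rest or "(file missing)" in rest:
            reasons.append("points at a file that no longer exists (orphaned registration)")

        # 2. Unnamed BHO loaded directly from system32; vendor BHOs carry a name
        #    and normally live under Program Files.
        if section == "O2" and "(no name)" in rest and "\\system32\\" in rest.lower():
            reasons.append("unnamed BHO loaded from system32")

        # 3. Run value that starts rundll32 on a DLL and calls a one-letter export.
        r = RUNDLL_RE.search(rest)
        if section == "O4" and r and len(r.group(1)) == 1:
            reasons.append("rundll32 autostart calling a one-character export")

        # 4. Run value named BM + 8 hex digits, as in this thread's logs.
        name = re.search(r"\[([^\]]+)\]", rest)
        if section == "O4" and name and BM_NAME_RE.fullmatch(name.group(1)):
            reasons.append("Run value named BM + 8 hex digits")

        # Extra context: a Winlogon Notify DLL runs at every logon, before Explorer.
        if reasons and section == "O20":
            reasons.append("registered as a Winlogon Notify DLL, so it loads at every logon")

        if reasons:
            findings.append(Finding(section, module, reasons, line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:4} {f.module or '(no module)':16} {'; '.join(f.reasons)}")
```

Run as a script it prints the four flagged entries; the three vendor entries (Java's ssv.dll, NVIDIA's NvCpl.dll, avast's ashServ.exe) pass every check, which is the point of keying on structure rather than on whether a file name "looks random".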

pskelley
2008-07-19, 19:20
Welcome to Safer Networking. I wish to be sure you have viewed and understand this information.
"BEFORE you POST" (READ this Procedure before Requesting Assistance)
http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.

I suggest you keep this computer offline except when troubleshooting, as the junk may download more. If you have any tool I use, delete it and download it new from the link I provide. Read and follow the directions carefully; the tools will not work unless you do. This can be a tough infection to remove, so do not expect fast or easy.

I will try to help, but you need to read the directions pinned (sticky) to the top of the forum and quit posting and posting and starting new logs. I am placing the link here in case I need it, then trashing the other post.
http://forums.spybot.info/showthread.php?t=31234

You are running System Configuration Utility (MSConfig) in Selective Startup mode. I need to see the next HJT log in Normal mode. You may produce the log and then go back to SS to save your resources without a reboot. Make sure this log is produced AFTER ComboFix has been run.

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.

Remove any old copies of combofix before you proceed.

Thanks to sUBs and anyone else who helped with this fix.

It is important that it is saved directly to your Desktop.

Download ComboFix from Here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) to your Desktop

Double click combofix.exe and follow the prompts.
When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.

Note: Do not mouseclick ComboFix's window while it's running. That may cause it to stall.

Post the combofix log and a new HJT log.
Tutorial

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Thanks

CarolinaKSU
2008-07-20, 01:44
I am sorry for making a double post, I was just extremely desperate at the time and didn't realize just how busy you guys are.. Anyway, here are my ComboFix and HijackThis logs.

ComboFix 08-07-19.1 - John Lichtenhan 2008-07-19 17:32:18.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1586 [GMT -5:00]
Running from: C:\Documents and Settings\John Lichtenhan\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\John Lichtenhan\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\BMe3ed38df.txt
C:\WINDOWS\system32\CMmWGfii.ini
C:\WINDOWS\system32\CMmWGfii.ini2
C:\WINDOWS\system32\vyiagqlu.ini

.
((((((((((((((((((((((((( Files Created from 2008-06-19 to 2008-07-19 )))))))))))))))))))))))))))))))
.

2008-07-16 05:53 . 2008-07-16 06:12 210 --a------ C:\WINDOWS\wininit.ini
2008-07-16 05:36 . 2008-07-16 05:36 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-07-16 05:36 . 2008-07-19 17:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-07-16 05:27 . 2008-07-16 05:27 <DIR> d-------- C:\Program Files\Trend Micro
2008-07-16 05:22 . 2008-07-16 05:24 <DIR> d-------- C:\Program Files\CCleaner
2008-07-16 04:53 . 2008-07-16 04:53 <DIR> d-------- C:\Program Files\Alwil Software
2008-07-16 04:37 . 2008-07-16 04:37 110,419 --a------ C:\WINDOWS\BMe3ed38df.xml
2008-07-16 04:32 . 2008-07-16 04:32 <DIR> d-------- C:\Program Files\NeroInstall.bak
2008-07-16 04:31 . 2008-07-16 04:31 <DIR> d-------- C:\Documents and Settings\John Lichtenhan\Application Data\Nero
2008-07-16 04:30 . 2008-07-16 04:30 <DIR> d-------- C:\Program Files\Nero
2008-07-16 04:30 . 2008-07-16 04:30 <DIR> d-------- C:\Program Files\Common Files\Nero
2008-07-16 04:30 . 2008-07-16 04:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Nero
2008-07-16 04:17 . 2008-07-16 04:17 <DIR> d-------- C:\Program Files\Common Files\Adobe Systems Shared
2008-07-16 04:17 . 2008-07-16 04:17 <DIR> d-------- C:\Program Files\Common Files\Adobe
2008-07-16 04:17 . 2008-07-16 04:17 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Macrovision
2008-07-16 03:15 . 2008-07-16 03:15 <DIR> d-------- C:\Program Files\Yahoo!
2008-07-16 02:22 . 2008-07-16 02:23 <DIR> d-------- C:\Program Files\Winamp
2008-07-16 02:22 . 2008-07-16 02:34 <DIR> d-------- C:\Documents and Settings\John Lichtenhan\Application Data\Winamp
2008-07-16 01:58 . 2008-07-16 01:58 81 --a------ C:\WINDOWS\WB.ini
2008-07-16 01:41 . 2008-07-16 01:41 <DIR> d-------- C:\Program Files\Ares
2008-07-16 01:36 . 2008-07-16 01:36 13,646 --a------ C:\WINDOWS\system32\wpa.bak
2008-07-16 01:27 . 2008-07-16 01:27 <DIR> d-------- C:\Program Files\Stardock
2008-07-16 01:27 . 2007-05-26 12:34 42,672 --a------ C:\WINDOWS\system32\wbsys.dll
2008-07-16 01:12 . 2008-07-19 17:34 1,243,168 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-07-16 01:12 . 2008-07-19 17:33 15,596 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-07-16 01:11 . 2008-07-16 01:11 <DIR> d-------- C:\Program Files\Zone Labs
2008-07-16 01:11 . 2008-07-16 01:11 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\MailFrontier
2008-07-16 01:10 . 2008-07-19 17:27 <DIR> d-------- C:\WINDOWS\Internet Logs
2008-07-16 01:03 . 2008-07-16 01:03 <DIR> d-------- C:\Program Files\utorrent
2008-07-16 01:01 . 2008-07-16 01:08 <DIR> d-------- C:\Documents and Settings\John Lichtenhan\Application Data\uTorrent
2008-07-15 21:01 . 2008-07-15 21:01 <DIR> d-------- C:\Program Files\Misc Utilities
2008-07-15 20:49 . 2008-07-16 04:36 <DIR> d-------- C:\Program Files\Lavalys - Everest Ultimate
2008-07-15 20:43 . 2008-06-10 02:32 73,728 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-07-15 20:42 . 2008-07-15 20:43 <DIR> d-------- C:\Program Files\Java
2008-07-15 20:42 . 2008-07-15 20:42 <DIR> d-------- C:\Program Files\Common Files\Java
2008-07-15 20:35 . 2008-07-15 20:35 <DIR> d-------- C:\Program Files\Razer
2008-07-15 20:35 . 2005-11-10 09:15 69,632 --a------ C:\WINDOWS\system32\copperhd.cpl
2008-07-15 20:35 . 2005-12-21 11:23 14,592 --a------ C:\WINDOWS\system32\drivers\USBICP.sys
2008-07-15 20:35 . 2005-11-02 10:54 11,596 --a------ C:\WINDOWS\system32\drivers\copperhd.sys
2008-07-15 20:33 . 2008-07-15 20:33 <DIR> d-------- C:\Program Files\K-Lite Codec Pack
2008-07-15 20:27 . 2008-07-16 05:26 <DIR> d-------- C:\unzipped
2008-07-15 20:25 . 2008-07-16 05:54 <DIR> d-------- C:\Program Files\Trillian
2008-07-15 20:19 . 2008-07-15 20:19 0 --a------ C:\WINDOWS\nsreg.dat
2008-07-15 19:25 . 2008-07-15 19:34 <DIR> d-------- C:\Program Files\Opera
2008-07-15 18:46 . 2008-07-16 02:23 316,640 --a------ C:\WINDOWS\WMSysPr9.prx
2008-07-15 18:43 . 2008-07-15 18:43 <DIR> d-------- C:\WINDOWS\EHome
2008-07-15 18:43 . 2004-08-04 00:56 2,897,920 --a------ C:\WINDOWS\system32\xpsp2res.dll
2008-07-15 18:43 . 2004-07-17 11:40 19,528 --a------ C:\WINDOWS\002265_.tmp
2008-07-15 18:41 . 2008-07-16 05:35 <DIR> d-------- C:\misc files
2008-07-15 18:30 . 2008-07-15 18:30 <DIR> d-------- C:\Program Files\Linksys
2008-07-15 18:30 . 2008-07-15 18:30 <DIR> d-------- C:\Documents and Settings\John Lichtenhan\Application Data\InstallShield
2008-07-15 18:25 . 2007-07-23 15:18 2,682,880 --a------ C:\WINDOWS\system32\vcredist_x86.exe
2008-07-15 18:25 . 2007-10-18 06:17 822,400 --a------ C:\WINDOWS\system32\bcmwl5.sys
2008-07-15 18:25 . 2007-07-23 15:18 712,704 --a------ C:\WINDOWS\system32\BCMLogon.dll
2008-07-15 18:25 . 2007-07-23 15:18 712,704 --a------ C:\WINDOWS\bcm29.tmp
2008-07-15 18:25 . 2003-10-13 00:30 94,208 --a------ C:\WINDOWS\system32\GTW32N50.dll
2008-07-15 18:25 . 2003-09-25 08:28 31,930 --a------ C:\WINDOWS\system32\GTNDIS3.VXD
2008-07-15 18:25 . 2003-09-25 07:15 15,872 --a------ C:\WINDOWS\system32\GTNDIS5.sys
2008-07-15 18:25 . 2007-07-23 15:18 416 --a------ C:\WINDOWS\system32\vcredist_x86.bat
2008-07-15 18:24 . 2008-07-15 18:24 <DIR> d-------- C:\Linksys Driver
2008-07-15 18:08 . 2004-08-04 00:56 21,504 --a------ C:\WINDOWS\system32\hidserv.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-16 09:17 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-07-09 14:05 75,248 ----a-w C:\WINDOWS\zllsputility.exe
2008-07-09 14:05 1,086,952 ----a-w C:\WINDOWS\system32\zpeng24.dll
2008-06-25 07:52 --------- d-----w C:\Program Files\Realtek
2008-06-25 07:49 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-06-25 07:43 558,142 ----a-w C:\WINDOWS\java\Packages\N9JHBZ9J.ZIP
2008-06-25 07:43 155,995 ----a-w C:\WINDOWS\java\Packages\R1NJ53F3.ZIP
2008-06-25 07:43 --------- d-----w C:\Program Files\microsoft frontpage
2008-06-12 18:36 7,680 ----a-w C:\WINDOWS\system32\ff_vfw.dll
2008-05-30 23:22 683,520 ----a-w C:\WINDOWS\system32\divx.dll
2008-05-22 22:22 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll
2008-05-22 22:19 81,920 ----a-w C:\WINDOWS\system32\dpl100.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"EVEREST AutoStart"="C:\Program Files\Lavalys - Everest Ultimate\everest.exe" [2008-03-17 00:00 2083424]
"IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" [2008-02-28 17:07 1828136]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NVRaidService"="C:\WINDOWS\System32\nvraidservice.exe" [2006-09-21 15:40 137216]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2007-11-07 07:00 8523776]
"NvMediaCenter"="C:\WINDOWS\System32\NvMcTray.dll" [2007-11-07 07:00 81920]
"Copperhead"="C:\Program Files\Razer\Copperhead\razerhid.exe" [2005-11-25 10:53 155648]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-07-09 09:05 919016]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
"NeroFilterCheck"="C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe" [2008-02-28 09:59 570664]
"NBKeyScan"="C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2008-02-18 16:29 2221352]
"SkyTel"="SkyTel.EXE" [2006-05-16 20:04 2879488 C:\WINDOWS\SkyTel.exe]
"RTHDCPL"="RTHDCPL.EXE" [2006-09-12 18:58 16264192 C:\WINDOWS\RTHDCPL.exe]
"nwiz"="nwiz.exe" [2007-11-07 07:00 1626112 C:\WINDOWS\system32\nwiz.exe]

C:\Documents and Settings\John Lichtenhan\Start Menu\Programs\Startup\
Yahoo! Widgets.lnk - C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe [2007-12-11 17:34:48 3746856]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2008-07-16 04:17:42 113664]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WBSrv]
2007-03-13 09:57 221184 C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\WbSrv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=wbsys.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.YV12"= yv12vfw.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\utorrent\\uTorrent-1.-6-Build-474.exe"=

R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-05-15 18:20]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-05-15 18:16]
R2 WMP300NSvc;WMP300NSvc;C:\Program Files\Linksys\WMP300N\WLService.exe WMP300N.exe []
R3 EverestDriver;Lavalys EVEREST Kernel Driver;C:\Program Files\Lavalys - Everest Ultimate\kerneld.wnt [2008-03-17 00:00]
R3 UsbFltr;Razer Copperhead Driver;C:\WINDOWS\system32\drivers\copperhd.sys [2005-11-02 10:54]
R3 WMP300Nv1;Linksys Wireless-N PCI Adapter WMP300N Driver;C:\WINDOWS\system32\DRIVERS\WMP300Nv1.sys [2007-10-18 06:17]
.
- - - - ORPHANS REMOVED - - - -

BHO-{F6195F3A-61F8-42B8-B1DD-619A7508BB36} - C:\WINDOWS\system32\iifGWmMC.dll
HKLM-Run-SysMetrix - C:\Program Files\SysMetrix\SysMetrix.exe
HKLM-Run-BMe3ed38df - C:\WINDOWS\system32\ghohcypr.dll
Notify-jkkkKaWq - jkkkKaWq.dll


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-19 17:34:41
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\EverestDriver]
"ImagePath"="\??\C:\Program Files\Lavalys - Everest Ultimate\kerneld.wnt"
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Razer\Copperhead\razertra.exe
C:\Program Files\Razer\Copperhead\razerofa.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\IoctlSvc.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\WLTRYSVC.EXE
C:\WINDOWS\system32\BCMWLTRY.EXE
C:\Program Files\Linksys\WMP300N\WLService.exe
C:\Program Files\Linksys\WMP300N\WMP300N.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
.
**************************************************************************
.
Completion time: 2008-07-19 17:35:25 - machine was rebooted [John Lichtenhan]
ComboFix-quarantined-files.txt 2008-07-19 22:35:22

Pre-Run: 60,717,752,320 bytes free
Post-Run: 60,630,290,432 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

188


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:40, on 7/19/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\nvraidservice.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Razer\Copperhead\razerhid.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Lavalys - Everest Ultimate\everest.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
C:\Program Files\Razer\Copperhead\razertra.exe
C:\Program Files\Razer\Copperhead\razerofa.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\IoctlSvc.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Linksys\WMP300N\WLService.exe
C:\Program Files\Linksys\WMP300N\WMP300N.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\WINDOWS\System32\wbem\unsecapp.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [NVRaidService] C:\WINDOWS\System32\nvraidservice.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Copperhead] C:\Program Files\Razer\Copperhead\razerhid.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKCU\..\Run: [EVEREST AutoStart] C:\Program Files\Lavalys - Everest Ultimate\everest.exe
O4 - HKCU\..\Run: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
O4 - Startup: Yahoo! Widgets.lnk = C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\WINDOWS\system32\IoctlSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
O23 - Service: WMP300NSvc - GEMTEKS - C:\Program Files\Linksys\WMP300N\WLService.exe

--
End of file - 5991 bytes

pskelley
2008-07-20, 01:58
Everything is looking good, could you tell me how the computer is running? Are you experiencing any malware symptoms?

Let's have MBAM also take a look.
Download Malwarebytes' Anti-Malware to your Desktop
http://www.besttechie.net/tools/mbam-setup.exe

* Double-click mbam-setup.exe and follow the prompts to install the program.
* Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform FULL SCAN, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt
* Please post contents of that file in your next reply.

Thanks

CarolinaKSU
2008-07-20, 02:25
Here is my MBAM log.. I still have Vundo on my PC, it looks like.. :sad:

Malwarebytes' Anti-Malware 1.21
Database version: 966
Windows 5.1.2600 Service Pack 2

6:22:27 PM 7/19/2008
mbam-log-7-19-2008 (18-22-27).txt

Scan type: Full Scan (C:\|)
Objects scanned: 65291
Time elapsed: 6 minute(s), 42 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\BMe3ed38df.xml (Trojan.Vundo) -> Quarantined and deleted successfully.

CarolinaKSU
2008-07-20, 02:40
I can't figure out how to edit, but I was going to add that the PC seems to be running better now. It's still slow starting up, but that may be because I'm still in startup mode in msconfig. When the diagnosis is complete I will go back, but for now it's no biggy. Also, Google is working again as well as Windows Update!

I am very concerned about MBAM finding another Vundo trojan though. Will it be gone this time or will it keep embedding itself and causing trouble every time I delete it?

pskelley
2008-07-20, 02:41
"here is my MBAM log.. I still have vundo on my pc it looks like"
Why do you say that? The one item MBAM found was visible in the ComboFix log:
2008-07-16 04:37 . 2008-07-16 04:37 110,419 --a------ C:\WINDOWS\BMe3ed38df.xml
and I could have used CFScript to remove it but figured I would let MBAM do it and check for anything else which it did not find.

Are you having any symptoms of malware at all? We can run other scanners but since Avast4 is your resident, update and run a system scan. If you are having no symptoms, we will remove combofix and get you on your way.

Thanks...Phil

CarolinaKSU
2008-07-20, 02:52
Oh ok, I didn't look closely enough to see that it was in the ComboFix log lol. I just saw that it had one infection and it was Vundo. Anyway, I will run the full swathe of antivirus and antispyware apps and post the results!

pskelley
2008-07-20, 03:01
No need to post the results, just tell me of any issues you can not deal with.

Thanks...Phil

CarolinaKSU
2008-07-20, 03:05
Well, I just got Avast running and it found these 2 buggers.

Win32:Farfli
Win32:trogan-gen

Are these particularly bad or just some leftovers from when I was inundated by malware?

pskelley
2008-07-20, 03:09
I don't know from the limited information. What are the full names of these items, and where are they located? Give me all of the information Avast gave you. I can't even make a guess from that information.

Thanks

CarolinaKSU
2008-07-20, 04:55
From Avast's chest:

Win32:Trojan-gen
Original File name: A0006421.dll
Original Folder: C:\System Volume Information\_restore{F44E47E1-E0F8-4D9A-A5DC-CADDAA60E973}\RP21
Size of file: 77824
Last modification time: 7/16/2008 9:37:14 AM
Time of transfer to Chest: 7/19/2008 6:56:39 PM
Category: Infected Files
Virus description: Win32:Trojan-gen {other}
File ID: 8

Win32:Farfli
Original File Name: A0005278.exe
Original Folder: C:\System Volume Information\_restore{F44E47E1-E0F8-ED9A-A5DC-CADDAA60E973}\RP21
Size of file: 65557
Last modification time: 12/13/2004 4:52:52 PM
Time of transfer to Chest: 7/19/2008 6:56:20 PM
Category: Infected Files
Virus Description: Win32:Farfli[Rtk]
File ID: 7

Win32:Trojan-gen
Original File Name: ulqgaiyv.dll
Original Folder: C:\WINDOWS\system32
Size of file: 77824
Last Modification time: 7/16/2008 9:37:14 AM
Time of transfer to Chest: 7/19/2008 5:18:04 PM
Category: Infected Files
Virus Description Win32:Trojan-gen{Other}
File ID: 6

Sorry to be so dumb when it comes to this stuff, I have never experienced such a crippling malware before..

pskelley
2008-07-20, 14:51
Hi Carolina. The third item appears to be in:
"Time of transfer to Chest: 7/19/2008 5:18:04 PM"
Open that "Chest", which is probably Avast's version of a quarantine folder, and delete the contents.

The other two are infected System Restore files. Understand, if an infection is on the computer, when SR makes a backup, it does not know bad from good and backs up everything. It could not harm you where it is, except if you use that Restore Point. Here is information about using System Restore:
http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx

and detailed instructions for cleaning those files; do so ASAP.
Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

Reboot

Turn ON System Restore,
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.

Programs like MBAM and combofix don't see those because of their quarantine (Chest) status. Once you complete those instructions, run Avast again and it should be clean, let me know how it goes, and don't fear asking questions, that is how we learn.

Thanks...Phil
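The reasoning in the reply above turns on where each quarantined file came from: two of the three chest entries are copies that System Restore took under the hidden _restore{GUID}\RPnn folder, which only matter if that restore point is ever rolled back to, while the third was a live DLL in system32. Below is an added example, not part of the thread and not Avast functionality, that parses chest records as they were pasted above (the key labels vary in capitalisation and the last record has lost the colon after "Virus Description") and sorts each entry into restore-point copy or live-system file with the matching cleanup step. The three records are copied from the post above; the field mapping, ChestEntry structure and action text are this example's own.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: the three chest records posted in this thread, as pasted,
# inconsistent key capitalisation and the missing colon in the last record included.
CHEST_TEXT = r"""
Win32:Trojan-gen
Original File name: A0006421.dll
Original Folder: C:\System Volume Information\_restore{F44E47E1-E0F8-4D9A-A5DC-CADDAA60E973}\RP21
Size of file: 77824
Last modification time: 7/16/2008 9:37:14 AM
Time of transfer to Chest: 7/19/2008 6:56:39 PM
Category: Infected Files
Virus description: Win32:Trojan-gen {other}
File ID: 8

Win32:Farfli
Original File Name: A0005278.exe
Original Folder: C:\System Volume Information\_restore{F44E47E1-E0F8-ED9A-A5DC-CADDAA60E973}\RP21
Size of file: 65557
Last modification time: 12/13/2004 4:52:52 PM
Time of transfer to Chest: 7/19/2008 6:56:20 PM
Category: Infected Files
Virus Description: Win32:Farfli[Rtk]
File ID: 7

Win32:Trojan-gen
Original File Name: ulqgaiyv.dll
Original Folder: C:\WINDOWS\system32
Size of file: 77824
Last Modification time: 7/16/2008 9:37:14 AM
Time of transfer to Chest: 7/19/2008 5:18:04 PM
Category: Infected Files
Virus Description Win32:Trojan-gen{Other}
File ID: 6
"""

# Chest labels (matched case-insensitively by prefix) -> record attribute.
FIELDS = {
    "original file name": "name",
    "original folder": "folder",
    "virus description": "detection",
    "time of transfer to chest": "quarantined",
    "file id": "file_id",
}

# A System Restore copy lives under the hidden _restore{GUID}\RPnn folders.
RESTORE_RE = re.compile(
    r"\\System Volume Information\\_restore\{[0-9A-Fa-f-]+\}\\RP(\d+)", re.IGNORECASE)


@dataclass
class ChestEntry:
    name: str
    folder: str
    detection: str
    quarantined: str
    file_id: str
    restore_point: Optional[int]    # RP number when the file was a System Restore copy

    @property
    def kind(self) -> str:
        return "restore_point" if self.restore_point is not None else "live_system"

    @property
    def action(self) -> str:
        # Mirrors the advice in the thread: a restore-point copy is only a risk if
        # that point is ever used, so purge it by cycling System Restore; a copy
        # taken from a live system folder is deleted from the chest and the
        # original location checked afterwards.
        if self.kind == "restore_point":
            return (f"purge restore points (RP{self.restore_point}): turn System Restore "
                    f"off, reboot, turn it back on")
        return "delete from the chest and confirm the file is gone from its original folder"


def parse_record(block: str) -> dict:
    """Turn one 'label: value' block into a dict, tolerating label variants and a
    label that lost its colon ('Virus Description Win32:...' keeps 'Win32:')."""
    rec = {}
    for line in block.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue
        key = key.strip()
        for label, attr in FIELDS.items():
            if key.lower().startswith(label):
                leftover = key[len(label):].strip()    # text glued to the label
                rec[attr] = (leftover + ":" + value.strip()) if leftover else value.strip()
                break
    return rec


def parse_chest(text: str) -> list[ChestEntry]:
    """Split the pasted chest listing on blank lines and classify each record."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        rec = parse_record(block)
        if "name" not in rec:
            continue
        m = RESTORE_RE.search(rec.get("folder", ""))
        entries.append(ChestEntry(
            name=rec["name"],
            folder=rec.get("folder", ""),
            detection=rec.get("detection", ""),
            quarantined=rec.get("quarantined", ""),
            file_id=rec.get("file_id", ""),
            restore_point=int(m.group(1)) if m else None,
        ))
    return entries


if __name__ == "__main__":
    for e in parse_chest(CHEST_TEXT):
        print(f"{e.name:14} {e.kind:14} {e.detection:26} -> {e.action}")
```

Matching labels by prefix rather than exact string is what lets the third record survive its missing colon: the partition splits at the colon inside "Win32:Trojan-gen", the leftover "Win32" is glued back on, and the detection name comes out intact.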

pskelley
2008-07-28, 15:16
Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team
a PM with the address of the thread. This applies only to the original topic starter.

If it has been five days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

If it has been less than five days since your last response and you need the thread re-opened, please send me or your helper a private message (pm). A valid, working link to the closed topic is required.

Everyone else please begin a New Topic.