Virtumonde emergency! please help asap [Archive]

View Full Version : Virtumonde emergency! please help asap

dragonas98

2008-07-24, 08:36

So, I start noticing random ie popups the other day.I ran spybot and low and behold out of nowhere it finds the virtumonde virus,i tell the program to fix it
but it comes back every restart I`ve also noticed in the task manager that some process called run32dll is eating up system resources.Please help!

ken545

2008-07-24, 10:43

Hello dragonas98

Welcome to Safer Networking.

Please read Before You Post (http://forums.spybot.info/showthread.php?t=288)
That said, All advice given by anyone volunteering here, is taken at own risk.
While best efforts are made to assist in removing infections safely, unexpected stuff can happen.

Download Trendmicros Hijackthis (http://www.trendsecure.com/portal/en-US/_download/HJTInstall.exe) to your desktop.
Double click it to install
Follow the prompts and by default it will install in C:\Program Files\Trendmicro\Hijackthis\Highjackthis.exe

Open HJT Scan and Save a Log File, it will open in Notepad
Go to Format and make sure Wordwrap is Unchecked
Go to Edit> Select All.....Edit > Copy and Paste the new log into this thread by using the Submit Reply and not start a New Thread.

DO NOT have HijackThis fix anything yet. Most of what it finds will be harmless or even required.

dragonas98

2008-07-24, 17:41

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:30:29 AM, on 7/24/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\PackethSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\atiptaxx.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Compaq\EAB\EabServr.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=searchfavweb&c=1c02&lc=0409
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://rd.yahoo.com/customize/yessentials_cq/defaults/sp/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=1c02&lc=0409
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/customize/yessentials_cq/defaults/sb/*http://www.yahoo.com/search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Compaq
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {156C6C3D-E120-4EE8-BE0E-19CA3C679E09} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5B8AE5C4-D526-4CF5-A008-8446B84AC1BA} - (no file)
O2 - BHO: (no name) - {6C9E3A02-C9D0-4FF5-A4A6-62372BE7B630} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7768234D-E494-424D-96E6-4819A1E16325} - C:\WINDOWS\system32\mlJYsqqn.dll
O2 - BHO: (no name) - {B20898A8-0608-4E6D-A65F-008EF347CBBA} - (no file)
O2 - BHO: (no name) - {D0F869C9-C487-4766-93FC-2218BCF4BF4C} - C:\WINDOWS\system32\efcCvWMg.dll
O2 - BHO: (no name) - {F837616F-A2CE-4E39-8A84-F4A70182B9EB} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\Compaq\EAB\EabServr.exe /Start
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [Cpqset] c:\compaq\cpqsetup\cpqset.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKLM\..\Run: [BMf3ac7981] Rundll32.exe "C:\WINDOWS\system32\watwjpeu.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-21-1599196801-1449655655-3289834387-1006\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'mat')
O4 - HKUS\S-1-5-21-1599196801-1449655655-3289834387-1006\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (User 'mat')
O4 - HKUS\S-1-5-21-1599196801-1449655655-3289834387-1006\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet (User 'mat')
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Advisor - {76026873-0935-499C-B66A-9FF5EEF45BEA} - C:\Program Files\COMPAQ\Compaq Advisor\bin\rbaLauncher.exe (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=1c02&lc=0409
O16 - DPF: {3DCEC959-378A-4922-AD7E-FD5C925D927F} (Disney Online Games ActiveX Control) - http://disney.go.com/pirates/online/testActiveX/built/signed/DisneyOnlineGames.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1208463644181
O16 - DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} (AxisMediaControlEmb Class) - http://213.196.182.244/activex/AMC.cab
O20 - Winlogon Notify: mlJYsqqn - C:\WINDOWS\SYSTEM32\mlJYsqqn.dll
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Virtual NIC Service (PackethSvc) - America Online, Inc. - C:\WINDOWS\System32\PackethSvc.exe

--
End of file - 7922 bytes

also please be aware that im using admin as logon,when i logon as my other
account named mat I cant use ie because nothing will load

ken545

2008-07-24, 18:57

Hello,

Yep, Vundo got ya :sad:

Open HijackThis > Do a System Scan Only, close your browser and all open windows including this one, the only program or window you should have open is HijackThis, check the following entries and click on Fix Checked.

O2 - BHO: (no name) - {156C6C3D-E120-4EE8-BE0E-19CA3C679E09} - (no file)
O2 - BHO: (no name) - {5B8AE5C4-D526-4CF5-A008-8446B84AC1BA} - (no file)
O2 - BHO: (no name) - {6C9E3A02-C9D0-4FF5-A4A6-62372BE7B630} - (no file)
O2 - BHO: (no name) - {7768234D-E494-424D-96E6-4819A1E16325} - C:\WINDOWS\system32\mlJYsqqn.dll
O2 - BHO: (no name) - {B20898A8-0608-4E6D-A65F-008EF347CBBA} - (no file)
O2 - BHO: (no name) - {D0F869C9-C487-4766-93FC-2218BCF4BF4C} - C:\WINDOWS\system32\efcCvWMg.dll
O2 - BHO: (no name) - {F837616F-A2CE-4E39-8A84-F4A70182B9EB} - (no file)

O4 - HKLM\..\Run: Rundll32.exe "C:\WINDOWS\system32\watwjpeu.dll",s

O20 - Winlogon Notify: mlJYsqqn - C:\WINDOWS\SYSTEM32\mlJYsqqn.dll

Please download Malwarebytes' Anti-Malware from [b]Here (http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html) or Here (http://www.besttechie.net/tools/mbam-setup.exe)

Double Click mbam-setup.exe to install the application.

Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select "Perform Quick Scan", then click Scan.
The scan may take some time to finish,so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected. <-- Don't forget to do this
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy and Paste the entire report in your next reply along with a New Hijackthis log.

dragonas98

2008-07-24, 22:09

i followed your directions but they showed back up in the hjt log!Malwarebytes' Anti-Malware 1.23
Database version: 987
Windows 5.1.2600 Service Pack 2

1:54:28 PM 7/24/2008
mbam-log-7-24-2008 (13-54-28).txt

Scan type: Quick Scan
Objects scanned: 47206
Time elapsed: 28 minute(s), 37 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 4
Registry Keys Infected: 11
Registry Values Infected: 3
Registry Data Items Infected: 3
Folders Infected: 0
Files Infected: 58

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\efcCvWMg.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\ljhpveti.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\wvUmnKab.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\mlJYsqqn.dll (Trojan.Vundo) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{d9210882-669e-4162-b854-45e6d5da3230} (Trojan.Vundo) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{d9210882-669e-4162-b854-45e6d5da3230} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7768234d-e494-424d-96e6-4819a1e16325} (Trojan.BHO) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{7768234d-e494-424d-96e6-4819a1e16325} (Trojan.BHO) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\mljysqqn (Trojan.Vundo) -> Delete on reboot.
HKEY_CLASSES_ROOT\WR (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\f09f4a1d (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{7768234d-e494-424d-96e6-4819a1e16325} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bmf3ac7981 (Trojan.Agent) -> Delete on reboot.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo) -> Data: c:\windows\system32\efccvwmg -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\efccvwmg -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\StartMenuLogOff (Hijack.StartMenu) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\efcCvWMg.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\gMWvCcfe.ini (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\gMWvCcfe.ini2 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\akujsomv.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\vmosjuka.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\awturPGY.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\YGPrutwa.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\YGPrutwa.ini2 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\gbxmnfdn.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ndfnmxbg.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ihbjjoeg.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\geojjbhi.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ljhpveti.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\itevphjl.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\oiaaautr.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\rtuaaaio.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\rqRJYoNe.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\eNoYJRqr.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\eNoYJRqr.ini2 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\rwwbkvcd.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\dcvkbwwr.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\typtcqdy.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ydqctpyt.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\uiyatcwr.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\rwctayiu.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wvUmnKab.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\baKnmUvw.ini (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\baKnmUvw.ini2 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\mlJYsqqn.dll (Trojan.BHO) -> Delete on reboot.
C:\WINDOWS\444.470 (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\WINDOWS\mrofinu1188.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\mrofinu1188.exe.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\josxwnyb.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\nfhrdbmf.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\admin\Local Settings\Temporary Internet Files\Content.IE5\2BYFSBMH\kb456456[1] (Trojan.Vundo) -> Delete on reboot.
C:\Documents and Settings\admin\Local Settings\Temporary Internet Files\Content.IE5\2ZS5SH01\css4[1] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\mat\lsass.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\Documents and Settings\mat\Local Settings\Temporary Internet Files\Content.IE5\4CYTJJ3G\kb671231[4] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\mat\Local Settings\Temporary Internet Files\Content.IE5\LINDN0MF\kb456456[1] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\mat\Local Settings\Temporary Internet Files\Content.IE5\LINDN0MF\kb456456[2] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\mat\Local Settings\Temporary Internet Files\Content.IE5\LINDN0MF\kb456456[3] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\mat\Local Settings\Temporary Internet Files\Content.IE5\LINDN0MF\kb456456[4] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\mat\Local Settings\Temporary Internet Files\Content.IE5\U34YG5E0\kb456456[1] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\mat\Local Settings\Temporary Internet Files\Content.IE5\U34YG5E0\kb456456[3] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\cookies.ini (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\kyiuyffs.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\pac.txt (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\rundll32.vbe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\cbXPjJby.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\urqPhiGv.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\efcDVlji.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\hgGabCVp.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\hgGaxuVL.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\iifdbXPj.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\BMf3ac7981.xml (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\BMf3ac7981.txt (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\khfFXrSl.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\mat\services.exe (Trojan.Agent) -> Quarantined and deleted successfully.

hjt log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:02:51 PM, on 7/24/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\atiptaxx.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Compaq\EAB\EabServr.exe
C:\Program Files\Microsoft Works\WksSb.exe
C:\Program Files\Microsoft Works\WkDetect.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\WINDOWS\System32\PackethSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=searchfavweb&c=1c02&lc=0409
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://rd.yahoo.com/customize/yessentials_cq/defaults/sp/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=1c02&lc=0409
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/customize/yessentials_cq/defaults/sb/*http://www.yahoo.com/search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Compaq
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {156C6C3D-E120-4EE8-BE0E-19CA3C679E09} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5B8AE5C4-D526-4CF5-A008-8446B84AC1BA} - (no file)
O2 - BHO: (no name) - {6C9E3A02-C9D0-4FF5-A4A6-62372BE7B630} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7768234D-E494-424D-96E6-4819A1E16325} - (no file)
O2 - BHO: (no name) - {B20898A8-0608-4E6D-A65F-008EF347CBBA} - (no file)
O2 - BHO: (no name) - {D0F869C9-C487-4766-93FC-2218BCF4BF4C} - (no file)
O2 - BHO: (no name) - {D9210882-669E-4162-B854-45E6D5DA3230} - (no file)
O2 - BHO: (no name) - {F837616F-A2CE-4E39-8A84-F4A70182B9EB} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\Compaq\EAB\EabServr.exe /Start
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [Cpqset] c:\compaq\cpqsetup\cpqset.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKLM\..\Run: [BMf3ac7981] Rundll32.exe "C:\WINDOWS\system32\vkkqgegw.dll",s
O4 - HKLM\..\Run: [f09f4a1d] rundll32.exe "C:\WINDOWS\system32\ljhpveti.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Advisor - {76026873-0935-499C-B66A-9FF5EEF45BEA} - C:\Program Files\COMPAQ\Compaq Advisor\bin\rbaLauncher.exe (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=1c02&lc=0409
O16 - DPF: {3DCEC959-378A-4922-AD7E-FD5C925D927F} (Disney Online Games ActiveX Control) - http://disney.go.com/pirates/online/testActiveX/built/signed/DisneyOnlineGames.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1208463644181
O16 - DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} (AxisMediaControlEmb Class) - http://213.196.182.244/activex/AMC.cab
O20 - Winlogon Notify: mlJYsqqn - C:\WINDOWS\
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Virtual NIC Service (PackethSvc) - America Online, Inc. - C:\WINDOWS\System32\PackethSvc.exe

--
End of file - 7552 bytes

ken545

2008-07-25, 00:12

Hi,

The TeaTimer in Spybot Search and Destroy prevented the removal of those entries. Keep it disabled until we're done

Do this first...Important

Disable the TeaTimer, you can re enable it when were done if you wish

Run Spybot-S&D in Advanced Mode.
If it is not already set to do this Go to the Mode menu select "Advanced Mode"
On the left hand side, Click on Tools
Then click on the Resident Icon in the List
Uncheck "Resident TeaTimer" and OK any prompts.
Restart your computer.<--You need to do this for it to take effect

Remove these with HJT.

O2 - BHO: (no name) - {156C6C3D-E120-4EE8-BE0E-19CA3C679E09} - (no file)
O2 - BHO: (no name) - {5B8AE5C4-D526-4CF5-A008-8446B84AC1BA} - (no file)
O2 - BHO: (no name) - {6C9E3A02-C9D0-4FF5-A4A6-62372BE7B630} - (no file)
02 - BHO: (no name) - {7768234D-E494-424D-96E6-4819A1E16325} - (no file)
O2 - BHO: (no name) - {B20898A8-0608-4E6D-A65F-008EF347CBBA} - (no file)
O2 - BHO: (no name) - {D0F869C9-C487-4766-93FC-2218BCF4BF4C} - (no file)
O2 - BHO: (no name) - {D9210882-669E-4162-B854-45E6D5DA3230} - (no file)
O2 - BHO: (no name) - {F837616F-A2CE-4E39-8A84-F4A70182B9EB} - (no file)

O4 - HKLM\..\Run: Rundll32.exe "C:\WINDOWS\system32\vkkqgegw.dll",s
O4 - HKLM\..\Run: [f09f4a1d] rundll32.exe "C:\WINDOWS\system32\ljhpveti.dll",b

O20 - Winlogon Notify: mlJYsqqn - C:\WINDOWS\

Download ComboFix from Here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) or Here (http://subs.geekstogo.com/ComboFix.exe) to your Desktop.

In the event you already have Combofix, this is a new version that I need you to download.
It must be saved directly to your desktop.

1. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Temporarily [b]disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan.
Click on this link (http://www.bleepingcomputer.com/forums/topic114351.html) to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
Remember to re enable the protection again afterwards before connecting to the net

2. Close any open browsers and make sure you are disconnected from the net. Unplug the cable if need be before running combofix.

IF you have not already done so Combofix will disconnect your machine from the Internet when it starts.
If there is no internet connection when Combofix has completely finished then restart your computer to restore back the connections.

3. Now double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.
Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review

Note: Do not mouseclick combofix's window while it's running. That may cause it to stall or freeze.

dragonas98

2008-07-25, 07:49

OOOOkay,I did as instructed here are the new logs.
ComboFix 08-07-24.1 - admin 2008-07-24 23:33:21.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.257 [GMT -6:00]
Running from: C:\Documents and Settings\admin\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\temp\tn3
C:\WINDOWS\BMf3ac7981.txt
C:\WINDOWS\Downloaded Program Files\setup.inf
C:\WINDOWS\mainms.vpi
C:\WINDOWS\megavid.cdt
C:\WINDOWS\muotr.so
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\betjjluq.dll
C:\WINDOWS\system32\bfgjqx.dll
C:\WINDOWS\system32\bhjeyn.dll
C:\WINDOWS\system32\btjkkw.dll
C:\WINDOWS\system32\cqscfruf.dll
C:\WINDOWS\system32\dhnaqred.dll
C:\WINDOWS\system32\djogaxcf.dll
C:\WINDOWS\system32\dmwfvtje.dll
C:\WINDOWS\system32\eneicuwl.ini
C:\WINDOWS\system32\eoejobrl.dll
C:\WINDOWS\system32\fbjktuww.dll
C:\WINDOWS\system32\feohujad.dll
C:\WINDOWS\system32\fuohgk.dll
C:\WINDOWS\system32\fzctkf.dll
C:\WINDOWS\system32\gfrtevnk.ini
C:\WINDOWS\system32\gofelfpn.dll
C:\WINDOWS\system32\hljwugsf.bin
C:\WINDOWS\system32\hmgjchcf.ini
C:\WINDOWS\system32\jnnnqrar.ini
C:\WINDOWS\system32\jvtitj.dll
C:\WINDOWS\system32\kbmfidue.dll
C:\WINDOWS\system32\kxkkphqy.dll
C:\WINDOWS\system32\lkgiysjs.dll
C:\WINDOWS\system32\lorljbho.dll
C:\WINDOWS\system32\luhsuvwe.dll
C:\WINDOWS\system32\luzacz.dll
C:\WINDOWS\system32\mbbmetfl.dll
C:\WINDOWS\system32\mbxncr.dll
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\mhlriftl.dll
C:\WINDOWS\system32\mpuwsm.dll
C:\WINDOWS\system32\MSINET.oca
C:\WINDOWS\system32\nhjxckus.ini
C:\WINDOWS\system32\nujmbwwj.dll
C:\WINDOWS\system32\oknqva.dll
C:\WINDOWS\system32\oskmtvhj.dll
C:\WINDOWS\system32\ouaggdhr.dll
C:\WINDOWS\system32\powixtvj.dll
C:\WINDOWS\system32\qltcajtl.dll
C:\WINDOWS\system32\qwtwjz.dll
C:\WINDOWS\system32\rthkvd.dll
C:\WINDOWS\system32\rxjsigvy.ini
C:\WINDOWS\system32\secntlvg.dll
C:\WINDOWS\system32\svimrh.dll
C:\WINDOWS\system32\tqwnctsn.dll
C:\WINDOWS\system32\tsjkclvi.dll
C:\WINDOWS\system32\uxnfpgwx.dll
C:\WINDOWS\system32\veoqoffr.dll
C:\WINDOWS\system32\vkkqgegw.dll
C:\WINDOWS\system32\vpwrbx.dll
C:\WINDOWS\system32\wfolrpjw.dll
C:\WINDOWS\system32\whktmumc.dll
C:\WINDOWS\system32\wjfvcwqw.ini
C:\WINDOWS\system32\wvbpwo.dll
C:\WINDOWS\system32\xnmubw.dll
C:\WINDOWS\system32\xudusctm.ini

.
((((((((((((((((((((((((( Files Created from 2008-06-25 to 2008-07-25 )))))))))))))))))))))))))))))))
.

2008-07-24 23:24 . 2008-07-24 23:24 0 --a------ C:\WINDOWS\BMf3ac7981.xml
2008-07-24 13:57 . 2008-07-24 13:57 <DIR> d-------- C:\Documents and Settings\admin\Application Data\Template
2008-07-24 13:14 . 2008-07-24 13:14 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-07-24 13:14 . 2008-07-24 13:14 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-24 13:14 . 2008-07-24 13:14 <DIR> d-------- C:\Documents and Settings\admin\Application Data\Malwarebytes
2008-07-24 13:14 . 2008-07-23 20:21 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-07-24 13:14 . 2008-07-23 20:21 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-07-24 09:28 . 2008-07-24 09:28 <DIR> d-------- C:\Program Files\Trend Micro
2008-07-15 23:56 . 2008-07-15 23:56 <DIR> d-------- C:\Program Files\Safer Networking
2008-07-15 22:59 . 2002-06-05 19:38 <DIR> d-------- C:\Documents and Settings\admin\Application Data\InterTrust
2008-07-15 22:59 . 2008-07-24 12:06 <DIR> d-------- C:\Documents and Settings\admin
2008-07-14 16:36 . 2008-07-14 16:36 77 --a------ C:\Documents and Settings\mat\1063.bat
2008-07-14 01:09 . 2002-06-05 19:38 <DIR> d-------- C:\Documents and Settings\Administrator.MAT1\Application Data\InterTrust
2008-07-14 01:09 . 2008-07-14 01:09 <DIR> d-------- C:\Documents and Settings\Administrator.MAT1
2008-07-12 18:54 . 2008-07-24 12:52 269 --a------ C:\WINDOWS\wininit.ini
2008-07-12 17:31 . 2008-07-12 17:43 <DIR> d---s---- C:\Documents and Settings\Administrator
2008-07-11 15:09 . 2008-07-11 15:09 <DIR> d-------- C:\WINDOWS\system32\olixds18
2008-07-11 15:09 . 2008-07-12 17:13 <DIR> d-------- C:\Temp\stmpv4
2008-07-04 23:15 . 2008-07-04 23:15 32,768 --a------ C:\WINDOWS\system32\olixds18\olixds182328.exe
2008-07-01 12:53 . 2008-07-01 12:53 268 --ah----- C:\sqmdata04.sqm
2008-07-01 12:53 . 2008-07-01 12:53 244 --ah----- C:\sqmnoopt04.sqm

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-18 18:17 --------- d-----w C:\Program Files\Java
2008-07-16 05:22 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-07-16 05:20 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\system32\dllcache\mswsock.dll
2008-06-20 17:41 148,992 ----a-w C:\WINDOWS\system32\dllcache\dnsapi.dll
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\dllcache\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\dllcache\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\dllcache\tcpip6.sys
2008-06-18 05:54 --------- d-----w C:\Program Files\Disney
2008-06-13 13:10 272,128 ----a-w C:\WINDOWS\system32\drivers\bthport.sys
2008-06-13 13:10 272,128 ----a-w C:\WINDOWS\system32\dllcache\bthport.sys
2008-06-11 19:04 --------- d-----w C:\Documents and Settings\All Users\Application Data\FLEXnet
2008-06-11 18:35 --------- d-----w C:\Program Files\Common Files\Adobe
2008-06-11 18:35 --------- d-----w C:\Program Files\Bonjour
2008-06-11 18:22 --------- d-----w C:\Program Files\Common Files\Macrovision Shared
2008-06-09 13:30 --------- d-----w C:\Program Files\MSN Messenger
2008-05-30 06:10 --------- d-----w C:\Program Files\FxClub
2008-05-29 09:08 --------- d-----w C:\Program Files\MSXML 6.0
2008-05-12 18:33 278,448 ----a-w C:\WINDOWS\ilib31ht.dll
2008-05-12 09:34 51,712 ----a-w C:\WINDOWS\wc98pp.dll
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\dllcache\rmcast.sys
2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\system32\dllcache\quartz.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2002-05-16 16:56 126976]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2002-05-16 16:54 540672]
"eabconfg.cpl"="C:\Program Files\Compaq\EAB\EabServr.exe" [2002-04-09 10:49 69632]
"Microsoft Works Portfolio"="C:\Program Files\Microsoft Works\WksSb.exe" [2000-07-13 11:00 311350]
"Microsoft Works Update Detection"="C:\Program Files\Microsoft Works\WkDetect.exe" [2000-07-13 11:00 28739]
"Cpqset"="c:\compaq\cpqsetup\cpqset.exe" [2002-05-09 13:13 172101]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
"SpybotSnD"="C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" [2008-07-07 09:42 4891472]
"ATIModeChange"="Ati2mdxx.exe" [2002-04-07 22:23 28672 C:\WINDOWS\system32\Ati2mdxx.exe]
"AtiPTA"="atiptaxx.exe" [2002-04-07 22:23 286720 C:\WINDOWS\system32\atiptaxx.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2008-04-17 17:27 9117696]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Works Calendar Reminders.lnk - C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe [2000-07-13 11:00:00 24633]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\srmclean]
--a------ 2001-07-24 13:34 36864 C:\cpqs\scom\srmclean.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"TkBellExe"=C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=

R2 PackethSvc;Virtual NIC Service;C:\WINDOWS\System32\PackethSvc.exe [2001-08-09 15:46]
S3 ALiIRDA;ALi Infrared Device Driver;C:\WINDOWS\system32\DRIVERS\alifir.sys [2001-08-17 12:49]

*Newly Created Service* - CATCHME
*Newly Created Service* - PROCEXP90
.
Contents of the 'Scheduled Tasks' folder
"2008-04-23 05:50:00 C:\WINDOWS\Tasks\Registration reminder 1.job"
- C:\WINDOWS\System32\OOBE\oobebaln.exe
"2008-04-28 05:50:01 C:\WINDOWS\Tasks\Registration reminder 2.job"
- C:\WINDOWS\System32\OOBE\oobebaln.exe
"2008-05-03 05:50:00 C:\WINDOWS\Tasks\Registration reminder 3.job"
- C:\WINDOWS\System32\OOBE\oobebaln.exe
"2008-07-14 07:15:51 C:\WINDOWS\Tasks\Spybot - Search & Destroy - Scheduled Task.job"
- C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-BMf3ac7981 - C:\WINDOWS\system32\vkkqgegw.dll
MSConfigStartUp-f09f4a1d - C:\WINDOWS\system32\uiyatcwr.dll
MSConfigStartUp-LSA Shellu - C:\Documents and Settings\mat\lsass.exe

.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=1c02&lc=0409
R0 -: HKCU-Main,SearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
R0 -: HKLM-Main,Search Bar = hxxp://rd.yahoo.com/customize/yessentials_cq/defaults/sb/*http://www.yahoo.com/search/ie.html
O18 -: Handler: ic32pp - {BBCA9F81-8F4F-11D2-90FF-0080C83D3571} - C:\WINDOWS\wc98pp.dll

O16 -: Microsoft XML Parser for Java - file://C:\WINDOWS\Java\classes\xmldso.cab
C:\WINDOWS\Downloaded Program Files\Microsoft XML Parser for Java.osd

O16 -: {DE625294-70E6-45ED-B895-CFFA13AEB044} - hxxp://213.196.182.244/activex/AMC.cab
C:\WINDOWS\Downloaded Program Files\setup.inf

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-24 23:36:57
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-07-24 23:39:35
ComboFix-quarantined-files.txt 2008-07-25 05:39:13

Pre-Run: 27,203,678,208 bytes free
Post-Run: 28,355,145,728 bytes free

208 --- E O F --- 2008-07-10 02:40:40

HJT log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:41:41 PM, on 7/24/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\atiptaxx.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Compaq\EAB\EabServr.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\WINDOWS\System32\PackethSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=1c02&lc=0409
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/customize/yessentials_cq/defaults/sb/*http://www.yahoo.com/search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\Compaq\EAB\EabServr.exe /Start
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [Cpqset] c:\compaq\cpqsetup\cpqset.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Advisor - {76026873-0935-499C-B66A-9FF5EEF45BEA} - C:\Program Files\COMPAQ\Compaq Advisor\bin\rbaLauncher.exe (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=1c02&lc=0409
O16 - DPF: {3DCEC959-378A-4922-AD7E-FD5C925D927F} (Disney Online Games ActiveX Control) - http://disney.go.com/pirates/online/testActiveX/built/signed/DisneyOnlineGames.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1208463644181
O16 - DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} (AxisMediaControlEmb Class) - http://213.196.182.244/activex/AMC.cab
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Virtual NIC Service (PackethSvc) - America Online, Inc. - C:\WINDOWS\System32\PackethSvc.exe

--
End of file - 5737 bytes

ken545

2008-07-25, 14:27

Hello,

You need to enable windows to show all files and folders, instructions Here (http://www.xtra.co.nz/help/0,,4155-1916458,00.html)

C:\WINDOWS\system32\olixds18 <---Delete this folder

Go to VirusTotal (http://www.virustotal.com/) and submit this file for analysis, just use the browse feature and then Send File, you will get a report back, post the report into this thread for me to see.

C:\WINDOWS\wc98pp.dll <---This file

dragonas98

2008-07-25, 23:07

I got rid of that file and virustotal said that file had already been checked,but
heres the log anyway

File wc98pp.dll received on 07.15.2008 05:06:13 (CET)
Current status: finished

Result: 0/33 (0.00%)
Compact Print results
Antivirus Version Last Update Result
AhnLab-V3 2008.7.11.0 2008.07.14 -
AntiVir 7.8.0.64 2008.07.14 -
Authentium 5.1.0.4 2008.07.15 -
Avast 4.8.1195.0 2008.07.14 -
AVG 7.5.0.516 2008.07.14 -
BitDefender 7.2 2008.07.15 -
CAT-QuickHeal 9.50 2008.07.14 -
ClamAV 0.93.1 2008.07.15 -
DrWeb 4.44.0.09170 2008.07.14 -
eSafe 7.0.17.0 2008.07.14 -
eTrust-Vet 31.6.5954 2008.07.14 -
Ewido 4.0 2008.07.14 -
F-Prot 4.4.4.56 2008.07.14 -
F-Secure 7.60.13501.0 2008.07.15 -
Fortinet 3.14.0.0 2008.07.14 -
GData 2.0.7306.1023 2008.07.15 -
Ikarus T3.1.1.26.0 2008.07.15 -
Kaspersky 7.0.0.125 2008.07.15 -
McAfee 5338 2008.07.14 -
Microsoft 1.3704 2008.07.15 -
NOD32v2 3267 2008.07.15 -
Norman 5.80.02 2008.07.14 -
Panda 9.0.0.4 2008.07.14 -
Prevx1 V2 2008.07.15 -
Rising 20.53.02.00 2008.07.14 -
Sophos 4.31.0 2008.07.15 -
Sunbelt 3.1.1536.1 2008.07.12 -
Symantec 10 2008.07.15 -
TheHacker 6.2.96.379 2008.07.14 -
TrendMicro 8.700.0.1004 2008.07.14 -
VBA32 3.12.8.0 2008.07.15 -
VirusBuster 4.5.11.0 2008.07.14 -
Webwasher-Gateway 6.6.2 2008.07.14 -
Additional information
File size: 51712 bytes
MD5...: 01ce67a8b8f546986309c28d4594d29c
SHA1..: c375555e487481ba317af381d8f8524ab20defb0
SHA256: 74bd7a4d90534a25f73b253c4cd21d8886b4c9d83c05a609f2bce91dfc3caf5c
SHA512: 62654f5834909a8c20e29344ff2083fcdcdc9f2a29dc68cfe0f2374cd29fb8c5
be2a50ea73632e66a408dea1f34e0f76f47c32400edbaa2fd066b2eded36f94a
PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x40a874
timedatestamp.....: 0x2a425e19 (Fri Jun 19 22:22:17 1992)
machinetype.......: 0x14c (I386)

( 7 sections )
name viradd virsiz rawdsiz ntrpy md5
CODE 0x1000 0x98a0 0x9a00 6.43 1bf0329ed761c1055043968293828bdf
DATA 0xb000 0x2fc 0x400 2.88 bf9ea9b2d7426fd90a2d2be3187e1a75
BSS 0xc000 0x601 0x0 0.00 d41d8cd98f00b204e9800998ecf8427e
.idata 0xd000 0x73a 0x800 4.26 d72389ce58a2b24f0426683ae6e933f1
.edata 0xe000 0xb5 0x200 1.96 f235d704ce9c686fd69023d4d0cceade
.reloc 0xf000 0xc88 0xe00 6.27 52cdb2a06136a086038bf2dcff590205
.rsrc 0x10000 0x1000 0x1000 3.37 ac75f753b345a3adb7204c3d914ca304

( 7 imports )
> kernel32.dll: DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, InitializeCriticalSection, VirtualFree, VirtualAlloc, LocalFree, LocalAlloc, VirtualQuery, WideCharToMultiByte, MultiByteToWideChar, lstrlenA, lstrcpyA, LoadLibraryExA, GetThreadLocale, GetStartupInfoA, GetModuleFileNameA, GetLocaleInfoA, GetLastError, GetCommandLineA, FreeLibrary, ExitProcess, WriteFile, SetFilePointer, SetEndOfFile, RtlUnwind, ReadFile, RaiseException, GetStdHandle, GetFileSize, GetFileType, CreateFileA, CloseHandle
> user32.dll: GetKeyboardType, LoadStringA, MessageBoxA
> advapi32.dll: RegQueryValueExA, RegOpenKeyExA, RegCloseKey
> oleaut32.dll: VariantChangeTypeEx, VariantCopyInd, VariantClear, SysStringLen, SysFreeString, SysAllocStringLen
> kernel32.dll: TlsSetValue, TlsGetValue, TlsFree, TlsAlloc, LocalFree, LocalAlloc, GetModuleFileNameA
> kernel32.dll: WriteFile, VirtualQuery, UnmapViewOfFile, SetFilePointer, SetEndOfFile, ReadFile, OpenFileMappingA, MapViewOfFile, GetVersionExA, GetThreadLocale, GetModuleFileNameA, GetLocaleInfoA, GetLastError, GetCurrentThreadId, GetCurrentProcessId, GetCPInfo, FormatMessageA, EnumCalendarInfoA, CreateFileA, CompareStringA, CloseHandle
> user32.dll: MessageBoxA, LoadStringA, GetSystemMetrics

( 5 exports )
DllCanUnloadNow, DllGetClassObject, DllMain, DllRegisterServer, DllUnregisterServer

ken545

2008-07-25, 23:59

That file appears ok but not much info on it so really not sure what its for.

Your HJT log looks fine, how is your system behaving now?

dragonas98

2008-07-26, 01:30

but i need to do a restart to make sure nothing pops back up wll let you know! thanks

ken545

2008-07-27, 12:46

How it look, everything OK ?

dragonas98

2008-07-30, 10:01

just fine.:bigthumb:

ken545

2008-07-30, 11:09

That's great :bigthumb:

Please download ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1) by Atribune to your desktop.

This program is for XP and Windows 2000 only
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.Your system may start up slower after running ATF Cleaner, this is expected but will be back to normal after the first or second boot up

ATF Cleaner <-- Yours to keep, run it now and then to clean out the clutter.

Malwarebytes <-- Yours to keep also, check for updates and run a scan now and then.

Combofix Is not a general cleaning tool, just run it with supervision or you can bork your system

Click START then RUN
Now type Combofix /u in the runbox and click OK. Note the space between the X and the U, it needs to be there.

http://i189.photobucket.com/albums/z176/EPL47/CF_Cleanup.png

When shown the disclaimer, Select "2"

The above procedure will:

Delete the following:
ComboFix and its associated files and folders.
VundoFix backups, if present
The C:\Deckard folder, if present
The C:_OtMoveIt folder, if present
Reset the clock settings.
Hide file extensions, if required.
Hide System/Hidden files, if required.
Reset System Restore.

How did I get infected in the first place ? Read these links and find out how to prevent getting infected again.
Tutorial for System Restore (http://www.bleepingcomputer.com/tutorials/tutorial56.html) <-- Do this first to prevent yourself from being reinfected.
WhattheTech (http://forums.whatthetech.com/So_how_did_I_get_infected_in_the_first_place_t57817.html)
TonyKlein CastleCops (http://www.castlecops.com/postlite7736-.html)
Grinler BleepingComputer (http://www.bleepingcomputer.com/forums/topic2520.html)
GeeksTo Go (http://www.geekstogo.com/forum/index.php?autocom=custom&page=How_did_I)
Dslreports (http://www.dslreports.com/faq/10002)

Safe Surfn
Ken