Virtumonde? Help me please



Pudding
2008-08-09, 19:00
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:52:41, on 09/08/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Kontiki\KService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.6\CoIEPlg.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [{b5b65a5b-df01-6425-c2fe-45cc544b3c4a}] C:\WINDOWS\System32\Rundll32.exe "C:\WINDOWS\system32\vncablxhitrkpu.dll" DllStart
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton 360\osCheck.exe"
O4 - HKLM\..\Run: [4oD] "C:\Program Files\Kontiki\KHost.exe" -all
O4 - HKLM\..\Run: [c03e336a] rundll32.exe "C:\WINDOWS\system32\ngafkupg.dll",b
O4 - HKLM\..\Run: [SMrhcctqj0et41] C:\Program Files\rhcctqj0et41\rhcctqj0et41.exe
O4 - HKLM\..\Run: [BMc30d00f6] Rundll32.exe "C:\WINDOWS\system32\ndjcsibw.dll",s
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [kdx] C:\Program Files\Kontiki\KHost.exe -all
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.6.108.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1217954152328
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1217954142593
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://sdlc-esd.sun.com/ESD44/JSCDL/jdk/6u7/jinstall-6u7-windows-i586-jc.cab?AuthParam=1217934483_ba773d8fc5c80158e51bd1b7fe95386c&GroupName=JSC&BHost=javadl.sun.com&FilePath=/ESD44/JSCDL/jdk/6u7/jinstall-6u7-windows-i586-jc.cab&File=jinstall-6u7-windows-i586-jc.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,5353/mcfscan.cab
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec RemoteAssist - Unknown owner - C:\Program Files\Common Files\Symantec Shared\Support Controls\ssrc.exe (file missing)

--
End of file - 6763 bytes

pskelley
2008-08-13, 18:28
Welcome to Safer Networking. I wish to be sure you have viewed and understand this information.
"BEFORE you POST" (READ this Procedure before Requesting Assistance)
http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.

I apologize for the wait, some volunteers have been away on much needed vacation time.

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.

Remove any old copies of combofix before you proceed.

Thanks to sUBs and anyone else who helped with this fix.

It is important that it is saved directly to your Desktop.

Download ComboFix from Here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) to your Desktop

Double click combofix.exe and follow the prompts.
When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.

Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Post the combofix log and a new HJT log.
Tutorial

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Thanks

Pudding
2008-08-13, 18:55
Thanks for getting back to me; I quite understand it is vacation time.

Here's what you asked for:-

ComboFix 08-08-12.01 - David Fookes 2008-08-13 17:45:51.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2504 [GMT 1:00]
Running from: C:\Documents and Settings\David Fookes\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\David Fookes\Application Data\rhcctqj0et41
C:\WINDOWS\BMc30d00f6.txt
C:\WINDOWS\BMc30d00f6.xml
C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\aioqpnyi.dll
C:\WINDOWS\system32\bxwrqyvp.ini
C:\WINDOWS\system32\byXOhgGw.dll
C:\WINDOWS\system32\gdomnv.dll
C:\WINDOWS\system32\gpukfagn.ini
C:\WINDOWS\system32\haixetvr.ini
C:\WINDOWS\system32\hifwrhlt.dll
C:\WINDOWS\system32\hmbmfhyt.dll
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\MSINET.oca
C:\WINDOWS\system32\ndjcsibw.dll
C:\WINDOWS\system32\nvwicj.dll
C:\WINDOWS\system32\ocaaohoh.ini
C:\WINDOWS\system32\ofguoa.dll
C:\WINDOWS\system32\pgxltlcx.dll
C:\WINDOWS\system32\pmilfrgu.dll
C:\WINDOWS\system32\pvyqrwxb.dll
C:\WINDOWS\system32\qvxdkifk.dll
C:\WINDOWS\system32\rvtexiah.dll
C:\WINDOWS\system32\rvusexsa.dll
C:\WINDOWS\system32\shtuuwnd.dll
C:\WINDOWS\system32\ugrflimp.ini
C:\WINDOWS\system32\uhcklc.dll
C:\WINDOWS\system32\vhtptycl.dll
C:\WINDOWS\system32\wctokpae.ini
C:\WINDOWS\system32\wGghOXyb.ini
C:\WINDOWS\system32\wGghOXyb.ini2
C:\WINDOWS\system32\whhhhwci.dll
C:\WINDOWS\system32\xbdxaxcy.dll
C:\WINDOWS\system32\xcltlxgp.ini
C:\WINDOWS\system32\xpjfac.dll
C:\WINDOWS\system32\xxwxrdqg.dll
C:\WINDOWS\system32\yyktucvx.dll

.
((((((((((((((((((((((((( Files Created from 2008-07-13 to 2008-08-13 )))))))))))))))))))))))))))))))
.

2008-08-10 17:23 . 2008-08-10 17:23 2,048 --a------ C:\WINDOWS\system32\rvlavnbl.exe
2008-08-09 17:52 . 2008-08-09 17:52 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-09 17:28 . 2008-08-09 17:28 2,048 --a------ C:\WINDOWS\system32\abenjjfy.exe
2008-08-09 02:32 . 2008-08-09 02:32 2,048 --a------ C:\WINDOWS\system32\ddgjxjhn.exe
2008-08-08 02:34 . 2008-08-08 02:34 2,048 --a------ C:\WINDOWS\system32\qfuuujlb.exe
2008-08-08 01:57 . 2008-08-08 01:57 <DIR> d-------- C:\Program Files\Kontiki
2008-08-08 01:57 . 2008-08-08 01:57 <DIR> d-------- C:\Program Files\Channel4
2008-08-08 01:57 . 2008-08-13 17:47 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kontiki
2008-08-08 01:57 . 2008-08-08 01:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Channel4
2008-08-07 03:21 . 2008-08-11 12:39 275 --a------ C:\WINDOWS\wininit.ini
2008-08-07 03:06 . 2008-08-07 03:06 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-08-07 03:06 . 2008-08-07 03:14 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-08-07 02:33 . 2008-08-07 02:33 2,048 --a------ C:\WINDOWS\system32\vmlmafyh.exe
2008-08-06 16:37 . 2008-08-06 16:37 <DIR> d-------- C:\WINDOWS\Sun
2008-08-06 12:33 . 2008-08-06 12:41 <DIR> d-------- C:\WINDOWS\system32\CatRoot_bak
2008-08-06 00:07 . 2008-08-06 00:07 <DIR> d-------- C:\WINDOWS\ERUNT
2008-08-06 00:02 . 2008-08-06 00:02 <DIR> d-------- C:\sdfix
2008-08-05 16:29 . 2008-08-05 16:29 <DIR> d-------- C:\WINDOWS\McAfee.com
2008-08-05 15:26 . 2008-08-05 15:26 2,048 --a------ C:\WINDOWS\system32\grftggso.exe
2008-08-05 14:42 . 2008-08-05 16:47 <DIR> d-------- C:\Program Files\Norton 360
2008-08-05 14:40 . 2008-08-05 15:06 <DIR> d-------- C:\Program Files\Symantec
2008-08-05 14:40 . 2008-08-05 18:12 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Symantec
2008-08-05 14:40 . 2008-08-05 15:06 123,952 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-08-05 14:40 . 2008-08-05 15:06 60,800 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2008-08-05 13:41 . 2008-08-05 13:41 <DIR> d-------- C:\Program Files\Windows Sidebar
2008-08-05 13:36 . 2008-08-05 15:06 10,671 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2008-08-05 13:36 . 2008-08-05 15:06 805 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.INF
2008-08-05 13:26 . 2008-08-05 15:07 <DIR> d-------- C:\Documents and Settings\David Fookes\Application Data\Symantec
2008-08-05 13:08 . 2008-08-13 17:48 <DIR> d-------- C:\Program Files\Common Files\Symantec Shared
2008-08-05 12:37 . 2008-08-05 12:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SITEguard
2008-08-05 12:36 . 2008-08-05 12:36 <DIR> d-------- C:\Program Files\Common Files\iS3
2008-08-05 12:36 . 2008-08-05 14:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\STOPzilla!
2008-08-05 12:12 . 2008-08-05 12:12 <DIR> d-------- C:\WINDOWS\system32\qe
2008-08-05 12:12 . 2008-08-05 16:45 <DIR> d-------- C:\WINDOWS\system32\lc2
2008-08-05 12:12 . 2008-08-05 16:45 <DIR> d-------- C:\WINDOWS\system32\kBin15
2008-08-05 12:12 . 2008-08-05 12:12 <DIR> d-------- C:\Temp\epr1
2008-08-05 12:12 . 2008-08-06 00:12 <DIR> d-------- C:\Temp
2008-08-05 12:12 . 2008-08-05 12:12 64,847 --a------ C:\WINDOWS\system32\yszihlumor.exe
2008-08-05 12:06 . 2008-08-05 12:14 <DIR> d-------- C:\Documents and Settings\David Fookes\Application Data\LimeWire
2008-08-05 12:04 . 2008-08-05 12:04 <DIR> d-------- C:\Program Files\Java
2008-08-05 12:04 . 2008-08-05 12:04 <DIR> d-------- C:\Program Files\Common Files\Java
2008-08-05 12:04 . 2008-06-10 02:32 73,728 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-07-25 09:36 . 2008-07-25 09:36 4,816 --a------ C:\WINDOWS\system32\divxsm.tlb
2008-07-23 17:48 . 2008-07-23 17:48 1,044,480 --a------ C:\WINDOWS\system32\libdivx.dll
2008-07-23 17:48 . 2008-07-23 17:48 200,704 --a------ C:\WINDOWS\system32\ssldivx.dll
2008-07-23 17:47 . 2008-07-23 17:47 352,401 --a------ C:\WINDOWS\system32\DivXMedia.ax
2008-07-23 17:47 . 2008-07-23 17:47 416 --a------ C:\WINDOWS\system32\dtu100.dll.manifest
2008-07-23 17:47 . 2008-07-23 17:47 416 --a------ C:\WINDOWS\system32\dpl100.dll.manifest
2008-07-23 17:46 . 2008-07-23 17:46 12,288 --a------ C:\WINDOWS\system32\DivXWMPExtType.dll
2008-07-20 12:13 . 2008-07-25 15:41 120 --a------ C:\drmHeader.bin
2008-07-16 15:42 . 2008-07-16 15:42 <DIR> d-------- C:\WINDOWS\nview
2008-07-16 15:42 . 2007-11-08 22:52 356,352 --a------ C:\WINDOWS\system32\nvudisp.exe
2008-07-16 15:42 . 2008-07-26 22:58 140,694 --a------ C:\WINDOWS\system32\nvapps.xml
2008-07-16 15:42 . 2007-11-08 22:52 17,525 --a------ C:\WINDOWS\system32\nvdisp.nvu
2008-07-16 15:14 . 2008-08-05 16:05 <DIR> d-------- C:\Documents and Settings\David Fookes\Application Data\IGN_DLM
2008-07-16 14:43 . 2008-07-16 14:45 <DIR> d--h----- C:\WINDOWS\msdownld.tmp
2008-07-16 14:43 . 2008-07-16 14:43 <DIR> d-------- C:\WINDOWS\Logs
2008-07-16 14:40 . 2008-07-16 15:37 664 --a------ C:\WINDOWS\system32\d3d9caps.dat
2008-07-16 14:40 . 2008-07-16 14:40 552 --a------ C:\WINDOWS\system32\d3d8caps.dat
2008-07-16 14:39 . 2008-07-16 14:39 248 --a------ C:\WINDOWS\RomeTW.ini
2008-07-16 14:30 . 2008-07-16 14:30 <DIR> d-------- C:\Program Files\Activision
2008-07-16 14:05 . 2008-07-19 14:13 38 --a------ C:\WINDOWS\AviSplitter.INI
2008-07-15 10:51 . 2008-08-07 16:54 <DIR> d-------- C:\Program Files\DivX
2008-07-15 10:51 . 2008-07-15 10:51 <DIR> d-------- C:\Documents and Settings\David Fookes\Application Data\DivX

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-13 16:45 6,736 ----a-w C:\WINDOWS\system32\drivers\PROCEXP90.SYS
2008-08-09 16:29 --------- d-----w C:\Program Files\eMule
2008-07-30 16:42 23,888 ----a-w C:\WINDOWS\system32\drivers\COH_Mon.sys
2008-07-30 16:28 706 ----a-w C:\WINDOWS\system32\drivers\COH_Mon.inf
2008-07-30 16:28 10,537 ----a-w C:\WINDOWS\system32\drivers\coh_mon.cat
2008-07-16 14:34 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-07-16 13:29 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-07-11 18:01 --------- d-----w C:\Documents and Settings\David Fookes\Application Data\Media Player Classic
2008-07-11 17:59 --------- d-----w C:\Program Files\XP Codec Pack
2008-06-28 01:00 --------- d-----w C:\Documents and Settings\David Fookes\Application Data\InstallShield
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-13 13:14 31,280 ----a-w C:\WINDOWS\system32\drivers\SymIM.sys
2008-06-13 13:14 13,093 ----a-w C:\WINDOWS\system32\drivers\SymRedir.cat
2008-06-13 13:14 1,611 ----a-w C:\WINDOWS\system32\drivers\SymRedir.inf
2008-06-13 13:13 96,432 ----a-w C:\WINDOWS\system32\drivers\symfw.sys
2008-06-13 13:13 41,008 ----a-w C:\WINDOWS\system32\drivers\symndisv.sys
2008-06-13 13:13 38,576 ----a-w C:\WINDOWS\system32\drivers\symids.sys
2008-06-13 13:13 37,424 ----a-w C:\WINDOWS\system32\drivers\symndis.sys
2008-06-13 13:13 22,320 ----a-w C:\WINDOWS\system32\drivers\symredrv.sys
2008-06-13 13:13 184,240 ----a-w C:\WINDOWS\system32\drivers\symtdi.sys
2008-06-13 13:13 13,616 ----a-w C:\WINDOWS\system32\drivers\symdns.sys
2008-06-13 13:10 272,128 ------w C:\WINDOWS\system32\drivers\bthport.sys
2008-06-10 15:11 315,392 ----a-w C:\WINDOWS\HideWin.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\OverlayExcluded]
@="{4433A54A-1AC8-432F-90FC-85F045CF383C}"
[HKEY_CLASSES_ROOT\CLSID\{4433A54A-1AC8-432F-90FC-85F045CF383C}]
2008-02-26 09:34 576352 --a------ C:\Program Files\Common Files\Symantec Shared\Backup\buShell.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\OverlayPending]
@="{F17C0B1E-EF8E-4AD4-8E1B-7D7E8CB23225}"
[HKEY_CLASSES_ROOT\CLSID\{F17C0B1E-EF8E-4AD4-8E1B-7D7E8CB23225}]
2008-02-26 09:34 576352 --a------ C:\Program Files\Common Files\Symantec Shared\Backup\buShell.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\OverlayProtected]
@="{476D0EA3-80F9-48B5-B70B-05E677C9C148}"
[HKEY_CLASSES_ROOT\CLSID\{476D0EA3-80F9-48B5-B70B-05E677C9C148}]
2008-02-26 09:34 576352 --a------ C:\Program Files\Common Files\Symantec Shared\Backup\buShell.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2007-07-27 13:00 15360]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 17:24 1694208]
"kdx"="C:\Program Files\Kontiki\KHost.exe" [2007-04-23 11:23 1032640]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-11-08 22:52 8491008]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-11-08 22:52 81920]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2008-02-18 20:37 51048]
"osCheck"="C:\Program Files\Norton 360\osCheck.exe" [2008-02-26 15:50 988512]
"4oD"="C:\Program Files\Kontiki\KHost.exe" [2007-04-23 11:23 1032640]
"RTHDCPL"="RTHDCPL.EXE" [2007-11-22 16:40 16858112 C:\WINDOWS\RTHDCPL.exe]
"nwiz"="nwiz.exe" [2007-11-08 22:52 1626112 C:\WINDOWS\system32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2007-07-27 13:00 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.ffds"= ffdshow.ax
"msacm.ac3filter"= ac3filter.acm

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Kontiki\\KService.exe"=

R2 LiveUpdate Notice;LiveUpdate Notice;C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe [2008-02-18 20:37]
S3 ADM8511;ADMtek ADM8511/AN986 USB To Fast Ethernet Converter;C:\WINDOWS\system32\DRIVERS\ADM8511.SYS [2001-08-17 13:11]
S3 COH_Mon;COH_Mon;C:\WINDOWS\system32\Drivers\COH_Mon.sys [2008-07-30 17:42]

*Newly Created Service* - COMHOST
.
- - - - ORPHANS REMOVED - - - -

Toolbar-SITEguard - (no file)
HKLM-Run-{b5b65a5b-df01-6425-c2fe-45cc544b3c4a} - C:\WINDOWS\system32\vncablxhitrkpu.dll
HKLM-Run-c03e336a - C:\WINDOWS\system32\pmilfrgu.dll
HKLM-Run-SMrhcctqj0et41 - C:\Program Files\rhcctqj0et41\rhcctqj0et41.exe
HKLM-Run-BMc30d00f6 - C:\WINDOWS\system32\sfojfsvb.dll


.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\David Fookes\Application Data\Mozilla\Firefox\Profiles\oqw1vk02.default\


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-13 17:48:53
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Kontiki\KService.exe
C:\WINDOWS\system32\nvsvc32.exe
.
**************************************************************************
.
Completion time: 2008-08-13 17:50:26 - machine was rebooted
ComboFix-quarantined-files.txt 2008-08-13 16:50:21

Pre-Run: 403,594,031,104 bytes free
Post-Run: 403,792,130,048 bytes free

227 --- E O F --- 2008-08-07 01:23:22

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:51:21, on 13/08/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Kontiki\KService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.6\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.6\CoIEPlg.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton 360\osCheck.exe"
O4 - HKLM\..\Run: [4oD] "C:\Program Files\Kontiki\KHost.exe" -all
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [kdx] C:\Program Files\Kontiki\KHost.exe -all
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.6.108.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1217954152328
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1217954142593
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://sdlc-esd.sun.com/ESD44/JSCDL/jdk/6u7/jinstall-6u7-windows-i586-jc.cab?AuthParam=1217934483_ba773d8fc5c80158e51bd1b7fe95386c&GroupName=JSC&BHost=javadl.sun.com&FilePath=/ESD44/JSCDL/jdk/6u7/jinstall-6u7-windows-i586-jc.cab&File=jinstall-6u7-windows-i586-jc.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,5353/mcfscan.cab
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec RemoteAssist - Unknown owner - C:\Program Files\Common Files\Symantec Shared\Support Controls\ssrc.exe (file missing)

--
End of file - 6724 bytes

pskelley
2008-08-13, 19:32
Thanks for returning your information; let's proceed carefully, like this:

1) Open notepad and copy/paste the text in the codebox below into it:


File::
C:\WINDOWS\system32\rvlavnbl.exe
C:\WINDOWS\system32\abenjjfy.exe
C:\WINDOWS\system32\ddgjxjhn.exe
C:\WINDOWS\system32\qfuuujlb.exe
C:\WINDOWS\system32\vmlmafyh.exe
C:\WINDOWS\system32\grftggso.exe
C:\WINDOWS\system32\yszihlumor.exe

Folder::
C:\sdfix

Save this as CFScript

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Referring to the picture above, drag CFScript into ComboFix.exe.

This will start ComboFix again. After reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log. (Wait until you finish to post the logs.)

2) Download Malwarebytes' Anti-Malware to your Desktop
http://www.besttechie.net/tools/mbam-setup.exe

* Double-click mbam-setup.exe and follow the prompts to install the program.
* Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform FULL SCAN, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt
* Please post the combofix log from CFScript, the log from MBAM and a new HJT log in your next reply.

Include any information you think will help and tell me how the computer is running now.

Thanks...Phil

For your information:
http://forums.spybot.info/showthread.php?t=282
http://www.nutnworks.com/SafeHex/file_sharing.htm
http://arstechnica.com/news.ars/post...riaa-suit.html
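
The four HKLM Run entries that ComboFix reported as orphans are the kind a helper spots by eye in the O4 section of the first log. As an added example, not code from this thread, from HijackThis or from ComboFix, here is a Python triage script that parses the O4 lines of a before/after pair of HijackThis logs (a constructed subset of the two logs above, embedded inline), flags entries with hex-style names, random-looking lowercase image names or one-letter rundll32 entry points, and lists which autostart entries disappeared after cleanup; the three heuristics are assumptions chosen for this example.

```python
"""Triage of HijackThis O4 (autostart) entries, added example (not thread code).

Parses the O4 lines of a before/after pair of HijackThis logs (a constructed
subset of the two logs in this thread), flags entries that resemble the
randomly named rundll32 loaders in the first log, and lists which autostart
entries disappeared after ComboFix ran. The three heuristics (hex/GUID-style
entry name, low-vowel all-lowercase image name, one-letter rundll32 entry
point) are assumptions chosen for this example, not a published rule, so hits
are leads for a helper to review, not verdicts.
"""
import re
from dataclasses import dataclass

# Constructed sample: part of the O4 section of the first (infected) log.
BEFORE_LOG = r"""
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [{b5b65a5b-df01-6425-c2fe-45cc544b3c4a}] C:\WINDOWS\System32\Rundll32.exe "C:\WINDOWS\system32\vncablxhitrkpu.dll" DllStart
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [c03e336a] rundll32.exe "C:\WINDOWS\system32\ngafkupg.dll",b
O4 - HKLM\..\Run: [SMrhcctqj0et41] C:\Program Files\rhcctqj0et41\rhcctqj0et41.exe
O4 - HKLM\..\Run: [BMc30d00f6] Rundll32.exe "C:\WINDOWS\system32\ndjcsibw.dll",s
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
"""
# Constructed sample: the same section of the post-ComboFix log.
AFTER_LOG = r"""
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
"""

O4_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+\.dll)"?[\s,]+(?P<entry>\S+)', re.I)
IMAGE_RE = re.compile(r'^(?:"(?P<q>[^"]+)"|(?P<u>.+?\.(?:exe|com|scr|dll)))(?:\s|$)', re.I)
HEX_NAME_RE = re.compile(r"[0-9a-f]{8,}", re.I)
VOWELS = set("aeiou")


@dataclass(frozen=True)
class Autostart:
    hive: str   # HKLM, HKCU, HKUS\S-1-5-18, ...
    name: str   # registry value name shown in [brackets]
    cmd: str    # command line as logged


def parse_o4(log: str) -> list:
    """Extract the O4 autostart lines; other HijackThis sections are ignored."""
    entries = []
    for line in log.splitlines():
        m = O4_RE.match(line.strip())
        if m:
            entries.append(Autostart(m["hive"], m["name"], m["cmd"]))
    return entries


def image_stem(cmd: str) -> tuple:
    """Return (stem of the file that really runs, rundll32 entry point or None)."""
    # For rundll32 entries the DLL is the payload, so inspect it, not rundll32.exe.
    m = RUNDLL_RE.search(cmd)
    if m:
        path, entry = m["dll"], m["entry"]
    else:  # quoted path, or an unquoted path read up to its executable extension
        m = IMAGE_RE.match(cmd)
        path, entry = ((m["q"] or m["u"]) if m else cmd), None
    base = re.split(r"[\\/]", path)[-1]
    return base.rsplit(".", 1)[0], entry


def looks_random(stem: str) -> bool:
    """Heuristic (assumption): 8+ all-lowercase alphanumerics, under 30% vowels."""
    if len(stem) < 8 or not re.fullmatch(r"[a-z0-9]+", stem):
        return False
    return sum(c in VOWELS for c in stem) / len(stem) < 0.3


def reasons(entry: Autostart) -> list:
    """Why an entry deserves a look; an empty list means nothing matched."""
    stem, export = image_stem(entry.cmd)
    found = []
    if HEX_NAME_RE.search(entry.name):
        found.append("hex/GUID-style entry name")
    if looks_random(stem):
        found.append(f"random-looking image name '{stem}'")
    if export is not None and len(export) == 1:
        found.append(f"one-letter rundll32 entry point '{export}'")
    return found


def suspicious(entries: list) -> dict:
    """Map each flagged Autostart to its reasons."""
    return {e: r for e in entries if (r := reasons(e))}


def removed_between(before: list, after: list) -> list:
    """Entries (by hive and value name) present before but gone after cleanup."""
    still_there = {(e.hive, e.name) for e in after}
    return [e for e in before if (e.hive, e.name) not in still_there]
```

On the sample, `suspicious(parse_o4(BEFORE_LOG))` flags exactly the four orphaned entries, while `removed_between` also reports the legitimate Realtek `Alcmtr` value, which shows why a diff of the logs and the heuristics are read together rather than either alone.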

Pudding
2008-08-14, 02:06
ComboFix 08-08-12.01 - David Fookes 2008-08-13 19:05:21.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2543 [GMT 1:00]
Running from: C:\Documents and Settings\David Fookes\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\David Fookes\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\system32\abenjjfy.exe
C:\WINDOWS\system32\ddgjxjhn.exe
C:\WINDOWS\system32\grftggso.exe
C:\WINDOWS\system32\qfuuujlb.exe
C:\WINDOWS\system32\rvlavnbl.exe
C:\WINDOWS\system32\vmlmafyh.exe
C:\WINDOWS\system32\yszihlumor.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\sdfix
C:\sdfix\SDFix\apps\assosfix.reg
C:\sdfix\SDFix\apps\cliptext.exe
C:\sdfix\SDFix\apps\download.exe
C:\sdfix\SDFix\apps\dummy.sys
C:\sdfix\SDFix\apps\Enable_Command_Prompt.reg
C:\sdfix\SDFix\apps\ERDNT.E_E
C:\sdfix\SDFix\apps\ERDNTDOS.LOC
C:\sdfix\SDFix\apps\ERDNTWIN.LOC
C:\sdfix\SDFix\apps\ERUNT.EXE
C:\sdfix\SDFix\apps\ERUNT.LOC
C:\sdfix\SDFix\apps\fix.reg
C:\sdfix\SDFix\apps\FixBH.reg
C:\sdfix\SDFix\apps\FixComponents.reg
C:\sdfix\SDFix\apps\FIXCU.reg
C:\sdfix\SDFix\apps\FIXLM.reg
C:\sdfix\SDFix\apps\FixPath.exe
C:\sdfix\SDFix\apps\FixRedir.reg
C:\sdfix\SDFix\apps\FixSchedule.reg
C:\sdfix\SDFix\apps\FixWebCheck.reg
C:\sdfix\SDFix\apps\fixXP.reg
C:\sdfix\SDFix\apps\FixXPsp2.reg
C:\sdfix\SDFix\apps\grep.exe
C:\sdfix\SDFix\apps\HaxdFix.reg
C:\sdfix\SDFix\apps\HPFix.reg
C:\sdfix\SDFix\apps\HPFix2.reg
C:\sdfix\SDFix\apps\HPFix3.reg
C:\sdfix\SDFix\apps\HPFix4.reg
C:\sdfix\SDFix\apps\HPFix5.reg
C:\sdfix\SDFix\apps\HPFix6.reg
C:\sdfix\SDFix\apps\HPFix7.reg
C:\sdfix\SDFix\apps\HPFix8.reg
C:\sdfix\SDFix\apps\HPFix9.reg
C:\sdfix\SDFix\apps\isadmin.exe
C:\sdfix\SDFix\apps\leg2.txt
C:\sdfix\SDFix\apps\legacy.txt
C:\sdfix\SDFix\apps\legacybk.txt
C:\sdfix\SDFix\apps\locate.com
C:\sdfix\SDFix\apps\LS.exe
C:\sdfix\SDFix\apps\MD5File.exe
C:\sdfix\SDFix\apps\moveex.exe
C:\sdfix\SDFix\apps\MyGcpvFix.reg
C:\sdfix\SDFix\apps\MyGkFix2.reg
C:\sdfix\SDFix\apps\Process.exe
C:\sdfix\SDFix\apps\procs.exe
C:\sdfix\SDFix\apps\psservice.exe
C:\sdfix\SDFix\apps\Rem.txt
C:\sdfix\SDFix\apps\Rem2.txt
C:\sdfix\SDFix\apps\Replace\regedit.exe
C:\sdfix\SDFix\apps\Replace\W2K.exe
C:\sdfix\SDFix\apps\Replace\w2k\beep.sys
C:\sdfix\SDFix\apps\Replace\w2k\null.sys
C:\sdfix\SDFix\apps\Replace\XP.exe
C:\sdfix\SDFix\apps\Replace\xp\beep.sys
C:\sdfix\SDFix\apps\Replace\xp\null.sys
C:\sdfix\SDFix\apps\Reset_AppInit_DLLs.reg
C:\sdfix\SDFix\apps\RestartIt!.exe
C:\sdfix\SDFix\apps\Restore_SecurityCenter.reg
C:\sdfix\SDFix\apps\Restore_SharedAccess.reg
C:\sdfix\SDFix\apps\sc.exe
C:\sdfix\SDFix\apps\sed.exe
C:\sdfix\SDFix\apps\SF.exe
C:\sdfix\SDFix\apps\shutdown.exe
C:\sdfix\SDFix\apps\srv2.txt
C:\sdfix\SDFix\apps\srv2bk.txt
C:\sdfix\SDFix\apps\svc.txt
C:\sdfix\SDFix\apps\svcbk.txt
C:\sdfix\SDFix\apps\swreg.exe
C:\sdfix\SDFix\apps\swsc.exe
C:\sdfix\SDFix\apps\unzip.exe
C:\sdfix\SDFix\apps\vfind.exe
C:\sdfix\SDFix\apps\WINMSG.EXE
C:\sdfix\SDFix\apps\winsec.reg
C:\sdfix\SDFix\apps\zip.exe
C:\sdfix\SDFix\backups\backupreg.zip
C:\sdfix\SDFix\backups\backups.zip
C:\sdfix\SDFix\backups\catchme.log
C:\sdfix\SDFix\backups\HOSTS
C:\sdfix\SDFix\backups_old\backupreg.zip
C:\sdfix\SDFix\backups_old\backups.zip
C:\sdfix\SDFix\backups_old\catchme.log
C:\sdfix\SDFix\backups_old\HOSTS
C:\sdfix\SDFix\catchme.exe
C:\sdfix\SDFix\dummy.sys
C:\sdfix\SDFix\Report.txt
C:\sdfix\SDFix\Report_old_1.txt
C:\sdfix\SDFix\RunThis.bat
C:\sdfix\SDFix\SDFIX_ReadMe_Online.url
C:\sdfix\SDFix\W2K_VirusAlert_Repair.inf
C:\sdfix\SDFix\XP_VirusAlert_Repair.inf
C:\WINDOWS\system32\abenjjfy.exe
C:\WINDOWS\system32\ddgjxjhn.exe
C:\WINDOWS\system32\grftggso.exe
C:\WINDOWS\system32\qfuuujlb.exe
C:\WINDOWS\system32\rvlavnbl.exe
C:\WINDOWS\system32\vmlmafyh.exe
C:\WINDOWS\system32\yszihlumor.exe

.
((((((((((((((((((((((((( Files Created from 2008-07-13 to 2008-08-13 )))))))))))))))))))))))))))))))
.

2008-08-09 17:52 . 2008-08-09 17:52 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-08 01:57 . 2008-08-08 01:57 <DIR> d-------- C:\Program Files\Kontiki
2008-08-08 01:57 . 2008-08-08 01:57 <DIR> d-------- C:\Program Files\Channel4
2008-08-08 01:57 . 2008-08-13 19:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kontiki
2008-08-08 01:57 . 2008-08-08 01:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Channel4
2008-08-07 03:21 . 2008-08-11 12:39 275 --a------ C:\WINDOWS\wininit.ini
2008-08-07 03:06 . 2008-08-07 03:06 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-08-07 03:06 . 2008-08-07 03:14 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-08-06 16:37 . 2008-08-06 16:37 <DIR> d-------- C:\WINDOWS\Sun
2008-08-06 12:33 . 2008-08-13 17:55 <DIR> d-------- C:\WINDOWS\system32\CatRoot_bak
2008-08-06 00:07 . 2008-08-06 00:07 <DIR> d-------- C:\WINDOWS\ERUNT
2008-08-05 16:29 . 2008-08-05 16:29 <DIR> d-------- C:\WINDOWS\McAfee.com
2008-08-05 14:42 . 2008-08-05 16:47 <DIR> d-------- C:\Program Files\Norton 360
2008-08-05 14:40 . 2008-08-05 15:06 <DIR> d-------- C:\Program Files\Symantec
2008-08-05 14:40 . 2008-08-05 18:12 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Symantec
2008-08-05 14:40 . 2008-08-05 15:06 123,952 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-08-05 14:40 . 2008-08-05 15:06 60,800 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2008-08-05 13:41 . 2008-08-05 13:41 <DIR> d-------- C:\Program Files\Windows Sidebar
2008-08-05 13:36 . 2008-08-05 15:06 10,671 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2008-08-05 13:36 . 2008-08-05 15:06 805 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.INF
2008-08-05 13:26 . 2008-08-05 15:07 <DIR> d-------- C:\Documents and Settings\David Fookes\Application Data\Symantec
2008-08-05 13:08 . 2008-08-13 17:48 <DIR> d-------- C:\Program Files\Common Files\Symantec Shared
2008-08-05 12:37 . 2008-08-05 12:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SITEguard
2008-08-05 12:36 . 2008-08-05 12:36 <DIR> d-------- C:\Program Files\Common Files\iS3
2008-08-05 12:36 . 2008-08-05 14:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\STOPzilla!
2008-08-05 12:12 . 2008-08-05 12:12 <DIR> d-------- C:\WINDOWS\system32\qe
2008-08-05 12:12 . 2008-08-05 16:45 <DIR> d-------- C:\WINDOWS\system32\lc2
2008-08-05 12:12 . 2008-08-05 16:45 <DIR> d-------- C:\WINDOWS\system32\kBin15
2008-08-05 12:12 . 2008-08-05 12:12 <DIR> d-------- C:\Temp\epr1
2008-08-05 12:12 . 2008-08-06 00:12 <DIR> d-------- C:\Temp
2008-08-05 12:06 . 2008-08-05 12:14 <DIR> d-------- C:\Documents and Settings\David Fookes\Application Data\LimeWire
2008-08-05 12:04 . 2008-08-05 12:04 <DIR> d-------- C:\Program Files\Java
2008-08-05 12:04 . 2008-08-05 12:04 <DIR> d-------- C:\Program Files\Common Files\Java
2008-08-05 12:04 . 2008-06-10 02:32 73,728 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-07-25 09:36 . 2008-07-25 09:36 4,816 --a------ C:\WINDOWS\system32\divxsm.tlb
2008-07-23 17:48 . 2008-07-23 17:48 1,044,480 --a------ C:\WINDOWS\system32\libdivx.dll
2008-07-23 17:48 . 2008-07-23 17:48 200,704 --a------ C:\WINDOWS\system32\ssldivx.dll
2008-07-23 17:47 . 2008-07-23 17:47 352,401 --a------ C:\WINDOWS\system32\DivXMedia.ax
2008-07-23 17:47 . 2008-07-23 17:47 416 --a------ C:\WINDOWS\system32\dtu100.dll.manifest
2008-07-23 17:47 . 2008-07-23 17:47 416 --a------ C:\WINDOWS\system32\dpl100.dll.manifest
2008-07-23 17:46 . 2008-07-23 17:46 12,288 --a------ C:\WINDOWS\system32\DivXWMPExtType.dll
2008-07-20 12:13 . 2008-07-25 15:41 120 --a------ C:\drmHeader.bin
2008-07-16 15:42 . 2008-07-16 15:42 <DIR> d-------- C:\WINDOWS\nview
2008-07-16 15:42 . 2007-11-08 22:52 356,352 --a------ C:\WINDOWS\system32\nvudisp.exe
2008-07-16 15:42 . 2008-07-26 22:58 140,694 --a------ C:\WINDOWS\system32\nvapps.xml
2008-07-16 15:42 . 2007-11-08 22:52 17,525 --a------ C:\WINDOWS\system32\nvdisp.nvu
2008-07-16 15:14 . 2008-08-05 16:05 <DIR> d-------- C:\Documents and Settings\David Fookes\Application Data\IGN_DLM
2008-07-16 14:43 . 2008-07-16 14:45 <DIR> d--h----- C:\WINDOWS\msdownld.tmp
2008-07-16 14:43 . 2008-07-16 14:43 <DIR> d-------- C:\WINDOWS\Logs
2008-07-16 14:40 . 2008-07-16 15:37 664 --a------ C:\WINDOWS\system32\d3d9caps.dat
2008-07-16 14:40 . 2008-07-16 14:40 552 --a------ C:\WINDOWS\system32\d3d8caps.dat
2008-07-16 14:39 . 2008-07-16 14:39 248 --a------ C:\WINDOWS\RomeTW.ini
2008-07-16 14:30 . 2008-07-16 14:30 <DIR> d-------- C:\Program Files\Activision
2008-07-16 14:05 . 2008-07-19 14:13 38 --a------ C:\WINDOWS\AviSplitter.INI
2008-07-15 10:51 . 2008-08-07 16:54 <DIR> d-------- C:\Program Files\DivX
2008-07-15 10:51 . 2008-07-15 10:51 <DIR> d-------- C:\Documents and Settings\David Fookes\Application Data\DivX

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-13 16:50 6,736 ----a-w C:\WINDOWS\system32\drivers\PROCEXP90.SYS
2008-08-09 16:29 --------- d-----w C:\Program Files\eMule
2008-08-07 22:11 6,656 ----a-w C:\WINDOWS\system32\wuauserv.dll
2008-07-30 16:42 23,888 ----a-w C:\WINDOWS\system32\drivers\COH_Mon.sys
2008-07-30 16:28 706 ----a-w C:\WINDOWS\system32\drivers\COH_Mon.inf
2008-07-30 16:28 10,537 ----a-w C:\WINDOWS\system32\drivers\coh_mon.cat
2008-07-25 08:36 524,288 ----a-w C:\WINDOWS\system32\DivXsm.exe
2008-07-23 16:50 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll
2008-07-16 14:34 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-07-16 13:29 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-07-11 18:01 --------- d-----w C:\Documents and Settings\David Fookes\Application Data\Media Player Classic
2008-07-11 17:59 --------- d-----w C:\Program Files\XP Codec Pack
2008-07-05 10:14 456,192 ----a-w C:\WINDOWS\system32\libmplayer.dll
2008-07-05 10:14 3,591,168 ----a-w C:\WINDOWS\system32\libavcodec.dll
2008-07-05 10:13 708,096 ----a-w C:\WINDOWS\system32\ff_x264.dll
2008-06-28 01:00 --------- d-----w C:\Documents and Settings\David Fookes\Application Data\InstallShield
2008-06-22 16:34 177,664 ----a-w C:\WINDOWS\system32\ff_theora.dll
2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-13 13:45 579,464 ----a-w C:\WINDOWS\system32\SymNeti.dll
2008-06-13 13:45 207,240 ----a-w C:\WINDOWS\system32\SymRedir.dll
2008-06-13 13:14 31,280 ----a-w C:\WINDOWS\system32\drivers\SymIM.sys
2008-06-13 13:14 13,093 ----a-w C:\WINDOWS\system32\drivers\SymRedir.cat
2008-06-13 13:14 1,611 ----a-w C:\WINDOWS\system32\drivers\SymRedir.inf
2008-06-13 13:13 96,432 ----a-w C:\WINDOWS\system32\drivers\symfw.sys
2008-06-13 13:13 41,008 ----a-w C:\WINDOWS\system32\drivers\symndisv.sys
2008-06-13 13:13 38,576 ----a-w C:\WINDOWS\system32\drivers\symids.sys
2008-06-13 13:13 37,424 ----a-w C:\WINDOWS\system32\drivers\symndis.sys
2008-06-13 13:13 22,320 ----a-w C:\WINDOWS\system32\drivers\symredrv.sys
2008-06-13 13:13 184,240 ----a-w C:\WINDOWS\system32\drivers\symtdi.sys
2008-06-13 13:13 13,616 ----a-w C:\WINDOWS\system32\drivers\symdns.sys
2008-06-13 13:10 272,128 ------w C:\WINDOWS\system32\drivers\bthport.sys
2008-06-13 10:39 23,552 ----a-w C:\WINDOWS\system32\ff_wmv9.dll
2008-06-12 17:36 7,680 ----a-w C:\WINDOWS\system32\ff_vfw.dll
2008-06-12 16:25 962,560 ----a-w C:\WINDOWS\system32\VSFilter.dll
2008-06-11 00:07 129,784 ------w C:\WINDOWS\system32\pxafs.dll
2008-06-11 00:07 120,056 ------w C:\WINDOWS\system32\pxcpyi64.exe
2008-06-11 00:07 118,520 ------w C:\WINDOWS\system32\pxinsi64.exe
2008-06-10 15:11 315,392 ----a-w C:\WINDOWS\HideWin.exe
2008-05-30 13:19 507,400 ----a-w C:\WINDOWS\system32\XAudio2_1.dll
2008-05-30 13:18 238,088 ----a-w C:\WINDOWS\system32\xactengine3_1.dll
2008-05-30 13:17 65,032 ----a-w C:\WINDOWS\system32\XAPOFX1_0.dll
2008-05-30 13:17 25,608 ----a-w C:\WINDOWS\system32\X3DAudio1_4.dll
2008-05-30 13:11 467,984 ----a-w C:\WINDOWS\system32\d3dx10_38.dll
2008-05-30 13:11 3,850,760 ----a-w C:\WINDOWS\system32\D3DX9_38.dll
2008-05-30 13:11 1,491,992 ----a-w C:\WINDOWS\system32\D3DCompiler_38.dll
.

((((((((((((((((((((((((((((( snapshot@2008-08-13_17.50.03.67 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-08-11 12:04:54 58,596 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-08-13 16:52:42 58,596 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-08-11 12:04:54 392,296 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-08-13 16:52:42 392,296 ----a-w C:\WINDOWS\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\OverlayExcluded]
@="{4433A54A-1AC8-432F-90FC-85F045CF383C}"
[HKEY_CLASSES_ROOT\CLSID\{4433A54A-1AC8-432F-90FC-85F045CF383C}]
2008-02-26 09:34 576352 --a------ C:\Program Files\Common Files\Symantec Shared\Backup\buShell.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\OverlayPending]
@="{F17C0B1E-EF8E-4AD4-8E1B-7D7E8CB23225}"
[HKEY_CLASSES_ROOT\CLSID\{F17C0B1E-EF8E-4AD4-8E1B-7D7E8CB23225}]
2008-02-26 09:34 576352 --a------ C:\Program Files\Common Files\Symantec Shared\Backup\buShell.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\OverlayProtected]
@="{476D0EA3-80F9-48B5-B70B-05E677C9C148}"
[HKEY_CLASSES_ROOT\CLSID\{476D0EA3-80F9-48B5-B70B-05E677C9C148}]
2008-02-26 09:34 576352 --a------ C:\Program Files\Common Files\Symantec Shared\Backup\buShell.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2007-07-27 13:00 15360]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 17:24 1694208]
"kdx"="C:\Program Files\Kontiki\KHost.exe" [2007-04-23 11:23 1032640]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-11-08 22:52 8491008]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-11-08 22:52 81920]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2008-02-18 20:37 51048]
"osCheck"="C:\Program Files\Norton 360\osCheck.exe" [2008-02-26 15:50 988512]
"4oD"="C:\Program Files\Kontiki\KHost.exe" [2007-04-23 11:23 1032640]
"RTHDCPL"="RTHDCPL.EXE" [2007-11-22 16:40 16858112 C:\WINDOWS\RTHDCPL.exe]
"nwiz"="nwiz.exe" [2007-11-08 22:52 1626112 C:\WINDOWS\system32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2007-07-27 13:00 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.ffds"= ffdshow.ax
"msacm.ac3filter"= ac3filter.acm

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Kontiki\\KService.exe"=

R2 LiveUpdate Notice;LiveUpdate Notice;C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe [2008-02-18 20:37]
S3 ADM8511;ADMtek ADM8511/AN986 USB To Fast Ethernet Converter;C:\WINDOWS\system32\DRIVERS\ADM8511.SYS [2001-08-17 13:11]
S3 COH_Mon;COH_Mon;C:\WINDOWS\system32\Drivers\COH_Mon.sys [2008-07-30 17:42]

*Newly Created Service* - COMHOST
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-13 19:06:33
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-08-13 19:06:57
ComboFix-quarantined-files.txt 2008-08-13 18:06:56
ComboFix2.txt 2008-08-13 16:50:27

Pre-Run: 403,793,477,632 bytes free
Post-Run: 403,791,884,288 bytes free

301 --- E O F --- 2008-08-13 17:00:45

Malwarebytes' Anti-Malware 1.24
Database version: 1049
Windows 5.1.2600 Service Pack 2

00:44:33 14/08/2008
mbam-log-8-14-2008 (00-44-33).txt

Scan type: Full Scan (C:\|)
Objects scanned: 68084
Time elapsed: 9 minute(s), 14 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 41

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\Control Panel\Desktop\originalwallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\Desktop\convertedwallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\WINDOWS\system32\kBin15 (Trojan.Agent) -> Quarantined and deleted successfully.

Files Infected:
C:\QooBox\Quarantine\C\WINDOWS\system32\abenjjfy.exe.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\byXOhgGw.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\ddgjxjhn.exe.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\gdomnv.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\grftggso.exe.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\hifwrhlt.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\ofguoa.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\pgxltlcx.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\pmilfrgu.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\pvyqrwxb.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\qfuuujlb.exe.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\qvxdkifk.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\rvlavnbl.exe.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\uhcklc.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\vhtptycl.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\vmlmafyh.exe.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\xpjfac.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\xxwxrdqg.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{19091171-B970-47BE-A94B-7C54E839AB4C}\RP10\A0000703.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{19091171-B970-47BE-A94B-7C54E839AB4C}\RP10\A0000689.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{19091171-B970-47BE-A94B-7C54E839AB4C}\RP10\A0000690.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{19091171-B970-47BE-A94B-7C54E839AB4C}\RP10\A0000691.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{19091171-B970-47BE-A94B-7C54E839AB4C}\RP10\A0000695.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{19091171-B970-47BE-A94B-7C54E839AB4C}\RP10\A0000696.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{19091171-B970-47BE-A94B-7C54E839AB4C}\RP10\A0000697.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{19091171-B970-47BE-A94B-7C54E839AB4C}\RP10\A0000698.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{19091171-B970-47BE-A94B-7C54E839AB4C}\RP10\A0000699.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{19091171-B970-47BE-A94B-7C54E839AB4C}\RP10\A0000704.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{19091171-B970-47BE-A94B-7C54E839AB4C}\RP10\A0000707.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{19091171-B970-47BE-A94B-7C54E839AB4C}\RP10\A0000708.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{19091171-B970-47BE-A94B-7C54E839AB4C}\RP13\A0000934.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{19091171-B970-47BE-A94B-7C54E839AB4C}\RP13\A0000935.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{19091171-B970-47BE-A94B-7C54E839AB4C}\RP13\A0000936.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{19091171-B970-47BE-A94B-7C54E839AB4C}\RP13\A0000938.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{19091171-B970-47BE-A94B-7C54E839AB4C}\RP13\A0000939.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{19091171-B970-47BE-A94B-7C54E839AB4C}\RP13\A0000937.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{19091171-B970-47BE-A94B-7C54E839AB4C}\RP6\A0000342.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{19091171-B970-47BE-A94B-7C54E839AB4C}\RP7\A0000570.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{19091171-B970-47BE-A94B-7C54E839AB4C}\RP7\A0000571.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{19091171-B970-47BE-A94B-7C54E839AB4C}\RP7\A0000572.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{19091171-B970-47BE-A94B-7C54E839AB4C}\RP7\A0000573.dll (Trojan.Vundo) -> Quarantined and deleted successfully.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 00:46:43, on 14/08/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Kontiki\KService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.6\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.6\CoIEPlg.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton 360\osCheck.exe"
O4 - HKLM\..\Run: [4oD] "C:\Program Files\Kontiki\KHost.exe" -all
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [kdx] C:\Program Files\Kontiki\KHost.exe -all
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.6.108.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1217954152328
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1217954142593
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://sdlc-esd.sun.com/ESD44/JSCDL/jdk/6u7/jinstall-6u7-windows-i586-jc.cab?AuthParam=1217934483_ba773d8fc5c80158e51bd1b7fe95386c&GroupName=JSC&BHost=javadl.sun.com&FilePath=/ESD44/JSCDL/jdk/6u7/jinstall-6u7-windows-i586-jc.cab&File=jinstall-6u7-windows-i586-jc.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,5353/mcfscan.cab
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec RemoteAssist - Unknown owner - C:\Program Files\Common Files\Symantec Shared\Support Controls\ssrc.exe (file missing)

--
End of file - 6825 bytes


OK, there are the log files. What has changed is that Windows Update now appears to be downloading, which it had refused to do properly for some time (the automated updates service would not start); however, it still fails to install (XP Service Pack 3). Norton 360 still found a tracking file and Spybot S&D found a DoubleClick cookie (both of which I asked the respective programs to fix). I haven't seen a pop-up recently though, which is promising.


In addition the following high priority updates aren't downloading (possibly it is waiting for the service pack to go first?)

Microsoft .NET Framework 2.0 Service Pack 1 (KB110806)
Cumulative Security Update for ActiveX Killbits for Windows XP (KB953839)
Windows Malicious Software Removal Tool - August 2008 (KB890830)
Security Update for Outlook Express for Windows XP (KB951066)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB952954)
Cumulative Security Update for Internet Explorer 7 for Windows XP (KB953838)
Security Update for Windows XP (KB950974)
Update for Windows XP (KB951072)
Update for Windows XP (KB952287)

pskelley
2008-08-14, 02:22
Thanks for the feedback. I suggest you wait until your computer is clean before trying to install SP3; I have a clean computer and had problems with it. I personally purchased a CD and it just came in, so I have not installed the SP yet, but I did install the recent updates. You can pass on the SP by choosing to custom install and checking the criticals. Once you are clean, if you still have issues with the SP, contact Microsoft for help.
Microsoft Windows XP Service Pack 3 (All Languages)
http://support.microsoft.com/oas/default.aspx?ln=en-us&prid=11273&gprid=522131

Let's proceed with the cleanup like this:

I am sure you saw this:
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
Review that information to understand Recovery Console. Installation is optional, but if you do not have the CDs needed, as is explained, it can be installed before we remove combofix.
If you do not have access to Recovery Console via a Windows CD, I strongly advise you to install this tool.
If you do not wish to install RC, let me know so I can continue with the cleanup.
If you install RC, post the C:\*CF-RC.txt*.

Since we do not need to scan with combofix, click NO

http://img.photobucket.com/albums/v666/sUBs/RC_whatnext.gif

http://img.photobucket.com/albums/v666/sUBs/RC_AllDone.gif

Thanks

Pudding
2008-08-14, 03:14
OK Phil, I have the XP disk so I installed from there. I assume that is why I don't have the file you wanted me to post. My bad. Is that OK, or should I redo it using combofix?

pskelley
2008-08-14, 13:42
Thanks for the feedback. Remove combofix from your computer like this:

Click START then RUN
Now type or copy Combofix /u in the runbox and click OK.
Note the space between the X and the U, it needs to be there.

http://i189.photobucket.com/albums/z176/EPL47/CF_Cleanup.png

Clean infected System Restore files like this:

Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

Reboot

Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Uncheck Turn off System Restore.
Click Apply, and then click OK.

Run MBAM again to be sure we got it all; there is no need to post a clean scan result unless you have questions.

Malware can mess up your security programs. Update Symantec and run a system scan; if you have any issues with the program, contact Symantec tech support for instructions:
http://www.symantec.com/enterprise/support/index.jsp

Let me know about any malware issues at this point. I will post this information for you now so you can benefit from it.

Some good information for you:
http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html
http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx

Here is some great information from experts in this field that will help you stay clean and safe online.
http://users.telenet.be/bluepatchy/miekiemoes/prevention.html
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml

http://www.malwarecomplaints.info/

Thanks...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.
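The System Restore off/on cycle above is done through the GUI. As an added example that is not part of the original thread, the same cycle can be driven from PowerShell through the WMI SystemRestore class (namespace root\default), which also lets you list the restore points before and after so you can confirm the old ones, and anything malware stashed in them, are really gone. It assumes Windows XP/2003 with PowerShell installed and an Administrator session; "C:\" as the system drive, the "Post-cleanup baseline" description and the two helper function names are assumptions for this example.

```powershell
# Added example, not from the thread: toggle System Restore through the WMI
# SystemRestore class instead of the System Restore tab, and list restore
# points before and after. Assumes Windows XP/2003, PowerShell installed,
# an Administrator session, and C:\ as the system drive (assumption).

$ns = "root\default"

function Get-RestorePoints {
    # Each instance of the SystemRestore class is one restore point.
    Get-WmiObject -Namespace $ns -Class SystemRestore |
        Select-Object SequenceNumber, Description, CreationTime
}

function Get-SystemRestoreState {
    # DisableSR = 1 is what the "Turn off System Restore" checkbox writes.
    $key = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore"
    $v = (Get-ItemProperty -Path $key -Name DisableSR -ErrorAction SilentlyContinue).DisableSR
    if ($v -eq 1) { "Off" } else { "On" }
}

$sr = [wmiclass]"\\.\$ns:SystemRestore"

"Before: System Restore is $(Get-SystemRestoreState)"
"Restore points before purge:"
Get-RestorePoints | Format-Table -AutoSize

# Step 1: turn System Restore off. Disabling it on the system drive disables
# it on all drives and deletes every restore point, which is the point of the
# procedure: infected files copied into System Volume Information go with them.
$rc = $sr.Disable("C:\")
"Disable returned $($rc.ReturnValue) (0 = success)"

# The post reboots here; do the same, then run the rest of this script.

# Step 2: turn it back on, waiting until the service reports it is enabled.
$rc = $sr.Enable("C:\", $true)
"Enable returned $($rc.ReturnValue) (0 = success)"

# Step 3: verify the old points are gone and create a known-clean baseline
# (RestorePointType 0 = APPLICATION_INSTALL, EventType 100 = BEGIN_SYSTEM_CHANGE).
"After: System Restore is $(Get-SystemRestoreState)"
$rc = $sr.CreateRestorePoint("Post-cleanup baseline", 0, 100)
"CreateRestorePoint returned $($rc.ReturnValue) (0 = success)"
"Restore points after re-enable:"
Get-RestorePoints | Format-Table -AutoSize
```

Run the first half, reboot, then the second half; if the "after" list shows anything other than the new baseline point, the purge did not happen and the GUI steps in the post should be repeated.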

Pudding
2008-08-14, 15:16
ComboFix uninstalled OK, MBAM found nothing, Norton 360 finds only a tracking cookie, and Spybot finds nothing. I'm clean?

Still having issues with MS Update: going to Custom and downloading the other updates (i.e. not SP3) works as far as the download goes, but they won't install. I guess that is a matter to take up with MS.

Thanks for the links to what looks like good reading matter.

David

pskelley
2008-08-14, 15:41
Thanks for the feedback. I can suggest the CD for SP3; it takes about a week or so to get and costs $4 with $6 for shipping (USA).
http://support.microsoft.com/kb/322389

For your issues with Windows Updates, look here:
http://v4.windowsupdate.microsoft.com/troubleshoot/

Hope that helps...Phil

Pudding
2008-08-15, 17:06
Thanks for everything Phil

I managed to get my updates working by taking advice from the Windows Update newsgroup:

http://www.microsoft.com/communities/newsgroups/en-us/default.aspx?dg=microsoft.public.windowsupdate&lang=en&cr=US

which led me to download and use Dial-a-fix:

http://wiki.djlizard.net/Dial-a-fix

Having run this and rebooted, my updates (including SP3) installed automatically.

NOTE FOR PEOPLE BROWSING: This post is not advice, I'm just saying what worked for me. Dial-a-fix may not be appropriate to your situation.

David

pskelley
2008-08-15, 17:32
You go, David! Here are more links for you that may come in handy one day:

http://www.kellys-korner-xp.com/xp.htm
http://users.telenet.be/bluepatchy/miekiemoes/Links.html
http://kadaitcha.cx/index.html

Safe surfing...Phil