
Virtumonde infection



moneypenny720
2008-08-15, 05:18
Help ... I can't get rid of Virtumonde. I'm 3 days into this housekeeping nightmare.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:15:46 PM, on 8/14/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\SYSTEM32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.gateway.net
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O4 - HKLM\..\Run: [161b1342] rundll32.exe "C:\WINDOWS\system32\whfaoetn.dll",b
O4 - HKLM\..\Run: [BM152820de] Rundll32.exe "C:\WINDOWS\system32\imawadsq.dll",s
O4 - HKLM\..\RunOnce: [Spybot - Search & Destroy] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKLM\..\RunOnce: [SpybotDeletingA7330] command /c del "C:\WINDOWS\SYSTEM32\nnnmmnMe.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingC1214] cmd /c del "C:\WINDOWS\SYSTEM32\nnnmmnMe.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingA4260] command /c del "C:\WINDOWS\SYSTEM32\nnnmmnMe.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingC5253] cmd /c del "C:\WINDOWS\SYSTEM32\nnnmmnMe.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingA3271] command /c del "C:\WINDOWS\SYSTEM32\rqRLffdC.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC9873] cmd /c del "C:\WINDOWS\SYSTEM32\rqRLffdC.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingA3463] command /c del "C:\WINDOWS\SYSTEM32\nnnmmnMe.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingC2865] cmd /c del "C:\WINDOWS\SYSTEM32\nnnmmnMe.dll"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\RunOnce: [SpybotDeletingB7015] command /c del "C:\WINDOWS\SYSTEM32\nnnmmnMe.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingD1574] cmd /c del "C:\WINDOWS\SYSTEM32\nnnmmnMe.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingB6710] command /c del "C:\WINDOWS\SYSTEM32\rqRLffdC.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD2652] cmd /c del "C:\WINDOWS\SYSTEM32\rqRLffdC.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingB8549] command /c del "C:\WINDOWS\SYSTEM32\nnnmmnMe.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingD3681] cmd /c del "C:\WINDOWS\SYSTEM32\nnnmmnMe.dll"
O8 - Extra context menu item: &Google Search - res://C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLETOOLBAR_EN_2.0.95-DELEON.DLL/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLETOOLBAR_EN_2.0.95-DELEON.DLL/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLETOOLBAR_EN_2.0.95-DELEON.DLL/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLETOOLBAR_EN_2.0.95-DELEON.DLL/cmsimilar.html
O8 - Extra context menu item: Translate Page - res://C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLETOOLBAR_EN_2.0.95-DELEON.DLL/cmtrans.html
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: Aces Up! by pogo - http://game1.pogo.com/applet-8.0.5.30/aces/aces-en_US.cab
O16 - DPF: Ali Baba Slots TM by pogo - http://game1.pogo.com/applet-8.0.1.32/slots/alibaba-en_US.cab
O16 - DPF: Blackjack by pogo - http://game1.pogo.com/applet-8.0.5.30/blackjack/blackjack-en_US.cab
O16 - DPF: Blooop by pogo - http://game1.pogo.com/applet-6.9.4.41/cascade/cascade-en_US.cab
O16 - DPF: Bowling by pogo - http://game1.pogo.com/applet-8.0.1.23/bowling/bowling-en_US.cab
O16 - DPF: Dice City Roller by pogo - http://game1.pogo.com/applet-8.0.3.20/ytz/ytz-en_US.cab
O16 - DPF: Dice Derby by pogo - http://game1.pogo.com/applet-8.0.2.32/checkeredflag/checkeredflag-en_US.cab
O16 - DPF: Double Deuce Poker by pogo - http://game1.pogo.com/applet-8.0.5.30/videopoker2/doubledeuce-en_US.cab
O16 - DPF: First Class Solitaire by pogo - http://game1.pogo.com/applet-8.0.4.32/firstclass2/firstclass2-en_US.cab
O16 - DPF: Hog Heaven Slots by pogo - http://game1.pogo.com/applet-8.0.2.40/fancy/fancy-en_US.cab
O16 - DPF: Jigsaw Detective by pogo - http://game1.pogo.com/applet-8.0.3.20/jigsaw/jigsaw-en_US.cab
O16 - DPF: Jungle Gin by pogo - http://game1.pogo.com/applet-8.0.5.30/gin2/gin2-en_US.cab
O16 - DPF: Payday Freecell Solitaire by pogo - http://game1.pogo.com/applet-8.0.4.41/freecell2/freecell2-en_US.cab
O16 - DPF: Perfect Pair Solitaire by pogo - http://game1.pogo.com/applet-8.0.2.32/waterwheel/waterwheel-en_US.cab
O16 - DPF: Pop Fu by pogo - http://game1.pogo.com/applet-8.0.0.20/popfu/popfu-en_US.cab
O16 - DPF: PoppaZoppa by pogo - http://game1.pogo.com/applet-8.0.2.32/poppazoppa/poppazoppa-en_US.cab
O16 - DPF: Poppit by pogo - http://game1.pogo.com/applet-8.0.5.30/poppit2/poppit2-en_US.cab
O16 - DPF: SciFi Slots by pogo - http://game1.pogo.com/applet-8.0.2.32/slots/scifi-en_US.cab
O16 - DPF: Showbiz Slots 2 by pogo - http://game1.pogo.com/applet-8.0.4.32/slots/showbiz2-en_US.cab
O16 - DPF: Showbiz Slots by pogo - http://game1.pogo.com/applet-8.0.4.32/slots/showbiz-en_US.cab
O16 - DPF: Spider Solitaire by pogo - http://game1.pogo.com/applet-8.0.2.32/spider/spider-en_US.cab
O16 - DPF: Squelchies by pogo - http://game1.pogo.com/applet-8.0.1.32/squelchies/squelchies-en_US.cab
O16 - DPF: Sweet Tooth TM by pogo - http://game1.pogo.com/applet-8.0.5.30/sweettooth/sweettooth-en_US.cab
O16 - DPF: Word Whomp Whackdown by pogo - http://game1.pogo.com/applet-8.0.1.32/whackdown/whackdown-en_US.cab
O16 - DPF: World Class Solitaire by pogo - http://game1.pogo.com/applet-8.0.4.32/worldclass/worldclass-en_US.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe

--
End of file - 6973 bytes

moneypenny720
2008-08-15, 17:44
Following the instructions posted on Bleeping Computer, I ran ComboFix and it has helped clean up some of the issues. I'm still getting a Spybot Registry Denied popup when I log in.

I can't tell you how appreciative I am of all of the folks here. I'm a computer professional and am visiting my Mom. It's her computer that was infected ... She had over 5000 viruses, and I've installed several things so that it doesn't happen again; and I'm so disgusted that there are such malicious people out there in the world who would want to inflict this kind of malicious software on innocents. It's just a shame!

Here's my ComboFix log.

ComboFix 08-08-14.03 - Administrator 2008-08-15 11:19:49.1 - FAT32x86 NETWORK
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.228 [GMT -4:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\aepenny\Application Data\rhctv0j0en2b
C:\WINDOWS\BM152820de.txt
C:\WINDOWS\BM152820de.xml
C:\WINDOWS\hosts
C:\WINDOWS\pskt.ini
C:\WINDOWS\start.exe
C:\WINDOWS\system\oeminfo.ini
C:\WINDOWS\SYSTEM32\aphefpke.ini
C:\WINDOWS\system32\araejc.dll
C:\WINDOWS\system32\awpbavkd.dll
C:\WINDOWS\system32\bgepmsop.dll
C:\WINDOWS\system32\bhgyaa.dll
C:\WINDOWS\system32\bhpymt.dll
C:\WINDOWS\system32\bikihbhr.dll
C:\WINDOWS\system32\bojwqr.dll
C:\WINDOWS\system32\bykqwxsx.exe
C:\WINDOWS\system32\CdffLRqr.ini
C:\WINDOWS\SYSTEM32\CdffLRqr.ini2
C:\WINDOWS\system32\dirwcqot.dll
C:\WINDOWS\system32\dvnped.dll
C:\WINDOWS\system32\ecxmwryl.ini
C:\WINDOWS\system32\efcDSMFy.dll
C:\WINDOWS\system32\ffasmbtt.dll
C:\WINDOWS\system32\fugttmqt.ini
C:\WINDOWS\system32\gknrptxr.ini
C:\WINDOWS\SYSTEM32\glgokllu.ini
C:\WINDOWS\system32\habhhc.dll
C:\WINDOWS\system32\hjbpdwkp.ini
C:\WINDOWS\system32\hwovpj.dll
C:\WINDOWS\system32\imawadsq.dll
C:\WINDOWS\system32\iryihprg.dll
C:\WINDOWS\system32\iywwcfcx.ini
C:\WINDOWS\system32\kqoztw.dll
C:\WINDOWS\system32\kstveg.dll
C:\WINDOWS\system32\kxbcyglc.ini
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\meakuiht.dll
C:\WINDOWS\system32\mlejhkbt.dll
C:\WINDOWS\system32\ngdpwoyb.dll
C:\WINDOWS\system32\nnnmmnMe.dll
C:\WINDOWS\SYSTEM32\nteoafhw.ini
C:\WINDOWS\system32\omkdik.dll
C:\WINDOWS\system32\oupvaiak.ini
C:\WINDOWS\system32\ovrtfu.dll
C:\WINDOWS\system32\prBLkUvw.ini
C:\WINDOWS\SYSTEM32\prBLkUvw.ini2
C:\WINDOWS\system32\qarqujka.exe
C:\WINDOWS\system32\qniims.dll
C:\WINDOWS\system32\qtmimuus.dll
C:\WINDOWS\system32\REGOBJ.DLL
C:\WINDOWS\system32\rtiwol.dll
C:\WINDOWS\system32\seuiji.dll
C:\WINDOWS\system32\shlqdxck.exe
C:\WINDOWS\system32\sogoiawv.dll
C:\WINDOWS\SYSTEM32\suumimtq.ini
C:\WINDOWS\system32\sysrest.sys
C:\WINDOWS\system32\sysrest32.exe
C:\WINDOWS\system32\tndkhnth.ini
C:\WINDOWS\SYSTEM32\ttbmsaff.ini
C:\WINDOWS\system32\twgvakpi.dll
C:\WINDOWS\system32\uaqapesd.dll
C:\WINDOWS\system32\ufsnktpg.ini
C:\WINDOWS\system32\ullkoglg.dll
C:\WINDOWS\system32\uxnrdvij.dll
C:\WINDOWS\system32\vlbucgyu.dll
C:\WINDOWS\system32\vlniwiyf.dll
C:\WINDOWS\system32\whfaoetn.dll
C:\WINDOWS\system32\windows.scr
C:\WINDOWS\system32\wplldwrm.dll
C:\WINDOWS\system32\xatbmnge.ini
C:\WINDOWS\system32\xgmryudp.dll
C:\WINDOWS\SYSTEM32\xttoexxa.ini
C:\WINDOWS\SYSTEM32\xxbKQXyb.ini
C:\WINDOWS\SYSTEM32\xxbKQXyb.ini2
C:\WINDOWS\SYSTEM32\yFMSDcfe.ini
C:\WINDOWS\SYSTEM32\yFMSDcfe.ini2
C:\WINDOWS\system32\yiaehpgm.dll
C:\WINDOWS\system32\ytogtkxd.dll
C:\WINDOWS\Web\default.htt

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_SYSREST.SYS
-------\Service_sysrest.sys


((((((((((((((((((((((((( Files Created from 2008-07-15 to 2008-08-15 )))))))))))))))))))))))))))))))
.

2008-08-13 20:28 . 2008-08-14 22:46 538 --a------ C:\WINDOWS\wininit.ini
2008-08-13 19:36 . 2008-08-13 19:36 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-08-13 19:36 . 2008-08-13 19:36 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-08-13 17:43 . 2008-08-13 17:43 <DIR> d-------- C:\Documents and Settings\Administrator
2008-08-13 15:39 . 2008-08-13 15:39 958 --a------ C:\WINDOWS\Active Setup Log.BAK
2008-08-13 11:45 . 2008-08-13 11:45 <DIR> d-------- C:\WINDOWS\SYSTEM32\scripting
2008-08-13 11:43 . 2008-04-14 05:42 236,544 --a------ C:\WINDOWS\SYSTEM32\dllcache\smi2smir.exe
2008-08-13 11:43 . 2008-04-14 05:42 92,160 --a------ C:\WINDOWS\SYSTEM32\evntwin.exe
2008-08-13 11:43 . 2008-04-14 05:42 92,160 --a------ C:\WINDOWS\SYSTEM32\dllcache\evntwin.exe
2008-08-13 11:43 . 2008-04-14 05:42 24,064 --a------ C:\WINDOWS\SYSTEM32\evntcmd.exe
2008-08-13 11:43 . 2008-04-14 05:42 24,064 --a------ C:\WINDOWS\SYSTEM32\dllcache\evntcmd.exe
2008-08-13 11:43 . 2008-04-14 05:42 6,144 --a------ C:\WINDOWS\SYSTEM32\snmpmib.dll
2008-08-13 11:43 . 2008-04-14 05:42 6,144 --a------ C:\WINDOWS\SYSTEM32\dllcache\snmpmib.dll
2008-08-13 11:42 . 2008-04-14 05:42 188,416 --a------ C:\WINDOWS\SYSTEM32\dllcache\snmpsmir.dll
2008-08-13 11:42 . 2008-04-14 05:41 39,936 --a------ C:\WINDOWS\SYSTEM32\hostmib.dll
2008-08-13 11:42 . 2008-04-14 05:41 39,936 --a------ C:\WINDOWS\SYSTEM32\dllcache\hostmib.dll
2008-08-13 11:41 . 2008-04-14 05:42 358,400 --a------ C:\WINDOWS\SYSTEM32\dllcache\snmpincl.dll
2008-08-13 11:41 . 2008-04-14 05:42 259,072 --a------ C:\WINDOWS\SYSTEM32\dllcache\snmpcl.dll
2008-08-13 11:41 . 2008-04-14 05:42 33,280 --a------ C:\WINDOWS\SYSTEM32\snmp.exe
2008-08-13 11:41 . 2008-04-14 05:42 33,280 --a------ C:\WINDOWS\SYSTEM32\dllcache\snmp.exe
2008-08-13 11:41 . 2008-04-14 05:42 8,704 --a------ C:\WINDOWS\SYSTEM32\snmptrap.exe
2008-08-13 11:41 . 2008-04-14 05:42 8,704 --a------ C:\WINDOWS\SYSTEM32\dllcache\snmptrap.exe
2008-08-13 11:39 . 2008-08-13 11:39 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2008-08-13 11:39 . 2008-04-14 05:42 294,912 --------- C:\WINDOWS\SYSTEM32\dllcache\dlimport.exe
2008-08-13 11:39 . 2008-04-14 05:41 101,888 --a------ C:\WINDOWS\SYSTEM32\evntagnt.dll
2008-08-13 11:39 . 2008-04-14 05:41 101,888 --a------ C:\WINDOWS\SYSTEM32\dllcache\evntagnt.dll
2008-08-13 11:39 . 2008-04-14 05:42 39,936 --a------ C:\WINDOWS\SYSTEM32\dllcache\snmpthrd.dll
2008-08-13 11:39 . 2008-04-14 05:41 33,792 --a------ C:\WINDOWS\SYSTEM32\lmmib2.dll
2008-08-13 11:39 . 2008-04-14 05:41 33,792 --a------ C:\WINDOWS\SYSTEM32\dllcache\lmmib2.dll
2008-08-13 11:26 . 2006-12-29 00:31 19,569 --a------ C:\WINDOWS\002814_.tmp
2008-08-13 11:17 . 2008-08-13 11:17 <DIR> d-------- C:\WINDOWS\EHome
2008-08-13 09:00 . 2006-02-28 08:00 28,288 --a------ C:\WINDOWS\SYSTEM32\dllcache\xjis.nls
2008-08-13 08:58 . 2006-02-28 08:00 1,875,968 --a------ C:\WINDOWS\SYSTEM32\dllcache\msir3jp.lex
2008-08-13 08:57 . 2008-04-14 05:39 13,463,552 --a------ C:\WINDOWS\SYSTEM32\dllcache\hwxjpn.dll
2008-08-13 08:56 . 2006-02-28 08:00 1,677,824 --a------ C:\WINDOWS\SYSTEM32\dllcache\chsbrkr.dll
2008-08-13 08:50 . 2008-08-13 08:50 488 -rah----- C:\WINDOWS\SYSTEM32\logonui.exe.manifest
2008-08-13 08:49 . 2008-08-13 08:49 749 -rah----- C:\WINDOWS\WindowsShell.Manifest
2008-08-13 08:49 . 2008-08-13 08:49 749 -rah----- C:\WINDOWS\SYSTEM32\wuaucpl.cpl.manifest
2008-08-13 08:49 . 2008-08-13 08:49 749 -rah----- C:\WINDOWS\SYSTEM32\sapi.cpl.manifest
2008-08-13 08:49 . 2008-08-13 08:49 749 -rah----- C:\WINDOWS\SYSTEM32\ncpa.cpl.manifest
2008-08-13 08:37 . 2006-02-28 08:00 1,086,058 -ra------ C:\WINDOWS\SET3F.tmp
2008-08-13 08:37 . 2006-02-28 08:00 1,042,903 -ra------ C:\WINDOWS\SET3C.tmp
2008-08-07 09:56 . 2006-02-28 08:00 16,384 --a------ C:\WINDOWS\SYSTEM32\dllcache\isignup.exe
2008-08-07 09:45 . 2006-02-28 08:00 1,086,058 -ra------ C:\WINDOWS\SETDD.tmp
2008-08-07 09:45 . 2006-02-28 08:00 1,042,903 -ra------ C:\WINDOWS\SETDA.tmp
2008-08-07 09:45 . 2006-02-28 08:00 14,573 -ra------ C:\WINDOWS\SET11C.tmp
2008-08-07 09:45 . 2006-02-28 08:00 13,753 -ra------ C:\WINDOWS\SETE9.tmp
2008-08-07 08:54 . 2008-08-13 07:31 218,886 --a------ C:\WINDOWS\setupapi.old
2008-08-07 04:07 . 2008-08-07 04:07 <DIR> d--hs---- C:\FOUND.001
2008-08-04 12:30 . 2008-08-04 12:30 <DIR> d--hs---- C:\FOUND.000
2008-08-03 18:07 . 2008-02-16 00:07 52,496 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\tmactmon.sys
2008-08-03 18:07 . 2008-02-16 00:07 52,240 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\tmevtmgr.sys
2008-08-03 18:02 . 2008-08-03 18:02 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Trend Micro
2008-08-03 16:48 . 2008-08-03 16:48 <DIR> d-------- C:\Documents and Settings\aepenny\Application Data\ParetoLogic
2008-08-03 16:46 . 2008-08-03 16:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ParetoLogic
2008-08-03 16:44 . 2008-08-03 16:44 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Downloaded Installations
2008-08-03 16:18 . 2008-02-16 00:07 138,384 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\tmcomm.sys
2008-08-03 15:52 . 2008-08-03 15:52 <DIR> d-------- C:\Program Files\RegCure
2008-08-02 21:03 . 2008-08-02 21:03 <DIR> d-------- C:\Documents and Settings\aepenny\Application Data\System Doctor Free
2008-08-02 20:53 . 2008-08-02 20:53 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\System Doctor Free
2008-08-02 20:53 . 2008-08-02 20:53 <DIR> dra------ C:\Documents and Settings\All Users\Application Data\SalesMon
2008-08-02 16:37 . 2008-08-02 16:37 0 --a------ C:\END

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-13 18:18 62,912 ----a-w C:\Documents and Settings\aepenny\Application Data\GDIPFONTCACHEV1.DAT
2002-11-08 19:13 0 ----a-w C:\Program Files\Common Files\as.ini
2001-11-05 22:39 197,120 ----a-w C:\Documents and Settings\All Users\GKids1.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-14 05:42 15360]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-07-07 09:42 2156368]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.VDOM"= vdowave.drv

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\disabledrunkeys]
"OEMRUNONCE"=c:\windows\options\cabs\oemrun.exe
"EnsoniqMixer"=starter.exe
"Hot Key Kbd 9910 Daemon"=SK9910DM.EXE
"Norton Auto-Protect"=C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
"NAV DefAlert"=C:\PROGRA~1\NORTON~1\DEFALERT.EXE
"CreateCD50"="C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
"AdaptecDirectCD"="C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
"LoadPowerProfile"=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\BIN\\hpqtra08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\BIN\\hpqste08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\BIN\\hpofxm08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\BIN\\hposfx08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\BIN\\hposid01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\BIN\\hpqscnvw.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\BIN\\hpqkygrp.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\BIN\\hpqCopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\BIN\\hpfccopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\BIN\\hpzwiz01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\BIN\\hpoews01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\BIN\\hpqnrs08.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]
"C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:OE /CALLER:WIN9X /user /install

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]
"C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:OE /CALLER:WIN9X /user /install
"C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:OE /CALLER:IE50 /user /install

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7790769C-0471-11d2-AF11-00C04FA35D02}]
"C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:WAB /CALLER:WIN9X /user /install

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7790769C-0471-11d2-AF11-00C04FA35D02}]
"C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:WAB /CALLER:WIN9X /user /install
"C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:WAB /CALLER:IE50 /user /install

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}]
C:\WINDOWS\SYSTEM32\updcrl.exe -e -u C:\WINDOWS\SYSTEM\verisignpub1.crl
.
Contents of the 'Scheduled Tasks' folder

2008-08-15 C:\WINDOWS\Tasks\PCHealth Scheduler for Data Collection.job
- C:\WINDOWS\PCHEALTH\SUPPORT\PCHSCHD.EXE []

2002-10-22 C:\WINDOWS\Tasks\Symantec NetDetect.job
- C:\PROGRAM FILES\SYMANTEC\LIVEUPDATE\NDETECT.EXE [2002-08-07 09:04]

2002-10-22 C:\WINDOWS\Tasks\Video Reminder.job
- C:\WINDOWS\TUNEUP.EXE []

2008-08-14 C:\WINDOWS\Tasks\Nightly Full System Scan.job
- C:\Program Files\Norton AntiVirus\SCNHNDLR.EXE []

2008-08-14 C:\WINDOWS\Tasks\RegCure.job
- C:\Program Files\RegCure\RegCure.exe [2008-04-21 17:21]

2008-08-15 C:\WINDOWS\Tasks\RegCure Program Check.job
- C:\Program Files\RegCure\RegCure.exe [2008-04-21 17:21]

2008-08-14 C:\WINDOWS\Tasks\ParetoLogic Registration.job
- C:\WINDOWS\system32\rundll32.exe [2008-04-14 05:42]
.
- - - - ORPHANS REMOVED - - - -

BHO-{40A05491-07D4-434B-95BB-7E78F979001E} - C:\WINDOWS\system32\rqRLffdC.dll
BHO-{6C5027E7-711D-4500-80BC-721D6F00F7A3} - (no file)
BHO-{938838B5-F66D-427D-8996-4DAF70D23C43} - (no file)
BHO-{9B8CD9CF-DA45-4268-A894-C03395AF3ACB} - C:\WINDOWS\system32\byXQKbxx.dll
BHO-{DCA04B7A-330A-4005-B6C6-70729F5286C0} - (no file)
HKLM-Run-161b1342 - C:\WINDOWS\system32\tqmttguf.dll
HKLM-Run-BM152820de - C:\WINDOWS\system32\imawadsq.dll


.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\aepenny\Application Data\Mozilla\Firefox\Profiles\u8nxuj96.default\
FireFox -: prefs.js - SEARCH.DEFAULTURL - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-msgr&p=
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.google.com/


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-15 11:29:57
Windows 5.1.2600 Service Pack 3 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\SYSTEM32\LOCATOR.EXE
C:\PROGRAM FILES\TREND MICRO\INTERNET SECURITY\SFCTLCOM.EXE
C:\WINDOWS\SYSTEM32\SNMP.EXE
C:\PROGRAM FILES\TREND MICRO\BM\TMBMSRV.EXE
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
.
**************************************************************************
.
Completion time: 2008-08-15 11:33:56 - machine was rebooted [aepenny]
ComboFix-quarantined-files.txt 2008-08-15 15:33:40

Pre-Run: 10,132,439,040 bytes free
Post-Run: 9,703,325,696 bytes free

271 --- E O F --- 2008-07-11 12:49:22

moneypenny720
2008-08-15, 17:55
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:47, on 2008-08-15
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: Aces Up! by pogo - http://game1.pogo.com/applet-8.0.5.30/aces/aces-en_US.cab
O16 - DPF: Ali Baba Slots TM by pogo - http://game1.pogo.com/applet-8.0.1.32/slots/alibaba-en_US.cab
O16 - DPF: Blackjack by pogo - http://game1.pogo.com/applet-8.0.5.30/blackjack/blackjack-en_US.cab
O16 - DPF: Blooop by pogo - http://game1.pogo.com/applet-6.9.4.41/cascade/cascade-en_US.cab
O16 - DPF: Bowling by pogo - http://game1.pogo.com/applet-8.0.1.23/bowling/bowling-en_US.cab
O16 - DPF: Dice City Roller by pogo - http://game1.pogo.com/applet-8.0.3.20/ytz/ytz-en_US.cab
O16 - DPF: Dice Derby by pogo - http://game1.pogo.com/applet-8.0.2.32/checkeredflag/checkeredflag-en_US.cab
O16 - DPF: Double Deuce Poker by pogo - http://game1.pogo.com/applet-8.0.5.30/videopoker2/doubledeuce-en_US.cab
O16 - DPF: First Class Solitaire by pogo - http://game1.pogo.com/applet-8.0.4.32/firstclass2/firstclass2-en_US.cab
O16 - DPF: Hog Heaven Slots by pogo - http://game1.pogo.com/applet-8.0.2.40/fancy/fancy-en_US.cab
O16 - DPF: Jigsaw Detective by pogo - http://game1.pogo.com/applet-8.0.3.20/jigsaw/jigsaw-en_US.cab
O16 - DPF: Jungle Gin by pogo - http://game1.pogo.com/applet-8.0.5.30/gin2/gin2-en_US.cab
O16 - DPF: Payday Freecell Solitaire by pogo - http://game1.pogo.com/applet-8.0.4.41/freecell2/freecell2-en_US.cab
O16 - DPF: Perfect Pair Solitaire by pogo - http://game1.pogo.com/applet-8.0.2.32/waterwheel/waterwheel-en_US.cab
O16 - DPF: Pop Fu by pogo - http://game1.pogo.com/applet-8.0.0.20/popfu/popfu-en_US.cab
O16 - DPF: PoppaZoppa by pogo - http://game1.pogo.com/applet-8.0.2.32/poppazoppa/poppazoppa-en_US.cab
O16 - DPF: Poppit by pogo - http://game1.pogo.com/applet-8.0.5.30/poppit2/poppit2-en_US.cab
O16 - DPF: SciFi Slots by pogo - http://game1.pogo.com/applet-8.0.2.32/slots/scifi-en_US.cab
O16 - DPF: Showbiz Slots 2 by pogo - http://game1.pogo.com/applet-8.0.4.32/slots/showbiz2-en_US.cab
O16 - DPF: Showbiz Slots by pogo - http://game1.pogo.com/applet-8.0.4.32/slots/showbiz-en_US.cab
O16 - DPF: Spider Solitaire by pogo - http://game1.pogo.com/applet-8.0.2.32/spider/spider-en_US.cab
O16 - DPF: Squelchies by pogo - http://game1.pogo.com/applet-8.0.1.32/squelchies/squelchies-en_US.cab
O16 - DPF: Sweet Tooth TM by pogo - http://game1.pogo.com/applet-8.0.5.30/sweettooth/sweettooth-en_US.cab
O16 - DPF: Word Whomp Whackdown by pogo - http://game1.pogo.com/applet-8.0.1.32/whackdown/whackdown-en_US.cab
O16 - DPF: World Class Solitaire by pogo - http://game1.pogo.com/applet-8.0.4.32/worldclass/worldclass-en_US.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe

--
End of file - 5331 bytes

tashi
2008-08-15, 19:18
Hello,

Please read the forum stickies :)
"BEFORE you POST"(READ this Procedure BEFORE Requesting Assistance) (http://forums.spybot.info/showthread.php?t=288)

We do request members don't add to their topic before a helper has responded and also:
Do NOT run 'fixes' before helpers have analyzed the HJT log (http://forums.spybot.info/showthread.php?t=16806)

Which is the most important part. ;)

Post here if still waiting for help in the Malware Forum, (AFTER) FOUR days (http://forums.spybot.info/forumdisplay.php?f=37)

Cheers.