Infected with Virtumonde - Windows Update disabled
dronykmama
2008-09-13, 20:00
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:52:02 AM, on 9/13/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\PROGRA~1\AVG\AVG8\avgam.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\lg_fwupdate\fwupdate.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe
C:\Program Files\Nero\Nero 7\InCD\InCD.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\WINDOWS\Logi_MwX.Exe
C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\ACNielsen\Homescan Internet Transporter\HSTrans.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\PROGRA~1\TELUSE~1\SMARTB~1\MotiveSB.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\AVG\AVG8\aAvgApi.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Documents and Settings\Diane\Desktop\HiJackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.lds.org/ldsorg/v/index.jsp?vgnextoid=e419fb40e21cef00VgnVCM1000001f5e340aRCRD
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [LGODDFU] "C:\Program Files\lg_fwupdate\fwupdate.exe" blrun
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [SecurDisc] C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Nero\Nero 7\InCD\InCD.exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [MegaPanel] C:\Program Files\ACNielsen\Homescan Internet Transporter\HSTrans.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\TELUSE~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [a4769d7d] rundll32.exe "C:\WINDOWS\system32\keftrpej.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase5036.cab
O16 - DPF: {76716694-EADA-4810-8C3B-4826328A317F} (SmartCouponPrinter Control) - http://content.dll1.com/Connectus/SmartCouponPrinter/SmartCouponPrinter20080612.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} (TikGames Online Control) - http://games.bigfishgames.com/en_cinematycoon/online/cinematycoon.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll xxcgmf.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: Viewpoint Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
--
End of file - 8130 bytes
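The two entries that mark this log as a Virtumonde (Vundo) infection are the O4 Run item with a hex-digit name loading a random-named system32 DLL through rundll32, and the extra DLL in O20 AppInit_DLLs. The following triage script is an added example, not code from this thread or from HijackThis; it embeds a constructed sample built from the entry names in the log above, and its `KNOWN_APPINIT` allowlist is an assumption for the example rather than a vendor-maintained list.

```python
"""Triage a HijackThis v2 log for the Virtumonde/Vundo loader pattern.

Flags:
  * O4 Run entries whose name is 8 hex digits and whose command loads a
    system32 DLL via rundll32 with a one-letter export argument,
  * O20 AppInit_DLLs entries that are not on a small known-good allowlist.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample, modelled on the log posted above (entry names taken from it).
SAMPLE_LOG = """\
O4 - HKLM\\..\\Run: [AVG8_TRAY] C:\\PROGRA~1\\AVG\\AVG8\\avgtray.exe
O4 - HKLM\\..\\Run: [NvCplDaemon] RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup
O4 - HKLM\\..\\Run: [a4769d7d] rundll32.exe "C:\\WINDOWS\\system32\\keftrpej.dll",b
O4 - HKCU\\..\\Run: [ctfmon.exe] C:\\WINDOWS\\system32\\ctfmon.exe
O20 - AppInit_DLLs: avgrsstx.dll xxcgmf.dll
"""

# Assumption for this example: the AVG 8 resident-shield hook is the only
# AppInit DLL expected on this machine. Extend for other legitimate products.
KNOWN_APPINIT = {"avgrsstx.dll"}

O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O20_RE = re.compile(r"^O20 - AppInit_DLLs: (?P<dlls>.*)$")
HEX_NAME_RE = re.compile(r"^[0-9a-f]{8}$")
# rundll32 loading a 6-8 letter DLL from system32 and calling a one-letter export.
RUNDLL_RE = re.compile(
    r'^rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+\\system32\\(?P<base>[a-z]{6,8}\.dll))"?'
    r',(?P<export>[a-z])$',
    re.IGNORECASE,
)


@dataclass(frozen=True)
class Finding:
    line: str
    reason: str


def triage_hjt(text: str) -> list[Finding]:
    """Return one Finding per suspicious O4/O20 line in a HijackThis log."""
    findings: list[Finding] = []
    for raw in text.splitlines():
        line = raw.strip()
        m = O4_RE.match(line)
        if m:
            name, cmd = m.group("name"), m.group("cmd")
            r = RUNDLL_RE.match(cmd)
            if HEX_NAME_RE.match(name) and r:
                findings.append(Finding(
                    line,
                    f"random-named Run entry loads {r.group('base')} "
                    f"via rundll32 export '{r.group('export')}'",
                ))
            continue
        m = O20_RE.match(line)
        if m:
            for dll in m.group("dlls").split():
                if dll.lower() not in KNOWN_APPINIT:
                    findings.append(Finding(line, f"AppInit_DLLs entry {dll} is not on the allowlist"))
    return findings


if __name__ == "__main__":
    for f in triage_hjt(SAMPLE_LOG):
        print(f"{f.reason}\n    {f.line}")
```

Both hits correspond to files that should be quarantined by a cleanup tool rather than deleted by hand, since the loader DLL re-creates its partner entries on reboot.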
pskelley
2008-09-15, 03:09
Welcome to Safer Networking, I wish to be sure you have viewed and understand this information.
"BEFORE you POST" (READ this Procedure before Requesting Assistance)
http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.
Make sure you read and follow the directions; anything else will slow the process and waste both of our time. I suggest you keep this computer offline except when troubleshooting, as the junk may download more. If you have any tool I use, delete it and download it new from the link I provide. Read and follow the directions carefully; the tools will not work unless you do.
The junk can be tough to remove, so do not expect fast or easy.
Are you aware this program is on your computer?
C:\Program Files\ACNielsen\Homescan Internet Transporter\HSTrans.exe
http://www.castlecops.com/startuplist-12455.html
http://www.bleepingcomputer.com/startups/HSTrans.exe-14382.html
A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.
Tutorial
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
Remove any old copies of combofix before you proceed.
Thanks to sUBs and anyone else who helped with this fix.
It is important that it is saved directly to your Desktop.
Download ComboFix from Here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) to your Desktop
Double click combofix.exe and follow the prompts.
When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
Post the combofix log and a new HJT log.
Thanks
dronykmama
2008-09-15, 08:17
I downloaded Malwarebytes while I was waiting and it seems to have taken care of the problem i.e. I can get my Windows update to work. Do you still want me to follow your instructions or send you another log so you can check to make sure all the bad stuff is gone?
Also, I do know that ACNielsen program is there - I put it there :)
Thanks for helping me.
Diane
pskelley
2008-09-15, 14:21
Do NOT run 'FIXES' before helpers have analyzed the HJT log
http://forums.spybot.info/showthread.php?t=16806
Please see the instructions above, you may do as you wish, it is your computer.
Some good information for you:
http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html
http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx
Here is some great information from experts in this field that will help you stay clean and safe online.
http://users.telenet.be/bluepatchy/miekiemoes/prevention.html
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml
http://www.malwarecomplaints.info/
Thanks...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.
http://users.telenet.be/bluepatchy/miekiemoes/Links.html
dronykmama
2008-09-15, 18:34
Okay, sorry about that. I did read that post but must have blocked that part out. My bad. I did the ComboFix thing. Here's the log. Thanks for your time :)
Diane
ComboFix 08-09-14.06 - Diane 2008-09-15 9:25:08.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1398 [GMT -6:00]
Running from: C:\Documents and Settings\Diane\Desktop\ComboFix.exe
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\Documents and Settings\Paul\Cookies\paul@live[1].txt
C:\test.txt
C:\WINDOWS\system32\bihyrz.dll
C:\WINDOWS\system32\bmudnp.dll
C:\WINDOWS\system32\bvtlsesj.ini
C:\WINDOWS\system32\evqbnyud.ini
C:\WINDOWS\system32\fgzavp.dll
C:\WINDOWS\system32\gocfygfj.ini
C:\WINDOWS\system32\hmntfdpl.dll
C:\WINDOWS\system32\ibxnjr.dll
C:\WINDOWS\system32\igadonya.ini
C:\WINDOWS\system32\jeprtfek.ini
C:\WINDOWS\system32\mkmvqqxb.dll
C:\WINDOWS\system32\MSINET.oca
C:\WINDOWS\system32\ngrrnaqy.ini
C:\WINDOWS\system32\npwcxvgr.dll
C:\WINDOWS\system32\oncptekn.ini
C:\WINDOWS\system32\paokhkip.dll
C:\WINDOWS\system32\psDfLRqr.ini
C:\WINDOWS\system32\psDfLRqr.ini2
C:\WINDOWS\system32\ssepldfp.ini
C:\WINDOWS\system32\vyotbhmq.ini
C:\WINDOWS\system32\xavvchvi.dll
C:\WINDOWS\system32\ytmrhvit.ini
C:\WINDOWS\system32\yudrdtmm.dll
C:\WINDOWS\system32\ywxmccbn.ini
C:\WINDOWS\system32\zzhtmd.dll
----- BITS: Possible infected sites -----
http://www.spiralfrog.com
.
((((((((((((((((((((((((( Files Created from 2008-08-15 to 2008-09-15 )))))))))))))))))))))))))))))))
.
2008-09-14 22:58 . 2008-09-14 22:58 <DIR> d-------- C:\WINDOWS\LastGood
2008-09-14 18:51 . 2008-09-14 18:51 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-09-14 18:51 . 2008-09-14 18:51 <DIR> d-------- C:\Documents and Settings\Diane\Application Data\Malwarebytes
2008-09-14 18:51 . 2008-09-14 18:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-09-14 18:51 . 2008-09-10 00:04 38,528 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-09-14 18:51 . 2008-09-10 00:03 17,200 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-09-14 18:50 . 2008-09-14 18:50 2,189,864 --a------ C:\mbam-setup.exe
2008-09-14 14:50 . 2008-09-14 14:50 <DIR> d-------- C:\Documents and Settings\Mike\Application Data\Windows Search
2008-09-14 14:49 . 2008-09-14 14:49 <DIR> d-------- C:\Documents and Settings\Mike\Application Data\AVGTOOLBAR
2008-09-13 14:40 . 2008-09-13 14:40 <DIR> d-------- C:\Documents and Settings\Sarah\Application Data\Jane s Hotel
2008-09-13 14:18 . 2008-09-13 14:18 <DIR> d-------- C:\Documents and Settings\Sarah\Application Data\AVGTOOLBAR
2008-09-13 10:36 . 2008-09-13 10:36 <DIR> d-------- C:\Documents and Settings\Administrator
2008-09-12 23:32 . 2008-09-14 17:11 211 --a------ C:\WINDOWS\wininit.ini
2008-09-12 22:55 . 2008-09-12 22:57 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-09-12 22:55 . 2008-09-13 00:17 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-09-12 22:35 . 2008-09-12 22:35 <DIR> d-------- C:\VundoFix Backups
2008-09-12 22:32 . 2008-09-12 22:34 <DIR> d-------- C:\Documents and Settings\Paul\Application Data\AVGTOOLBAR
2008-09-12 22:23 . 2001-08-17 13:28 634,134 --a--c--- C:\WINDOWS\system32\dllcache\el656ct5.sys
2008-09-12 22:22 . 2001-08-17 12:14 952,007 --a--c--- C:\WINDOWS\system32\dllcache\diwan.sys
2008-09-12 22:21 . 2008-09-12 22:23 <DIR> d-------- C:\I386
2008-09-12 22:20 . 2001-08-17 13:28 871,388 --a--c--- C:\WINDOWS\system32\dllcache\bcmdm.sys
2008-09-12 22:18 . 2008-04-13 13:27 2,188,928 --a--c--- C:\WINDOWS\system32\dllcache\ntoskrnl.exe
2008-09-12 21:30 . 2008-09-12 21:30 <DIR> d-------- C:\Documents and Settings\Emily\Application Data\AVGTOOLBAR
2008-09-12 18:06 . 2008-09-12 20:23 <DIR> d-------- C:\Documents and Settings\Diane\Application Data\AVGTOOLBAR
2008-09-12 13:32 . 2008-09-12 20:23 <DIR> d-------- C:\Program Files\Windows Live Safety Center
2008-09-11 23:22 . 2008-09-12 08:43 <DIR> d-------- C:\WINDOWS\system32\mC02
2008-09-11 23:22 . 2008-09-11 23:22 <DIR> d-------- C:\Temp\mtc2
2008-09-11 23:22 . 2008-09-13 17:38 <DIR> d-------- C:\Temp
2008-09-11 20:49 . 2008-09-11 20:49 <DIR> d-------- C:\Documents and Settings\Diane\Application Data\Jane s Hotel Family Hero
2008-09-11 12:37 . 2008-09-11 12:37 <DIR> d-------- C:\Program Files\ABF software
2008-09-11 12:37 . 2008-09-11 12:37 97 --a------ C:\WINDOWS\CSS.key
2008-09-10 13:01 . 2008-09-10 13:01 <DIR> d-------- C:\Documents and Settings\Diane\Application Data\Windows Search
2008-09-10 04:04 . 2008-09-10 04:04 552 --a------ C:\WINDOWS\system32\d3d8caps.dat
2008-09-09 13:47 . 2008-09-09 13:47 <DIR> d-------- C:\Documents and Settings\Diane\Application Data\Jane s Hotel
2008-09-08 12:55 . 2008-09-08 12:55 394,240 --a------ C:\WINDOWS\CSS.scr
2008-09-07 18:02 . 2008-09-07 18:02 <DIR> d-------- C:\Documents and Settings\Sarah\Application Data\iWin
2008-09-07 17:26 . 2008-09-07 17:26 <DIR> d-------- C:\Documents and Settings\Sarah\Application Data\Gamelab
2008-09-07 17:01 . 2008-09-07 17:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Escape From Paradise
2008-09-07 15:39 . 2008-09-07 15:39 <DIR> d-------- C:\Documents and Settings\Emily\Application Data\PlayFirst
2008-09-07 14:46 . 2008-09-07 14:46 <DIR> d-------- C:\Documents and Settings\Emily\Application Data\Jane s Hotel
2008-09-07 11:21 . 2008-09-07 11:21 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Gogii
2008-09-07 09:06 . 2008-09-07 18:02 <DIR> d-------- C:\Documents and Settings\Sarah\Saved Games
2008-09-06 21:45 . 2008-09-06 21:45 <DIR> d-------- C:\Documents and Settings\Diane\Application Data\Motive
2008-09-06 21:39 . 2008-09-06 21:39 <DIR> d-------- C:\WINDOWS\Motive
2008-09-06 21:39 . 2008-09-06 21:43 <DIR> d-------- C:\Program Files\TELUS eCare
2008-09-06 21:39 . 2008-09-06 21:39 <DIR> d-------- C:\Program Files\Motive
2008-09-06 21:39 . 2008-09-06 21:39 <DIR> d-------- C:\Program Files\Common Files\Motive
2008-09-06 21:39 . 2008-09-06 21:39 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Motive
2008-09-06 21:39 . 2005-07-12 01:28 69,632 --a------ C:\WINDOWS\system32\MCCDevice.dll
2008-09-06 21:39 . 2005-07-12 01:28 6,048 --a------ C:\WINDOWS\system32\MCC16.dll
2008-09-06 21:35 . 2008-09-06 21:35 439,392 --a------ C:\ecare_install.exe
2008-09-06 19:21 . 2008-09-07 17:31 <DIR> d-------- C:\Program Files\Paradise Pet Salon
2008-09-06 19:21 . 2008-09-06 19:21 <DIR> d-------- C:\Paradise Pet Salon
2008-09-06 19:20 . 2008-09-06 19:20 <DIR> d-------- C:\Polly Pride - Pet Detective
2008-09-06 19:19 . 2008-09-07 18:22 <DIR> d-------- C:\Program Files\Polly Pride - Pet Detective
2008-09-06 19:13 . 2008-09-06 19:13 <DIR> d-------- C:\SpongeBob SquarePants Diner Dash
2008-09-06 19:13 . 2008-09-13 18:39 <DIR> d-------- C:\Program Files\SpongeBob SquarePants Diner Dash
2008-09-06 19:12 . 2008-09-06 19:12 <DIR> d-------- C:\The Nightshift Code
2008-09-06 19:12 . 2008-09-06 19:12 <DIR> d-------- C:\Program Files\The Nightshift Code
2008-09-06 19:10 . 2008-09-06 19:10 <DIR> d-------- C:\Virtual Villagers
2008-09-06 19:10 . 2008-09-07 18:22 <DIR> d-------- C:\Program Files\Virtual Villagers
2008-09-06 19:09 . 2008-09-06 19:09 <DIR> d-------- C:\Virtual Villagers - The Lost Children
2008-09-06 19:09 . 2008-09-06 19:09 <DIR> d-------- C:\Program Files\Virtual Villagers - The Lost Children
2008-09-06 19:07 . 2008-09-06 19:07 <DIR> d-------- C:\Wedding Dash
2008-09-06 19:07 . 2008-09-06 19:07 <DIR> d-------- C:\Program Files\Wedding Dash
2008-09-06 19:06 . 2008-09-06 19:06 <DIR> d-------- C:\Program Files\Azada
2008-09-06 19:06 . 2008-09-07 00:56 <DIR> d-------- C:\Azada
2008-09-06 19:03 . 2008-09-07 11:21 <DIR> d-------- C:\Program Files\Babysitting Mania
2008-09-06 19:03 . 2008-09-06 19:03 <DIR> d-------- C:\Babysitting Mania
2008-09-06 19:02 . 2008-09-06 19:03 3,403,704 --a------ C:\vmp_full_installer.exe
2008-09-06 19:01 . 2008-09-06 19:01 <DIR> d-------- C:\Program Files\Candy Land - Dora the Explorer Edition
2008-09-06 19:01 . 2008-09-06 19:01 <DIR> d-------- C:\Candy Land - Dora the Explorer Edition
2008-09-06 18:58 . 2008-09-08 15:46 <DIR> d-------- C:\Program Files\Carrie the Caregiver 2 - Preschool
2008-09-06 18:58 . 2008-09-07 09:20 <DIR> d-------- C:\Program Files\Carrie the Caregiver
2008-09-06 18:58 . 2008-09-06 18:58 <DIR> d-------- C:\Carrie the Caregiver 2 - Preschool
2008-09-06 18:58 . 2008-09-06 18:58 <DIR> d-------- C:\Carrie the Caregiver
2008-09-06 18:57 . 2008-09-14 23:42 <DIR> d-------- C:\Program Files\Diner Dash
2008-09-06 18:57 . 2008-09-06 18:57 <DIR> d-------- C:\Dream Day First Home
2008-09-06 18:57 . 2008-09-06 18:57 <DIR> d-------- C:\Diner Dash
2008-09-06 18:56 . 2008-09-06 18:57 <DIR> d-------- C:\Program Files\Dream Day First Home
2008-09-06 18:52 . 2008-09-06 18:52 <DIR> d-------- C:\Program Files\Dream Day Honeymoon
2008-09-06 18:52 . 2008-09-06 18:52 <DIR> d-------- C:\Dream Day Honeymoon
2008-09-06 18:49 . 2008-09-06 18:50 <DIR> d-------- C:\Dream Day Wedding
2008-09-06 18:47 . 2008-09-06 18:47 <DIR> d-------- C:\Escape From Paradise
2008-09-06 18:46 . 2008-09-14 21:31 <DIR> d-------- C:\Program Files\Escape From Paradise
2008-09-06 18:45 . 2008-09-06 18:45 <DIR> d-------- C:\Escape the Museum
2008-09-06 18:44 . 2008-09-06 18:45 <DIR> d-------- C:\Program Files\Escape the Museum
2008-09-06 18:39 . 2008-09-06 18:39 <DIR> d-------- C:\Program Files\Hidden Secrets - The Nightmare
2008-09-06 18:39 . 2008-09-06 18:39 <DIR> d-------- C:\Hidden Secrets - The Nightmare
2008-09-06 18:35 . 2008-09-06 18:35 <DIR> d-------- C:\Janes Hotel
2008-09-06 18:34 . 2008-09-06 18:35 <DIR> d-------- C:\Program Files\Janes Hotel
2008-09-06 18:33 . 2008-09-06 18:33 <DIR> d-------- C:\Program Files\Jane`s Hotel - Family Hero
2008-09-06 18:33 . 2008-09-06 18:33 <DIR> d-------- C:\Jane`s Hotel - Family Hero
2008-09-06 18:32 . 2008-09-06 18:32 <DIR> d-------- C:\Mystic Inn
2008-09-06 18:31 . 2008-09-06 18:32 <DIR> d-------- C:\Program Files\Mystic Inn
2008-09-06 18:30 . 2008-09-06 18:30 <DIR> d-------- C:\Program Files\Miss Management
2008-09-06 18:30 . 2008-09-06 18:30 <DIR> d-------- C:\Miss Management
2008-09-06 18:29 . 2008-09-06 18:29 <DIR> d-------- C:\Program Files\Mystery Case Files - Prime Suspects
2008-09-06 18:29 . 2008-09-06 18:29 <DIR> d-------- C:\Mystery Case Files - Prime Suspects
2008-09-06 16:00 . 2008-09-06 16:00 1,495,112 --a------ C:\install_flash_player.exe
2008-09-06 15:08 . 2008-09-06 15:08 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\3 Blokes Studios
2008-09-06 14:07 . 2008-09-06 14:07 0 --a------ C:\WINDOWS\nsreg.dat
2008-09-06 11:45 . 2008-09-06 11:45 <DIR> d-------- C:\Documents and Settings\Diane\Application Data\Home Sweet Home
2008-09-06 11:38 . 2008-09-06 11:38 <DIR> d-------- C:\Program Files\Dr. Daisy Pet Vet
2008-09-06 11:38 . 2008-09-06 11:38 <DIR> d-------- C:\Dr Daisy Pet Vet
2008-09-06 11:35 . 2008-09-06 11:35 <DIR> d-------- C:\Home Sweet Home
2008-09-06 11:34 . 2008-09-06 11:35 <DIR> d-------- C:\Program Files\Home Sweet Home
2008-09-06 08:41 . 2008-09-06 08:42 125 --a------ C:\ioSpecial.ini
2008-09-05 18:57 . 2008-09-05 19:00 <DIR> d-------- C:\Documents and Settings\Diane\Application Data\Super-Cow
2008-09-05 14:39 . 2008-09-05 18:07 <DIR> d-------- C:\Program Files\Build In Time
2008-09-05 14:38 . 2008-09-05 14:38 <DIR> d-------- C:\Documents and Settings\Diane\Application Data\BeachPartyCraze
2008-09-04 23:31 . 2008-09-13 02:25 <DIR> d-------- C:\Documents and Settings\Paul\Application Data\LimeWire
2008-09-04 22:52 . 2008-09-04 22:52 <DIR> d-------- C:\Documents and Settings\Paul\Application Data\Ahead
2008-09-04 12:50 . 2008-09-04 12:51 <DIR> d-------- C:\WINDOWS\NV39363368.TMP
2008-09-04 12:49 . 2008-09-04 12:49 <DIR> d-------- C:\NVIDIA
2008-09-04 12:39 . 2008-04-13 18:11 21,504 --a------ C:\WINDOWS\system32\hidserv.dll
2008-09-04 12:39 . 2008-04-13 18:11 21,504 --a--c--- C:\WINDOWS\system32\dllcache\hidserv.dll
2008-09-04 12:25 . 2008-04-13 12:45 32,128 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys
2008-09-04 12:25 . 2008-04-13 12:45 32,128 --a--c--- C:\WINDOWS\system32\dllcache\usbccgp.sys
2008-09-04 12:25 . 2008-04-13 12:39 14,592 --a------ C:\WINDOWS\system32\drivers\kbdhid.sys
2008-09-04 12:25 . 2008-04-13 12:39 14,592 --a--c--- C:\WINDOWS\system32\dllcache\kbdhid.sys
2008-09-04 11:31 . 2001-08-17 13:48 12,160 --a------ C:\WINDOWS\system32\drivers\mouhid.sys
2008-09-04 11:31 . 2001-08-17 13:48 12,160 --a--c--- C:\WINDOWS\system32\dllcache\mouhid.sys
2008-09-04 11:31 . 2008-04-13 12:45 10,368 --a------ C:\WINDOWS\system32\drivers\hidusb.sys
2008-09-04 11:31 . 2008-04-13 12:45 10,368 --a--c--- C:\WINDOWS\system32\dllcache\hidusb.sys
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-10 19:04 1,575 ----a-w C:\WINDOWS\Fonts\eminenz.txt
2008-09-10 19:03 129 ----a-w C:\WINDOWS\Fonts\1001freefonts.txt
2008-09-10 19:03 1,106 ----a-w C:\WINDOWS\Fonts\readthis.txt
2008-09-10 19:02 478 ----a-w C:\WINDOWS\Fonts\WELLSLEY.TXT
2008-08-29 03:46 0 ----a-w C:\Program Files\temp01
2008-08-19 18:33 81,920 ------r C:\WINDOWS\bwUnin-6.1.4.61-8876480L.exe
2008-08-15 02:40 --------- d-----w C:\Program Files\microsoft frontpage
2008-07-07 20:26 253,952 ----a-w C:\WINDOWS\system32\es.dll
2008-06-25 00:12 295,936 ----a-w C:\WINDOWS\system32\wmpeffects.dll
2008-06-24 16:43 74,240 ----a-w C:\WINDOWS\system32\mscms.dll
2008-06-23 16:57 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-06-20 17:46 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 15360]
"LDM"="C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe" [2008-09-04 16384]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2008-05-16 13529088]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2007-03-14 71216]
"LanguageShortcut"="C:\Program Files\CyberLink\PowerDVD\Language\Language.exe" [2007-01-08 52256]
"LGODDFU"="C:\Program Files\lg_fwupdate\fwupdate.exe" [2007-02-26 249856]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-08-19 1235736]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 153136]
"SecurDisc"="C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe" [2007-11-26 1629480]
"InCD"="C:\Program Files\Nero\Nero 7\InCD\InCD.exe" [2007-11-26 1057064]
"zBrowser Launcher"="C:\Program Files\Logitech\iTouch\iTouch.exe" [2004-03-18 892928]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"AppleSyncNotifier"="C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-22 116040]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-05-27 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-07-30 289064]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"MegaPanel"="C:\Program Files\ACNielsen\Homescan Internet Transporter\HSTrans.exe" [2006-05-11 2064384]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2008-05-16 86016]
"Motive SmartBridge"="C:\PROGRA~1\TELUSE~1\SMARTB~1\MotiveSB.exe" [2008-09-06 393216]
"nwiz"="nwiz.exe" [2008-05-16 C:\WINDOWS\system32\nwiz.exe]
"RTHDCPL"="RTHDCPL.EXE" [2008-01-29 C:\WINDOWS\RTHDCPL.exe]
"Logitech Utility"="Logi_MwX.Exe" [2003-11-07 C:\WINDOWS\LOGI_MWX.EXE]
C:\Documents and Settings\Emily\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE [2007-12-07 101440]
C:\Documents and Settings\Mike\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE [2007-12-07 101440]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2008-05-26 304128]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll kblzns.dll
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\CyberLink\\PowerDVD\\PowerDVD.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\backWeb-8876480.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\DNA\\btdna.exe"=
"C:\\WINDOWS\\system32\\LEXPPS.EXE"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"15719:TCP"= 15719:TCP:BitComet 15719 TCP
"15719:UDP"= 15719:UDP:BitComet 15719 UDP
R0 AvgRkx86;avgrkx86.sys;C:\WINDOWS\system32\Drivers\avgrkx86.sys [2008-08-19 12936]
R0 nvgts;nvgts;C:\WINDOWS\system32\DRIVERS\nvgts.sys [2008-01-25 132096]
R1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-08-19 97928]
R2 avg8emc;AVG8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-08-19 875288]
R2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-08-19 231704]
R2 AvgTdiX;AVG8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-08-19 76040]
R2 Viewpoint Service;Viewpoint Service;C:\Program Files\Viewpoint\Common\ViewpointService.exe [2008-04-04 30152]
R3 LCcfltr;Logitech USB Filter Driver;C:\WINDOWS\system32\Drivers\LCcFltr.Sys [2004-03-03 14095]
S3 SetupNTGLM7X;SetupNTGLM7X;D:\NTGLM7X.sys [ ]
*Newly Created Service* - CATCHME
*Newly Created Service* - PROCEXP90
.
Contents of the 'Scheduled Tasks' folder
.
.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Diane\Application Data\Mozilla\Firefox\Profiles\jf798rm8.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.lds.org/ldsorg/v/index.jsp?vgnextoid=e419fb40e21cef00VgnVCM1000001f5e340aRCRD
FF -: plugin - C:\Program Files\DNA\plugins\npbtdna.dll
FF -: plugin - C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll
FF -: plugin - c:\Program Files\Microsoft Silverlight\2.0.30523.8\npctrl.dll
FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\NPSFDMGR.dll
FF -: plugin - C:\Program Files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
FF -: plugin - C:\Program Files\Viewpoint\Viewpoint Media Player\npViewpoint_.dll
FF -: plugin - C:\Program Files\Viewpoint\Viewpoint Media Player\npViewpoint__.dll
FF -: plugin - C:\Program Files\Viewpoint\Viewpoint Media Player\npViewpoint___.dll
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-15 09:26:53
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-09-15 9:27:23
ComboFix-quarantined-files.txt 2008-09-15 15:27:20
Pre-Run: 222,292,295,680 bytes free
Post-Run: 222,581,764,096 bytes free
281 --- E O F --- 2008-09-10 17:48:47
pskelley
2008-09-15, 20:29
Did you see this?
----- BITS: Possible infected sites -----
http://www.spiralfrog.com
It may mean it was infected at that time; hackers are infecting many valid sites.
Infected websites are the next internet security threats
http://www.google.com/search?hl=en&q=infected+websites&btnG=Google+Search
ComboFix also found quite a few infected files, which is one reason I usually run it first and then finish with MBAM for a double check. I suppose it could be done in this order, except ComboFix targets stuff MBAM does not. Please see the instructions:
Post the combofix log and a new HJT log.
dronykmama
2008-09-15, 22:44
I'm sorry about missing the steps. I have to blame a new baby and lack of sleep. :) I did see that spiralfrog thing. I'll have to watch out for that.
Diane
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:41:07 PM, on 9/15/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\PROGRA~1\AVG\AVG8\avgam.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\lg_fwupdate\fwupdate.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe
C:\Program Files\Nero\Nero 7\InCD\InCD.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\WINDOWS\Logi_MwX.Exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\ACNielsen\Homescan Internet Transporter\HSTrans.exe
C:\PROGRA~1\TELUSE~1\SMARTB~1\MotiveSB.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\winlogon.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Diane\Desktop\HiJackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.lds.org/ldsorg/v/index.jsp?vgnextoid=e419fb40e21cef00VgnVCM1000001f5e340aRCRD
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [LGODDFU] "C:\Program Files\lg_fwupdate\fwupdate.exe" blrun
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [SecurDisc] C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Nero\Nero 7\InCD\InCD.exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [MegaPanel] C:\Program Files\ACNielsen\Homescan Internet Transporter\HSTrans.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\TELUSE~1\SMARTB~1\MotiveSB.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - HKUS\S-1-5-21-1614895754-1580818891-725345543-1004\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe (User 'Paul')
O4 - HKUS\S-1-5-21-1614895754-1580818891-725345543-1004\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'Paul')
O4 - HKUS\S-1-5-21-1614895754-1580818891-725345543-1004\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Paul')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase5036.cab
O16 - DPF: {76716694-EADA-4810-8C3B-4826328A317F} (SmartCouponPrinter Control) - http://content.dll1.com/Connectus/SmartCouponPrinter/SmartCouponPrinter20080612.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} (TikGames Online Control) - http://games.bigfishgames.com/en_cinematycoon/online/cinematycoon.cab
O16 - DPF: {D8AA889B-2C65-47C3-8C16-3DCD4EF76A47} (Invoke Solutions Participant Control(MR)) - http://rms2.invokesolutions.com/events/bin/6.2.0.1450/MILive.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll kblzns.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: Viewpoint Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
--
End of file - 8409 bytes
pskelley
2008-09-15, 22:53
Thanks for the HJT log...
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
For your information, Viewpoint is installed by aol probably without your knowledge. I suggest you uninstall this resource waster in Add Remove programs.
http://www.greatis.com/appdata/u/v/viewmgr.exe.htm
http://www.spywareinfo.com/newsletter/archives/2005/nov4.php#viewpoint
http://www.clickz.com/news/article.php/3561546
Since Recovery Console is installed, are you having any other malware issues?
Thanks
dronykmama
2008-09-16, 00:15
Not that I can tell. Everything seems to be working properly now. I will uninstall that viewpoint file. Thanks very much :)
pskelley
2008-09-16, 02:10
Thanks for the feedback. Remove combofix from the computer like this:
Click START then RUN
Now type or copy Combofix /u in the runbox and click OK.
Note the space between the X and the U; it needs to be there.
http://i189.photobucket.com/albums/z176/EPL47/CF_Cleanup.png
To be sure, clean System Restore files like this:
Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.
Reboot
Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.
I suggest you update AVG 8 and scan your system to make sure you are scanning clean.
Some good information for you:
http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html
http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx
Here is some great information from experts in this field that will help you stay clean and safe online.
http://users.telenet.be/bluepatchy/miekiemoes/prevention.html
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml
http://www.malwarecomplaints.info/
Thanks...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.
http://users.telenet.be/bluepatchy/miekiemoes/Links.html
dronykmama
2008-09-16, 20:23
Surprise surprise... after rebooting my computer virtumonde showed up again. Spybot found it but not malwarebytes. Am I still eligible for help?
pskelley
2008-09-16, 20:31
Spybot found it but not malwarebytes
1) Make sure your version of Spybot S&D is up to date and fully immunized.
Spybot-S&D 1.6 has arrived! 8. July 2008
http://www.safer-networking.org/en/
http://www.safer-networking.org/en/news/2008-07-08.html
2) Follow the directions for running Spybot S&D here:
http://forums.spybot.info/showthread.php?t=288
Post #2...Before you post a log
3) Be sure you run Spybot S&D in Safe Mode when any Vundo files will not be active.
4) If that takes care of your issue great, if not post a new HJT log after Spybot S&D has been run.
Thanks
dronykmama
2008-09-18, 08:35
Still infected with virtumonde. I'm not sure what I'm missing but I'm missing something. I ran Spybot (fully updated and immunized) in safe mode and there were no problems. When I run it in normal windows, it always finds virtumonde. Also, Malwarebytes doesn't appear to detect it. Here is the HJT log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:31:24 PM, on 9/17/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\PROGRA~1\AVG\AVG8\avgam.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\lg_fwupdate\fwupdate.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe
C:\Program Files\Nero\Nero 7\InCD\InCD.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\WINDOWS\Logi_MwX.Exe
C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\ACNielsen\Homescan Internet Transporter\HSTrans.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\PROGRA~1\TELUSE~1\SMARTB~1\MotiveSB.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Diane\Desktop\Anti virus stuff\HiJackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.lds.org/ldsorg/v/index.jsp?vgnextoid=e419fb40e21cef00VgnVCM1000001f5e340aRCRD
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [LGODDFU] "C:\Program Files\lg_fwupdate\fwupdate.exe" blrun
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [SecurDisc] C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Nero\Nero 7\InCD\InCD.exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [MegaPanel] C:\Program Files\ACNielsen\Homescan Internet Transporter\HSTrans.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\TELUSE~1\SMARTB~1\MotiveSB.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase5036.cab
O16 - DPF: {76716694-EADA-4810-8C3B-4826328A317F} (SmartCouponPrinter Control) - http://content.dll1.com/Connectus/SmartCouponPrinter/SmartCouponPrinter20080612.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} (TikGames Online Control) - http://games.bigfishgames.com/en_cinematycoon/online/cinematycoon.cab
O16 - DPF: {D8AA889B-2C65-47C3-8C16-3DCD4EF76A47} (Invoke Solutions Participant Control(MR)) - http://rms2.invokesolutions.com/events/bin/6.2.0.1450/MILive.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll kblzns.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
--
End of file - 7769 bytes
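As an added example (not code from this thread or from the HijackThis tool), a small Python parser that pulls the O4 autostart and O20 AppInit_DLLs entries out of a log in the format posted above and lists any AppInit DLL that is not on a reviewer's allowlist; the sample log lines and the allowlist are constructed for the example.

```python
import re

# Constructed sample in HijackThis log format, modelled on the log posted
# above (the O20 line is the one that appears in that log).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-21-1614895754-1580818891-725345543-1004\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe (User 'Paul')
O20 - AppInit_DLLs: avgrsstx.dll kblzns.dll
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
"""

# Reviewer allowlist: an assumption for this example, not a vetted database.
# Only DLL names the analyst has already tied to installed software belong here.
KNOWN_APPINIT_DLLS = {"avgrsstx.dll"}  # AVG 8 resident shield component

O20_RE = re.compile(r"^O20 - AppInit_DLLs:\s*(.*)$")
# O4 lines: "O4 - <hive>[\<SID>]\..\Run: [<name>] <command>"
O4_RE = re.compile(r"^O4 - (HK\w+)(?:\\[^\\]+)?\\\.\.\\Run: \[(.+?)\] (.*)$")


def parse_hjt(text):
    """Return (appinit_dlls, run_entries) parsed from HijackThis log text."""
    appinit, run = [], []
    for line in text.splitlines():
        m = O20_RE.match(line)
        if m:
            appinit.extend(m.group(1).split())
            continue
        m = O4_RE.match(line)
        if m:
            run.append({"hive": m.group(1), "name": m.group(2), "cmd": m.group(3)})
    return appinit, run


def unknown_appinit_dlls(text, known=KNOWN_APPINIT_DLLS):
    """AppInit_DLLs entries not on the allowlist.

    Everything in AppInit_DLLs is loaded into each process that loads
    user32.dll, so every returned name needs a manual identification."""
    appinit, _ = parse_hjt(text)
    return sorted(d for d in appinit if d.lower() not in known)


def run_entries_by_hive(text):
    """Count O4 autostart entries per registry hive (HKLM, HKCU, HKUS)."""
    _, run = parse_hjt(text)
    counts = {}
    for entry in run:
        counts[entry["hive"]] = counts.get(entry["hive"], 0) + 1
    return counts


if __name__ == "__main__":
    print("AppInit DLLs to identify:", unknown_appinit_dlls(SAMPLE_LOG))
    print("O4 entries per hive:", run_entries_by_hive(SAMPLE_LOG))
```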
pskelley
2008-09-18, 13:26
Please tell me where Spybot S&D says this Vundo is located.
Thanks
dronykmama
2008-09-19, 04:47
You're going to think I'm on crack but now it doesn't show up on the scan. I did it again to find where it was, and it wasn't there! I'm going crazy I swear. I didn't fix the problem last time when I found it so maybe it would show up in the log or something so I don't know why it won't show up now. I'll keep doing regular scans I guess and see if it shows up again.
dronykmama
2008-09-22, 23:49
Okay here it is:
(SBI $42352499) User Settings
HKEY_USERS\S-1-5-21-1614895754-1580818891-725345543-1008\Software\Microsoft\rdfa
There are 2 problems that Spybot catches - the only difference is one says 1008 and the other is 1009.
Any ideas?
pskelley
2008-09-23, 00:18
Thanks, if I repeat myself, I apologize. If you are running the newest version of Spybot S&D and you are fully immunized:
Spybot-S&D 1.6 has arrived! 8. July 2008
http://www.safer-networking.org/en/
http://www.safer-networking.org/en/news/2008-07-08.html
Post your questions about Spybot S&D here:
http://forums.spybot.info/forumdisplay.php?f=4
The folks in that forum are experts with that tool and they will be able to advise you.
Here is a little more information you may find helpful:
http://www.safer-networking.org/en/faq/index.html
http://forums.spybot.info/forumdisplay.php?f=16
Hope that helps