View Full Version : Virtumonde, Smitfraud, Diskcleanup 2006
kr8nblue
2008-12-19, 00:45
Aaahhh...holiday fun.
As a pre-amble, I'm posting & downloading on a computer other than the infected one, which I've taken off the network. No other terminals on the network are showing signs of infection (whew.).
Thanks for your help in advance!
HJT log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:39:34 PM, on 12/18/2008
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\WINNT\System32\svchost.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Trend Micro\HijackThis\LojackThat.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp/defaults/sb/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp/defaults/sp/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by DellEPro
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;127.0.0.1;<local>
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - C:\WINNT\system32\mlJCTKDu.dll
O2 - BHO: (no name) - {C28718D0-28F5-4A42-8198-6D2FFF042C4B} - C:\WINNT\system32\ljJYPfgg.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [vptray] C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
O4 - HKLM\..\Run: [PAS_Check] "C:\Program Files\Common Files\DriveCleaner Free\udcpas.exe"
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - .DEFAULT User Startup: discfix.lnk = C:\DELL\discfix.cmd (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm (file missing)
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {10D06A98-9F0C-453C-A2B2-6DD8FDE143C8} (CMenuWin Object) - http://clientrsim.radiantsystems.com/11.020.0030.00/pe/clientdownloads/Catmenu.cab
O16 - DPF: {BCE152BE-541A-4DC6-B640-9AED4FA245EF} (CAutoLogout Object) - http://clientrsim.radiantsystems.com/11.020.0030.00/PE/ClientDownloads/WaveUIExt.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{8D3C594B-7232-45B9-B9D6-2F45B10F855D}: NameServer = 10.1.10.1
O20 - AppInit_DLLs: esiotn.dll
O20 - Winlogon Notify: mlJCTKDu - C:\WINNT\SYSTEM32\mlJCTKDu.dll
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Unknown owner - C:\Program Files\Norton AntiVirus\navapsvc.exe (file missing)
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\System32\HPZipm12.exe
O24 - Desktop Component 0: (no name) - C:\Documents and Settings\Penthouse\Desktop\n18200352_31022426_1754.jpg
--
End of file - 5341 bytes
Sorry - I realized the above wasn't clear -- i'm using a thumb drive to go back and forth -- with programs and logs.
shelf life
2008-12-25, 01:03
hi,
your in luck. MBAM will run on w2k.
you can download the MBAM exe to the thumbdrive and the latest database here:
http://www.malwarebytes.org/mbam.php
transfer to the computer in question and install the setup.exe first followed by the rules.exe
run MBAM and post the log:
* Double-click mbam-setup.exe and follow the prompts to install the program.
* Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform FULL SCAN, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt
please post the MBAM log in reply
after MBAM is finished, rescan and post a new hjt log also.
kr8nblue
2008-12-26, 23:02
Yay...thanks for the assistance!
First, the MBAM log...then the HJT log
Malwarebytes' Anti-Malware 1.31
Database version: 1456
Windows 5.0.2195 Service Pack 4
12/26/2008 3:01:43 PM
mbam-log-2008-12-26 (15-01-43).txt
Scan type: Full Scan (C:\|)
Objects scanned: 88719
Time elapsed: 18 minute(s), 22 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 2
Registry Keys Infected: 16
Registry Values Infected: 2
Registry Data Items Infected: 2
Folders Infected: 4
Files Infected: 8
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
C:\WINNT\system32\ljJYPfgg.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINNT\system32\mlJCTKDu.dll (Trojan.Vundo.H) -> Delete on reboot.
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\mljctkdu (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{e9f3dce0-432e-4cef-b910-9736ebf0c50e} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{e9f3dce0-432e-4cef-b910-9736ebf0c50e} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\c:/winnt/downloaded program files/catmenu.dll (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{480cb8dc-2301-4cdc-b534-1f5ba6f6cad3} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{1ec7880b-83ae-444d-b48d-f4ae3ecd43f2} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{dea98411-1b48-4913-bccf-8ed738494181} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{10d06a98-9f0c-453c-a2b2-6dd8fde143c8} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{10d06a98-9f0c-453c-a2b2-6dd8fde143c8} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\xpre (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\instkey (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\WINNT\Downloaded Program Files\CATMenu.dll (Trojan.Agent) -> Quarantined and deleted successfully.
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: c:\winnt\system32\ljjypfgg -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo.H) -> Data: c:\winnt\system32\ljjypfgg -> Delete on reboot.
Folders Infected:
C:\Program Files\WinBudget (Adware.AdMedia) -> Quarantined and deleted successfully.
C:\Program Files\WinBudget\bin (Adware.AdMedia) -> Quarantined and deleted successfully.
C:\Documents and Settings\Penthouse\Application Data\DriveCleaner Free (Rogue.DriveCleaner) -> Quarantined and deleted successfully.
C:\Documents and Settings\Penthouse\Application Data\DriveCleaner Free\Logs (Rogue.DriveCleaner) -> Quarantined and deleted successfully.
Files Infected:
C:\WINNT\system32\mlJCTKDu.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINNT\system32\ljJYPfgg.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINNT\system32\ggfPYJjl.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINNT\system32\ggfPYJjl.ini2 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINNT\system32\cbXQkkkh.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\Documents and Settings\Penthouse\Application Data\DriveCleaner Free\Logs\update.log (Rogue.DriveCleaner) -> Quarantined and deleted successfully.
C:\WINNT\Downloaded Program Files\CATMenu.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINNT\Downloaded Program Files\CatMenu.inf (Trojan.Agent) -> Quarantined and deleted successfully.
***********HJT Log************
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:08:23 PM, on 12/26/2008
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\WINNT\System32\svchost.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Trend Micro\HijackThis\LojackThat.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp/defaults/sb/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp/defaults/sp/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by DellEPro
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;127.0.0.1;<local>
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [vptray] C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
O4 - HKLM\..\Run: [PAS_Check] "C:\Program Files\Common Files\DriveCleaner Free\udcpas.exe"
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - .DEFAULT User Startup: discfix.lnk = C:\DELL\discfix.cmd (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm (file missing)
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {BCE152BE-541A-4DC6-B640-9AED4FA245EF} (CAutoLogout Object) - http://clientrsim.radiantsystems.com/11.020.0030.00/PE/ClientDownloads/WaveUIExt.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{8D3C594B-7232-45B9-B9D6-2F45B10F855D}: NameServer = 10.1.10.1
O20 - AppInit_DLLs: esiotn.dll
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Unknown owner - C:\Program Files\Norton AntiVirus\navapsvc.exe (file missing)
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\System32\HPZipm12.exe
O24 - Desktop Component 0: (no name) - C:\Documents and Settings\Penthouse\Desktop\n18200352_31022426_1754.jpg
--
End of file - 4931 bytes
I did reboot after copying the MBAM log & then ran HJT.
Thanks again!
kr8nblue
2008-12-27, 00:39
Ooops...forgot to post the log from the re-scan of MBAM.
Here we go:
Malwarebytes' Anti-Malware 1.31
Database version: 1456
Windows 5.0.2195 Service Pack 4
12/26/2008 5:37:10 PM
mbam-log-2008-12-26 (17-37-10).txt
Scan type: Full Scan (C:\|)
Objects scanned: 88759
Time elapsed: 30 minute(s), 2 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
shelf life
2008-12-27, 00:57
hi,
ok good. can you post a new HJT log. hows it looking on your end now?
kr8nblue
2008-12-27, 01:13
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:10:47 PM, on 12/26/2008
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\WINNT\System32\svchost.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
C:\WINNT\system32\rundll32.exe
C:\Program Files\Trend Micro\HijackThis\LojackThat.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp/defaults/sb/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp/defaults/sp/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by DellEPro
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;127.0.0.1;<local>
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [vptray] C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
O4 - HKLM\..\Run: [PAS_Check] "C:\Program Files\Common Files\DriveCleaner Free\udcpas.exe"
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - .DEFAULT User Startup: discfix.lnk = C:\DELL\discfix.cmd (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm (file missing)
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {BCE152BE-541A-4DC6-B640-9AED4FA245EF} (CAutoLogout Object) - http://clientrsim.radiantsystems.com/11.020.0030.00/PE/ClientDownloads/WaveUIExt.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{8D3C594B-7232-45B9-B9D6-2F45B10F855D}: NameServer = 10.1.10.1
O20 - AppInit_DLLs: esiotn.dll
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Unknown owner - C:\Program Files\Norton AntiVirus\navapsvc.exe (file missing)
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\System32\HPZipm12.exe
O24 - Desktop Component 0: (no name) - C:\Documents and Settings\Penthouse\Desktop\n18200352_31022426_1754.jpg
--
End of file - 4906 bytes
shelf life
2008-12-27, 04:54
hi,
take a look in your add/remove programs panel for:
DriveCleaner Free
click on it and then click the remove button to uninstall it.
next start hjt:
start HJT, click the "Scan" button. check the items below, close any open windows, then click "Fixed checked"
O4 - HKLM\..\Run: [PAS_Check] "C:\Program Files\Common Files\DriveCleaner Free\udcpas.exe"
last:
look in C:\Program Files\Common Files and delete the drivecleaner free folder.
reboot and post a new hjt log
kr8nblue
2008-12-27, 20:21
ok...
* there wasn't a listing for DriverCleaner Free under Add/Remove Programs
* it was in the HJT scan
* it wasn't in the Common Files folder
HJT log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:19:27 PM, on 12/27/2008
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\WINNT\System32\svchost.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
C:\Program Files\Trend Micro\HijackThis\LojackThat.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp/defaults/sb/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp/defaults/sp/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by DellEPro
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;127.0.0.1;<local>
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [vptray] C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - .DEFAULT User Startup: discfix.lnk = C:\DELL\discfix.cmd (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm (file missing)
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {BCE152BE-541A-4DC6-B640-9AED4FA245EF} (CAutoLogout Object) - http://clientrsim.radiantsystems.com/11.020.0030.00/PE/ClientDownloads/WaveUIExt.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{8D3C594B-7232-45B9-B9D6-2F45B10F855D}: NameServer = 10.1.10.1
O20 - AppInit_DLLs: esiotn.dll
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Unknown owner - C:\Program Files\Norton AntiVirus\navapsvc.exe (file missing)
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\System32\HPZipm12.exe
O24 - Desktop Component 0: (no name) - C:\Documents and Settings\Penthouse\Desktop\n18200352_31022426_1754.jpg
--
End of file - 4782 bytes
kr8nblue
2008-12-28, 03:58
I'm having one more issue - and i'm not sure if its related to the infections or is something completely different. Since the date of the infection, the screen at start-up & shutdown (the one that comes up after the windows loading screen, but before the desktop image and vice versa on shutdown -- it also comes up when I call up the task manager) is this obnoxious "Merry Christmas" image that I can't seem to find its source or where the file for it is.
Any ideas? Is this virus-related? And how do I get rid of it?
Otherwise, I'm showing no signs of continued infection. So yay for that.
Thanks again.
shelf life
2008-12-28, 16:26
ok thanks for the info. I missed this one item in the log;
start HJT, click the "Scan" button. check the items below, close any open windows, then click "Fixed checked"
O20 - AppInit_DLLs: esiotn.dll
O24 - Desktop Component 0: (no name) - C:\Documents and Settings\Penthouse\Desktop\n18200352_31022426_1754.jpg
As for the other problem yes malware (if you didnt install it anyway) related. lets see what fixing the two items above does.
kr8nblue
2008-12-28, 20:10
It looks like that got it taken care of.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:06:20 PM, on 12/28/2008
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\WINNT\System32\svchost.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
C:\WINNT\system32\rundll32.exe
C:\Program Files\Trend Micro\HijackThis\LojackThat.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp/defaults/sb/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp/defaults/sp/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by DellEPro
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;127.0.0.1;<local>
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [vptray] C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - .DEFAULT User Startup: discfix.lnk = C:\DELL\discfix.cmd (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm (file missing)
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm (file missing)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {BCE152BE-541A-4DC6-B640-9AED4FA245EF} (CAutoLogout Object) - http://clientrsim.radiantsystems.com/11.020.0030.00/PE/ClientDownloads/WaveUIExt.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{8D3C594B-7232-45B9-B9D6-2F45B10F855D}: NameServer = 10.1.10.1
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Unknown owner - C:\Program Files\Norton AntiVirus\navapsvc.exe (file missing)
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\System32\HPZipm12.exe
--
End of file - 4455 bytes
kr8nblue
2008-12-28, 20:15
Wait...no...I spoke too soon.
The Merry Christmas image is back. Weird. It was gone when I shut down, but back when I restarted.
shelf life
2008-12-29, 01:50
well i guess being a Christmas theme it will grow old fast. lets see if this tool can dig up anything:
Download random's system information tool (RSIT) by random/random from here (http://images.malwareremoval.com/random/RSIT.exe) and save it to your desktop.
Double click on RSIT.exe to run RSIT.
Click Continue at the disclaimer screen.
Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized)in your reply.
kr8nblue
2008-12-31, 18:01
here's the log.txt:
Logfile of random's system information tool 1.05 (written by random/random)
Run by Penthouse at 2008-12-31 10:51:25
Microsoft Windows 2000 Professional Service Pack 4
System drive C: has 125 GB (95%) free of 131 GB
Total RAM: 254 MB (21% free)
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:52:39 AM, on 12/31/2008
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\WINNT\System32\svchost.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Penthouse\Desktop\RSIT.exe
C:\Program Files\Trend Micro\HijackThis\Penthouse.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp/defaults/sb/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp/defaults/sp/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by DellEPro
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;127.0.0.1;<local>
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {93b2efb1-c462-4cd9-bf1d-d32f8aa5c13f} - C:\WINNT\system32\yugovuji.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [vptray] C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
O4 - HKLM\..\Run: [rinepejisi] Rundll32.exe "C:\WINNT\system32\papujati.dll",s
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - .DEFAULT User Startup: discfix.lnk = C:\DELL\discfix.cmd (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm (file missing)
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm (file missing)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {BCE152BE-541A-4DC6-B640-9AED4FA245EF} (CAutoLogout Object) - http://clientrsim.radiantsystems.com/11.020.0030.00/PE/ClientDownloads/WaveUIExt.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{8D3C594B-7232-45B9-B9D6-2F45B10F855D}: NameServer = 10.1.10.1
O20 - AppInit_DLLs: C:\WINNT\system32\mujemele.dll
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Unknown owner - C:\Program Files\Norton AntiVirus\navapsvc.exe (file missing)
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\System32\HPZipm12.exe
--
End of file - 4753 bytes
======Scheduled tasks folder======
C:\WINNT\tasks\dfrg.job
C:\WINNT\tasks\isxnlurb.job
======Registry dump======
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4EFB-9B51-7695ECA05670}]
Yahoo! Toolbar Helper - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll [2006-09-06 439872]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
Spybot-S&D IE Protection - C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2008-09-15 1562960]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{93b2efb1-c462-4cd9-bf1d-d32f8aa5c13f}]
C:\WINNT\s [2003-06-11 2378]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{8E718888-423F-11D2-876E-00A0C9082467} - &Radio - C:\WINNT\S [2003-06-11 2378]
{EF99BD32-C1FB-11D2-892F-0090271D4F88} - Yahoo! Toolbar - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll [2006-09-06 439872]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"=mobsync.exe /logon []
"type32"=C:\Program Files\Microsoft IntelliType Pro\type32.exe []
"IntelliPoint"=C:\Program Files\Microsoft IntelliPoint\point32.exe []
"vptray"=C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe [2003-05-21 90112]
"rinepejisi"=C:\WINNT\s [2003-06-11 2378]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLS"="C:\WINNT\system32\mujemele.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\NavLogon]
C:\WINNT\s [2003-06-11 2378]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"notification packages"=scecli
C:\WINNT\system32\mujemele.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"=msapsspc.dll, schannel.dll, msnsspc.dll, digest.dll
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=149
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
======List of files/folders created in the last 1 months======
2008-12-31 10:51:25 ----D---- C:\rsit
2008-12-26 14:36:26 ----D---- C:\Documents and Settings\Penthouse\Application Data\Malwarebytes
2008-12-26 14:36:14 ----D---- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-12-18 17:22:23 ----D---- C:\Program Files\Trend Micro
2008-12-16 20:06:55 ----A---- C:\WINNT\system32\esiotn.dll
2008-12-16 20:06:54 ----A---- C:\WINNT\system32\buxcwudl.dll
2008-12-16 19:58:08 ----A---- C:\WINNT\system32\231faf93-.txt
2008-12-16 19:49:33 ----A---- C:\WINNT\system32\cbXQhEUM.dll
======List of files/folders modified in the last 1 months======
2008-12-31 10:51:27 ----AD---- C:\WINNT\system32
2008-12-31 04:05:29 ----AD---- C:\WINNT\Temp
2008-12-31 01:00:00 ----A---- C:\WINNT\SchedLgU.Txt
2008-12-30 21:57:55 ----AD---- C:\WINNT\security
2008-12-30 19:08:32 ----D---- C:\WINNT\system32\NtmsData
2008-12-30 19:04:33 ----AC---- C:\WINNT\hpbafd.ini
2008-12-29 16:05:21 ----ASH---- C:\WINNT\system32\neletato.dll
2008-12-28 14:00:28 ----AD---- C:\WINNT\Debug
2008-12-27 20:39:02 ----RAD---- C:\Program Files
2008-12-27 20:34:39 ----D---- C:\Program Files\Adobe
2008-12-27 20:33:35 ----AD---- C:\WINNT
2008-12-27 20:32:36 ----AD---- C:\WINNT\system32\drivers
2008-12-27 20:32:36 ----AD---- C:\Program Files\Common Files\Real
2008-12-27 20:32:07 ----SHD---- C:\WINNT\Installer
2008-12-27 20:31:57 ----D---- C:\WINNT\system32\appmgmt
2008-12-27 20:31:56 ----HD---- C:\WINNT\inf
2008-12-17 15:56:33 ----A---- C:\WINNT\wininit.ini
2008-12-16 19:49:36 ----ASD---- C:\WINNT\Tasks
2008-12-12 08:17:27 ----AC---- C:\WINNT\system32\dfrg.msc
======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======
R1 Cdr4_2K;Cdr4_2K; C:\WINNT\s [2003-06-11 2378]
R1 Cdralw2k;Cdralw2k; C:\WINNT\s [2003-06-11 2378]
R2 NAVAPEL;NAVAPEL; \??\C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\NAVAPEL.SYS []
R3 E100B;Intel PRO Adapter Driver; C:\WINNT\S [2003-06-11 2378]
R3 es1371;Creative AudioPCI (ES1371,ES1373) (WDM); C:\WINNT\s [2003-06-11 2378]
R3 i81x;i81x; C:\WINNT\S [2003-06-11 2378]
R3 NAVAP;NAVAP; \??\C:\PROGRA~1\SYMANT~1\SYMANT~1\NAVAP.sys []
R3 NAVENG;NAVENG; \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20081210.009\NAVENG.sys []
R3 NAVEX15;NAVEX15; \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20081210.009\NAVEX15.sys []
R3 Point32;Microsoft IntelliPoint Filter Driver; C:\WINNT\s [2003-06-11 2378]
R3 ROOTMODEM;Microsoft Legacy Modem Driver; C:\WINNT\S [2003-06-11 2378]
R3 SymEvent;SymEvent; \??\C:\PROGRA~1\Symantec\SYMEVENT.SYS []
R3 uhcd;Microsoft USB Universal Host Controller Driver; C:\WINNT\S [2003-06-11 2378]
R3 usbhub;Microsoft USB Standard Hub Driver; C:\WINNT\S [2003-06-11 2378]
R3 wanatw;WAN Miniport (ATW); C:\WINNT\S [2003-06-11 2378]
R3 Winacpci;Winacpci; C:\WINNT\S [2003-06-11 2378]
S3 HPZid412;IEEE-1284.4 Driver HPZid412; C:\WINNT\S [2003-06-11 2378]
S3 HPZipr12;Print Class Driver for IEEE-1284.4 HPZipr12; C:\WINNT\S [2003-06-11 2378]
S3 HPZius12;USB to IEEE-1284.4 Translation Driver HPZius12; C:\WINNT\S [2003-06-11 2378]
S3 usbprint;Microsoft USB PRINTER Class; C:\WINNT\S [2003-06-11 2378]
S3 usbscan;USB Scanner Driver; C:\WINNT\S [2003-06-11 2378]
S3 USBSTOR;USB Mass Storage Driver; C:\WINNT\S [2003-06-11 2378]
======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======
R2 DefWatch;DefWatch; C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe [2003-05-21 32768]
R2 Norton AntiVirus Server;Symantec AntiVirus Client; C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe [2003-05-21 610304]
R2 StiSvc;Still Image Service; C:\WINNT\s [2003-06-11 2378]
R2 WMDM PMSP Service;WMDM PMSP Service; C:\WINNT\s [2003-06-11 2378]
S2 navapsvc;Norton AntiVirus Auto Protect Service; C:\Program Files\Norton AntiVirus\navapsvc.exe []
S3 Pml Driver HPZ12;Pml Driver HPZ12; C:\WINNT\S [2003-06-11 2378]
S3 WmdmPmSN;Portable Media Serial Number Service; C:\WINNT\S [2003-06-11 2378]
-----------------EOF-----------------
aaaand here's info.txt:
info.txt logfile of random's system information tool 1.05 2008-12-31 10:52:43
======Uninstall list======
-->c:\winnt\$NtServicePackUninstall$\spuninst\spuninst.exe
Adobe Flash Player ActiveX-->C:\WINNT\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Reader 7.1.0-->MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A71000000002}
HijackThis 2.0.2-->"C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
HP PSC & Officejet 4.2 Corporate Edition-->"C:\Program Files\HP\Digital Imaging\{AC1314E7-D28C-40A1-B322-80D2868D35CE}\setup\hpzscr01.exe" -datfile hposcr04.dat
LiveUpdate 1.80 (Symantec Corporation)-->C:\Program Files\Symantec\LiveUpdate\LSETUP.EXE /U
Microsoft Office 2000 SR-1 Disc 2-->MsiExec.exe /I{00040409-78E1-11D2-B60F-006097C998E7}
Microsoft Office 2000 SR-1 Professional-->MsiExec.exe /I{00010409-78E1-11D2-B60F-006097C998E7}
PrintMaster Gold 4.04-->c:\pmw\msrun.exe
Spybot - Search & Destroy-->"C:\Program Files\Spybot - Search & Destroy\unins000.exe"
Symantec AntiVirus Client-->MsiExec.exe /X{0EFC6259-3AD8-4CD2-BC57-D4937AF5CC0E}
Viewpoint Media Player-->C:\Program Files\Viewpoint\Viewpoint Experience Technology\mtsAxInstaller.exe /u
Windows 2000 Service Pack 4-->C:\WINNT\$NtServicePackUninstall$\spuninst\spuninst.exe
Windows Installer 3.1 (KB893803)-->"C:\WINNT\$MSI31Uninstall_KB893803v2$\spuninst\spuninst.exe"
Windows Media Player system update (9 Series)-->C:\PROGRA~1\WINDOW~2\setup_wm.exe /Uninstall
WinSCP 3.8.2-->"C:\Program Files\WinSCP3\unins000.exe"
Yahoo! Toolbar for Internet Explorer-->C:\PROGRA~1\Yahoo!\Common\unyt.exe
=====HijackThis Backups=====
O4 - HKLM\..\Run: [PAS_Check] "C:\Program Files\Common Files\DriveCleaner Free\udcpas.exe"
O24 - Desktop Component 0: (no name) - C:\Documents and Settings\Penthouse\Desktop\n18200352_31022426_1754.jpg
O20 - AppInit_DLLs: esiotn.dll
System event log
Computer Name: PENTHOUSE
Event Code: 25
Message: File(s) sRGB Color Space Profile.icm, HP Deskjet 9800-Premium High-Gloss Film(tricolor+black).icc, HP Deskjet 9800-Premium High-Gloss Film(tricolor+gray).icc, HP Deskjet 9800-Premium High-Gloss Film(tricolor+photo).icc, HP Deskjet 9800-Premium Paper(tricolor+gray).icc, HP Deskjet 9800-Premium Paper(tricolor+photo).icc, HP Deskjet 9800-Premium Plus Photo(tricolor+black).icc, HP Deskjet 9800-Premium Plus Photo(tricolor+gray).icc, HP Deskjet 9800-Premium Plus Photo(tricolor+photo).icc, HP Deskjet 9800-Premium Paper(tricolor+black).icc associated with printer \\CORNER\HP Deskjet 9800 Series got added or updated.
Record Number: 4356
Source Name: Print
Time Written: 20080215160224.000000-300
Event Type: warning
User: PENTHOUSE\Penthouse
Computer Name: PENTHOUSE
Event Code: 20
Message: Printer Driver HP Deskjet 9800 Series for Windows NT x86 Version-3 was added or updated. Files:- UNIDRV.DLL, UNIDRVUI.DLL, hpw98003.GPD, UNIDRV.HLP, hpw9800a.ini, hpzst3xt.dll, hpw98003.xml, hpzsc3xt.dtd, hpzui3xt.dll, hpz3r3xt.dll, hpzpr3xt.dll, hpcdmc32.dll, hpbcfgre.dll, hpzsm3xt.gpd, hpz3m3xt.gpd, hpzev3xt.dll, hpzhl3xt.cab, STDNAMES.GPD, hpz3l3xt.dll, hpz3a3xt.dll, hpzss3xt.dll, hpfie3xt.dll, hpfig3xt.dll, hpfrs3xt.dll, hpw98003.cab, hpwh9800.cfg, UNIRES.DLL.
Record Number: 4355
Source Name: Print
Time Written: 20080215160223.000000-300
Event Type: warning
User: NT AUTHORITY\SYSTEM
Computer Name: PENTHOUSE
Event Code: 25
Message: File(s) sRGB Color Space Profile.icm, HP Deskjet 9800-Premium High-Gloss Film(tricolor+black).icc, HP Deskjet 9800-Premium High-Gloss Film(tricolor+gray).icc, HP Deskjet 9800-Premium High-Gloss Film(tricolor+photo).icc, HP Deskjet 9800-Premium Paper(tricolor+gray).icc, HP Deskjet 9800-Premium Paper(tricolor+photo).icc, HP Deskjet 9800-Premium Plus Photo(tricolor+black).icc, HP Deskjet 9800-Premium Plus Photo(tricolor+gray).icc, HP Deskjet 9800-Premium Plus Photo(tricolor+photo).icc, HP Deskjet 9800-Premium Paper(tricolor+black).icc associated with printer \\CORNER\HP Deskjet 9800 Series got added or updated.
Record Number: 4354
Source Name: Print
Time Written: 20080215155156.000000-300
Event Type: warning
User: PENTHOUSE\Penthouse
Computer Name: PENTHOUSE
Event Code: 20
Message: Printer Driver HP Deskjet 9800 Series for Windows NT x86 Version-3 was added or updated. Files:- UNIDRV.DLL, UNIDRVUI.DLL, hpw98003.GPD, UNIDRV.HLP, hpw9800a.ini, hpzst3xt.dll, hpw98003.xml, hpzsc3xt.dtd, hpzui3xt.dll, hpz3r3xt.dll, hpzpr3xt.dll, hpcdmc32.dll, hpbcfgre.dll, hpzsm3xt.gpd, hpz3m3xt.gpd, hpzev3xt.dll, hpzhl3xt.cab, STDNAMES.GPD, hpz3l3xt.dll, hpz3a3xt.dll, hpzss3xt.dll, hpfie3xt.dll, hpfig3xt.dll, hpfrs3xt.dll, hpw98003.cab, hpwh9800.cfg, UNIRES.DLL.
Record Number: 4353
Source Name: Print
Time Written: 20080215155154.000000-300
Event Type: warning
User: NT AUTHORITY\SYSTEM
Computer Name: PENTHOUSE
Event Code: 25
Message: File(s) sRGB Color Space Profile.icm, HP Deskjet 9800-Premium High-Gloss Film(tricolor+black).icc, HP Deskjet 9800-Premium High-Gloss Film(tricolor+gray).icc, HP Deskjet 9800-Premium High-Gloss Film(tricolor+photo).icc, HP Deskjet 9800-Premium Paper(tricolor+gray).icc, HP Deskjet 9800-Premium Paper(tricolor+photo).icc, HP Deskjet 9800-Premium Plus Photo(tricolor+black).icc, HP Deskjet 9800-Premium Plus Photo(tricolor+gray).icc, HP Deskjet 9800-Premium Plus Photo(tricolor+photo).icc, HP Deskjet 9800-Premium Paper(tricolor+black).icc associated with printer \\CORNER\HP Deskjet 9800 Series got added or updated.
Record Number: 4352
Source Name: Print
Time Written: 20080214120659.000000-300
Event Type: warning
User: PENTHOUSE\Penthouse
======Environment variables======
"ComSpec"=%SystemRoot%\system32\cmd.exe
"Os2LibPath"=%SystemRoot%\system32\os2\dll;
"Path"=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\system32\WBEM
"windir"=%SystemRoot%
"OS"=Windows_NT
"PROCESSOR_ARCHITECTURE"=x86
"PROCESSOR_LEVEL"=6
"PROCESSOR_IDENTIFIER"=x86 Family 6 Model 8 Stepping 6, GenuineIntel
"PROCESSOR_REVISION"=0806
"NUMBER_OF_PROCESSORS"=1
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP
-----------------EOF-----------------
shelf life
2008-12-31, 23:50
hi kr8nblue,
You still have malware on the machine. Heres what we will try. First update MBAM but dont scan yet. Next we will use HJT, then boot computer into safe mode.
to help show all files you can do this;
To enable the viewing of Hidden files follow these steps:
1. Close all programs so that you are at your desktop.
2. Double-click on the My Computer icon.
3. Select the Tools menu and click Folder Options.
4. After the new window appears select the View tab.
5. Under the Hidden files and folders section select the radio button labeled Show hidden files and folders.
6. Remove the checkmark from the checkbox labeled Hide file extensions for known file types.
7. Remove the checkmark from the checkbox labeled Hide protected operating system files.
8. Press the Apply button and then the OK button and shutdown My Computer.
9. Now your computer is configured to show all hidden files.
Next;
start HJT, click the "Scan" button. check the items below, close any open windows, then click "Fixed checked"
O2 - BHO: (no name) - {93b2efb1-c462-4cd9-bf1d-d32f8aa5c13f} - C:\WINNT\system32\yugovuji.dll
O4 - HKLM\..\Run: [rinepejisi] Rundll32.exe "C:\WINNT\system32\papujati.dll",s
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm (file missing)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O20 - AppInit_DLLs: C:\WINNT\system32\mujemele.dll,
You might copy/paste the safe mode part into note pad and save it so you can find and read it in safe mode.
To reach safe mode you would tap the f8 key during a computer restart. chose the first option from the list; safe mode
Once at the safe mode desktop:
navigate to:C:\WINNT\system32
look for and delete if found these three .dll:
mujemele.dll, yugovuji.dll, papujati.dll
Click Start>Run then type %temp%
Hit OK. Delete all the files you can.
click Start>Run then type %windir%\temp
hit ok. delete all the files you can
Empty your Temp folders. Go to Start > Run and type:cleanmgr. Windows will scan. When done check these 3 and press *ok* to remove:
Temporary Files
Temporary Internet Files
Recycle Bin
check your scheduled tasks: start>programs>Accessories>System tools>scheduled tasks, may be a little different in W2K
delete these two unless you scheduled them yourself:
tasks\dfrg.job
tasks\isxnlurb.job
Last: still in safe mode you can scan with MBAM and Spybot.
reboot normally and post the MBAM log and a new hjt log.
kr8nblue
2009-01-03, 02:04
Ok,
mujemele.dll won't delete. I get an error message saying that Windows is using it.
The Spybot scan brought up a Virtumonde.prx infection
MBAM brought up 3 Vundo infections
Here's the MBAM log & then the HJT log
Malwarebytes' Anti-Malware 1.31
Database version: 1597
Windows 5.0.2195 Service Pack 4
1/2/2009 6:50:15 PM
mbam-log-2009-01-02 (18-50-15).txt
Scan type: Full Scan (C:\|)
Objects scanned: 82729
Time elapsed: 29 minute(s), 34 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{93b2efb1-c462-4cd9-bf1d-d32f8aa5c13f} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{93b2efb1-c462-4cd9-bf1d-d32f8aa5c13f} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rinepejisi (Trojan.Vundo.H) -> Quarantined and deleted successfully.
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
*************HJT**********
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:59:03 PM, on 1/2/2009
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\WINNT\System32\svchost.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Trend Micro\HijackThis\LojackThat.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp/defaults/sb/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp/defaults/sp/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by DellEPro
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;127.0.0.1;<local>
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {93b2efb1-c462-4cd9-bf1d-d32f8aa5c13f} - C:\WINNT\system32\yugovuji.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [vptray] C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
O4 - HKLM\..\Run: [rinepejisi] Rundll32.exe "C:\WINNT\system32\papujati.dll",s
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - .DEFAULT User Startup: discfix.lnk = C:\DELL\discfix.cmd (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\WINNT\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\WINNT\System32\shdocvw.dll
O16 - DPF: {BCE152BE-541A-4DC6-B640-9AED4FA245EF} (CAutoLogout Object) - http://clientrsim.radiantsystems.com/11.020.0030.00/PE/ClientDownloads/WaveUIExt.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{8D3C594B-7232-45B9-B9D6-2F45B10F855D}: NameServer = 10.1.10.1
O20 - AppInit_DLLs: C:\WINNT\system32\mujemele.dll
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Unknown owner - C:\Program Files\Norton AntiVirus\navapsvc.exe (file missing)
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\System32\HPZipm12.exe
--
End of file - 4272 bytes
shelf life
2009-01-03, 04:16
hi,
ok thanks for the info we will try this:
mujemele.dll won't delete.
start hjt:
click on "open misc tools section"
"delete a file on reboot"
copy/paste in the File Name window:
C:\WINNT\system32\mujemele.dll
click the "open button'
then chose to delete on reboot.
next:
do a online scan here:
ESET online scanner:
http://www.eset.com/onlinescan/
uses Internet Explorer only
check "YES" to accept terms
click start button
allow the ActiveX component to install
click the start button. the Scanner will update.
check both "Remove found threats" and "Scan unwanted applications"
click scan
when done you can find the scan log at:C:\Program Files\EsetOnlineScanner\log.txt
please copy/paste that log in next reply.
post a new hjt log also.
kr8nblue
2009-01-03, 06:53
Here we go:
Eset log first, then HJT
# version=4
# OnlineScanner.ocx=1.0.0.635
# OnlineScannerDLLA.dll=1, 0, 0, 79
# OnlineScannerDLLW.dll=1, 0, 0, 78
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=3733 (20090102)
# vers_arch_module=1.064 (20080214)
# vers_adv_heur_module=1.064 (20070717)
# EOSSerial=2201d6e3ebe4d747a2207a5ec29d1a33
# end=finished
# remove_checked=true
# unwanted_checked=true
# utc_time=2009-01-03 04:26:21
# local_time=2009-01-02 11:26:21 (-0500, Eastern Standard Time)
# country="United States"
# osver=5.0.2195 NT Service Pack 4
# scanned=167430
# found=1
# scan_time=4557
C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\4PER4PYV\pldr8[1].htm Win32/Adware.Virtumonde application (unable to clean - deleted) 00000000000000000000000000000000
********HJT********
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:49:18 PM, on 1/2/2009
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\WINNT\System32\svchost.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
C:\WINNT\system32\rundll32.exe
C:\Program Files\Trend Micro\HijackThis\LojackThat.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp/defaults/sb/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp/defaults/sp/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by DellEPro
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;127.0.0.1;<local>
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {93b2efb1-c462-4cd9-bf1d-d32f8aa5c13f} - C:\WINNT\system32\yugovuji.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [vptray] C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
O4 - HKLM\..\Run: [rinepejisi] Rundll32.exe "C:\WINNT\system32\papujati.dll",s
O4 - HKLM\..\Run: [283c6bed] rundll32.exe "C:\WINNT\system32\toyutabo.dll",b
O4 - HKLM\..\Run: [CPM2b0f5871] Rundll32.exe "c:\winnt\system32\wayerode.dll",a
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - .DEFAULT User Startup: discfix.lnk = C:\DELL\discfix.cmd (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\WINNT\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\WINNT\System32\shdocvw.dll
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {BCE152BE-541A-4DC6-B640-9AED4FA245EF} (CAutoLogout Object) - http://clientrsim.radiantsystems.com/11.020.0030.00/PE/ClientDownloads/WaveUIExt.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{8D3C594B-7232-45B9-B9D6-2F45B10F855D}: NameServer = 10.1.10.1
O20 - AppInit_DLLs: C:\WINNT\system32\mujemele.dll c:\winnt\system32\wayerode.dll
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\winnt\system32\wayerode.dll
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\winnt\system32\wayerode.dll
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Unknown owner - C:\Program Files\Norton AntiVirus\navapsvc.exe (file missing)
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\System32\HPZipm12.exe
--
End of file - 4763 bytes
shelf life
2009-01-03, 17:09
hi,
you still have malware. we will use htj again
after you use hjt update and scan with MBAM again followed by spybot
did you find and delete these:
check your scheduled tasks: start>programs>Accessories>System tools>scheduled tasks, may be a little different in W2K
delete these two unless you scheduled them yourself:
tasks\dfrg.job
tasks\isxnlurb.job
start HJT, click the "Scan" button. check the items below, close any open windows, then click "Fixed checked"
O2 - BHO: (no name) - {93b2efb1-c462-4cd9-bf1d-d32f8aa5c13f} - C:\WINNT\system32\yugovuji.dll (file missing)
O4 - HKLM\..\Run: [rinepejisi] Rundll32.exe "C:\WINNT\system32\papujati.dll",s
O4 - HKLM\..\Run: [283c6bed] rundll32.exe "C:\WINNT\system32\toyutabo.dll",b
O4 - HKLM\..\Run: [CPM2b0f5871] Rundll32.exe "c:\winnt\system32\wayerode.dll",a
O20 - AppInit_DLLs: C:\WINNT\system32\mujemele.dll c:\winnt\system32\wayerode.dll
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\winnt\system32\wayerode.dll
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\winnt\system32\wayerode.dll
you can also write or copy into notepad these .dll's look for them in the c:\winnt\system32 dir and try to delete what you can in safe mode
papujati.dll
toyutabo.dll
wayerode.dll
mujemele.dll
reboot and post a new hjt log and the MBAM log.
kr8nblue
2009-01-03, 23:10
Hi,
Thanks again.
The scheduled tasks were already deleted and the folder appears empty.
Ok, I scanned with HJT & fixed the lines you indicated. Then I ran MBAM (19 objects infected -- all vundo -- that's gone up from 3 since my last scan). MBAM asked to reboot to finish deleting 2 files. After reboot, I ran Spybot (HitBox, Right Media, Virtumonde, Virtumonde.prx) & fixed selected problems.
I followed that by attempting to delete the specified files in the system32 folder:
mujemele.dll won't let me delete it -- i get the following message "Cannot delete mujemele: The specified file is being used by Windows."
wayrode.dll was successfully deleted.
toyutabo and papujati were not there.
As a side note -- whenever the computer reboots, I get a warning message that papujati.dll can not be found.
I rebooted, then ran MBAM & HJT. Here are the logs:
Malwarebytes' Anti-Malware 1.31
Database version: 1597
Windows 5.0.2195 Service Pack 4
1/3/2009 3:59:51 PM
mbam-log-2009-01-03 (15-59-51).txt
Scan type: Full Scan (C:\|)
Objects scanned: 82942
Time elapsed: 28 minute(s), 56 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{93b2efb1-c462-4cd9-bf1d-d32f8aa5c13f} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{93b2efb1-c462-4cd9-bf1d-d32f8aa5c13f} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rinepejisi (Trojan.Vundo.H) -> Quarantined and deleted successfully.
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
****HJT****
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:01:57 PM, on 1/3/2009
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Safe mode
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Trend Micro\HijackThis\LojackThat.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp/defaults/sb/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp/defaults/sp/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by DellEPro
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;127.0.0.1;<local>
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {93b2efb1-c462-4cd9-bf1d-d32f8aa5c13f} - C:\WINNT\system32\yugovuji.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [vptray] C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
O4 - HKLM\..\Run: [rinepejisi] Rundll32.exe "C:\WINNT\system32\papujati.dll",s
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - .DEFAULT User Startup: discfix.lnk = C:\DELL\discfix.cmd (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {BCE152BE-541A-4DC6-B640-9AED4FA245EF} (CAutoLogout Object) - http://clientrsim.radiantsystems.com/11.020.0030.00/PE/ClientDownloads/WaveUIExt.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{8D3C594B-7232-45B9-B9D6-2F45B10F855D}: NameServer = 10.1.10.1
O20 - AppInit_DLLs: C:\WINNT\system32\mujemele.dll
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Unknown owner - C:\Program Files\Norton AntiVirus\navapsvc.exe (file missing)
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\System32\HPZipm12.exe
--
End of file - 3753 bytes
shelf life
2009-01-04, 03:43
hi,
ok looks like we are making progress.
first we will back up the registry:
start>run and type in regedit, click ok or enter.
at the top on the left hand side click the my computer icon
then File>export
Name it backup or something and
leave the "Save As Type" as Registration Files (*.reg)
then click save. You can save it to your desktop
copy whats in the code box below into notepad;
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=-
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"="mujemele.dll"
Save As: fixit.reg to your desktop and Save As Type: (change to) All Files
it and the entire back up you did in the first step (other than the name)--- both should look like this screenshot once on your desktop:
http://img374.imageshack.us/my.php?image=fixitgl1.png
double click the fixit.reg on your desktop and if asked select yes to merge it into the registry.
reboot computer, rerun MBAM and post a new hjt log.
kr8nblue
2009-01-04, 21:11
ok,
* i backed up the registry
* i ran fixit.reg
* i rebooted, then ran MBAM
Here's that log, then the HJT log.
Malwarebytes' Anti-Malware 1.31
Database version: 1597
Windows 5.0.2195 Service Pack 4
1/4/2009 2:04:32 PM
mbam-log-2009-01-04 (14-04-32).txt
Scan type: Full Scan (C:\|)
Objects scanned: 83991
Time elapsed: 26 minute(s), 40 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 3
Registry Keys Infected: 4
Registry Values Infected: 4
Registry Data Items Infected: 5
Folders Infected: 0
Files Infected: 6
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
C:\WINNT\system32\piwagali.dll (Trojan.Vundo.H) -> Delete on reboot.
c:\WINNT\system32\sugefeso.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINNT\system32\dunuhobu.dll (Trojan.Vundo.H) -> Delete on reboot.
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{93b2efb1-c462-4cd9-bf1d-d32f8aa5c13f} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{93b2efb1-c462-4cd9-bf1d-d32f8aa5c13f} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\dslcnnct (Trojan.Vundo) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rinepejisi (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cpm2b0f5871 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\ssodl (Trojan.Vundo.H) -> Quarantined and deleted successfully.
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: c:\winnt\system32\piwagali.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: c:\winnt\system32\piwagali.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: system32\piwagali.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: c:\winnt\system32\sugefeso.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: system32\sugefeso.dll -> Quarantined and deleted successfully.
Folders Infected:
(No malicious items detected)
Files Infected:
C:\WINNT\system32\dunuhobu.dll (Trojan.Vundo.H) -> Delete on reboot.
c:\WINNT\system32\sugefeso.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINNT\system32\mujemele.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINNT\system32\piwagali.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\Program Files\Trend Micro\HijackThis\backups\backup-20090104-132809-891.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINNT\system32\limereju.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
******HJT******
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:07:57 PM, on 1/4/2009
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\WINNT\System32\svchost.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Trend Micro\HijackThis\LojackThat.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp/defaults/sb/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp/defaults/sp/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by DellEPro
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;127.0.0.1;<local>
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [vptray] C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - .DEFAULT User Startup: discfix.lnk = C:\DELL\discfix.cmd (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {BCE152BE-541A-4DC6-B640-9AED4FA245EF} (CAutoLogout Object) - http://clientrsim.radiantsystems.com/11.020.0030.00/PE/ClientDownloads/WaveUIExt.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{8D3C594B-7232-45B9-B9D6-2F45B10F855D}: NameServer = 10.1.10.1
O20 - AppInit_DLLs: mujemele.dll
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Unknown owner - C:\Program Files\Norton AntiVirus\navapsvc.exe (file missing)
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\System32\HPZipm12.exe
--
End of file - 3945 bytes
Thanks again!
shelf life
2009-01-05, 00:26
hi,
ok thanks for the info. we will use hjt now;
start HJT, click the "Scan" button. check the items below, close any open windows, then click "Fixed checked"
O20 - AppInit_DLLs: mujemele.dll
reboot post a new hjt log.
do you have active updated antivirus on your computer/
Check MBAM for updates and do another full scan and post the log.
kr8nblue
2009-01-05, 04:31
Hey,
I ran hjt and removed the specified line, rebooted and the log is below. I updated MBAM & ran it also. The log is below.
In terms of antivirus, I run Symantec daily -- it is updated regularly. I also run Spybot weekly -- it is also regularly updated.
HJT:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:58:03 PM, on 1/4/2009
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\WINNT\System32\svchost.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Trend Micro\HijackThis\LojackThat.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp/defaults/sb/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp/defaults/sp/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by DellEPro
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;127.0.0.1;<local>
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [vptray] C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - .DEFAULT User Startup: discfix.lnk = C:\DELL\discfix.cmd (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {BCE152BE-541A-4DC6-B640-9AED4FA245EF} (CAutoLogout Object) - http://clientrsim.radiantsystems.com/11.020.0030.00/PE/ClientDownloads/WaveUIExt.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{8D3C594B-7232-45B9-B9D6-2F45B10F855D}: NameServer = 10.1.10.1
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Unknown owner - C:\Program Files\Norton AntiVirus\navapsvc.exe (file missing)
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\System32\HPZipm12.exe
--
End of file - 3909 bytes
******MBAM*******
Malwarebytes' Anti-Malware 1.32
Database version: 1616
Windows 5.0.2195 Service Pack 4
1/4/2009 9:29:49 PM
mbam-log-2009-01-04 (21-29-49).txt
Scan type: Full Scan (C:\|E:\|)
Objects scanned: 83936
Time elapsed: 27 minute(s), 25 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
shelf life
2009-01-05, 04:53
hi,
ok good. that all looks ok to me. keep MBAM and always check for updates before scanning with it. The paid version offers auto updating and real time protection. if all is good on your end, some tips for you:
Reducing Your Risk To Malware:
The Short Version:
1) Keep your OS (http://update.microsoft.com/microsoftupdate/v6/default.aspx?ln=en-us),(Windows) browser (IE, FireFox) and other Software (http://secunia.com/vulnerability_scanning/online/) up to date to "patch" vulnerabilities. Always install Service Packs.
2) Know what you are installing to your computer. Alot of software can come bundled with unwanted add-ons.You may be installing more than you think.
3) Install and keep them all updated: one antivirus and two or three anti-malware applications. If not updated they will soon be worthless.
4) Refrain from clicking on links or attachments you receive via E-Mail, IM, Chat Rooms or Social Sites, no matter how tempting or legitimate the message.
5) Don't click on ads/pop ups or offers from websites requesting that you need to install software to your computer.
6) Don't click on offers to "scan" your computer. Install ActiveX Objects with care. Do you trust the website?
7) Set up and use limited accounts for everyday use, rather than administrator accounts. Limited accounts (http://www.microsoft.com/protect/computer/advanced/useraccount.mspx) can help prevent *malware from installing.*
8) Install a third party software firewall.
9) Consider using an alternate browser and E-mail client. Internet Explorer and OutLook Express are popular targets for malicious code because they are widely used. See also: Hardening or Securing Internet Explorer. (http://www.microsoft.com/downloads/details.aspx?FamilyID=6AA4C1DA-6021-468E-A8CF-AF4AFE4C84B2&displaylang=en)
10) If your habits include: warez, cracks etc or you install files via p2p networks then you are much more likely to encounter malicious code. Do you trust the source? Do you really need another malware source?
A longer version in link below.
Happy Safe Surfing.
kr8nblue
2009-01-05, 07:45
Thanks for everything!