
virtumundo issues



raddad
2009-02-17, 04:58
Hello, began having virtumundo issues last night. Spybot identified it. I followed the instructions provided; this is the hijack log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:49:08 PM, on 2/16/2009
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Hewlett-Packard\AiO\hp psc 700 series\Bin\hpobrt07.exe
C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
C:\WINDOWS\System32\hpoipm07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [AlcoholAutomount] "C:\Program Files\Alcohol Soft\Alcohol 52\axcmd.exe" /automount
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: HPAiODevice(hp psc 700 series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp psc 700 series\Bin\hpobrt07.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {1EF9F042-C2EB-4293-8213-474CAEEF531D} (TmHcmsX Control) - http://www.trendsecure.com/framework/control/en-US/activex/TmHcmsX.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1192143161053
O16 - DPF: {BE319D04-18BD-4B34-AECC-EE7CB610FCA9} (BewitchedGameClass Control) - http://download.games.yahoo.com/games/web_games/sony/bewitched/main.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} -
O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://download.games.yahoo.com/games/web_games/gamehouse/frenzy/SproutLauncher.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.com/games/popcaploader_v6.cab
O16 - DPF: {FE5B9F54-7764-4C01-89F0-4862601EE954} (DigWebHelper Class) - http://photos.msn.com/resources/neutral/controls/DigWebX2.cab?10,0,910,0
O20 - AppInit_DLLs: cscuku.dll
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe
O24 - Desktop Component 0: (no name) - C:\Documents and Settings\Rad Dad\Desktop\say_uncle3.jpg
O24 - Desktop Component 2: (no name) - C:\Documents and Settings\Rad Dad\My Documents\My Webs\Tunes.htm

--
End of file - 4333 bytes


Would appreciate some help to get rid of this (already filed a complaint with the FTC...grrrr)
thanks

raddad
2009-02-18, 18:55
Ran a Kaspersky scan and this is the result:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Wednesday, February 18, 2009
Operating System: Microsoft Windows XP Professional (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Wednesday, February 18, 2009 13:06:19
Records in database: 1811777
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - Critical Areas:
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
C:\Documents and Settings\Rad Dad\Start Menu\Programs\Startup
C:\Program Files
C:\WINDOWS

Scan statistics:
Files scanned: 43384
Threat name: 10
Infected objects: 30
Suspicious objects: 0
Duration of the scan: 01:54:53


File name / Threat name / Threats count
C:\WINDOWS\system32\cscuku.dll/C:\WINDOWS\system32\cscuku.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.jos 6
C:\WINDOWS\msagent\chars\unt32.dll/C:\WINDOWS\msagent\chars\unt32.dll Infected: not-a-virus:FraudTool.Win32.XPShield.o 2
C:\WINDOWS\system32\khfGxULd.dll/C:\WINDOWS\system32\khfGxULd.dll Infected: Trojan.Win32.Monderb.ajop 2
C:\WINDOWS\System32\cscuku.dll/C:\WINDOWS\System32\cscuku.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.jos 8
C:\Program Files\Common Files\Real\Toolbar\RealBar.dll Infected: not-a-virus:AdWare.Win32.MegaSearch.s 1
C:\Program Files\NetworkActiv PIAFCTM 1.5\NetworkActivPIAFCTMv1.5.exe Infected: not-a-virus:NetTool.Win32.Piafctm.152 1
C:\Program Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.631 1
C:\WINDOWS\system32\uraxjamm.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.jos 1
C:\WINDOWS\system32\cscuku.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.jos 1
C:\WINDOWS\system32\jutkjsym.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.jmn 1
C:\WINDOWS\system32\xkmvqx.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.jmn 1
C:\WINDOWS\system32\djtxdgyi.dll Infected: Trojan.Win32.Monder.bbwg 1
C:\WINDOWS\system32\mqkbkpwq.dll Infected: Trojan.Win32.Monder.bbwh 1
C:\WINDOWS\system32\khfGxULd.dll Infected: Trojan.Win32.Monderb.ajop 1
C:\WINDOWS\msagent\chars\unt32.dll Infected: not-a-virus:FraudTool.Win32.XPShield.o 1
C:\WINDOWS\SysNotifier.exe Infected: not-a-virus:FraudTool.Win32.XPShield.d 1

The selected area was scanned.


I hope the additional information helps.

Blade81
2009-02-20, 07:30
Hi there,

Download DDS and save it to your desktop from here (http://www.techsupportforum.com/sectools/sUBs/dds) or here (http://download.bleepingcomputer.com/sUBs/dds.scr) or here (http://www.forospyware.com/sUBs/dds).
Disable any script blocker, and then double click dds.scr to run the tool.
When done, DDS will open two (2) logs:
DDS.txt
Attach.txt

Save both reports to your desktop. Post them back to your topic.

raddad
2009-02-21, 00:16
DDS (Ver_09-02-01.01) - FAT32x86
Run by Rad Dad at 17:07:40.90 on Fri 02/20/2009
Internet Explorer: 6.0.2600.0000 BrowserJavaVersion: 1.6.0_05
Microsoft Windows XP Professional 5.1.2600.0.1252.1.1033.18.511.195 [GMT -6:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
SVCHOST.EXE
SVCHOST.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Hewlett-Packard\AiO\hp psc 700 series\Bin\hpobrt07.exe
C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
C:\WINDOWS\System32\hpoipm07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
C:\PROGRA~1\MICROS~3\Office10\OUTLOOK.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Documents and Settings\Rad Dad\Desktop\dds.com

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mSearchAssistant = hxxp://www.google.com/ie
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {1cad29df-1d6d-41a2-8c55-eaa2c7edcdeb} - c:\windows\msagent\chars\unt32.dll
BHO: {2e60380c-f3ee-48e7-bde2-8540f8a89915} - c:\windows\system32\byXPIxxV.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} - c:\windows\system32\khfGxULd.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
BHO: {0117c8ec-a2cb-9d49-c6b4-fb91ed3e20ef}: {fe02e3de-19bf-4b6c-94d9-bc2ace8c7110} - c:\windows\system32\oajwhg.dll
EB: Media Band: {32683183-48a0-441b-a342-7c2a440a9478} - %SystemRoot%\System32\browseui.dll
uRun: [AlcoholAutomount] "c:\program files\alcohol soft\alcohol 52\axcmd.exe" /automount
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [CTSysVol] c:\program files\creative\sbaudigy\surround mixer\CTSysVol.exe /r
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [3ded22a2] rundll32.exe "c:\windows\system32\oeisaojx.dll",b
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpaiod~1.lnk - c:\program files\hewlett-packard\aio\hp psc 700 series\bin\hpobrt07.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office10\EXCEL.EXE/3000
IE: {c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htm
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {1EF9F042-C2EB-4293-8213-474CAEEF531D} - hxxp://www.trendsecure.com/framework/control/en-US/activex/TmHcmsX.CAB
DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1192143161053
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {BE319D04-18BD-4B34-AECC-EE7CB610FCA9} - hxxp://download.games.yahoo.com/games/web_games/sony/bewitched/main.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7}
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} - hxxp://download.games.yahoo.com/games/web_games/gamehouse/frenzy/SproutLauncher.cab
DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - hxxp://www.popcap.com/games/popcaploader_v6.cab
DPF: {FE5B9F54-7764-4C01-89F0-4862601EE954} - hxxp://photos.msn.com/resources/neutral/controls/DigWebX2.cab?10,0,910,0
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Notify: khfGxULd - khfGxULd.dll
Notify: unt32 - c:\windows\msagent\chars\unt32.dll
AppInit_DLLs: cscuku.dll oajwhg.dll
SEH: {6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} - c:\windows\system32\khfGxULd.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\byXPIxxV

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\raddad~1\applic~1\mozilla\firefox\profiles\0yk62d9i.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - component: c:\documents and settings\rad dad\application data\mozilla\firefox\profiles\0yk62d9i.default\extensions\{0b457caa-602d-484a-8fe7-c1d894a011ba}\platform\winnt_x86-msvc\components\SSSLauncher.dll
FF - component: c:\documents and settings\rad dad\application data\mozilla\firefox\profiles\0yk62d9i.default\extensions\speedtest@gotomyhelp.com\components\NetDiag.dll
FF - plugin: c:\documents and settings\all users\application data\nexonus\ngm\npNxGameUS.dll
FF - plugin: c:\documents and settings\rad dad\application data\mozilla\firefox\profiles\0yk62d9i.default\extensions\iaplayer@instantaction.com\plugins\npiaplayer.dll

============= SERVICES / DRIVERS ===============

R3 BCM42XX;Broadcom iLine10(tm) Network Adapter Driver;c:\windows\system32\drivers\bcm42xx5.sys [2007-10-11 54271]
S3 XIRLINK;Veo Mobile/Advanced Web Camera;c:\windows\system32\drivers\ucdnt.sys [2004-1-26 728083]

=============== Created Last 30 ================

2009-02-20 08:39 120 ---sh--- c:\windows\system32\xjoasieo.ini
2009-02-20 08:39 72,704 a------- c:\windows\system32\oeisaojx.dll
2009-02-20 08:36 129,024 a------- c:\windows\system32\oajwhg.dll
2009-02-20 08:36 129,024 a------- c:\windows\system32\xfdttmpg.dll
2009-02-19 08:38 120 ---sh--- c:\windows\system32\btyfyjbd.ini
2009-02-19 08:38 72,704 -------- c:\windows\system32\dbjyfytb.dll
2009-02-19 08:35 129,024 a------- c:\windows\system32\cbfrot.dll
2009-02-19 08:35 129,024 a------- c:\windows\system32\qamfmrhb.dll
2009-02-19 00:53 0 a------- c:\windows\system32\mcrh.tmp
2009-02-18 18:53 129,024 a------- c:\windows\system32\cowddd.dll
2009-02-18 18:53 129,024 a------- c:\windows\system32\tjcyjogm.dll
2009-02-18 18:50 120 ---sh--- c:\windows\system32\wbilxcun.ini
2009-02-18 06:52 129,024 a------- c:\windows\system32\duevjm.dll
2009-02-18 06:52 129,024 a------- c:\windows\system32\aicojyef.dll
2009-02-18 06:49 120 ---sh--- c:\windows\system32\qvnjlwyn.ini
2009-02-18 00:58 409,991 a------- c:\documents and settings\rad dad\XPShieldSetup.exe
2009-02-17 18:55 120 ---sh--- c:\windows\system32\qwpkbkqm.ini
2009-02-17 18:53 200,704 a------- c:\windows\SysNotifier.exe
2009-02-17 18:52 56,832 a------- c:\windows\system32\drivers\UACd.sys
2009-02-17 18:52 438,298 a------- c:\windows\system32\apbniwdf.exe
2009-02-17 18:49 129,024 a------- c:\windows\system32\tziidi.dll
2009-02-17 18:49 129,024 a------- c:\windows\system32\mywafoju.dll
2009-02-16 21:37 <DIR> --d----- c:\program files\Trend Micro
2009-02-16 20:52 120 ---sh--- c:\windows\system32\iygdxtjd.ini
2009-02-16 20:52 72,704 a------- c:\windows\system32\djtxdgyi.dll
2009-02-16 20:49 129,024 a------- c:\windows\system32\cscuku.dll
2009-02-16 20:49 129,024 a------- c:\windows\system32\uraxjamm.dll
2009-02-16 20:34 <DIR> --d----- c:\docume~1\raddad~1\applic~1\Safer Networking
2009-02-16 20:34 <DIR> --d----- c:\program files\Safer Networking
2009-02-16 10:39 58,688 a--sh--- c:\windows\system32\VxxIPXyb.ini2
2009-02-15 20:50 129,024 a------- c:\windows\system32\xkmvqx.dll
2009-02-15 20:50 129,024 a------- c:\windows\system32\jutkjsym.dll
2009-02-15 20:46 58,688 a--sh--- c:\windows\system32\VxxIPXyb.ini
2009-02-15 20:46 302,592 a------- c:\windows\system32\byXPIxxV.dll
2009-02-15 20:02 36,352 a------- c:\windows\system32\khfGxULd.dll

==================== Find3M ====================

2009-01-25 03:11 19,136 a---h--- c:\windows\system32\mlfcache.dat
2009-01-07 23:28 717,296 a------- c:\windows\system32\drivers\sptd.sys
2007-11-15 09:26 18,616 a------- c:\docume~1\raddad~1\applic~1\GDIPFONTCACHEV1.DAT
2005-05-15 23:54 4,833,824 a------- c:\program files\winamp509_full_emusic-8basic.exe

============= FINISH: 17:08:40.21 ===============

(and)


UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-02-01.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 10/10/2007 8:38:58 PM
System Uptime: 2/20/2009 6:19:54 AM (11 hours ago)

Motherboard: Intel Corporation | | D815EEA
Processor: Intel Pentium III processor | J4L1 | 996/133mhz

==== Disk Partitions =========================

A: is Removable
C: is FIXED (FAT32) - 19 GiB total, 2.856 GiB free.
D: is CDROM (CDFS)
E: is CDROM ()
F: is Removable

==== Disabled Device Manager Items =============

Class GUID: {4D36E96F-E325-11CE-BFC1-08002BE10318}
Description: Microsoft PS/2 Mouse
Device ID: ACPI\PNP0F03\4&15F50029&0
Manufacturer: Microsoft
Name: Microsoft PS/2 Mouse
PNP Device ID: ACPI\PNP0F03\4&15F50029&0
Service: i8042prt

==== System Restore Points ===================

RP354: 2/16/2009 10:42:32 AM - System Checkpoint
RP355: 2/16/2009 10:42:33 AM - System Checkpoint
RP356: 2/16/2009 10:42:37 AM - System Checkpoint
RP357: 2/16/2009 10:42:37 AM - System Checkpoint
RP358: 2/16/2009 10:42:37 AM - System Checkpoint
RP359: 2/16/2009 10:42:37 AM - System Checkpoint
RP360: 2/16/2009 10:42:38 AM - System Checkpoint
RP361: 2/16/2009 10:42:38 AM - System Checkpoint
RP362: 2/16/2009 10:42:39 AM - System Checkpoint
RP363: 2/16/2009 10:42:39 AM - System Checkpoint
RP364: 2/16/2009 10:42:39 AM - System Checkpoint
RP365: 2/16/2009 10:42:39 AM - System Checkpoint
RP366: 2/16/2009 10:42:39 AM - System Checkpoint
RP367: 2/16/2009 10:42:39 AM - System Checkpoint
RP368: 2/16/2009 10:42:40 AM - System Checkpoint
RP369: 2/16/2009 10:42:40 AM - Last known good configuration
RP370: 2/16/2009 10:43:10 AM - Last known good configuration
RP371: 2/17/2009 10:53:29 AM - System Checkpoint
RP372: 2/18/2009 11:22:30 AM - System Checkpoint
RP373: 2/19/2009 12:40:50 PM - System Checkpoint
RP374: 2/20/2009 4:12:57 PM - System Checkpoint

==== Installed Programs ======================

7-Zip 4.56 beta
Adobe Flash Player 10 Plugin
Adobe Flash Player ActiveX
Adobe Photoshop 5.0 Limited Edition
Adobe Reader 8.1.1
Adobe Shockwave Player
Apple Software Update
Cooperation
Creative MediaSource 5
Creative Software AutoUpdate
Creative Surround Mixer
Creative System Information
doPDF 5.3 printer
ERUNT 1.1j
HijackThis 2.0.2
hp psc 700 series
Index.dat Analyzer v2.0
Java(TM) 6 Update 3
Java(TM) 6 Update 5
KODAK DC3400 Software
Lunabar
Microsoft Office XP Professional with FrontPage
mIRC
Mozilla Firefox (3.0.6)
Netstorm Launcher (Console)
NVIDIA Drivers
QuickTime
RegAlyzer (OpenSBI Edition)
Sid Meier's Railroad Tycoon
Sound Blaster Audigy
Spybot - Search & Destroy
System Requirements Lab
WebFldrs XP
Windows Genuine Advantage Validation Tool (KB892130)
Windows Installer 3.1 (KB893803)
Windows Media Format Runtime
Windows XP Hotfix - KB842773
Yahoo! Messenger

==== Event Viewer Messages From Past Week ========

2/15/2009 11:53:47 PM, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service wuauserv with arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}
2/17/2009 12:52:59 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Windows Installer service to connect.
2/17/2009 12:52:59 PM, error: Service Control Manager [7000] - The Windows Installer service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.

==== End Of File ===========================
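Read against its own "Created Last 30" section, the DDS log above shows one pattern rather than a list of odd names: DLLs dropped into system32 over the previous five days are hooked into several load points at once (browser helper objects registered with no display name, Winlogon Notify, AppInit_DLLs, a ShellExecuteHook and an extra LSA authentication package), and several of them sit beside a hidden 120-byte .ini whose name is the DLL name spelled backwards (VxxIPXyb.ini next to byXPIxxV.dll, xjoasieo.ini next to oeisaojx.dll). The script below is an added example, not part of this thread or of the DDS tool. It parses excerpts copied verbatim from the log above and flags each loaded module on those three criteria; the line formats it expects are those of the DDS "Pseudo HJT Report" and "Created Last 30" sections as posted here, and treating a BHO entry that opens with a bare CLSID as "unnamed" is a heuristic of this example, not a rule.

```python
import ntpath
import re

# Excerpts copied from the DDS log posted above (load-point lines and the
# "Created Last 30" section); they are not constructed data.
SAMPLE_LOADPOINTS = r"""
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {1cad29df-1d6d-41a2-8c55-eaa2c7edcdeb} - c:\windows\msagent\chars\unt32.dll
BHO: {2e60380c-f3ee-48e7-bde2-8540f8a89915} - c:\windows\system32\byXPIxxV.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} - c:\windows\system32\khfGxULd.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
BHO: {0117c8ec-a2cb-9d49-c6b4-fb91ed3e20ef}: {fe02e3de-19bf-4b6c-94d9-bc2ace8c7110} - c:\windows\system32\oajwhg.dll
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [3ded22a2] rundll32.exe "c:\windows\system32\oeisaojx.dll",b
Notify: khfGxULd - khfGxULd.dll
Notify: unt32 - c:\windows\msagent\chars\unt32.dll
AppInit_DLLs: cscuku.dll oajwhg.dll
SEH: {6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} - c:\windows\system32\khfGxULd.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\byXPIxxV
"""

SAMPLE_CREATED = r"""
2009-02-20 08:39 120 ---sh--- c:\windows\system32\xjoasieo.ini
2009-02-20 08:39 72,704 a------- c:\windows\system32\oeisaojx.dll
2009-02-20 08:36 129,024 a------- c:\windows\system32\oajwhg.dll
2009-02-20 08:36 129,024 a------- c:\windows\system32\xfdttmpg.dll
2009-02-17 18:55 120 ---sh--- c:\windows\system32\qwpkbkqm.ini
2009-02-17 18:53 200,704 a------- c:\windows\SysNotifier.exe
2009-02-16 21:37 <DIR> --d----- c:\program files\Trend Micro
2009-02-16 20:49 129,024 a------- c:\windows\system32\cscuku.dll
2009-02-15 20:46 58,688 a--sh--- c:\windows\system32\VxxIPXyb.ini
2009-02-15 20:46 302,592 a------- c:\windows\system32\byXPIxxV.dll
2009-02-15 20:02 36,352 a------- c:\windows\system32\khfGxULd.dll
"""

# DDS line prefixes that describe a code load point.
LOAD_KINDS = ("BHO", "uRun", "mRun", "Notify", "AppInit_DLLs", "SEH", "LSA")
CREATED_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+(<DIR>|[\d,]+)\s+(\S+)\s+(.+)$")
PATH_RE = re.compile(r'[a-z]:\\[^\s",]+', re.I)        # drive-letter paths
DLL_RE = re.compile(r"\b[\w.~-]+\.dll\b", re.I)         # bare module names


def normalize(name):
    """Lower-case basename; LSA packages are listed without an extension."""
    name = ntpath.basename(name).lower()
    return name if "." in name else name + ".dll"


def modules_in(line):
    """Set of normalized module names referenced by one load-point line."""
    found = {normalize(p) for p in PATH_RE.findall(line)}
    found.update(normalize(d) for d in DLL_RE.findall(line))
    return found


def parse_load_points(text):
    """Yield (kind, raw line, modules) for each recognised load-point line."""
    for line in text.splitlines():
        kind, sep, _ = line.partition(":")
        if sep and kind in LOAD_KINDS:
            yield kind, line, modules_in(line)


def parse_created(text):
    """Map lower-case basename -> (timestamp, size) for every non-directory entry."""
    created = {}
    for line in text.splitlines():
        m = CREATED_RE.match(line)
        if m and m.group(2) != "<DIR>":
            created[ntpath.basename(m.group(4)).lower()] = (m.group(1), m.group(2))
    return created


def reversed_ini_stems(created):
    """Stems obtained by reversing the name of each .ini file: Vundo's DLL/.ini pairing."""
    return {ntpath.splitext(n)[0][::-1] for n in created if n.endswith(".ini")}


def triage(loadpoints_text, created_text):
    """Return {module: sorted reasons} for every loaded module that trips a heuristic."""
    created = parse_created(created_text)
    rev = reversed_ini_stems(created)
    flagged = {}
    for kind, line, modules in parse_load_points(loadpoints_text):
        for mod in modules:
            reasons = flagged.setdefault(mod, set())
            if mod in created:
                reasons.add("created in last 30 days")
            if ntpath.splitext(mod)[0] in rev:
                reasons.add("reversed-name .ini companion")
            if kind == "BHO" and re.match(r"BHO:\s*\{", line):
                reasons.add("unnamed BHO")
    return {mod: sorted(r) for mod, r in flagged.items() if r}


if __name__ == "__main__":
    for mod, reasons in sorted(triage(SAMPLE_LOADPOINTS, SAMPLE_CREATED).items()):
        print("%-16s %s" % (mod, ", ".join(reasons)))
```

On the excerpts above this leaves the vendor modules (AcroIEHelper.dll, SDHelper.dll, ssv.dll, NvCpl.dll) unflagged and reports the six modules that every later scan in the thread also names; unt32.dll is caught only by the unnamed-BHO rule because the DDS "Created Last 30" list does not cover c:\windows\msagent, which is a reason to keep more than one heuristic.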

Blade81
2009-02-21, 00:59
Good. Now we continue :)


Please visit this webpage for download links, and instructions for running ComboFix tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:


Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix, link (http://www.bleepingcomputer.com/forums/topic114351.html)
Remember to re-enable them afterwards.


Click Yes to allow ComboFix to continue scanning for malware.


When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt
New HijackThis log.

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.
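Before handing the machine to an automated cleaner, a practitioner usually wants to enumerate the same load points straight from the registry, because this family re-registers under fresh random names between scans (compare the AppInit_DLLs line in the first HijackThis log with the one in the DDS log). The audit below is an added example, not part of this thread or of ComboFix. It reads the registry through a small reader callable so the same code runs against a live Windows machine (through the standard winreg module) or against a recorded snapshot; the snapshot embedded here is reconstructed from the "Reg Loading Points" section of the ComboFix log posted later in this thread, the allowlist of default Windows XP Winlogon Notify subkeys is an assumption of this example, and BHO and ShellExecuteHook entries are listed without judgement so each CLSID can be vetted by hand.

```python
import sys

# Default Winlogon\Notify subkeys on Windows XP (assumption of this example);
# anything else is reported.
NOTIFY_DEFAULTS = {"crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
                   "sclgntfy", "senslogn", "termsrv", "wlballoon"}

NT_WINDOWS = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"
LSA_KEY = r"SYSTEM\CurrentControlSet\Control\Lsa"
NOTIFY_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"
BHO_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"
SEH_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks"
SECURITY_CENTER = r"SOFTWARE\Microsoft\Security Center"


def live_reader(hive, subkey):
    """Return (values dict, subkey list) for a registry key, or None if absent. Windows only."""
    import winreg
    root = {"HKLM": winreg.HKEY_LOCAL_MACHINE, "HKCU": winreg.HKEY_CURRENT_USER}[hive]
    try:
        key = winreg.OpenKey(root, subkey)
    except OSError:
        return None
    values, subkeys = {}, []
    with key:
        for enum, sink in ((winreg.EnumValue, values), (winreg.EnumKey, subkeys)):
            i = 0
            while True:
                try:
                    item = enum(key, i)
                except OSError:
                    break
                if isinstance(sink, dict):
                    sink[item[0]] = item[1]        # (name, data, type)
                else:
                    sink.append(item)
                i += 1
    return values, subkeys


# Snapshot reconstructed from the ComboFix "Reg Loading Points" output in this
# thread; the default value of a key is stored under the name "".
FAKE_REGISTRY = {
    ("HKLM", NT_WINDOWS): ({"AppInit_DLLs": "cscuku.dll vdrrgk.dll"}, []),
    ("HKLM", LSA_KEY): ({"Authentication Packages": ["msv1_0", r"c:\windows\System32\xxyvvVPG"]}, []),
    ("HKLM", NOTIFY_KEY): ({}, ["crypt32chain", "unt32", "khfGxULd"]),
    ("HKLM", NOTIFY_KEY + r"\unt32"): ({"DLLName": r"c:\windows\msagent\chars\unt32.dll"}, []),
    ("HKLM", NOTIFY_KEY + r"\khfGxULd"): ({"DLLName": "khfGxULd.dll"}, []),
    ("HKLM", BHO_KEY): ({}, ["{1CAD29DF-1D6D-41A2-8C55-EAA2C7EDCDEB}", "{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}"]),
    ("HKLM", r"SOFTWARE\Classes\CLSID\{1CAD29DF-1D6D-41A2-8C55-EAA2C7EDCDEB}\InprocServer32"):
        ({"": r"c:\windows\msagent\chars\unt32.dll"}, []),
    ("HKLM", r"SOFTWARE\Classes\CLSID\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}\InprocServer32"):
        ({"": r"c:\windows\system32\khfGxULd.dll"}, []),
    ("HKLM", SEH_KEY): ({"{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}": ""}, []),
    ("HKLM", SECURITY_CENTER): ({"AntiVirusDisableNotify": 1, "UpdatesDisableNotify": 1}, []),
}


def fake_reader(hive, subkey):
    return FAKE_REGISTRY.get((hive, subkey))


def audit(reader):
    """Return a list of (load point, detail) findings from the given reader."""
    def get(hive, subkey):
        return reader(hive, subkey) or ({}, [])

    def inproc(clsid):
        vals, _ = get("HKLM", r"SOFTWARE\Classes\CLSID\%s\InprocServer32" % clsid)
        return vals.get("", "<no InprocServer32>")

    findings = []
    values, _ = get("HKLM", NT_WINDOWS)
    for dll in str(values.get("AppInit_DLLs", "")).replace(",", " ").split():
        findings.append(("AppInit_DLLs", dll))

    values, _ = get("HKLM", LSA_KEY)
    packages = values.get("Authentication Packages", [])
    if isinstance(packages, str):
        packages = packages.split("\0")
    for pkg in packages:
        if pkg and pkg.lower() != "msv1_0":          # msv1_0 is the only default package
            findings.append(("LSA Authentication Packages", pkg))

    _, subkeys = get("HKLM", NOTIFY_KEY)
    for name in subkeys:
        if name.lower() not in NOTIFY_DEFAULTS:
            vals, _ = get("HKLM", NOTIFY_KEY + "\\" + name)
            findings.append(("Winlogon Notify", "%s -> %s" % (name, vals.get("DLLName", "?"))))

    _, subkeys = get("HKLM", BHO_KEY)
    for clsid in subkeys:
        findings.append(("BHO", "%s -> %s" % (clsid, inproc(clsid))))

    values, _ = get("HKLM", SEH_KEY)
    for clsid in values:
        findings.append(("ShellExecuteHooks", "%s -> %s" % (clsid, inproc(clsid))))

    values, _ = get("HKLM", SECURITY_CENTER)
    for name in ("AntiVirusDisableNotify", "FirewallDisableNotify", "UpdatesDisableNotify"):
        if values.get(name) == 1:                     # notifications silenced, a common rogue-AV tell
            findings.append(("Security Center", name + " = 1"))
    return findings


if __name__ == "__main__":
    reader = live_reader if sys.platform == "win32" else fake_reader
    for point, detail in audit(reader):
        print("%-28s %s" % (point, detail))
```

Run on the live machine this needs only read access to HKLM, so it is safe to execute before any removal; the value of recording the output is that a second run after cleaning shows immediately whether a load point has been re-populated under a new name, which is exactly what the two HijackThis logs in this thread show happening to AppInit_DLLs.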

raddad
2009-02-21, 02:22
ComboFix 09-02-19.01 - Rad Dad 2009-02-20 18:52:53.1 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.0.1252.1.1033.18.511.336 [GMT -6:00]
Running from: c:\documents and settings\Rad Dad\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Netscape\Netscape\plugins\npclntax.dll
c:\windows\SysNotifier.exe
c:\windows\system32\aicojyef.dll
c:\windows\system32\audwpyeq.ini
c:\windows\system32\btyfyjbd.ini
c:\windows\System32\byXPIxxV.dll
c:\windows\system32\cbfrot.dll
c:\windows\system32\cowddd.dll
c:\windows\system32\cscuku.dll
c:\windows\system32\dbjyfytb.dll
c:\windows\system32\djtxdgyi.dll
c:\windows\system32\duevjm.dll
c:\windows\system32\iygdxtjd.ini
c:\windows\system32\jutkjsym.dll
c:\windows\system32\mcrh.tmp
c:\windows\system32\mywafoju.dll
c:\windows\system32\oajwhg.dll
c:\windows\system32\oeisaojx.dll
c:\windows\system32\pdkxuikp.dll
c:\windows\system32\qamfmrhb.dll
c:\windows\system32\qeypwdua.dll
c:\windows\system32\qvnjlwyn.ini
c:\windows\system32\qwpkbkqm.ini
c:\windows\system32\tjcyjogm.dll
c:\windows\system32\tziidi.dll
c:\windows\system32\uraxjamm.dll
c:\windows\system32\vdrrgk.dll
c:\windows\system32\VxxIPXyb.ini
c:\windows\system32\VxxIPXyb.ini2
c:\windows\system32\wbilxcun.ini
c:\windows\system32\xfdttmpg.dll
c:\windows\system32\xjoasieo.ini
c:\windows\system32\xkmvqx.dll

.
((((((((((((((((((((((((( Files Created from 2009-01-21 to 2009-02-21 )))))))))))))))))))))))))))))))
.

2009-02-20 19:03 . 2009-02-20 19:04 48,128 --a------ c:\windows\system32\mlJYrrsT.dll
2009-02-18 00:58 . 2009-02-18 00:58 409,991 --a------ c:\documents and settings\Rad Dad\XPShieldSetup.exe
2009-02-17 18:52 . 2009-02-17 18:52 438,298 --a------ c:\windows\system32\apbniwdf.exe
2009-02-17 18:52 . 2009-02-17 18:52 56,832 --a------ c:\windows\system32\drivers\UACd.sys
2009-02-16 21:37 . 2009-02-16 21:37 <DIR> d-------- c:\program files\Trend Micro
2009-02-16 21:34 . 2009-02-16 21:34 <DIR> d-------- c:\program files\ERUNT
2009-02-16 20:34 . 2009-02-16 20:34 <DIR> d-------- c:\program files\Safer Networking
2009-02-16 20:34 . 2009-02-16 20:34 <DIR> d-------- c:\documents and settings\Rad Dad\Application Data\Safer Networking
2009-02-15 20:02 . 2009-02-15 20:03 36,352 --a------ c:\windows\system32\khfGxULd.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-18 01:42 --------- d-----w c:\documents and settings\All Users\Application Data\Avg7
2009-01-10 18:34 --------- d-----w c:\program files\Index.dat Analyzer
2009-01-08 17:00 19,072 ----a-w c:\documents and settings\GreenLady\Application Data\GDIPFONTCACHEV1.DAT
2009-01-08 05:39 --------- d-----w c:\program files\Alcohol Soft
2009-01-08 05:28 717,296 ----a-w c:\windows\system32\drivers\sptd.sys
2008-12-27 02:29 --------- d-----w c:\program files\2K Games
2008-12-27 02:27 --------- d-----w c:\program files\RR_tycoon
2008-12-26 03:41 --------- d-----w c:\program files\DOS
2007-11-15 15:26 18,616 ----a-w c:\documents and settings\Rad Dad\Application Data\GDIPFONTCACHEV1.DAT
2005-05-16 05:54 4,833,824 ----a-w c:\program files\winamp509_full_emusic-8basic.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1CAD29DF-1D6D-41A2-8C55-EAA2C7EDCDEB}]
2009-02-17 18:52 299008 --a------ c:\windows\msagent\chars\unt32.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6769699C-D13E-4D17-A74B-CACFAE49F670}]
2009-02-20 19:04 302592 --a------ c:\windows\System32\xxyvvVPG.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}]
2009-02-15 20:03 36352 --a------ c:\windows\system32\khfGxULd.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AlcoholAutomount"="c:\program files\Alcohol Soft\Alcohol 52\axcmd.exe" [2008-11-22 203208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 39792]
"CTSysVol"="c:\program files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe" [2005-10-31 57344]
"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2006-10-22 7700480]
"NvMediaCenter"="c:\windows\System32\NvMcTray.dll" [2006-10-22 86016]
"nwiz"="nwiz.exe" [2006-10-22 c:\windows\system32\nwiz.exe]

c:\documents and settings\GreenLady\Start Menu\Programs\Startup\
Lunabar Taskbar Icon.lnk - c:\program files\Lunabar\Lunabar.exe [2007-10-24 369664]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]
HPAiODevice(hp psc 700 series) - 1.lnk - c:\program files\Hewlett-Packard\AiO\hp psc 700 series\Bin\hpobrt07.exe [2002-04-30 487484]

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source= c:\documents and settings\Rad Dad\Desktop\say_uncle3.jpg
FriendlyName=

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\2]
Source= c:\documents and settings\Rad Dad\My Documents\My Webs\Tunes.htm
FriendlyName=

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}"= "c:\windows\system32\khfGxULd.dll" [2009-02-15 36352]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\unt32]
2009-02-17 18:52 299008 c:\windows\msagent\chars\unt32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\khfGxULd]
2009-02-15 20:03 36352 c:\windows\system32\khfGxULd.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=cscuku.dll vdrrgk.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"= ctwdm32.dll
"MSVideo"= ucdvfw.dll
"VIDC.YV12"= xl_yv12.dll
"VIDC.XJPG"= camfc.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 c:\windows\System32\xxyvvVPG

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_05\bin\jusched.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

R3 BCM42XX;Broadcom iLine10(tm) Network Adapter Driver;c:\windows\system32\drivers\bcm42xx5.sys [2007-10-11 54271]
S3 XIRLINK;Veo Mobile/Advanced Web Camera;c:\windows\system32\drivers\ucdnt.sys [2004-01-26 728083]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - ALG
*NewlyCreated* - IPNAT
.
- - - - ORPHANS REMOVED - - - -

BHO-{2E60380C-F3EE-48E7-BDE2-8540F8A89915} - c:\windows\System32\byXPIxxV.dll
BHO-{c802ed9b-5c04-4e1f-821c-f6fd52242271} - c:\windows\System32\vdrrgk.dll
HKLM-Run-3ded22a2 - c:\windows\System32\qeypwdua.dll


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office10\EXCEL.EXE/3000
IE: {{c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htm
FF - ProfilePath - c:\documents and settings\Rad Dad\Application Data\Mozilla\Firefox\Profiles\0yk62d9i.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - component: c:\documents and settings\Rad Dad\Application Data\Mozilla\Firefox\Profiles\0yk62d9i.default\extensions\{0b457cAA-602d-484a-8fe7-c1d894a011ba}\platform\WINNT_x86-msvc\components\SSSLauncher.dll
FF - component: c:\documents and settings\Rad Dad\Application Data\Mozilla\Firefox\Profiles\0yk62d9i.default\extensions\speedtest@gotomyhelp.com\components\NetDiag.dll
FF - plugin: c:\documents and settings\All Users\Application Data\NexonUS\NGM\npNxGameUS.dll
FF - plugin: c:\documents and settings\Rad Dad\Application Data\Mozilla\Firefox\Profiles\0yk62d9i.default\extensions\iaplayer@instantaction.com\plugins\npiaplayer.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-20 19:03:50
Windows 5.1.2600 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(648)
c:\windows\system32\ODBC32.dll
c:\windows\msagent\chars\unt32.dll
c:\windows\system32\khfGxULd.dll

- - - - - - - > 'lsass.exe'(704)
c:\windows\System32\dssenh.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\SYSTEM32\NVSVC32.EXE
c:\program files\ALCOHOL SOFT\ALCOHOL 52\STARWIND\STARWINDSERVICEAE.EXE
c:\windows\SYSTEM32\WDFMGR.EXE
c:\windows\SYSTEM32\DEVLDR32.EXE
c:\windows\SYSTEM32\RUNDLL32.EXE
c:\program files\HEWLETT-PACKARD\AIO\SHARED\BIN\HPOEVM07.EXE
c:\windows\SYSTEM32\HPOIPM07.EXE
c:\program files\HEWLETT-PACKARD\AIO\SHARED\BIN\HPOSTS07.EXE
c:\windows\SYSTEM32\RUNDLL32.EXE
.
**************************************************************************
.
Completion time: 2009-02-20 19:08:29 - machine was rebooted [Rad Dad]
ComboFix-quarantined-files.txt 2009-02-21 01:08:24

Pre-Run: 2,920,235,008 bytes free
Post-Run: 4,124,868,608 bytes free

177

(and)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:15:05 PM, on 2/20/2009
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Hewlett-Packard\AiO\hp psc 700 series\Bin\hpobrt07.exe
C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
C:\WINDOWS\System32\hpoipm07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [AlcoholAutomount] "C:\Program Files\Alcohol Soft\Alcohol 52\axcmd.exe" /automount
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: HPAiODevice(hp psc 700 series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp psc 700 series\Bin\hpobrt07.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {1EF9F042-C2EB-4293-8213-474CAEEF531D} (TmHcmsX Control) - http://www.trendsecure.com/framework/control/en-US/activex/TmHcmsX.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1192143161053
O16 - DPF: {BE319D04-18BD-4B34-AECC-EE7CB610FCA9} (BewitchedGameClass Control) - http://download.games.yahoo.com/games/web_games/sony/bewitched/main.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} -
O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://download.games.yahoo.com/games/web_games/gamehouse/frenzy/SproutLauncher.cab
O16 - DPF: {FE5B9F54-7764-4C01-89F0-4862601EE954} (DigWebHelper Class) - http://photos.msn.com/resources/neutral/controls/DigWebX2.cab?10,0,910,0
O20 - AppInit_DLLs: cscuku.dll vdrrgk.dll
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 52\StarWind\StarWindServiceAE.exe
O24 - Desktop Component 0: (no name) - C:\Documents and Settings\Rad Dad\Desktop\say_uncle3.jpg
O24 - Desktop Component 2: (no name) - C:\Documents and Settings\Rad Dad\My Documents\My Webs\Tunes.htm

--
End of file - 4626 bytes

(also)

received an error message box:
Run DLL
error loading c:/windows/system32/wvumedw.dll
a dynamic link library (DLL) initialization routine failed.

(in case that means anything important to this process)

Blade81
2009-02-21, 13:31
Hi,

Before we go any further you have to install Service Pack 1a (http://www.microsoft.com/downloads/details.aspx?familyid=0136E5F8-1684-4202-B2D0-C6A43430F12A&displaylang=en) on your Windows.

Post back a fresh HJT log when the service pack installation is done and then we continue :)

raddad
2009-02-21, 21:30
Damned service pack failed to install. Said something about piracy. I bought this computer at some garage sale several years ago, never had a problem with it until now. So now what?? What was that service pack supposed to do?

Blade81
2009-02-22, 14:24
Windows without a service pack is very vulnerable, meaning the risk of getting re-infected is high.

You also mentioned that the system doesn't seem to be a legit one. As posted here (http://forums.spybot.info/showpost.php?p=25290&postcount=4), since a pirated OS seems to be in question, we can't help any further with this case.