Rainyday_Superstar
2009-06-17, 14:09
Before I found this forum, I deleted some registry entries and ran some fixes, but I don't really know what I'm doing.
The computer is a Dell Inspiron 8200
XP Pro
I have Spybot without TeaTimer.
Here is the HijackThis logfile:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:02:25 AM, on 6/17/2009
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Global Startup: Digital Line Detect.lnk = ?
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O20 - AppInit_DLLs: C:\WINDOWS\System32\zomutaho.dll c:\windows\system32\ c:\windows\system32\ c:\windows\system32\
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
--
End of file - 2785 bytes
And here is the Malwarebytes logfile:
Malwarebytes' Anti-Malware 1.37
Database version: 2295
Windows 5.1.2600
6/17/2009 4:00:48 AM
mbam-log-2009-06-17 (04-00-29).txt
Scan type: Quick Scan
Objects scanned: 95861
Time elapsed: 22 minute(s), 32 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 7
Registry Values Infected: 2
Registry Data Items Infected: 2
Folders Infected: 1
Files Infected: 24
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
c:\program files\podmena\podmena.dll (Trojan.Agent) -> No action taken.
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\podmena (Trojan.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\podmena (Trojan.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\podmena (Trojan.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\podmenadrv (Trojan.Downloader) -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\podmenadrv (Trojan.Downloader) -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\podmenadrv (Trojan.Downloader) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\dslcnnct (Trojan.Vundo) -> No action taken.
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\SSODL (Trojan.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\podmena (Trojan.Agent) -> No action taken.
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: dral32.dll -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
Folders Infected:
C:\Program Files\podmena (Trojan.Downloader) -> No action taken.
Files Infected:
c:\WINDOWS\system32\fufakili.dll (Trojan.Vundo.H) -> No action taken.
c:\WINDOWS\system32\ilikafuf.ini (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\dral32.dll (Trojan.Vundo.H) -> No action taken.
c:\program files\podmena\podmena.dll (Trojan.Agent) -> No action taken.
c:\WINDOWS\system32\rogumike.exe (Trojan.Downloader) -> No action taken.
c:\WINDOWS\system32\gikosiha.exe (Trojan.Downloader) -> No action taken.
c:\WINDOWS\system32\tanokoge.exe (Trojan.Downloader) -> No action taken.
c:\documents and settings\JS\local settings\temporary internet files\Content.IE5\428SR7CL\Setup%20Registry%20Defender[1].exe (Rogue.Installer) -> No action taken.
c:\documents and settings\JS\local settings\temporary internet files\Content.IE5\8IPNRFW3\srm_free_setup[1].exe (Rogue.SpywareRemover) -> No action taken.
c:\documents and settings\JS\local settings\temporary internet files\Content.IE5\NER1LXVV\pdrv[1].exe (Trojan.Dropper) -> No action taken.
c:\documents and settings\JS\local settings\temporary internet files\Content.IE5\NER1LXVV\vsm_free_setup[1].exe (Rogue.VirusRemover) -> No action taken.
c:\documents and settings\JS\local settings\temporary internet files\Content.IE5\SR85A1MJ\pin[1].exe (Trojan.LdPinch) -> No action taken.
c:\documents and settings\JS\local settings\temporary internet files\Content.IE5\UZOJN0DO\srm_free_setup[1].exe (Rogue.SpywareRemover) -> No action taken.
c:\documents and settings\all users\application data\update_free.exe (Rogue.SpywareRemover) -> No action taken.
c:\program files\podmena\podmena.sys (Trojan.Downloader) -> No action taken.
C:\WINDOWS\msmark2.dat (Worm.KoobFace) -> No action taken.
C:\WINDOWS\system32\nigobani.dll (Trojan.Vundo) -> No action taken.
c:\WINDOWS\mstre19.exe (Worm.KoobFace) -> No action taken.
C:\d45.bat (Malware.Trace) -> No action taken.
c:\WINDOWS\zaponce52621.dat (Worm.Koobface) -> No action taken.
c:\WINDOWS\zaponce52689.dat (Worm.Koobface) -> No action taken.
c:\WINDOWS\zaponce53173.dat (Worm.Koobface) -> No action taken.
c:\WINDOWS\zaponce53222.dat (Worm.Koobface) -> No action taken.
c:\WINDOWS\zaponce53290.dat (Worm.Koobface) -> No action taken.