virtumonde removal assistance request

megashub

New member
I've installed HJT, renamed it to picillo21.exe, and saved the log following the instructions provided to other users. Please note, this HJT log is post-combofix.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:02:55 AM, on 11/26/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
g:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\M-Audio\Fast Track USB\MAUSBFTInst.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\Creative\SB Live! 24-bit\Surround Mixer\CTSysVol.exe
g:\Program Files\Logitech\MouseWare\system\em_exec.exe
G:\Program Files\D-Tools\daemon.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\System32\M-AudioTaskBarIcon.exe
C:\Program Files\Zune\ZuneLauncher.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
G:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
G:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
G:\Program Files\MSI\Core Center\CoreCenter.exe
G:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
g:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\piccollo21.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wm3.org/admin
O2 - BHO: (no name) - AutorunsDisabled - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - G:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - G:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [AHQInit] G:\Program Files\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SB Live! 24-bit\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [PrintServer Diagnostic] g:\Program Files\Print Server\PTP\PSDiagnostic.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "G:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [M-Audio Taskbar Icon] C:\WINDOWS\System32\M-AudioTaskBarIcon.exe
O4 - HKLM\..\Run: [Zune Launcher] "C:\Program Files\Zune\ZuneLauncher.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "g:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [SpybotSD TeaTimer] G:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Steam] "G:\Program Files\Steam\Steam.exe" -silent
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: CoreCenter.lnk = G:\Program Files\MSI\Core Center\CoreCenter.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15015/CTSUEng.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1099544219375
O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - http://www-307.ibm.com/pc/support/IbmEgath.cab
O16 - DPF: {82774781-8F4E-11D1-AB1C-0000F8773BF0} (DLC Class) - http://transfers.one.microsoft.com/FTM/TransferSource/grTransferCtrl.cab
O16 - DPF: {CAFEEFAC-0014-0002-0005-ABCDEFFEDCBA} (Java Plug-in 1.4.2_05) -
O16 - DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} (Java Plug-in 1.6.0_01) -
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/web_games/popcap/bejeweled2/popcaploader_v6.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15014/CTPID.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{0475DA5C-6870-484A-9D52-F73B9BC4E593}: NameServer = 68.2.16.245,68.2.16.30,68.6.16.30,4.2.2.2
O17 - HKLM\System\CCS\Services\Tcpip\..\{0F930461-A262-4E4D-BF47-46BEF45E5E7D}: NameServer = 4.2.2.2
O17 - HKLM\System\CCS\Services\Tcpip\..\{691E223C-1369-4963-BC5D-797E3C31D20F}: NameServer = 4.2.2.1,4.2.2.2,4.2.2.3,4.2.2.4,4.2.2.5,4.2.2.6,68.105.28.12,24.248.131.27
O17 - HKLM\System\CS1\Services\Tcpip\..\{0475DA5C-6870-484A-9D52-F73B9BC4E593}: NameServer = 68.2.16.245,68.2.16.30,68.6.16.30,4.2.2.2
O17 - HKLM\System\CS3\Services\Tcpip\..\{0475DA5C-6870-484A-9D52-F73B9BC4E593}: NameServer = 68.2.16.245,68.2.16.30,68.6.16.30,4.2.2.2
O20 - Winlogon Notify: AutorunsDisabled - C:\WINDOWS\
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - g:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: M-Audio Fast Track Installer (FastTrackInstallerService) - Avid Technology, Inc. - C:\Program Files\M-Audio\Fast Track USB\MAUSBFTInst.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 8106 bytes


I've also run ComboFix, within safe mode (without networking support), and have provided its log below.


ComboFix 07-11-19.3 - Bob 2007-11-23 11:18:06.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.746 [GMT -7:00]
Running from: C:\Documents and Settings\Bob\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\xloadnet
C:\WINDOWS\system32\crosof~1.net
C:\WINDOWS\system32\kojximay.dll
C:\WINDOWS\system32\mafksedo.dll
C:\WINDOWS\system32\nixqntnt.dll
C:\WINDOWS\system32\rwygdsur.dll
C:\WINDOWS\system32\ugqshbpb.dll
C:\WINDOWS\system32\uumqjivr.dll

.
((((((((((((((((((((((((( Files Created from 2007-10-23 to 2007-11-23 )))))))))))))))))))))))))))))))
.

2007-11-23 10:53 188,416 --a------ C:\WINDOWS\system32\vbalexpbar.ocx
2007-11-23 10:53 83,968 --a------ C:\WINDOWS\system32\vbaliml.ocx
2007-11-23 10:53 74,752 --a------ C:\WINDOWS\system32\vbalarlb.ocx
2007-11-23 10:53 53,248 --a------ C:\WINDOWS\system32\zlib.dll
2007-11-23 10:53 29,696 --a------ C:\WINDOWS\system32\ssubtmr.dll
2007-11-19 23:34 <DIR> d-------- C:\Documents and Settings\Bob\Application Data\Ahead
2007-11-15 19:39 <DIR> d-------- C:\Documents and Settings\Bob\Application Data\Yahoo! Messenger
2007-11-12 23:36 <DIR> d-------- C:\Documents and Settings\Bob\Application Data\OpenOffice.org2
2007-11-12 23:27 3,564,584 --a------ C:\Program Files\procexp.exe
2007-11-11 17:42 93,184 --a------ C:\Documents and Settings\Bob\iexplore.exe
2007-11-11 13:59 <DIR> d-------- C:\WINDOWS\524228C9826F4B589E474F2E5C7E9F45.TMP
2007-11-11 13:59 <DIR> d-------- C:\Documents and Settings\Bob\Application Data\minuscule
2007-11-06 17:02 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\TechSmith
2007-11-06 17:01 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-11-02 17:17 <DIR> d-------- C:\Program Files\uTorrent
2007-11-02 17:17 <DIR> d-------- C:\Documents and Settings\Bob\Application Data\uTorrent
2007-10-29 01:49 <DIR> d-------- C:\Program Files\Common Files\Macrovision Shared
2007-10-29 01:40 <DIR> d-------- C:\Program Files\Serious Magic
2007-10-25 00:05 1,544,542 --a------ C:\WINDOWS\system32\avcodec.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-23 11:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\Avg7
2007-11-22 00:48 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-11-21 17:16 --------- d-----w C:\Documents and Settings\Bob\Application Data\AVG7
2007-11-20 06:33 --------- d-----w C:\Program Files\Common Files\Ahead
2007-11-17 21:52 --------- d-----w C:\Program Files\Java
2007-11-17 01:05 --------- d-----w C:\Documents and Settings\Bob\Application Data\AdobeUM
2007-11-11 20:59 --------- d-----w C:\Documents and Settings\Bob\Application Data\dvdcss
2007-10-29 08:48 --------- d-----w C:\Program Files\Common Files\Adobe
2007-10-19 22:39 --------- d-----w C:\Documents and Settings\Bob\Application Data\MPEG Streamclip
2007-10-19 22:36 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2007-10-19 16:52 --------- d-----w C:\Documents and Settings\Bob\Application Data\Viewpoint
2007-10-18 21:52 --------- d-----w C:\Program Files\Microsoft.NET
2007-10-12 22:03 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL OCP
2007-10-12 22:02 --------- d-----w C:\Program Files\AIM6
2007-10-12 22:02 --------- d-----w C:\Documents and Settings\Bob\Application Data\acccore
2007-10-12 22:02 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2007-10-12 21:58 --------- d-----w C:\Program Files\Viewpoint
2007-10-12 21:58 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2007-10-12 21:57 --------- d-----w C:\Program Files\Common Files\AOL
2007-10-12 21:51 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo!
2007-10-12 21:38 --------- d-----w C:\Program Files\Yahoo!
2007-10-12 07:34 --------- d-----w C:\Program Files\MSXML 6.0
2007-10-11 20:07 --------- d-----w C:\Program Files\Zune
2007-10-11 20:06 --------- d-----w C:\Program Files\DIFX
2007-10-11 20:06 --------- d-----w C:\Program Files\Common Files\ComponentOne
2007-10-08 20:42 --------- d-----w C:\Program Files\Resource Kit
2007-10-06 22:57 --------- d-----w C:\Documents and Settings\Bob\Application Data\PCF-VLC
2007-10-06 22:53 --------- d-----w C:\Documents and Settings\Bob\Application Data\Participatory Culture Foundation
2007-10-06 20:21 --------- d-----w C:\Documents and Settings\Bob\Application Data\TVU Networks
2007-09-30 23:00 --------- d-----w C:\Documents and Settings\Bob\Application Data\FlashFXP
2007-09-26 18:35 --------- d-----w C:\Documents and Settings\Bob\Application Data\InstallShield
2007-08-31 12:36 72,138 ----a-w C:\Program Files\procexp.chm
2007-04-18 18:37 1,399,673 --sh--w C:\WINDOWS\system32\nqtss.bak1
2007-04-18 21:45 1,399,726 --sh--w C:\WINDOWS\system32\nqtss.bak2
2007-04-18 22:43 1,399,953 --sh--w C:\WINDOWS\system32\nqtss.ini2
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="G:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2005-05-31 01:04]
"Aim6"="" []
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 09:24]
"Steam"="G:\Program Files\Steam\Steam.exe" [2007-11-21 18:14]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [2000-05-11 01:00]
"AHQInit"="G:\Program Files\Creative\SBLive\Program\AHQInit.exe" [2001-05-10 09:49]
"nwiz"="nwiz.exe" [2007-09-17 01:07 C:\WINDOWS\system32\nwiz.exe]
"Logitech Utility"="Logi_MwX.Exe" [2003-11-07 02:50 C:\WINDOWS\LOGI_MWX.EXE]
"NvCplDaemon"="RUNDLL32.exe" [2004-08-04 00:56 C:\WINDOWS\system32\rundll32.exe]
"P17Helper"="Rundll32 P17.dll" []
"CTSysVol"="C:\Program Files\Creative\SB Live! 24-bit\Surround Mixer\CTSysVol.exe" [2003-09-17 10:43]
"REGSHAVE"="C:\Program Files\REGSHAVE\REGSHAVE.exe" [2002-02-04 22:32]
"PrintServer Diagnostic"="g:\Program Files\Print Server\PTP\PSDiagnostic.exe" []
"DAEMON Tools-1033"="G:\Program Files\D-Tools\daemon.exe" [2004-08-22 17:05]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-10-22 08:18]
"M-Audio Taskbar Icon"="C:\WINDOWS\System32\M-AudioTaskBarIcon.exe" [2006-04-04 14:42]
"Zune Launcher"="C:\Program Files\Zune\ZuneLauncher.exe" [2007-03-14 17:03]
"NvMediaCenter"="RUNDLL32.exe" [2004-08-04 00:56 C:\WINDOWS\system32\rundll32.exe]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]
"NWEReboot"="" []
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 16:40]
"!AVG Anti-Spyware"="g:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 02:25]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-10-22 08:18]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\AutorunsDisabled]
C:\WINDOWS\system32\sstqn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\xloadnet]
C:\Program Files\xloadnet\xloadnet.exe

R2 X4HSX32;X4HSX32;\??\g:\Program Files\GameTap\bin\Release\X4HSX32.Sys
R3 MAUSBFT;Service for M-Audio Fast Track USB (WDM);C:\WINDOWS\system32\DRIVERS\mausbft.sys
R3 P17;Sound Blaster Live! 24-bit;C:\WINDOWS\system32\drivers\P17.sys
R3 PCAlertDriver;PCAlertDriver;\??\G:\Program Files\MSI\Core Center\NTGLM7X.sys
R3 RushTopDevice;RushTopDevice;\??\G:\Program Files\MSI\Core Center\RushTop.sys
S3 cur_bus;Curitel USB Composite Device driver (WDM);C:\WINDOWS\system32\DRIVERS\cur_bus.sys
S3 cur_mdfl;Curitel Packet Service Filter;C:\WINDOWS\system32\DRIVERS\cur_mdfl.sys
S3 cur_mdm;Curitel Packet Service Drivers;C:\WINDOWS\system32\DRIVERS\cur_mdm.sys
S3 cur_serd;Curitel Packet Service Diagnostic Serial Port (WDM);C:\WINDOWS\system32\DRIVERS\cur_serd.sys
S3 MA763010;M-Audio Fast Track;C:\WINDOWS\system32\drivers\MA763010.sys
S3 NPF;NetGroup Packet Filter Driver;C:\WINDOWS\system32\drivers\npf.sys
S3 SetupNTGLM7X;SetupNTGLM7X;\??\D:\NTGLM7X.sys
S3 Udisusrvawfi;Udisusrvawfi;C:\WINDOWS\system32\drivers\ati1pdxx.sys
S3 Usblink;Usblink Driver;C:\WINDOWS\system32\Drivers\ulink.sys
S3 USBNET_XP;Instant Wireless XP USB Network Adapter ver.2.6 Driver;C:\WINDOWS\system32\DRIVERS\netusbxp.sys
S3 VNic;ULan Network Driver Module;C:\WINDOWS\system32\DRIVERS\VNic.sys
S3 WCG200BXP;Linksys WCG200 Wireless-G Cable Gateway(B);C:\WINDOWS\system32\DRIVERS\WCGBXP.sys

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4412b128-02f4-11da-bc25-0002b34c634f}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe maskrider2001.vbs

.
**************************************************************************

catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-23 11:23:57
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************
.
Completion time: 2007-11-23 11:25:55 - machine was rebooted
.
--- E O F ---
 
Kaspersky Scan issues

I would have also included the Kaspersky Labs scanner results, but their online scanner isn't able to download daily.avc from any of the kaspersky-labs.com ftp servers, so it eventually fails out with this pop-up error message:

"Update process FAILED. No further antivirus actions can be performed!

Attention, you must be online to activate Kaspersky Online Scanner, since the latest Anti-Virus bases version must be downloaded prior to scan. Otherwise we cannot guarantee detection of latest viruses. [21]"

Internet Explorer is allowed via Windows Firewall, and it downloads the application itself and 92% of the virus definitions before failing. I'll keep trying it, and if it eventually completes, I will post the results.
 
Hello and welcome to the forums

My name is Katana and I will be helping you to remove any infection(s) that you may have.

Please observe these rules while we work:
1. If you don't know, stop and ask! Don't keep going on.
2. Please reply to this thread. Do not start a new topic.
3. Please continue to respond until I give you the "All Clear"
(Just because you can't see a problem doesn't mean it isn't there)

If you can do those three things, everything should go smoothly :D

I apologize for the delay in responding, but as you can probably see the forums are quite busy
and helpers look for posts with zero replies.
Unfortunately there are far more people needing help than there are helpers.

Please post a fresh Hijack This log to this thread.
I will be notified and I will get back to you ASAP.
 
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:06:59 PM, on 12/1/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
g:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\M-Audio\Fast Track USB\MAUSBFTInst.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\Creative\SB Live! 24-bit\Surround Mixer\CTSysVol.exe
g:\Program Files\Logitech\MouseWare\system\em_exec.exe
G:\Program Files\D-Tools\daemon.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\System32\M-AudioTaskBarIcon.exe
C:\Program Files\Zune\ZuneLauncher.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
G:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
G:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Messenger\msmsgs.exe
G:\Program Files\MSI\Core Center\CoreCenter.exe
C:\Program Files\uTorrent\uTorrent.exe
G:\Program Files\Winamp\Winamp.exe
C:\WINDOWS\system32\CPdeSrvU.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\zstatus.exe
G:\PROGRA~1\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\piccollo21.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wm3.org/admin
O2 - BHO: (no name) - AutorunsDisabled - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - G:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - G:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [AHQInit] G:\Program Files\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SB Live! 24-bit\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [PrintServer Diagnostic] g:\Program Files\Print Server\PTP\PSDiagnostic.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "G:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [M-Audio Taskbar Icon] C:\WINDOWS\System32\M-AudioTaskBarIcon.exe
O4 - HKLM\..\Run: [Zune Launcher] "C:\Program Files\Zune\ZuneLauncher.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "G:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [SpybotSD TeaTimer] G:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Steam] "G:\Program Files\Steam\Steam.exe" -silent
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: CoreCenter.lnk = G:\Program Files\MSI\Core Center\CoreCenter.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15015/CTSUEng.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1099544219375
O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - http://www-307.ibm.com/pc/support/IbmEgath.cab
O16 - DPF: {82774781-8F4E-11D1-AB1C-0000F8773BF0} (DLC Class) - http://transfers.one.microsoft.com/FTM/TransferSource/grTransferCtrl.cab
O16 - DPF: {CAFEEFAC-0014-0002-0005-ABCDEFFEDCBA} (Java Plug-in 1.4.2_05) -
O16 - DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} (Java Plug-in 1.6.0_01) -
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/web_games/popcap/bejeweled2/popcaploader_v6.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15014/CTPID.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{0475DA5C-6870-484A-9D52-F73B9BC4E593}: NameServer = 68.2.16.245,68.2.16.30,68.6.16.30,4.2.2.2
O17 - HKLM\System\CCS\Services\Tcpip\..\{0F930461-A262-4E4D-BF47-46BEF45E5E7D}: NameServer = 4.2.2.2
O17 - HKLM\System\CCS\Services\Tcpip\..\{691E223C-1369-4963-BC5D-797E3C31D20F}: NameServer = 4.2.2.1,4.2.2.2,4.2.2.3,4.2.2.4,4.2.2.5,4.2.2.6,68.105.28.12,24.248.131.27
O17 - HKLM\System\CS1\Services\Tcpip\..\{0475DA5C-6870-484A-9D52-F73B9BC4E593}: NameServer = 68.2.16.245,68.2.16.30,68.6.16.30,4.2.2.2
O17 - HKLM\System\CS3\Services\Tcpip\..\{0475DA5C-6870-484A-9D52-F73B9BC4E593}: NameServer = 68.2.16.245,68.2.16.30,68.6.16.30,4.2.2.2
O20 - Winlogon Notify: AutorunsDisabled - C:\WINDOWS\
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - g:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: M-Audio Fast Track Installer (FastTrackInstallerService) - Avid Technology, Inc. - C:\Program Files\M-Audio\Fast Track USB\MAUSBFTInst.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 8280 bytes
 
Disable Teatimer
First step:
  • Right-click the Spybot Icon in the System Tray (looks like a blue/white calendar with a padlock symbol)
  • If you have the new version 1.5, click once on Resident Protection, then right-click the Spybot icon again and make sure Resident Protection is now unchecked. The Spybot icon in the System Tray should now be colorless.
  • If you have Version 1.4, Click on Exit Spybot S&D Resident
Second step, for either version:
  • Open Spybot S&D
  • Click Mode, choose Advanced Mode
  • Go To the bottom of the Vertical Panel on the Left, Click Tools
  • Then, also in the left panel, click Resident (it shows a red/white shield).
  • If your firewall raises a question, say OK
  • In the Resident protection status frame, Uncheck the box labeled Resident "Tea-Timer"(Protection of over-all system settings) active
  • OK any prompts.
  • Use File, Exit to terminate Spybot
  • Reboot your machine for the changes to take effect.


Fix With HJT
Close all other windows and then start HiJack This
Click Do A System Scan Only
When it has finished scanning put a check next to the following lines
O2 - BHO: (no name) - AutorunsDisabled - (no file)
O16 - DPF: {CAFEEFAC-0014-0002-0005-ABCDEFFEDCBA} (Java Plug-in 1.4.2_05) -
O16 - DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} (Java Plug-in 1.6.0_01) -
O20 - Winlogon Notify: AutorunsDisabled - C:\WINDOWS\
- Close ALL open windows (especially Internet Explorer!)-
Now click Fix checked
Click yes to any prompts
Close HijackThis


Submit a File For Analysis
We need to have the files below Scanned by Uploading them/it to Virus Total

Please visit Virustotal
Copy/paste the following file path into the window
C:\Documents and Settings\Bob\iexplore.exe
Click Submit/Send File
Please post back, to let me know the results.

Please do the same for the following file
C:\WINDOWS\524228C9826F4B589E474F2E5C7E9F45.TMP

If Virustotal is too busy please try Jotti

Custom CFScript
  • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

    Code:
    File::
    C:\WINDOWS\system32\nqtss.bak1
    C:\WINDOWS\system32\nqtss.bak2
    C:\WINDOWS\system32\nqtss.ini2
    C:\WINDOWS\system32\sstqn.dll
    C:\WINDOWS\maskrider2001.vbs
    Folder::
    C:\Program Files\xloadnet
    
    Registry::
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Aim6"=-
    
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "UpdReg"=-
    "REGSHAVE"=-
    "NWEReboot"=-
    
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\xloadnet]
    
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4412b128-02f4-11da-bc25-0002b34c634f}]
  • Save this as CFScript.txt and place it on your desktop.


    CFScript.gif


  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it will produce a log for you. Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.


Something went wrong with that Kaspersky log, and it is virtually unreadable.
You will need to do it again, but first I suggest that you empty the following folders using Thunderbird
mail.visionman.com\Inbox
mail.wm3.org\Inbox
pop.cableaz.com\Inbox
mail.visionman.com\Sent
mail.wm3.org\Sent
pop.cableaz.com\Junk
pop.cableaz.com\Saved Mail <<<< (anything from 8 April 2005)

You also have infected mail in
G:\Storage\oldc
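The four HijackThis lines marked for fixing above share one feature: their target is missing (a BHO listed as (no file), two DPF entries with no download URL, and a Winlogon Notify entry that points at a bare directory). The Python below is an added example, not code from this thread, from HijackThis or from ComboFix: it parses HijackThis-style lines into records, flags entries whose target is missing, and lists entries that appear in a newer log but not in an older one (the 12/1 log above differs from the 11/26 log by one DPF line). The sample lines are a subset copied from the two logs posted in this thread; the function and class names are my own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Sample HijackThis lines (a subset, copied from the 11/26 log posted in this thread).
LOG_NOV26 = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wm3.org/admin
O2 - BHO: (no name) - AutorunsDisabled - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKCU\..\Run: [SpybotSD TeaTimer] G:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15015/CTSUEng.cab
O16 - DPF: {CAFEEFAC-0014-0002-0005-ABCDEFFEDCBA} (Java Plug-in 1.4.2_05) -
O16 - DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} (Java Plug-in 1.6.0_01) -
O20 - Winlogon Notify: AutorunsDisabled - C:\WINDOWS\
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

# The 12/1 log adds one DPF entry (the Kaspersky online-scanner control), also copied from the thread.
LOG_DEC1 = LOG_NOV26 + r"""O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
"""

# A HijackThis entry starts with a section code (R0, O2, O16, F2, ...) followed by " - ".
LINE_RE = re.compile(r"^([ROF]\d+)\s+-\s+(.*)$")


@dataclass
class HjtEntry:
    section: str  # e.g. "O2", "O16", "O20"
    body: str     # text after the "Onn - " prefix

    def line(self) -> str:
        return f"{self.section} - {self.body}"

    def target(self) -> Optional[str]:
        """The entry's file path or URL, or None when the line carries no such field."""
        if self.section == "O4":
            # O4 lines look like "HKLM\..\Run: [Name] <command>"; the command is the target.
            _, sep, rest = self.body.partition("] ")
            return rest.strip() if sep else None
        # Other sections separate fields with " - "; a trailing " -" means an empty target.
        parts = re.split(r"\s-\s|\s-$", self.body)
        return parts[-1].strip() if len(parts) > 1 else None


def parse_hjt(text: str) -> List[HjtEntry]:
    """Extract the Rn/On/Fn entries from a HijackThis log, ignoring header and process lines."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            entries.append(HjtEntry(m.group(1), m.group(2)))
    return entries


def missing_target(e: HjtEntry) -> Optional[str]:
    """Return a reason string when the entry's target is absent or unusable, else None."""
    t = e.target()
    if t is None:
        return None  # nothing to judge (e.g. an R0 start-page line)
    if t == "":
        return "empty target"
    if "(no file)" in t:
        return "no file on disk"
    if t.endswith("\\"):
        return "target is a directory, not a file"
    if e.section == "O16" and not t.lower().startswith("http"):
        return "DPF entry without a download URL"
    return None


def triage(text: str) -> List[Tuple[str, str]]:
    """(line, reason) for every entry in the log whose target is missing."""
    result = []
    for e in parse_hjt(text):
        reason = missing_target(e)
        if reason:
            result.append((e.line(), reason))
    return result


def added_entries(old_text: str, new_text: str) -> List[str]:
    """Entries present in the newer log but not in the older one (new autostarts, BHOs, DPFs)."""
    old = {e.line() for e in parse_hjt(old_text)}
    return [e.line() for e in parse_hjt(new_text) if e.line() not in old]


if __name__ == "__main__":
    for line, reason in triage(LOG_NOV26):
        print(f"[{reason}] {line}")
    for line in added_entries(LOG_NOV26, LOG_DEC1):
        print(f"[new since previous log] {line}")
```

Run against the sample, the triage flags exactly the four lines fixed with HJT above, and the log comparison reports only the Kaspersky DPF entry that appeared between the two logs, which is the sort of change a helper looks for when asking for a fresh log.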
 
Disable Teatimer
First step:
  • Right-click the Spybot Icon in the System Tray (looks like a blue/white calendar with a padlock symbol)
  • If you have the new version 1.5, click once on Resident Protection, then right-click the Spybot icon again and make sure Resident Protection is now unchecked. The Spybot icon in the System Tray should now be colorless.
  • If you have Version 1.4, Click on Exit Spybot S&D Resident

You asked that I report anything that's inconsistent with the instructions instead of continuing onward.

Currently, the Spybot system tray icon is not present at all. I haven't manually closed Spybot, but Teatimer is still running in my Processes list. How would you like me to proceed? Shall I manually End Task on Tea Timer? I await your instructions.

Thanks for your assistance!!

Bob
 
Disabled Spybot/TeaTimer as instructed.

Fixed the items you specified using HJT, as instructed.

Virustotal results:
\bob\Iexplore.exe:
Webwasher-Gateway: BlockReason.0
MD5: e7484514c0464642be7b4dc2689354c8

The .TMP file is actually a folder, containing 3 files, all of which I scanned with Virustotal. They are clean. (let me know if you'd like the filenames)


Combofix results:

ComboFix 07-12-02.5 - Bob 2007-12-02 14:21:32.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.648 [GMT -7:00]
Running from: C:\Documents and Settings\Bob\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Bob\Desktop\CFScript.txt
* Created a new restore point

FILE
C:\WINDOWS\maskrider2001.vbs
C:\WINDOWS\system32\nqtss.bak1
C:\WINDOWS\system32\nqtss.bak2
C:\WINDOWS\system32\nqtss.ini2
C:\WINDOWS\system32\sstqn.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\nqtss.bak1
C:\WINDOWS\system32\nqtss.bak2
C:\WINDOWS\system32\nqtss.ini2

.
((((((((((((((((((((((((( Files Created from 2007-11-02 to 2007-12-02 )))))))))))))))))))))))))))))))
.

2007-12-02 13:52 . 2007-12-02 13:52 <DIR> d-------- C:\WINDOWS\LastGood
2007-12-02 13:52 . 2007-12-02 13:52 <DIR> d-------- C:\Program Files\Sierra Wireless
2007-12-02 13:52 . 2004-07-21 11:40 17,920 --a------ C:\WINDOWS\system32\apintfnt.dll
2007-12-02 13:51 . 2007-12-02 13:51 <DIR> d-------- C:\WINDOWS\Sierra
2007-11-28 19:00 . 2007-11-28 19:00 <DIR> d-------- C:\Documents and Settings\Bob\Application Data\Sibelius Software
2007-11-26 01:50 . 2007-11-26 01:50 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-11-26 01:50 . 2007-11-26 01:50 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-11-26 01:01 . 2007-11-26 01:01 <DIR> d-------- C:\Program Files\Trend Micro
2007-11-23 10:53 . 1997-01-16 00:00 958,224 --a------ C:\WINDOWS\system32\mschart.ocx
2007-11-23 10:53 . 2000-05-22 16:58 608,448 --a------ C:\WINDOWS\system32\comctl32.ocx
2007-11-23 10:53 . 2003-11-11 20:47 188,416 --a------ C:\WINDOWS\system32\vbalexpbar.ocx
2007-11-23 10:53 . 1998-11-11 11:26 114,176 --a------ C:\WINDOWS\system32\ccrpdtp.ocx
2007-11-23 10:53 . 2003-04-01 08:33 83,968 --a------ C:\WINDOWS\system32\vbaliml.ocx
2007-11-23 10:53 . 2003-07-04 23:27 74,752 --a------ C:\WINDOWS\system32\vbalarlb.ocx
2007-11-23 10:53 . 2002-03-13 16:46 53,248 --a------ C:\WINDOWS\system32\zlib.dll
2007-11-23 10:53 . 2003-01-22 20:37 29,696 --a------ C:\WINDOWS\system32\ssubtmr.dll
2007-11-19 23:34 . 2007-11-25 15:17 <DIR> d-------- C:\Documents and Settings\Bob\Application Data\Ahead
2007-11-19 16:00 . 2004-05-26 21:37 719,872 --a------ C:\WINDOWS\system32\devil.dll
2007-11-19 16:00 . 2003-03-19 11:03 544,768 --a------ C:\WINDOWS\system32\msvcr71d.dll
2007-11-19 16:00 . 2006-09-16 19:44 314,368 --a------ C:\WINDOWS\system32\avisynth.dll
2007-11-15 19:39 . 2007-11-15 19:39 <DIR> d-------- C:\Documents and Settings\Bob\Application Data\Yahoo! Messenger
2007-11-12 23:36 . 2007-11-21 15:48 <DIR> d-------- C:\Documents and Settings\Bob\Application Data\OpenOffice.org2
2007-11-12 23:33 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2007-11-12 23:27 . 2007-11-05 07:54 3,564,584 --a------ C:\Program Files\procexp.exe
2007-11-11 17:42 . 2004-08-04 00:56 93,184 --a------ C:\Documents and Settings\Bob\iexplore.exe
2007-11-11 13:59 . 2007-11-11 13:59 <DIR> d-------- C:\WINDOWS\524228C9826F4B589E474F2E5C7E9F45.TMP
2007-11-11 13:59 . 2007-11-11 13:59 <DIR> d-------- C:\Documents and Settings\Bob\Application Data\minuscule
2007-11-06 17:02 . 2007-11-06 17:02 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\TechSmith
2007-11-06 17:01 . 2007-11-06 17:01 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-11-02 17:17 . 2007-11-02 17:17 <DIR> d-------- C:\Program Files\uTorrent
2007-11-02 17:17 . 2007-12-02 13:07 <DIR> d-------- C:\Documents and Settings\Bob\Application Data\uTorrent

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-02 13:29 --------- d-----w C:\Documents and Settings\Bob\Application Data\AVG7
2007-12-02 11:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\Avg7
2007-12-01 19:43 --------- d-----w C:\Documents and Settings\Bob\Application Data\AdobeUM
2007-11-27 03:32 --------- d-----w C:\Documents and Settings\Bob\Application Data\dvdcss
2007-11-26 21:15 --------- d-----w C:\Documents and Settings\All Users\Application Data\DVD Shrink
2007-11-22 00:48 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-11-20 06:33 --------- d-----w C:\Program Files\Common Files\Ahead
2007-11-17 21:52 --------- d-----w C:\Program Files\Java
2007-10-29 08:49 --------- d-----w C:\Program Files\Common Files\Macrovision Shared
2007-10-29 08:48 --------- d-----w C:\Program Files\Common Files\Adobe
2007-10-29 08:40 --------- d-----w C:\Program Files\Serious Magic
2007-10-19 22:39 --------- d-----w C:\Documents and Settings\Bob\Application Data\MPEG Streamclip
2007-10-19 22:36 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2007-10-19 16:52 --------- d-----w C:\Documents and Settings\Bob\Application Data\Viewpoint
2007-10-18 21:52 --------- d-----w C:\Program Files\Microsoft.NET
2007-10-12 22:03 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL OCP
2007-10-12 22:02 --------- d-----w C:\Program Files\AIM6
2007-10-12 22:02 --------- d-----w C:\Documents and Settings\Bob\Application Data\acccore
2007-10-12 22:02 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2007-10-12 21:58 --------- d-----w C:\Program Files\Viewpoint
2007-10-12 21:58 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2007-10-12 21:57 --------- d-----w C:\Program Files\Common Files\AOL
2007-10-12 21:51 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo!
2007-10-12 21:38 --------- d-----w C:\Program Files\Yahoo!
2007-10-12 07:34 --------- d-----w C:\Program Files\MSXML 6.0
2007-10-11 20:07 --------- d-----w C:\Program Files\Zune
2007-10-11 20:06 --------- d-----w C:\Program Files\DIFX
2007-10-11 20:06 --------- d-----w C:\Program Files\Common Files\ComponentOne
2007-10-08 20:42 --------- d-----w C:\Program Files\Resource Kit
2007-10-06 22:57 --------- d-----w C:\Documents and Settings\Bob\Application Data\PCF-VLC
2007-10-06 22:53 --------- d-----w C:\Documents and Settings\Bob\Application Data\Participatory Culture Foundation
2007-10-06 20:21 --------- d-----w C:\Documents and Settings\Bob\Application Data\TVU Networks
2007-09-17 18:23 823,296 ----a-w C:\WINDOWS\system32\divx_xx0c.dll
2007-09-17 18:23 823,296 ----a-w C:\WINDOWS\system32\divx_xx07.dll
2007-09-17 18:22 802,816 ----a-w C:\WINDOWS\system32\divx_xx11.dll
2007-09-17 18:22 739,840 ----a-w C:\WINDOWS\system32\DivX.dll
2007-09-17 09:10 356,352 ----a-w C:\WINDOWS\system32\nvusmb.exe
2007-09-17 09:10 356,352 ----a-w C:\WINDOWS\system32\NVUNINST.EXE
2007-09-17 09:10 356,352 ----a-w C:\WINDOWS\system32\nvumctl.exe
2007-09-17 09:10 356,352 ----a-w C:\WINDOWS\system32\nvuide.exe
2007-09-17 09:10 356,352 ----a-w C:\WINDOWS\system32\nvugart.exe
2007-09-17 09:10 356,352 ----a-w C:\WINDOWS\system32\nvudisp.exe
2007-09-17 08:07 81,920 ----a-w C:\WINDOWS\system32\nvwddi.dll
2007-09-17 08:07 81,920 ----a-w C:\WINDOWS\system32\nvmctray.dll
2007-09-17 08:07 8,491,008 ----a-w C:\WINDOWS\system32\nvcpl.dll
2007-09-17 08:07 753,664 ----a-w C:\WINDOWS\system32\nvcplui.exe
2007-09-17 08:07 6,746,112 ----a-w C:\WINDOWS\system32\nvoglnt.dll
2007-09-17 08:07 6,344,704 ----a-w C:\WINDOWS\system32\nvdisps.dll
2007-09-17 08:07 5,783,040 ----a-w C:\WINDOWS\system32\nv4_disp.dll
2007-09-17 08:07 466,944 ----a-w C:\WINDOWS\system32\nvshell.dll
2007-09-17 08:07 45,056 ----a-w C:\WINDOWS\system32\nvmccsrs.dll
2007-09-17 08:07 442,368 ----a-w C:\WINDOWS\system32\nvappbar.exe
2007-09-17 08:07 425,984 ----a-w C:\WINDOWS\system32\keystone.exe
2007-09-17 08:07 364,544 ----a-w C:\WINDOWS\system32\nvapi.dll
2007-09-17 08:07 36,864 ----a-w C:\WINDOWS\system32\nvcodins.dll
2007-09-17 08:07 36,864 ----a-w C:\WINDOWS\system32\nvcod.dll
2007-09-17 08:07 307,200 ----a-w C:\WINDOWS\system32\nvexpbar.dll
2007-09-17 08:07 3,551,232 ----a-w C:\WINDOWS\system32\nvvitvs.dll
2007-09-17 08:07 3,334,144 ----a-w C:\WINDOWS\system32\nvgames.dll
2007-09-17 08:07 286,720 ----a-w C:\WINDOWS\system32\nvnt4cpl.dll
2007-09-17 08:07 229,376 ----a-w C:\WINDOWS\system32\nvmccs.dll
2007-09-17 08:07 2,371,584 ----a-w C:\WINDOWS\system32\nvwss.dll
2007-09-17 08:07 188,416 ----a-w C:\WINDOWS\system32\nvmccss.dll
2007-09-17 08:07 155,716 ----a-w C:\WINDOWS\system32\nvsvc32.exe
2007-09-17 08:07 147,456 ----a-w C:\WINDOWS\system32\nvcolor.exe
2007-09-17 08:07 1,703,936 ----a-w C:\WINDOWS\system32\nvwdmcpl.dll
2007-09-17 08:07 1,626,112 ----a-w C:\WINDOWS\system32\nwiz.exe
2007-09-17 08:07 1,478,656 ----a-w C:\WINDOWS\system32\nview.dll
2007-09-17 08:07 1,339,392 ----a-w C:\WINDOWS\system32\nvdspsch.exe
2007-09-17 08:07 1,150,976 ----a-w C:\WINDOWS\system32\nvmobls.dll
2007-09-17 08:07 1,019,904 ----a-w C:\WINDOWS\system32\nvwimg.dll
2007-09-11 23:14 156,992 ----a-w C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2007-08-31 12:36 72,138 ----a-w C:\Program Files\procexp.chm
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 09:24]
"Steam"="G:\Program Files\Steam\Steam.exe" [2007-11-30 00:42]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AHQInit"="G:\Program Files\Creative\SBLive\Program\AHQInit.exe" [2001-05-10 09:49]
"nwiz"="nwiz.exe" [2007-09-17 01:07 C:\WINDOWS\system32\nwiz.exe]
"Logitech Utility"="Logi_MwX.Exe" [2003-11-07 02:50 C:\WINDOWS\LOGI_MWX.EXE]
"NvCplDaemon"="RUNDLL32.exe" [2004-08-04 00:56 C:\WINDOWS\system32\rundll32.exe]
"P17Helper"="Rundll32 P17.dll" []
"CTSysVol"="C:\Program Files\Creative\SB Live! 24-bit\Surround Mixer\CTSysVol.exe" [2003-09-17 10:43]
"PrintServer Diagnostic"="g:\Program Files\Print Server\PTP\PSDiagnostic.exe" []
"DAEMON Tools-1033"="G:\Program Files\D-Tools\daemon.exe" [2004-08-22 17:05]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-10-22 08:18]
"M-Audio Taskbar Icon"="C:\WINDOWS\System32\M-AudioTaskBarIcon.exe" [2006-04-04 14:42]
"Zune Launcher"="C:\Program Files\Zune\ZuneLauncher.exe" [2007-03-14 17:03]
"NvMediaCenter"="RUNDLL32.exe" [2004-08-04 00:56 C:\WINDOWS\system32\rundll32.exe]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 16:40]
"!AVG Anti-Spyware"="G:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 02:25]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-10-22 08:18]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]

R2 X4HSX32;X4HSX32;\??\g:\Program Files\GameTap\bin\Release\X4HSX32.Sys
R3 MAUSBFT;Service for M-Audio Fast Track USB (WDM);C:\WINDOWS\system32\DRIVERS\mausbft.sys
R3 P17;Sound Blaster Live! 24-bit;C:\WINDOWS\system32\drivers\P17.sys
R3 PCAlertDriver;PCAlertDriver;\??\G:\Program Files\MSI\Core Center\NTGLM7X.sys
R3 RushTopDevice;RushTopDevice;\??\G:\Program Files\MSI\Core Center\RushTop.sys
R3 SWMX00;Sierra Wireless USB MUX Driver (#00);C:\WINDOWS\system32\DRIVERS\swmx00.sys
R3 SWNC5E00;Sierra Wireless MUX NDIS Driver (#00);C:\WINDOWS\system32\DRIVERS\SWNC5E00.sys
S3 cur_bus;Curitel USB Composite Device driver (WDM);C:\WINDOWS\system32\DRIVERS\cur_bus.sys
S3 cur_mdfl;Curitel Packet Service Filter;C:\WINDOWS\system32\DRIVERS\cur_mdfl.sys
S3 cur_mdm;Curitel Packet Service Drivers;C:\WINDOWS\system32\DRIVERS\cur_mdm.sys
S3 cur_serd;Curitel Packet Service Diagnostic Serial Port (WDM);C:\WINDOWS\system32\DRIVERS\cur_serd.sys
S3 MA763010;M-Audio Fast Track;C:\WINDOWS\system32\drivers\MA763010.sys
S3 NPF;NetGroup Packet Filter Driver;C:\WINDOWS\system32\drivers\npf.sys
S3 SetupNTGLM7X;SetupNTGLM7X;\??\D:\NTGLM7X.sys
S3 Udisusrvawfi;Udisusrvawfi;C:\WINDOWS\system32\drivers\ati1pdxx.sys
S3 Usblink;Usblink Driver;C:\WINDOWS\system32\Drivers\ulink.sys
S3 USBNET_XP;Instant Wireless XP USB Network Adapter ver.2.6 Driver;C:\WINDOWS\system32\DRIVERS\netusbxp.sys
S3 VNic;ULan Network Driver Module;C:\WINDOWS\system32\DRIVERS\VNic.sys
S3 WCG200BXP;Linksys WCG200 Wireless-G Cable Gateway(B);C:\WINDOWS\system32\DRIVERS\WCGBXP.sys

*Newly Created Service* - PROCEXP90
*Newly Created Service* - SPCSUTILITYSERVICE
.
**************************************************************************

catchme 0.3.1318 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-02 14:22:46
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-12-02 14:23:19
C:\ComboFix2.txt ... 2007-11-25 12:35
C:\ComboFix3.txt ... 2007-11-23 18:01
.
--- E O F ---


New Kaspersky scan (HTML version):
http://www.megashub.com/megashub-kaspersky.html
 
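The part of that ComboFix log the helper reads most closely is the "Reg Loading Points" block: the Run values under HKCU/HKLM and the R/S driver lines. What follows is an added example, not code from this thread or from ComboFix: a parser for those two line formats, run over an excerpt of the log above, that lists the entries a helper would eyeball first. The rules it applies are review prompts, not verdicts: a Run value with an empty `[]` (no file stamp recorded), a launch through rundll32 (the real payload is the DLL argument), a binary outside the assumed trusted roots, a driver outside system32, and a service whose name has no relation to its driver file. The trusted-roots list and the rule set are this example's own assumptions.

```python
"""Parse the "Reg Loading Points" block of a ComboFix log and list the
entries a helper would look at first.  Added example, not ComboFix's own
code.  The rules are review prompts for a human, not malware verdicts."""
from __future__ import annotations
import re
from dataclasses import dataclass

# Sample input: an excerpt of the ComboFix log posted above.
LOG = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nwiz"="nwiz.exe" [2007-09-17 01:07 C:\WINDOWS\system32\nwiz.exe]
"NvCplDaemon"="RUNDLL32.exe" [2004-08-04 00:56 C:\WINDOWS\system32\rundll32.exe]
"P17Helper"="Rundll32 P17.dll" []
"PrintServer Diagnostic"="g:\Program Files\Print Server\PTP\PSDiagnostic.exe" []
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-10-22 08:18]

R2 X4HSX32;X4HSX32;\??\g:\Program Files\GameTap\bin\Release\X4HSX32.Sys
R3 P17;Sound Blaster Live! 24-bit;C:\WINDOWS\system32\drivers\P17.sys
S3 SetupNTGLM7X;SetupNTGLM7X;\??\D:\NTGLM7X.sys
S3 Udisusrvawfi;Udisusrvawfi;C:\WINDOWS\system32\drivers\ati1pdxx.sys
S3 NPF;NetGroup Packet Filter Driver;C:\WINDOWS\system32\drivers\npf.sys
'''

KEY_RE = re.compile(r'^\[(HKEY_[^\]]+)\]$')
RUN_RE = re.compile(r'^"([^"]+)"="([^"]*)"\s*\[([^\]]*)\]$')
SVC_RE = re.compile(r'^([RS]\d)\s+([^;]+);([^;]*);(.*)$')
STAMP_RE = re.compile(r'^\d{4}-\d{2}-\d{2} \d{2}:\d{2}(?: (.+))?$')

# Assumption for this box: where autostart binaries and drivers normally live.
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\progra~1\\", "g:\\program files\\")
DRIVER_ROOT = "c:\\windows\\system32\\"


@dataclass
class RunEntry:
    key: str
    name: str
    command: str
    resolved: str | None   # path ComboFix printed inside the brackets, if any
    stamped: bool          # False when the brackets were empty


@dataclass
class Service:
    state: str             # R2/R3 running, S3 stopped
    name: str
    display: str
    path: str


def parse(log: str) -> tuple[list[RunEntry], list[Service]]:
    """Split the block into Run values (under their key) and service lines."""
    runs: list[RunEntry] = []
    services: list[Service] = []
    key = None
    for raw in log.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := KEY_RE.match(line):
            key = m.group(1)
        elif (m := RUN_RE.match(line)) and key:
            name, cmd, bracket = m.groups()
            s = STAMP_RE.match(bracket)
            runs.append(RunEntry(key, name, cmd, s.group(1) if s else None, bool(bracket)))
        elif m := SVC_RE.match(line):
            state, name, display, path = m.groups()
            services.append(Service(state, name, display, path.removeprefix("\\??\\")))
    return runs, services


def review(runs: list[RunEntry], services: list[Service]) -> list[tuple[str, str]]:
    """Return (entry name, reason) pairs; an entry may be listed more than once."""
    findings = []
    for r in runs:
        target = (r.resolved or r.command).lower()
        if not r.stamped:
            findings.append((r.name, "no file stamp recorded for the target"))
        if r.command.lower().startswith("rundll32"):
            findings.append((r.name, "launched through rundll32: check the DLL it loads"))
        if "\\" in target and not target.startswith(TRUSTED_ROOTS):
            findings.append((r.name, f"binary outside expected roots: {target}"))
    for s in services:
        stem = s.path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
        if not s.path.lower().startswith(DRIVER_ROOT):
            findings.append((s.name, f"driver outside system32: {s.path}"))
        if s.display == s.name and stem.lower() != s.name.lower():
            findings.append((s.name, f"service name does not match driver file {stem}"))
    return findings


if __name__ == "__main__":
    for name, reason in review(*parse(LOG)):
        print(f"{name:24} {reason}")
```

On the excerpt this lists P17Helper twice (empty brackets and a rundll32 launch), NvCplDaemon (rundll32), PrintServer Diagnostic (empty brackets), X4HSX32 and SetupNTGLM7X (drivers on G: and D:), and Udisusrvawfi (a service name unrelated to ati1pdxx.sys). Several of those are ordinary third-party drivers, which is the point: the list tells the helper where to look, and the verdict still comes from checking the file.
 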
but first I suggest that you empty the following folders using Thunderbird
mail.visionman.com\Inbox
mail.wm3.org\Inbox
pop.cableaz.com\Inbox
mail.visionman.com\Sent
mail.wm3.org\Sent
pop.cableaz.com\Junk
pop.cableaz.com\Saved Mail <<<< ( anything from the 8 April 2005)

You also have infected mail in
G:\Storage\oldc

The above are still showing in the log

Do you know what this relates to ?
G:\Program Files\SniffPass\SniffPass.exe
 
The mail-related entries can be purged outright. In fact I thought I had. I went into the app, and removed the content you suggested (wholesale, emptied entire folders into trash), and then emptied my trash. They still showed up. Not sure why.

I don't even use Thunderbird anymore, and would be happy to just uninstall the app and nuke whatever folders you supply to me, if that course of action would be quicker?

With regard to sniffpass, I'm a technical consultant, and was evaluating a network password sniffer for a client to self-monitor their network. It can be uninstalled and its folders purged if necessary.
 
As long as you know what sniffpass is, and that it was there that is fine.

If you don't use Thunderbird, it would be quicker to remove the program :)
Just uninstall via Add/Remove programs
and then check that
C:\Documents and Settings\Bob\Application Data\Thunderbird
has been deleted

I would also delete G:\dump\Zoo Tycoon 2 Full.rar

How are things running now ?
 
Things are running well. Things dramatically improved after I initially ran ComboFix, but since Virtumonde kept showing up in scans, I knew it would re-occur unless I stopped it.

I assume the machine is not yet clean (enough)?

I'm not so much concerned with performance at this point, as I am about making sure I'm fully clean so I'm not back here again in a few weeks. heh.

This install of Windows is many years old at this point, and it's showing signs of general instability anyway. I've gotten used to a certain amount of irritation. :)

I'll purge Thunderbird and its storehouses.
 
Let's do one more scan to be certain

TotalScan

Please go to this site Link >> TotalScan << LINK
  • Under Scan Now click the Full Scan button
  • Follow the prompts to install the Active X if necessary
  • Go and make a cup of tea/coffee/beverage of your choice and watch some TV :)
  • When the scan is finished, a report will be generated
  • Next to Scan Details click the small Save button and save the report to your desktop.
  • Please post the report in your reply.
 
Thunderbird has been removed. App Data has also been removed. Also removed the Thunderbird directory in g:\storage\oldc, just for good measure. (there was no old app data stored on G: that I could find)

What's next?
 
Let's do one more scan to be certain

TotalScan

Please go to this site Link >> TotalScan << LINK
  • Under Scan Now click the Full Scan button
  • Follow the prompts to install the Active X if necessary
  • Go and make a cup of tea/coffee/beverage of your choice and watch some TV :)
  • When the scan is finished, a report will be generated
  • Next to Scan Details click the small Save button and save the report to your desktop.
  • Please post the report in your reply.

:D: Beat you to it :D:
 
ROFL... installed the plugin, waiting for it to download updates... could be a while waiting on that (hasn't moved in a while.. we shall see). Anyway, I'll post the results once it's done. :cool:
 
Alright... after letting it sit to hopefully receive its updates for approximately 3 hours, I decided to cancel it and restart the process to see if it just stalled. It's still just sitting there at 0% waiting to receive updates.

Next?
 
Try this instead

Run Panda Online Scan
Run Panda's ActiveScan from here and perform a full system scan.
- Once you are on the Panda site click the "Scan your PC" button
- A new window will open...click the big "Check Now" button
- Enter your Country
- Enter your State/Province
- Enter your e-mail address and click send
- Select either Home User or Company
- Click the big Scan Now button
- If it wants to install an ActiveX component allow it
- It will start downloading the files it requires for the scan (Note: It will take a couple minutes)
- Click on "Local Disks" to start the scan
- Save the log file to your desktop
 
Try this instead

Run Panda Online Scan
Run Panda's ActiveScan from here and perform a full system scan.
- Once you are on the Panda site click the "Scan your PC" button
- A new window will open...click the big "Check Now" button
- Enter your Country
- Enter your State/Province
- Enter your e-mail address and click send
- Select either Home User or Company
- Click the big Scan Now button
- If it wants to install an ActiveX component allow it
- It will start downloading the files it requires for the scan (Note: It will take a couple minutes)
- Click on "Local Disks" to start the scan
- Save the log file to your desktop

Please find the results attached. Thanks!
Bob
 