
Thread: New Thread: What's yrndlcit.exe?

  1. #11
    Member
    Join Date
    Jan 2008
    Posts
    36


    Okay - here's combofix.txt and hjt log, as you requested.





    ComboFix 08-01-15.4 - SHIRLEY WILLIAMS 2008-01-15 14:54:50.1 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.92 [GMT -6:00]
    Running from: C:\Documents and Settings\SHIRLEY WILLIAMS\Desktop\ComboFix.exe
    * Created a new restore point

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\Documents and Settings\SHIRLEY WILLIAMS\Application Data\install.dat
    C:\Program Files\Common Files\mcroso~1
    C:\Program Files\mcroso~1
    C:\Program Files\MSN Gaming Zone\lavu.dll
    C:\Program Files\MSN Gaming Zone\lavu441.dll
    C:\Program Files\MSN Gaming Zone\profsy.html
    C:\Program Files\WinBudget
    C:\Program Files\WinBudget\bin\crap.1187063402.old
    C:\Program Files\WinBudget\bin\crapmatrix.dllcrap
    C:\Program Files\Windows Media Player\hokesotu4444.dll
    C:\Program Files\Windows Media Player\hokesotu83122.dll
    C:\Temp\1cb
    C:\Temp\1cb\syscheck.log
    C:\Temp\bkR11
    C:\Temp\bkR11\ftCa.log
    C:\WINDOWS\horrible\tvyxx.ini
    C:\WINDOWS\horrible\tvyxx.ini2
    C:\WINDOWS\system32\aimsmx.dll
    C:\WINDOWS\system32\aosmx.dll
    C:\WINDOWS\system32\cavnfmkr.dll
    C:\WINDOWS\system32\cbxyyww.dll
    C:\WINDOWS\system32\dcuwemai.dll
    C:\WINDOWS\system32\drivers\fad.sys
    C:\WINDOWS\system32\gobptxco.dll
    C:\WINDOWS\system32\gtalsmx.dll
    C:\WINDOWS\system32\info.txt
    C:\WINDOWS\system32\ipv6monk.dll
    C:\WINDOWS\system32\mssdvoql.exe
    C:\WINDOWS\system32\pac.txt
    C:\WINDOWS\system32\pfxzmtaim.dll
    C:\WINDOWS\system32\pfxzmtforum.dll
    C:\WINDOWS\system32\pfxzmtgtal.dll
    C:\WINDOWS\system32\pfxzmticq.dll
    C:\WINDOWS\system32\pfxzmtsmt.dll
    C:\WINDOWS\system32\pfxzmtsmtspm.dll
    C:\WINDOWS\system32\pfxzmtwbmail.dll
    C:\WINDOWS\system32\pfxzmtymsg.dll
    C:\WINDOWS\SYSTEM32\rkmfnvac.ini
    C:\WINDOWS\system32\rsvp32_2.dll
    C:\WINDOWS\system32\rsvp32_2.dll3f2tjw
    C:\WINDOWS\system32\rsvp32_2.dllewfwe334f
    C:\WINDOWS\system32\rsvp32_2.dllewfweff
    C:\WINDOWS\system32\sfxzmtforum.dll
    C:\WINDOWS\system32\sfxzmtsmt.dll
    C:\WINDOWS\system32\sfxzmtsmtspm.dll
    C:\WINDOWS\system32\sfxzmtwbmail.dll
    C:\WINDOWS\SYSTEM32\tvyxx.ini
    C:\WINDOWS\SYSTEM32\tvyxx.ini2
    C:\WINDOWS\system32\xxyvt.dll
    C:\WINDOWS\system32\ymsgsmx.dll
    C:\WINDOWS\tk58.exe
    C:\WINDOWS\TTC-4444.exe

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

    .
    -------\LEGACY_CMDSERVICE
    -------\LEGACY_DOMAINSERVICE
    -------\LEGACY_FAD
    -------\LEGACY_NETWORK_MONITOR
    -------\DomainService


    ((((((((((((((((((((((((( Files Created from 2007-12-15 to 2008-01-15 )))))))))))))))))))))))))))))))
    .

    2008-01-15 14:52 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
    2008-01-15 14:17 . 2008-01-15 14:17 15,663 --a------ C:\WINDOWS\BMa345ea2a.xml
    2008-01-15 14:17 . 2008-01-15 14:17 22 --a------ C:\WINDOWS\pskt.ini
    2008-01-15 13:01 . 2008-01-15 13:01 10,949 --a------ C:\deck.zip
    2008-01-15 12:30 . 2008-01-15 12:30 <DIR> d-------- C:\Deckard
    2008-01-11 16:19 . 2008-01-11 16:19 <DIR> d-------- C:\WINDOWS\SYSTEM32\Kaspersky Lab
    2008-01-11 16:19 . 2008-01-11 16:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
    2008-01-11 13:10 . 2008-01-15 12:18 2,184 --a------ C:\WINDOWS\SYSTEM32\wpa.dbl
    2008-01-11 12:26 . 2008-01-15 14:58 <DIR> d-------- C:\WINDOWS\horrible
    2008-01-11 12:14 . 2005-05-28 06:33 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Gtek
    2008-01-04 18:18 . 2008-01-15 12:33 <DIR> d-------- C:\WINDOWS\SYSTEM32\CatRoot2
    2008-01-04 18:18 . 2008-01-15 12:33 <DIR> d-------- C:\WINDOWS\SYSTEM32\CatRoot
    2008-01-03 13:41 . 2008-01-03 13:41 <DIR> d-------- C:\Documents and Settings\SHIRLEY WILLIAMS\windowscrap
    2007-12-17 17:45 . 2007-12-17 17:46 <DIR> d-------- C:\Program Files\WinPcap
    2007-12-17 16:31 . 2007-12-17 17:46 <DIR> d-------- C:\Program Files\Wireshark
    2007-12-16 14:31 . 2007-12-16 14:31 <DIR> d-------- C:\Program Files\Enigma Software Group

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-01-15 18:18 --------- d-----w C:\Program Files\LogMeIn
    2007-12-16 21:51 --------- d-----w C:\Documents and Settings\SHIRLEY WILLIAMS\Application Data\AVG7
    2007-12-16 20:50 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2007-12-07 17:55 --------- d-----w C:\Program Files\Apophysis 2.0
    2007-12-03 21:23 --------- d-----w C:\Program Files\DBF Viewer 2000
    2007-02-28 00:09 47,992 ----a-w C:\Documents and Settings\SHIRLEY WILLIAMS\Application Data\GDIPFONTCACHEV1.DAT
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{02012421-489E-444E-BE90-5334553E729B}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{093725DF-43BD-4D73-BFC3-015648EBC06F}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{18034704-9EFB-4839-9959-565B4FADE80D}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{297B7695-14FC-4F79-B9CD-372FA4E50E1E}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3cba2671-44ea-4f46-8418-6ee56620909d}]
    C:\WINDOWS\System32\nvpqsmo.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{549B5CA7-4A86-11D7-A4DF-000874180BB3}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{89F5EC1A-C524-4D56-A67F-0A3FB5C8CF54}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8A505F7C-4637-4C91-92C0-8CDABC4908AD}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AEBF6926-DBA6-4100-A838-1CED0169AB78}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C84DE7AC-2968-79EC-1486-00E2970227EA}]
    C:\WINDOWS\System32\mpum.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{DF50EE5C-27CC-4403-9E23-CE08E01482C9}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E5EEA2B3-CFF1-45A4-858C-0FE06C5D2A35}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F00B9FB6-B92A-4328-82F9-85CE971ED9FA}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F74096E3-9F6E-4C7E-A5A3-F50B243B2D97}]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2002-08-20 15:08 1511453]
    "ctfmon.exe"="C:\WINDOWS\System32\ctfmon.exe" [2002-08-29 05:00 13312]
    "SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 16:46 1460560]
    "WebBuying"="C:\Program Files\Web Buying\v1.8.6\webbuying.exe" [ ]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "PrinTray"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe" [ ]
    "LogitechVideoRepair"="C:\Program Files\Logitech\Video\ISStart.exe" [2003-06-30 19:56 188416]
    "LogitechVideoTray"="C:\Program Files\Logitech\Video\LogiTray.exe" [2003-06-30 20:00 65536]
    "zBrowser Launcher"="C:\Program Files\Logitech\iTouch\iTouch.exe" [2003-12-01 10:38 892928]
    "Logitech Utility"="Logi_MwX.Exe" [2003-11-07 03:50 19968 C:\WINDOWS\LOGI_MWX.EXE]
    "LogMeIn GUI"="C:\Program Files\LogMeIn\x86\LogMeInSystray.exe" [2007-04-17 13:03 63048]
    "BJCFD"="C:\Program Files\BroadJump\Client Foundation\CFD.exe" [ ]
    "MSConfig"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2002-08-29 05:00 145408]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2005-06-25 21:47 74286]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Logitech Desktop Messenger.lnk - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe [2007-08-01 19:52:17]
    WG111v2 Smart Wizard Wireless Setting.lnk - C:\Program Files\NETGEAR\WG111v2 Configuration Utility\RtlWake.exe [2007-10-10 09:07:40]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
    LMIinit.dll 2007-11-27 14:27 87352 C:\WINDOWS\SYSTEM32\LMIinit.dll

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
    backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
    C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
    --a------ 2007-05-11 02:06 40048 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_CC]
    --a------ 2005-06-25 21:46 343599 C:\PROGRA~1\Grisoft\AVG7\avgcc.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_EMC]
    --a------ 2005-06-25 21:46 228404 C:\PROGRA~1\Grisoft\AVG7\avgemc.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BCMSMMSG]
    --a------ 2003-02-24 18:34 122880 C:\WINDOWS\BCMSMMSG.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
    --a------ 2002-08-29 05:00 13312 C:\WINDOWS\System32\ctfmon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
    C:\Program Files\Dell Support\DSAgnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDSentry]
    --a------ 2002-07-17 10:18 28672 C:\WINDOWS\System32\DSentry.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
    --a------ 2003-01-24 08:05 114688 C:\WINDOWS\System32\hkcmd.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
    --a------ 2003-01-24 08:17 155648 C:\WINDOWS\System32\igfxtray.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
    C:\Program Files\MSN Messenger\MsnMsgr.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    C:\Program Files\QuickTime\bak\qttask.exe

    R2 EAPPkt;Realtek EAPPkt Protocol;C:\WINDOWS\System32\DRIVERS\EAPPkt.sys [2005-04-01 10:43]
    R2 LMIInfo;LogMeIn Kernel Information Provider;C:\Program Files\LogMeIn\x86\RaInfo.sys [2007-04-17 13:00]
    R2 LMIRfsDriver;LogMeIn Remote File System Driver;C:\WINDOWS\System32\drivers\LMIRfsDriver.sys [2007-04-05 10:55]
    R2 NPF;NetGroup Packet Filter Driver;C:\WINDOWS\System32\drivers\npf.sys [2007-06-28 18:01]
    R3 {5C8B2B62-A385-11d5-A78B-00104B672758};AIM 3.0 Part 01 Codec Driver CH-7017-A;C:\WINDOWS\System32\drivers\A311.sys [2003-02-04 22:04]
    R3 {5C8B2B65-A385-11d5-A78B-00104B672758};AIM 3.0 Part 01 Codec Driver CH-7017-B;C:\WINDOWS\System32\drivers\A310.sys [2003-02-04 22:04]
    S2 BulkUsb;Genesys Logic USB Scanner Controller NT 5.0;C:\WINDOWS\System32\Drivers\usbscan.sys [2002-08-29 01:48]
    S3 LCcfltr;Logitech USB Filter Driver;C:\WINDOWS\System32\drivers\lccfltr.sys [2003-11-07 03:50]
    S3 LSWPCv4;Wireless-B Notebook Adapter Driver;C:\WINDOWS\System32\DRIVERS\rtl8180.sys [2003-09-30 20:54]
    S3 Ndisusb;GeneLink Network Driver;C:\WINDOWS\System32\DRIVERS\genelan.sys []
    S3 NSNDIS5;NSNDIS5 NDIS Protocol Driver;C:\WINDOWS\System32\NSNDIS5.SYS [2004-03-23 20:12]
    S3 PhilCam8116;Logitech QuickCam Pro 3000(PID_08B0);C:\WINDOWS\System32\DRIVERS\CamDrL21.sys [2002-12-10 04:53]
    S3 RTLWUSB;NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter NT Driver;C:\WINDOWS\System32\DRIVERS\wg111v2.sys [2006-03-27 16:53]
    S3 USBHSB;GeneLink USB Driver;C:\WINDOWS\System32\Drivers\glkusb.sys [2001-07-10 02:05]

    .
    **************************************************************************

    catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-01-15 15:10:11
    Windows 5.1.2600 Service Pack 1 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2008-01-15 15:12:56 - machine was rebooted
    ComboFix-quarantined-files.txt 2008-01-15 21:12:38






    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 3:21:19 PM, on 1/15/2008
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\System32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\Program Files\LogMeIn\x86\RaMaint.exe
    C:\Program Files\LogMeIn\x86\LogMeIn.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\RealVNC\VNC4\WinVNC4.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Logitech\Video\LogiTray.exe
    C:\Program Files\Logitech\iTouch\iTouch.exe
    C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\Logitech\MouseWare\system\em_exec.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\NETGEAR\WG111v2 Configuration Utility\RtlWake.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\WINDOWS\System32\LVComS.exe
    C:\totalcmd\TOTALCMD.EXE
    C:\Program Files\internet explorer\iexplore.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://co.brewster.tx.us/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cust...ch/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {3cba2671-44ea-4f46-8418-6ee56620909d} - C:\WINDOWS\System32\nvpqsmo.dll (file missing)
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {C84DE7AC-2968-79EC-1486-00E2970227EA} - C:\WINDOWS\System32\mpum.dll (file missing)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: (no name) - {5CBE2611-C31B-401F-89BC-4CBB25E853D7} - (no file)
    O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
    O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
    O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
    O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
    O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
    O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
    O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
    O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
    O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
    O4 - Global Startup: WG111v2 Smart Wizard Wireless Setting.lnk = ?
    O8 - Extra context menu item: &Search - ?p=ZCxdm565YYUS
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O15 - Trusted Zone: *.amaena.com
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
    O16 - DPF: {AA299E98-6FB5-409F-99D3-D30D749F4864} (kasRmtHlp Class) - http://kaseya.hardintech.com/inc/kaxRemote.dll
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{C4A43124-5643-4FFD-9FBF-74BB08C30948}: NameServer = 68.94.156.1,68.94.157.1
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
    O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
    O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
    O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe

    --
    End of file - 6512 bytes

  2. #12
CalamityJane (In Memoriam - Always in our heart)
    Join Date
    Oct 2005
    Location
    Central Florida, USA
    Posts
    651


I may have to call you "Lucky Leo" as that seems to have made a serious dent in the malware. It needs a bit more cleanup so give me a few minutes to pore through all these logs to put together some next steps.

    I'll be back in a bit. Were you able to get the online KAV scan done on this? If so were there infected files found?

I'm asking because some variants of Vundo will infect program files and it isn't always clear on these logs which ones, if that is the case.
    Microsoft MVP 2003-2009
    Windows-Security

  3. #13
CalamityJane (In Memoriam - Always in our heart)
    Join Date
    Oct 2005
    Location
    Central Florida, USA
    Posts
    651


    Go to the Control Panel and in Add/Remove programs find this one and remove it.
    Java 2 Runtime Environment, SE v1.4.2

    That is an old version of Sun Java that is vulnerable to malware exploit (And Vundo loves to use that one)
    If you need a new version that is safe to use, go here to get the newest version:
    http://www.java.com/en/download/manual.jsp
    (You can do that later after the machine is cleaned up)
    .........................

    Open HijackThis and choose to do a *system scan only*
    When it finishes, checkmark these entries in the list, then press the *fix checked* button

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cust...ch/search.html

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/cust.../www.yahoo.com

    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/cust.../www.yahoo.com

    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)

    O2 - BHO: (no name) - {3cba2671-44ea-4f46-8418-6ee56620909d} - C:\WINDOWS\System32\nvpqsmo.dll (file missing)

    O2 - BHO: (no name) - {C84DE7AC-2968-79EC-1486-00E2970227EA} - C:\WINDOWS\System32\mpum.dll (file missing)

    O3 - Toolbar: (no name) - {5CBE2611-C31B-401F-89BC-4CBB25E853D7} - (no file)

    O8 - Extra context menu item: &Search - ?p=ZCxdm565YYUS

    O15 - Trusted Zone: *.amaena.com

    Once you have pressed the *fix checked* button you can go ahead and close HijackThis
    ....................
    Do these steps next:

    Make a copy of this instruction to have handy as these next steps need to be done with all browsers and any open windows closed.

    1. Close any open browsers.

2. Open notepad and copy/paste the text you see in the blue box of the quote box below into it (but not the word: quote)

    File::
    C:\WINDOWS\BMa345ea2a.xml
    C:\WINDOWS\pskt.ini

    Registry::
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{02012421-489E-444E-BE90-5334553E729B}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{093725DF-43BD-4D73-BFC3-015648EBC06F}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{18034704-9EFB-4839-9959-565B4FADE80D}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{297B7695-14FC-4F79-B9CD-372FA4E50E1E}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{549B5CA7-4A86-11D7-A4DF-000874180BB3}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{89F5EC1A-C524-4D56-A67F-0A3FB5C8CF54}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8A505F7C-4637-4C91-92C0-8CDABC4908AD}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AEBF6926-DBA6-4100-A838-1CED0169AB78}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{DF50EE5C-27CC-4403-9E23-CE08E01482C9}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E5EEA2B3-CFF1-45A4-858C-0FE06C5D2A35}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F00B9FB6-B92A-4328-82F9-85CE971ED9FA}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F74096E3-9F6E-4C7E-A5A3-F50B243B2D97}]
    Save this as CFScript.txt, in the same location as ComboFix.exe




Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it shall produce a log for you at "C:\ComboFix.txt"
Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.


    Reminder:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall
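The triage the helper does by hand in the post above has two mechanical parts: picking out the HijackThis entries whose backing file is gone (the "(file missing)" / "(no file)" COM objects and hooks, plus the O15 Trusted Zone addition), and turning the Browser Helper Object keys that ComboFix lists with no DLL beneath them into the `[-key]` lines of a CFScript `Registry::` block. The Python below is an added example and is not part of this thread or of the HijackThis/ComboFix tools. The sample log lines are constructed to mirror the ones posted above, the flagging rules are a simplification of the helper's judgement, and the `~` shorthand for `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects` is kept exactly as the helper wrote it.

```python
import re

# Constructed sample modelled on the HijackThis log posted in this thread.
HJT_SAMPLE = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {3cba2671-44ea-4f46-8418-6ee56620909d} - C:\WINDOWS\System32\nvpqsmo.dll (file missing)
O2 - BHO: (no name) - {C84DE7AC-2968-79EC-1486-00E2970227EA} - C:\WINDOWS\System32\mpum.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {5CBE2611-C31B-401F-89BC-4CBB25E853D7} - (no file)
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O15 - Trusted Zone: *.amaena.com
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe
"""

# Constructed sample modelled on the ComboFix "Reg Loading Points" section above.
CF_SAMPLE = r"""
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{02012421-489E-444E-BE90-5334553E729B}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3cba2671-44ea-4f46-8418-6ee56620909d}]
C:\WINDOWS\System32\nvpqsmo.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{549B5CA7-4A86-11D7-A4DF-000874180BB3}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2002-08-20 15:08 1511453]
"""

ORPHAN_MARKERS = ("(file missing)", "(no file)")
# HJT sections whose entries register a COM object or hook. When the file they
# point at is gone, only the registry entry is left and it should be fixed.
COM_SECTIONS = ("O2", "O3", "R3", "O9")

BHO_KEY = re.compile(
    r"^\[(HKEY_LOCAL_MACHINE\\~\\Browser Helper Objects\\\{[0-9A-Fa-f-]{36}\})\]$"
)


def flag_hjt_entries(log_text):
    """Return the HJT lines a helper would tick for 'fix checked': orphaned
    COM/hook entries and every Trusted Zone (O15) addition."""
    flagged = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        section = line.split(" ", 1)[0]
        if section in COM_SECTIONS and line.endswith(ORPHAN_MARKERS):
            flagged.append(line)
        elif section == "O15":
            flagged.append(line)
    return flagged


def bho_keys_without_file(reg_text):
    """Return the BHO keys in a ComboFix 'Reg Loading Points' dump that have no
    DLL path listed beneath them, i.e. the keys left behind once the DLL was
    deleted. A key followed directly by a path is skipped (HJT reports it)."""
    lines = [ln.rstrip() for ln in reg_text.splitlines()]
    keys = []
    for i, line in enumerate(lines):
        m = BHO_KEY.match(line.strip())
        if not m:
            continue
        nxt = lines[i + 1].strip() if i + 1 < len(lines) else ""
        if not nxt or nxt.startswith("["):
            keys.append(m.group(1))
    return keys


def build_cfscript(files, reg_keys):
    """Assemble a CFScript.txt body: a File:: block listing files to delete and
    a Registry:: block whose [-key] lines delete the listed keys."""
    out = ["File::"] + list(files) + ["", "Registry::"]
    out += ["[-%s]" % key for key in reg_keys]
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for entry in flag_hjt_entries(HJT_SAMPLE):
        print("fix checked:", entry)
    print(build_cfscript([r"C:\WINDOWS\BMa345ea2a.xml", r"C:\WINDOWS\pskt.ini"],
                         bho_keys_without_file(CF_SAMPLE)))
```

The "no path beneath the key means delete it" rule reproduces what the helper did with this particular log; it is a heuristic, not a signature, so a practitioner should still eyeball the generated `Registry::` lines against the log before dragging the script onto ComboFix.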

  4. #14
    Member
    Join Date
    Jan 2008
    Posts
    36


    Color me stoopid - I checked several times and have seen no responses. This morning I noticed that the little green light (on the thread messages) was dark and said I was offline... looked at ipconfig and found some totally bizarre ip address and realized this computer was not online, ran release/renew and got no change, and finally after two or three reboots it actually dhcp'ed itself into a connection and now it sees the net again.

    Combofix seems to have repaired at least the more horrible aspects of virtumonde... is there anything else really nasty in sight on the log?

    I'll be gone for a few hours now, as I have grand jury duty in about fifteen minutes and the DA says he's got a full slate for us...

  5. #15
    Member
    Join Date
    Jan 2008
    Posts
    36


    Ahhhh NOW I see your responses, Jane... 's funny, but they didn't show up when I first got reconnected, but only after I posted the preceding... I've GOT to run to get to Court, but as soon as that's over, I'll get right back on this...

    THANKS!!!

  6. #16
    Member
    Join Date
    Jan 2008
    Posts
    36


    Looks pretty good so far - I still have all icons on the desktop highlighted, tho' - hmmmm...




    *******************************************************************
    ComboFix 08-01-15.4 - SHIRLEY WILLIAMS 2008-01-17 14:12:29.2 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.1.FILE
    C:\WINDOWS\BMa345ea2a.xml
    C:\WINDOWS\pskt.ini
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\WINDOWS\BMa345ea2a.xml
    C:\WINDOWS\pskt.ini

    .
    ((((((((((((((((((((((((( Files Created from 2007-12-17 to 2008-01-17 )))))))))))))))))))))))))))))))
    .

    2008-01-15 15:20 . 2008-01-15 15:20 <DIR> d-------- C:\Program Files\Trend Micro
    2008-01-15 14:52 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
    2008-01-15 13:01 . 2008-01-15 13:01 10,949 --a------ C:\deck.zip
    2008-01-15 12:30 . 2008-01-15 12:30 <DIR> d-------- C:\Deckard
    2008-01-11 16:19 . 2008-01-11 16:19 <DIR> d-------- C:\WINDOWS\SYSTEM32\Kaspersky Lab
    2008-01-11 16:19 . 2008-01-11 16:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
    2008-01-11 13:10 . 2008-01-15 12:18 2,184 --a------ C:\WINDOWS\SYSTEM32\wpa.dbl
    2008-01-11 12:26 . 2008-01-15 14:58 <DIR> d-------- C:\WINDOWS\horrible
    2008-01-11 12:14 . 2005-05-28 06:33 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Gtek
    2008-01-04 18:18 . 2008-01-17 09:43 <DIR> d-------- C:\WINDOWS\SYSTEM32\CatRoot2
    2008-01-04 18:18 . 2008-01-15 12:33 <DIR> d-------- C:\WINDOWS\SYSTEM32\CatRoot
    2008-01-03 13:41 . 2008-01-03 13:41 <DIR> d-------- C:\Documents and Settings\SHIRLEY WILLIAMS\windowscrap
    2007-12-17 17:45 . 2007-12-17 17:46 <DIR> d-------- C:\Program Files\WinPcap
    2007-12-17 16:31 . 2007-12-17 17:46 <DIR> d-------- C:\Program Files\Wireshark

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-01-17 20:03 --------- d-----w C:\Program Files\Java
    2008-01-17 06:00 --------- d-----w C:\Program Files\LogMeIn
    2007-12-16 21:51 --------- d-----w C:\Documents and Settings\SHIRLEY WILLIAMS\Application Data\AVG7
    2007-12-16 20:50 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2007-12-16 20:31 --------- d-----w C:\Program Files\Enigma Software Group
    2007-12-07 17:55 --------- d-----w C:\Program Files\Apophysis 2.0
    2007-12-03 21:23 --------- d-----w C:\Program Files\DBF Viewer 2000
    2007-11-27 20:27 87,352 ----a-w C:\WINDOWS\SYSTEM32\LMIinit.dll
    2007-11-27 20:27 83,288 ----a-w C:\WINDOWS\SYSTEM32\LMIRfsClientNP.dll
    2007-11-27 20:27 23,736 ----a-w C:\WINDOWS\SYSTEM32\lmimirr.dll
    2007-11-27 20:27 21,496 ----a-w C:\WINDOWS\SYSTEM32\LMIport.dll
    2007-11-27 20:27 10,040 ----a-w C:\WINDOWS\SYSTEM32\lmimirr2.dll
    2007-02-28 00:09 47,992 ----a-w C:\Documents and Settings\SHIRLEY WILLIAMS\Application Data\GDIPFONTCACHEV1.DAT
    .

    ((((((((((((((((((((((((((((( snapshot@2008-01-15_15.12.11.53 )))))))))))))))))))))))))))))))))))))))))
    .
    - 2008-01-15 20:54:13 765,952 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000001\NTUSER.DAT
    + 2008-01-17 20:12:04 765,952 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000001\NTUSER.DAT
    - 2008-01-15 20:54:13 8,192 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000002\UsrClass.dat
    + 2008-01-17 20:12:04 8,192 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000002\UsrClass.dat
    - 2008-01-15 20:54:13 765,952 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000003\NTUSER.DAT
    + 2008-01-17 20:12:04 765,952 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000003\NTUSER.DAT
    - 2008-01-15 20:54:13 8,192 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000004\UsrClass.dat
    + 2008-01-17 20:12:04 8,192 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000004\UsrClass.dat
    - 2008-01-15 20:54:14 3,465,216 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000005\ntuser.dat
    + 2008-01-17 20:12:05 3,465,216 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000005\ntuser.dat
    - 2008-01-15 20:54:14 12,288 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000006\UsrClass.dat
    + 2008-01-17 20:12:05 12,288 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000006\UsrClass.dat
    - 2008-01-15 20:54:37 262,144 ----a-w C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\ntuser.dat
    + 2008-01-17 20:12:21 262,144 ----a-w C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\ntuser.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2002-08-20 15:08 1511453]
    "ctfmon.exe"="C:\WINDOWS\System32\ctfmon.exe" [2002-08-29 05:00 13312]
    "SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 16:46 1460560]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "PrinTray"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe" [ ]
    "LogitechVideoRepair"="C:\Program Files\Logitech\Video\ISStart.exe" [2003-06-30 19:56 188416]
    "LogitechVideoTray"="C:\Program Files\Logitech\Video\LogiTray.exe" [2003-06-30 20:00 65536]
    "zBrowser Launcher"="C:\Program Files\Logitech\iTouch\iTouch.exe" [2003-12-01 10:38 892928]
    "Logitech Utility"="Logi_MwX.Exe" [2003-11-07 03:50 19968 C:\WINDOWS\LOGI_MWX.EXE]
    "LogMeIn GUI"="C:\Program Files\LogMeIn\x86\LogMeInSystray.exe" [2007-04-17 13:03 63048]
    "BJCFD"="C:\Program Files\BroadJump\Client Foundation\CFD.exe" [ ]
    "MSConfig"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2002-08-29 05:00 145408]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2005-06-25 21:47 74286]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Logitech Desktop Messenger.lnk - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe [2007-08-01 19:52:17]
    WG111v2 Smart Wizard Wireless Setting.lnk - C:\Program Files\NETGEAR\WG111v2 Configuration Utility\RtlWake.exe [2007-10-10 09:07:40]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
    LMIinit.dll 2007-11-27 14:27 87352 C:\WINDOWS\SYSTEM32\LMIinit.dll

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
    backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
    C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
    --a------ 2007-05-11 02:06 40048 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_CC]
    --a------ 2005-06-25 21:46 343599 C:\PROGRA~1\Grisoft\AVG7\avgcc.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_EMC]
    --a------ 2005-06-25 21:46 228404 C:\PROGRA~1\Grisoft\AVG7\avgemc.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BCMSMMSG]
    --a------ 2003-02-24 18:34 122880 C:\WINDOWS\BCMSMMSG.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
    --a------ 2002-08-29 05:00 13312 C:\WINDOWS\System32\ctfmon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
    C:\Program Files\Dell Support\DSAgnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDSentry]
    --a------ 2002-07-17 10:18 28672 C:\WINDOWS\System32\DSentry.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
    --a------ 2003-01-24 08:05 114688 C:\WINDOWS\System32\hkcmd.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
    --a------ 2003-01-24 08:17 155648 C:\WINDOWS\System32\igfxtray.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
    C:\Program Files\MSN Messenger\MsnMsgr.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    C:\Program Files\QuickTime\bak\qttask.exe

    R2 EAPPkt;Realtek EAPPkt Protocol;C:\WINDOWS\System32\DRIVERS\EAPPkt.sys [2005-04-01 10:43]
    R2 LMIInfo;LogMeIn Kernel Information Provider;C:\Program Files\LogMeIn\x86\RaInfo.sys [2007-04-17 13:00]
    R2 LMIRfsDriver;LogMeIn Remote File System Driver;C:\WINDOWS\System32\drivers\LMIRfsDriver.sys [2007-04-05 10:55]
    R2 NPF;NetGroup Packet Filter Driver;C:\WINDOWS\System32\drivers\npf.sys [2007-06-28 18:01]
    R3 {5C8B2B62-A385-11d5-A78B-00104B672758};AIM 3.0 Part 01 Codec Driver CH-7017-A;C:\WINDOWS\System32\drivers\A311.sys [2003-02-04 22:04]
    R3 {5C8B2B65-A385-11d5-A78B-00104B672758};AIM 3.0 Part 01 Codec Driver CH-7017-B;C:\WINDOWS\System32\drivers\A310.sys [2003-02-04 22:04]
    S2 BulkUsb;Genesys Logic USB Scanner Controller NT 5.0;C:\WINDOWS\System32\Drivers\usbscan.sys [2002-08-29 01:48]
    S3 LCcfltr;Logitech USB Filter Driver;C:\WINDOWS\System32\drivers\lccfltr.sys [2003-11-07 03:50]
    S3 LSWPCv4;Wireless-B Notebook Adapter Driver;C:\WINDOWS\System32\DRIVERS\rtl8180.sys [2003-09-30 20:54]
    S3 Ndisusb;GeneLink Network Driver;C:\WINDOWS\System32\DRIVERS\genelan.sys []
    S3 NSNDIS5;NSNDIS5 NDIS Protocol Driver;C:\WINDOWS\System32\NSNDIS5.SYS [2004-03-23 20:12]
    S3 PhilCam8116;Logitech QuickCam Pro 3000(PID_08B0);C:\WINDOWS\System32\DRIVERS\CamDrL21.sys [2002-12-10 04:53]
    S3 RTLWUSB;NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter NT Driver;C:\WINDOWS\System32\DRIVERS\wg111v2.sys [2006-03-27 16:53]
    S3 USBHSB;GeneLink USB Driver;C:\WINDOWS\System32\Drivers\glkusb.sys [2001-07-10 02:05]

    .
    **************************************************************************

    catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-01-17 14:15:48
    Windows 5.1.2600 Service Pack 1 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2008-01-17 14:17:17
    ComboFix-quarantined-files.txt 2008-01-17 20:16:56
    ComboFix2.txt 2008-01-15 21:12:57
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 2:34:03 PM, on 1/17/2008
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\System32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\Program Files\LogMeIn\x86\RaMaint.exe
    C:\Program Files\LogMeIn\x86\LogMeIn.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\RealVNC\VNC4\WinVNC4.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Logitech\Video\LogiTray.exe
    C:\Program Files\Logitech\iTouch\iTouch.exe
    C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\NETGEAR\WG111v2 Configuration Utility\RtlWake.exe
    C:\Program Files\Logitech\MouseWare\system\em_exec.exe
    C:\WINDOWS\System32\LVComS.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\internet explorer\iexplore.exe
    C:\WINDOWS\SYSTEM32\NOTEPAD.EXE
    C:\WINDOWS\SYSTEM32\NOTEPAD.EXE
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://co.brewster.tx.us/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
    O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
    O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
    O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
    O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
    O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
    O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
    O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
    O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
    O4 - Global Startup: WG111v2 Smart Wizard Wireless Setting.lnk = ?
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
    O16 - DPF: {AA299E98-6FB5-409F-99D3-D30D749F4864} (kasRmtHlp Class) - http://kaseya.hardintech.com/inc/kaxRemote.dll
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{C4A43124-5643-4FFD-9FBF-74BB08C30948}: NameServer = 68.94.156.1,68.94.157.1
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
    O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
    O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
    O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe

    --
    End of file - 5263 bytes

  7. #17
    Member
    Join Date
    Jan 2008
    Posts
    36

    Default

    It's 15:45 here, and I just started KAV online scan on the (hopefully formerly) infected computer.

    If my previous experience is any guide, it'll be 3 or 4 hours before I can do anything else on that computer.

  8. #18
    Member
    Join Date
    Jan 2008
    Posts
    36

    Default

    Welllll... that wasn't so bad - only an hour. Here's the KASV log. I haven't done anything with any of the reported problems. I know VNC stuff isn't a virus (okay, I don't KNOW, but I'm pretty sure...) and there's some other stuff that I'm certain about.

    Ooops, the *&#$ thing's 37K - attached as a zip file.

  9. #19
    Member
    Join Date
    Jan 2008
    Posts
    36

    Default

    Okay - I'm looking at a black bubble, saying I'm NOT online. I'm not sure if this is indicating a problem with this computer or it's just some sort of standard thing with the forum. I've brought up a couple of other windows in IE just to be really sure I'm seeing the world. Thought I'd post a message here and see if that would green the bubble... does it?

  10. #20
    In Memoriam -Always in our heart CalamityJane's Avatar
    Join Date
    Oct 2005
    Location
    Central Florida, USA
    Posts
    651

    Default

    Hi Leo,

    Welcome back! Yes, you posted ok. Maybe it's that you need to make sure you have logged into your account when trying to post? Any way, it did take. I've got your logs here and going over them now. Give me a few minutes to review them.
    Microsoft MVP 2003-2009
    Windows-Security
