
Thread: help with virtumonde

  1. #1
    Junior Member
    Join Date
    Jul 2008
    Posts
    15

    help with virtumonde

    Hi

    Please help me remove this malware

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 1:15:53 PM, on 7/29/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\W\System32\smss.exe
    C:\W\system32\winlogon.exe
    C:\W\system32\services.exe
    C:\W\system32\lsass.exe
    C:\W\system32\svchost.exe
    C:\W\System32\svchost.exe
    C:\W\system32\spoolsv.exe
    C:\W\Explorer.EXE
    C:\W\system32\svchost.exe
    C:\W\RTHDCPL.EXE
    C:\Program Files\Huawei technologies\Vodafone Mobile Connect Modem\VodafoneUSBPP.exe
    C:\Program Files\JavaCore\JavaCore.exe
    C:\W\system32\wscntfy.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Documents and Settings\Cristi.CRISTI-C1582905\Desktop\HiJackThis.exe

    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
    O4 - HKLM\..\Run: [BM935349dd] Rundll32.exe "C:\W\system32\djfugpgr.dll",s
    O4 - HKLM\..\RunOnce: [Spybot - Search & Destroy] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
    O4 - HKLM\..\RunOnce: [SpybotDeletingA8751] command /c del "C:\W\system32\nnnoLdcd.dll"
    O4 - HKLM\..\RunOnce: [SpybotDeletingC8522] cmd /c del "C:\W\system32\nnnoLdcd.dll"
    O4 - HKLM\..\RunOnce: [SpybotDeletingA5344] command /c del "C:\W\system32\djfugpgr.dll_old"
    O4 - HKLM\..\RunOnce: [SpybotDeletingC5231] cmd /c del "C:\W\system32\djfugpgr.dll_old"
    O4 - HKCU\..\Run: [VodafoneUSBPP.exe] C:\Program Files\Huawei technologies\Vodafone Mobile Connect Modem\VodafoneUSBPP.exe windows
    O4 - HKCU\..\Run: [JavaCore] C:\Program Files\\JavaCore\\JavaCore.exe
    O4 - HKCU\..\Run: [Chsr] "C:\W\DOBE~1\cmd.exe" -vt yazb
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
    O4 - HKCU\..\Run: [PC Suite Tray] "C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe" -onlytray
    O4 - HKCU\..\RunOnce: [SpybotDeletingB580] command /c del "C:\W\system32\nnnoLdcd.dll"
    O4 - HKCU\..\RunOnce: [SpybotDeletingD7158] cmd /c del "C:\W\system32\nnnoLdcd.dll"
    O4 - HKCU\..\RunOnce: [SpybotDeletingB9784] command /c del "C:\W\system32\djfugpgr.dll_old"
    O4 - HKCU\..\RunOnce: [SpybotDeletingD1560] cmd /c del "C:\W\system32\djfugpgr.dll_old"
    O4 - HKUS\S-1-5-18\..\Run: [Nokia.PCSync] "C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" /NoDialog (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [Nokia.PCSync] "C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" /NoDialog (User 'Default user')
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\W\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\W\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O17 - HKLM\System\CCS\Services\Tcpip\..\{23A26924-2A04-480F-A671-90E1950485AF}: NameServer = 212.73.32.3 212.73.32.67
    O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
    O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

    --
    End of file - 3941 bytes


    Thanks for help
    -----------------------------------
    Please help :|

    I have had this virus for 6 months

    The system is more messed up now, so I post a new HJT.

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 9:21:45 AM, on 8/3/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\W\System32\smss.exe
    C:\W\system32\winlogon.exe
    C:\W\system32\services.exe
    C:\W\system32\lsass.exe
    C:\W\system32\svchost.exe
    C:\W\System32\svchost.exe
    C:\W\system32\spoolsv.exe
    C:\W\system32\svchost.exe
    C:\W\system32\wscntfy.exe
    C:\W\explorer.exe
    C:\W\RTHDCPL.EXE
    C:\Program Files\JavaCore\JavaCore.exe
    C:\W\DOBE~1\cmd.exe
    C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
    C:\Program Files\PC Connectivity Solution\Transports\NclUSBSrv.exe
    C:\Program Files\PC Connectivity Solution\Transports\NclRSSrv.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Documents and Settings\Cristi.CRISTI-C1582905\Desktop\HiJackThis.exe

    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
    O4 - HKCU\..\Run: [VodafoneUSBPP.exe] C:\Program Files\Huawei technologies\Vodafone Mobile Connect Modem\VodafoneUSBPP.exe windows
    O4 - HKCU\..\Run: [JavaCore] C:\Program Files\\JavaCore\\JavaCore.exe
    O4 - HKCU\..\Run: [Chsr] "C:\W\DOBE~1\cmd.exe" -vt yazb
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
    O4 - HKCU\..\Run: [PC Suite Tray] "C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe" -onlytray
    O4 - HKUS\S-1-5-18\..\Run: [Nokia.PCSync] "C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" /NoDialog (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [Nokia.PCSync] "C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" /NoDialog (User 'Default user')
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\W\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\W\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O17 - HKLM\System\CCS\Services\Tcpip\..\{23A26924-2A04-480F-A671-90E1950485AF}: NameServer = 212.73.32.3 212.73.32.67
    O20 - AppInit_DLLs: biccwu.dll
    O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
    O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

    --
    End of file - 3195 bytes

  2. #2
    Security Expert: Emeritus
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    29,374


    Hi Cristi

    Rename HijackThis.exe to Cristi.exe and post back a fresh HijackThis log, please
    Microsoft MVP Consumer Security 2008-2011

    Member of ASAP and UNITE since 2006

  3. #3
    Junior Member
    Join Date
    Jul 2008
    Posts
    15


    Here it is

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 1:38:58 PM, on 8/3/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\W\System32\smss.exe
    C:\W\system32\winlogon.exe
    C:\W\system32\services.exe
    C:\W\system32\lsass.exe
    C:\W\system32\svchost.exe
    C:\W\System32\svchost.exe
    C:\W\system32\spoolsv.exe
    C:\W\system32\svchost.exe
    C:\W\system32\wscntfy.exe
    C:\W\explorer.exe
    C:\W\RTHDCPL.EXE
    C:\Program Files\JavaCore\JavaCore.exe
    C:\W\DOBE~1\cmd.exe
    C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
    C:\Program Files\PC Connectivity Solution\Transports\NclUSBSrv.exe
    C:\Program Files\PC Connectivity Solution\Transports\NclRSSrv.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Documents and Settings\Cristi.CRISTI-C1582905\Desktop\w3hph.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Documents and Settings\Cristi.CRISTI-C1582905\Desktop\Cristi.exe

    O2 - BHO: (no name) - {007C0568-5EEB-45A1-BE86-10AA7BEAB6BB} - C:\W\system32\nnnoLdcd.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O2 - BHO: (no name) - {7F8A5D98-E320-43FA-BDE7-DB3D4C7238DE} - C:\W\system32\tuvVNDvw.dll (file missing)
    O2 - BHO: (no name) - {88E6C3E6-13D5-41DF-854E-0F2001FDC928} - (no file)
    O2 - BHO: {5cde57bc-d711-c2cb-4c44-29494464df59} - {95fd4644-9492-44c4-bc2c-117dcb75edc5} - C:\W\system32\biccwu.dll
    O2 - BHO: (no name) - {BCD12850-2080-4D78-AD4D-C1807F8A4D7F} - C:\Documents and Settings\Cristi.CRISTI-C1582905\Local Settings\Temporary Internet Files\Content.IE5\0X63C5YV\3077ahntdksr[1].dll
    O2 - BHO: (no name) - {F935D841-7905-4E1F-9F5C-47E6C50BABD0} - C:\W\system32\vtUmLcdd.dll
    O2 - BHO: (no name) - {FA8BE6D5-40E0-48B8-B317-18A4A590918A} - C:\W\system32\vtUopqND.dll (file missing)
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
    O4 - HKLM\..\Run: [BM935349dd] Rundll32.exe "C:\W\system32\hmpvxrwp.dll",s
    O4 - HKLM\..\Run: [90607a41] rundll32.exe "C:\W\system32\yfevfnpw.dll",b
    O4 - HKCU\..\Run: [VodafoneUSBPP.exe] C:\Program Files\Huawei technologies\Vodafone Mobile Connect Modem\VodafoneUSBPP.exe windows
    O4 - HKCU\..\Run: [JavaCore] C:\Program Files\\JavaCore\\JavaCore.exe
    O4 - HKCU\..\Run: [Chsr] "C:\W\DOBE~1\cmd.exe" -vt yazb
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
    O4 - HKCU\..\Run: [PC Suite Tray] "C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe" -onlytray
    O4 - HKUS\S-1-5-18\..\Run: [Nokia.PCSync] "C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" /NoDialog (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [Nokia.PCSync] "C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" /NoDialog (User 'Default user')
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\W\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\W\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O17 - HKLM\System\CCS\Services\Tcpip\..\{23A26924-2A04-480F-A671-90E1950485AF}: NameServer = 212.73.32.3 212.73.32.67
    O20 - AppInit_DLLs: biccwu.dll
    O20 - Winlogon Notify: nnnoLdcd - C:\W\SYSTEM32\nnnoLdcd.dll
    O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
    O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

    --
    End of file - 4572 bytes

  4. #4
    Security Expert: Emeritus
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    29,374


    Create a folder of its own for Cristi.exe on the desktop and move it into that folder.

    After that:

    Looking over your log, it seems you don't have any evidence of an anti-virus software.

    Anti-virus software are programs that detect, cleanse, and erase harmful virus files on a computer, Web server, or network. Unchecked, virus files can unintentionally be forwarded to others, including trading partners, and thereby spread infection. Because new viruses regularly emerge, anti-virus software should be updated frequently. Anti-virus software can scan the computer memory and disk drives for malicious code. They can alert the user if a virus is present, and will clean, delete (or quarantine) infected files or directories. Please download a free anti-virus software from one of these excellent vendors NOW:

    1) Antivir PersonalEdition Classic - Free anti-virus software for Windows. Detects and removes more than 50,000 viruses. Free support.
    2) avast! 4 Home Edition - Anti-virus program for Windows. The home edition is freeware for noncommercial users.
    3) AVG Anti-Virus Free Edition - Free edition of the AVG anti-virus program for Windows.

    It is strongly recommended that you run only one antivirus program at a time. Having more than one antivirus program active in memory uses additional resources and can result in program conflicts and false virus alerts. If you choose to install more than one antivirus program on your computer, then only one of them should be active in memory at a time.

    Please post back a fresh HijackThis log after that and we'll continue
    Microsoft MVP Consumer Security 2008-2011

    Member of ASAP and UNITE since 2006

  5. #5
    Junior Member
    Join Date
    Jul 2008
    Posts
    15


    Thanks for your help

    When I open the laptop it does not open explorer.exe and it does not show icons on the desktop or start bar, only the picture on the desktop; I must press CTRL+ALT+DELETE, then New Task, then open "C:\Documents and Settings\Cristi.CRISTI-C1582905\Start Menu\Programs\Accessories\Windows Explorer.lnk" for it to work normally.

    I downloaded Antivir, then scanned and found 127 viruses, and every 10 seconds it shows a virus in "C:\W\system32\vtUmLcdd.dll"; it says that it is the TR/Vundo.fci.3 Trojan. I selected delete, but it shows this trojan every 10 seconds.

    Sorry for my poor English.

    Here is the HJT log, renamed Cristi.exe and moved to a folder on the desktop.

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 4:01:04 PM, on 8/3/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\W\System32\smss.exe
    C:\W\system32\winlogon.exe
    C:\W\system32\services.exe
    C:\W\system32\lsass.exe
    C:\W\system32\svchost.exe
    C:\W\System32\svchost.exe
    C:\W\system32\spoolsv.exe
    C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
    C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
    C:\W\system32\svchost.exe
    C:\W\system32\wscntfy.exe
    C:\W\explorer.exe
    C:\W\RTHDCPL.EXE
    C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
    C:\Program Files\Huawei technologies\Vodafone Mobile Connect Modem\VodafoneUSBPP.exe
    C:\Program Files\JavaCore\JavaCore.exe
    c:\program files\avira\antivir personaledition classic\avcenter.exe
    C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
    C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
    C:\Program Files\PC Connectivity Solution\Transports\NclUSBSrv.exe
    C:\Program Files\PC Connectivity Solution\Transports\NclRSSrv.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Documents and Settings\Cristi.CRISTI-C1582905\Desktop\Cristi\Cristi.exe

    O2 - BHO: (no name) - {007C0568-5EEB-45A1-BE86-10AA7BEAB6BB} - C:\W\system32\nnnoLdcd.dll
    O2 - BHO: (no name) - {289E7B19-E671-4A0B-955B-489706ABECD8} - C:\W\system32\vtUmLcdd.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O2 - BHO: (no name) - {7F8A5D98-E320-43FA-BDE7-DB3D4C7238DE} - C:\W\system32\tuvVNDvw.dll (file missing)
    O2 - BHO: (no name) - {88E6C3E6-13D5-41DF-854E-0F2001FDC928} - (no file)
    O2 - BHO: {5cde57bc-d711-c2cb-4c44-29494464df59} - {95fd4644-9492-44c4-bc2c-117dcb75edc5} - C:\W\system32\biccwu.dll
    O2 - BHO: (no name) - {BCD12850-2080-4D78-AD4D-C1807F8A4D7F} - C:\Documents and Settings\Cristi.CRISTI-C1582905\Local Settings\Temporary Internet Files\Content.IE5\0X63C5YV\3077ahntdksr[1].dll (file missing)
    O2 - BHO: (no name) - {FA8BE6D5-40E0-48B8-B317-18A4A590918A} - C:\W\system32\vtUopqND.dll (file missing)
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
    O4 - HKLM\..\Run: [BM935349dd] Rundll32.exe "C:\W\system32\hmpvxrwp.dll",s
    O4 - HKLM\..\Run: [90607a41] rundll32.exe "C:\W\system32\yfevfnpw.dll",b
    O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
    O4 - HKCU\..\Run: [VodafoneUSBPP.exe] C:\Program Files\Huawei technologies\Vodafone Mobile Connect Modem\VodafoneUSBPP.exe windows
    O4 - HKCU\..\Run: [JavaCore] C:\Program Files\\JavaCore\\JavaCore.exe
    O4 - HKCU\..\Run: [Chsr] "C:\W\DOBE~1\cmd.exe" -vt yazb
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
    O4 - HKCU\..\Run: [PC Suite Tray] "C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe" -onlytray
    O4 - HKUS\S-1-5-18\..\Run: [Nokia.PCSync] "C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" /NoDialog (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [Nokia.PCSync] "C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" /NoDialog (User 'Default user')
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\W\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\W\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O17 - HKLM\System\CCS\Services\Tcpip\..\{23A26924-2A04-480F-A671-90E1950485AF}: NameServer = 212.73.32.3 212.73.32.67
    O20 - AppInit_DLLs: biccwu.dll
    O20 - Winlogon Notify: nnnoLdcd - C:\W\SYSTEM32\nnnoLdcd.dll
    O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
    O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
    O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
    O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

    --
    End of file - 5243 bytes
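    As an added example (not code from this thread, from HijackThis or from Trend Micro), the triage below applies the indicators visible in the logs above, AppInit_DLLs, Winlogon Notify, unnamed BHOs, rundll32 autostarts and a cmd.exe outside System32, to a few lines excerpted from those logs; the severities, the file-name correlation and the random-name heuristic are my own assumptions, not HijackThis behaviour.

```python
"""Triage HijackThis log entries for Vundo/Virtumonde-style persistence."""
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample: lines excerpted from the HijackThis logs posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {007C0568-5EEB-45A1-BE86-10AA7BEAB6BB} - C:\W\system32\nnnoLdcd.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7F8A5D98-E320-43FA-BDE7-DB3D4C7238DE} - C:\W\system32\tuvVNDvw.dll (file missing)
O4 - HKLM\..\Run: [BM935349dd] Rundll32.exe "C:\W\system32\hmpvxrwp.dll",s
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [Chsr] "C:\W\DOBE~1\cmd.exe" -vt yazb
O20 - AppInit_DLLs: biccwu.dll
O20 - Winlogon Notify: nnnoLdcd - C:\W\SYSTEM32\nnnoLdcd.dll
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
"""

HIGH, MEDIUM, LOW = "HIGH", "MEDIUM", "LOW"   # severities are this example's own scale
ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")
# Full path ending in an executable extension; quotes and "(file missing)" are excluded.
PATH_RE = re.compile(r'[A-Za-z]:\\[^"\n]*?\.(?:dll|exe|sys)\b', re.IGNORECASE)
# Bare file name, so an AppInit_DLLs entry without a path still correlates.
FILE_RE = re.compile(r"\b[\w~-]+\.(?:dll|exe|sys)\b", re.IGNORECASE)
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?([^",]+\.dll)"?\s*,\s*(\w+)', re.IGNORECASE)
# Binaries that legitimately live in System32; the same name elsewhere is a masquerade.
SYSTEM_BINARIES = {"cmd.exe", "svchost.exe", "rundll32.exe", "lsass.exe", "services.exe", "winlogon.exe"}


def looks_random(stem: str) -> bool:
    """Weak heuristic for generated names (vtUmLcdd, hmpvxrwp): 6-8 letters with
    under 30% vowels or a consonant run of four or more. It has false positives
    and is only used as supporting evidence for DLLs inside System32."""
    if not (6 <= len(stem) <= 8 and stem.isalpha()):
        return False
    low = stem.lower()
    vowels = sum(c in "aeiou" for c in low)
    longest_run = max((len(r) for r in re.findall(r"[^aeiou]+", low)), default=0)
    return vowels / len(low) < 0.3 or longest_run >= 4


def triage_line(line: str) -> List[Tuple[str, str]]:
    """Return (severity, reason) findings for one HijackThis entry."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return []
    section, body = m.groups()
    findings: List[Tuple[str, str]] = []
    if section == "O2":
        name = body.split(" - ")[0]
        if name.startswith("BHO: "):
            name = name[5:]
        if name == "(no name)" or name.startswith("{"):
            findings.append((MEDIUM, "BHO without a meaningful display name"))
        if "(file missing)" in body:
            findings.append((LOW, "orphaned BHO registration; file already gone"))
    elif section == "O4":
        rd = RUNDLL_RE.search(body)
        if rd and "\\system32\\" in rd.group(1).lower():
            findings.append((HIGH, f"rundll32 autostart loads {rd.group(1)}, entry point '{rd.group(2)}'"))
    elif section == "O20":
        if body.startswith("AppInit_DLLs:"):
            findings.append((HIGH, "AppInit_DLLs set: injected into every process that loads user32.dll"))
        elif body.startswith("Winlogon Notify:"):
            findings.append((MEDIUM, "Winlogon Notify package: loaded into winlogon.exe at logon"))
    for path in PATH_RE.findall(body):
        directory, _, base = path.rpartition("\\")
        directory = directory.lower()
        if base.lower() in SYSTEM_BINARIES and not directory.endswith("\\system32"):
            findings.append((HIGH, f"{base} running from {directory}, not System32"))
        stem, _, ext = base.rpartition(".")
        if ext.lower() == "dll" and directory.endswith("\\system32") and looks_random(stem):
            findings.append((LOW, f"random-looking DLL name {base} in System32 (weak signal)"))
    return findings


def triage_log(text: str) -> Dict[str, object]:
    """Triage every entry and correlate file names that appear in more than one
    hook section (one DLL as both BHO and Winlogon Notify is a strong sign)."""
    flagged: List[Tuple[str, List[Tuple[str, str]]]] = []
    sections_by_file: Dict[str, set] = defaultdict(set)
    for line in text.strip().splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        findings = triage_line(line)
        if findings:
            flagged.append((line, findings))
        for name in FILE_RE.findall(line):
            sections_by_file[name.lower()].add(m.group(1))
    multi = {n: sorted(s) for n, s in sections_by_file.items() if len(s) > 1}
    return {"findings": flagged, "multi_hook_files": multi}


if __name__ == "__main__":
    report = triage_log(SAMPLE_LOG)
    for entry, findings in report["findings"]:
        print(entry)
        for severity, reason in findings:
            print(f"    [{severity}] {reason}")
    for name, sections in report["multi_hook_files"].items():
        print(f"{name} hooked via {', '.join(sections)}: treat as one implant")
```

    Lines such as the Avira autostart and the Nokia service produce no findings, while nnnoLdcd.dll is reported once more as a file hooked through two sections.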

  6. #6
    Security Expert: Emeritus
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    29,374


    We will begin with ComboFix. Please visit this webpage for download links, and instructions for running the tool:

    http://www.bleepingcomputer.com/comb...o-use-combofix

    Please ensure you read this guide carefully and install the Recovery Console first.

    The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

    Once installed, you should see a blue screen prompt that says:

    The Recovery Console was successfully installed.

    Please continue as follows:

    1. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix, link
      Remember to re-enable them afterwards.

    2. Click Yes to allow ComboFix to continue scanning for malware.


    When the tool is finished, it will produce a report for you.

    Please include the following reports for further review, and so we may continue cleansing the system:

    C:\ComboFix.txt
    New HijackThis log.


    A word of warning: Please do not run ComboFix on your own. This tool is not a toy and not for everyday use.
    Microsoft MVP Consumer Security 2008-2011

    Member of ASAP and UNITE since 2006

  7. #7
    Junior Member
    Join Date
    Jul 2008
    Posts
    15


    Combofix

    ComboFix 08-08-02.01 - Cristi 2008-08-03 17:12:21.1 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.567 [GMT 2:00]
    Running from: C:\Documents and Settings\Cristi.CRISTI-C1582905\Desktop\ComboFix.exe
    Command switches used :: C:\Documents and Settings\Cristi.CRISTI-C1582905\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    * Created a new restore point
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\Documents and Settings\Cristi.CRISTI-C1582905\Local Settings\Temporary Internet Files\bestwiner.stt
    C:\Documents and Settings\Cristi.CRISTI-C1582905\Local Settings\Temporary Internet Files\CPV.stt
    C:\Program Files\JavaCore
    C:\Program Files\JavaCore\JavaCore.exe
    C:\Program Files\JavaCore\UnInstall.exe
    C:\Program Files\Spcron
    C:\Program Files\Spcron\Spc.dll
    C:\Program Files\Temporary
    C:\W\BM935349dd.txt
    C:\W\BM935349dd.xml
    C:\W\cookies.ini
    C:\W\dobe~1
    C:\W\dobe~1\?dobe\
    C:\W\pskt.ini
    C:\W\system32\axngzo.dll
    C:\W\system32\bhnpscsy.ini
    C:\W\system32\biccwu.dll
    C:\W\system32\cmslhnkf.ini
    C:\W\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Windows Media\10.0\WMSDKNSD.XML
    C:\W\system32\ddcLmUtv.ini
    C:\W\system32\ddcLmUtv.ini2
    C:\W\system32\dobe~1
    C:\W\system32\dobe~1\?dobe\
    C:\W\system32\dpyyfvng.ini
    C:\W\system32\ftnuqhcj.dll
    C:\W\system32\ganqmnud.ini
    C:\W\system32\gmjglvqo.ini
    C:\W\system32\gsbgqpwwfw.sys
    C:\W\system32\hjtjvfhl.dll
    C:\W\system32\hllmixhh.ini
    C:\W\system32\hmpvxrwp.dll
    C:\W\system32\huvjfy.dll
    C:\W\system32\imdrgute.dll
    C:\W\system32\ivkmqosu.ini
    C:\W\system32\jchquntf.ini
    C:\W\system32\jcnjfrja.ini
    C:\W\system32\jklpnlri.ini
    C:\W\system32\jrskggut.ini
    C:\W\system32\jxbrxnys.ini
    C:\W\system32\jyhgdfih.dll
    C:\W\system32\kvmlrbak.ini
    C:\W\system32\lhfvjtjh.ini
    C:\W\system32\lqrnqikt.ini
    C:\W\system32\mcrh.tmp
    C:\W\system32\meujoenj.dll
    C:\W\system32\mkfikcgb.ini
    C:\W\system32\mlyjya.dll
    C:\W\system32\moxhrspf.ini
    C:\W\system32\mpmevjol.dll
    C:\W\system32\muubjm.dll
    C:\W\system32\mvkxpedm.ini
    C:\W\system32\mwsvrfnl.ini
    C:\W\system32\nikuftrg.ini
    C:\W\system32\nnnoLdcd.dll
    C:\W\system32\qdxhxwxg.ini
    C:\W\system32\qesyer.dll
    C:\W\system32\qfetdwek.dll
    C:\W\system32\qgqxjdwi.ini
    C:\W\system32\qkamoqqd.dll
    C:\W\system32\reuegihm.dll
    C:\W\system32\rtyqwcut.dll
    C:\W\system32\scurit~1
    C:\W\system32\sgwadjpy.dll
    C:\W\system32\synxrbxj.dll
    C:\W\system32\tuggksrj.dll
    C:\W\system32\ubhxicpt.ini
    C:\W\system32\vtUmLcdd.dll
    C:\W\system32\wmroaucq.ini
    C:\W\system32\wpnfvefy.ini
    C:\W\system32\wvDNVvut.ini
    C:\W\system32\wvDNVvut.ini2
    C:\W\system32\xxsomksv.ini
    C:\W\system32\yarogmjx.dll
    C:\W\system32\yfevfnpw.dll
    C:\W\system32\ypjdawgs.ini
    C:\W\system32\yyjlad.dll

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Service_gsbgqpwwfw


    ((((((((((((((((((((((((( Files Created from 2008-07-03 to 2008-08-03 )))))))))))))))))))))))))))))))
    .

    2008-08-03 14:27 . 2008-08-03 14:27 <DIR> d-------- C:\Program Files\Avira
    2008-08-03 14:27 . 2008-08-03 14:27 <DIR> d-------- C:\Documents and Settings\All Users.W\Application Data\Avira
    2008-07-31 16:53 . 2008-07-31 16:53 <DIR> d-------- C:\Program Files\Common Files\MainConcept
    2008-07-31 16:53 . 2008-07-31 16:53 <DIR> d-------- C:\Documents and Settings\Cristi.CRISTI-C1582905\.SimpleCenter
    2008-07-31 16:41 . 2008-07-31 16:41 <DIR> d-------- C:\Documents and Settings\Cristi.CRISTI-C1582905\Application Data\AdobeUM
    2008-07-31 16:35 . 2008-07-31 16:35 <DIR> d-------- C:\Program Files\SimpleCenter
    2008-07-31 16:35 . 2008-07-31 16:35 <DIR> d-------- C:\Program Files\Common Files\i4j_jres
    2008-07-31 16:25 . 2008-07-31 16:28 <DIR> d-------- C:\Documents and Settings\Cristi.CRISTI-C1582905\Application Data\Nokia Multimedia Player
    2008-07-31 16:23 . 2008-07-31 16:40 <DIR> d--hs---- C:\Documents and Settings\Cristi.CRISTI-C1582905\Phone Browser
    2008-07-29 21:27 . 2008-07-29 21:27 <DIR> d-------- C:\Program Files\Xvid
    2008-07-29 21:27 . 2008-04-27 10:33 765,952 --a------ C:\W\system32\xvidcore.dll
    2008-07-29 21:27 . 2008-04-27 10:35 180,224 --a------ C:\W\system32\xvidvfw.dll
    2008-07-29 21:27 . 2007-06-28 18:55 77,824 --a------ C:\W\system32\xvid.ax
    2008-07-29 19:16 . 2008-07-29 19:16 <DIR> d-------- C:\Program Files\Common Files\Blizzard Entertainment
    2008-07-29 19:05 . 2008-07-29 19:05 <DIR> d-------- C:\W\Sun
    2008-07-27 15:56 . 2008-07-27 15:56 <DIR> d-------- C:\Program Files\PC Connectivity Solution
    2008-07-27 15:56 . 2007-02-22 10:15 137,216 --a------ C:\W\system32\drivers\nmwcd.sys
    2008-07-27 15:56 . 2007-02-22 10:15 65,536 --a------ C:\W\system32\nmwcdcocls.dll
    2008-07-27 15:56 . 2007-02-22 10:15 12,288 --a------ C:\W\system32\drivers\nmwcdcm.sys
    2008-07-27 15:56 . 2007-02-22 10:15 12,288 --a------ C:\W\system32\drivers\nmwcdcj.sys
    2008-07-27 15:56 . 2007-02-22 10:15 8,320 --a------ C:\W\system32\drivers\nmwcdc.sys
    2008-07-27 15:54 . 2008-07-27 16:41 <DIR> d-------- C:\Documents and Settings\All Users.W\Application Data\Installations
    2008-07-26 17:26 . 2008-06-10 02:32 73,728 --a------ C:\W\system32\javacpl.cpl
    2008-07-26 17:25 . 2008-07-26 17:26 <DIR> d-------- C:\Program Files\Java
    2008-07-26 17:25 . 2008-07-26 17:25 <DIR> d-------- C:\Program Files\Common Files\Java
    2008-07-26 16:53 . 2008-07-26 16:53 <DIR> d-------- C:\W\SxsCaPendDel
    2008-07-25 20:22 . 2008-07-27 15:57 <DIR> d-------- C:\Program Files\Common Files\Nokia
    2008-07-25 20:22 . 2008-07-25 20:22 <DIR> d-------- C:\Documents and Settings\All Users.W\Application Data\Nokia
    2008-07-25 20:20 . 2008-07-31 16:24 <DIR> d-------- C:\Documents and Settings\Cristi.CRISTI-C1582905\Application Data\Nokia
    2008-07-25 20:20 . 2008-07-25 20:26 <DIR> d-------- C:\Documents and Settings\All Users.W\Application Data\PC Suite
    2008-07-25 20:18 . 2008-07-27 15:59 <DIR> d-------- C:\Program Files\DIFX
    2008-07-25 20:18 . 2008-07-27 15:57 <DIR> d-------- C:\Program Files\Common Files\PCSuite
    2008-07-25 20:18 . 2008-07-27 16:06 <DIR> d-------- C:\Documents and Settings\Cristi.CRISTI-C1582905\Application Data\PC Suite
    2008-07-25 20:17 . 2008-07-27 15:57 <DIR> d-------- C:\Program Files\Nokia
    2008-07-25 20:17 . 2007-02-22 10:15 90,624 --a------ C:\W\system32\nmwcdcls.dll
    2008-07-25 18:42 . 2008-07-25 18:42 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
    2008-07-24 12:14 . 2008-07-24 12:18 139,264 --a------ C:\W\War3Unin.exe
    2008-07-24 12:14 . 2008-07-24 13:00 68,979 --a------ C:\W\War3Unin.dat
    2008-07-24 12:14 . 2008-07-24 12:18 2,829 --a------ C:\W\War3Unin.pif
    2008-07-09 17:43 . 2008-07-09 17:43 <DIR> d-------- C:\Documents and Settings\All Users.W\Application Data\Yahoo!
    2008-07-09 17:42 . 2008-07-09 18:13 <DIR> d-------- C:\Program Files\Yahoo!
    2008-07-08 17:45 . 2008-07-08 17:45 <DIR> d-------- C:\Documents and Settings\Cristi.CRISTI-C1582905\Application Data\MSNInstaller

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-08-02 08:08 --------- d-----w C:\Program Files\Common Files\Adobe
    2008-07-25 16:44 --------- d-----w C:\Documents and Settings\All Users.W\Application Data\Spybot - Search & Destroy
    2008-06-16 17:04 --------- d-----w C:\Program Files\WinPcap
    2008-06-03 17:46 --------- d-----w C:\Documents and Settings\Cristi.CRISTI-C1582905\Application Data\Winamp
    2008-06-03 17:45 --------- d-----w C:\Program Files\Winamp
    2008-05-19 16:01 21,840 ----atw C:\W\system32\SIntfNT.dll
    2008-05-19 16:01 17,212 ----atw C:\W\system32\SIntf32.dll
    2008-05-19 16:01 12,067 ----atw C:\W\system32\SIntf16.dll
    2008-05-15 10:57 315,392 ----a-w C:\W\HideWin.exe
    2006-11-02 12:48 174 --sh--w C:\Program Files\desktop.ini
    .

    ------- Sigcheck -------

    2007-02-18 23:39 360704 9941382a1c2289f5fb4c87d0daacc21c C:\W\$NtUninstallKB941644$\tcpip.sys
    2008-05-19 08:55 360832 ce3ec03c9f65302e44af5c452d20a86f C:\W\system32\dllcache\TCPIP.SYS
    2008-05-19 08:55 360832 ce3ec03c9f65302e44af5c452d20a86f C:\W\system32\drivers\TCPIP.SYS
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "VodafoneUSBPP.exe"="C:\Program Files\Huawei technologies\Vodafone Mobile Connect Modem\VodafoneUSBPP.exe" [2007-03-03 17:49 954368]
    "MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2007-02-18 21:41 1694208]
    "Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" [2007-08-30 17:43 4670704]
    "PC Suite Tray"="C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe" [2007-12-10 10:12 695808]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2005-11-09 00:00 128920]
    "avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 14:28 266497]
    "RTHDCPL"="RTHDCPL.EXE" [2007-04-10 09:28 16126464 C:\W\RTHDCPL.exe]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "Nokia.PCSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-11-07 17:35 1294336]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=biccwu.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
    --a------ 2005-07-14 15:09 57344 C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
    --a------ 2008-01-11 22:16 39792 C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
    --a------ 2008-03-17 07:05 159744 C:\W\system32\hkcmd.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
    --a------ 2008-03-17 07:05 135168 C:\W\system32\igfxtray.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NSLauncher]
    --a------ 2007-05-09 08:57 3084288 C:\Program Files\Nokia\Nokia Software Launcher\NSLauncher.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
    --a------ 2008-03-17 07:05 131072 C:\W\system32\igfxpers.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\sclauncher]
    --a------ 2007-01-30 11:41 94208 C:\Program Files\SimpleCenter\bin\win\sclauncher.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    --a------ 2008-06-10 04:27 144784 C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
    --a------ 2008-04-01 20:49 36352 C:\Program Files\Winamp\winampa.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
    -r------- 2005-05-03 12:43 69632 C:\W\Alcmtr.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=dword:00000001
    "FirewallOverride"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "%windir%\\system32\\sessmgr.exe"=
    "C:\\Program Files\\Messenger\\msmsgs.exe"=
    "C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
    "C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=

    S3 NPF;NetGroup Packet Filter Driver;C:\W\system32\drivers\npf.sys [2007-11-06 22:22]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{397a75f4-3eb5-11dd-87b1-cab105524245}]
    \Shell\AutoRun\command - E:\AutoRun.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{eb034041-2280-11dd-b3d6-806d6172696f}]
    \Shell\AutoRun\command - E:\AutoRun.exe
    .
    - - - - ORPHANS REMOVED - - - -

    BHO-{7F8A5D98-E320-43FA-BDE7-DB3D4C7238DE} - C:\W\system32\tuvVNDvw.dll
    BHO-{BCD12850-2080-4D78-AD4D-C1807F8A4D7F} - C:\Documents and Settings\Cristi.CRISTI-C1582905\Local Settings\Temporary Internet Files\Content.IE5\0X63C5YV\3077ahntdksr[1].dll
    HKCU-Run-Chsr - C:\W\DOBE~1\cmd.exe
    HKLM-Run-BM935349dd - C:\W\system32\hmpvxrwp.dll
    HKLM-Run-90607a41 - C:\W\system32\yfevfnpw.dll
    MSConfigStartUp-90607a41 - C:\W\system32\sgwadjpy.dll
    MSConfigStartUp-BM935349dd - C:\W\system32\yarogmjx.dll
    MSConfigStartUp-Steam - C:\Program Files\Steam\Steam.exe
    MSConfigStartUp-Svconr - C:\Program Files\Svconr\Svconr.exe
    MSConfigStartUp-userinit - C:\W\system32\ntos.exe


    .
    ------- Supplementary Scan -------
    .
    FireFox -: Profile - C:\Documents and Settings\Cristi.CRISTI-C1582905\Application Data\Mozilla\Firefox\Profiles\fzwohwse.default\


    **************************************************************************

    catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-08-03 17:23:43
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    C:\W\explorer.exe [1512] 0x863FFB10

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    ------------------------ Other Running Processes ------------------------
    .
    C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
    C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
    C:\W\system32\wscntfy.exe
    C:\PROGRA~1\Yahoo!\MESSEN~1\Ymsgr_tray.exe
    C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
    C:\Program Files\PC Connectivity Solution\Transports\NclUSBSrv.exe
    C:\Program Files\PC Connectivity Solution\Transports\NclRSSrv.exe
    .
    **************************************************************************
    .
    Completion time: 2008-08-03 17:28:32 - machine was rebooted
    ComboFix-quarantined-files.txt 2008-08-03 15:28:29

    Pre-Run: 55,194,734,592 bytes free
    Post-Run: 55,084,552,192 bytes free

    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\W
    [operating systems]
    multi(0)disk(0)rdisk(0)partition(1)\W="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
    C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

    256 --- E O F --- 2008-05-17 00:04:31

    HJT

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 5:31:49 PM, on 8/3/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\W\System32\smss.exe
    C:\W\system32\winlogon.exe
    C:\W\system32\services.exe
    C:\W\system32\lsass.exe
    C:\W\system32\svchost.exe
    C:\W\System32\svchost.exe
    C:\W\system32\spoolsv.exe
    C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
    C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
    C:\W\system32\svchost.exe
    C:\W\RTHDCPL.EXE
    C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
    C:\W\system32\wscntfy.exe
    C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
    C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
    C:\Program Files\PC Connectivity Solution\Transports\NclUSBSrv.exe
    C:\Program Files\PC Connectivity Solution\Transports\NclRSSrv.exe
    C:\W\explorer.exe
    C:\W\system32\notepad.exe
    c:\program files\avira\antivir personaledition classic\avcenter.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Huawei technologies\Vodafone Mobile Connect Modem\VodafoneUSBPP.exe
    C:\Documents and Settings\Cristi.CRISTI-C1582905\Desktop\Cristi\Cristi.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
    O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
    O4 - HKCU\..\Run: [VodafoneUSBPP.exe] C:\Program Files\Huawei technologies\Vodafone Mobile Connect Modem\VodafoneUSBPP.exe windows
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
    O4 - HKCU\..\Run: [PC Suite Tray] "C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe" -onlytray
    O4 - HKUS\S-1-5-18\..\Run: [Nokia.PCSync] "C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" /NoDialog (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [Nokia.PCSync] "C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" /NoDialog (User 'Default user')
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\W\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\W\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O17 - HKLM\System\CCS\Services\Tcpip\..\{23A26924-2A04-480F-A671-90E1950485AF}: NameServer = 212.73.32.3 212.73.32.67
    O20 - AppInit_DLLs: biccwu.dll
    O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
    O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
    O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
    O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

    --
    End of file - 4425 bytes
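The two log formats in this thread (HijackThis `O`-lines and ComboFix's "Reg Loading Points" dump) carry the load points a helper reads first: `AppInit_DLLs`, `Run` entries that go through `rundll32`, BHOs dropped into system32 or the IE cache, the Security Center overrides and the firewall flag. The script below is an added example, not something posted in the thread, that runs those checks over constructed sample lines modelled on the logs above. The "eight-letter DLL in system32" rule is a naming heuristic taken from the file names seen in this log (`djfugpgr.dll`, `tuvVNDvw.dll`), not proof of infection, and the `NameServer` line is reported for review only.

```python
import re

# Constructed sample lines modelled on the HijackThis log above (not the full log).
SAMPLE_HJT = r"""
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7F8A5D98-E320-43FA-BDE7-DB3D4C7238DE} - C:\W\system32\tuvVNDvw.dll
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [BM935349dd] Rundll32.exe "C:\W\system32\djfugpgr.dll",s
O17 - HKLM\System\CCS\Services\Tcpip\..\{23A26924-2A04-480F-A671-90E1950485AF}: NameServer = 212.73.32.3 212.73.32.67
O20 - AppInit_DLLs: biccwu.dll
"""

# Constructed sample lines modelled on the ComboFix "Reg Loading Points" section above.
SAMPLE_COMBOFIX = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=biccwu.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{397a75f4-3eb5-11dd-87b1-cab105524245}]
\Shell\AutoRun\command - E:\AutoRun.exe
"""

# Heuristic: eight-letter DLL names like those in this log. Not proof of anything on its own.
RANDOM_NAME = re.compile(r"^[a-z]{8}\.dll$", re.IGNORECASE)
SYSTEM32 = re.compile(r"\\system32\\", re.IGNORECASE)
RUNDLL = re.compile(r'rundll32(?:\.exe)?\s+"?([^",]+\.dll)', re.IGNORECASE)
IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def _basename(path):
    return path.rsplit("\\", 1)[-1]


def triage_hjt(text):
    """Return (category, item, note) tuples for HijackThis lines worth a second look."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("O20 - AppInit_DLLs:"):
            value = line.split(":", 1)[1].strip()
            if value:  # empty on a clean XP box; every user32.dll process loads this DLL
                findings.append(("AppInit_DLLs", value, "loaded into every GUI process"))
        elif line.startswith("O4 "):
            m = RUNDLL.search(line)
            if m and SYSTEM32.search(m.group(1)) and RANDOM_NAME.match(_basename(m.group(1))):
                findings.append(("Run/rundll32", m.group(1), "rundll32 loading an 8-letter DLL from system32"))
        elif line.startswith("O2 - BHO:"):
            path = line.rsplit(" - ", 1)[-1]
            in_cache = "Temporary Internet Files" in path
            if in_cache or (SYSTEM32.search(path) and RANDOM_NAME.match(_basename(path))):
                findings.append(("BHO", path, "browser helper object from an unusual location"))
        elif line.startswith("O17 "):
            findings.append(("NameServer", " ".join(IPV4.findall(line)), "confirm these are the ISP's resolvers"))
    return findings


def triage_combofix_reg(text):
    """Return (category, item, note) tuples for ComboFix registry lines that weaken the host."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r'"AppInit_DLLs"=(.*)$', line)
        if m and m.group(1).strip():
            findings.append(("AppInit_DLLs", m.group(1).strip(), "loaded into every GUI process"))
            continue
        m = re.match(r'"(AntiVirusOverride|FirewallOverride)"=dword:0*1$', line)
        if m:
            findings.append(("SecurityCenter", m.group(1), "Security Center warning suppressed; check who set it"))
            continue
        if re.match(r'"EnableFirewall"=\s*0\b', line):
            findings.append(("Firewall", "EnableFirewall=0", "Windows Firewall off in the standard profile"))
            continue
        m = re.match(r"\\Shell\\AutoRun\\command - (.+)$", line)
        if m:
            findings.append(("MountPoints2", m.group(1), "Explorer AutoRun handler for a removable drive"))
    return findings


if __name__ == "__main__":
    for category, item, note in triage_hjt(SAMPLE_HJT) + triage_combofix_reg(SAMPLE_COMBOFIX):
        print(f"{category:14} {item:45} {note}")
```

Run it on a real log by replacing the constructed samples with the file contents; every line it reports still needs a human decision, which is what the expert's later GMER and Kaspersky requests are for.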

  8. #8
    Security Expert: Emeritus
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    29,374

    Default

    Looks much better

    * Download GMER from here:
    Unzip it and start GMER.exe
    Click the rootkit-tab and click scan.

    Once done, click the Copy button.
    This will copy the results to clipboard.
    Paste the results in your next reply.
    Microsoft MVP Consumer Security 2008-2011

    Member of ASAP and UNITE since 2006

  9. #9
    Junior Member
    Join Date
    Jul 2008
    Posts
    15

    Default

    Thank you very much, the computer feels like new.

    GMER 1.0.14.14536 - http://www.gmer.net
    Rootkit scan 2008-08-03 18:02:06
    Windows 5.1.2600 Service Pack 2


    ---- System - GMER 1.0.14 ----

    SSDT sptd.sys ZwCreateKey [0xF73EEAC8]
    SSDT sptd.sys ZwEnumerateKey [0xF73EEC22]
    SSDT sptd.sys ZwEnumerateValueKey [0xF73EEF9A]
    SSDT sptd.sys ZwOpenKey [0xF73EE98E]
    SSDT sptd.sys ZwQueryKey [0xF73EF064]
    SSDT sptd.sys ZwQueryValueKey [0xF73EEEFC]
    SSDT sptd.sys ZwSetValueKey [0xF73EF0EC]

    ---- Kernel code sections - GMER 1.0.14 ----

    ? C:\W\system32\drivers\sptd.sys The process cannot access the file because it is being used by another process.
    ? C:\W\System32\Drivers\SPTD7453.SYS The process cannot access the file because it is being used by another process.
    ? Combo-Fix.sys The system cannot find the file specified. !
    .text dtscsi.sys!A0DB34FC6FE35D429A28ADDE5467D4D7 F69F94F0 16 Bytes [ BC, 78, 1E, C9, 5F, 8D, 25, ... ]
    .text dtscsi.sys!A0DB34FC6FE35D429A28ADDE5467D4D7 + 11 F69F9501 31 Bytes [ 80, 9F, F6, 18, EC, 6A, 32, ... ]
    ? C:\W\System32\Drivers\dtscsi.sys The process cannot access the file because it is being used by another process.
    ? C:\ComboFix\catchme.sys The system cannot find the path specified. !
    ? C:\W\system32\Drivers\PROCEXP90.SYS The system cannot find the file specified. !

    ---- User code sections - GMER 1.0.14 ----

    .text C:\Program Files\Huawei technologies\Vodafone Mobile Connect Modem\VodafoneUSBPP.exe[1264] USER32.dll!GetSysColor 7E418E68 5 Bytes JMP 10021170 C:\Program Files\Huawei technologies\Vodafone Mobile Connect Modem\SkinMagicU.dll (SkinMagic Toolkit/Appspeed Inc.)
    .text C:\Program Files\Huawei technologies\Vodafone Mobile Connect Modem\VodafoneUSBPP.exe[1264] USER32.dll!GetSysColorBrush 7E418E9B 5 Bytes JMP 100211E0 C:\Program Files\Huawei technologies\Vodafone Mobile Connect Modem\SkinMagicU.dll (SkinMagic Toolkit/Appspeed Inc.)
    .text C:\Program Files\Huawei technologies\Vodafone Mobile Connect Modem\VodafoneUSBPP.exe[1264] USER32.dll!SetScrollInfo 7E419046 7 Bytes JMP 10021060 C:\Program Files\Huawei technologies\Vodafone Mobile Connect Modem\SkinMagicU.dll (SkinMagic Toolkit/Appspeed Inc.)
    .text C:\Program Files\Huawei technologies\Vodafone Mobile Connect Modem\VodafoneUSBPP.exe[1264] USER32.dll!GetScrollInfo 7E4217D8 7 Bytes JMP 10020FB0 C:\Program Files\Huawei technologies\Vodafone Mobile Connect Modem\SkinMagicU.dll (SkinMagic Toolkit/Appspeed Inc.)
    .text C:\Program Files\Huawei technologies\Vodafone Mobile Connect Modem\VodafoneUSBPP.exe[1264] USER32.dll!ShowScrollBar 7E42F2E7 5 Bytes JMP 10021130 C:\Program Files\Huawei technologies\Vodafone Mobile Connect Modem\SkinMagicU.dll (SkinMagic Toolkit/Appspeed Inc.)
    .text C:\Program Files\Huawei technologies\Vodafone Mobile Connect Modem\VodafoneUSBPP.exe[1264] USER32.dll!GetScrollPos 7E42F6F4 5 Bytes JMP 10020FF0 C:\Program Files\Huawei technologies\Vodafone Mobile Connect Modem\SkinMagicU.dll (SkinMagic Toolkit/Appspeed Inc.)
    .text C:\Program Files\Huawei technologies\Vodafone Mobile Connect Modem\VodafoneUSBPP.exe[1264] USER32.dll!SetScrollPos 7E42F740 5 Bytes JMP 100210A0 C:\Program Files\Huawei technologies\Vodafone Mobile Connect Modem\SkinMagicU.dll (SkinMagic Toolkit/Appspeed Inc.)
    .text C:\Program Files\Huawei technologies\Vodafone Mobile Connect Modem\VodafoneUSBPP.exe[1264] USER32.dll!GetScrollRange 7E42F777 5 Bytes JMP 10021020 C:\Program Files\Huawei technologies\Vodafone Mobile Connect Modem\SkinMagicU.dll (SkinMagic Toolkit/Appspeed Inc.)
    .text C:\Program Files\Huawei technologies\Vodafone Mobile Connect Modem\VodafoneUSBPP.exe[1264] USER32.dll!SetScrollRange 7E42F98B 5 Bytes JMP 100210E0 C:\Program Files\Huawei technologies\Vodafone Mobile Connect Modem\SkinMagicU.dll (SkinMagic Toolkit/Appspeed Inc.)
    .text C:\Program Files\Huawei technologies\Vodafone Mobile Connect Modem\VodafoneUSBPP.exe[1264] USER32.dll!EnableScrollBar 7E467F55 7 Bytes JMP 10020F70 C:\Program Files\Huawei technologies\Vodafone Mobile Connect Modem\SkinMagicU.dll (SkinMagic Toolkit/Appspeed Inc.)

    ---- Kernel IAT/EAT - GMER 1.0.14 ----

    IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [F73EAAD2] sptd.sys
    IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [F73EAC0E] sptd.sys
    IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [F73EAB96] sptd.sys
    IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [F73EB76C] sptd.sys
    IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [F73EB642] sptd.sys
    IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [F740D056] sptd.sys

    ---- User IAT/EAT - GMER 1.0.14 ----

    IAT C:\W\explorer.exe[3844] @ C:\W\explorer.exe [KERNEL32.dll!GetProcAddress] [5CB77774] C:\W\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\W\explorer.exe[3844] @ C:\W\system32\ADVAPI32.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\W\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\W\explorer.exe[3844] @ C:\W\system32\RPCRT4.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\W\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\W\explorer.exe[3844] @ C:\W\system32\GDI32.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\W\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\W\explorer.exe[3844] @ C:\W\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\W\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\W\explorer.exe[3844] @ C:\W\system32\ole32.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\W\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\W\explorer.exe[3844] @ C:\W\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\W\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\W\explorer.exe[3844] @ C:\W\system32\CRYPT32.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\W\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\W\explorer.exe[3844] @ C:\W\system32\NETAPI32.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\W\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\W\explorer.exe[3844] @ C:\W\system32\WININET.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\W\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\W\explorer.exe[3844] @ C:\W\system32\SHELL32.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\W\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\W\explorer.exe[3844] @ C:\W\system32\USERENV.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\W\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\W\explorer.exe[3844] @ C:\W\system32\Secur32.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\W\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\W\explorer.exe[3844] @ C:\W\system32\WS2_32.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\W\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\W\explorer.exe[3844] @ C:\W\system32\WS2HELP.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\W\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
    IAT C:\W\explorer.exe[3844] @ C:\W\system32\iphlpapi.dll [KERNEL32.dll!GetProcAddress] [5CB77774] C:\W\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)

    ---- Devices - GMER 1.0.14 ----

    Device \FileSystem\Ntfs \Ntfs 865C75D0
    Device \Driver\00000056 \Device\00000047 sptd.sys
    Device \Driver\00000056 \Device\00000047 sptd.sys
    Device \Driver\Ftdisk \Device\HarddiskVolume1 865C7C78
    Device \Driver\Cdrom \Device\CdRom0 863BC6B8
    Device \FileSystem\Rdbss \Device\FsWrap 861C40E8
    Device \Driver\Cdrom \Device\CdRom1 863BC6B8
    Device \Driver\Cdrom \Device\CdRom2 863BC6B8
    Device \Driver\Cdrom \Device\CdRom3 863BC6B8
    Device \Driver\Cdrom \Device\CdRom4 863BC6B8
    Device \Driver\NetBT \Device\NetBt_Wins_Export 863A54F0
    Device \Driver\NetBT \Device\NetbiosSmb 863A54F0
    Device \Driver\usbstor \Device\00000094 86376280
    Device \Driver\NetBT \Device\NetBT_Tcpip_{23A26924-2A04-480F-A671-90E1950485AF} 863A54F0
    Device \Driver\usbstor \Device\00000096 86376280
    Device \Driver\Disk \Device\Harddisk0\DR0 865C7808
    Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 861BD0E8
    Device \FileSystem\MRxSmb \Device\LanmanRedirector 861BD0E8
    Device \FileSystem\Npfs \Device\NamedPipe 861FB0E8
    Device \Driver\Ftdisk \Device\FtControl 865C7C78
    Device \FileSystem\Msfs \Device\Mailslot 862050E8
    Device \Driver\dtscsi \Device\Scsi\dtscsi1Port2Path0Target1Lun0 862EB9B0
    Device \Driver\dtscsi \Device\Scsi\dtscsi1Port2Path0Target0Lun0 862EB9B0
    Device \Driver\dtscsi \Device\Scsi\dtscsi1Port2Path0Target2Lun0 862EB9B0
    Device \Driver\dtscsi \Device\Scsi\dtscsi1 862EB9B0
    Device \FileSystem\Cdfs \Cdfs 861B60E8

    ---- Registry - GMER 1.0.14 ----

    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s0 49410658
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 1983241070
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 191877387
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools\
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x3D 0x3C 0x98 0x49 ...
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x8F 0xEF 0xF7 0x07 ...
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x77 0x88 0x89 0xFE ...
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41@khjeh 0x17 0xA9 0x5B 0xB7 ...
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0jf42
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0jf42@khjeh 0xDF 0xE2 0xE4 0x82 ...
    Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
    Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools\
    Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
    Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x3D 0x3C 0x98 0x49 ...
    Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
    Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
    Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x8F 0xEF 0xF7 0x07 ...
    Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
    Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x77 0x88 0x89 0xFE ...
    Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41
    Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41@khjeh 0x17 0xA9 0x5B 0xB7 ...
    Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0jf42
    Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0jf42@khjeh 0xDF 0xE2 0xE4 0x82 ...

    ---- EOF - GMER 1.0.14 ----

  10. #10
    Security Expert: Emeritus
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    29,374

    Default

    OK, that seemed to be a catchme bug.

    Still problems with explorer.exe?

    Please go to Kaspersky website and perform an online antivirus scan.

    1. Read through the requirements and privacy statement and click on Accept button.
    2. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
    3. When the downloads have finished, click on Settings.
    4. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
      • Spyware, Adware, Dialers, and other potentially dangerous programs
      • Archives
    5. Click on My Computer under Scan.
    6. Once the scan is complete, it will display the results. Click on View Scan Report.
    7. You will see a list of infected items there. Click on Save Report As....
    8. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
    9. Please post this log in your next reply along with a fresh HijackThis log.
