
Thread: Virtumonde.sci Help!

  1. #1 - Junior Member, Join Date: Jan 2009, Posts: 2

    Well first off, I don't know a whole lot about computers yet, but I'm on my way to learning. If you can make advice or help simple it would be appreciated, but here's my problem. I was playing a game I've played for years and I know is completely safe, and I've not done anything differently, but there are other people in my house that use this computer. While I was playing I received a notice "Internet Explorer has found a virus and will begin scanning", which seems horribly wrong to me, first because I never use Internet Explorer, and second because it has no scanning feature that I know of.
    I ran Spybot - Search & Destroy to check if I had a virus and somehow I had 17. I removed them and rescanned immediately to make sure it worked. That number dropped to 13.
    Every time I run Spybot it says it cannot get rid of Virtumonde.sci, and somehow one of the viruses also deleted my system restore points, so I figured I'd ask for help.
    I've also run HijackThis, Ad-Aware SE, and Trend Micro's HouseCall65, but none could solve my problem.
    This is a list from my last Spybot "fix", and I'm running it again currently.

    --- Report generated: 2009-01-30 09:31 ---

    Hint of the Day: Click the bar at the right of this to see more information! ()

    Smitfraud-C.: [SBI $99619F8C] Settings (Registry key, fixed)
    HKEY_USERS\S-1-5-21-2025429265-583907252-682003330-1003\Software\Microsoft\instkey

    Virtumonde: [SBI $8F2A4A7E] Class ID (Registry key, fixed)
    HKEY_CLASSES_ROOT\CLSID\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}

    Virtumonde.generic: [SBI $1BB1339D] Browser helper object (Registry key, fixed)
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}

    Virtumonde.generic: [SBI $2F10E03B] Settings (Registry value, fixed)
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}

    Virtumonde: [SBI $1D86E0B2] Configuration file (File, fixed)
    C:\WINDOWS\Tasks\iynursxp.job

    Virtumonde: [SBI $4D2BC948] Settings (Registry key, fixed)
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim

    Virtumonde: [SBI $779C9C0D] Settings (Registry key, fixed)
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP

    Virtumonde: [SBI $FD08B4B7] Configuration file (File, fixed)
    C:\WINDOWS\system32\kUFPYccf.ini2

    Virtumonde: [SBI $2A2DCEAC] Configuration file (File, fixed)
    C:\WINDOWS\system32\kUFPYccf.ini

    Virtumonde.Dll: [SBI $9D9A5FC6] Library (File, fixed)
    C:\WINDOWS\system32\ddcDvuut.dll

    Virtumonde.sci: [SBI $D87CA6BD] Class ID (Registry value, fixing failed)
    HKEY_CLASSES_ROOT\CLSID\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}\InprocServer32\=...C:\WINDOWS\system32\khfFWOEx.dll...


    --- Spybot - Search & Destroy version: 1.6.0 (build: 20080707) ---

    2008-07-07 blindman.exe (1.0.0.8)
    2008-07-07 SDFiles.exe (1.6.0.4)
    2008-07-07 SDMain.exe (1.0.0.6)
    2008-07-07 SDShred.exe (1.0.2.3)
    2008-07-07 SDUpdate.exe (1.6.0.8)
    2008-07-07 SDWinSec.exe (1.0.0.12)
    2008-07-07 SpybotSD.exe (1.6.0.30)
    2008-09-16 TeaTimer.exe (1.6.3.25)
    2008-11-07 unins000.exe (51.49.0.0)
    2008-07-07 Update.exe (1.6.0.7)
    2008-10-22 advcheck.dll (1.6.2.13)
    2007-04-02 aports.dll (2.1.0.0)
    2008-06-14 DelZip179.dll (1.79.11.1)
    2008-09-15 SDHelper.dll (1.6.2.14)
    2008-06-19 sqlite3.dll
    2008-10-22 Tools.dll (2.1.6.8)
    2009-01-22 Includes\Adware.sbi (*)
    2009-01-22 Includes\AdwareC.sbi (*)
    2009-01-22 Includes\Cookies.sbi (*)
    2009-01-06 Includes\Dialer.sbi (*)
    2009-01-22 Includes\DialerC.sbi (*)
    2009-01-22 Includes\HeavyDuty.sbi (*)
    2008-11-18 Includes\Hijackers.sbi (*)
    2009-01-22 Includes\HijackersC.sbi (*)
    2008-12-09 Includes\Keyloggers.sbi (*)
    2009-01-22 Includes\KeyloggersC.sbi (*)
    2008-11-18 Includes\Malware.sbi (*)
    2009-01-28 Includes\MalwareC.sbi (*)
    2008-12-16 Includes\PUPS.sbi (*)
    2009-01-27 Includes\PUPSC.sbi (*)
    2009-01-22 Includes\Revision.sbi (*)
    2009-01-13 Includes\Security.sbi (*)
    2009-01-27 Includes\SecurityC.sbi (*)
    2008-06-03 Includes\Spybots.sbi (*)
    2008-06-03 Includes\SpybotsC.sbi (*)
    2009-01-28 Includes\Spyware.sbi (*)
    2009-01-28 Includes\SpywareC.sbi (*)
    2008-06-03 Includes\Tracks.uti
    2009-01-21 Includes\Trojans.sbi (*)
    2009-01-27 Includes\TrojansC.sbi (*)
    2008-03-04 Plugins\Chai.dll
    2008-03-05 Plugins\Fennel.dll
    2008-02-26 Plugins\Mate.dll
    2007-12-24 Plugins\TCPIPAddress.dll

    Sorry for the second post, couldn't find a way to edit the original. I've just read the "BEFORE you POST" and this is the log I received from my latest scan.


    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 10:25:40 AM, on 1/30/2009
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16705)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\CACHEM~1\CachemanXP.exe
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\WINDOWS\eHome\ehSched.exe
    C:\NVIDIA\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\WINDOWS\system32\svchost.exe
    C:\NVIDIA\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
    C:\Program Files\Viewpoint\Common\ViewpointService.exe
    C:\Program Files\SoftEther VPN Client 2.0\vpnclient.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\WINDOWS\ehome\ehtray.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\WINDOWS\VM305_STI.EXE
    C:\WINDOWS\eHome\ehmsas.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://housecall65.trendmicro.com/
    R3 - Default URLSearchHook is missing
    O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
    O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
    O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [BigDog305] C:\WINDOWS\VM305_STI.EXE VIMICRO USB PC Camera (ZC0305)
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - Startup: DXWnd.lnk = C:\Program Files\DXWnd\DXwnd.exe
    O4 - Startup: Winamp.lnk = C:\Program Files\Winamp\winamp.exe
    O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
    O16 - DPF: {05317530-B882-449D-9421-18D94FA3ED34} (OSInfo Control) - http://www.sis.com/ocis/OSInfo.cab
    O16 - DPF: {16095503-786F-4097-AED6-5D567A26D760} (SiS_OCX Control) - http://www.sis.com/ocis/SiSAutodetectNT.cab
    O20 - AppInit_DLLs: vrbteu.dll
    O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: CachemanXP (CachemanXPService) - Outertech - C:\PROGRA~1\CACHEM~1\CachemanXP.exe
    O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Apache Software Foundation - C:\NVIDIA\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: ForceWare user log service (nSvcLog) - Unknown owner - C:\NVIDIA\NetworkAccessManager\bin\nSvcLog.exe
    O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
    O23 - Service: PacketiX VPN Client (vpnclient) - SoftEther Corporation - C:\Program Files\SoftEther VPN Client 2.0\vpnclient.exe

    --
    End of file - 4367 bytes

    --------------------------
    FYI: "before You Post"

    Can I edit my own posts?
    1. In the Spybot-S&D forum, there is a 15 minute time frame to edit one's post.
    2. In the Malware Removal Forum, members may not edit their posts. A helper may already be analysing the information given.
    Last edited by tashi; 2009-01-30 at 20:40. Reason: merged two posts. :)

  2. #2 - Junior Member, Join Date: Jan 2009, Posts: 2

    I was trying to edit it within 5 minutes of posting, though it did randomly log me out...
    I also noticed a new symptom that I didn't expect. For some reason I cannot connect to any other computer on my network now, though the internet still works. That, along with my randomly disappearing system restore dates, is confusing me.
    I know I shouldn't jump ahead of people who know more than myself, but I had backed up all of my files on another computer about a week before this problem started, so I thought I'd attempt the general advice that was given to everyone else.
    I backed up my registry with ERUNT and ran ComboFix. Unlike what I've seen in every explanation, it never allowed me to install the Recovery Console.

    This is my log from ComboFix...

    ComboFix 09-01-21.04 - Ryan 2009-01-30 23:02:04.1 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1023.648 [GMT -5:00]
    Running from: c:\documents and settings\Ryan\Desktop\ComboFix.exe
    * Created a new restore point

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .
    - REDUCED FUNCTIONALITY MODE -
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\windows\Temp\tmp3.tmp

    .
    ((((((((((((((((((((((((( Files Created from 2008-12-28 to 2009-01-31 )))))))))))))))))))))))))))))))
    .

    2009-01-30 23:02 . 2009-01-30 23:02 120 ---hs---- c:\windows\system32\rvsvafxw.ini
    2009-01-30 13:17 . 2009-01-30 13:17 <DIR> d-------- c:\windows\LastGood
    2009-01-30 11:07 . 2009-01-30 11:07 <DIR> d-------- c:\program files\ERUNT
    2009-01-30 10:18 . 2009-01-30 23:02 40,630 --ahs---- c:\windows\system32\kUFPYccf.ini2
    2009-01-30 09:39 . 2009-01-30 09:39 129,024 --a------ c:\windows\system32\vrbteu.dll
    2009-01-30 09:39 . 2009-01-30 09:39 129,024 --a------ c:\windows\system32\nxtxbynj.dll
    2009-01-30 09:36 . 2009-01-30 09:36 72,704 --a------ c:\windows\system32\wxfavsvr.dll
    2009-01-30 09:33 . 2009-01-30 09:33 75,776 --a------ c:\windows\system32\semkbdyp.dll
    2009-01-30 09:33 . 2009-01-30 23:02 40,630 --ahs---- c:\windows\system32\kUFPYccf.ini
    2009-01-30 00:18 . 2009-01-30 00:18 95 --a------ c:\windows\wininit.ini
    2009-01-29 03:40 . 2009-01-29 03:40 129,024 --a------ c:\windows\system32\xwrhzp.dll
    2009-01-29 03:40 . 2009-01-29 03:40 129,024 --a------ c:\windows\system32\whlthqvi.dll
    2009-01-29 03:33 . 2009-01-29 03:33 315,904 --a------ c:\windows\system32\fccYPFUk.dll
    2009-01-29 02:33 . 2009-01-29 02:33 315,904 --a------ c:\windows\system32\mlJDuuuu.dll
    2009-01-29 02:27 . 2009-01-29 02:27 36,352 --a------ c:\windows\system32\khfFWOEx.dll
    2009-01-11 14:33 . 2009-01-11 14:33 <DIR> d-------- C:\AeriaGames
    2009-01-05 23:07 . 2009-01-05 23:07 <DIR> d-------- c:\program files\Pando Networks
    2009-01-05 23:07 . 2009-01-05 23:07 <DIR> d-------- c:\documents and settings\All Users\Application Data\PMB Files
    2009-01-04 17:32 . 2009-01-04 17:32 <DIR> d-------- c:\program files\Winamp
    2009-01-04 17:32 . 2009-01-05 10:47 <DIR> d-------- c:\documents and settings\Ryan\Application Data\Winamp
    2008-12-23 18:06 . 2008-12-23 18:06 262 --a------ c:\windows\{789289CA-F73A-4A16-A331-54D498CE069F}_WiseFW.ini
    2008-12-22 02:19 . 2008-12-22 02:26 139,264 --a------ c:\windows\War3Unin.exe
    2008-12-22 02:19 . 2008-12-22 02:26 54,766 --a------ c:\windows\War3Unin.dat
    2008-12-22 02:19 . 2008-12-22 02:26 2,829 --a------ c:\windows\War3Unin.pif
    2008-12-22 02:15 . 2009-01-27 23:42 <DIR> d-------- c:\program files\Warcraft III
    2008-12-22 01:23 . 2008-12-22 01:23 <DIR> d-------- c:\documents and settings\Ryan\Application Data\My Games
    2008-12-22 00:15 . 2008-12-22 00:15 <DIR> d-------- c:\documents and settings\Ryan\Application Data\InstallShield Installation Information
    2008-12-22 00:15 . 2008-12-22 00:15 <DIR> d-------- c:\documents and settings\Ryan\Application Data\Firaxis Games
    2008-12-07 10:24 . 2008-12-07 10:25 <DIR> d-------- c:\program files\CodeBlocks
    2008-12-05 16:57 . 2008-12-05 16:57 54,156 --ah----- c:\windows\QTFont.qfn
    2008-12-05 16:57 . 2008-12-05 16:57 1,409 --a------ c:\windows\QTFont.for
    2008-12-03 15:01 . 2008-11-10 05:43 410,984 --a------ c:\windows\system32\deploytk.dll

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-01-31 03:03 --------- d-----w c:\program files\Windows Live Safety Center
    2009-01-30 07:19 --------- d-----w c:\program files\SoftEther VPN Client 2.0
    2009-01-25 00:14 --------- d-----w c:\documents and settings\Ryan\Application Data\uTorrent
    2009-01-21 06:08 --------- d-----w c:\documents and settings\All Users\Application Data\Dragon's Eye Productions
    2008-12-23 23:07 --------- d-----w c:\documents and settings\Ryan\Application Data\Ventrilo
    2008-12-23 23:06 --------- d-----w c:\program files\Ventrilo
    2008-12-23 23:06 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
    2008-12-16 18:12 --------- d-----w c:\documents and settings\Ryan\Application Data\codeblocks
    2008-12-12 18:59 --------- d-----w c:\program files\Java
    2008-12-08 22:33 --------- d--h--w c:\program files\Objects
    2008-10-16 19:13 202,776 ----a-w c:\windows\system32\wuweb.dll
    2008-10-16 19:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
    2008-10-16 19:12 561,688 ----a-w c:\windows\system32\wuapi.dll
    2008-10-16 19:12 323,608 ----a-w c:\windows\system32\wucltui.dll
    2008-10-16 19:09 92,696 ----a-w c:\windows\system32\cdm.dll
    2008-10-16 19:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
    2008-10-16 19:09 43,544 ----a-w c:\windows\system32\wups2.dll
    2008-10-16 19:08 34,328 ----a-w c:\windows\system32\wups.dll
    2008-10-16 19:06 268,648 ----a-w c:\windows\system32\mucltui.dll
    2008-10-16 19:06 208,744 ----a-w c:\windows\system32\muweb.dll
    2008-08-11 04:08 978,396 ----a-w c:\program files\BDAXP.cab
    2008-05-14 15:19 0 ---h--w c:\documents and settings\All Users\Application Data\PKP_DLds.DAT
    2008-04-09 13:15 20 ---h--w c:\documents and settings\All Users\Application Data\PKP_DLec.DAT
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7708A939-1971-4239-8D92-660F80E70CC3}]
    2009-01-29 03:33 315904 --a------ c:\windows\system32\fccYPFUk.dll

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-03 15360]
    "MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
    "SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-09-16 1833296]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ehTray"="c:\windows\ehome\ehtray.exe" [2004-08-10 59392]
    "MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-03 59392]
    "PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-03 455168]
    "PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-03 455168]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-04-09 282624]
    "BigDog305"="c:\windows\VM305_STI.EXE" [2005-08-05 61440]
    "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-11-10 136600]
    "0c6f0127"="c:\windows\system32\wxfavsvr.dll" [2009-01-30 72704]
    "SoundMan"="SOUNDMAN.EXE" [2007-04-16 c:\windows\soundman.exe]

    c:\documents and settings\Ryan\Start Menu\Programs\Startup\
    DXWnd.lnk - c:\program files\DXWnd\DXwnd.exe [2007-09-12 266240]
    ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
    Winamp.lnk - c:\program files\Winamp\winamp.exe [2008-08-03 1345376]

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}"= "c:\windows\system32\khfFWOEx.dll" [2009-01-29 36352]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\khfFWOEx]
    2009-01-29 02:27 36352 c:\windows\system32\khfFWOEx.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=G

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "vidc.3iv2"= 3ivxVfWCodec.dll
    "msacm.divxa32"= divxa32.acm
    "VIDC.HFYU"= huffyuv.dll
    "VIDC.i263"= i263_32.drv
    "msacm.imc"= imc32.acm
    "VIDC.VP31"= vp31vfw.dll

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    Authentication Packages REG_MULTI_SZ msv1_0 c:\windows\system32\fccYPFUk

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusDisableNotify"=dword:00000001
    "UpdatesDisableNotify"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\uTorrent\\uTorrent.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
    "c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
    "l:\files\Games\Combat Arms\Combat Arms\CombatArms.exe"= l:\files\Games\Combat Arms\Combat Arms\CombatArms.exe:*Enabled:CombatArms.exe
    "l:\files\Games\Combat Arms\Combat Arms\Engine.exe"= l:\files\Games\Combat Arms\Combat Arms\Engine.exe:*Enabled:Engine.exe
    "l:\\Files\\Games\\Combat Arms\\Combat Arms\\NMService.exe"=
    "c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
    "c:\\Program Files\\AIM6\\aim6.exe"=
    "c:\\Documents and Settings\\Ryan\\Application Data\\Firaxis Games\\Sid Meier's Civilization 4\\Civilization4.exe"=
    "c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
    "c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
    "c:\\Program Files\\SoftEther VPN Client 2.0\\vpnclient.exe"=
    "c:\\Program Files\\SoftEther VPN Client 2.0\\vpncmgr.exe"=
    "c:\\Program Files\\SoftEther VPN Client 2.0\\vpncmd.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "58342:TCP"= 58342:TCP:Pando Media Booster
    "58342:UDP"= 58342:UDP:Pando Media Booster

    S3 Neo_VPN;VPN Client Device Driver - VPN;c:\windows\system32\drivers\Neo_0108.sys [2008-04-03 22264]
    S3 ZSMC0305;ZVC7100 PC CAMERA (VC0305);c:\windows\system32\drivers\usbVM305.sys [2008-06-18 392444]
    S4 npkcjpn;npkcjpn;\??\f:\files\Games\JMS\npkcjpn.sys --> f:\files\Games\JMS\npkcjpn.sys [?]

    --- Other Services/Drivers In Memory ---

    *Deregistered* - aawservice
    *Deregistered* - ALG
    *Deregistered* - Ati HotKey Poller
    *Deregistered* - ATI Smart
    *Deregistered* - AudioSrv
    *Deregistered* - Browser
    *Deregistered* - CachemanXPService
    *Deregistered* - COMSysApp
    *Deregistered* - CryptSvc
    *Deregistered* - DcomLaunch
    *Deregistered* - Dhcp
    *Deregistered* - dmserver
    *Deregistered* - Dnscache
    *Deregistered* - ehRecvr
    *Deregistered* - ehSched
    *Deregistered* - ERSvc
    *Deregistered* - EventSystem
    *Deregistered* - FastUserSwitchingCompatibility
    *Deregistered* - ForcewareWebInterface
    *Deregistered* - helpsvc
    *Deregistered* - HidServ
    *Deregistered* - HTTPFilter
    *Deregistered* - JavaQuickStarterService
    *Deregistered* - lanmanserver
    *Deregistered* - lanmanworkstation
    *Deregistered* - LmHosts
    *Deregistered* - Netman
    *Deregistered* - Nla
    *Deregistered* - NPPTNT2
    *Deregistered* - nSvcLog
    *Deregistered* - PolicyAgent
    *Deregistered* - ProtectedStorage
    *Deregistered* - RasMan
    *Deregistered* - RemoteRegistry
    *Deregistered* - RpcSs
    *Deregistered* - SamSs
    *Deregistered* - Schedule
    *Deregistered* - seclogon
    *Deregistered* - SENS
    *Deregistered* - SharedAccess
    *Deregistered* - ShellHWDetection
    *Deregistered* - Spooler
    *Deregistered* - srservice
    *Deregistered* - SSDPSRV
    *Deregistered* - stisvc
    *Deregistered* - TapiSrv
    *Deregistered* - TermService
    *Deregistered* - Themes
    *Deregistered* - TrkWks
    *Deregistered* - usnjsvc
    *Deregistered* - Viewpoint Manager Service
    *Deregistered* - vpnclient
    *Deregistered* - W32Time
    *Deregistered* - WebClient
    *Deregistered* - winmgmt
    *Deregistered* - wscsvc
    *Deregistered* - WudfSvc
    *Deregistered* - WZCSVC

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3487f8e5-f20e-11dc-a139-806d6172696f}]
    \Shell\AutoRun\command - F:\ASUSACPI.exe
    .
    - - - - ORPHANS REMOVED - - - -

    BHO-{C28D2835-BBFF-40A0-9D71-7C7C782DBC14} - (no file)
    WebBrowser-{A26503FE-B3B8-4910-A9DC-9CBD25C6B8D6} - (no file)
    HKCU-Run-Aim6 - (no file)


    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://housecall65.trendmicro.com/
    FF - ProfilePath - c:\documents and settings\Ryan\Application Data\Mozilla\Firefox\Profiles\e4vwcojx.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
    FF - prefs.js: browser.startup.homepage - about:blank
    FF - plugin: c:\documents and settings\All Users\Application Data\NexonUS\NGM\npNxGameUS.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\NPBelv32.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npPandoWebInst.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
    FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll

    ---- FIREFOX POLICIES ----
    FF - user.js: yahoo.homepage.dontask - true.

    **************************************************************************

    catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-01-30 23:04:55
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    BigDog305 = c:\windows\VM305_STI.EXE VIMICRO USB PC Camera (ZC0305)???????????????????0?????????@??????????????

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_USERS\S-1-5-21-2025429265-583907252-682003330-1003\Software\Microsoft\SystemCertificates\AddressBook*]
    @Allowed: (Read) (RestrictedCode)
    @Allowed: (Read) (RestrictedCode)
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(616)
    c:\windows\system32\Ati2evxx.dll
    c:\windows\system32\khfFWOEx.dll

    - - - - - - - > 'lsass.exe'(676)
    c:\windows\system32\fccYPFUk.dll
    .
    Completion time: 2009-01-30 23:09:23
    ComboFix-quarantined-files.txt 2009-01-31 04:08:47

    Pre-Run: 5,739,376,640 bytes free
    Post-Run: 5,974,663,168 bytes free

    251 --- E O F --- 2008-08-28 19:11:46

    And a log from re-running HijackThis:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 11:20:48 PM, on 1/30/2009
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16705)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\CACHEM~1\CachemanXP.exe
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\WINDOWS\eHome\ehSched.exe
    C:\NVIDIA\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\WINDOWS\system32\svchost.exe
    C:\NVIDIA\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
    C:\Program Files\Viewpoint\Common\ViewpointService.exe
    C:\Program Files\SoftEther VPN Client 2.0\vpnclient.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\WINDOWS\ehome\ehtray.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\WINDOWS\VM305_STI.EXE
    C:\WINDOWS\eHome\ehmsas.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Windows Live\Messenger\usnsvc.exe
    C:\Program Files\DXWnd\DXwnd.exe
    C:\Documents and Settings\Ryan\Desktop\Utilities\jtk374en\JoyToKey.exe
    C:\Program Files\Winamp\winamp.exe
    C:\WINDOWS\system32\notepad.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Windows Live\Messenger\msnmsgr.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://housecall65.trendmicro.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
    O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
    O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [BigDog305] C:\WINDOWS\VM305_STI.EXE VIMICRO USB PC Camera (ZC0305)
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
    O4 - HKLM\..\Run: [0c6f0127] rundll32.exe "C:\WINDOWS\system32\wxfavsvr.dll",b
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - Startup: DXWnd.lnk = C:\Program Files\DXWnd\DXwnd.exe
    O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
    O4 - Startup: Winamp.lnk = C:\Program Files\Winamp\winamp.exe
    O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
    O16 - DPF: {05317530-B882-449D-9421-18D94FA3ED34} (OSInfo Control) - http://www.sis.com/ocis/OSInfo.cab
    O16 - DPF: {16095503-786F-4097-AED6-5D567A26D760} (SiS_OCX Control) - http://www.sis.com/ocis/SiSAutodetectNT.cab
    O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: CachemanXP (CachemanXPService) - Outertech - C:\PROGRA~1\CACHEM~1\CachemanXP.exe
    O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Apache Software Foundation - C:\NVIDIA\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: ForceWare user log service (nSvcLog) - Unknown owner - C:\NVIDIA\NetworkAccessManager\bin\nSvcLog.exe
    O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
    O23 - Service: PacketiX VPN Client (vpnclient) - SoftEther Corporation - C:\Program Files\SoftEther VPN Client 2.0\vpnclient.exe

    --
    End of file - 4923 bytes
