Help virtumonde infection

srj666666 · Jun 14, 2008

I have got virtumonde, virtumonde.dll and few other spywares.
Here is the log of hijackthis.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:42:27 AM, on 6/14/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\Explorer.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\system32\spoolsv.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\system32\WinSit.exe
E:\WINDOWS\system32\wscntfy.exe
E:\WINDOWS\inf\Other.exe
E:\WINDOWS\system32\config\Win.exe
E:\WINDOWS\SOUNDMAN.EXE
E:\WINDOWS\system\Fun.exe
E:\Program Files\Gigabyte\Gigabyte Windows Utility Manager\ET4\et4Tray.exe
E:\WINDOWS\FixCamera.exe
E:\WINDOWS\vsnpstd3.exe
E:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
E:\WINDOWS\SVIQ.EXE
E:\WINDOWS\system32\Rundll32.exe
E:\WINDOWS\system32\rundll32.exe
C:\flciijjq.exe
E:\Program Files\JavaCore\JavaCore.exe
E:\Documents and Settings\srajan\Application Data\Microsoft\Windows\lsass.exe
E:\WINDOWS\dc.exe
E:\Program Files\Mozilla Firefox 3 Beta 2\firefox.exe
E:\WINDOWS\system32\svchost.exe
E:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
F2 - REG:system.ini: Shell=Explorer.exe E:\WINDOWS\system32\WinSit.exe
F3 - REG:win.ini: load=E:\WINDOWS\inf\Other.exe
F3 - REG:win.ini: run=E:\WINDOWS\system32\config\Win.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [EasyTuneIV] E:\Program Files\Gigabyte\Gigabyte Windows Utility Manager\ET4\et4Tray.exe
O4 - HKLM\..\Run: [FixCamera] E:\WINDOWS\FixCamera.exe
O4 - HKLM\..\Run: [tsnpstd3] E:\WINDOWS\tsnpstd3.exe
O4 - HKLM\..\Run: [snpstd3] E:\WINDOWS\vsnpstd3.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "E:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [e87446f1] rundll32.exe "E:\WINDOWS\system32\aljvbqie.dll",b
O4 - HKLM\..\Run: [BM43fe1884] Rundll32.exe "E:\WINDOWS\system32\tjcyibvg.dll",s
O4 - HKCU\..\Run: [MSMSGS] "E:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [WintelUpdate] C:\flciijjq.exe
O4 - HKCU\..\Run: [JavaCore] E:\Program Files\\JavaCore\\JavaCore.exe
O4 - HKCU\..\Run: [lsass] E:\Documents and Settings\srajan\Application Data\Microsoft\Windows\lsass.exe
O4 - HKCU\..\Run: [dc2k5] E:\WINDOWS\SVIQ.EXE
O4 - HKCU\..\Run: [Fun] E:\WINDOWS\system\Fun.exe
O4 - HKCU\..\Run: [dc] E:\WINDOWS\dc.exe
O4 - HKCU\..\Run: [AlcoholAutomount] "E:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" /automount
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O9 - Extra button: BitComet Search - {461CC20B-FB6E-4f16-8FE8-C29359DB100E} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.8.30.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - E:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - E:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{834AC416-BB74-4DC9-BCB3-25AFAE20D403}: NameServer = 218.248.240.23 218.248.240.79
O17 - HKLM\System\CS1\Services\Tcpip\..\{834AC416-BB74-4DC9-BCB3-25AFAE20D403}: NameServer = 218.248.240.23 218.248.240.79
O23 - Service: FCI - Unknown owner - E:\WINDOWS\system32\fci.exe

--
End of file - 4061 bytes

ken545 · Jun 15, 2008

Hello srj666666

Welcome to Safer Networking.

Please read Before You Post
That said, All advice given by anyone volunteering here, is taken at own risk.
While best efforts are made to assist in removing infections safely, unexpected stuff can happen.

You have a very heavily infected system, lets run this tool first , to be effective it has to be run from Safemode so download it to your desktop , then boot to safemode to run it.

To Enter Safemode

Go to Start> Shut off your Computer> Restart

As the computer starts to boot-up, Tap the F8 KEY somewhat rapidly,
this will bring up a menu.

Use the Up and Down Arrow Keys to scroll up to Safemode

Then press the Enter Key on your Keyboard

Tutorial if you need it How to boot into Safemode

Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :

Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, the Advanced Options Menu should appear;
Select the first option, to run Windows in Safe Mode, then press Enter.
Choose your usual account.

Open the extracted SDFix folder and double click RunThis.bat to start the script.
Type Y to begin the cleanup process.
It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
Press any Key and it will restart the PC.
When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
(Report.txt will also be copied to Clipboard ready for posting back on the forum).
Finally paste the contents of the Report.txt back on the forum with a new HijackThis log

srj666666 · Jun 15, 2008

Thanx for the help.
Here is the report of SDfix

SDFix: Version 1.192
Run by srajan on Sun 06/15/2008 at 05:55 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: E:\SDFix

Checking Services :

Name :
FCI
tcpsr
WINJM82

Path :
E:\WINDOWS\system32\fci.exe
\??\E:\WINDOWS\System32\drivers\tcpsr.sys
\SystemRoot\System32\Drivers\Winjm82.sys

FCI - Deleted
tcpsr - Deleted
WINJM82 - Deleted

Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting

Checking Files :

Trojan Files Found:

E:\WINDOWS\system32\khfEVNef.dll - Deleted
E:\autorun.inf - Deleted
E:\Program Files\JavaCore\JavaCore.exe - Deleted
E:\Program Files\JavaCore\UnInstall.exe - Deleted
E:\WINDOWS\mrofinu1535.exe - Deleted
E:\WINDOWS\system32\fci.exe - Deleted
E:\WINDOWS\system32\WinCtrl32.dll - Deleted
E:\WINDOWS\system32\WinNt32.dll - Deleted
E:\WINDOWS\system32\WLCtrl32.dll - Deleted
E:\WINDOWS\system32\drivers\WINJM82.sys - Deleted

Folder E:\Program Files\JavaCore - Removed

Removing Temp Files

ADS Check :

Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-15 17:58:45
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

Remaining Services :

Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled

xpsp2res.dll,-22019"
"C:\\Program Files\\BitComet\\BitComet.exe"="C:\\Program Files\\BitComet\\BitComet.exe:*:Enabled:BitComet - a BitTorrent Client"
"E:\\Program Files\\Microsoft Games\\Rise of Nations\\Thrones.exe"="E:\\Program Files\\Microsoft Games\\Rise of Nations\\Thrones.exe:*:Enabled:Rise of Nations"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled

xpsp2res.dll,-22019"

Remaining Files :

File Backups: - E:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Sat 14 Jun 2008 115,058 ..SHR --- "E:\WINDOWS\system32\amvo.exe"
Sun 15 Jun 2008 74,752 ..SHR --- "E:\WINDOWS\system32\amvo0.dll"
Sat 14 Jun 2008 74,752 ..SHR --- "E:\WINDOWS\system32\amvo1.dll"
Mon 28 Jan 2008 1,404,240 A.SHR --- "E:\Program Files\Spybot - Search & Destroy\SDUpdate.exe"
Mon 28 Jan 2008 5,146,448 A.SHR --- "E:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
Mon 28 Jan 2008 2,097,488 A.SHR --- "E:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
Mon 9 Jun 2008 86,016 ..SH. --- "E:\Documents and Settings\srajan\Application Data\Microsoft\Windows\lsass.exe"
Wed 28 May 2008 444 ...HR --- "E:\Documents and Settings\srajan\Application Data\SecuROM\UserData\securom_v7_01.bak"
Tue 3 Jun 2008 31,514 A..H. --- "E:\Deckard\System Scanner\backup\DOCUME~1\srajan\LOCALS~1\Temp\7iipw8do.dll"
Sat 14 Jun 2008 30,208 A..H. --- "E:\Deckard\System Scanner\backup\DOCUME~1\srajan\LOCALS~1\Temp\bm.dll"
Sun 15 Jun 2008 30,720 A..H. --- "E:\Deckard\System Scanner\backup\DOCUME~1\srajan\LOCALS~1\Temp\iem.dll"

Finished!

Now the log of HJT

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:04:17 PM, on 6/15/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\Explorer.EXE
E:\WINDOWS\system32\spoolsv.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\system32\wscntfy.exe
E:\WINDOWS\system32\Rundll32.exe
E:\WINDOWS\system\Fun.exe
E:\WINDOWS\dc.exe
E:\WINDOWS\SVIQ.EXE
E:\Program Files\Mozilla Firefox 3 Beta 2\firefox.exe
E:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
F2 - REG:system.ini: Shell=Explorer.exe E:\WINDOWS\system32\WinSit.exe
F3 - REG:win.ini: load=E:\WINDOWS\inf\Other.exe
F3 - REG:win.ini: run=E:\WINDOWS\system32\config\Win.exe
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - e:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [BM43fe1884] Rundll32.exe "E:\WINDOWS\system32\tjcyibvg.dll",s
O4 - HKCU\..\Run: [Fun] E:\WINDOWS\system\Fun.exe
O4 - HKCU\..\Run: [dc] E:\WINDOWS\dc.exe
O4 - HKCU\..\Run: [dc2k5] E:\WINDOWS\SVIQ.EXE
O4 - HKCU\..\Run: [amva] E:\WINDOWS\system32\amvo.exe
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: BitComet Search - {461CC20B-FB6E-4f16-8FE8-C29359DB100E} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.8.30.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - E:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - E:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{834AC416-BB74-4DC9-BCB3-25AFAE20D403}: NameServer = 218.248.240.23 218.248.240.135
O17 - HKLM\System\CS1\Services\Tcpip\..\{834AC416-BB74-4DC9-BCB3-25AFAE20D403}: NameServer = 218.248.240.23 218.248.240.135
O23 - Service: Google Updater Service (gusvc) - Google - E:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

--
End of file - 3099 bytes

ken545 · Jun 15, 2008

Hello,

Is this your ISP??

218.248.0.0 - 218.248.255.255
National Internet Backbone
Bharat Sanchar Nigam Limited
Sanchar Bhawan, 20, Ashoka Road, New Delhi-110001, India

Open HijackThis > Do a System Scan Only, close your browser and all open windows including this one, the only program or window you should have open is HijackThis, check the following entries and click on Fix Checked.

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

F2 - REG:system.ini: Shell=Explorer.exe E:\WINDOWS\system32\WinSit.exe

F3 - REG:win.ini: load=E:\WINDOWS\inf\Other.exe
F3 - REG:win.ini: run=E:\WINDOWS\system32\config\Win.exe

04 - HKLM\..\Run: [BM43fe1884] Rundll32.exe "E:\WINDOWS\system32\tjcyibvg.dll",s
O4 - HKCU\..\Run: [Fun] E:\WINDOWS\system\Fun.exe
O4 - HKCU\..\Run: [dc] E:\WINDOWS\dc.exe
O4 - HKCU\..\Run: [dc2k5] E:\WINDOWS\SVIQ.EXE
O4 - HKCU\..\Run: [amva] E:\WINDOWS\system32\amvo.exe

Please download OTMoveIt2 by OldTimer.

Save it to your desktop.
Please double-click OTMoveIt.exe to run it.
Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

E:\WINDOWS\system32\amvo.exe
E:\WINDOWS\system32\amvo0.dll
E:\WINDOWS\system32\amvo1.dll
E:\WINDOWS\system\Fun.exe
E:\WINDOWS\system32\WinSit.exe
E:\WINDOWS\inf\Other.exe
E:\WINDOWS\SVIQ.EXE
E:\WINDOWS\dc.exe
E:\WINDOWS\system32\tjcyibvg.dll
E:\WINDOWS\system32\config\Win.exe
E:\Documents and Settings\srajan\Application Data\Microsoft\Windows\lsass.exe

Click to expand...
Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
Click the red Moveit! button.
Copy everything on the Results window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it on your next reply.
Close OTMoveIt

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Please download ATF Cleaner by Atribune to your desktop.

This program is for XP and Windows 2000 only
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

Your system may start up slower after running ATF Cleaner, this is expected but will be back to normal after the first or second boot up

Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.

Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select "Perform Quick Scan", then click Scan.
The scan may take some time to finish,so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy and Paste the entire report in your next reply along with a Hijackthis log.

Post the OTMoveIt log, the Malwarebytes log and a new HJT log please, it may not all fit in one reply so take as many replies as you need

srj666666 · Jun 15, 2008

OTMoveIT log

My ISP is same as given above.

Here it is

E:\WINDOWS\system32\amvo.exe moved successfully.
DllUnregisterServer procedure not found in E:\WINDOWS\system32\amvo0.dll
E:\WINDOWS\system32\amvo0.dll NOT unregistered.
E:\WINDOWS\system32\amvo0.dll moved successfully.
DllUnregisterServer procedure not found in E:\WINDOWS\system32\amvo1.dll
E:\WINDOWS\system32\amvo1.dll NOT unregistered.
E:\WINDOWS\system32\amvo1.dll moved successfully.
E:\WINDOWS\system\Fun.exe moved successfully.
E:\WINDOWS\system32\WinSit.exe moved successfully.
E:\WINDOWS\inf\Other.exe moved successfully.
E:\WINDOWS\SVIQ.EXE moved successfully.
E:\WINDOWS\dc.exe moved successfully.
DllUnregisterServer procedure not found in E:\WINDOWS\system32\tjcyibvg.dll
E:\WINDOWS\system32\tjcyibvg.dll NOT unregistered.
E:\WINDOWS\system32\tjcyibvg.dll moved successfully.
E:\WINDOWS\system32\config\Win.exe moved successfully.
E:\Documents and Settings\srajan\Application Data\Microsoft\Windows\lsass.exe moved successfully.

OTMoveIt2 by OldTimer - Version 1.0.4.2 log created on 06152008_190322

srj666666 · Jun 15, 2008

Malwarebytes' Antimalware log

Malwarebytes' Anti-Malware 1.17
Database version: 846

7:25:05 PM 6/15/2008
mbam-log-6-15-2008 (19-25-04).txt

Scan type: Quick Scan
Objects scanned: 37051
Time elapsed: 2 minute(s), 6 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 7
Registry Values Infected: 2
Registry Data Items Infected: 3
Folders Infected: 0
Files Infected: 21

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
E:\WINDOWS\system32\opnnnOhh.dll (Trojan.Vundo) -> Unloaded module successfully.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8fffad79-7b14-4b1e-92c3-a879f1056425} (Trojan.Vundo) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{8fffad79-7b14-4b1e-92c3-a879f1056425} (Trojan.Vundo) -> Delete on reboot.
HKEY_CURRENT_USER\Software\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{c83f6149-4782-4dab-a478-96f195a376a2} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BM43fe1884 (Trojan.Agent) -> Delete on reboot.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: e:\windows\system32\opnnnohh -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Authentication Packages (Trojan.Vundo) -> Data: e:\windows\system32\opnnnohh -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue (Hijack.System.Hidden) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
E:\WINDOWS\system32\aljvbqie.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
E:\WINDOWS\system32\eiqbvjla.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
E:\WINDOWS\system32\opnnnOhh.dll (Trojan.Vundo) -> Delete on reboot.
E:\WINDOWS\system32\hhOnnnpo.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
E:\WINDOWS\system32\hhOnnnpo.ini2 (Trojan.Vundo) -> Quarantined and deleted successfully.
E:\WINDOWS\system32\nnnnKbBr.dll_old (Trojan.Vundo) -> Quarantined and deleted successfully.
E:\WINDOWS\system32\rBbKnnnn.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
E:\WINDOWS\system32\rBbKnnnn.ini2 (Trojan.Vundo) -> Quarantined and deleted successfully.
E:\WINDOWS\system32\ddcCtsrQ.dll_old (Trojan.Vundo) -> Quarantined and deleted successfully.
E:\WINDOWS\system32\QrstCcdd.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
E:\WINDOWS\system32\QrstCcdd.ini2 (Trojan.Vundo) -> Quarantined and deleted successfully.
E:\WINDOWS\system32\jjnyvfyl.exe (Trojan.LowZones) -> Quarantined and deleted successfully.
E:\WINDOWS\system32\xlgqwvfq.exe (Trojan.LowZones) -> Quarantined and deleted successfully.
E:\WINDOWS\system32\yfusooxs.exe (Trojan.LowZones) -> Quarantined and deleted successfully.
E:\WINDOWS\system32\rwwmmhjx.exe (Trojan.LowZones) -> Quarantined and deleted successfully.
E:\WINDOWS\system32\oulqpvqf.exe (Trojan.LowZones) -> Quarantined and deleted successfully.
E:\WINDOWS\system32\ljJCvUOf.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
E:\WINDOWS\system32\khfddExW.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
E:\WINDOWS\system32\iifCUnlj.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
E:\WINDOWS\cookies.ini (Malware.Trace) -> Quarantined and deleted successfully.
E:\WINDOWS\system32\clkcnt.txt (Trojan.Vundo) -> Quarantined and deleted successfully.

srj666666 · Jun 15, 2008

HJT Log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:28:41 PM, on 6/15/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\spoolsv.exe
E:\WINDOWS\Explorer.EXE
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\system32\wscntfy.exe
E:\Program Files\Mozilla Firefox 3 Beta 2\firefox.exe
E:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: (no name) - {1D078030-DCF2-4B8D-A397-DB0347A8B393} - (no file)
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.8.30.dll
O2 - BHO: (no name) - {3D649E0D-4C7F-4C49-B2D1-1B2B32C0D112} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - E:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: {77932ae6-696b-f54a-7cc4-21a11f80f216} - {612f08f1-1a12-4cc7-a45f-b6966ea23977} - E:\WINDOWS\system32\atbppxxl.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - E:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - e:\program files\google\googletoolbar2.dll
O2 - BHO: (no name) - {CE2BC825-AD09-460F-A992-5964D433C3CA} - (no file)
O2 - BHO: (no name) - {FFD36AA8-F3C0-4791-8F30-9492E8776A69} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - e:\program files\google\googletoolbar2.dll
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: BitComet Search - {461CC20B-FB6E-4f16-8FE8-C29359DB100E} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.8.30.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - E:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - E:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{834AC416-BB74-4DC9-BCB3-25AFAE20D403}: NameServer = 218.248.240.23 218.248.240.135
O17 - HKLM\System\CS1\Services\Tcpip\..\{834AC416-BB74-4DC9-BCB3-25AFAE20D403}: NameServer = 218.248.240.23 218.248.240.135
O23 - Service: Google Updater Service (gusvc) - Google - E:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

--
End of file - 3389 bytes

Great appreciation for your help

ken545 · Jun 15, 2008

Hello,

Remove these with HJT.
O2 - BHO: (no name) - {1D078030-DCF2-4B8D-A397-DB0347A8B393} - (no file)
O2 - BHO: (no name) - {3D649E0D-4C7F-4C49-B2D1-1B2B32C0D112} - (no file)
O2 - BHO: {77932ae6-696b-f54a-7cc4-21a11f80f216} - {612f08f1-1a12-4cc7-a45f-b6966ea23977} - E:\WINDOWS\system32\atbppxxl.dll
O2 - BHO: (no name) - {CE2BC825-AD09-460F-A992-5964D433C3CA} - (no file)
O2 - BHO: (no name) - {FFD36AA8-F3C0-4791-8F30-9492E8776A69} - (no file)

Run this file through OTMoveIt
E:\WINDOWS\system32\atbppxxl.dll

Download ComboFix from Here or Here to your Desktop.

Double click combofix.exe and follow the prompts.
When finished, it shall produce a log for you. Post the Combofix log and a HiJackthis log in your next reply

Note: Do not mouseclick combofix's window while its running. That may cause it to stall

srj666666 · Jun 17, 2008

hello
i can't find the following file
E:\WINDOWS\system32\atbppxxl.dll

What should i do ?

ken545 · Jun 17, 2008

Hi,

That file may be gone, but run Combofix and if its still present it will show up on the log,

Post both the Combofix log and a New HJT log please

srj666666 · Jun 17, 2008

Hjt Log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:45:21 PM, on 6/17/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\spoolsv.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\system32\wscntfy.exe
E:\WINDOWS\vsnpstd3.exe
E:\WINDOWS\system32\wuauclt.exe
E:\WINDOWS\explorer.exe
E:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
E:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R3 - URLSearchHook: Yahoo! ¤u¨ã¦C - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - E:\PROGRA~1\YAHOO!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - E:\PROGRA~1\YAHOO!\Companion\Installs\cpn\yt.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.8.30.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - E:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - E:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O3 - Toolbar: Yahoo! ¤u¨ã¦C - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - E:\PROGRA~1\YAHOO!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [snpstd3] E:\WINDOWS\vsnpstd3.exe
O4 - HKCU\..\Run: [Messenger (Yahoo!)] "E:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: BitComet Search - {461CC20B-FB6E-4f16-8FE8-C29359DB100E} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.8.30.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - E:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - E:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O23 - Service: Google Updater Service (gusvc) - Google - E:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

--
End of file - 3571 bytes

srj666666 · Jun 17, 2008

Combo fix log

ComboFix 08-06-16.2 - srajan 2008-06-17 17:34:07.1 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.88 [GMT 5.5:30]
Running from: E:\Documents and Settings\srajan\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Autorun.inf
D:\Autorun.inf
E:\autorun.inf
E:\WINDOWS\BM43fe1884.xml
E:\WINDOWS\help\Other.exe
E:\WINDOWS\pskt.ini
E:\WINDOWS\system32\amvo.exe
E:\WINDOWS\system32\amvo0.dll
E:\WINDOWS\system32\amvo1.dll
E:\WINDOWS\system32\ayueuwen.dll
E:\WINDOWS\system32\bsxblfuw.dll
E:\WINDOWS\system32\cxesrqxu.dll
E:\WINDOWS\system32\drivers\Fjm71.sys
E:\WINDOWS\system32\dvosqkba.dll
E:\WINDOWS\system32\fmmgekqf.dll
E:\WINDOWS\system32\fpfsvbci.ini
E:\WINDOWS\system32\goeggiyj.ini
E:\WINDOWS\system32\gspboswc.dll
E:\WINDOWS\system32\hhOnnnpo.ini
E:\WINDOWS\system32\hhOnnnpo.ini2
E:\WINDOWS\system32\ifhhvmwg.ini
E:\WINDOWS\system32\ijsbtvhe.dll
E:\WINDOWS\system32\innticlv.ini
E:\WINDOWS\system32\jgmbvnwg.dll
E:\WINDOWS\system32\kkxgsrmj.dll
E:\WINDOWS\system32\lnxrrdgk.dll
E:\WINDOWS\system32\mcrh.tmp
E:\WINDOWS\system32\morokghq.dll
E:\WINDOWS\system32\opnnnOhh.dll
E:\WINDOWS\system32\pyxekomf.dll
E:\WINDOWS\system32\qhjfkiyp.ini
E:\WINDOWS\system32\RXHOonmp.ini
E:\WINDOWS\system32\RXHOonmp.ini2
E:\WINDOWS\system32\sxqfafhg.dll
E:\WINDOWS\system32\uFNWaGgh.ini
E:\WINDOWS\system32\uFNWaGgh.ini2
E:\WINDOWS\system32\upymskxq.ini
E:\WINDOWS\system32\vsonnvux.dll
E:\WINDOWS\system32\wglinubi.dll
E:\WINDOWS\system32\WinCtrl32.dll
E:\WINDOWS\system32\WinNt32.dll
E:\WINDOWS\system32\WLCtrl32.dll
E:\WINDOWS\system32\wwftxkhj.dll
E:\WINDOWS\system32\xkmiroak.dll
E:\WINDOWS\system32\xpoqmlxt.ini
F:\Autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_FJM71
-------\Service_Fjm71

((((((((((((((((((((((((( Files Created from 2008-05-17 to 2008-06-17 )))))))))))))))))))))))))))))))
.

2008-06-16 00:29 . 2004-08-03 22:58 14,848 --a------ E:\WINDOWS\system32\drivers\kbdhid.sys
2008-06-16 00:29 . 2004-08-03 22:58 14,848 --a------ E:\WINDOWS\system32\dllcache\kbdhid.sys
2008-06-16 00:28 . 2004-08-03 23:08 31,616 --a------ E:\WINDOWS\system32\drivers\usbccgp.sys
2008-06-16 00:28 . 2004-08-03 23:08 31,616 --a------ E:\WINDOWS\system32\dllcache\usbccgp.sys
2008-06-16 00:17 . 2008-06-16 00:17 <DIR> d--hs---- E:\FOUND.012
2008-06-15 21:48 . 2008-06-15 21:48 <DIR> d-------- E:\Documents and Settings\srajan\Application Data\Yahoo!
2008-06-15 21:48 . 2008-06-15 21:48 <DIR> d-------- E:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2008-06-15 19:58 . 2008-06-15 19:58 <DIR> d-------- E:\Program Files\Yahoo!
2008-06-15 19:40 . 2008-06-15 19:41 2,320,640 --a------ E:\WINDOWS\system32\TUKernel.exe
2008-06-15 19:08 . 2008-06-15 19:08 <DIR> d-------- E:\Program Files\Malwarebytes' Anti-Malware
2008-06-15 19:08 . 2008-06-15 19:08 <DIR> d-------- E:\Documents and Settings\srajan\Application Data\Malwarebytes
2008-06-15 19:08 . 2008-06-15 19:08 <DIR> d-------- E:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-06-15 19:08 . 2008-06-10 19:02 34,296 --a------ E:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-06-15 19:08 . 2008-06-10 19:02 15,864 --a------ E:\WINDOWS\system32\drivers\mbam.sys
2008-06-15 19:03 . 2008-06-15 19:03 <DIR> d-------- E:\_OTMoveIt
2008-06-15 18:13 . 2008-06-15 18:13 <DIR> d-------- E:\Documents and Settings\Administrator
2008-06-15 17:51 . 2008-06-15 17:51 <DIR> d-------- E:\WINDOWS\ERUNT
2008-06-15 17:50 . 2008-06-14 01:37 <DIR> d-------- E:\SDFix
2008-06-15 17:40 . 2008-06-15 17:40 <DIR> d--hs---- E:\FOUND.011
2008-06-15 11:20 . 2008-06-15 11:20 <DIR> d-------- E:\Program Files\TuneUp Utilities 2007
2008-06-15 11:20 . 2008-06-15 11:20 <DIR> d-------- E:\Program Files\Common Files\Wise Installation Wizard
2008-06-15 11:20 . 2008-06-15 11:20 <DIR> d-------- E:\Documents and Settings\srajan\Application Data\TuneUp Software
2008-06-15 11:20 . 2008-06-15 11:20 <DIR> d-------- E:\Documents and Settings\All Users\Application Data\TuneUp Software
2008-06-15 11:20 . 2006-12-19 16:53 24,072 --a------ E:\WINDOWS\system32\uxtuneup.dll
2008-06-15 10:10 . 2008-06-15 10:10 <DIR> d-------- E:\Deckard
2008-06-15 09:21 . 2008-06-15 09:21 <DIR> d--hs---- E:\FOUND.010
2008-06-15 09:08 . 2008-06-15 09:08 <DIR> d-------- E:\WINDOWS\Sun
2008-06-15 09:05 . 2008-06-15 09:05 <DIR> d-------- E:\Program Files\Google
2008-06-15 09:04 . 2008-03-25 02:37 69,632 --a------ E:\WINDOWS\system32\javacpl.cpl
2008-06-15 09:03 . 2008-06-15 09:03 <DIR> d-------- E:\Program Files\Java
2008-06-15 08:56 . 2008-06-15 08:56 <DIR> d-------- E:\Program Files\Common Files\Java
2008-06-14 14:35 . 2008-06-14 14:35 <DIR> d--hs---- E:\FOUND.009
2008-06-14 11:22 . 2008-06-17 08:20 114,769 -r-hs---- E:\6x8be16.cmd
2008-06-13 16:20 . 2008-06-13 16:21 <DIR> d-------- E:\Documents and Settings\srajan\Application Data\MahJong Suite
2008-06-13 14:53 . 2008-06-13 14:53 <DIR> d-------- E:\Documents and Settings\srajan\Application Data\SolSuite
2008-06-12 19:26 . 2008-06-12 19:26 <DIR> d-------- E:\Program Files\Trend Micro
2008-06-12 13:38 . 2008-06-12 13:38 <DIR> d-------- E:\Program Files\Ballance
2008-06-12 13:32 . 2008-06-12 13:32 <DIR> d-------- E:\Program Files\Alcohol Soft
2008-06-12 13:29 . 2008-06-12 13:29 715,248 --a------ E:\WINDOWS\system32\drivers\sptd.sys
2008-06-09 13:27 . 2008-06-15 18:51 204 --a------ E:\WINDOWS\wininit.ini
2008-06-09 07:38 . 2008-06-09 07:38 <DIR> d--hs---- E:\FOUND.008
2008-06-06 17:39 . 2008-06-06 17:39 <DIR> d-------- E:\race
2008-06-06 16:58 . 2008-06-06 16:58 <DIR> d--hs---- E:\FOUND.007
2008-06-05 16:29 . 2006-05-15 19:15 97,184 -ra------ E:\WINDOWS\system32\drivers\SE30mdm.sys
2008-06-05 16:29 . 2006-05-15 19:15 9,360 -ra------ E:\WINDOWS\system32\drivers\SE30mdfl.sys
2008-06-05 16:29 . 2006-05-15 19:15 6,240 -ra------ E:\WINDOWS\system32\drivers\SE30cmnt.sys
2008-06-05 16:29 . 2006-05-15 19:15 6,240 -ra------ E:\WINDOWS\system32\drivers\SE30cm.sys
2008-06-05 16:28 . 2006-05-15 19:15 61,600 -ra------ E:\WINDOWS\system32\drivers\SE30bus.sys
2008-06-05 16:28 . 2006-05-15 19:15 5,872 -ra------ E:\WINDOWS\system32\drivers\SE30whnt.sys
2008-06-05 16:28 . 2006-05-15 19:15 5,872 -ra------ E:\WINDOWS\system32\drivers\SE30wh.sys
2008-06-05 16:25 . 2008-06-05 16:25 <DIR> d-------- E:\WINDOWS\system32\DRVSTORE
2008-06-05 16:23 . 2008-06-05 16:23 <DIR> d-------- E:\Program Files\Common Files\InstallShield
2008-06-05 09:49 . 2008-06-05 09:49 <DIR> d--hs---- E:\FOUND.006
2008-06-05 09:12 . 2008-06-05 09:12 <DIR> d-------- E:\Program Files\Microsoft Games
2008-06-05 09:05 . 2008-06-05 09:05 <DIR> d-------- E:\Program Files\Common Files\Adobe
2008-06-05 08:56 . 2008-06-05 08:56 <DIR> d-------- E:\Program Files\GameSpy Arcade
2008-06-05 08:46 . 2008-06-05 08:46 29 --a------ E:\WINDOWS\system32\retypogh.tmp
2008-06-05 08:37 . 2008-06-05 08:37 <DIR> d-------- E:\Documents and Settings\srajan\Application Data\Microsoft Games
2008-06-04 22:52 . 2008-06-04 22:52 <DIR> d--hs---- E:\FOUND.005
2008-06-04 13:43 . 2008-06-04 13:43 11,689 --a------ E:\WINDOWS\cdplayer.ini
2008-06-04 12:32 . 2008-06-04 12:32 <DIR> d-------- E:\Program Files\Acoustica MP3 CD Burner
2008-06-04 12:32 . 2002-11-05 15:16 57,344 --a------ E:\WINDOWS\system32\Wnaspint.dll
2008-06-04 11:26 . 2004-08-03 23:08 26,496 --a------ E:\WINDOWS\system32\dllcache\usbstor.sys
2008-06-04 09:34 . 2008-06-04 09:34 <DIR> d--hs---- E:\FOUND.004
2008-06-03 20:20 . 2008-06-03 20:20 <DIR> d--hs---- E:\FOUND.003
2008-05-31 23:30 . 2004-08-03 23:10 85,376 --a------ E:\WINDOWS\system32\drivers\NABTSFEC.sys
2008-05-31 23:29 . 2004-08-04 00:56 90,624 --a------ E:\WINDOWS\system32\kswdmcap.ax
2008-05-31 23:29 . 2004-08-04 00:56 90,624 --a------ E:\WINDOWS\system32\dllcache\kswdmcap.ax
2008-05-31 23:29 . 2004-08-04 00:56 61,952 --a------ E:\WINDOWS\system32\kstvtune.ax
2008-05-31 23:29 . 2004-08-04 00:56 61,952 --a------ E:\WINDOWS\system32\dllcache\kstvtune.ax
2008-05-31 23:29 . 2004-08-04 00:56 53,760 --a------ E:\WINDOWS\system32\vfwwdm32.dll
2008-05-31 23:29 . 2004-08-04 00:56 53,760 --a------ E:\WINDOWS\system32\dllcache\vfwwdm32.dll
2008-05-31 23:29 . 2004-08-04 00:56 43,008 --a------ E:\WINDOWS\system32\ksxbar.ax
2008-05-31 23:29 . 2004-08-04 00:56 43,008 --a------ E:\WINDOWS\system32\dllcache\ksxbar.ax
2008-05-31 23:29 . 2004-08-04 00:56 28,672 --a------ E:\WINDOWS\system32\vidcap.ax
2008-05-31 23:29 . 2004-08-04 00:56 28,672 --a------ E:\WINDOWS\system32\dllcache\vidcap.ax
2008-05-31 23:24 . 2008-05-31 23:24 <DIR> d-------- E:\Program Files\Common Files\snpstd3
2008-05-31 23:24 . 2008-05-31 23:24 <DIR> d-------- E:\Documents and Settings\srajan\Application Data\InstallShield
2008-05-31 23:24 . 2007-07-25 17:23 10,375,552 --a------ E:\WINDOWS\system32\drivers\snpstd3.sys
2008-05-31 23:24 . 2007-05-10 13:18 835,584 --a------ E:\WINDOWS\vsnpstd3.exe
2008-05-31 23:24 . 2007-04-21 09:32 270,336 --a------ E:\WINDOWS\tsnpstd3.exe
2008-05-31 23:24 . 2007-07-23 18:04 155,648 --a------ E:\WINDOWS\system32\rsnpstd3.dll
2008-05-31 23:24 . 2006-07-03 10:31 94,208 --a------ E:\WINDOWS\amcap.exe
2008-05-31 23:24 . 2007-07-23 18:09 57,344 --a------ E:\WINDOWS\system32\vsnpstd3.dll
2008-05-31 23:24 . 2005-11-23 13:55 53,248 --a------ E:\WINDOWS\system32\csnpstd3.dll
2008-05-31 23:24 . 2005-11-23 13:55 53,248 --a------ E:\WINDOWS\csnpstd3.dll
2008-05-31 23:24 . 2004-02-27 17:36 15,498 --a------ E:\WINDOWS\snpstd3.ini
2008-05-31 23:24 . 2004-02-27 17:36 13,023 --a------ E:\WINDOWS\snpstd3.src
2008-05-31 18:11 . 2001-08-17 13:48 12,160 --a------ E:\WINDOWS\system32\drivers\mouhid.sys
2008-05-31 18:11 . 2001-08-17 13:48 12,160 --a------ E:\WINDOWS\system32\dllcache\mouhid.sys
2008-05-31 18:11 . 2001-08-17 14:02 9,600 --a------ E:\WINDOWS\system32\drivers\hidusb.sys
2008-05-31 18:11 . 2001-08-17 14:02 9,600 --a------ E:\WINDOWS\system32\dllcache\hidusb.sys
2008-05-29 09:35 . 2008-05-29 09:35 <DIR> d-------- E:\Program Files\Home
2008-05-29 07:59 . 2007-10-29 10:34 <DIR> d-------- E:\Program Files\EA SPORTS
2008-05-28 13:57 . 2008-05-28 13:57 <DIR> d-------- E:\Program Files\Hasbro
2008-05-28 13:57 . 2008-05-28 13:57 <DIR> dr-h----- E:\Documents and Settings\srajan\Application Data\SecuROM
2008-05-28 13:57 . 2008-05-28 13:57 107,888 --a------ E:\WINDOWS\system32\CmdLineExt.dll
2008-05-28 10:51 . 2008-05-28 10:51 <DIR> d--hs---- E:\FOUND.002
2008-05-28 10:06 . 2008-05-28 10:06 <DIR> d-------- E:\Program Files\Smart Projects
2008-05-27 20:46 . 2008-05-27 20:46 300 --a------ E:\WINDOWS\EPSTPLOG.BAK
2008-05-27 13:23 . 2008-05-27 13:23 <DIR> d-------- E:\Pocket Tanks Deluxe
2008-05-26 15:38 . 2008-05-26 15:38 <DIR> d--h----- E:\Program Files\InstallShield Installation Information
2008-05-26 15:38 . 2008-05-26 15:39 0 --ah----- E:\WINDOWS\SwSys2.bmp
2008-05-26 15:38 . 2008-05-26 15:39 0 --ah----- E:\WINDOWS\SwSys1.bmp
2008-05-26 15:37 . 2008-05-26 15:37 <DIR> d-------- E:\WINDOWS\Downloaded Installations
2008-05-26 15:37 . 2008-05-26 15:37 <DIR> d-------- E:\Program Files\Xplosiv
2008-05-26 13:51 . 2008-05-26 13:51 <DIR> d-------- E:\Program Files\Gigabyte
2008-05-26 13:51 . 1998-10-02 19:00 327,168 --a------ E:\WINDOWS\IsUninst.exe
2008-05-26 13:51 . 2002-04-17 14:45 39,880 -ra------ E:\WINDOWS\system32\drivers\ETDrv.sys
2008-05-26 13:45 . 2003-02-11 11:37 1,663,488 -ra------ E:\WINDOWS\system32\ALSNDMGR.CPL
2008-05-26 13:45 . 2002-11-21 12:37 765,952 -ra------ E:\WINDOWS\system\crlds3d.dll
2008-05-26 13:45 . 2002-08-27 13:53 720,896 --a------ E:\WINDOWS\system32\dllcache\a3d.dll
2008-05-26 13:45 . 2002-08-27 13:53 720,896 -ra------ E:\WINDOWS\system32\Audio3D.dll
2008-05-26 13:45 . 2002-08-27 13:53 720,896 -ra------ E:\WINDOWS\system32\a3d.dll
2008-05-26 13:45 . 2003-02-11 13:04 696,284 -ra------ E:\WINDOWS\system32\drivers\ALCXWDM.SYS
2008-05-26 13:45 . 2002-02-05 11:24 141,016 -ra------ E:\WINDOWS\system32\ALSNDMGR.WAV
2008-05-26 13:45 . 2003-02-10 13:29 47,104 -ra------ E:\WINDOWS\SOUNDMAN.EXE
2008-05-26 13:16 . 2008-05-26 13:16 2,560 --a------ E:\WINDOWS\system32\bitcometres.dll
2008-05-26 12:32 . 2008-05-26 12:32 <DIR> d--h----- E:\WINDOWS\PIF
2008-05-26 12:01 . 2008-05-26 12:01 <DIR> d-------- E:\Program Files\Spybot - Search & Destroy
2008-05-26 12:01 . 2008-05-26 12:01 <DIR> d-------- E:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-26 06:26 --------- d-----w E:\Program Files\Mozilla Firefox 3 Beta 2
2008-05-26 06:25 --------- d-----w E:\Program Files\ASL-25020
2008-05-26 05:36 --------- d-----w E:\Program Files\microsoft frontpage
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Messenger (Yahoo!)"="E:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2008-05-27 21:58 4269296]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"snpstd3"="E:\WINDOWS\vsnpstd3.exe" [2007-05-10 13:18 835584]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 22:16 39792 E:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcoholAutomount]
--a------ 2007-12-22 12:53 221568 E:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\amva]
E:\WINDOWS\system32\amvo.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BM43fe1884]
E:\WINDOWS\system32\tjcyibvg.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dc]
E:\WINDOWS\dc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dc2k5]
E:\WINDOWS\SVIQ.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\e87446f1]
E:\WINDOWS\system32\aljvbqie.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EasyTuneIV]
--a------ 2003-03-28 14:37 217088 E:\Program Files\Gigabyte\Gigabyte Windows Utility Manager\ET4\et4Tray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FixCamera]
E:\WINDOWS\FixCamera.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Fun]
E:\WINDOWS\system\Fun.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\JavaCore]
E:\Program Files\\JavaCore\\JavaCore.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Load]
E:\WINDOWS\inf\Other.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lsass]
E:\Documents and Settings\srajan\Application Data\Microsoft\Windows\lsass.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-08-04 01:06 1667584 E:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Run]
E:\WINDOWS\system32\config\Win.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\snpstd3]
--a------ 2007-05-10 13:18 835584 E:\WINDOWS\vsnpstd3.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
-ra------ 2003-02-10 13:29 47104 E:\WINDOWS\SOUNDMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2008-03-25 04:28 144784 E:\Program Files\Java\jre1.6.0_06\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\tsnpstd3]
--a------ 2007-04-21 09:32 270336 E:\WINDOWS\tsnpstd3.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WintelUpdate]
--a------ 2008-06-05 08:46 12800 C:\flciijjq.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"amva"=E:\WINDOWS\system32\amvo.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"BM43fe1884"=Rundll32.exe "E:\WINDOWS\system32\tjcyibvg.dll",s

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\BitComet\\BitComet.exe"=
"E:\\Program Files\\Microsoft Games\\Rise of Nations\\Thrones.exe"=
"E:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9144:TCP"= 9144:TCP:BitComet 9144 TCP
"9144:UDP"= 9144:UDP:BitComet 9144 UDP

R2 ETDrv;ETDrv;E:\WINDOWS\system32\drivers\ETDrv.sys [2002-04-17 14:45]
R2 UxTuneUp;TuneUp Design Expansion;E:\WINDOWS\System32\svchost.exe [2004-08-03 22:56]
R3 iadusb;ASL-25020;E:\WINDOWS\system32\DRIVERS\glauiad.sys [2004-07-02 13:50]
S3 SE30bus;Sony Ericsson Device 048 Driver driver (WDM);E:\WINDOWS\system32\DRIVERS\SE30bus.sys [2006-05-15 19:15]
S3 SE30mdfl;Sony Ericsson Device 048 USB WMC Modem Filter;E:\WINDOWS\system32\DRIVERS\SE30mdfl.sys [2006-05-15 19:15]
S3 SE30mdm;Sony Ericsson Device 048 USB WMC Modem Driver;E:\WINDOWS\system32\DRIVERS\SE30mdm.sys [2006-05-15 19:15]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\C]
\Shell\AutoRun\command - C:\6x8be16.cmd
\Shell\explore\Command - C:\6x8be16.cmd
\Shell\open\Command - C:\6x8be16.cmd

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - D:\6x8be16.cmd
\Shell\explore\Command - D:\6x8be16.cmd
\Shell\open\Command - D:\6x8be16.cmd

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - F:\6x8be16.cmd
\Shell\explore\Command - F:\6x8be16.cmd
\Shell\open\Command - F:\6x8be16.cmd

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{19fd750a-36b8-11dd-889e-ac35064d1481}]
\Shell\AutoRun\command - H:\x6.bat
\Shell\explore\Command - H:\x6.bat
\Shell\open\Command - H:\x6.bat

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8aa9461c-32ee-11dd-8882-001802930af6}]
\Shell\AutoRun\command - H:\x6.bat
\Shell\explore\Command - H:\x6.bat
\Shell\open\Command - H:\x6.bat

.
Contents of the 'Scheduled Tasks' folder
"2008-06-15 05:50:50 E:\WINDOWS\Tasks\1-Click Maintenance.job"
- E:\Program Files\TuneUp Utilities 2007\SystemOptimizer.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-17 17:44:04
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
E:\WINDOWS\SYSTEM32\WSCNTFY.EXE
.
**************************************************************************
.
Completion time: 2008-06-17 17:44:42 - machine was rebooted
ComboFix-quarantined-files.txt 2008-06-17 12:14:38

Pre-Run: 4,936,269,824 bytes free
Post-Run: 4,885,970,944 bytes free

306

ken545 · Jun 17, 2008

Hi,

Open Notepad ( this will only work in Notepad ), go to Start> All Programs> Assessories> Notepad and copy all the text inside the Code box by highlighting it all and pressing CTRL C on your keyboard, then paste it into Notepad, make sure there is no space before and above File::

Code:

File::
E:\WINDOWS\system\Fun.exe
E:\WINDOWS\system32\TUKernel.exe
E:\WINDOWS\system32\atbppxxl.dll
E:\WINDOWS\system32\amvo.exe
E:\WINDOWS\system32\tjcyibvg.dll
E:\WINDOWS\dc.exe
E:\WINDOWS\SVIQ.EXE
E:\WINDOWS\system32\aljvbqie.dll
E:\WINDOWS\inf\Other.exe
E:\Documents and Settings\srajan\Application Data\Microsoft\Windows\lsass.exe
E:\WINDOWS\system32\config\Win.exe
C:\flciijjq.exe

Folder::
E:\Program Files\JavaCore

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\amva]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BM43fe1884]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dc]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dc2k5]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\e87446f1]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Fun]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\JavaCore]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lsass]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Run]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Load]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WintelUpdate]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"amva"=-

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"BM43fe1884"=-

Save this as CFScript to your desktop.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

srj666666 · Jun 17, 2008

Combo fix log

ComboFix 08-06-16.2 - srajan 2008-06-17 18:44:51.2 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.69 [GMT 5.5:30]
Running from: E:\Documents and Settings\srajan\Desktop\ComboFix.exe
Command switches used :: E:\Documents and Settings\srajan\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\flciijjq.exe
E:\Documents and Settings\srajan\Application Data\Microsoft\Windows\lsass.exe
E:\WINDOWS\dc.exe
E:\WINDOWS\inf\Other.exe
E:\WINDOWS\SVIQ.EXE
E:\WINDOWS\system\Fun.exe
E:\WINDOWS\system32\aljvbqie.dll
E:\WINDOWS\system32\amvo.exe
E:\WINDOWS\system32\atbppxxl.dll
E:\WINDOWS\system32\config\Win.exe
E:\WINDOWS\system32\tjcyibvg.dll
E:\WINDOWS\system32\TUKernel.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\flciijjq.exe
E:\WINDOWS\system32\TUKernel.exe

.
((((((((((((((((((((((((( Files Created from 2008-05-17 to 2008-06-17 )))))))))))))))))))))))))))))))
.

2008-06-17 18:30 . 2008-06-17 18:30 <DIR> d-------- E:\Program Files\Common Files\snpstd3
2008-06-17 18:30 . 2008-06-17 18:30 <DIR> d-------- E:\Documents and Settings\srajan\Application Data\InstallShield
2008-06-17 18:19 . 2008-06-17 18:19 <DIR> d-------- E:\Documents and Settings\All Users\Application Data\Yahoo!
2008-06-16 00:29 . 2004-08-03 22:58 14,848 --a------ E:\WINDOWS\system32\drivers\kbdhid.sys
2008-06-16 00:29 . 2004-08-03 22:58 14,848 --a------ E:\WINDOWS\system32\dllcache\kbdhid.sys
2008-06-16 00:28 . 2004-08-03 23:08 31,616 --a------ E:\WINDOWS\system32\drivers\usbccgp.sys
2008-06-16 00:28 . 2004-08-03 23:08 31,616 --a------ E:\WINDOWS\system32\dllcache\usbccgp.sys
2008-06-16 00:17 . 2008-06-16 00:17 <DIR> d--hs---- E:\FOUND.012
2008-06-15 21:48 . 2008-06-15 21:48 <DIR> d-------- E:\Documents and Settings\srajan\Application Data\Yahoo!
2008-06-15 21:48 . 2008-06-15 21:48 <DIR> d-------- E:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2008-06-15 19:58 . 2008-06-15 19:58 <DIR> d-------- E:\Program Files\Yahoo!
2008-06-15 19:08 . 2008-06-15 19:08 <DIR> d-------- E:\Program Files\Malwarebytes' Anti-Malware
2008-06-15 19:08 . 2008-06-15 19:08 <DIR> d-------- E:\Documents and Settings\srajan\Application Data\Malwarebytes
2008-06-15 19:08 . 2008-06-15 19:08 <DIR> d-------- E:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-06-15 19:08 . 2008-06-10 19:02 34,296 --a------ E:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-06-15 19:08 . 2008-06-10 19:02 15,864 --a------ E:\WINDOWS\system32\drivers\mbam.sys
2008-06-15 19:03 . 2008-06-15 19:03 <DIR> d-------- E:\_OTMoveIt
2008-06-15 18:13 . 2008-06-15 18:13 <DIR> d-------- E:\Documents and Settings\Administrator
2008-06-15 17:51 . 2008-06-15 17:51 <DIR> d-------- E:\WINDOWS\ERUNT
2008-06-15 17:50 . 2008-06-14 01:37 <DIR> d-------- E:\SDFix
2008-06-15 17:40 . 2008-06-15 17:40 <DIR> d--hs---- E:\FOUND.011
2008-06-15 11:20 . 2008-06-15 11:20 <DIR> d-------- E:\Program Files\TuneUp Utilities 2007
2008-06-15 11:20 . 2008-06-15 11:20 <DIR> d-------- E:\Program Files\Common Files\Wise Installation Wizard
2008-06-15 11:20 . 2008-06-15 11:20 <DIR> d-------- E:\Documents and Settings\srajan\Application Data\TuneUp Software
2008-06-15 11:20 . 2008-06-15 11:20 <DIR> d-------- E:\Documents and Settings\All Users\Application Data\TuneUp Software
2008-06-15 11:20 . 2006-12-19 16:53 24,072 --a------ E:\WINDOWS\system32\uxtuneup.dll
2008-06-15 10:10 . 2008-06-15 10:10 <DIR> d-------- E:\Deckard
2008-06-15 09:21 . 2008-06-15 09:21 <DIR> d--hs---- E:\FOUND.010
2008-06-15 09:08 . 2008-06-15 09:08 <DIR> d-------- E:\WINDOWS\Sun
2008-06-15 09:05 . 2008-06-15 09:05 <DIR> d-------- E:\Program Files\Google
2008-06-15 09:04 . 2008-03-25 02:37 69,632 --a------ E:\WINDOWS\system32\javacpl.cpl
2008-06-15 09:03 . 2008-06-15 09:03 <DIR> d-------- E:\Program Files\Java
2008-06-15 08:56 . 2008-06-15 08:56 <DIR> d-------- E:\Program Files\Common Files\Java
2008-06-14 14:35 . 2008-06-14 14:35 <DIR> d--hs---- E:\FOUND.009
2008-06-14 11:22 . 2008-06-17 08:20 114,769 -r-hs---- E:\6x8be16.cmd
2008-06-13 16:20 . 2008-06-13 16:21 <DIR> d-------- E:\Documents and Settings\srajan\Application Data\MahJong Suite
2008-06-13 14:53 . 2008-06-13 14:53 <DIR> d-------- E:\Documents and Settings\srajan\Application Data\SolSuite
2008-06-12 19:26 . 2008-06-12 19:26 <DIR> d-------- E:\Program Files\Trend Micro
2008-06-12 13:38 . 2008-06-12 13:38 <DIR> d-------- E:\Program Files\Ballance
2008-06-12 13:32 . 2008-06-12 13:32 <DIR> d-------- E:\Program Files\Alcohol Soft
2008-06-12 13:29 . 2008-06-12 13:29 715,248 --a------ E:\WINDOWS\system32\drivers\sptd.sys
2008-06-09 13:27 . 2008-06-15 18:51 204 --a------ E:\WINDOWS\wininit.ini
2008-06-09 07:38 . 2008-06-09 07:38 <DIR> d--hs---- E:\FOUND.008
2008-06-06 17:39 . 2008-06-06 17:39 <DIR> d-------- E:\race
2008-06-06 16:58 . 2008-06-06 16:58 <DIR> d--hs---- E:\FOUND.007
2008-06-05 16:29 . 2006-05-15 19:15 97,184 -ra------ E:\WINDOWS\system32\drivers\SE30mdm.sys
2008-06-05 16:29 . 2006-05-15 19:15 9,360 -ra------ E:\WINDOWS\system32\drivers\SE30mdfl.sys
2008-06-05 16:29 . 2006-05-15 19:15 6,240 -ra------ E:\WINDOWS\system32\drivers\SE30cmnt.sys
2008-06-05 16:29 . 2006-05-15 19:15 6,240 -ra------ E:\WINDOWS\system32\drivers\SE30cm.sys
2008-06-05 16:28 . 2006-05-15 19:15 61,600 -ra------ E:\WINDOWS\system32\drivers\SE30bus.sys
2008-06-05 16:28 . 2006-05-15 19:15 5,872 -ra------ E:\WINDOWS\system32\drivers\SE30whnt.sys
2008-06-05 16:28 . 2006-05-15 19:15 5,872 -ra------ E:\WINDOWS\system32\drivers\SE30wh.sys
2008-06-05 16:25 . 2008-06-05 16:25 <DIR> d-------- E:\WINDOWS\system32\DRVSTORE
2008-06-05 16:23 . 2008-06-05 16:23 <DIR> d-------- E:\Program Files\Common Files\InstallShield
2008-06-05 09:49 . 2008-06-05 09:49 <DIR> d--hs---- E:\FOUND.006
2008-06-05 09:12 . 2008-06-05 09:12 <DIR> d-------- E:\Program Files\Microsoft Games
2008-06-05 09:05 . 2008-06-05 09:05 <DIR> d-------- E:\Program Files\Common Files\Adobe
2008-06-05 08:56 . 2008-06-05 08:56 <DIR> d-------- E:\Program Files\GameSpy Arcade
2008-06-05 08:46 . 2008-06-05 08:46 29 --a------ E:\WINDOWS\system32\retypogh.tmp
2008-06-05 08:37 . 2008-06-05 08:37 <DIR> d-------- E:\Documents and Settings\srajan\Application Data\Microsoft Games
2008-06-04 22:52 . 2008-06-04 22:52 <DIR> d--hs---- E:\FOUND.005
2008-06-04 13:43 . 2008-06-04 13:43 11,689 --a------ E:\WINDOWS\cdplayer.ini
2008-06-04 12:32 . 2008-06-04 12:32 <DIR> d-------- E:\Program Files\Acoustica MP3 CD Burner
2008-06-04 12:32 . 2002-11-05 15:16 57,344 --a------ E:\WINDOWS\system32\Wnaspint.dll
2008-06-04 11:26 . 2004-08-03 23:08 26,496 --a------ E:\WINDOWS\system32\dllcache\usbstor.sys
2008-06-04 09:34 . 2008-06-04 09:34 <DIR> d--hs---- E:\FOUND.004
2008-06-03 20:20 . 2008-06-03 20:20 <DIR> d--hs---- E:\FOUND.003
2008-05-31 23:30 . 2004-08-03 23:10 85,376 --a------ E:\WINDOWS\system32\drivers\NABTSFEC.sys
2008-05-31 23:29 . 2004-08-04 00:56 90,624 --a------ E:\WINDOWS\system32\kswdmcap.ax
2008-05-31 23:29 . 2004-08-04 00:56 90,624 --a------ E:\WINDOWS\system32\dllcache\kswdmcap.ax
2008-05-31 23:29 . 2004-08-04 00:56 61,952 --a------ E:\WINDOWS\system32\kstvtune.ax
2008-05-31 23:29 . 2004-08-04 00:56 61,952 --a------ E:\WINDOWS\system32\dllcache\kstvtune.ax
2008-05-31 23:29 . 2004-08-04 00:56 53,760 --a------ E:\WINDOWS\system32\vfwwdm32.dll
2008-05-31 23:29 . 2004-08-04 00:56 53,760 --a------ E:\WINDOWS\system32\dllcache\vfwwdm32.dll
2008-05-31 23:29 . 2004-08-04 00:56 43,008 --a------ E:\WINDOWS\system32\ksxbar.ax
2008-05-31 23:29 . 2004-08-04 00:56 43,008 --a------ E:\WINDOWS\system32\dllcache\ksxbar.ax
2008-05-31 23:29 . 2004-08-04 00:56 28,672 --a------ E:\WINDOWS\system32\vidcap.ax
2008-05-31 23:29 . 2004-08-04 00:56 28,672 --a------ E:\WINDOWS\system32\dllcache\vidcap.ax
2008-05-31 23:24 . 2006-07-03 10:31 94,208 --a------ E:\WINDOWS\amcap.exe
2008-05-31 18:11 . 2001-08-17 13:48 12,160 --a------ E:\WINDOWS\system32\drivers\mouhid.sys
2008-05-31 18:11 . 2001-08-17 13:48 12,160 --a------ E:\WINDOWS\system32\dllcache\mouhid.sys
2008-05-31 18:11 . 2001-08-17 14:02 9,600 --a------ E:\WINDOWS\system32\drivers\hidusb.sys
2008-05-31 18:11 . 2001-08-17 14:02 9,600 --a------ E:\WINDOWS\system32\dllcache\hidusb.sys
2008-05-29 09:35 . 2008-05-29 09:35 <DIR> d-------- E:\Program Files\Home
2008-05-29 07:59 . 2007-10-29 10:34 <DIR> d-------- E:\Program Files\EA SPORTS
2008-05-28 13:57 . 2008-05-28 13:57 <DIR> d-------- E:\Program Files\Hasbro
2008-05-28 13:57 . 2008-05-28 13:57 <DIR> dr-h----- E:\Documents and Settings\srajan\Application Data\SecuROM
2008-05-28 13:57 . 2008-05-28 13:57 107,888 --a------ E:\WINDOWS\system32\CmdLineExt.dll
2008-05-28 10:51 . 2008-05-28 10:51 <DIR> d--hs---- E:\FOUND.002
2008-05-28 10:06 . 2008-05-28 10:06 <DIR> d-------- E:\Program Files\Smart Projects
2008-05-27 20:46 . 2008-05-27 20:46 300 --a------ E:\WINDOWS\EPSTPLOG.BAK
2008-05-27 13:23 . 2008-05-27 13:23 <DIR> d-------- E:\Pocket Tanks Deluxe
2008-05-26 15:38 . 2008-05-26 15:38 <DIR> d--h----- E:\Program Files\InstallShield Installation Information
2008-05-26 15:38 . 2008-05-26 15:39 0 --ah----- E:\WINDOWS\SwSys2.bmp
2008-05-26 15:38 . 2008-05-26 15:39 0 --ah----- E:\WINDOWS\SwSys1.bmp
2008-05-26 15:37 . 2008-05-26 15:37 <DIR> d-------- E:\WINDOWS\Downloaded Installations
2008-05-26 15:37 . 2008-05-26 15:37 <DIR> d-------- E:\Program Files\Xplosiv
2008-05-26 13:51 . 2008-05-26 13:51 <DIR> d-------- E:\Program Files\Gigabyte
2008-05-26 13:51 . 1998-10-02 19:00 327,168 --a------ E:\WINDOWS\IsUninst.exe
2008-05-26 13:51 . 2002-04-17 14:45 39,880 -ra------ E:\WINDOWS\system32\drivers\ETDrv.sys
2008-05-26 13:45 . 2003-02-11 11:37 1,663,488 -ra------ E:\WINDOWS\system32\ALSNDMGR.CPL
2008-05-26 13:45 . 2002-11-21 12:37 765,952 -ra------ E:\WINDOWS\system\crlds3d.dll
2008-05-26 13:45 . 2002-08-27 13:53 720,896 --a------ E:\WINDOWS\system32\dllcache\a3d.dll
2008-05-26 13:45 . 2002-08-27 13:53 720,896 -ra------ E:\WINDOWS\system32\Audio3D.dll
2008-05-26 13:45 . 2002-08-27 13:53 720,896 -ra------ E:\WINDOWS\system32\a3d.dll
2008-05-26 13:45 . 2003-02-11 13:04 696,284 -ra------ E:\WINDOWS\system32\drivers\ALCXWDM.SYS
2008-05-26 13:45 . 2002-02-05 11:24 141,016 -ra------ E:\WINDOWS\system32\ALSNDMGR.WAV
2008-05-26 13:45 . 2003-02-10 13:29 47,104 -ra------ E:\WINDOWS\SOUNDMAN.EXE
2008-05-26 13:16 . 2008-05-26 13:16 2,560 --a------ E:\WINDOWS\system32\bitcometres.dll
2008-05-26 12:32 . 2008-05-26 12:32 <DIR> d--h----- E:\WINDOWS\PIF
2008-05-26 12:01 . 2008-05-26 12:01 <DIR> d-------- E:\Program Files\Spybot - Search & Destroy
2008-05-26 12:01 . 2008-05-26 12:01 <DIR> d-------- E:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-26 07:02 2,855 ----a-w E:\WINDOWS\PIF\setup.PIF
2008-05-26 06:26 --------- d-----w E:\Program Files\Mozilla Firefox 3 Beta 2
2008-05-26 06:25 --------- d-----w E:\Program Files\ASL-25020
2008-05-26 05:36 --------- d-----w E:\Program Files\microsoft frontpage
.

((((((((((((((((((((((((((((( snapshot@2008-06-17_17.44.25.71 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-17 12:13:48 2,048 --s-a-w E:\WINDOWS\bootstat.dat
+ 2008-06-17 13:00:00 2,048 --s-a-w E:\WINDOWS\bootstat.dat
+ 2007-07-11 10:39:48 20,480 ----a-w E:\WINDOWS\FixCamera.exe
+ 2005-11-23 08:25:32 53,248 ----a-w E:\WINDOWS\LastGood\system32\csnpstd3.dll
+ 2004-08-03 17:45:22 140,928 ----a-w E:\WINDOWS\LastGood\system32\drivers\ks.sys
+ 2007-07-25 11:53:14 10,375,552 ----a-w E:\WINDOWS\LastGood\system32\drivers\snpstd3.sys
+ 2004-08-03 19:26:44 47,616 ----a-w E:\WINDOWS\LastGood\system32\iyuv_32.dll
+ 2004-08-03 19:26:44 4,096 ----a-w E:\WINDOWS\LastGood\system32\ksuser.dll
+ 2004-08-03 19:26:58 294,912 ----a-w E:\WINDOWS\LastGood\system32\msh263.drv
+ 2004-08-03 19:26:46 17,408 ----a-w E:\WINDOWS\LastGood\system32\msyuv.dll
+ 2001-08-17 17:06:34 8,192 ----a-w E:\WINDOWS\LastGood\system32\tsbyuv.dll
+ 2004-08-03 19:26:48 53,760 ----a-w E:\WINDOWS\LastGood\system32\vfwwdm32.dll
+ 2007-07-23 12:39:06 57,344 ----a-w E:\WINDOWS\LastGood\system32\vsnpstd3.dll
+ 2005-08-01 10:31:48 57,344 ----a-w E:\WINDOWS\LastGood\twain_32\snpstd3a\TwainUI.dll
+ 2005-08-01 10:31:48 57,344 ----a-w E:\WINDOWS\LastGood\twain_32\snpstd3b\TwainUI.dll
+ 2005-08-01 10:31:48 57,344 ----a-w E:\WINDOWS\LastGood\twain_32\snpstd3c\TwainUI.dll
+ 2005-08-01 10:31:48 57,344 ----a-w E:\WINDOWS\LastGood\twain_32\snpstd3d\TwainUI.dll
+ 2007-05-10 07:48:26 835,584 ----a-w E:\WINDOWS\LastGood\vsnpstd3.exe
+ 2008-06-17 13:00:06 16,384 ----a-w E:\WINDOWS\TEMP\Perflib_Perfdata_558.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Messenger (Yahoo!)"="E:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2008-05-27 21:58 4269296]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"FixCamera"="E:\WINDOWS\FixCamera.exe" [2007-07-11 16:09 20480]
"tsnpstd3"="E:\WINDOWS\tsnpstd3.exe" [2007-04-21 09:32 270336]
"snpstd3"="E:\WINDOWS\vsnpstd3.exe" [2007-05-10 13:18 835584]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 22:16 39792 E:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcoholAutomount]
--a------ 2007-12-22 12:53 221568 E:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EasyTuneIV]
--a------ 2003-03-28 14:37 217088 E:\Program Files\Gigabyte\Gigabyte Windows Utility Manager\ET4\et4Tray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FixCamera]
--a------ 2007-07-11 16:09 20480 E:\WINDOWS\FixCamera.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-08-04 01:06 1667584 E:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\snpstd3]
--------- 2007-05-10 13:18 835584 E:\WINDOWS\vsnpstd3.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
-ra------ 2003-02-10 13:29 47104 E:\WINDOWS\SOUNDMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2008-03-25 04:28 144784 E:\Program Files\Java\jre1.6.0_06\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\tsnpstd3]
--a------ 2007-04-21 09:32 270336 E:\WINDOWS\tsnpstd3.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\BitComet\\BitComet.exe"=
"E:\\Program Files\\Microsoft Games\\Rise of Nations\\Thrones.exe"=
"E:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9144:TCP"= 9144:TCP:BitComet 9144 TCP
"9144:UDP"= 9144:UDP:BitComet 9144 UDP

R2 ETDrv;ETDrv;E:\WINDOWS\system32\drivers\ETDrv.sys [2002-04-17 14:45]
R2 UxTuneUp;TuneUp Design Expansion;E:\WINDOWS\System32\svchost.exe [2004-08-03 22:56]
R3 iadusb;ASL-25020;E:\WINDOWS\system32\DRIVERS\glauiad.sys [2004-07-02 13:50]
S3 SE30bus;Sony Ericsson Device 048 Driver driver (WDM);E:\WINDOWS\system32\DRIVERS\SE30bus.sys [2006-05-15 19:15]
S3 SE30mdfl;Sony Ericsson Device 048 USB WMC Modem Filter;E:\WINDOWS\system32\DRIVERS\SE30mdfl.sys [2006-05-15 19:15]
S3 SE30mdm;Sony Ericsson Device 048 USB WMC Modem Driver;E:\WINDOWS\system32\DRIVERS\SE30mdm.sys [2006-05-15 19:15]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{19fd750a-36b8-11dd-889e-ac35064d1481}]
\Shell\AutoRun\command - H:\x6.bat
\Shell\explore\Command - H:\x6.bat
\Shell\open\Command - H:\x6.bat

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8aa9461c-32ee-11dd-8882-001802930af6}]
\Shell\AutoRun\command - H:\x6.bat
\Shell\explore\Command - H:\x6.bat
\Shell\open\Command - H:\x6.bat

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2008-06-15 05:50:50 E:\WINDOWS\Tasks\1-Click Maintenance.job"
- E:\Program Files\TuneUp Utilities 2007\SystemOptimizer.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-17 18:45:45
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-06-17 18:46:06
ComboFix-quarantined-files.txt 2008-06-17 13:16:06
ComboFix2.txt 2008-06-17 12:14:44

Pre-Run: 4,625,154,048 bytes free
Post-Run: 4,618,141,696 bytes free

246

srj666666 · Jun 17, 2008

Hjt Log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:47:44 PM, on 6/17/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\spoolsv.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\system32\wscntfy.exe
E:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
E:\WINDOWS\tsnpstd3.exe
E:\WINDOWS\explorer.exe
E:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R3 - URLSearchHook: Yahoo! ¤u¨ã¦C - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - E:\PROGRA~1\YAHOO!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - E:\PROGRA~1\YAHOO!\Companion\Installs\cpn\yt.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.8.30.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - E:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - E:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O3 - Toolbar: Yahoo! ¤u¨ã¦C - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - E:\PROGRA~1\YAHOO!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [FixCamera] E:\WINDOWS\FixCamera.exe
O4 - HKLM\..\Run: [tsnpstd3] E:\WINDOWS\tsnpstd3.exe
O4 - HKLM\..\Run: [snpstd3] E:\WINDOWS\vsnpstd3.exe
O4 - HKCU\..\Run: [Messenger (Yahoo!)] "E:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: BitComet Search - {461CC20B-FB6E-4f16-8FE8-C29359DB100E} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.8.30.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - E:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - E:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{834AC416-BB74-4DC9-BCB3-25AFAE20D403}: NameServer = 218.248.240.23 218.248.240.135
O17 - HKLM\System\CS1\Services\Tcpip\..\{834AC416-BB74-4DC9-BCB3-25AFAE20D403}: NameServer = 218.248.240.23 218.248.240.135
O23 - Service: Google Updater Service (gusvc) - Google - E:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

--
End of file - 3902 bytes

ken545 · Jun 17, 2008

This one is questionable.

You need to enable windows to show all files and folders, instructions Here

Go to VirusTotal and submit this file for analysis, just use the Browse feature and then Submit this file , you will get a report back, post the report into this thread for me to see.

E:\WINDOWS\FixCamera.exe

srj666666 · Jun 17, 2008

virus total report

File FixCamera.exe received on 06.17.2008 15:56:37 (CET)
Antivirus Version Last Update Result
AhnLab-V3 2008.6.17.0 2008.06.17 -
AntiVir 7.8.0.55 2008.06.17 -
Authentium 5.1.0.4 2008.06.17 -
Avast 4.8.1195.0 2008.06.16 -
AVG 7.5.0.516 2008.06.16 -
BitDefender 7.2 2008.06.17 -
CAT-QuickHeal 9.50 2008.06.16 -
ClamAV 0.93.1 2008.06.17 -
DrWeb 4.44.0.09170 2008.06.17 -
eSafe 7.0.15.0 2008.06.16 -
eTrust-Vet 31.6.5881 2008.06.17 -
Ewido 4.0 2008.06.17 -
F-Prot 4.4.4.56 2008.06.12 -
F-Secure 6.70.13260.0 2008.06.17 -
Fortinet 3.14.0.0 2008.06.17 -
GData 2.0.7306.1023 2008.06.17 -
Ikarus T3.1.1.26.0 2008.06.17 -
Kaspersky 7.0.0.125 2008.06.17 -
McAfee 5318 2008.06.16 -
Microsoft 1.3604 2008.06.17 -
NOD32v2 3193 2008.06.17 -
Norman 5.80.02 2008.06.16 -
Panda 9.0.0.4 2008.06.16 Suspicious file
Prevx1 V2 2008.06.17 -
Rising 20.49.11.00 2008.06.17 -
Sophos 4.30.0 2008.06.17 -
Sunbelt 3.0.1153.1 2008.06.15 -
Symantec 10 2008.06.17 -
TheHacker 6.2.92.352 2008.06.17 -
TrendMicro 8.700.0.1004 2008.06.17 -
VBA32 3.12.6.7 2008.06.17 -
VirusBuster 4.3.26:9 2008.06.12 -
Webwasher-Gateway 6.6.2 2008.06.17 -
Additional information
File size: 20480 bytes
MD5...: 1c1db86a882ab2532eec09507190e019
SHA1..: 439970c503f460e7dabb0d661038bd411a5c6d61
SHA256: 16204ff683c992bee4776c2716476ba61c432d674966bed3b350b099af8a2975
SHA512: 74e5278edaefca28d3cd4c3d469083c221a739596b277381b83529a5918914dc 4e31e0d2c02e7e07f9e7ade4779f713cf770f1ff7403dcb64fdc8a1a721be123
PEiD..: Armadillo v1.71
PEInfo: PE Structure information ( base data ) entrypointaddress.: 0x4019be timedatestamp.....: 0x4694904b (Wed Jul 11 08:09:47 2007) machinetype.......: 0x14c (I386) ( 4 sections ) name viradd virsiz rawdsiz ntrpy md5 .text 0x1000 0xc12 0x1000 4.79 2bf6e63696bdec92fe810787bd019e29 .rdata 0x2000 0xa5e 0x1000 3.76 d67d30c868afb5a48b37a42cca0349f6 .data 0x3000 0x198 0x1000 0.32 b6941301e1b1663258b4825697a4d8ec .rsrc 0x4000 0xa18 0x1000 2.34 951c08db347f88bf189d7eba399407c4 ( 5 imports ) > MFC42.DLL: -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, -, - > MSVCRT.dll: _except_handler3, __set_app_type, __p__fmode, __p__commode, _adjust_fdiv, __setusermatherr, _initterm, __getmainargs, _acmdln, _setmbcp, __CxxFrameHandler, _strupr, strstr, _controlfp, __dllonexit, _onexit, _exit, _XcptFilter, exit > KERNEL32.dll: GetModuleHandleA, GetCurrentProcessId, CreateToolhelp32Snapshot, Process32First, OpenProcess, TerminateProcess, CloseHandle, GetStartupInfoA, GetCurrentProcess, Process32Next > USER32.dll: EnableWindow, KillTimer, IsIconic, GetSystemMetrics, DrawIcon, SendMessageA, SetTimer, LoadIconA, GetClientRect > ADVAPI32.dll: RegEnumValueA, RegDeleteValueA, RegCloseKey, OpenProcessToken, LookupPrivilegeValueA, AdjustTokenPrivileges, RegOpenKeyExA ( 0 exports )

ken545 · Jun 17, 2008

Looks like it may be ok.

How is your system running now??

srj666666 · Jun 17, 2008

I think that is working properly and does not crashes anymore.
Thanks for your help. It is running efficiently.

srj666666 · Jun 17, 2008

I think that is working properly and does not crashes anymore.
Thanks for your help and it is because of your efforts it is running efficiently.

Help virtumonde infection

New member

Emeritus-Security Expert

New member

Emeritus-Security Expert

New member

New member

New member

Emeritus-Security Expert

New member

Emeritus-Security Expert

New member

New member

Emeritus-Security Expert

New member

New member

Emeritus-Security Expert

New member

Emeritus-Security Expert

New member

New member