New Thread: What's yrndlcit.exe?

itsleo

New member

I posted the original of this yesterday. No, I didn't post logs, because I wasn't sure if this was the right place or not, and right this instant, I'm not sure how to go about GETting a log (keep reading, I'll explain).

I searched for yrndlcit and yrndlcit.exe and found zero references... kinda surprising - is it "the" problem or something totally off the wall?

Anyway, this "yrndlcit.exe" was popping up several times a minute - I'd put it on the blacklist - but either I accidentally put it on the white list too or it managed to add itself - I was getting multiple boxes on the screen announcing that yrndlcit.exe was running because it was white listed followed by boxes announcing that it was terminated because it was blacklisted... somehow I got into the lists - don't recall what I did - and deleted the white list entry, so at least I don't see the *(&#$@ boxes anymore. But something's up - still... my desktop icons are all highlighted all the time, and the computer is slow, and it keeps kicking off IE (I use FF) and complaining about being offline (I have no intention of putting it online on my little home LAN until something is resolved - only one other computer is Windows, but...).

I saw the stickies about the procedure - S&D is running right now [ NOTE: WAS when I write the original - keep reading for results ] on the infected computer, so when it's done I'll d/l the other progs, CD them and copy onto El Sicko and run, if there's any point to it...

Here's what happened next: I went back to edit my original, and provide some more information... but, of course, you can't edit your posts here, so I replied to it (is there some other alternative?), and I got a response, which was basically "RTFM" - which I think I had indicated (see above) that I had done already - and asked to start a new thread, which I am doing right now.

The result of the S&D scan was that it found 3 instances of virtumonde in the registry and said they were fixed (which I took to mean erased). When I rebooted it, intending to hook the computer directly to the DSL and avoid infecting others on my LAN, it came up with nothing but a desktop wallpaper - no icons, no taskbar. Ctrl-Alt-Del does bring up the Task Manager, but I'm not sure where to go next. I can get it up in safe mode (although on this Dell notebook, the screen in this mode is about half the size of the full screen and a little hard to work with).

I understand that this post, like the previous one, is in violation of the requirement to post logs from Kaspersky Online, as well as some of the following ones, but I can't GET online, which makes it a bit of a problem.

Perhaps I should start somewhere else???

Anyway, if someone can help me get past this point, I promise I'll do my best to keep to the requirements the rest of the way.

Thanks!
 
Probably a random name in the infection.

I will leave a note for our helpers to see if they have any ideas.

Best wishes.
 
It's very confusing with all the posts going on here, but I'll help if I can get some logs from you. We can't tell anything from descriptions. I saw the other log on the "good computer" and didn't see any problems, so let's just concentrate on the one you know is infected here. It probably IS Vundo, and some of the new variants come with other multiple infections as well, so there are many scenarios for the behavior you describe. There is not a one-fix step, so we need to try to find out some info on the infected machine (i.e., logs specifically).

Are you able to get online in SAFE MODE with Networking?
If so, try that for the KAV scan.

Meanwhile let's get a report from this free tool.
Download Deckard's System Scanner (DSS) to your Desktop. Note: You must be logged onto an account with administrator privileges.
  1. Close all applications and windows.
  2. Double-click on dss.exe to run it, and follow the prompts.
  3. When the scan is complete, two text files will open - main.txt <- this one will be maximized, and extra.txt <- this one will be minimized.
  4. Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of main.txt and extra.txt into your reply.

That will give me something to start with.
 
Also, if you can attach the scan log from Spybot, that might help too. When you go to post a reply, scroll down a bit and you'll see an area to "attach files" under *Additional Options*. That is how you can attach a report; the DSS logs, though, I want you to just paste in, as they shouldn't be too long and are easier to read that way.
 
Hello, Jane - I finally got this #(@*&$ notebook to show icons and desktop and got online. Here are the Deckard results you asked for (the machine's name is SHIRLEY WILLIAMS - it came from a county auction and I believe she was a JP). I will go find the S&D log and attach to another post.

Damn - the Deckard is too long, so I'm attaching IT as well.

Aw, hell! As I was typing that, S&D popped up a notice about ZQest.K8L and it caught my keypresses... no telling what happened then... also pls excuse typos, it's a notebook and I usually have a "real" keyboard... plus that (*&#$@ ZQest (or something) keeps running and stealing keypresses and moving the cursor

Well - no go on the attachment. It's about 36K and the "Manage attachments" refused it. I'll zip it and attach that................

Thanks for responding!
 
That's a mess alright. When did you acquire the computer? Do you have any of the install or recovery disks?

I'm asking because this computer only has SP1 and is dead meat if you can't get SP2. From the error logs:
Event Record #/Type3307 / Error
Event Submitted/Written: 01/11/2008 01:10:07 PM
Event ID/Source: 1010 / Windows Product Activation
Event Description:
The Windows license was restored due to a system error. You might need to reactivate your Windows product.
................
It looks like you got the KAV scan on this one? Did you save the log?
 
You've got a remote control program installed. Did you install that?
 
Hello, Leo? Where did you go?

I think maybe your idea to reformat and reinstall is probably a good one since the software on here isn't yours and you don't have anything important on it - that is going to be your easiest bet because this infection is really messy.

You are still going to need to validate windows to get SP2 installed which is really needed here but not until after you either get it cleaned up or reinstalled.

IF you want to try this tool, we can see how it does, but this computer has been infected quite a while (at least a month) and may have done some damage we can't see in these.

Download ComboFix and save it to your desktop.

**Note: It is important that it is saved directly to your desktop**

1. Close any open browsers.

2. Double click on combofix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.

Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall
 
I had to take my favorite wife to lunch... when I rebooted this computer, it started popping up S&D messages about virtumonde.ddc and asking about registry changes on a couple of others so fast I couldn't get anything done for the next 15 minutes...

If I do have to burn this down, I am very doubtful about installing Windows again. Most of my computers are various flavors of Linux, and I have yet to see even a hint of all this viruspam BS on those. My XP Pro box has had its share of spyspam, but (I think you said you looked at the HJT log for it) nothing bothersome.

Anyway, I will go ahead with the combofix and see if we can make anything GOOD happen.

Jane, thanks again!
 
Okay - here's combofix.txt and hjt log, as you requested.

ComboFix 08-01-15.4 - SHIRLEY WILLIAMS 2008-01-15 14:54:50.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.92 [GMT -6:00]
Running from: C:\Documents and Settings\SHIRLEY WILLIAMS\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\SHIRLEY WILLIAMS\Application Data\install.dat
C:\Program Files\Common Files\mcroso~1
C:\Program Files\mcroso~1
C:\Program Files\MSN Gaming Zone\lavu.dll
C:\Program Files\MSN Gaming Zone\lavu441.dll
C:\Program Files\MSN Gaming Zone\profsy.html
C:\Program Files\WinBudget
C:\Program Files\WinBudget\bin\crap.1187063402.old
C:\Program Files\WinBudget\bin\crapmatrix.dllcrap
C:\Program Files\Windows Media Player\hokesotu4444.dll
C:\Program Files\Windows Media Player\hokesotu83122.dll
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\Temp\bkR11
C:\Temp\bkR11\ftCa.log
C:\WINDOWS\horrible\tvyxx.ini
C:\WINDOWS\horrible\tvyxx.ini2
C:\WINDOWS\system32\aimsmx.dll
C:\WINDOWS\system32\aosmx.dll
C:\WINDOWS\system32\cavnfmkr.dll
C:\WINDOWS\system32\cbxyyww.dll
C:\WINDOWS\system32\dcuwemai.dll
C:\WINDOWS\system32\drivers\fad.sys
C:\WINDOWS\system32\gobptxco.dll
C:\WINDOWS\system32\gtalsmx.dll
C:\WINDOWS\system32\info.txt
C:\WINDOWS\system32\ipv6monk.dll
C:\WINDOWS\system32\mssdvoql.exe
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\pfxzmtaim.dll
C:\WINDOWS\system32\pfxzmtforum.dll
C:\WINDOWS\system32\pfxzmtgtal.dll
C:\WINDOWS\system32\pfxzmticq.dll
C:\WINDOWS\system32\pfxzmtsmt.dll
C:\WINDOWS\system32\pfxzmtsmtspm.dll
C:\WINDOWS\system32\pfxzmtwbmail.dll
C:\WINDOWS\system32\pfxzmtymsg.dll
C:\WINDOWS\SYSTEM32\rkmfnvac.ini
C:\WINDOWS\system32\rsvp32_2.dll
C:\WINDOWS\system32\rsvp32_2.dll3f2tjw
C:\WINDOWS\system32\rsvp32_2.dllewfwe334f
C:\WINDOWS\system32\rsvp32_2.dllewfweff
C:\WINDOWS\system32\sfxzmtforum.dll
C:\WINDOWS\system32\sfxzmtsmt.dll
C:\WINDOWS\system32\sfxzmtsmtspm.dll
C:\WINDOWS\system32\sfxzmtwbmail.dll
C:\WINDOWS\SYSTEM32\tvyxx.ini
C:\WINDOWS\SYSTEM32\tvyxx.ini2
C:\WINDOWS\system32\xxyvt.dll
C:\WINDOWS\system32\ymsgsmx.dll
C:\WINDOWS\tk58.exe
C:\WINDOWS\TTC-4444.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_CMDSERVICE
-------\LEGACY_DOMAINSERVICE
-------\LEGACY_FAD
-------\LEGACY_NETWORK_MONITOR
-------\DomainService


((((((((((((((((((((((((( Files Created from 2007-12-15 to 2008-01-15 )))))))))))))))))))))))))))))))
.

2008-01-15 14:52 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-15 14:17 . 2008-01-15 14:17 15,663 --a------ C:\WINDOWS\BMa345ea2a.xml
2008-01-15 14:17 . 2008-01-15 14:17 22 --a------ C:\WINDOWS\pskt.ini
2008-01-15 13:01 . 2008-01-15 13:01 10,949 --a------ C:\deck.zip
2008-01-15 12:30 . 2008-01-15 12:30 <DIR> d-------- C:\Deckard
2008-01-11 16:19 . 2008-01-11 16:19 <DIR> d-------- C:\WINDOWS\SYSTEM32\Kaspersky Lab
2008-01-11 16:19 . 2008-01-11 16:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-01-11 13:10 . 2008-01-15 12:18 2,184 --a------ C:\WINDOWS\SYSTEM32\wpa.dbl
2008-01-11 12:26 . 2008-01-15 14:58 <DIR> d-------- C:\WINDOWS\horrible
2008-01-11 12:14 . 2005-05-28 06:33 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Gtek
2008-01-04 18:18 . 2008-01-15 12:33 <DIR> d-------- C:\WINDOWS\SYSTEM32\CatRoot2
2008-01-04 18:18 . 2008-01-15 12:33 <DIR> d-------- C:\WINDOWS\SYSTEM32\CatRoot
2008-01-03 13:41 . 2008-01-03 13:41 <DIR> d-------- C:\Documents and Settings\SHIRLEY WILLIAMS\windowscrap
2007-12-17 17:45 . 2007-12-17 17:46 <DIR> d-------- C:\Program Files\WinPcap
2007-12-17 16:31 . 2007-12-17 17:46 <DIR> d-------- C:\Program Files\Wireshark
2007-12-16 14:31 . 2007-12-16 14:31 <DIR> d-------- C:\Program Files\Enigma Software Group

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-15 18:18 --------- d-----w C:\Program Files\LogMeIn
2007-12-16 21:51 --------- d-----w C:\Documents and Settings\SHIRLEY WILLIAMS\Application Data\AVG7
2007-12-16 20:50 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-12-07 17:55 --------- d-----w C:\Program Files\Apophysis 2.0
2007-12-03 21:23 --------- d-----w C:\Program Files\DBF Viewer 2000
2007-02-28 00:09 47,992 ----a-w C:\Documents and Settings\SHIRLEY WILLIAMS\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{02012421-489E-444E-BE90-5334553E729B}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{093725DF-43BD-4D73-BFC3-015648EBC06F}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{18034704-9EFB-4839-9959-565B4FADE80D}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{297B7695-14FC-4F79-B9CD-372FA4E50E1E}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3cba2671-44ea-4f46-8418-6ee56620909d}]
C:\WINDOWS\System32\nvpqsmo.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{549B5CA7-4A86-11D7-A4DF-000874180BB3}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{89F5EC1A-C524-4D56-A67F-0A3FB5C8CF54}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8A505F7C-4637-4C91-92C0-8CDABC4908AD}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AEBF6926-DBA6-4100-A838-1CED0169AB78}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C84DE7AC-2968-79EC-1486-00E2970227EA}]
C:\WINDOWS\System32\mpum.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{DF50EE5C-27CC-4403-9E23-CE08E01482C9}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E5EEA2B3-CFF1-45A4-858C-0FE06C5D2A35}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F00B9FB6-B92A-4328-82F9-85CE971ED9FA}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F74096E3-9F6E-4C7E-A5A3-F50B243B2D97}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2002-08-20 15:08 1511453]
"ctfmon.exe"="C:\WINDOWS\System32\ctfmon.exe" [2002-08-29 05:00 13312]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 16:46 1460560]
"WebBuying"="C:\Program Files\Web Buying\v1.8.6\webbuying.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PrinTray"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe" [ ]
"LogitechVideoRepair"="C:\Program Files\Logitech\Video\ISStart.exe" [2003-06-30 19:56 188416]
"LogitechVideoTray"="C:\Program Files\Logitech\Video\LogiTray.exe" [2003-06-30 20:00 65536]
"zBrowser Launcher"="C:\Program Files\Logitech\iTouch\iTouch.exe" [2003-12-01 10:38 892928]
"Logitech Utility"="Logi_MwX.Exe" [2003-11-07 03:50 19968 C:\WINDOWS\LOGI_MWX.EXE]
"LogMeIn GUI"="C:\Program Files\LogMeIn\x86\LogMeInSystray.exe" [2007-04-17 13:03 63048]
"BJCFD"="C:\Program Files\BroadJump\Client Foundation\CFD.exe" [ ]
"MSConfig"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2002-08-29 05:00 145408]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2005-06-25 21:47 74286]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Logitech Desktop Messenger.lnk - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe [2007-08-01 19:52:17]
WG111v2 Smart Wizard Wireless Setting.lnk - C:\Program Files\NETGEAR\WG111v2 Configuration Utility\RtlWake.exe [2007-10-10 09:07:40]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
LMIinit.dll 2007-11-27 14:27 87352 C:\WINDOWS\SYSTEM32\LMIinit.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2007-05-11 02:06 40048 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_CC]
--a------ 2005-06-25 21:46 343599 C:\PROGRA~1\Grisoft\AVG7\avgcc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_EMC]
--a------ 2005-06-25 21:46 228404 C:\PROGRA~1\Grisoft\AVG7\avgemc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BCMSMMSG]
--a------ 2003-02-24 18:34 122880 C:\WINDOWS\BCMSMMSG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2002-08-29 05:00 13312 C:\WINDOWS\System32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
C:\Program Files\Dell Support\DSAgnt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDSentry]
--a------ 2002-07-17 10:18 28672 C:\WINDOWS\System32\DSentry.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
--a------ 2003-01-24 08:05 114688 C:\WINDOWS\System32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
--a------ 2003-01-24 08:17 155648 C:\WINDOWS\System32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
C:\Program Files\MSN Messenger\MsnMsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\bak\qttask.exe

R2 EAPPkt;Realtek EAPPkt Protocol;C:\WINDOWS\System32\DRIVERS\EAPPkt.sys [2005-04-01 10:43]
R2 LMIInfo;LogMeIn Kernel Information Provider;C:\Program Files\LogMeIn\x86\RaInfo.sys [2007-04-17 13:00]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;C:\WINDOWS\System32\drivers\LMIRfsDriver.sys [2007-04-05 10:55]
R2 NPF;NetGroup Packet Filter Driver;C:\WINDOWS\System32\drivers\npf.sys [2007-06-28 18:01]
R3 {5C8B2B62-A385-11d5-A78B-00104B672758};AIM 3.0 Part 01 Codec Driver CH-7017-A;C:\WINDOWS\System32\drivers\A311.sys [2003-02-04 22:04]
R3 {5C8B2B65-A385-11d5-A78B-00104B672758};AIM 3.0 Part 01 Codec Driver CH-7017-B;C:\WINDOWS\System32\drivers\A310.sys [2003-02-04 22:04]
S2 BulkUsb;Genesys Logic USB Scanner Controller NT 5.0;C:\WINDOWS\System32\Drivers\usbscan.sys [2002-08-29 01:48]
S3 LCcfltr;Logitech USB Filter Driver;C:\WINDOWS\System32\drivers\lccfltr.sys [2003-11-07 03:50]
S3 LSWPCv4;Wireless-B Notebook Adapter Driver;C:\WINDOWS\System32\DRIVERS\rtl8180.sys [2003-09-30 20:54]
S3 Ndisusb;GeneLink Network Driver;C:\WINDOWS\System32\DRIVERS\genelan.sys []
S3 NSNDIS5;NSNDIS5 NDIS Protocol Driver;C:\WINDOWS\System32\NSNDIS5.SYS [2004-03-23 20:12]
S3 PhilCam8116;Logitech QuickCam Pro 3000(PID_08B0);C:\WINDOWS\System32\DRIVERS\CamDrL21.sys [2002-12-10 04:53]
S3 RTLWUSB;NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter NT Driver;C:\WINDOWS\System32\DRIVERS\wg111v2.sys [2006-03-27 16:53]
S3 USBHSB;GeneLink USB Driver;C:\WINDOWS\System32\Drivers\glkusb.sys [2001-07-10 02:05]

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-15 15:10:11
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-15 15:12:56 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-15 21:12:38

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:21:19 PM, on 1/15/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\NETGEAR\WG111v2 Configuration Utility\RtlWake.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\LVComS.exe
C:\totalcmd\TOTALCMD.EXE
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://co.brewster.tx.us/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/sbcydsl/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {3cba2671-44ea-4f46-8418-6ee56620909d} - C:\WINDOWS\System32\nvpqsmo.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {C84DE7AC-2968-79EC-1486-00E2970227EA} - C:\WINDOWS\System32\mpum.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {5CBE2611-C31B-401F-89BC-4CBB25E853D7} - (no file)
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: WG111v2 Smart Wizard Wireless Setting.lnk = ?
O8 - Extra context menu item: &Search - ?p=ZCxdm565YYUS
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O15 - Trusted Zone: *.amaena.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {AA299E98-6FB5-409F-99D3-D30D749F4864} (kasRmtHlp Class) - http://kaseya.hardintech.com/inc/kaxRemote.dll
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{C4A43124-5643-4FFD-9FBF-74BB08C30948}: NameServer = 68.94.156.1,68.94.157.1
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe

--
End of file - 6512 bytes
 
I may have to call you "Lucky Leo" as that seems to have made a serious dent in the malware. It needs a bit more cleanup, so give me a few minutes to pore through all these logs to put together some next steps.

I'll be back in a bit. Were you able to get the online KAV scan done on this? If so were there infected files found?

I'm asking because some variants of Vundo will infect program files, and it isn't always clear on these logs which ones, if that is the case.
 
Go to the Control Panel and in Add/Remove programs find this one and remove it.
Java 2 Runtime Environment, SE v1.4.2

That is an old version of Sun Java that is vulnerable to malware exploit (And Vundo loves to use that one)
If you need a new version that is safe to use, go here to get the newest version:
http://www.java.com/en/download/manual.jsp
(You can do that later after the machine is cleaned up)
.........................

Open HijackThis and choose to do a *system scan only*
When it finishes, checkmark these entries in the list, then press the *fix checked* button

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cust...ch/search.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/cust.../www.yahoo.com

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/cust.../www.yahoo.com

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)

O2 - BHO: (no name) - {3cba2671-44ea-4f46-8418-6ee56620909d} - C:\WINDOWS\System32\nvpqsmo.dll (file missing)

O2 - BHO: (no name) - {C84DE7AC-2968-79EC-1486-00E2970227EA} - C:\WINDOWS\System32\mpum.dll (file missing)

O3 - Toolbar: (no name) - {5CBE2611-C31B-401F-89BC-4CBB25E853D7} - (no file)

O8 - Extra context menu item: &Search - ?p=ZCxdm565YYUS

O15 - Trusted Zone: *.amaena.com

Once you have pressed the *fix checked* button you can go ahead and close HijackThis
....................
Do these steps next:

Make a copy of this instruction to have handy as these next steps need to be done with all browsers and any open windows closed.

1. Close any open browsers.

2. Open notepad and copy/paste the text you see in the blue box of the quote box below into it (but not the word: quote)

File::
C:\WINDOWS\BMa345ea2a.xml
C:\WINDOWS\pskt.ini

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{02012421-489E-444E-BE90-5334553E729B}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{093725DF-43BD-4D73-BFC3-015648EBC06F}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{18034704-9EFB-4839-9959-565B4FADE80D}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{297B7695-14FC-4F79-B9CD-372FA4E50E1E}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{549B5CA7-4A86-11D7-A4DF-000874180BB3}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{89F5EC1A-C524-4D56-A67F-0A3FB5C8CF54}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8A505F7C-4637-4C91-92C0-8CDABC4908AD}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AEBF6926-DBA6-4100-A838-1CED0169AB78}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{DF50EE5C-27CC-4403-9E23-CE08E01482C9}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E5EEA2B3-CFF1-45A4-858C-0FE06C5D2A35}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F00B9FB6-B92A-4328-82F9-85CE971ED9FA}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F74096E3-9F6E-4C7E-A5A3-F50B243B2D97}]

Save this as CFScript.txt, in the same location as ComboFix.exe

(screenshot: CFScript.gif)

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at "C:\ComboFix.txt"

Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.


Reminder:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall
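The entries Jane picked out of the HijackThis log above follow a few mechanical rules: R3/O2/O3 registrations whose DLL is gone ("(no file)" / "(file missing)", typically because ComboFix deleted the Vundo DLL but the CLSID key survived), an O8 context-menu item whose target is not a real URL, anything added to the IE Trusted Zone, and (from her earlier question) services that give a third party remote access to the box. The script below is an added example, not part of this thread and not a tool either poster used: it applies those rules to the posted log lines and emits the Registry:: section of a ComboFix CFScript for the orphaned BHO keys, in the abbreviated HKEY_LOCAL_MACHINE\~\Browser Helper Objects form ComboFix prints and Jane's script uses. The sample lines are copied from the HijackThis output posted above; the remote-access keyword list is my assumption.

```python
import re

# Constructed sample input: a subset of the entry lines from the HijackThis log
# posted earlier in this thread, so the rules can be exercised offline.
SAMPLE_HJT_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {3cba2671-44ea-4f46-8418-6ee56620909d} - C:\WINDOWS\System32\nvpqsmo.dll (file missing)
O2 - BHO: (no name) - {C84DE7AC-2968-79EC-1486-00E2970227EA} - C:\WINDOWS\System32\mpum.dll (file missing)
O3 - Toolbar: (no name) - {5CBE2611-C31B-401F-89BC-4CBB25E853D7} - (no file)
O8 - Extra context menu item: &Search - ?p=ZCxdm565YYUS
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O15 - Trusted Zone: *.amaena.com
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe
"""

ENTRY_RE = re.compile(r"^([RO]\d+) - (.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")

# Assumed keyword list: services that hand a third party interactive or file-level
# access.  Not malicious by themselves; the point is to ask whether the current
# owner installed them (LogMeIn, VNC and rpcapd all appear in the posted log).
REMOTE_ACCESS_HINTS = ("logmein", "vnc", "rpcapd", "kaseya")


def parse_hjt(text):
    """Yield (code, body) for every HijackThis entry line, skipping headers and blanks."""
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            yield m.group(1), m.group(2)


def triage(text):
    """Return (code, reason, body) for each entry a removal helper would fix or question."""
    findings = []
    for code, body in parse_hjt(text):
        lower = body.lower()
        if code in ("R3", "O2", "O3") and (
            lower.endswith("(no file)") or lower.endswith("(file missing)")
        ):
            # The DLL is gone but IE still tries to load the registered CLSID.
            findings.append((code, "orphaned registration, remove the key", body))
        elif code == "O8":
            target = body.split(" - ", 1)[-1].strip()
            if not re.match(r"(?i)(res|https?|file)://", target):
                findings.append((code, "context menu item with no valid target", body))
        elif code == "O15":
            # Trusted Zone sites run with relaxed IE security; confirm every one.
            findings.append((code, "site added to Trusted Zone", body))
        elif code == "O23" and any(h in lower for h in REMOTE_ACCESS_HINTS):
            findings.append((code, "remote-access service, confirm it was installed on purpose", body))
    return findings


def orphaned_bho_clsids(findings):
    """CLSIDs of flagged O2 (BHO) entries, sorted case-insensitively for stable output."""
    clsids = []
    for code, _reason, body in findings:
        m = CLSID_RE.search(body) if code == "O2" else None
        if m:
            clsids.append(m.group(0))
    return sorted(clsids, key=str.lower)


def cfscript_registry_section(clsids):
    """Registry:: block for ComboFix's CFScript.txt deleting the given BHO keys.

    The leading '-' means delete; the '~' abbreviation is the form ComboFix prints
    in its own log and accepts back in a script, as used in this thread."""
    lines = ["Registry::"]
    for clsid in clsids:
        lines.append(r"[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\%s]" % clsid)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    found = triage(SAMPLE_HJT_LOG)
    for code, reason, body in found:
        print("%-4s %-55s %s" % (code, reason, body))
    print()
    print(cfscript_registry_section(orphaned_bho_clsids(found)))
```

The R0/R1 start-page and search-URL entries are deliberately left to human judgement: whether dell4me.com or an ISP-branded Yahoo search page is unwanted depends on the machine's history, which no rule can tell from the log alone.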
 
Color me stoopid - I checked several times and have seen no responses. This morning I noticed that the little green light (on the thread messages) was dark and said I was offline... looked at ipconfig and found some totally bizarre ip address and realized this computer was not online, ran release/renew and got no change, and finally after two or three reboots it actually dhcp'ed itself into a connection and now it sees the net again.

Combofix seems to have repaired at least the more horrible aspects of virtumonde... is there anything else really nasty in sight on the log?

I'll be gone for a few hours now, as I have grand jury duty in about fifteen minutes and the DA says he's got a full slate for us...
 
Ahhhh NOW I see your responses, Jane... 's funny, but they didn't show up when I first got reconnected, but only after I posted the preceding... I've GOT to run to get to Court, but as soon as that's over, I'll get right back on this...

THANKS!!!
 
Looks pretty good so far - I still have all icons on the desktop highlighted, tho' - hmmmm...

*******************************************************************
ComboFix 08-01-15.4 - SHIRLEY WILLIAMS 2008-01-17 14:12:29.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.1
FILE ::
C:\WINDOWS\BMa345ea2a.xml
C:\WINDOWS\pskt.ini
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\BMa345ea2a.xml
C:\WINDOWS\pskt.ini

.
((((((((((((((((((((((((( Files Created from 2007-12-17 to 2008-01-17 )))))))))))))))))))))))))))))))
.

2008-01-15 15:20 . 2008-01-15 15:20 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-15 14:52 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-15 13:01 . 2008-01-15 13:01 10,949 --a------ C:\deck.zip
2008-01-15 12:30 . 2008-01-15 12:30 <DIR> d-------- C:\Deckard
2008-01-11 16:19 . 2008-01-11 16:19 <DIR> d-------- C:\WINDOWS\SYSTEM32\Kaspersky Lab
2008-01-11 16:19 . 2008-01-11 16:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-01-11 13:10 . 2008-01-15 12:18 2,184 --a------ C:\WINDOWS\SYSTEM32\wpa.dbl
2008-01-11 12:26 . 2008-01-15 14:58 <DIR> d-------- C:\WINDOWS\horrible
2008-01-11 12:14 . 2005-05-28 06:33 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Gtek
2008-01-04 18:18 . 2008-01-17 09:43 <DIR> d-------- C:\WINDOWS\SYSTEM32\CatRoot2
2008-01-04 18:18 . 2008-01-15 12:33 <DIR> d-------- C:\WINDOWS\SYSTEM32\CatRoot
2008-01-03 13:41 . 2008-01-03 13:41 <DIR> d-------- C:\Documents and Settings\SHIRLEY WILLIAMS\windowscrap
2007-12-17 17:45 . 2007-12-17 17:46 <DIR> d-------- C:\Program Files\WinPcap
2007-12-17 16:31 . 2007-12-17 17:46 <DIR> d-------- C:\Program Files\Wireshark

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-17 20:03 --------- d-----w C:\Program Files\Java
2008-01-17 06:00 --------- d-----w C:\Program Files\LogMeIn
2007-12-16 21:51 --------- d-----w C:\Documents and Settings\SHIRLEY WILLIAMS\Application Data\AVG7
2007-12-16 20:50 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-12-16 20:31 --------- d-----w C:\Program Files\Enigma Software Group
2007-12-07 17:55 --------- d-----w C:\Program Files\Apophysis 2.0
2007-12-03 21:23 --------- d-----w C:\Program Files\DBF Viewer 2000
2007-11-27 20:27 87,352 ----a-w C:\WINDOWS\SYSTEM32\LMIinit.dll
2007-11-27 20:27 83,288 ----a-w C:\WINDOWS\SYSTEM32\LMIRfsClientNP.dll
2007-11-27 20:27 23,736 ----a-w C:\WINDOWS\SYSTEM32\lmimirr.dll
2007-11-27 20:27 21,496 ----a-w C:\WINDOWS\SYSTEM32\LMIport.dll
2007-11-27 20:27 10,040 ----a-w C:\WINDOWS\SYSTEM32\lmimirr2.dll
2007-02-28 00:09 47,992 ----a-w C:\Documents and Settings\SHIRLEY WILLIAMS\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((( snapshot@2008-01-15_15.12.11.53 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-01-15 20:54:13 765,952 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000001\NTUSER.DAT
+ 2008-01-17 20:12:04 765,952 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000001\NTUSER.DAT
- 2008-01-15 20:54:13 8,192 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000002\UsrClass.dat
+ 2008-01-17 20:12:04 8,192 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000002\UsrClass.dat
- 2008-01-15 20:54:13 765,952 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000003\NTUSER.DAT
+ 2008-01-17 20:12:04 765,952 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000003\NTUSER.DAT
- 2008-01-15 20:54:13 8,192 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000004\UsrClass.dat
+ 2008-01-17 20:12:04 8,192 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000004\UsrClass.dat
- 2008-01-15 20:54:14 3,465,216 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000005\ntuser.dat
+ 2008-01-17 20:12:05 3,465,216 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000005\ntuser.dat
- 2008-01-15 20:54:14 12,288 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000006\UsrClass.dat
+ 2008-01-17 20:12:05 12,288 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000006\UsrClass.dat
- 2008-01-15 20:54:37 262,144 ----a-w C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\ntuser.dat
+ 2008-01-17 20:12:21 262,144 ----a-w C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\ntuser.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2002-08-20 15:08 1511453]
"ctfmon.exe"="C:\WINDOWS\System32\ctfmon.exe" [2002-08-29 05:00 13312]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 16:46 1460560]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PrinTray"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe" [ ]
"LogitechVideoRepair"="C:\Program Files\Logitech\Video\ISStart.exe" [2003-06-30 19:56 188416]
"LogitechVideoTray"="C:\Program Files\Logitech\Video\LogiTray.exe" [2003-06-30 20:00 65536]
"zBrowser Launcher"="C:\Program Files\Logitech\iTouch\iTouch.exe" [2003-12-01 10:38 892928]
"Logitech Utility"="Logi_MwX.Exe" [2003-11-07 03:50 19968 C:\WINDOWS\LOGI_MWX.EXE]
"LogMeIn GUI"="C:\Program Files\LogMeIn\x86\LogMeInSystray.exe" [2007-04-17 13:03 63048]
"BJCFD"="C:\Program Files\BroadJump\Client Foundation\CFD.exe" [ ]
"MSConfig"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2002-08-29 05:00 145408]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2005-06-25 21:47 74286]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Logitech Desktop Messenger.lnk - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe [2007-08-01 19:52:17]
WG111v2 Smart Wizard Wireless Setting.lnk - C:\Program Files\NETGEAR\WG111v2 Configuration Utility\RtlWake.exe [2007-10-10 09:07:40]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
LMIinit.dll 2007-11-27 14:27 87352 C:\WINDOWS\SYSTEM32\LMIinit.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2007-05-11 02:06 40048 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_CC]
--a------ 2005-06-25 21:46 343599 C:\PROGRA~1\Grisoft\AVG7\avgcc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_EMC]
--a------ 2005-06-25 21:46 228404 C:\PROGRA~1\Grisoft\AVG7\avgemc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BCMSMMSG]
--a------ 2003-02-24 18:34 122880 C:\WINDOWS\BCMSMMSG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2002-08-29 05:00 13312 C:\WINDOWS\System32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
C:\Program Files\Dell Support\DSAgnt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDSentry]
--a------ 2002-07-17 10:18 28672 C:\WINDOWS\System32\DSentry.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
--a------ 2003-01-24 08:05 114688 C:\WINDOWS\System32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
--a------ 2003-01-24 08:17 155648 C:\WINDOWS\System32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
C:\Program Files\MSN Messenger\MsnMsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\bak\qttask.exe

R2 EAPPkt;Realtek EAPPkt Protocol;C:\WINDOWS\System32\DRIVERS\EAPPkt.sys [2005-04-01 10:43]
R2 LMIInfo;LogMeIn Kernel Information Provider;C:\Program Files\LogMeIn\x86\RaInfo.sys [2007-04-17 13:00]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;C:\WINDOWS\System32\drivers\LMIRfsDriver.sys [2007-04-05 10:55]
R2 NPF;NetGroup Packet Filter Driver;C:\WINDOWS\System32\drivers\npf.sys [2007-06-28 18:01]
R3 {5C8B2B62-A385-11d5-A78B-00104B672758};AIM 3.0 Part 01 Codec Driver CH-7017-A;C:\WINDOWS\System32\drivers\A311.sys [2003-02-04 22:04]
R3 {5C8B2B65-A385-11d5-A78B-00104B672758};AIM 3.0 Part 01 Codec Driver CH-7017-B;C:\WINDOWS\System32\drivers\A310.sys [2003-02-04 22:04]
S2 BulkUsb;Genesys Logic USB Scanner Controller NT 5.0;C:\WINDOWS\System32\Drivers\usbscan.sys [2002-08-29 01:48]
S3 LCcfltr;Logitech USB Filter Driver;C:\WINDOWS\System32\drivers\lccfltr.sys [2003-11-07 03:50]
S3 LSWPCv4;Wireless-B Notebook Adapter Driver;C:\WINDOWS\System32\DRIVERS\rtl8180.sys [2003-09-30 20:54]
S3 Ndisusb;GeneLink Network Driver;C:\WINDOWS\System32\DRIVERS\genelan.sys []
S3 NSNDIS5;NSNDIS5 NDIS Protocol Driver;C:\WINDOWS\System32\NSNDIS5.SYS [2004-03-23 20:12]
S3 PhilCam8116;Logitech QuickCam Pro 3000(PID_08B0);C:\WINDOWS\System32\DRIVERS\CamDrL21.sys [2002-12-10 04:53]
S3 RTLWUSB;NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter NT Driver;C:\WINDOWS\System32\DRIVERS\wg111v2.sys [2006-03-27 16:53]
S3 USBHSB;GeneLink USB Driver;C:\WINDOWS\System32\Drivers\glkusb.sys [2001-07-10 02:05]

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-17 14:15:48
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-17 14:17:17
ComboFix-quarantined-files.txt 2008-01-17 20:16:56
ComboFix2.txt 2008-01-15 21:12:57

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:34:03 PM, on 1/17/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\NETGEAR\WG111v2 Configuration Utility\RtlWake.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\WINDOWS\System32\LVComS.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\SYSTEM32\NOTEPAD.EXE
C:\WINDOWS\SYSTEM32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://co.brewster.tx.us/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: WG111v2 Smart Wizard Wireless Setting.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {AA299E98-6FB5-409F-99D3-D30D749F4864} (kasRmtHlp Class) - http://kaseya.hardintech.com/inc/kaxRemote.dll
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{C4A43124-5643-4FFD-9FBF-74BB08C30948}: NameServer = 68.94.156.1,68.94.157.1
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe

--
End of file - 5263 bytes
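As an added example (not code from this thread, nor from ComboFix or HijackThis), a small Python helper that parses a CFScript like the one posted above and a HijackThis log, and checks that the BHO CLSIDs the script deletes no longer show up as O2 entries. The log excerpt below is constructed for the demo: two O2 lines from the post-fix log plus one hypothetical leftover and one orphaned entry with a placeholder GUID.

```python
import re

# Matches a registry CLSID such as {02012421-489E-444E-BE90-5334553E729B}
GUID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# HijackThis O2 line: "O2 - BHO: <name> - {<clsid>} - <dll path>"
BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.*)$")

# Constructed sample: the CFScript from the thread, trimmed to two of its BHO keys.
CFSCRIPT = r"""
File::
C:\WINDOWS\BMa345ea2a.xml
C:\WINDOWS\pskt.ini

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{02012421-489E-444E-BE90-5334553E729B}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{093725DF-43BD-4D73-BFC3-015648EBC06F}]
"""

# Constructed sample log: two real O2 lines from the post-fix HijackThis log, one
# hypothetical leftover (CLSID reused from the CFScript, DLL path is a placeholder)
# and one orphaned BHO with an all-zero placeholder GUID and no file on disk.
HJT_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {093725DF-43BD-4D73-BFC3-015648EBC06F} - C:\WINDOWS\System32\placeholder.dll
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000000} - (no file)
"""


def parse_cfscript(text):
    """Split a CFScript into its File:: and Registry:: sections.
    A Registry:: line of the form [-KEY] marks KEY for deletion; brackets and '-' are dropped."""
    sections = {"files": [], "registry": []}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.lower() == "file::":
            current = "files"
        elif line.lower() == "registry::":
            current = "registry"
        elif current == "registry" and line.startswith("[-") and line.endswith("]"):
            sections["registry"].append(line[2:-1])
        elif current is not None:
            sections[current].append(line)
    return sections


def parse_bhos(hjt_text):
    """Return the O2 (Browser Helper Object) entries of a HijackThis log as dicts."""
    entries = []
    for line in hjt_text.splitlines():
        m = BHO_RE.match(line.strip())
        if m:
            entries.append({"name": m["name"], "clsid": m["clsid"].upper(), "path": m["path"]})
    return entries


def check_bho_removal(cfscript_text, hjt_text):
    """Compare the CLSIDs the CFScript deletes with the BHOs still listed by HijackThis.
    Reports CLSIDs that survived the fix and BHOs whose DLL is gone but whose key remains."""
    targeted = {g.upper() for key in parse_cfscript(cfscript_text)["registry"] for g in GUID_RE.findall(key)}
    bhos = parse_bhos(hjt_text)
    leftover = sorted(b["clsid"] for b in bhos if b["clsid"] in targeted)
    orphaned = sorted(b["clsid"] for b in bhos if b["path"].strip().lower() == "(no file)")
    return {"targeted": len(targeted), "leftover": leftover, "orphaned": orphaned}
```

A clean post-fix log gives an empty `leftover` list; anything else means the CFScript did not take and the key should be reviewed again.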
 
It's 15:45 here, and I just started KAV online scan on the (hopefully formerly) infected computer.

If my previous experience is any guide, it'll be 3 or 4 hours before I can do anything else on that computer.
 
Welllll... that wasn't so bad - only an hour. Here's the KASV log. I haven't done anything with any of the reported problems. I know VNC stuff isn't a virus (okay, I don't KNOW, but I'm pretty sure...) and there's some other stuff that I'm certain about.

Ooops, the *&#$ thing's 37K - attached as a zip file.
 
Okay - I'm looking at a black bubble, saying I'm NOT online. I'm not sure if this is indicating a problem with this computer or it's just some sort of standard thing with the forum. I've brought up a couple of other windows in IE just to be really sure I'm seeing the world. Thought I'd post a message here and see if that would green the bubble... does it?
 
Hi Leo,

Welcome back! Yes, you posted ok. Maybe it's that you need to make sure you have logged into your account when trying to post? Anyway, it did take. I've got your logs here and going over them now. Give me a few minutes to review them.
 