Virtumonde & Smithfraud Infection

W

WillCz

New member
I'm having trouble removing these two spyware/malware infections. The virtumonde pops up in several forms. The smithfraud occurs occasionally.

Thanks for your help.
Will

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:31:41 PM, on 1/18/2009
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ZoneAlarm\zlclient.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\PC Tools AntiVirus\PCTAVSvc.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\Terminator\TV7131 Utilities\P3XRCtl.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Mozilla\mozilla.exe
C:\Temp\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://192.168.0.1:8080/proxyconfig.pac
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.0.1:8080
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [PCTAVApp] "C:\Program Files\PC Tools AntiVirus\PCTAV.exe" /MONITORSCAN
O4 - HKCU\..\Run: [WRPCAgent] C:\Program Files\WinSoftMagic\WinRemotePC\WRPCAgent.exe
O4 - Global Startup: TV Remote Control.lnk = C:\Program Files\Terminator\TV7131 Utilities\P3XRCtl.exe
O8 - Extra context menu item: &Download by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/201
O8 - Extra context menu item: &Grab video by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/204
O8 - Extra context menu item: Do&wnload selected by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/203
O8 - Extra context menu item: Down&load all by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/202
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1145198951889
O17 - HKLM\System\CCS\Services\Tcpip\..\{39C7A678-F726-4B82-BB90-422E9D18CD91}: NameServer = 192.168.0.1
O20 - AppInit_DLLs: ifmeug.dll
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PC Tools AntiVirus Engine (PCTAVSvc) - PC Tools Research Pty Ltd - C:\Program Files\PC Tools AntiVirus\PCTAVSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 3867 bytes
 
Hi WillCz

Rename HijackThis.exe to WillCz.exe and post back a fresh HijackThis log, please :)
 
New log

Thanks for your help

Will



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:37:12 AM, on 1/23/2009
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ZoneAlarm\zlclient.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\PC Tools AntiVirus\PCTAVSvc.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\Terminator\TV7131 Utilities\P3XRCtl.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Temp\WillCz.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://192.168.0.1:8080/proxyconfig.pac
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.0.1:8080
O2 - BHO: (no name) - {11F0AB29-5195-4D8D-B0D1-9ECFC298F635} - (no file)
O2 - BHO: (no name) - {3A403D61-793F-4C5B-AB6A-FB17732DAE7A} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - C:\WINDOWS\system32\fcccyXQG.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: {0676b0e9-6c7b-2a89-db94-3fd4a0689b59} - {95b9860a-4df3-49bd-98a2-b7c69e0b6760} - C:\WINDOWS\System32\vyaecn.dll
O2 - BHO: (no name) - {BC63A7F0-1C61-4ED5-9AE0-B8EDDE13EFEC} - C:\WINDOWS\System32\ljJdDUkk.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [PCTAVApp] "C:\Program Files\PC Tools AntiVirus\PCTAV.exe" /MONITORSCAN
O4 - HKLM\..\Run: [d85e00dd] rundll32.exe "C:\WINDOWS\System32\rqpmjsnw.dll",b
O4 - HKCU\..\Run: [WRPCAgent] C:\Program Files\WinSoftMagic\WinRemotePC\WRPCAgent.exe
O4 - Global Startup: TV Remote Control.lnk = C:\Program Files\Terminator\TV7131 Utilities\P3XRCtl.exe
O8 - Extra context menu item: &Download by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/201
O8 - Extra context menu item: &Grab video by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/204
O8 - Extra context menu item: Do&wnload selected by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/203
O8 - Extra context menu item: Down&load all by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/202
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1145198951889
O17 - HKLM\System\CCS\Services\Tcpip\..\{39C7A678-F726-4B82-BB90-422E9D18CD91}: NameServer = 192.168.0.1
O20 - AppInit_DLLs: ifmeug.dll vyaecn.dll
O20 - Winlogon Notify: fcccyXQG - C:\WINDOWS\SYSTEM32\fcccyXQG.dll
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PC Tools AntiVirus Engine (PCTAVSvc) - PC Tools Research Pty Ltd - C:\Program Files\PC Tools AntiVirus\PCTAVSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 4747 bytes
 
We will begin with ComboFix.

Please download ComboFix from one of these locations:

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • Double click on ComboFix.exe & follow the prompts.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

RcAuto1.gif

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

whatnext.png


Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply along with a fresh HijackThis log.

This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper

If you need help, see this link:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
 
Combofix & HijackThis logs

Here are the requested logs.

Thanks
Will


ComboFix 09-01-21.04 - Will 2009-01-23 22:40:35.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.767.248 [GMT -6:00]
Running from: c:\documents and settings\Will\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\documents and settings\Will\Application Data\inst.exe
c:\windows\system32\agdmmais.dll
c:\windows\system32\aghrjteg.dll
c:\windows\system32\axhqwqws.dll
c:\windows\system32\berobg.dll
c:\windows\system32\cgpadm.dll
c:\windows\system32\cpntexdb.dll
c:\windows\system32\erehqxra.dll
c:\windows\system32\fcccyXQG.dll
c:\windows\system32\feppkwga.dll
c:\windows\system32\gbgogxcb.dll
c:\windows\system32\gipaclvg.dll
c:\windows\system32\gmpgof.dll
c:\windows\system32\gyqsijmu.dll
c:\windows\system32\htmfpr.dll
c:\windows\System32\ifmeug.dll
c:\windows\system32\itgixuap.dll
c:\windows\system32\iwxzqd.dll
c:\windows\system32\jdgvzg.dll
c:\windows\system32\jejbmnic.dll
c:\windows\system32\jpufdvga.dll
c:\windows\system32\jrilmwcl.dll
c:\windows\system32\kkUDdJjl.ini
c:\windows\system32\kkUDdJjl.ini2
c:\windows\system32\kwkkov.dll
c:\windows\system32\lfuxjf.dll
c:\windows\system32\ljJdDUkk.dll
c:\windows\system32\mcrh.tmp
c:\windows\system32\miqtay.dll
c:\windows\system32\nejyiysm.dll
c:\windows\system32\nlyiugng.dll
c:\windows\system32\nmipsplb.dll
c:\windows\system32\oakaubem.dll
c:\windows\system32\ohdqig.dll
c:\windows\system32\pacmys.dll
c:\windows\system32\pdgqds.dll
c:\windows\system32\rpphkmbb.dll
c:\windows\System32\rqpmjsnw.dll
c:\windows\system32\sgyptdir.dll
c:\windows\system32\tpxosxby.dll
c:\windows\system32\tvdblayd.dll
c:\windows\system32\tzjozv.dll
c:\windows\system32\vyaecn.dll
c:\windows\system32\wegero.dll
c:\windows\system32\wnsjmpqr.ini
c:\windows\system32\xtddlm.dll
c:\windows\system32\xyhnre.dll
c:\windows\system32\yctjpx.dll
c:\windows\system32\ypgyimdn.dll
c:\windows\system32\zmebhr.dll

----- BITS: Possible infected sites -----

hxxp://childhe.com
.
((((((((((((((((((((((((( Files Created from 2008-12-24 to 2009-01-24 )))))))))))))))))))))))))))))))
.

2009-01-23 22:36 . 2009-01-23 22:36 3,048,418 --a------ c:\temp\ComboFix.exe
2009-01-23 07:36 . 2009-01-18 13:18 401,720 --a------ c:\temp\WillCz.exe
2009-01-18 17:29 . 2009-01-18 17:29 54,156 --ah----- c:\windows\QTFont.qfn
2009-01-18 17:29 . 2009-01-18 17:29 1,409 --a------ c:\windows\QTFont.for
2009-01-18 13:28 . 2009-01-18 13:29 <DIR> d-------- c:\program files\ERUNT
2009-01-18 13:18 . 2009-01-18 13:18 401,720 --a------ c:\temp\HiJackThis.exe
2009-01-18 13:17 . 2009-01-18 13:17 791,393 --a------ c:\temp\erunt-setup.exe
2009-01-16 16:03 . 2009-01-16 16:05 15,083,520 --a------ c:\temp\spybotsd160.exe
2009-01-04 22:40 . 2009-01-04 18:13 988,373 --a------ C:\T Czerwinski 5th Grade.jpg
2009-01-04 22:40 . 2009-01-04 18:14 574,336 --a------ C:\T Czerwinski Kdg.jpg
2009-01-04 22:38 . 2009-01-04 18:09 805,781 --a------ C:\T Czerwinski Baby Pic.jpg
2009-01-03 03:53 . 2009-01-03 03:53 <DIR> d-------- c:\temp\PCPilot
2009-01-03 03:42 . 2009-01-03 03:42 <DIR> d-------- c:\temp\pebbles
2009-01-03 03:41 . 2009-01-03 03:41 1,635,230 --a------ c:\temp\pebbles1.zip
2009-01-03 03:39 . 2009-01-03 03:39 361,856 --a------ c:\temp\PCPilot.zip
2009-01-03 03:35 . 2009-01-03 03:36 1,635,230 --a------ c:\temp\pebbles.zip
2008-12-30 00:58 . 2008-12-30 00:58 <DIR> d-------- c:\temp\ccsetup215
2008-12-30 00:58 . 2008-12-30 00:58 914,095 --a------ c:\temp\ccsetup215.zip
2008-12-29 11:59 . 2009-01-23 22:49 <DIR> d-------- c:\program files\PC Tools AntiVirus
2008-12-29 11:59 . 2008-12-29 11:59 <DIR> d-------- c:\program files\Common Files\PC Tools
2008-12-29 11:59 . 2008-12-29 11:59 <DIR> d-------- c:\documents and settings\Will\Application Data\PC Tools
2008-12-29 11:59 . 2009-01-23 22:48 <DIR> d-a------ c:\documents and settings\All Users\Application Data\TEMP
2008-12-29 11:59 . 2008-12-29 11:59 <DIR> d-------- c:\documents and settings\All Users\Application Data\PC Tools
2008-12-29 11:59 . 2007-12-06 16:51 28,568 --a------ c:\windows\system32\drivers\AVHook.sys
2008-12-29 11:59 . 2007-12-06 16:51 21,912 --a------ c:\windows\system32\drivers\AVRec.sys
2008-12-29 11:59 . 2008-02-12 11:44 21,904 --a------ c:\windows\system32\drivers\AVFilter.sys
2008-12-29 11:52 . 2008-12-29 11:57 23,222,552 --a------ c:\temp\avinstall.exe
2008-12-29 11:49 . 2008-12-29 11:59 2,016,364 --a------ c:\temp\setupeng.exe
2008-12-29 11:33 . 2008-12-29 11:44 54,157,776 --a------ c:\temp\avg_free_stf_en_8_176a1400.exe
2008-12-29 01:05 . 2008-12-29 01:05 <DIR> d-------- c:\program files\Sophos
2008-12-29 01:04 . 2008-12-29 01:04 1,181,383 --a------ c:\temp\sarsfx.exe
2008-12-29 00:42 . 2008-12-29 00:50 38,305,544 --a------ c:\temp\20081228-003-i32.exe
2008-12-28 22:23 . 2008-12-28 22:24 202,071 --a------ c:\temp\RipIt4Me.zip
2008-12-27 00:51 . 2008-12-27 00:51 <DIR> d-------- c:\temp\ImagoMPEG-Muxer
2008-12-27 00:50 . 2008-12-27 00:50 194,930 --a------ c:\temp\ImagoMPEG-Muxer.zip

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-24 03:39 --------- d-----w c:\program files\Eudora
2009-01-18 23:40 --------- d-----w c:\program files\XNews
2009-01-17 16:24 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-01-16 22:08 --------- d-----w c:\program files\Spybot - Search & Destroy
2009-01-15 22:26 --------- d-----w c:\documents and settings\Will\Application Data\SuperNZB
2009-01-14 13:31 --------- d-----w c:\documents and settings\Will\Application Data\Vso
2009-01-14 07:12 --------- d-----w c:\program files\FreeCommander
2008-12-29 06:29 --------- d-----w c:\documents and settings\Will\Application Data\Orbit
2008-12-22 20:29 --------- d-----w c:\documents and settings\Will\Application Data\OpenOffice.org2
2008-12-20 06:51 --------- d-----w c:\program files\All Media Fixer
2008-12-06 04:05 2,128,384 ----a-w c:\windows\Internet Logs\xDB1C.tmp
2008-12-06 04:05 1,864,704 ----a-w c:\windows\Internet Logs\xDB1B.tmp
2008-12-02 16:23 --------- d-----w c:\program files\Real Alternative
2008-12-02 16:20 --------- d-----w c:\program files\RealPlayer
2008-12-02 16:20 --------- d-----w c:\program files\Common Files\Real
2008-11-30 22:42 --------- d-----w c:\program files\Corel
2008-11-30 22:42 --------- d-----w c:\program files\Common Files\Corel
2008-11-30 22:42 --------- d-----w c:\documents and settings\Will\Application Data\Corel
2008-11-30 22:25 --------- d-----w c:\program files\Jasc Software Inc
2008-08-31 00:40 47,360 ----a-w c:\documents and settings\Will\Application Data\pcouffin.sys
2006-05-03 09:06 163,328 --sha-r c:\windows\system32\flvDX.dll
2007-02-21 10:47 31,232 --sha-r c:\windows\system32\msfDX.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WRPCAgent"="c:\program files\WinSoftMagic\WinRemotePC\WRPCAgent.exe" [2008-05-16 113152]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2005-12-10 7311360]
"NvMediaCenter"="c:\windows\System32\NvMcTray.dll" [2005-12-10 86016]
"Zone Labs Client"="c:\program files\ZoneAlarm\zlclient.exe" [2004-06-16 697624]
"PCTAVApp"="c:\program files\PC Tools AntiVirus\PCTAV.exe" [2008-09-25 1370000]
"nwiz"="nwiz.exe" [2005-12-10 c:\windows\system32\nwiz.exe]
"Tweak UI"="TWEAKUI.CPL" [2000-06-18 c:\windows\system32\TWEAKUI.CPL]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
TV Remote Control.lnk - c:\program files\Terminator\TV7131 Utilities\P3XRCtl.exe [2008-08-01 57344]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMMyDocs"= 01000000
"NoSMMyPictures"= 01000000

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}"= "c:\program files\Eudora\EuShlExt.dll" [2005-11-14 86016]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.I420"= i420vfw.dll
"aux"= ctwdm32.dll
"msacm.divxa32"= DivXa32.acm
"msacm.g723"= g723.acm
"vidc.I263"= I263_32.drv
"VIDC.MJPG"= pvmjpg21.dll
"VIDC.PVW2"= pvwv220.dll
"VIDC.PIMJ"= pvljpg20.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2002-08-29 03:41 1511453 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NAV Agent]
--a------ 2001-12-08 14:31 75384 c:\progra~1\NORTON~2\Navapw32.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 10:50 155648 c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-12-11 10:56 286720 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2005-11-10 12:03 36975 c:\program files\Java\jre1.5.0_06\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Themes"=2 (0x2)
"Messenger"=2 (0x2)
"wuauserv"=2 (0x2)
"Speed Disk service"=2 (0x2)
"navapsvc"=3 (0x3)
"SBService"=2 (0x2)
"gusvc"=3 (0x3)
"WRPCAgentSrv"=2 (0x2)
"WinRPC10"=3 (0x3)
"NProtectService"=2 (0x2)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Orbitdownloader\\orbitdm.exe"=
"c:\\Program Files\\Orbitdownloader\\orbitnet.exe"=

R0 xmasbus;xmasbus;c:\windows\system32\drivers\xmasbus.sys [2007-02-17 140800]
R0 xmasscsi;xmasscsi;c:\windows\system32\drivers\xmasscsi.sys [2007-02-17 5504]
R3 Cap713x;Philips Cap713x Video Capture;c:\windows\system32\drivers\Cap713x.sys [2008-08-01 271104]
R3 radmrdd;radmrdd;c:\windows\system32\drivers\radmrdd.sys [2008-06-30 3328]
R4 SBKUPNT;SBKUPNT;c:\windows\system32\drivers\SBKUPNT.SYS [2006-08-14 14976]
S3 3xHybrid;3xHybrid service;c:\windows\system32\drivers\3xHybrid.sys [2007-01-29 670592]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\System32\1132.tmp --> c:\windows\System32\1132.tmp [?]
S3 ousb2hub;OrangeWare USB 2.0 Root Hub Support;c:\windows\system32\drivers\ousb2hub.sys [2007-06-02 56960]
S4 NProtectService;Norton Unerase Protection;c:\program files\Norton Utilities\NPROTECT.EXE [2006-08-07 135168]
S4 ousbehci;OrangeWare USB Enhanced Host Controller Service;c:\windows\system32\drivers\ousbehci.sys [2007-06-02 45440]
S4 WinRPC10;WinRemotePC Server;c:\program files\WinSoftMagic\WinRemotePC\WRPCServer.exe [2008-06-30 408576]
S4 WRPCAgentSrv;WinRemotePC Agent Helper;c:\program files\WinSoftMagic\WinRemotePC\WRPCServer.exe [2008-06-30 408576]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - ALG
*NewlyCreated* - IPNAT
.
Contents of the 'Scheduled Tasks' folder

2009-01-24 c:\windows\Tasks\nsldnoji.job
- c:\windows\System32\rqRlJyWo.dll []

2006-08-07 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2001-11-14 16:38]
.
- - - - ORPHANS REMOVED - - - -

BHO-{11F0AB29-5195-4D8D-B0D1-9ECFC298F635} - (no file)
BHO-{3A403D61-793F-4C5B-AB6A-FB17732DAE7A} - (no file)
BHO-{95b9860a-4df3-49bd-98a2-b7c69e0b6760} - c:\windows\System32\vyaecn.dll
BHO-{BC63A7F0-1C61-4ED5-9AE0-B8EDDE13EFEC} - c:\windows\System32\ljJdDUkk.dll
MSConfigStartUp-TkBellExe - c:\program files\Common Files\Real\Update_OB\realsched.exe
MSConfigStartUp-WinampAgent - c:\program files\Winamp\Winampa.exe


.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Settings,ProxyServer = 192.168.0.1:8080
IE: &Download by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/201
IE: &Grab video by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/204
IE: Do&wnload selected by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/203
IE: Down&load all by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/202
IE: {{c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htm
LSP: c:\program files\Common Files\PC Tools\Lsp\PCTLsp.dll
TCP: {39C7A678-F726-4B82-BB90-422E9D18CD91} = 192.168.0.1
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Will\Application Data\Mozilla\Firefox\Profiles\ojxrw5l9.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.mozilla.org/start/
FF - prefs.js: network.proxy.ftp - 192.168.0.1
FF - prefs.js: network.proxy.ftp_port - 8080
FF - prefs.js: network.proxy.gopher - 192.168.0.1
FF - prefs.js: network.proxy.gopher_port - 8080
FF - prefs.js: network.proxy.http - 192.168.0.1
FF - prefs.js: network.proxy.http_port - 8080
FF - prefs.js: network.proxy.socks - 192.168.0.1
FF - prefs.js: network.proxy.socks_port - 1080
FF - prefs.js: network.proxy.ssl - 192.168.0.1
FF - prefs.js: network.proxy.ssl_port - 8080
FF - prefs.js: network.proxy.type - 1
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJPI150_06.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPOJI610.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-23 22:49:09
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WinRPC10]
"ImagePath"="c:\program files\WinSoftMagic\WinRemotePC\WRPCServer.exe /startedbyscm:14801308-40E2C9B6-WinRPC10"
--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\WRPCAgentSrv]
"ImagePath"="c:\program files\WinSoftMagic\WinRemotePC\WRPCServer.exe /startedbyscm:7DA1B81C-40E33B56-WRPCAgentSrv"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\System32\1132.tmp"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(572)
c:\windows\System32\ODBC32.dll

- - - - - - - > 'lsass.exe'(628)
c:\program files\Common Files\PC Tools\Lsp\PCTLsp.dll
c:\windows\System32\dssenh.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvsvc32.exe
c:\program files\PC Tools AntiVirus\PCTAVSvc.exe
c:\windows\system32\ZoneLabs\vsmon.exe
c:\windows\system32\devldr32.exe
.
**************************************************************************
.
Completion time: 2009-01-23 22:52:29 - machine was rebooted
ComboFix-quarantined-files.txt 2009-01-24 04:52:25

Pre-Run: 2,939,629,568 bytes free
Post-Run: 2,870,910,976 bytes free

283


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:55:01 PM, on 1/23/2009
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\PC Tools AntiVirus\PCTAVSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\ZoneAlarm\zlclient.exe
C:\Program Files\Terminator\TV7131 Utilities\P3XRCtl.exe
C:\WINDOWS\System32\devldr32.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Temp\WillCz.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://192.168.0.1:8080/proxyconfig.pac
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.0.1:8080
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [PCTAVApp] "C:\Program Files\PC Tools AntiVirus\PCTAV.exe" /MONITORSCAN
O4 - HKCU\..\Run: [WRPCAgent] C:\Program Files\WinSoftMagic\WinRemotePC\WRPCAgent.exe
O4 - Global Startup: TV Remote Control.lnk = C:\Program Files\Terminator\TV7131 Utilities\P3XRCtl.exe
O8 - Extra context menu item: &Download by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/201
O8 - Extra context menu item: &Grab video by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/204
O8 - Extra context menu item: Do&wnload selected by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/203
O8 - Extra context menu item: Down&load all by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/202
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1145198951889
O17 - HKLM\System\CCS\Services\Tcpip\..\{39C7A678-F726-4B82-BB90-422E9D18CD91}: NameServer = 192.168.0.1
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PC Tools AntiVirus Engine (PCTAVSvc) - PC Tools Research Pty Ltd - C:\Program Files\PC Tools AntiVirus\PCTAVSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 4404 bytes
 
Recovery Console

Combofix could not download the recovery console through the proxy server. I expect I can work around this if needed.

Will
 
Recovery Console

From what I have read the recovery console can be run from the original XP cd if I have a bootable cd, which I do. I can dig up the disk if needed but it might take a while. Spybot now shows my computer clean even after a reboot. Can we proceed without my actually installing the recovery console, knowing, if needed, I can dig out the disk if I actually do need it.

Thanks
Will
 
You don't need CD for recovery console installation :)

See under "If you use Windows XP and do not have the Windows CD".
 
Due to the lack of feedback this Topic is closed.

If it has been four days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

If it has been less than four days since your last response and you need the thread re-opened, please send a private message (pm). A valid, working link to the closed topic is required.

Everyone else please begin a New Topic.
 
You must log in or register to reply here.
Back
Top