Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Possible Vitormonde (maybe others) - problem is random [RESOLVED]


  • This topic is locked This topic is locked

#1
mohater

mohater

    Member

  • Member
  • PipPip
  • 30 posts
Well I've tried fixing this myself to no avail.

I have the free copy of spy sweeper provided by The Google Pack, and Spybot. Both keep finding a Virtomonde app running. I followed the guide on removing it here:
http://www.geekstogo...rib-t91765.html

Both apps didn't find anything listed there didn't find anything.

I also created the system restore and the disk clean up per the read this before posting thread
http://www.geekstogo...-Log-t2852.html



Here's the hijack this log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:34:05 AM, on 4/9/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trillian\trillian.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://companyweb
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O2 - BHO: (no name) - {00270834-D9B5-4AFA-B392-801F51BBCB69} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {6F7E03C1-FA73-41DF-8717-3DF7FCE681D1} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {864B0B49-93F3-4E13-B66B-4EB5451ACFF3} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O2 - BHO: (no name) - {CA320147-CDAA-4642-B456-7F8D4AA8CBE0} - C:\WINDOWS\system32\khfCuSii.dll (file missing)
O2 - BHO: (no name) - {E626FC96-866A-478E-9B54-490921B6B84F} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [JavaCore] C:\Program Files\\JavaCore\\JavaCore.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll (file missing)
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll (file missing)
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {897D73F0-5DDB-41C3-873A-1069F049D4E1} (VS_Mk2Web Control) - http://70.224.119.118/VS_Mk2Web.cab
O20 - Winlogon Notify: yayvSiJB - yayvSiJB.dll (file missing)
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe

--
End of file - 6720 bytes

Edited by mohater, 09 April 2008 - 04:56 AM.

  • 0

Advertisements


#2
greyknight17

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Welcome to GTG.

Please print the below instructions or copy them to Notepad. Make sure to work through the fixes in the order mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.

Uninstall the following via the Add/Remove Panel (Start->Settings->Control Panel->Add/Remove Programs) if found:

JavaCore

Run a scan in HijackThis. Check each of the following if they still exist and hit 'Fix Checked' after you checked the last one:

O2 - BHO: (no name) - {00270834-D9B5-4AFA-B392-801F51BBCB69} - (no file)
O2 - BHO: (no name) - {6F7E03C1-FA73-41DF-8717-3DF7FCE681D1} - (no file)
O2 - BHO: (no name) - {864B0B49-93F3-4E13-B66B-4EB5451ACFF3} - (no file)
O2 - BHO: (no name) - {CA320147-CDAA-4642-B456-7F8D4AA8CBE0} - C:\WINDOWS\system32\khfCuSii.dll (file missing)
O2 - BHO: (no name) - {E626FC96-866A-478E-9B54-490921B6B84F} - (no file)
O4 - HKCU\..\Run: [JavaCore] C:\Program Files\\JavaCore\\JavaCore.exe
O20 - Winlogon Notify: yayvSiJB - yayvSiJB.dll (file missing)


Locate the following Files/Folders and delete them if they exist (if no location given, just do a search for them):

C:\Program Files\JavaCore\

Go to http://www.bleepingc...to-use-combofix and follow the instructions on how to install the Recovery Console and run ComboFix. Go through all the steps until posting the log part. Post the combofix log here.
  • 0

#3
mohater

mohater

    Member

  • Topic Starter
  • Member
  • PipPip
  • 30 posts
Hi,
Thanks for the response. Here is the final report from combofix:

ComboFix 08-04-13.3 - Owner 2008-04-14 6:53:02.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2112 [GMT -4:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\Common Files\ymbols~1
C:\Program Files\CPV
C:\WINDOWS\BM57cbd942.xml
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\curity~1
C:\WINDOWS\system32\hokewxin.ini
C:\WINDOWS\system32\iiSuCfhk.ini
C:\WINDOWS\system32\iiSuCfhk.ini2
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\mxyrgjpi.ini
C:\WINDOWS\system32\qoMeETJY.dll
C:\WINDOWS\system32\qYIiQXbc.ini
C:\WINDOWS\system32\qYIiQXbc.ini2
C:\WINDOWS\system32\uuEKknpo.ini
C:\WINDOWS\system32\uuEKknpo.ini2
C:\WINDOWS\system32\vDdddfii.ini
C:\WINDOWS\system32\vDdddfii.ini2
C:\WINDOWS\system32\xdxnxyvx.ini
C:\WINDOWS\system32\Xxxycccf.ini
C:\WINDOWS\system32\Xxxycccf.ini2

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_PortProxy


((((((((((((((((((((((((( Files Created from 2008-03-14 to 2008-04-14 )))))))))))))))))))))))))))))))
.

2008-04-09 06:32 . 2008-04-09 06:32 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-09 06:28 . 2008-04-09 06:28 <DIR> d-------- C:\VundoFix Backups
2008-04-03 21:31 . 2008-04-03 21:31 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-04-03 21:31 . 2008-04-04 08:03 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-03 19:19 . 2008-04-05 18:06 3,333,660 --a------ C:\WINDOWS\system32\scolmpdain.xml
2008-04-03 07:04 . 2008-04-03 07:04 25,600 --a------ C:\WINDOWS\system32\system-dll.exe
2008-04-03 07:04 . 2008-04-03 07:04 25,600 -r-hs---- C:\WINDOWS\system-dll.exe
2008-03-26 20:07 . 2008-03-26 20:07 <DIR> d-------- C:\Program Files\7-Zip
2008-03-25 23:23 . 2008-03-25 23:23 8,272 --a------ C:\WINDOWS\ssl2008.exe
2008-03-25 23:06 . 2008-03-25 23:06 8,272 --a------ C:\ssl2008.exe
2008-03-25 23:05 . 2008-03-25 23:05 37,376 --a------ C:\WINDOWS\17PHolmes1509.exe.tmp
2008-03-23 23:44 . 2008-04-03 07:04 25,722 --a------ C:\WINDOWS\images.zip

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-14 10:46 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-04-14 08:01 --------- d-----w C:\Program Files\Spyware Doctor
2008-04-14 02:26 --------- d-----w C:\Program Files\Warcraft III
2008-04-14 01:35 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2008-04-11 21:26 --------- d-----w C:\Program Files\Trillian
2008-04-06 14:04 --------- d-----w C:\Documents and Settings\Owner\Application Data\mIRC
2008-04-06 12:24 --------- d-----w C:\Program Files\mIRC
2008-03-30 23:59 --------- d-----w C:\Documents and Settings\Owner\Application Data\gtk-2.0
2008-03-27 22:09 --------- d-----w C:\Program Files\BeClean
2008-03-27 22:04 --------- d-----w C:\Documents and Settings\Owner\Application Data\uTorrent
2008-03-27 16:52 10 ----a-w C:\Program Files\.autoreg
2008-03-06 17:10 --------- d-----w C:\Program Files\Microsoft ActiveSync
2008-03-06 00:58 --------- d-----w C:\Program Files\Java
2008-03-05 12:53 --------- d-----w C:\Program Files\AvantGo Connect
2008-03-05 12:52 --------- d-----w C:\Program Files\Microsoft Windows Small Business Server
2008-03-03 18:02 --------- d-----w C:\Program Files\Common Files\Adobe
2008-02-25 01:34 --------- d-----w C:\Program Files\Real
2008-02-25 01:34 --------- d-----w C:\Program Files\Common Files\xing shared
2008-02-25 01:33 --------- d-----w C:\Program Files\Common Files\Real
2008-02-24 18:10 --------- d-----w C:\Program Files\mp3DirectCut
2008-02-24 17:51 --------- d-----w C:\Program Files\Pro Imaging Powertoys
2008-02-24 17:51 --------- d-----w C:\Program Files\Common Files\Nikon
2008-02-24 17:42 --------- d-----w C:\Program Files\Pixmantec
2008-02-24 17:42 --------- d-----w C:\Documents and Settings\Owner\Application Data\Pixmantec
2008-02-15 02:01 --------- d-----w C:\Program Files\iTunes
2008-02-15 02:01 --------- d-----w C:\Program Files\iPod
2008-02-09 13:12 2,829 ----a-w C:\WINDOWS\War3Unin.pif
2008-02-09 13:12 139,264 ----a-w C:\WINDOWS\War3Unin.exe
2007-10-26 02:42 1,099,308 ----a-w C:\Documents and Settings\Owner\Application Data\Install.dat
2007-09-12 22:28 203,264 --sha-w C:\WINDOWS\system32\mscd.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 08:00 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-08-03 06:32 68856]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2007-11-17 07:53 171464]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-10-22 12:22 7700480]
"ISTray"="C:\Program Files\Spyware Doctor\pctsTray.exe" [2008-02-01 13:55 1103240]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 08:00 15360]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [2007-08-03 06:32:03 125624]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"StartMenuLogOff"= 1 (0x1)

[HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^findfast.exe]
path=C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\findfast.exe
backup=C:\WINDOWS\pss\findfast.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^autorun.exe]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\autorun.exe
backup=C:\WINDOWS\pss\autorun.exeCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSN]
--a------ 2008-04-03 07:04 25600 C:\WINDOWS\system32\system-dll.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nvcoi]
C:\Program Files\nvcoi\nvcoi.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Printer]
C:\WINDOWS\system32\printer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-02-01 00:13 385024 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SfKg6w]
C:\Documents and Settings\Owner\Application Data\Microsoft\Windows\rayiou.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Spoolsv]
C:\WINDOWS\system32\spoolvs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"W32Time"=2 (0x2)
"WMPNetworkSvc"=3 (0x3)
"rpcapd"=3 (0x3)
"ose"=3 (0x3)
"MDM"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Trillian\\trillian.exe"=
"C:\\Program Files\\mIRC\\mirc.exe"=
"C:\\Program Files\\Warcraft III\\Warcraft III.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Java\\jre1.6.0_02\\bin\\javaw.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Warcraft III\\WAR3.EXE"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"\\\\Iomega-00d2b9\\nethdd\\1\\mIRC 6.3 Ita Eng\\mIRC 6.3 Ita Eng\\mIRC - English.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\K]
\Shell\AutoRun\command - K:\JDLightning\Windows\JDLightning.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1d10853d-d710-11dc-9c02-000d56f02c1b}]
\Shell\AutoRun\command - F:\wd_windows_tools\setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5abfbf39-1d3c-11dc-9b9a-000d56f02c1b}]
\Shell\AutoRun\command - K:\JDLightning\Windows\JDLightning.exe


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{D48g43BC-4266-43f0-B6ED-9D38C4202C7E}]
C:\WINDOWS\system32\mscd.exe
.
Contents of the 'Scheduled Tasks' folder
"2008-04-07 15:36:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-14 06:56:33
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\hpzipm12.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
.
**************************************************************************
.
Completion time: 2008-04-14 6:58:00 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-14 10:57:57

Pre-Run: 45,530,853,376 bytes free
Post-Run: 45,476,818,944 bytes free
.
2008-04-14 01:38:31 --- E O F ---


  • 0

#4
greyknight17

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Listed below is C:\WINDOWS\images.zip and C:\Program Files\.autoreg (highlighted in red for your convenience :) Unless you know what those files are for, they will be marked for deletion. If you know what they are for, remove the lines below for them or they will be deleted.

Open up your Notepad editor (Start->Run, type in notepad and click OK). Copy and paste the text into the quotebox below:

File::
C:\WINDOWS\system32\scolmpdain.xml
C:\WINDOWS\system-dll.exe
C:\WINDOWS\ssl2008.exe
C:\ssl2008.exe
C:\WINDOWS\17PHolmes1509.exe.tmp
C:\WINDOWS\images.zip
C:\Program Files\.autoreg

C:\WINDOWS\system32\mscd.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\autorun.exe
C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\findfast.exe
C:\WINDOWS\pss\findfast.exe
C:\WINDOWS\pss\autorun.exe
C:\WINDOWS\system32\spoolvs.exe
C:\Documents and Settings\Owner\Application Data\Microsoft\Windows\rayiou.exe
C:\WINDOWS\system32\printer.exe
C:\Program Files\nvcoi\nvcoi.exe
C:\WINDOWS\system32\system-dll.exe

Registry::
[-HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^findfast.exe]
[-HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^autorun.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSN]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nvcoi]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Printer]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SfKg6w]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Spoolsv]
[-HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{D48g43BC-4266-43f0-B6ED-9D38C4202C7E}]

Save this as CFScript.txt in the same location as the ComboFix.exe tool.
Drag the CFScript.txt into ComboFix.exe
Follow the prompts. When finished, it shall produce a log for you. Post that log in your next reply.

Note: Do not click on combofix's window while it's running. That may cause it to stall.

Download SmitfraudFix at http://siri.urz.free...mitfraudFix.zip and extract the content (a folder named SmitfraudFix) to your desktop.

Open the SmitfraudFix folder. Double-click on smitfraudfix.cmd and select option #1 - Search by typing 1 and press Enter. A text file will appear, which lists infected files (if present). Please copy/paste the content of that report into your next reply.

IMPORTANT: Do NOT run option #2 or any other option until you are directed to do so!

NOTE: process.exe is detected by some antivirus programs as a Risk Tool. It is not a virus. If you get this detected, ignore it.


How is it running so far?
  • 0

#5
mohater

mohater

    Member

  • Topic Starter
  • Member
  • PipPip
  • 30 posts
The problem was sporadic before, never really consistent. Sometimes pop ups, sometimes browser hijacks. I tried to self troubleshoot by going through the registry, startup, and objects in IE. Apparently I got rid of some things (the file missing in the hijack this report), but it was still on and off.

Seems to be all gone now. See how it goes.

Log report from Combofix:

ComboFix 08-04-13.3 - Owner 2008-04-14 16:16:08.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2070 [GMT -4:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\findfast.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\autorun.exe
C:\Documents and Settings\Owner\Application Data\Microsoft\Windows\rayiou.exe
C:\Program Files\.autoreg
C:\Program Files\nvcoi\nvcoi.exe
C:\ssl2008.exe
C:\WINDOWS\17PHolmes1509.exe.tmp
C:\WINDOWS\images.zip
C:\WINDOWS\pss\autorun.exe
C:\WINDOWS\pss\findfast.exe
C:\WINDOWS\ssl2008.exe
C:\WINDOWS\system-dll.exe
C:\WINDOWS\system32\mscd.exe
C:\WINDOWS\system32\printer.exe
C:\WINDOWS\system32\scolmpdain.xml
C:\WINDOWS\system32\spoolvs.exe
C:\WINDOWS\system32\system-dll.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Owner\Application Data\install.dat
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\CPV.stt
C:\Program Files\.autoreg
C:\ssl2008.exe
C:\WINDOWS\17PHolmes1509.exe.tmp
C:\WINDOWS\b104.exe
C:\WINDOWS\images.zip
C:\WINDOWS\ssl2008.exe
C:\WINDOWS\system-dll.exe
C:\WINDOWS\system32\mscd.exe
C:\WINDOWS\system32\scolmpdain.xml
C:\WINDOWS\system32\system-dll.exe

.
((((((((((((((((((((((((( Files Created from 2008-03-14 to 2008-04-14 )))))))))))))))))))))))))))))))
.

2008-04-09 06:32 . 2008-04-09 06:32 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-09 06:28 . 2008-04-09 06:28 <DIR> d-------- C:\VundoFix Backups
2008-04-03 21:31 . 2008-04-03 21:31 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-04-03 21:31 . 2008-04-04 08:03 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-03-26 20:07 . 2008-03-26 20:07 <DIR> d-------- C:\Program Files\7-Zip

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-14 10:46 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-04-14 08:01 --------- d-----w C:\Program Files\Spyware Doctor
2008-04-14 02:26 --------- d-----w C:\Program Files\Warcraft III
2008-04-14 01:35 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2008-04-11 21:26 --------- d-----w C:\Program Files\Trillian
2008-04-06 14:04 --------- d-----w C:\Documents and Settings\Owner\Application Data\mIRC
2008-04-06 12:24 --------- d-----w C:\Program Files\mIRC
2008-03-30 23:59 --------- d-----w C:\Documents and Settings\Owner\Application Data\gtk-2.0
2008-03-27 22:09 --------- d-----w C:\Program Files\BeClean
2008-03-27 22:04 --------- d-----w C:\Documents and Settings\Owner\Application Data\uTorrent
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-06 22:27 445,440 --sha-w C:\WINDOWS\system32\msdp.dll
2008-03-06 17:10 --------- d-----w C:\Program Files\Microsoft ActiveSync
2008-03-06 00:58 --------- d-----w C:\Program Files\Java
2008-03-05 12:53 --------- d-----w C:\Program Files\AvantGo Connect
2008-03-05 12:52 --------- d-----w C:\Program Files\Microsoft Windows Small Business Server
2008-03-03 18:02 --------- d-----w C:\Program Files\Common Files\Adobe
2008-03-01 13:06 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-02-25 01:34 --------- d-----w C:\Program Files\Real
2008-02-25 01:34 --------- d-----w C:\Program Files\Common Files\xing shared
2008-02-25 01:33 499,712 ----a-w C:\WINDOWS\system32\msvcp71.dll
2008-02-25 01:33 348,160 ----a-w C:\WINDOWS\system32\msvcr71.dll
2008-02-25 01:33 --------- d-----w C:\Program Files\Common Files\Real
2008-02-24 18:10 --------- d-----w C:\Program Files\mp3DirectCut
2008-02-24 17:51 --------- d-----w C:\Program Files\Pro Imaging Powertoys
2008-02-24 17:51 --------- d-----w C:\Program Files\Common Files\Nikon
2008-02-24 17:42 --------- d-----w C:\Program Files\Pixmantec
2008-02-24 17:42 --------- d-----w C:\Documents and Settings\Owner\Application Data\Pixmantec
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2008-02-15 02:01 --------- d-----w C:\Program Files\iTunes
2008-02-15 02:01 --------- d-----w C:\Program Files\iPod
2008-02-09 13:12 2,829 ----a-w C:\WINDOWS\War3Unin.pif
2008-02-09 13:12 139,264 ----a-w C:\WINDOWS\War3Unin.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 08:00 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-08-03 06:32 68856]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2007-11-17 07:53 171464]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-10-22 12:22 7700480]
"ISTray"="C:\Program Files\Spyware Doctor\pctsTray.exe" [2008-02-01 13:55 1103240]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 08:00 15360]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [2007-08-03 06:32:03 125624]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"StartMenuLogOff"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-02-01 00:13 385024 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"W32Time"=2 (0x2)
"WMPNetworkSvc"=3 (0x3)
"rpcapd"=3 (0x3)
"ose"=3 (0x3)
"MDM"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Trillian\\trillian.exe"=
"C:\\Program Files\\mIRC\\mirc.exe"=
"C:\\Program Files\\Warcraft III\\Warcraft III.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Java\\jre1.6.0_02\\bin\\javaw.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Warcraft III\\WAR3.EXE"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"\\\\Iomega-00d2b9\\nethdd\\1\\mIRC 6.3 Ita Eng\\mIRC 6.3 Ita Eng\\mIRC - English.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\K]
\Shell\AutoRun\command - K:\JDLightning\Windows\JDLightning.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1d10853d-d710-11dc-9c02-000d56f02c1b}]
\Shell\AutoRun\command - F:\wd_windows_tools\setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5abfbf39-1d3c-11dc-9b9a-000d56f02c1b}]
\Shell\AutoRun\command - K:\JDLightning\Windows\JDLightning.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-04-14 15:36:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-14 16:17:09
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-04-14 16:17:32
ComboFix-quarantined-files.txt 2008-04-14 20:17:25
ComboFix2.txt 2008-04-14 10:58:01

Pre-Run: 45,810,618,368 bytes free
Post-Run: 45,799,206,912 bytes free
.
2008-04-14 01:38:31 --- E O F ---


Log report from Smitfraudfix:

SmitFraudFix v2.314

Scan done at 16:31:23.87, Mon 04/14/2008
Run from C:\Documents and Settings\Owner\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\cmd.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts


»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Owner


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Owner\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Owner\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


»»»»»»»»»»»»»»»»»»»»»»»» IEDFix
!!!Attention, following keys are not inevitably infected!!!

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» VACFix
!!!Attention, following keys are not inevitably infected!!!

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Rustock



»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: Intel® PRO/1000 MT Network Connection - Packet Scheduler Miniport
DNS Server Search Order: 192.168.1.1

HKLM\SYSTEM\CCS\Services\Tcpip\..\{2BBAE445-3033-4853-8998-1C11F24E0754}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{2BBAE445-3033-4853-8998-1C11F24E0754}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS2\Services\Tcpip\..\{2BBAE445-3033-4853-8998-1C11F24E0754}: DhcpNameServer=192.168.2.1
HKLM\SYSTEM\CS3\Services\Tcpip\..\{2BBAE445-3033-4853-8998-1C11F24E0754}: DhcpNameServer=192.168.2.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=192.168.2.1
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=192.168.2.1


»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End


Many thanks.
  • 0

#6
greyknight17

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Open up your Notepad editor (Start->Run, type in notepad and click OK). Copy and paste the text into the quotebox below:

File::
C:\WINDOWS\system32\msdp.dll

Save this as CFScript.txt in the same location as the ComboFix.exe tool.
Drag the CFScript.txt into ComboFix.exe
Follow the prompts. When finished, it shall produce a log for you. Post that log in your next reply.

Note: Do not click on combofix's window while it's running. That may cause it to stall.

Perform an online scan with Internet Explorer at Panda ActiveScan http://www.pandasoft.../activescan.htm

* Click on 'Scan your PC' button. There should be a popup - if you have a pop-up blocker, make sure it's not blocking it.
* Click 'Check Now' & a pop-up window will appear.
* Enter your Country, State and E-mail Address & click 'Scan Now' - begin downloading Panda's ActiveX controls (8 MB size).
* Begin the scan by selecting My Computer.
* If it finds any malware, it will offer you a report. Ignore any entry it finds (since it wants you to buy the program for removal) as we will address this later.
* Click on see report. Then click Save report.
* Post that log in your next reply.

How is it running so far?
  • 0

#7
mohater

mohater

    Member

  • Topic Starter
  • Member
  • PipPip
  • 30 posts
Done

Combofix report:

ComboFix 08-04-13.3 - Owner 2008-04-14 22:10:36.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2005 [GMT -4:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\WINDOWS\system32\msdp.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\msdp.dll

.
((((((((((((((((((((((((( Files Created from 2008-03-15 to 2008-04-15 )))))))))))))))))))))))))))))))
.

2008-04-14 16:31 . 2008-04-14 16:31 488 --a------ C:\WINDOWS\system32\tmp.reg
2008-04-09 06:32 . 2008-04-09 06:32 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-09 06:28 . 2008-04-09 06:28 <DIR> d-------- C:\VundoFix Backups
2008-04-03 21:31 . 2008-04-03 21:31 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-04-03 21:31 . 2008-04-04 08:03 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-03-26 20:07 . 2008-03-26 20:07 <DIR> d-------- C:\Program Files\7-Zip

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-15 02:08 --------- d-----w C:\Program Files\Warcraft III
2008-04-14 10:46 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-04-14 08:01 --------- d-----w C:\Program Files\Spyware Doctor
2008-04-14 01:35 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2008-04-11 21:26 --------- d-----w C:\Program Files\Trillian
2008-04-06 14:04 --------- d-----w C:\Documents and Settings\Owner\Application Data\mIRC
2008-04-06 12:24 --------- d-----w C:\Program Files\mIRC
2008-03-30 23:59 --------- d-----w C:\Documents and Settings\Owner\Application Data\gtk-2.0
2008-03-27 22:09 --------- d-----w C:\Program Files\BeClean
2008-03-27 22:04 --------- d-----w C:\Documents and Settings\Owner\Application Data\uTorrent
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-06 17:10 --------- d-----w C:\Program Files\Microsoft ActiveSync
2008-03-06 00:58 --------- d-----w C:\Program Files\Java
2008-03-05 12:53 --------- d-----w C:\Program Files\AvantGo Connect
2008-03-05 12:52 --------- d-----w C:\Program Files\Microsoft Windows Small Business Server
2008-03-03 18:02 --------- d-----w C:\Program Files\Common Files\Adobe
2008-03-01 13:06 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-02-25 01:34 --------- d-----w C:\Program Files\Real
2008-02-25 01:34 --------- d-----w C:\Program Files\Common Files\xing shared
2008-02-25 01:33 499,712 ----a-w C:\WINDOWS\system32\msvcp71.dll
2008-02-25 01:33 348,160 ----a-w C:\WINDOWS\system32\msvcr71.dll
2008-02-25 01:33 --------- d-----w C:\Program Files\Common Files\Real
2008-02-24 18:10 --------- d-----w C:\Program Files\mp3DirectCut
2008-02-24 17:51 --------- d-----w C:\Program Files\Pro Imaging Powertoys
2008-02-24 17:51 --------- d-----w C:\Program Files\Common Files\Nikon
2008-02-24 17:42 --------- d-----w C:\Program Files\Pixmantec
2008-02-24 17:42 --------- d-----w C:\Documents and Settings\Owner\Application Data\Pixmantec
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2008-02-15 02:01 --------- d-----w C:\Program Files\iTunes
2008-02-15 02:01 --------- d-----w C:\Program Files\iPod
2008-02-09 13:12 2,829 ----a-w C:\WINDOWS\War3Unin.pif
2008-02-09 13:12 139,264 ----a-w C:\WINDOWS\War3Unin.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 08:00 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-08-03 06:32 68856]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2007-11-17 07:53 171464]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-10-22 12:22 7700480]
"ISTray"="C:\Program Files\Spyware Doctor\pctsTray.exe" [2008-02-01 13:55 1103240]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 08:00 15360]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [2007-08-03 06:32:03 125624]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"StartMenuLogOff"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-02-01 00:13 385024 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"W32Time"=2 (0x2)
"WMPNetworkSvc"=3 (0x3)
"rpcapd"=3 (0x3)
"ose"=3 (0x3)
"MDM"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Trillian\\trillian.exe"=
"C:\\Program Files\\mIRC\\mirc.exe"=
"C:\\Program Files\\Warcraft III\\Warcraft III.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Java\\jre1.6.0_02\\bin\\javaw.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Warcraft III\\WAR3.EXE"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"\\\\Iomega-00d2b9\\nethdd\\1\\mIRC 6.3 Ita Eng\\mIRC 6.3 Ita Eng\\mIRC - English.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\K]
\Shell\AutoRun\command - K:\JDLightning\Windows\JDLightning.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1d10853d-d710-11dc-9c02-000d56f02c1b}]
\Shell\AutoRun\command - F:\wd_windows_tools\setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5abfbf39-1d3c-11dc-9b9a-000d56f02c1b}]
\Shell\AutoRun\command - K:\JDLightning\Windows\JDLightning.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-04-14 15:36:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-14 22:11:26
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-04-14 22:11:50
ComboFix-quarantined-files.txt 2008-04-15 02:11:42
ComboFix2.txt 2008-04-14 20:17:33
ComboFix3.txt 2008-04-14 10:58:01

Pre-Run: 45,789,872,128 bytes free
Post-Run: 45,778,255,872 bytes free
.
2008-04-14 01:38:31 --- E O F ---


  • 0

#8
greyknight17

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Curious what this file has. Open up this file in notepad -> C:\WINDOWS\system32\tmp.reg....do NOT double click on it. Right click and choose Edit. Post the contents of that file here.

How is the computer running so far?

Your log is clean.

To help prevent future spyware infections, read the Anti-Spyware Tutorial and use the tools provided.

Are there any problems now? If not, you should be set to go.
  • 0

#9
mohater

mohater

    Member

  • Topic Starter
  • Member
  • PipPip
  • 30 posts
The oddities *appear* to be gone.

Looks like it has to do with spybot.

C:\WINDOWS\system32\tmp.reg

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"ISTray"="\"C:\\Program Files\\Spyware Doctor\\pctsTray.exe\""


Thanks for all the help.

Edited by mohater, 14 April 2008 - 08:45 PM.

  • 0

#10
greyknight17

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Looks good. Good job :)
  • 0

#11
greyknight17

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP