Virtumonde/Trojans/Backdoor [RESOLVED]


This topic is locked

#1 witchick (Member, 13 posts)
When I first scanned with Spybot, I found Virtumonde, but then it said it healed it, and it did not appear when I rescanned.
Ad-Aware only showed cookies, which it cleared.

AVG detected trojans such as system32\vvqquqxe.dll, witchick\lsass.exe Backdoor.VB.BHG, ddcDvurq.dll.MGI
and more
I am sorry I do not have the logs for those, but they appeared before I came looking for a site, and now AVG does not detect anything anymore, so the logs are pointless.
However, on this site I scanned with Malwarebytes and got this:

Malwarebytes' Anti-Malware 1.11
Database version: 666

Scan type: Quick Scan
Objects scanned: 29453
Time elapsed: 22 minute(s), 42 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 18
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 9

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\Interface\{baebd083-d541-4883-8e15-8915b15cb7de} (Adware.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{c49a1a65-4627-4f28-abe9-e4fb2b558f05} (Adware.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\adslice.slice (Adware.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{43fc67b6-4c25-4afd-ae7a-9ef3e4587026} (Adware.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\adslice.slice.1 (Adware.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{c1a6d8b8-93c3-4186-9dd1-13983f9f1d9b} (Adware.RightOnAds) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{3160f356-e8c3-4de2-a698-92eeeb3d3400} (Adware.RightOnAds) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\dc_ads.ads (Adware.Fotomoto) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\dc_ads.ads.1 (Adware.Fotomoto) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{6fc3c36d-7635-4d43-ba62-0d9d2f2cd06e} (Adware.Fotomoto) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6fc3c36d-7635-4d43-ba62-0d9d2f2cd06e} (Adware.Fotomoto) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{ee5a1465-1e73-4784-8f63-45983fdf0db8} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ee5a1465-1e73-4784-8f63-45983fdf0db8} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\superiorads (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\AdvRemoteDbg (Adware.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\MediaHoldings (Adware.PlayMP3Z) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{ee5a1465-1e73-4784-8f63-45983fdf0db8} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spa_start (Adware.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\sprt_ads.dll (Adware.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\superiorads-uninst.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Witchick\Local Settings\Temp\s14g.1 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Witchick\Local Settings\Temp\s1js (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Witchick\Local Settings\Temp\s3hc (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Witchick\Local Settings\Temp\tmp264D.tmp.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Witchick\Local Settings\Temp\nsm1CD8.tmp\bann.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\pac.txt (Malware.Trace) -> Quarantined and deleted successfully.
C:\Documents and Settings\Witchick\Application Data\urlredir.cfg (Adware.RightOnAds) -> Quarantined and deleted successfully.

Then with HijackThis:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:21:30, on 4/21/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\ACS.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Intel\Wireless\Bin\OProtSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe
C:\Program Files\Java\jre1.5.0\bin\jusched.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\TPSMain.exe
C:\TOSHIBA\IVP\ISM\pinger.exe
C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\Program Files\Toshiba\Tvs\TvsTray.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\QuickTime\QTTask.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\LimeWire\LimeWire.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\Witchick\Desktop\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = IE7
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {4A7234A3-70A8-4FF4-8080-12141DCEAC96} - C:\WINDOWS\system32\wvUmllLB.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [EOUApp] C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0\bin\jusched.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [THotkey] C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [PINGER] C:\TOSHIBA\IVP\ISM\pinger.exe /run
O4 - HKLM\..\Run: [PadTouch] C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
O4 - HKLM\..\Run: [Tvs] C:\Program Files\Toshiba\Tvs\TvsTray.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [LSA Shellu] C:\Documents and Settings\Witchick\lsass.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Toolbars\Restrictions present
O8 - Extra context menu item: + &Download Express: download this file - C:\Program Files\Download Express\Add_Url.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O20 - Winlogon Notify: ddcDvurq - ddcDvurq.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\ACS.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: OwnershipProtocol - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\OProtSvc.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Swupdtmr - Unknown owner - c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
O23 - Service: TOSHIBA Application Service (TAPPSRV) - TOSHIBA Corp. - C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe

--
End of file - 10521 bytes

Also, here is the uninstall list

Ad-Aware 2007
Adobe Acrobat 5.0
Adobe Flash Player ActiveX
Adobe Flash Player Plugin
American McGee's Alice™
Apple Mobile Device Support
Apple Software Update
Atheros Client Utility
Atheros Wireless LAN MiniPCI card Driver
AVG 7.5
AVI MPEG Converter 3
AviSynth 2.5
Azureus
Bonjour
Browser Optimizer Dcads
CD/DVD Drive Acoustic Silencer
Compatibility Pack for the 2007 Office system
Diet Analysis Plus 7.0.1
EPSON Copy Utility
EPSON Photo Print
EPSON Printer Software
EPSON Smart Panel
EPSON TWAIN 5
Foxit PDF Editor
Google Toolbar for Internet Explorer
HijackThis 2.0.2
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Intel® Graphics Media Accelerator Driver for Mobile
Intel® PROSet/Wireless Software
iPod for Windows 2006-03-23
iTunes
J2SE Runtime Environment 5.0
LimeWire PRO 4.14.5
Malwarebytes' Anti-Malware
mCore
mDrWiFi
mEoU.msi
MetaProducts Download Express
mHelp
Microsoft .NET Framework 2.0 Service Pack 1
Microsoft Office PowerPoint Viewer 2007 (English)
Microsoft Office XP Professional with FrontPage
Microsoft Visual C++ 2005 Redistributable
mIWA
mIWCA
mLogView
mMHouse
Mozilla Firefox (2.0.0.14)
MP3 To Ringtone Gold 5.50
mPfMgr
mPfWiz
mProSafe
MSXML 4.0 SP2 (KB925672)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 6.0 Parser (KB933579)
mWlsSafe
mXML
mZConfig
Nero 7 Demo
Palmcorder USB Device Driver 2.00
PeerGuardian 2.0
QuickTime
Real Alternative 1.60 Lite
RiyazStudio
ScanToWeb
SD Secure Module
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB941568)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB941644)
Security Update for Windows XP (KB941693)
Security Update for Windows XP (KB943055)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB943485)
Security Update for Windows XP (KB944653)
Security Update for Windows XP (KB945553)
Security Update for Windows XP (KB946026)
Security Update for Windows XP (KB948590)
Security Update for Windows XP (KB948881)
Silkroad
Skype 2.5
SoundMAX
Spybot - Search & Destroy
Spybot - Search & Destroy 1.5.2.20
Switch Sound File Converter
Synaptics Pointing Device Driver
TaalMala
Texas Instruments PCIxx21/x515 drivers.
TOSHIBA Controls
TOSHIBA Hotkey Utility
TOSHIBA Power Saver
TOSHIBA SD Memory Card Format
TOSHIBA Software Modem
TOSHIBA Software Upgrades
TOSHIBA Software Upgrades
Toshiba Tbiosdrv Driver
TOSHIBA TouchPad ON/Off Utility
TOSHIBA Utilities
TOSHIBA Virtual Sound
TOSHIBA Zooming Utility
Total Video Converter 3.10
Touch and Launch
Trillian
Update for Windows XP (KB927891)
Update for Windows XP (KB930916)
Update for Windows XP (KB936357)
Update for Windows XP (KB938828)
Update for Windows XP (KB942763)
VideoLAN VLC media player 0.8.6d
Videora iPod Converter 3.07
Windows Live Messenger
Windows Live Sign-in Assistant
Windows XP Hotfix - KB834707
Windows XP Hotfix - KB884018
Windows XP Hotfix - KB885855
Windows XP Hotfix - KB885884
Windows XP Hotfix - KB889673
WinRAR archiver

I would also like to mention that when I tried to do one step, I think downloading SUPERAntiSpyware, it downloaded, but then when I went to install it, the install wizard came up with this message: Error 1327. Invalid Drive: I:\
And then with the Panda ActiveScan, it froze at 0% even after I enabled ActiveX. It said "waiting to install components" and just froze. I don't know if that's significant, but that happened.

OK, I think that is all the information I needed to put! I hope it's OK, and I patiently await your help. Thank you!!

Reshma aka Witchick.
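
Triage logic for a HijackThis log like the one above, as an added example that is not part of this post and not code from HijackThis or from the forum's helpers. It flags the entries a malware helper normally asks to have fixed: orphaned loading points marked "(file missing)" or "(no file)" (the wvUmllLB.dll BHO and the ddcDvurq Winlogon Notify entry), a machine-wide autostart named after a core Windows process but living outside the Windows directory (the [LSA Shellu] entry pointing at lsass.exe in the user profile; the genuine lsass.exe is the one in C:\WINDOWS\system32 in the process list), and the O6 Internet Explorer restriction policies. The sample lines are copied from the log in this post; the rule names, the list of borrowed process names, and the reversed-name helper (the O2 DLL wvUmllLB.dll and the BLllmUvw.ini that ComboFix later removes are mirror images, and treating that as a general rule is this example's assumption) are the example's own.

```python
"""Triage rules for HijackThis (HJT) log lines.

Added example, not code from the forum post or from HijackThis. Sample lines
are copied from the posted log; rule names, the borrowed-process list and the
reversed-name helper are assumptions of this example.
"""
import re
from typing import Dict, List

# Core Windows process names that malware borrows; the genuine copies live
# under the Windows directory, not in a user profile.
SYSTEM_PROCESS_NAMES = {"lsass.exe", "smss.exe", "csrss.exe", "winlogon.exe",
                        "services.exe", "svchost.exe", "explorer.exe"}
WINDOWS_ROOTS = ("c:\\windows", "%systemroot%", "%windir%")
PROFILE_MARKERS = ("\\documents and settings\\", "\\users\\")
# HJT appends these when the registry still points at a file that is gone.
ORPHAN_MARKERS = ("(file missing)", "(no file)")
# O4 lines look like: O4 - HKLM\..\Run: [Name] C:\path\image.exe /args
O4_RE = re.compile(r"^O4 - .*?: \[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")

# Constructed sample: lines copied from the log above, benign ones included.
SAMPLE_HJT_LINES = [
    r"O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx",
    r"O2 - BHO: (no name) - {4A7234A3-70A8-4FF4-8080-12141DCEAC96} - C:\WINDOWS\system32\wvUmllLB.dll (file missing)",
    r"O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)",
    r"O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP",
    r"O4 - HKLM\..\Run: [LSA Shellu] C:\Documents and Settings\Witchick\lsass.exe",
    r'O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime',
    r"O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present",
    r"O20 - Winlogon Notify: ddcDvurq - ddcDvurq.dll (file missing)",
    r"O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe",
]


def extract_image_path(cmd: str) -> str:
    """Return the executable part of an O4 command line, without arguments."""
    cmd = cmd.strip()
    if cmd.startswith('"'):                      # quoted path, args follow the quote
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r"(.*?\.(?:exe|dll|com|scr|bat))(?:\s|$)", cmd, re.IGNORECASE)
    return m.group(1) if m else (cmd.split()[0] if cmd else "")


def flag_line(line: str) -> List[str]:
    """Reasons (possibly none) why one HJT line deserves a second look."""
    reasons: List[str] = []
    lower = line.lower()
    section = line.split(" - ", 1)[0]
    if any(marker in lower for marker in ORPHAN_MARKERS):
        reasons.append("orphaned loading point: referenced file is missing")
    if section == "O4":
        m = O4_RE.match(line)
        if m:
            image_l = extract_image_path(m.group("cmd")).lower()
            base = image_l.rsplit("\\", 1)[-1]
            has_dir = "\\" in image_l
            if base in SYSTEM_PROCESS_NAMES and has_dir and not image_l.startswith(WINDOWS_ROOTS):
                reasons.append(f"system process name '{base}' outside the Windows directory")
            if any(marker in image_l for marker in PROFILE_MARKERS):
                reasons.append("machine-wide autostart binary inside a user profile")
    elif section == "O6" and "restrictions present" in lower:
        reasons.append("Internet Explorer policy restrictions set (check who set them)")
    elif section == "O20":
        reasons.append("Winlogon Notify package: loads into winlogon.exe at logon")
    return reasons


def triage(lines) -> Dict[str, List[str]]:
    """Map each flagged line to its reasons; clean lines are omitted."""
    findings: Dict[str, List[str]] = {}
    for line in lines:
        reasons = flag_line(line)
        if reasons:
            findings[line] = reasons
    return findings


def vundo_ini_for(dll_name: str) -> str:
    """Companion .ini name with the DLL stem reversed, e.g. wvUmllLB.dll ->
    BLllmUvw.ini (the pair visible in this thread). Assumed general rule."""
    stem = dll_name.rsplit(".", 1)[0]
    return stem[::-1] + ".ini"


if __name__ == "__main__":
    for hit, why in triage(SAMPLE_HJT_LINES).items():
        print(hit)
        for reason in why:
            print("   ->", reason)
```

Running it prints the five flagged lines with their reasons and passes the AVG, QuickTime, Acrobat and Bonjour lines through untouched. The orphan rule is deliberately separate from the section rules, so an O20 entry whose DLL is missing collects both findings; the "(file missing)" state is what makes such an entry safe to remove with HijackThis alone, while an entry whose file still exists usually needs the file dealt with first.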


#2 greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)
Welcome to GTG.

Please print the below instructions or copy them to Notepad. Make sure to work through the fixes in the order mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.

Run a scan in HijackThis. Check each of the following if they still exist and hit 'Fix Checked' after you have checked the last one:

O2 - BHO: (no name) - {4A7234A3-70A8-4FF4-8080-12141DCEAC96} - C:\WINDOWS\system32\wvUmllLB.dll (file missing)
O4 - HKLM\..\Run: [LSA Shellu] C:\Documents and Settings\Witchick\lsass.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Toolbars\Restrictions present
O20 - Winlogon Notify: ddcDvurq - ddcDvurq.dll (file missing)


Go to http://www.bleepingc...to-use-combofix and follow the instructions on how to install the Recovery Console and run ComboFix. Go through all the steps until the part about posting the log. Post the ComboFix log here.

#3 witchick (Topic Starter, Member, 13 posts)
Here is the log after deleting the entries you said and running ComboFix:

ComboFix 08-04-20.5 - Witchick 2008-04-21 22:33:43.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.156 [GMT 0:00]
Running from: C:\Documents and Settings\Witchick\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Witchick\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\BLllmUvw.ini
C:\WINDOWS\system32\BLllmUvw.ini2
C:\WINDOWS\system32\dcads-remove.exe
C:\WINDOWS\system32\m3
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\pskill.exe

.
((((((((((((((((((((((((( Files Created from 2008-03-21 to 2008-04-21 )))))))))))))))))))))))))))))))
.

2008-04-21 22:39 . 2008-04-21 22:39 <DIR> d-------- C:\WINDOWS\system32\xircom
2008-04-21 22:39 . 2008-04-21 22:39 <DIR> d-------- C:\WINDOWS\system32\restore
2008-04-21 22:39 . 2008-04-21 22:39 <DIR> d-------- C:\WINDOWS\system32\oobe
2008-04-21 22:39 . 2008-04-21 22:39 <DIR> d-------- C:\WINDOWS\srchasst
2008-04-21 22:39 . 2008-04-21 22:39 <DIR> d-------- C:\WINDOWS\msagent
2008-04-21 22:39 . 2008-04-21 22:39 <DIR> d-------- C:\Program Files\microsoft frontpage
2008-04-21 13:56 . 2008-04-21 13:56 <DIR> d-------- C:\Program Files\Panda Security
2008-04-21 12:18 . 2008-04-21 12:18 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-04-21 12:18 . 2008-04-21 12:18 <DIR> d-------- C:\Documents and Settings\Witchick\Application Data\Malwarebytes
2008-04-21 12:18 . 2008-04-21 12:18 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-04-21 10:14 . 2008-04-21 22:41 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-04-21 10:14 . 2008-04-21 10:14 1,409 --a------ C:\WINDOWS\QTFont.for
2008-04-21 00:58 . 2008-04-21 10:21 <DIR> d-------- C:\Program Files\Enigma Software Group
2008-04-20 10:07 . 2008-04-20 22:09 109,732 --a------ C:\WINDOWS\BM5f5dd279.xml
2008-04-19 21:00 . 2008-04-19 21:01 <DIR> d-------- C:\WINDOWS\system32\rt1
2008-04-19 20:59 . 2008-04-19 20:59 <DIR> d-------- C:\WINDOWS\system32\xcsDd18
2008-04-19 20:59 . 2008-04-19 21:00 <DIR> d-------- C:\Temp\berDrv11
2008-04-19 20:59 . 2008-04-21 22:33 <DIR> d-------- C:\Temp
2008-04-18 01:20 . 2008-04-18 01:22 <DIR> d-------- C:\Program Files\iTunes
2008-04-18 01:19 . 2008-04-18 01:19 <DIR> d-------- C:\Program Files\Bonjour
2008-04-18 01:16 . 2008-04-18 01:16 <DIR> d-------- C:\Program Files\Apple Software Update
2008-04-18 01:15 . 2008-04-18 01:15 <DIR> d-------- C:\Program Files\Common Files\Apple
2008-04-18 01:15 . 2008-04-18 01:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
2008-04-14 00:08 . 2008-04-14 00:08 <DIR> d-------- C:\Program Files\NCH Swift Sound
2008-04-14 00:08 . 2008-04-14 00:08 <DIR> d-------- C:\Documents and Settings\Witchick\Application Data\NCH Swift Sound
2008-04-14 00:08 . 2008-04-14 00:08 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\NCH Swift Sound
2008-04-13 23:59 . 2001-08-17 22:36 8,704 --a------ C:\WINDOWS\system32\kbdjpn.dll
2008-04-13 23:59 . 2001-08-17 22:36 8,192 --a------ C:\WINDOWS\system32\kbdkor.dll
2008-04-13 23:17 . 2008-04-13 23:17 <DIR> d-------- C:\Documents and Settings\Witchick\Application Data\AVS4YOU
2008-04-13 23:17 . 2008-04-13 23:17 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AVS4YOU
2008-04-13 23:16 . 2008-04-13 23:49 <DIR> d-------- C:\Program Files\Common Files\AVSMedia
2008-04-13 23:16 . 2008-04-13 23:49 <DIR> d-------- C:\Program Files\AVS4YOU
2008-04-13 23:16 . 2006-03-03 10:02 658,432 --a------ C:\WINDOWS\system32\cc3270mt.dll
2008-04-13 23:16 . 2002-01-05 15:40 487,424 --a------ C:\WINDOWS\system32\msvcp70.dll
2008-04-13 23:16 . 2002-01-05 03:37 344,064 --a------ C:\WINDOWS\system32\msvcr70.dll
2008-04-13 23:16 . 2003-05-21 13:50 24,576 --a------ C:\WINDOWS\system32\msxml3a.dll
2008-04-13 22:59 . 2008-04-13 22:59 <DIR> d-------- C:\Converted
2008-04-13 22:54 . 2008-03-13 16:10 506,496 --a------ C:\WINDOWS\system32\drivers\SndTDriverV32.sys
2008-04-13 22:54 . 2008-03-13 16:10 3,768 --a------ C:\WINDOWS\system32\drivers\MovRVDrv32.sys
2008-04-13 21:42 . 2008-04-13 21:53 <DIR> d-------- C:\Program Files\AnMing
2008-04-09 19:10 . 2008-04-09 19:10 268 --ah----- C:\sqmdata07.sqm
2008-04-09 19:10 . 2008-04-09 19:10 244 --ah----- C:\sqmnoopt07.sqm
2008-04-07 14:07 . 2008-04-17 01:04 <DIR> d-------- C:\Program Files\Diet Analysis Plus 7.0.1
2008-03-28 23:37 . 2008-03-28 23:37 90,112 --a------ C:\WINDOWS\system32\QuickTimeVR.qtx
2008-03-28 23:37 . 2008-03-28 23:37 57,344 --a------ C:\WINDOWS\system32\QuickTime.qts
2008-03-26 23:29 . 2008-03-26 23:29 <DIR> d-------- C:\Program Files\Download Express
2008-03-26 23:29 . 2008-03-26 23:29 <DIR> d-------- C:\Documents and Settings\Witchick\Application Data\MetaProducts
2008-03-26 23:29 . 2008-03-26 23:29 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\MetaProducts

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-21 13:41 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-04-21 12:17 --------- d-----w C:\Program Files\Common Files\Download Manager
2008-04-21 10:33 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-21 10:14 --------- d-----w C:\Documents and Settings\Witchick\Application Data\AVG7
2008-04-18 01:21 --------- d-----w C:\Program Files\iPod
2008-04-18 01:18 --------- d-----w C:\Program Files\QuickTime
2008-04-18 01:17 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-04-13 22:24 --------- d-----w C:\Documents and Settings\Witchick\Application Data\LimeWire
2008-04-13 22:06 --------- d-----w C:\Program Files\Total Video Converter
2008-04-10 01:29 --------- d-----w C:\Documents and Settings\Witchick\Application Data\Skype
2008-03-30 00:44 --------- d-----w C:\Program Files\Silkroad
2008-03-22 20:44 --------- d-----w C:\Program Files\DivX
2008-03-17 15:02 --------- d-----w C:\Program Files\Red Kawa
2008-03-17 15:02 --------- d-----w C:\Program Files\AviSynth 2.5
2008-03-12 23:48 --------- d-----w C:\Documents and Settings\Witchick\Application Data\Apple Computer
2008-03-12 23:34 740,864 ----a-w C:\Program Files\1033.MST
2008-03-12 23:34 33,976,320 ----a-w C:\Program Files\iPod for Windows 2006-03-23.msi
2008-03-12 23:33 4,632 ----a-w C:\Program Files\0x0409.ini
2008-03-11 10:28 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-03-11 10:24 --------- d-----w C:\Program Files\Lavasoft
2008-03-11 09:51 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-03-11 09:35 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-03-11 01:58 691,545 ----a-w C:\WINDOWS\unins000.exe
2008-03-05 12:49 --------- d-----w C:\Program Files\MSECache
2008-02-21 23:08 56,532 ----a-w C:\Program Files\miracle elixir karaoke.pk2
2008-02-07 15:08 28,376 ----a-w C:\Documents and Settings\Witchick\Application Data\GDIPFONTCACHEV1.DAT
2008-01-24 23:18 182,387 ----a-w C:\WINDOWS\RiyazStudio Uninstaller.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:54 5674352]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-03-10 14:16 68856]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe" [2005-10-28 16:25 94208]
"BitTorrent DNA"="C:\Program Files\DNA\btdna.exe" [ ]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2004-10-08 08:31 155648]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2004-10-08 08:27 126976]
"SoundMAXPnP"="C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-07-27 13:48 1388544]
"SoundMAX"="C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" [2004-08-06 08:27 860160]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2004-10-15 11:27 385024]
"EOUApp"="C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe" [2004-10-15 11:31 356352]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0\bin\jusched.exe" [2008-01-05 01:40 36972]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2004-10-14 15:28 98394]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2004-10-14 15:26 688218]
"THotkey"="C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe" [2004-12-14 19:12 368640]
"AGRSMMSG"="AGRSMMSG.exe" [2004-10-28 14:37 88363 C:\WINDOWS\agrsmmsg.exe]
"TPSMain"="TPSMain.exe" [2004-08-27 09:34 278528 C:\WINDOWS\system32\TPSMain.exe]
"PINGER"="C:\TOSHIBA\IVP\ISM\pinger.exe" [2005-03-17 16:37 151552]
"PadTouch"="C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe" [2004-09-07 14:03 1077301]
"SmoothView"="C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2004-09-15 15:03 135168]
"Tvs"="C:\Program Files\Toshiba\Tvs\TvsTray.exe" [2004-11-12 17:57 73728]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-04-21 10:50 579584]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50 155648]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-03-28 23:37 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-01-06 11:43 219136]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nltide_3"="advpack.dll" [2008-03-01 13:06 124928 C:\WINDOWS\system32\advpack.dll]

C:\Documents and Settings\Witchick\Start Menu\Programs\Startup\
LimeWire On Startup.lnk - C:\Program Files\LimeWire\LimeWire.exe [2007-08-10 16:15:41 147456]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"MemCheckBoxInRunDlg"= 1 (0x1)
"StartMenuFavorites"= 0 (0x0)
"Start_ShowHelp"= 0 (0x0)
"Start_ShowMyComputer"= 1 (0x1)
"Start_ShowMyDocs"= 1 (0x1)
"Start_ShowMyMusic"= 0 (0x0)
"Start_ShowMyPics"= 1 (0x1)
"Start_ShowRun"= 1 (0x1)
"Start_ShowSearch"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"= 1 (0x1)
"ForceClassicControlPanel"= 1 (0x1)
"NoResolveTrack"= 1 (0x1)
"NoResolveSearch"= 1 (0x1)
"NoSMMyPictures"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)
"MemCheckBoxInRunDlg"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"= 1 (0x1)
"ForceClassicControlPanel"= 1 (0x1)
"NoResolveTrack"= 1 (0x1)
"NoResolveSearch"= 1 (0x1)
"NoSMMyPictures"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)
"MemCheckBoxInRunDlg"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
C:\Program Files\Intel\Wireless\Bin\LgNotify.dll 2004-10-15 11:27 110592 C:\Program Files\Intel\Wireless\Bin\LgNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.SP54"= SP5X_32.DLL
"VIDC.SP55"= SP5X_32.DLL
"VIDC.SP56"= SP5X_32.DLL
"VIDC.SP57"= SP5X_32.DLL
"VIDC.SP58"= SP5X_32.DLL

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"C:\\TOSHIBA\\ivp\\NetInt\\Netint.exe"=
"C:\\TOSHIBA\\Ivp\\ISM\\pinger.exe"=
"C:\\Program Files\\Foxit Software\\PDF Editor\\PDFEdit.exe"=
"C:\\Program Files\\Azureus\\Azureus.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\EA GAMES\\American McGee's Alice\\Alice.exe"=
"C:\\Program Files\\Nero\\Nero 7\\Nero ShowTime\\ShowTime.exe"=
"C:\\Documents and Settings\\Witchick\\Desktop\\sof\\SoF2MP.exe"=
"C:\\Program Files\\Diet Analysis Plus 7.0.1\\jre1.5.0_01\\bin\\javaw.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"20465:UDP"= 20465:UDP:UDP
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

S2 Ca536av;4.0M MPEG4 DV Video Capture;C:\WINDOWS\system32\Drivers\Ca536av.sys []
S2 MKEMUSB;Panasonic Digital Palmcorder;C:\WINDOWS\system32\Drivers\Mkemusb.sys [2001-08-08 18:52]
S3 DCamUSBMke;USB Video Camera for Panasonic Digital Palmcorder;C:\WINDOWS\system32\Drivers\Mkeusbi.sys [2001-12-18 11:38]
S3 MovRVDrv32;MovRVDrv32;C:\WINDOWS\system32\DRIVERS\MovRVDrv32.sys [2008-03-13 16:10]
S3 SndTDriverV32;SndTDriverV32;C:\WINDOWS\system32\drivers\SndTDriverV32.sys [2008-03-13 16:10]
S3 USBCamera;4.0M MPEG4 DV Digital Camera;C:\WINDOWS\system32\Drivers\Bulk536.sys [2003-05-14 17:28]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3fb224e3-c358-11dc-bfed-0012f0a126ca}]
\Shell\Auto\command - D:\Start.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Start.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{453c4d42-db08-11dc-8001-0012f0a126ca}]
\Shell\Auto\command - D:\Start.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Start.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4857e976-ccec-11dc-bff4-0012f0a126ca}]
\Shell\AutoRun\command - wd_windows_tools\setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5d257e40-0c7f-11dd-801c-0012f0a126ca}]
\Shell\Auto\command - D:\Start.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Start.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6de04450-bb81-11dc-ac55-0012f0a126ca}]
\Shell\Auto\command - I:\Start.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Start.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-04-18 01:16:17 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-21 22:40:52
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\acs.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Intel\Wireless\Bin\ZCfgSvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Intel\Wireless\Bin\OProtSvc.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\TOSHIBA\IVP\swupdate\swupdtmr.exe
C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Program Files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2008-04-21 22:46:00 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-21 22:45:38

Pre-Run: 41,791,021,056 bytes free
Post-Run: 46,095,618,048 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

266 --- E O F --- 2008-04-12 22:49:30
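Triage of a ComboFix log like the one above, as an added example written for this page; it is not part of the thread and not a feature of ComboFix. The Python below parses a constructed excerpt modelled on the log lines above and flags the four things a reviewer would look at first: the Auto/AutoRun commands cached under MountPoints2 (Explorer's record of what an autorun.inf on a removable drive asked it to run, here Start.exe on D: and I:), ports the Windows Firewall has opened to every remote host (3389/TCP is Remote Desktop; 20465/UDP is not identified anywhere on this page), Run entries whose file ComboFix could not find (shown with an empty `[ ]`, read that way as an assumption of the example), and any file carrying a core system binary name such as lsass.exe outside system32, which is the file the expert targets with the CFScript later in the thread. The regular expressions, the list of system binary names and the finding labels are the example's own.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed excerpt modelled on the ComboFix log posted in this thread.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BitTorrent DNA"="C:\Program Files\DNA\btdna.exe" [ ]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"20465:UDP"= 20465:UDP:UDP
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6de04450-bb81-11dc-ac55-0012f0a126ca}]
\Shell\Auto\command - I:\Start.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Start.exe

FILE ::
C:\Documents and Settings\Witchick\lsass.exe
"""


@dataclass(frozen=True)
class Finding:
    kind: str
    detail: str


# Names that belong only in %SystemRoot%\system32 on XP (assumed list; extend as needed).
SYSTEM_BINARIES = {"lsass.exe", "svchost.exe", "csrss.exe", "winlogon.exe",
                   "services.exe", "smss.exe"}
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\system32\dllcache")
RDP_PORT = "3389:TCP"   # the xpsp2res.dll,-22009 entry is the Remote Desktop exception

PATH_RE = re.compile(r'[A-Za-z]:\\[^"\r\n]*?\.exe\b', re.IGNORECASE)
PORT_RE = re.compile(r'^"(\d+:(?:TCP|UDP))"=')
# A Run value followed by "[ ]" instead of "[date time size]": ComboFix found no file (assumption).
RUN_ENTRY_RE = re.compile(r'^"[^"]+"="([^"]*)"\s*\[\s*\]\s*$')
AUTORUN_RE = re.compile(r'^\\Shell\\(Auto|AutoRun)\\command\s+-\s+(.*)$')


def review_combofix_log(text: str) -> List[Finding]:
    """Walk the log line by line, remembering the registry key in force, and
    collect the entries a reviewer would want to look at first."""
    findings: List[Finding] = []
    section = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line.lower()      # a new registry key header
            continue
        if "mountpoints2" in section:
            m = AUTORUN_RE.match(line)
            if m:
                findings.append(Finding("removable-media autorun hook",
                                        f"{m.group(1)} -> {m.group(2)}"))
        elif "globallyopenports" in section:
            m = PORT_RE.match(line)
            if m:
                port = m.group(1)
                label = " (Remote Desktop)" if port == RDP_PORT else ""
                findings.append(Finding("firewall port open to everyone", port + label))
        elif section.endswith("\\run]"):
            m = RUN_ENTRY_RE.match(line)
            if m:
                findings.append(Finding("autostart entry whose file is missing", m.group(1)))
        # Regardless of section: a core system binary name outside system32 is a masquerade.
        for path in PATH_RE.findall(line):
            folder, _, name = path.rpartition("\\")
            if name.lower() in SYSTEM_BINARIES and folder.lower() not in SYSTEM_DIRS:
                findings.append(Finding("system binary name outside system32", path))
    return findings


if __name__ == "__main__":
    for f in review_combofix_log(SAMPLE_LOG):
        print(f"{f.kind:45} {f.detail}")
```

Run it against a saved ComboFix.txt by passing the file's contents to review_combofix_log; the only knowledge it encodes is what is visible in the registry sections, so a clean report still means "nothing obvious", not "nothing hidden".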

#4 greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)
Do you know what C:\Program Files\miracle elixir karaoke.pk2 and C:\WINDOWS\RiyazStudio Uninstaller.exe are for? If not, delete them now.

Download the Flash Disinfector at http://www.techsuppo...Disinfector.exe and save it to your desktop. Double-click on it to run it and follow the on-screen instructions. See if it finds anything.

Open up your Notepad editor (Start->Run, type in notepad and click OK). Copy and paste the text into the quotebox below:

File::
C:\Documents and Settings\Witchick\lsass.exe
C:\WINDOWS\BM5f5dd279.xml
Folder::
C:\WINDOWS\system32\rt1
C:\WINDOWS\system32\xcsDd18
C:\Temp\berDrv11

Save this as CFScript.txt in the same location as the ComboFix.exe tool.
Drag the CFScript.txt into ComboFix.exe
Follow the prompts. When finished, it shall produce a log for you. Post that log in your next reply.

Note: Do not click on combofix's window while it's running. That may cause it to stall.

Download VundoFix at http://www.atribune..../click.php?id=4 and save it to your desktop.
- Double-click VundoFix.exe to run it.
- Click the Scan for Vundo button.
- Once it's done scanning, click the Remove Vundo button.
- You will receive a prompt asking if you want to remove the files. Click Yes.
- Once you click yes, your desktop will go blank as it starts removing Vundo.
- When completed, it will prompt that it will reboot your computer. Click OK.
- Post the contents of C:\vundofix.txt here.

NOTE: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot. Simply follow the above instructions starting from Click the Scan for Vundo button when VundoFix appears upon rebooting.


How is the computer running so far?

#5 witchick (Topic Starter, Member, 13 posts)
Hi! Yes, I know what those two files are. The first is for a program I deleted, so I deleted it also, and the second is for a music program I use.
The computer is running well enough. I'm just worried about the warnings. AVG just popped up and said it detected a threat - Backdoor.VB..?

The Flash Disinfector did not find anything. Does it work on external hard drives as well? Because I think my external may have something!!
:)

And this is the combofix log

ComboFix 08-04-20.5 - Witchick 2008-04-22 18:33:28.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.176 [GMT 0:00]
Running from: C:\Documents and Settings\Witchick\Desktop\Removin virus n trojan stuff\ComboFix.exe
Command switches used :: C:\Documents and Settings\Witchick\Desktop\Removin virus n trojan stuff\CFScript.txt

FILE ::
C:\Documents and Settings\Witchick\lsass.exe
C:\WINDOWS\BM5f5dd279.xml
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Temp\berDrv11
C:\Temp\berDrv11\fxpNbu.log
C:\WINDOWS\BM5f5dd279.xml
C:\WINDOWS\system32\rt1
C:\WINDOWS\system32\xcsDd18
C:\WINDOWS\system32\xcsDd18\xcsDd182328.exe

.
((((((((((((((((((((((((( Files Created from 2008-03-22 to 2008-04-22 )))))))))))))))))))))))))))))))
.

2008-04-22 08:53 . 2008-02-22 02:33 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-04-21 22:39 . 2008-04-21 22:39 <DIR> d-------- C:\WINDOWS\system32\xircom
2008-04-21 22:39 . 2008-04-21 22:39 <DIR> d-------- C:\WINDOWS\system32\restore
2008-04-21 22:39 . 2008-04-21 22:39 <DIR> d-------- C:\WINDOWS\system32\oobe
2008-04-21 22:39 . 2008-04-21 22:39 <DIR> d-------- C:\WINDOWS\srchasst
2008-04-21 22:39 . 2008-04-21 22:39 <DIR> d-------- C:\WINDOWS\msagent
2008-04-21 22:39 . 2008-04-21 22:39 <DIR> d-------- C:\Program Files\microsoft frontpage
2008-04-21 13:56 . 2008-04-21 13:56 <DIR> d-------- C:\Program Files\Panda Security
2008-04-21 12:18 . 2008-04-21 12:18 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-04-21 12:18 . 2008-04-21 12:18 <DIR> d-------- C:\Documents and Settings\Witchick\Application Data\Malwarebytes
2008-04-21 12:18 . 2008-04-21 12:18 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-04-21 10:14 . 2008-04-21 22:41 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-04-21 10:14 . 2008-04-21 10:14 1,409 --a------ C:\WINDOWS\QTFont.for
2008-04-21 00:58 . 2008-04-21 10:21 <DIR> d-------- C:\Program Files\Enigma Software Group
2008-04-19 20:59 . 2008-04-22 18:33 <DIR> d-------- C:\Temp
2008-04-18 01:20 . 2008-04-18 01:22 <DIR> d-------- C:\Program Files\iTunes
2008-04-18 01:19 . 2008-04-18 01:19 <DIR> d-------- C:\Program Files\Bonjour
2008-04-18 01:16 . 2008-04-18 01:16 <DIR> d-------- C:\Program Files\Apple Software Update
2008-04-18 01:15 . 2008-04-18 01:15 <DIR> d-------- C:\Program Files\Common Files\Apple
2008-04-18 01:15 . 2008-04-18 01:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
2008-04-14 00:08 . 2008-04-14 00:08 <DIR> d-------- C:\Program Files\NCH Swift Sound
2008-04-14 00:08 . 2008-04-14 00:08 <DIR> d-------- C:\Documents and Settings\Witchick\Application Data\NCH Swift Sound
2008-04-14 00:08 . 2008-04-14 00:08 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\NCH Swift Sound
2008-04-13 23:59 . 2001-08-17 22:36 8,704 --a------ C:\WINDOWS\system32\kbdjpn.dll
2008-04-13 23:59 . 2001-08-17 22:36 8,192 --a------ C:\WINDOWS\system32\kbdkor.dll
2008-04-13 23:17 . 2008-04-13 23:17 <DIR> d-------- C:\Documents and Settings\Witchick\Application Data\AVS4YOU
2008-04-13 23:17 . 2008-04-13 23:17 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AVS4YOU
2008-04-13 23:16 . 2008-04-13 23:49 <DIR> d-------- C:\Program Files\Common Files\AVSMedia
2008-04-13 23:16 . 2008-04-13 23:49 <DIR> d-------- C:\Program Files\AVS4YOU
2008-04-13 23:16 . 2006-03-03 10:02 658,432 --a------ C:\WINDOWS\system32\cc3270mt.dll
2008-04-13 23:16 . 2002-01-05 15:40 487,424 --a------ C:\WINDOWS\system32\msvcp70.dll
2008-04-13 23:16 . 2002-01-05 03:37 344,064 --a------ C:\WINDOWS\system32\msvcr70.dll
2008-04-13 23:16 . 2003-05-21 13:50 24,576 --a------ C:\WINDOWS\system32\msxml3a.dll
2008-04-13 22:59 . 2008-04-13 22:59 <DIR> d-------- C:\Converted
2008-04-13 22:54 . 2008-03-13 16:10 506,496 --a------ C:\WINDOWS\system32\drivers\SndTDriverV32.sys
2008-04-13 22:54 . 2008-03-13 16:10 3,768 --a------ C:\WINDOWS\system32\drivers\MovRVDrv32.sys
2008-04-13 21:42 . 2008-04-13 21:53 <DIR> d-------- C:\Program Files\AnMing
2008-04-09 19:10 . 2008-04-09 19:10 268 --ah----- C:\sqmdata07.sqm
2008-04-09 19:10 . 2008-04-09 19:10 244 --ah----- C:\sqmnoopt07.sqm
2008-04-07 14:07 . 2008-04-17 01:04 <DIR> d-------- C:\Program Files\Diet Analysis Plus 7.0.1
2008-03-28 23:37 . 2008-03-28 23:37 90,112 --a------ C:\WINDOWS\system32\QuickTimeVR.qtx
2008-03-28 23:37 . 2008-03-28 23:37 57,344 --a------ C:\WINDOWS\system32\QuickTime.qts
2008-03-26 23:29 . 2008-03-26 23:29 <DIR> d-------- C:\Program Files\Download Express
2008-03-26 23:29 . 2008-03-26 23:29 <DIR> d-------- C:\Documents and Settings\Witchick\Application Data\MetaProducts
2008-03-26 23:29 . 2008-03-26 23:29 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\MetaProducts

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-22 10:15 --------- d-----w C:\Documents and Settings\Witchick\Application Data\AVG7
2008-04-22 08:53 --------- d-----w C:\Program Files\Java
2008-04-21 13:41 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-04-21 12:17 --------- d-----w C:\Program Files\Common Files\Download Manager
2008-04-21 10:33 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-18 01:21 --------- d-----w C:\Program Files\iPod
2008-04-18 01:18 --------- d-----w C:\Program Files\QuickTime
2008-04-18 01:17 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-04-13 22:24 --------- d-----w C:\Documents and Settings\Witchick\Application Data\LimeWire
2008-04-13 22:06 --------- d-----w C:\Program Files\Total Video Converter
2008-04-10 01:29 --------- d-----w C:\Documents and Settings\Witchick\Application Data\Skype
2008-03-30 00:44 --------- d-----w C:\Program Files\Silkroad
2008-03-22 20:44 --------- d-----w C:\Program Files\DivX
2008-03-19 09:40 1,845,888 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-19 09:40 1,845,888 ----a-w C:\WINDOWS\system32\dllcache\win32k.sys
2008-03-17 15:02 --------- d-----w C:\Program Files\Red Kawa
2008-03-17 15:02 --------- d-----w C:\Program Files\AviSynth 2.5
2008-03-12 23:48 --------- d-----w C:\Documents and Settings\Witchick\Application Data\Apple Computer
2008-03-12 23:34 740,864 ----a-w C:\Program Files\1033.MST
2008-03-12 23:34 33,976,320 ----a-w C:\Program Files\iPod for Windows 2006-03-23.msi
2008-03-12 23:33 4,632 ----a-w C:\Program Files\0x0409.ini
2008-03-11 10:28 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-03-11 10:24 --------- d-----w C:\Program Files\Lavasoft
2008-03-11 09:51 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-03-11 09:35 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-03-11 01:58 691,545 ----a-w C:\WINDOWS\unins000.exe
2008-03-05 12:49 --------- d-----w C:\Program Files\MSECache
2008-03-01 18:36 3,591,680 ----a-w C:\WINDOWS\system32\dllcache\mshtml.dll
2008-02-29 08:55 70,656 ----a-w C:\WINDOWS\system32\dllcache\ie4uinit.exe
2008-02-29 08:55 625,664 ----a-w C:\WINDOWS\system32\dllcache\iexplore.exe
2008-02-22 10:00 13,824 ----a-w C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-02-20 18:49 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2008-02-20 18:49 45,568 ----a-w C:\WINDOWS\system32\dllcache\dnsrslvr.dll
2008-02-20 06:52 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 06:52 282,624 ----a-w C:\WINDOWS\system32\dllcache\gdi32.dll
2008-02-20 05:19 147,968 ----a-w C:\WINDOWS\system32\dllcache\dnsapi.dll
2008-02-15 05:44 161,792 ----a-w C:\WINDOWS\system32\dllcache\ieakui.dll
2008-02-07 15:08 28,376 ----a-w C:\Documents and Settings\Witchick\Application Data\GDIPFONTCACHEV1.DAT
2008-01-29 12:02 107,368 ----a-w C:\WINDOWS\system32\GEARAspi.dll
2008-01-24 23:18 182,387 ----a-w C:\WINDOWS\RiyazStudio Uninstaller.exe
.

((((((((((((((((((((((((((((( [email protected]_22.45.07.65 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-01-05 01:40:46 49,245 ----a-w C:\WINDOWS\system32\java.exe
+ 2008-02-22 01:23:35 135,168 ----a-w C:\WINDOWS\system32\java.exe
- 2008-01-05 01:40:46 49,247 ----a-w C:\WINDOWS\system32\javaw.exe
+ 2008-02-22 01:23:39 135,168 ----a-w C:\WINDOWS\system32\javaw.exe
- 2008-01-05 01:40:46 127,075 ----a-w C:\WINDOWS\system32\javaws.exe
+ 2008-02-22 02:33:32 139,264 ----a-w C:\WINDOWS\system32\javaws.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:54 5674352]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-03-10 14:16 68856]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe" [2005-10-28 16:25 94208]
"BitTorrent DNA"="C:\Program Files\DNA\btdna.exe" [ ]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2004-10-08 08:31 155648]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2004-10-08 08:27 126976]
"SoundMAXPnP"="C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-07-27 13:48 1388544]
"SoundMAX"="C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" [2004-08-06 08:27 860160]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2004-10-15 11:27 385024]
"EOUApp"="C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe" [2004-10-15 11:31 356352]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2004-10-14 15:28 98394]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2004-10-14 15:26 688218]
"THotkey"="C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe" [2004-12-14 19:12 368640]
"AGRSMMSG"="AGRSMMSG.exe" [2004-10-28 14:37 88363 C:\WINDOWS\agrsmmsg.exe]
"TPSMain"="TPSMain.exe" [2004-08-27 09:34 278528 C:\WINDOWS\system32\TPSMain.exe]
"PINGER"="C:\TOSHIBA\IVP\ISM\pinger.exe" [2005-03-17 16:37 151552]
"PadTouch"="C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe" [2004-09-07 14:03 1077301]
"SmoothView"="C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2004-09-15 15:03 135168]
"Tvs"="C:\Program Files\Toshiba\Tvs\TvsTray.exe" [2004-11-12 17:57 73728]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-04-21 10:50 579584]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50 155648]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-03-28 23:37 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-01-06 11:43 219136]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nltide_3"="advpack.dll" [2008-03-01 13:06 124928 C:\WINDOWS\system32\advpack.dll]

C:\Documents and Settings\Witchick\Start Menu\Programs\Startup\
LimeWire On Startup.lnk - C:\Program Files\LimeWire\LimeWire.exe [2007-08-10 16:15:41 147456]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"MemCheckBoxInRunDlg"= 1 (0x1)
"StartMenuFavorites"= 0 (0x0)
"Start_ShowHelp"= 0 (0x0)
"Start_ShowMyComputer"= 1 (0x1)
"Start_ShowMyDocs"= 1 (0x1)
"Start_ShowMyMusic"= 0 (0x0)
"Start_ShowMyPics"= 1 (0x1)
"Start_ShowRun"= 1 (0x1)
"Start_ShowSearch"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"= 1 (0x1)
"ForceClassicControlPanel"= 1 (0x1)
"NoResolveTrack"= 1 (0x1)
"NoResolveSearch"= 1 (0x1)
"NoSMMyPictures"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)
"MemCheckBoxInRunDlg"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"= 1 (0x1)
"ForceClassicControlPanel"= 1 (0x1)
"NoResolveTrack"= 1 (0x1)
"NoResolveSearch"= 1 (0x1)
"NoSMMyPictures"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)
"MemCheckBoxInRunDlg"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
C:\Program Files\Intel\Wireless\Bin\LgNotify.dll 2004-10-15 11:27 110592 C:\Program Files\Intel\Wireless\Bin\LgNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.SP54"= SP5X_32.DLL
"VIDC.SP55"= SP5X_32.DLL
"VIDC.SP56"= SP5X_32.DLL
"VIDC.SP57"= SP5X_32.DLL
"VIDC.SP58"= SP5X_32.DLL

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"C:\\TOSHIBA\\ivp\\NetInt\\Netint.exe"=
"C:\\TOSHIBA\\Ivp\\ISM\\pinger.exe"=
"C:\\Program Files\\Foxit Software\\PDF Editor\\PDFEdit.exe"=
"C:\\Program Files\\Azureus\\Azureus.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\EA GAMES\\American McGee's Alice\\Alice.exe"=
"C:\\Program Files\\Nero\\Nero 7\\Nero ShowTime\\ShowTime.exe"=
"C:\\Documents and Settings\\Witchick\\Desktop\\sof\\SoF2MP.exe"=
"C:\\Program Files\\Diet Analysis Plus 7.0.1\\jre1.5.0_01\\bin\\javaw.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"20465:UDP"= 20465:UDP:UDP
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

S2 Ca536av;4.0M MPEG4 DV Video Capture;C:\WINDOWS\system32\Drivers\Ca536av.sys []
S2 MKEMUSB;Panasonic Digital Palmcorder;C:\WINDOWS\system32\Drivers\Mkemusb.sys [2001-08-08 18:52]
S3 DCamUSBMke;USB Video Camera for Panasonic Digital Palmcorder;C:\WINDOWS\system32\Drivers\Mkeusbi.sys [2001-12-18 11:38]
S3 MovRVDrv32;MovRVDrv32;C:\WINDOWS\system32\DRIVERS\MovRVDrv32.sys [2008-03-13 16:10]
S3 SndTDriverV32;SndTDriverV32;C:\WINDOWS\system32\drivers\SndTDriverV32.sys [2008-03-13 16:10]
S3 USBCamera;4.0M MPEG4 DV Digital Camera;C:\WINDOWS\system32\Drivers\Bulk536.sys [2003-05-14 17:28]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{453c4d42-db08-11dc-8001-0012f0a126ca}]
\Shell\Auto\command - D:\Start.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Start.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4857e976-ccec-11dc-bff4-0012f0a126ca}]
\Shell\AutoRun\command - wd_windows_tools\setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5d257e40-0c7f-11dd-801c-0012f0a126ca}]
\Shell\Auto\command - D:\Start.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Start.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6de04450-bb81-11dc-ac55-0012f0a126ca}]
\Shell\Auto\command - I:\Start.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Start.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-04-18 01:16:17 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-22 18:36:05
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-04-22 18:37:14
ComboFix-quarantined-files.txt 2008-04-22 18:37:07
ComboFix2.txt 2008-04-21 22:46:01

Pre-Run: 45,969,928,192 bytes free
Post-Run: 45,965,275,136 bytes free

254 --- E O F --- 2008-04-12 22:49:30

Also, Vundo said it did not detect anything.

Thank you so much for all your help so far by the way. I just want my computer to be virus free!
:)

#6 greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)
I'm not sure if Flash Disinfector will work on external hard drives, but since they are USB external data storage also, give it a try.

Does AVG say where that infection is located?

#7 witchick (Topic Starter, Member, 13 posts)
Alright, I'll try scanning the external!
Oh, and AVG said something like I:\Start.exe

So maybe it was in the external.
Is everything okay otherwise? Seems to be!
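What a check of the external drive amounts to, as an added example written for this page rather than Flash Disinfector's own code: an autorun.inf in the drive root whose open= or shellexecute= value names a program (Start.exe in this case). When such a drive is opened, Explorer records those values per volume under HKCU\...\MountPoints2 as Shell\Auto\command and Shell\AutoRun\command, which is where the I:\Start.exe lines in the logs above come from. The script builds a fake drive root in a temporary directory with a constructed autorun.inf, reports what it would launch, then deletes the file and puts a folder named autorun.inf in its place so that a file of that name cannot be written there again. The sample content, the key list and the helper names are the example's assumptions; the MountPoints2 cache and the Start.exe itself still have to be removed separately.

```python
import os
import tempfile

# [autorun] keys whose value is a command Explorer runs, or offers as the
# default double-click action, when the drive is opened (assumed list).
EXEC_KEYS = ("open", "shellexecute")


def parse_autorun_inf(text):
    """Tolerant parser for autorun.inf: only the [autorun] section counts,
    keys are compared case-insensitively and junk or comment lines are skipped
    (malicious files often pad the section to confuse strict INI parsers)."""
    commands = []
    in_autorun = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, _, value = line.partition("=")
            if key.strip().lower() in EXEC_KEYS:
                commands.append((key.strip().lower(), value.strip()))
    return commands


def inspect_drive(drive_root):
    """Return the (key, command) pairs an autorun.inf on this drive would
    launch, or [] when there is no autorun.inf file in the root."""
    path = os.path.join(drive_root, "autorun.inf")
    if not os.path.isfile(path):
        return []
    with open(path, "r", encoding="latin-1", errors="replace") as fh:
        return parse_autorun_inf(fh.read())


def neutralize_drive(drive_root):
    """Delete autorun.inf and create a directory of the same name in its place,
    so a file called autorun.inf cannot be created there again. Returns True
    when a file was removed. Hypothetical helper: the program the file pointed
    at (Start.exe here) must still be found and removed separately."""
    path = os.path.join(drive_root, "autorun.inf")
    removed = False
    if os.path.isfile(path):
        os.remove(path)
        removed = True
    os.makedirs(path, exist_ok=True)
    return removed


# Constructed sample modelled on the I:\Start.exe hook seen in the logs above.
SAMPLE_AUTORUN_INF = """\
[AutoRun]
; constructed for this example
OPEN=Start.exe
shellexecute=Start.exe
icon=Start.exe,0
label=My Passport
"""


def demo():
    """Fake drive root in a temp dir: inspect, neutralize, inspect again."""
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "autorun.inf"), "w") as fh:
            fh.write(SAMPLE_AUTORUN_INF)
        before = inspect_drive(root)
        removed = neutralize_drive(root)
        after = inspect_drive(root)          # autorun.inf is now a directory
        placeholder = os.path.isdir(os.path.join(root, "autorun.inf"))
        return before, removed, after, placeholder


if __name__ == "__main__":
    print(demo())
```

On a real machine pass the drive root (for example "I:\\") to inspect_drive before touching anything, and only then to neutralize_drive; the hidden and system attributes that malware usually sets on autorun.inf do not stop os.remove on NTFS or FAT volumes, but a write-protected card does.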

#8 greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)
Yep, other than that, all is looking normal.

Make sure that problem is resolved. If you want, we can keep this topic open until you are happy with the results :)

Otherwise, go to Start->Run and copy/paste in combofix /u and hit OK to remove Combofix. You should be set to go.

Let us know what happened.

#9 witchick (Topic Starter, Member, 13 posts)
Yay, I think everything is fixed!
I scanned the external with Flash Disinfector and it came up with nothing.
And I removed ComboFix.

If anything else comes up, I'll just post again in a new thread.
But for now I think everything is great and the comp is running fine!

Thank you so much for all your time and help!
I really appreciate it!
So you can go ahead and close the thread if you'd like!

:)

#10 greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)
No problem. Glad the issue is now resolved.

To help prevent future spyware infections, read the Anti-Spyware Tutorial and use the tools provided.

#11 greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.