Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Vundo trojan [RESOLVED]


  • This topic is locked This topic is locked

#1
funda

funda

    New Member

  • Member
  • Pip
  • 6 posts
I inadvertantly installed a version of the vundo trojan and it's messing up my IE. It has random pop up windows and it kills my IE after about 5 minutes of being opened up. I ran an updated malwarebytes scan and it came up with nothing.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:42:27 AM, on 6/24/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\BitDefender\BitDefender 2008\vsserv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\msconf.exe
C:\Program Files\NETGEAR\WPN111\wpn111.exe
C:\Program Files\MSI\PC Alert 4\PCAlert4.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\uTorrent\uTorrent.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O2 - BHO: (no name) - {0BB8F5A8-12EE-497B-ABF4-19FD97D9A2F3} - C:\WINDOWS\system32\xxyaayVM.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: {75891192-bb4a-0e4b-dd84-5570c9fbf7b9} - {9b7fbf9c-0755-48dd-b4e0-a4bb29119857} - C:\WINDOWS\system32\oonbmodd.dll
O3 - Toolbar: BitDefender Toolbar - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - C:\Program Files\BitDefender\BitDefender 2008\IEToolbar.dll
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [BootSkin Startup Jobs] "C:\PROGRA~1\Stardock\WINCUS~1\BootSkin\BootSkin.exe" /StartupJobs
O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [DRam prosessor] msconf.exe
O4 - HKLM\..\RunServices: [DRam prosessor] msconf.exe
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - Global Startup: NETGEAR WPN111 Smart Wizard.lnk = ?
O4 - Global Startup: PC Alert 4.lnk = C:\Program Files\MSI\PC Alert 4\PCAlert4.exe
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://dev.srtest.co.../sysreqlab3.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.t...ivex/hcImpl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1210556266165
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1210808453171
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O20 - AppInit_DLLs: oonbmodd.dll
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - BitDefender SRL - C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - BitDefender S.R.L. - C:\Program Files\BitDefender\BitDefender 2008\vsserv.exe
O23 - Service: BitDefender Communicator (XCOMM) - BitDefender - C:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe

--
End of file - 5305 bytes
  • 0

Advertisements


#2
miekiemoes

miekiemoes

    Malware Expert

  • Member
  • PipPipPipPipPipPipPipPip
  • 5,503 posts
  • MVP
Hi,

* Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingc...to-use-combofix

This includes installing the Windows XP Recovery Console in case you have not installed it yet.

Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.

Also, please disable your Bitdefender, because it may lock the files that Combofix want to delete.
  • 0

#3
funda

funda

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
I ran a few of the programs that your site suggests while I was waiting for a response. I ran vundofix, vundobegone, combofix and hijackthis. Here are their results in the order I listed.

Beginning removal...

VundoFix V7.0.6

Scan started at 12:06:05 AM 6/25/2008

Listing files found while scanning....

C:\Windows\system32\bmcgexrv.dll
C:\Windows\system32\dqkstfxb.dll

Beginning removal...

Attempting to delete C:\Windows\system32\bmcgexrv.dll
C:\Windows\system32\bmcgexrv.dll Has been deleted!

Attempting to delete C:\Windows\system32\dqkstfxb.dll
C:\Windows\system32\dqkstfxb.dll Has been deleted!

Performing Repairs to the registry.
Done!



[06/25/2008, 0:29:00] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\Administrator\Desktop\VirtumundoBeGone.exe" )
[06/25/2008, 0:29:03] - Detected System Information:
[06/25/2008, 0:29:03] - Windows Version: 5.1.2600, Service Pack 3
[06/25/2008, 0:29:03] - Current Username: Administrator (Admin)
[06/25/2008, 0:29:03] - Windows is in SAFE mode with Networking.
[06/25/2008, 0:29:03] - Searching for Browser Helper Objects:
[06/25/2008, 0:29:03] - BHO 1: {643D4A43-DF84-4E77-91EE-E698815E00D0} ()
[06/25/2008, 0:29:03] - WARNING: BHO has no default name. Checking for Winlogon reference.
[06/25/2008, 0:29:03] - Checking for HKLM\...\Winlogon\Notify\bmcgexrv
[06/25/2008, 0:29:03] - Key not found: HKLM\...\Winlogon\Notify\bmcgexrv, continuing.
[06/25/2008, 0:29:03] - BHO 2: {6a2620cc-8e2c-4f7e-9b26-1569004c929e} ()
[06/25/2008, 0:29:03] - WARNING: BHO has no default name. Checking for Winlogon reference.
[06/25/2008, 0:29:03] - Checking for HKLM\...\Winlogon\Notify\mapimqlh
[06/25/2008, 0:29:03] - Key not found: HKLM\...\Winlogon\Notify\mapimqlh, continuing.
[06/25/2008, 0:29:03] - BHO 3: {9030D464-4C02-4ABF-8ECC-5164760863C6} (Windows Live Sign-in Helper)
[06/25/2008, 0:29:03] - BHO 4: {AF4D91BA-5285-480E-ACE2-ECFDC1452D53} ()
[06/25/2008, 0:29:03] - WARNING: BHO has no default name. Checking for Winlogon reference.
[06/25/2008, 0:29:03] - Checking for HKLM\...\Winlogon\Notify\xxyaayVM
[06/25/2008, 0:29:03] - Key not found: HKLM\...\Winlogon\Notify\xxyaayVM, continuing.
[06/25/2008, 0:29:03] - Finished Searching Browser Helper Objects
[06/25/2008, 0:29:03] - Finishing up...
[06/25/2008, 0:29:03] - Nothing found! Exiting...
  • 0

#4
funda

funda

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
Here's the combofix log and hijack this log.

ComboFix 08-06-20.4 - Administrator 2008-06-25 0:30:40.4 - NTFSx86 MINIMAL
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1803 [GMT -4:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\WINDOWS\BM53ed1bb3.xml
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\akopsqpa.ini
C:\WINDOWS\system32\iuqitjln.ini
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\msconf.exe
C:\WINDOWS\system32\MVyaayxx.ini
C:\WINDOWS\system32\MVyaayxx.ini2
C:\WINDOWS\system32\xxyaayVM.dll

----- BITS: Possible infected sites -----

hxxp://launcher.patcher.ncsoft.com
.
((((((((((((((((((((((((( Files Created from 2008-05-25 to 2008-06-25 )))))))))))))))))))))))))))))))
.

2008-06-25 00:06 . 2008-06-25 00:26 <DIR> d-------- C:\VundoFix Backups
2008-06-24 23:41 . 2008-06-24 23:41 <DIR> d-------- C:\Documents and Settings\D\Application Data\BitDefender
2008-06-24 20:25 . 2008-06-24 20:25 81,920 --a------ C:\WINDOWS\system32\apqspoka.dll
2008-06-24 20:22 . 2008-06-24 20:22 99,840 --a------ C:\WINDOWS\system32\mapimqlh.dll
2008-06-24 20:13 . 2008-06-24 20:13 91,136 --a------ C:\WINDOWS\system32\hgdggjfj.dll
2008-06-24 11:54 . 2008-06-24 11:54 <DIR> d-------- C:\Program Files\Plustech Inc
2008-06-24 11:54 . 2008-06-24 11:54 <DIR> d-------- C:\IP Changer v2.0 + Serial [App][www.zonatorrent.com]
2008-06-24 11:54 . 2000-05-22 00:00 1,066,176 --a------ C:\WINDOWS\system32\MSCOMCTL.OCX
2008-06-24 11:54 . 2000-12-06 00:00 209,608 --a------ C:\WINDOWS\system32\TABCTL32.OCX
2008-06-24 11:54 . 2001-04-18 11:32 205,848 --a------ C:\WINDOWS\system32\Threed32.ocx
2008-06-24 11:54 . 2000-12-06 00:00 109,248 --a------ C:\WINDOWS\system32\MSWINSCK.OCX
2008-06-24 11:54 . 2001-08-27 15:12 19,490 --a------ C:\WINDOWS\system32\IPCFLT.VXD
2008-06-24 11:38 . 2008-06-24 11:53 4,372,882 --a------ C:\IP Changer v2.0 + Serial [App][www.zonatorrent.com].rar
2008-06-23 23:28 . 2008-06-23 23:45 <DIR> d-------- C:\Program Files\Setup Files
2008-06-23 20:15 . 2008-06-23 20:15 105,984 --a------ C:\WINDOWS\system32\oonbmodd.dll
2008-06-23 20:12 . 2008-06-23 20:12 91,136 --a------ C:\WINDOWS\system32\kkyyykgm.dll
2008-06-23 20:12 . 2008-06-23 20:12 81,408 --a------ C:\WINDOWS\system32\nljtiqui.dll
2008-06-23 20:08 . 2008-06-23 22:58 <DIR> d-------- C:\Program Files\Hide IP NG
2008-06-22 18:44 . 2008-06-23 22:58 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Hide IP NG
2008-06-22 18:40 . 2008-06-22 18:40 32 --a------ C:\WINDOWS\go
2008-06-18 11:34 . 2008-06-18 11:34 273 --a------ C:\WINDOWS\vtmb.ini
2008-06-14 22:32 . 2008-06-14 22:32 <DIR> d-------- C:\WINDOWS\nvidia icons
2008-06-14 22:32 . 2008-05-02 22:46 182,347 --a------ C:\WINDOWS\system32\nvapps.nvb
2008-06-14 20:03 . 2008-06-14 20:03 <DIR> d-------- C:\Program Files\SystemRequirementsLab
2008-06-14 18:18 . 2008-06-13 07:05 272,128 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys
2008-06-14 18:18 . 2008-05-08 10:02 203,136 -----c--- C:\WINDOWS\system32\dllcache\rmcast.sys
2008-06-08 15:57 . 2008-06-08 15:57 <DIR> d-------- C:\Documents and Settings\Administrator\WINDOWS
2008-06-08 15:54 . 2008-06-08 15:54 <DIR> d-------- C:\Program Files\NCSoft
2008-06-08 15:53 . 2008-06-08 15:55 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\GetRightToGo
2008-06-05 20:40 . 2008-06-05 20:42 <DIR> d-------- C:\Monopoly Here & Now Special Edition-BigFish Games-PreCracked-HIVBABY
2008-06-05 20:23 . 2008-06-05 20:23 <DIR> dr-h----- C:\Documents and Settings\Administrator\Application Data\SecuROM
2008-06-05 20:23 . 2008-06-05 20:23 107,888 --a------ C:\WINDOWS\system32\CmdLineExt.dll
2008-06-05 20:21 . 2008-06-05 20:21 <DIR> d-------- C:\Program Files\DAEMON Tools Lite
2008-06-05 20:17 . 2008-06-05 20:17 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\DAEMON Tools
2008-06-05 20:17 . 2008-06-05 20:17 717,296 --a------ C:\WINDOWS\system32\drivers\sptd.sys
2008-06-05 19:45 . 2008-06-05 19:45 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Trymedia
2008-06-05 19:44 . 2008-06-05 19:44 <DIR> d-------- C:\Program Files\AOL Games
2008-06-02 19:11 . 2008-06-23 21:42 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-06-02 19:10 . 2008-06-03 09:11 <DIR> d-------- C:\Program Files\DAP
2008-06-02 19:10 . 2008-06-02 19:10 479,298 --a------ C:\WINDOWS\system32\wbocx.ocx
2008-06-02 19:10 . 2008-06-02 19:10 172,032 --a------ C:\WINDOWS\system32\AniGIF.ocx
2008-06-02 19:10 . 2008-06-02 19:10 50,688 --a------ C:\WINDOWS\system32\wbhelp2.dll
2008-05-29 22:27 . 2008-05-29 22:27 <DIR> d-------- C:\Program Files\Ventrilo
2008-05-29 22:27 . 2008-05-29 22:27 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-05-29 22:27 . 2008-05-29 22:27 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Ventrilo
2008-05-29 02:00 . 2008-06-14 22:57 <DIR> d-------- C:\Program Files\HeroStats
2008-05-28 19:35 . 2008-05-28 20:56 <DIR> d-------- C:\Program Files\CityBinder
2008-05-28 19:29 . 2008-05-28 19:29 286,720 --------- C:\WINDOWS\Setup1.exe
2008-05-28 19:29 . 2008-05-28 19:29 73,216 --a------ C:\WINDOWS\ST6UNST.EXE
2008-05-28 18:52 . 2008-05-29 02:00 <DIR> d-------- C:\binds

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-25 04:36 81,984 ----a-w C:\WINDOWS\system32\bdod.bin
2008-06-24 18:12 --------- d-----w C:\Documents and Settings\Administrator\Application Data\uTorrent
2008-06-24 03:42 --------- d-----w C:\Program Files\MSI
2008-06-24 00:20 --------- d-----w C:\Program Files\Malwarebytes' Anti-Malware
2008-06-19 21:48 34,296 ----a-w C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-06-19 21:47 17,144 ----a-w C:\WINDOWS\system32\drivers\mbam.sys
2008-06-18 15:36 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-06-13 11:05 272,128 ------w C:\WINDOWS\system32\drivers\bthport.sys
2008-05-28 22:38 3,148 ----a-w C:\Documents and Settings\Administrator\Application Data\LMLayout.dat
2008-05-28 22:38 268 ----a-w C:\Documents and Settings\Administrator\Application Data\LMCPaper.dat
2008-05-22 19:02 --------- d-----w C:\Program Files\Trend Micro
2008-05-21 18:37 --------- d-----w C:\Program Files\Microsoft Silverlight
2008-05-14 20:00 --------- d-----w C:\Program Files\Common Files\Adobe
2008-05-13 23:32 77,824 ----a-w C:\WINDOWS\system32\xcomm.dll
2008-05-13 22:52 85,520 ----a-w C:\WINDOWS\system32\drivers\bdfndisf.sys
2008-05-13 22:49 --------- d-----w C:\Documents and Settings\All Users\Application Data\BitDefender
2008-05-13 22:49 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Bitdefender
2008-05-13 22:48 --------- d-----w C:\Program Files\BitDefender
2008-05-13 22:41 --------- d-----w C:\Program Files\VideoLAN
2008-05-12 23:58 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo!
2008-05-12 23:57 --------- d-----w C:\Program Files\Yahoo!
2008-05-12 22:52 --------- d-----w C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-05-12 22:52 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Malwarebytes
2008-05-12 22:30 --------- d-----w C:\Program Files\Windows Live
2008-05-12 22:29 --------- dcsh--w C:\Program Files\Common Files\WindowsLiveInstaller
2008-05-12 22:22 --------- d-----w C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-05-12 16:04 --------- d-----w C:\Program Files\Common Files\BitDefender
2008-05-12 13:57 163,712 ----a-w C:\WINDOWS\system32\drivers\vidstub.sys
2008-05-12 13:56 --------- d-----w C:\Program Files\Stardock
2008-05-12 13:56 --------- d-----w C:\Program Files\Common Files\Stardock
2008-05-12 13:04 --------- d-----w C:\Program Files\uTorrent
2008-05-12 11:42 --------- d-----w C:\Program Files\Windows Media Connect 2
2008-05-12 02:31 --------- d-----w C:\Program Files\VIA Technologies, Inc
2008-05-12 02:28 --------- d-----w C:\Program Files\VIA
2008-05-12 02:28 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-05-12 02:24 --------- d-----w C:\Program Files\DIFX
2008-05-12 02:08 --------- d-----w C:\Program Files\AWS
2008-05-12 02:08 --------- d-----w C:\Documents and Settings\Administrator\Application Data\WeatherBug
2008-05-12 01:39 --------- d-----w C:\Program Files\Xvid
2008-05-12 01:24 17,801 ----a-w C:\WINDOWS\system32\drivers\AegisP.sys
2008-05-12 01:24 --------- d-----w C:\Program Files\NETGEAR
2008-05-12 01:24 --------- d-----w C:\Documents and Settings\Administrator\Application Data\InstallShield
2008-05-12 01:11 --------- d-----w C:\Program Files\microsoft frontpage
2008-05-08 14:02 203,136 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-05-07 05:12 1,288,192 ----a-w C:\WINDOWS\system32\quartz.dll
2008-04-30 21:27 442,368 ----a-w C:\WINDOWS\system32\NVUNINST.EXE
2008-04-23 04:16 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-04-14 09:42 985,088 ----a-w C:\WINDOWS\system32\setupapi.dll
2008-04-14 09:42 11,264 ----a-w C:\WINDOWS\system32\spnpinst.exe
2008-04-14 09:41 423,936 ----a-w C:\WINDOWS\system32\licdll.dll
2008-04-14 00:25 1,804 ----a-w C:\WINDOWS\system32\dcache.bin
2008-04-14 00:16 329,728 ----a-w C:\WINDOWS\system32\netsetup.exe
2008-04-14 00:13 92,424 ----a-w C:\WINDOWS\system32\rdpdd.dll
2008-04-14 00:13 87,176 ----a-w C:\WINDOWS\system32\rdpwsx.dll
2008-04-14 00:13 299,520 ----a-w C:\WINDOWS\system32\drmclien.dll
2008-04-14 00:13 12,168 ----a-w C:\WINDOWS\system32\tsddd.dll
2008-04-14 00:11 997,376 ----a-w C:\WINDOWS\system32\msgina.dll
2008-04-14 00:10 53,279 ----a-w C:\WINDOWS\system32\odbcji32.dll
2008-04-14 00:10 4,126 ----a-w C:\WINDOWS\system32\msdxmlc.dll
2008-04-14 00:10 3,584 ----a-w C:\WINDOWS\system32\msafd.dll
2008-04-14 00:10 102,912 ----a-w C:\WINDOWS\system32\dpcdll.dll
2008-04-13 19:30 1,845,632 ----a-w C:\WINDOWS\system32\win32k.sys
2008-04-13 19:24 2,145,280 ----a-w C:\WINDOWS\system32\ntoskrnl.exe
2008-04-13 18:44 17,664 ----a-w C:\WINDOWS\system32\watchdog.sys
2008-04-13 18:43 9,728 ----a-w C:\WINDOWS\system32\comsdupd.exe
2008-04-13 18:43 12,800 ----a-w C:\WINDOWS\system32\spiisupd.exe
2008-04-13 18:31 7,424 ----a-w C:\WINDOWS\system32\kd1394.dll
2008-04-13 18:31 2,023,936 ----a-w C:\WINDOWS\system32\ntkrnlpa.exe
2008-04-13 18:30 61,440 ----a-w C:\WINDOWS\system32\msvcrt40.dll
2008-04-13 18:14 76,800 ----a-w C:\WINDOWS\system32\msshavmsg.dll
2008-04-13 17:39 438,784 ----a-w C:\WINDOWS\system32\xpob2res.dll
2008-04-13 17:39 2,897,920 ----a-w C:\WINDOWS\system32\xpsp2res.dll
2008-04-13 17:39 187,392 ----a-w C:\WINDOWS\system32\xpsp1res.dll
2008-04-13 17:37 208,384 ----a-w C:\WINDOWS\system32\rsaenh.dll
2008-04-13 17:37 138,752 ----a-w C:\WINDOWS\system32\dssenh.dll
2008-04-13 17:27 79,872 ----a-w C:\WINDOWS\system32\msxml6r.dll
2008-04-13 17:26 94,208 ----a-w C:\WINDOWS\system32\odbcint.dll
2008-04-13 17:26 12,288 ----a-w C:\WINDOWS\system32\odbcp32r.dll
2008-04-13 17:26 12,288 ----a-w C:\WINDOWS\system32\mscpx32r.dll
2008-04-13 17:24 20,480 ----a-w C:\WINDOWS\system32\msorc32r.dll
2008-04-13 17:21 733,696 ----a-w C:\WINDOWS\system32\qedwipes.dll
2008-04-13 17:09 4,096 ----a-w C:\WINDOWS\system32\dsprpres.dll
2008-04-13 17:03 63,488 ----a-w C:\WINDOWS\system32\browselc.dll
2008-04-13 17:03 549,376 ----a-w C:\WINDOWS\system32\shdoclc.dll
2008-04-13 16:48 1,647,616 ----a-w C:\WINDOWS\system32\winbrand.dll
2008-04-13 16:45 216,064 ----a-w C:\WINDOWS\system32\moricons.dll
2008-04-13 16:23 48,128 ----a-w C:\WINDOWS\system32\msprivs.dll
2008-04-13 16:22 48,128 ----a-w C:\WINDOWS\system32\inetres.dll
2008-04-13 15:39 884,736 ----a-w C:\WINDOWS\system32\msimsg.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{643D4A43-DF84-4E77-91EE-E698815E00D0}]
C:\WINDOWS\system32\bmcgexrv.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6a2620cc-8e2c-4f7e-9b26-1569004c929e}]
2008-06-24 20:22 99840 --a------ C:\WINDOWS\system32\mapimqlh.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Weather"="C:\Program Files\AWS\WeatherBug\Weather.exe" [2007-08-29 10:55 1347584]
"DAEMON Tools Lite"="C:\Program Files\DAEMON Tools Lite\daemon.exe" [2008-04-01 05:39 486856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nwiz"="nwiz.exe" [2008-05-02 22:46 1630208 C:\WINDOWS\system32\nwiz.exe]
"BootSkin Startup Jobs"="C:\PROGRA~1\Stardock\WINCUS~1\BootSkin\BootSkin.exe" [2004-04-26 16:21 270336]
"BDAgent"="C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe" [2008-06-23 21:31 360448]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2008-05-02 22:46 13529088]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2008-05-02 22:46 86016]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
NETGEAR WPN111 Smart Wizard.lnk - C:\Program Files\NETGEAR\WPN111\wpn111.exe [2008-05-11 21:24:40 884838]
PC Alert 4.lnk - C:\Program Files\MSI\PC Alert 4\PCAlert4.exe [2008-05-11 22:33:00 552960]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=oonbmodd.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\LMpdpsrv.exe"=

R0 videX32;videX32;C:\WINDOWS\system32\DRIVERS\videX32.sys [2006-10-17 20:22]
R0 xfilt;VIA SATA IDE Hot-plug Driver;C:\WINDOWS\system32\DRIVERS\xfilt.sys [2006-10-18 17:39]
R3 Bdfndisf;BitDefender Firewall NDIS Filter Service;C:\WINDOWS\system32\DRIVERS\bdfndisf.sys [2008-05-13 18:52]
R3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;C:\WINDOWS\System32\DNINDIS5.SYS [2003-07-24 12:10]
R3 PCAlertDriver;PCAlertDriver;C:\Program Files\MSI\PC Alert 4\NTGLM7X.sys [2006-12-26 14:08]
R3 WPN111;Wireless USB 2.0 Adapter with RangeMax Service;C:\WINDOWS\system32\DRIVERS\WPN111.sys [2005-05-29 18:00]
S3 FET5X86V;VIA Rhine-Family Fast-Ethernet Adapter Driver Service;C:\WINDOWS\system32\DRIVERS\fetnd5bv.sys [2007-04-17 11:58]
S3 Vsp;Vsp;C:\WINDOWS\system32\drivers\Vsp.sys [2003-05-27 16:45]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bdx REG_MULTI_SZ scan

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5c66e07a-2146-11dd-ae68-000fb597ed4b}]
\Shell\AutoRun\command - F:\setup.exe

*Newly Created Service* - PCALERTDRIVER
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-25 00:36:26
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\bdfsfltr]
"ImagePath"=hex:73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,44,00,52,\

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\bdfsfltr]
"ImagePath"=hex:73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,44,00,52,\
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
C:\Program Files\BitDefender\BitDefender 2008\vsserv.exe
C:\WINDOWS\system32\rundll32.exe
.
**************************************************************************
.
Completion time: 2008-06-25 0:39:03 - machine was rebooted
ComboFix-quarantined-files.txt 2008-06-25 04:38:56

Pre-Run: 47,534,944,256 bytes free
Post-Run: 47,930,531,840 bytes free

244


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:40:02 AM, on 6/25/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
C:\Program Files\BitDefender\BitDefender 2008\vsserv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\NETGEAR\WPN111\wpn111.exe
C:\Program Files\MSI\PC Alert 4\PCAlert4.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O2 - BHO: (no name) - {643D4A43-DF84-4E77-91EE-E698815E00D0} - C:\WINDOWS\system32\bmcgexrv.dll (file missing)
O2 - BHO: {e929c400-9651-62b9-e7f4-c2e8cc0262a6} - {6a2620cc-8e2c-4f7e-9b26-1569004c929e} - C:\WINDOWS\system32\mapimqlh.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: BitDefender Toolbar - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - C:\Program Files\BitDefender\BitDefender 2008\IEToolbar.dll
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [BootSkin Startup Jobs] "C:\PROGRA~1\Stardock\WINCUS~1\BootSkin\BootSkin.exe" /StartupJobs
O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - Global Startup: NETGEAR WPN111 Smart Wizard.lnk = ?
O4 - Global Startup: PC Alert 4.lnk = C:\Program Files\MSI\PC Alert 4\PCAlert4.exe
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://dev.srtest.co.../sysreqlab3.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.t...ivex/hcImpl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1210556266165
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1210808453171
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O20 - AppInit_DLLs: oonbmodd.dll
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - BitDefender SRL - C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - BitDefender S.R.L. - C:\Program Files\BitDefender\BitDefender 2008\vsserv.exe
O23 - Service: BitDefender Communicator (XCOMM) - BitDefender - C:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe

--
End of file - 5202 bytes
  • 0

#5
miekiemoes

miekiemoes

    Malware Expert

  • Member
  • PipPipPipPipPipPipPipPip
  • 5,503 posts
  • MVP
Hi,

It's a good idea that you don't perform any other things in between, because it makes it confusing...

Please disable your bitdefender again, this to make sure it doesn't interfere with the fileremoval since Bitdefender locks files, so other tools won't be able to delete them.

Also, I see you're not afraid of visiting cracksites and other illegal sites, because I see you have been using cracks/serials here.
If you visit cracksites, use cracks, you'll ALWAYS get infected. This not only because of the crack itself, but because one single click entering that site may already download and install a huge malware bundle.
You really have to change your surfing habits though, because these malware bundles may contain a keylogger, collecting all your passwords and installing other random malware, compromising your system including infecting other computers. And this all, because you visited some illegal sites.
Also, keep in mind, malware DAMAGES A LOT! And the damage can't always be repaired, so a format and reinstall is the only solution in such cases.
So is it really worth it? Get illegal software for "free", but compromise/break your computer instead.... :)
Better to avoid this instead and change your surfing habits. Then this wouldn't have happened.

Don't forget to change your passwords afterwards, once we are done with this thread, because they are known. Don't change them now, because as long as the malware is still present, it will gather the changed passwords as well.


* Open notepad - don't use any other texteditor than notepad or the script will fail.
Copy/paste the text in the quotebox below into notepad:

File::
C:\WINDOWS\system32\apqspoka.dll
C:\WINDOWS\system32\mapimqlh.dll
C:\WINDOWS\system32\hgdggjfj.dll
C:\IP Changer v2.0 + Serial [App][www.zonatorrent.com].rar
C:\WINDOWS\system32\oonbmodd.dll
C:\WINDOWS\system32\kkyyykgm.dll
C:\WINDOWS\system32\nljtiqui.dll
Folder::
C:\IP Changer v2.0 + Serial [App][www.zonatorrent.com]
C:\VundoFix Backups
DirLook::
C:\Program Files\Setup Files
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{643D4A43-DF84-4E77-91EE-E698815E00D0}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6a2620cc-8e2c-4f7e-9b26-1569004c929e}]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000000
"UpdatesDisableNotify"=dword:00000000
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=-


Save this as txtfile CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

Posted Image

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThislog.
  • 0

#6
funda

funda

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
Here's the results of the combofix script and the hijackthis log.

ComboFix 08-06-20.4 - Administrator 2008-06-25 11:32:54.5 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1688 [GMT -4:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Administrator\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\IP Changer v2.0 + Serial [App][www.zonatorrent.com]
C:\IP Changer v2.0 + Serial [App][www.zonatorrent.com]\IP Changer v2.0 + Serial [App][www.zonatorrent.com]\IPChanger20Eng.exe
C:\IP Changer v2.0 + Serial [App][www.zonatorrent.com]\IP Changer v2.0 + Serial [App][www.zonatorrent.com]\leer serial.txt
C:\IP Changer v2.0 + Serial [App][www.zonatorrent.com]\IP Changer v2.0 + Serial [App][www.zonatorrent.com]\ZONATORRENT.COM [ La mejor web para descargar desde bit torrent... juegos, divx, xxx, videoconsolas, appz, musica...] -.url
C:\VundoFix Backups
C:\VundoFix Backups\addmorefiles.txt
C:\VundoFix Backups\bmcgexrv.dll.bad
C:\VundoFix Backups\dqkstfxb.dll.bad

.
((((((((((((((((((((((((( Files Created from 2008-05-25 to 2008-06-25 )))))))))))))))))))))))))))))))
.

2008-06-24 23:41 . 2008-06-24 23:41 <DIR> d-------- C:\Documents and Settings\D\Application Data\BitDefender
2008-06-24 20:25 . 2008-06-24 20:25 81,920 --a------ C:\WINDOWS\system32\apqspoka.dll
2008-06-24 20:22 . 2008-06-24 20:22 99,840 --a------ C:\WINDOWS\system32\mapimqlh.dll
2008-06-24 20:13 . 2008-06-24 20:13 91,136 --a------ C:\WINDOWS\system32\hgdggjfj.dll
2008-06-24 11:54 . 2008-06-24 11:54 <DIR> d-------- C:\Program Files\Plustech Inc
2008-06-24 11:54 . 2000-05-22 00:00 1,066,176 --a------ C:\WINDOWS\system32\MSCOMCTL.OCX
2008-06-24 11:54 . 2000-12-06 00:00 209,608 --a------ C:\WINDOWS\system32\TABCTL32.OCX
2008-06-24 11:54 . 2001-04-18 11:32 205,848 --a------ C:\WINDOWS\system32\Threed32.ocx
2008-06-24 11:54 . 2000-12-06 00:00 109,248 --a------ C:\WINDOWS\system32\MSWINSCK.OCX
2008-06-24 11:54 . 2001-08-27 15:12 19,490 --a------ C:\WINDOWS\system32\IPCFLT.VXD
2008-06-24 11:38 . 2008-06-24 11:53 4,372,882 --a------ C:\IP Changer v2.0 + Serial [App][www.zonatorrent.com].rar
2008-06-23 23:28 . 2008-06-23 23:45 <DIR> d-------- C:\Program Files\Setup Files
2008-06-23 20:15 . 2008-06-23 20:15 105,984 --a------ C:\WINDOWS\system32\oonbmodd.dll
2008-06-23 20:12 . 2008-06-23 20:12 91,136 --a------ C:\WINDOWS\system32\kkyyykgm.dll
2008-06-23 20:12 . 2008-06-23 20:12 81,408 --a------ C:\WINDOWS\system32\nljtiqui.dll
2008-06-23 20:08 . 2008-06-23 22:58 <DIR> d-------- C:\Program Files\Hide IP NG
2008-06-22 18:44 . 2008-06-23 22:58 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Hide IP NG
2008-06-22 18:40 . 2008-06-22 18:40 32 --a------ C:\WINDOWS\go
2008-06-18 11:34 . 2008-06-18 11:34 273 --a------ C:\WINDOWS\vtmb.ini
2008-06-14 22:32 . 2008-06-14 22:32 <DIR> d-------- C:\WINDOWS\nvidia icons
2008-06-14 22:32 . 2008-05-02 22:46 182,347 --a------ C:\WINDOWS\system32\nvapps.nvb
2008-06-14 20:03 . 2008-06-14 20:03 <DIR> d-------- C:\Program Files\SystemRequirementsLab
2008-06-14 18:18 . 2008-06-13 07:05 272,128 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys
2008-06-14 18:18 . 2008-05-08 10:02 203,136 -----c--- C:\WINDOWS\system32\dllcache\rmcast.sys
2008-06-08 15:57 . 2008-06-08 15:57 <DIR> d-------- C:\Documents and Settings\Administrator\WINDOWS
2008-06-08 15:54 . 2008-06-08 15:54 <DIR> d-------- C:\Program Files\NCSoft
2008-06-08 15:53 . 2008-06-08 15:55 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\GetRightToGo
2008-06-05 20:40 . 2008-06-05 20:42 <DIR> d-------- C:\Monopoly Here & Now Special Edition-BigFish Games-PreCracked-HIVBABY
2008-06-05 20:23 . 2008-06-05 20:23 <DIR> dr-h----- C:\Documents and Settings\Administrator\Application Data\SecuROM
2008-06-05 20:23 . 2008-06-05 20:23 107,888 --a------ C:\WINDOWS\system32\CmdLineExt.dll
2008-06-05 20:21 . 2008-06-05 20:21 <DIR> d-------- C:\Program Files\DAEMON Tools Lite
2008-06-05 20:17 . 2008-06-05 20:17 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\DAEMON Tools
2008-06-05 20:17 . 2008-06-05 20:17 717,296 --a------ C:\WINDOWS\system32\drivers\sptd.sys
2008-06-05 19:45 . 2008-06-05 19:45 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Trymedia
2008-06-05 19:44 . 2008-06-05 19:44 <DIR> d-------- C:\Program Files\AOL Games
2008-06-02 19:11 . 2008-06-23 21:42 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-06-02 19:10 . 2008-06-03 09:11 <DIR> d-------- C:\Program Files\DAP
2008-06-02 19:10 . 2008-06-02 19:10 479,298 --a------ C:\WINDOWS\system32\wbocx.ocx
2008-06-02 19:10 . 2008-06-02 19:10 172,032 --a------ C:\WINDOWS\system32\AniGIF.ocx
2008-06-02 19:10 . 2008-06-02 19:10 50,688 --a------ C:\WINDOWS\system32\wbhelp2.dll
2008-05-29 22:27 . 2008-05-29 22:27 <DIR> d-------- C:\Program Files\Ventrilo
2008-05-29 22:27 . 2008-05-29 22:27 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-05-29 22:27 . 2008-05-29 22:27 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Ventrilo
2008-05-29 02:00 . 2008-06-14 22:57 <DIR> d-------- C:\Program Files\HeroStats
2008-05-28 19:35 . 2008-05-28 20:56 <DIR> d-------- C:\Program Files\CityBinder
2008-05-28 19:29 . 2008-05-28 19:29 286,720 --------- C:\WINDOWS\Setup1.exe
2008-05-28 19:29 . 2008-05-28 19:29 73,216 --a------ C:\WINDOWS\ST6UNST.EXE
2008-05-28 18:52 . 2008-05-29 02:00 <DIR> d-------- C:\binds

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-25 15:32 81,984 ----a-w C:\WINDOWS\system32\bdod.bin
2008-06-24 18:12 --------- d-----w C:\Documents and Settings\Administrator\Application Data\uTorrent
2008-06-24 03:42 --------- d-----w C:\Program Files\MSI
2008-06-24 00:20 --------- d-----w C:\Program Files\Malwarebytes' Anti-Malware
2008-06-19 21:48 34,296 ----a-w C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-06-19 21:47 17,144 ----a-w C:\WINDOWS\system32\drivers\mbam.sys
2008-06-18 15:36 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-06-13 11:05 272,128 ------w C:\WINDOWS\system32\drivers\bthport.sys
2008-05-28 22:38 3,148 ----a-w C:\Documents and Settings\Administrator\Application Data\LMLayout.dat
2008-05-28 22:38 268 ----a-w C:\Documents and Settings\Administrator\Application Data\LMCPaper.dat
2008-05-22 19:02 --------- d-----w C:\Program Files\Trend Micro
2008-05-21 18:37 --------- d-----w C:\Program Files\Microsoft Silverlight
2008-05-14 20:00 --------- d-----w C:\Program Files\Common Files\Adobe
2008-05-13 23:32 77,824 ----a-w C:\WINDOWS\system32\xcomm.dll
2008-05-13 22:52 85,520 ----a-w C:\WINDOWS\system32\drivers\bdfndisf.sys
2008-05-13 22:49 --------- d-----w C:\Documents and Settings\All Users\Application Data\BitDefender
2008-05-13 22:49 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Bitdefender
2008-05-13 22:48 --------- d-----w C:\Program Files\BitDefender
2008-05-13 22:41 --------- d-----w C:\Program Files\VideoLAN
2008-05-12 23:58 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo!
2008-05-12 23:57 --------- d-----w C:\Program Files\Yahoo!
2008-05-12 22:52 --------- d-----w C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-05-12 22:52 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Malwarebytes
2008-05-12 22:30 --------- d-----w C:\Program Files\Windows Live
2008-05-12 22:29 --------- dcsh--w C:\Program Files\Common Files\WindowsLiveInstaller
2008-05-12 22:22 --------- d-----w C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-05-12 16:04 --------- d-----w C:\Program Files\Common Files\BitDefender
2008-05-12 13:57 163,712 ----a-w C:\WINDOWS\system32\drivers\vidstub.sys
2008-05-12 13:56 --------- d-----w C:\Program Files\Stardock
2008-05-12 13:56 --------- d-----w C:\Program Files\Common Files\Stardock
2008-05-12 13:04 --------- d-----w C:\Program Files\uTorrent
2008-05-12 11:42 --------- d-----w C:\Program Files\Windows Media Connect 2
2008-05-12 02:31 --------- d-----w C:\Program Files\VIA Technologies, Inc
2008-05-12 02:28 --------- d-----w C:\Program Files\VIA
2008-05-12 02:28 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-05-12 02:24 --------- d-----w C:\Program Files\DIFX
2008-05-12 02:08 --------- d-----w C:\Program Files\AWS
2008-05-12 02:08 --------- d-----w C:\Documents and Settings\Administrator\Application Data\WeatherBug
2008-05-12 01:39 --------- d-----w C:\Program Files\Xvid
2008-05-12 01:24 17,801 ----a-w C:\WINDOWS\system32\drivers\AegisP.sys
2008-05-12 01:24 --------- d-----w C:\Program Files\NETGEAR
2008-05-12 01:24 --------- d-----w C:\Documents and Settings\Administrator\Application Data\InstallShield
2008-05-12 01:11 --------- d-----w C:\Program Files\microsoft frontpage
2008-05-08 14:02 203,136 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-05-07 05:12 1,288,192 ----a-w C:\WINDOWS\system32\quartz.dll
2008-04-30 21:27 442,368 ----a-w C:\WINDOWS\system32\NVUNINST.EXE
2008-04-23 04:16 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-04-14 09:42 985,088 ----a-w C:\WINDOWS\system32\setupapi.dll
2008-04-14 09:42 11,264 ----a-w C:\WINDOWS\system32\spnpinst.exe
2008-04-14 09:41 423,936 ----a-w C:\WINDOWS\system32\licdll.dll
2008-04-14 00:25 1,804 ----a-w C:\WINDOWS\system32\dcache.bin
2008-04-14 00:16 329,728 ----a-w C:\WINDOWS\system32\netsetup.exe
2008-04-14 00:13 92,424 ----a-w C:\WINDOWS\system32\rdpdd.dll
2008-04-14 00:13 87,176 ----a-w C:\WINDOWS\system32\rdpwsx.dll
2008-04-14 00:13 299,520 ----a-w C:\WINDOWS\system32\drmclien.dll
2008-04-14 00:13 12,168 ----a-w C:\WINDOWS\system32\tsddd.dll
2008-04-14 00:11 997,376 ----a-w C:\WINDOWS\system32\msgina.dll
2008-04-14 00:10 53,279 ----a-w C:\WINDOWS\system32\odbcji32.dll
2008-04-14 00:10 4,126 ----a-w C:\WINDOWS\system32\msdxmlc.dll
2008-04-14 00:10 3,584 ----a-w C:\WINDOWS\system32\msafd.dll
2008-04-14 00:10 102,912 ----a-w C:\WINDOWS\system32\dpcdll.dll
2008-04-13 19:30 1,845,632 ----a-w C:\WINDOWS\system32\win32k.sys
2008-04-13 19:24 2,145,280 ----a-w C:\WINDOWS\system32\ntoskrnl.exe
2008-04-13 18:44 17,664 ----a-w C:\WINDOWS\system32\watchdog.sys
2008-04-13 18:43 9,728 ----a-w C:\WINDOWS\system32\comsdupd.exe
2008-04-13 18:43 12,800 ----a-w C:\WINDOWS\system32\spiisupd.exe
2008-04-13 18:31 7,424 ----a-w C:\WINDOWS\system32\kd1394.dll
2008-04-13 18:31 2,023,936 ----a-w C:\WINDOWS\system32\ntkrnlpa.exe
2008-04-13 18:30 61,440 ----a-w C:\WINDOWS\system32\msvcrt40.dll
2008-04-13 18:14 76,800 ----a-w C:\WINDOWS\system32\msshavmsg.dll
2008-04-13 17:39 438,784 ----a-w C:\WINDOWS\system32\xpob2res.dll
2008-04-13 17:39 2,897,920 ----a-w C:\WINDOWS\system32\xpsp2res.dll
2008-04-13 17:39 187,392 ----a-w C:\WINDOWS\system32\xpsp1res.dll
2008-04-13 17:37 208,384 ----a-w C:\WINDOWS\system32\rsaenh.dll
2008-04-13 17:37 138,752 ----a-w C:\WINDOWS\system32\dssenh.dll
2008-04-13 17:27 79,872 ----a-w C:\WINDOWS\system32\msxml6r.dll
2008-04-13 17:26 94,208 ----a-w C:\WINDOWS\system32\odbcint.dll
2008-04-13 17:26 12,288 ----a-w C:\WINDOWS\system32\odbcp32r.dll
2008-04-13 17:26 12,288 ----a-w C:\WINDOWS\system32\mscpx32r.dll
2008-04-13 17:24 20,480 ----a-w C:\WINDOWS\system32\msorc32r.dll
2008-04-13 17:21 733,696 ----a-w C:\WINDOWS\system32\qedwipes.dll
2008-04-13 17:09 4,096 ----a-w C:\WINDOWS\system32\dsprpres.dll
2008-04-13 17:03 63,488 ----a-w C:\WINDOWS\system32\browselc.dll
2008-04-13 17:03 549,376 ----a-w C:\WINDOWS\system32\shdoclc.dll
2008-04-13 16:48 1,647,616 ----a-w C:\WINDOWS\system32\winbrand.dll
2008-04-13 16:45 216,064 ----a-w C:\WINDOWS\system32\moricons.dll
2008-04-13 16:23 48,128 ----a-w C:\WINDOWS\system32\msprivs.dll
2008-04-13 16:22 48,128 ----a-w C:\WINDOWS\system32\inetres.dll
2008-04-13 15:39 884,736 ----a-w C:\WINDOWS\system32\msimsg.dll
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

---- Directory of C:\Program Files\Setup Files ----

2008-06-23 23:45 891637 --------- C:\Program Files\Setup Files\VIA Lan Drivers v3.68.0.453\cache\VIALanDriversv3.68.0.453.exe
2008-06-23 23:41 4298079 --a------ C:\Program Files\Setup Files\Live Update 3 v3.91\LIVEUPDATE3V3.91.EXE
2007-08-06 15:00 126 --a------ C:\Program Files\Setup Files\VIA Lan Drivers v3.68.0.453\MSISetup.ini
2007-04-27 12:39 65458 --a------ C:\Program Files\Setup Files\VIA Lan Drivers v3.68.0.453\netvt.cat
2007-04-17 15:17 61802 --a------ C:\Program Files\Setup Files\VIA Lan Drivers v3.68.0.453\FETNDIS.inf
2007-04-17 14:58 1915 --a------ C:\Program Files\Setup Files\VIA Lan Drivers v3.68.0.453\WIN.txt
2007-04-17 11:58 42496 --a------ C:\Program Files\Setup Files\VIA Lan Drivers v3.68.0.453\FETND5BV.sys
2007-04-17 11:58 40960 --a------ C:\Program Files\Setup Files\VIA Lan Drivers v3.68.0.453\FETND5AV.sys
2006-11-22 10:38 5610 --a------ C:\Program Files\Setup Files\VIA Lan Drivers v3.68.0.453\winsetup.txt
2006-11-21 19:01 253952 --a------ C:\Program Files\Setup Files\VIA Lan Drivers v3.68.0.453\WinSetup.exe
2006-11-21 19:01 245760 --a------ C:\Program Files\Setup Files\VIA Lan Drivers v3.68.0.453\WinUinst.exe
2006-11-07 17:54 13312 --a------ C:\Program Files\Setup Files\VIA Lan Drivers v3.68.0.453\winsetup\VETUP64.DLL
2006-10-27 16:26 69632 --a------ C:\Program Files\Setup Files\VIA Lan Drivers v3.68.0.453\vuins32.dll
2006-10-27 16:19 57376 --a------ C:\Program Files\Setup Files\VIA Lan Drivers v3.68.0.453\vuins16.dll
2005-11-17 15:46 337320 --a------ C:\Program Files\Setup Files\VIA Lan Drivers v3.68.0.453\difxapi.dll
2005-07-28 17:51 12672 --a------ C:\Program Files\Setup Files\VIA Lan Drivers v3.68.0.453\WINNDI.DLL
2005-07-01 18:14 25920 --a------ C:\Program Files\Setup Files\VIA Lan Drivers v3.68.0.453\winsetup\VETUP16.DLL
2005-04-18 17:50 32768 --a------ C:\Program Files\Setup Files\VIA Lan Drivers v3.68.0.453\winsetup\VETUP32.DLL
2004-11-04 11:58 10240 --a------ C:\Program Files\Setup Files\VIA Lan Drivers v3.68.0.453\winsetup\ntsim2A.sys
2004-11-04 11:57 8320 --a------ C:\Program Files\Setup Files\VIA Lan Drivers v3.68.0.453\winsetup\ntsim2.sys
2004-09-14 10:18 18513 --a------ C:\Program Files\Setup Files\VIA Lan Drivers v3.68.0.453\winsetup\NTSetup.inf
2003-08-26 09:55 133120 --a------ C:\Program Files\Setup Files\VIA Lan Drivers v3.68.0.453\SetupDrv.exe
2003-04-03 11:17 209408 --a------ C:\Program Files\Setup Files\VIA Lan Drivers v3.68.0.453\MSISetup.exe


((((((((((((((((((((((((((((( [email protected]_ 0.38.43.79 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-25 04:35:57 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-25 15:16:40 2,048 --s-a-w C:\WINDOWS\bootstat.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Weather"="C:\Program Files\AWS\WeatherBug\Weather.exe" [2007-08-29 10:55 1347584]
"DAEMON Tools Lite"="C:\Program Files\DAEMON Tools Lite\daemon.exe" [2008-04-01 05:39 486856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nwiz"="nwiz.exe" [2008-05-02 22:46 1630208 C:\WINDOWS\system32\nwiz.exe]
"BootSkin Startup Jobs"="C:\PROGRA~1\Stardock\WINCUS~1\BootSkin\BootSkin.exe" [2004-04-26 16:21 270336]
"BDAgent"="C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe" [2008-06-23 21:31 360448]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2008-05-02 22:46 13529088]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2008-05-02 22:46 86016]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
NETGEAR WPN111 Smart Wizard.lnk - C:\Program Files\NETGEAR\WPN111\wpn111.exe [2008-05-11 21:24:40 884838]
PC Alert 4.lnk - C:\Program Files\MSI\PC Alert 4\PCAlert4.exe [2008-05-11 22:33:00 552960]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\LMpdpsrv.exe"=

R0 videX32;videX32;C:\WINDOWS\system32\DRIVERS\videX32.sys [2006-10-17 20:22]
R0 xfilt;VIA SATA IDE Hot-plug Driver;C:\WINDOWS\system32\DRIVERS\xfilt.sys [2006-10-18 17:39]
R3 Bdfndisf;BitDefender Firewall NDIS Filter Service;C:\WINDOWS\system32\DRIVERS\bdfndisf.sys [2008-05-13 18:52]
R3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;C:\WINDOWS\System32\DNINDIS5.SYS [2003-07-24 12:10]
R3 WPN111;Wireless USB 2.0 Adapter with RangeMax Service;C:\WINDOWS\system32\DRIVERS\WPN111.sys [2005-05-29 18:00]
S3 FET5X86V;VIA Rhine-Family Fast-Ethernet Adapter Driver Service;C:\WINDOWS\system32\DRIVERS\fetnd5bv.sys [2007-04-17 11:58]
S3 Vsp;Vsp;C:\WINDOWS\system32\drivers\Vsp.sys [2003-05-27 16:45]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bdx REG_MULTI_SZ scan

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5c66e07a-2146-11dd-ae68-000fb597ed4b}]
\Shell\AutoRun\command - F:\setup.exe

*Newly Created Service* - CATCHME
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-25 11:34:04
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\bdfsfltr]
"ImagePath"=hex:73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,44,00,52,\

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\bdfsfltr]
"ImagePath"=hex:73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,44,00,52,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\oonbmodd.dll

PROCESS: C:\WINDOWS\system32\lsass.exe
-> C:\WINDOWS\system32\oonbmodd.dll
.
Completion time: 2008-06-25 11:35:40
ComboFix-quarantined-files.txt 2008-06-25 15:35:25

Pre-Run: 47,915,991,040 bytes free
Post-Run: 47,902,691,328 bytes free

255


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:36:22 AM, on 6/25/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
C:\Program Files\BitDefender\BitDefender 2008\vsserv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe
C:\Program Files\NETGEAR\WPN111\wpn111.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: BitDefender Toolbar - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - C:\Program Files\BitDefender\BitDefender 2008\IEToolbar.dll
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [BootSkin Startup Jobs] "C:\PROGRA~1\Stardock\WINCUS~1\BootSkin\BootSkin.exe" /StartupJobs
O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - Global Startup: NETGEAR WPN111 Smart Wizard.lnk = ?
O4 - Global Startup: PC Alert 4.lnk = C:\Program Files\MSI\PC Alert 4\PCAlert4.exe
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://dev.srtest.co.../sysreqlab3.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.t...ivex/hcImpl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1210556266165
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1210808453171
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - BitDefender SRL - C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - BitDefender S.R.L. - C:\Program Files\BitDefender\BitDefender 2008\vsserv.exe
O23 - Service: BitDefender Communicator (XCOMM) - BitDefender - C:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe

--
End of file - 4761 bytes
  • 0

#7
miekiemoes

miekiemoes

    Malware Expert

  • Member
  • PipPipPipPipPipPipPipPip
  • 5,503 posts
  • MVP
Hi,

You didn't include File:: on top in your previous script, that's why it failed to delete some files.
Please make sure you copy and paste exactly what's in the quotebox...

* Open notepad - don't use any other texteditor than notepad or the script will fail.
Copy/paste the text in the quotebox below into notepad:

File::
C:\WINDOWS\system32\apqspoka.dll
C:\WINDOWS\system32\mapimqlh.dll
C:\WINDOWS\system32\hgdggjfj.dll
C:\IP Changer v2.0 + Serial [App][www.zonatorrent.com].rar
C:\WINDOWS\system32\oonbmodd.dll
C:\WINDOWS\system32\kkyyykgm.dll
C:\WINDOWS\system32\nljtiqui.dll


Save this as txtfile CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

Posted Image

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThislog.
  • 0

#8
funda

funda

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
Here's the results for the new logs.

ComboFix 08-06-20.4 - Administrator 2008-06-25 12:17:34.6 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1659 [GMT -4:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Administrator\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\IP Changer v2.0 + Serial [App][www.zonatorrent.com].rar
C:\WINDOWS\system32\apqspoka.dll
C:\WINDOWS\system32\hgdggjfj.dll
C:\WINDOWS\system32\kkyyykgm.dll
C:\WINDOWS\system32\mapimqlh.dll
C:\WINDOWS\system32\nljtiqui.dll
C:\WINDOWS\system32\oonbmodd.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\IP Changer v2.0 + Serial [App][www.zonatorrent.com].rar
C:\WINDOWS\system32\apqspoka.dll
C:\WINDOWS\system32\hgdggjfj.dll
C:\WINDOWS\system32\kkyyykgm.dll
C:\WINDOWS\system32\mapimqlh.dll
C:\WINDOWS\system32\nljtiqui.dll
C:\WINDOWS\system32\oonbmodd.dll

.
((((((((((((((((((((((((( Files Created from 2008-05-25 to 2008-06-25 )))))))))))))))))))))))))))))))
.

2008-06-24 23:41 . 2008-06-24 23:41 <DIR> d-------- C:\Documents and Settings\D\Application Data\BitDefender
2008-06-24 11:54 . 2000-05-22 00:00 1,066,176 --a------ C:\WINDOWS\system32\MSCOMCTL.OCX
2008-06-24 11:54 . 2000-12-06 00:00 209,608 --a------ C:\WINDOWS\system32\TABCTL32.OCX
2008-06-24 11:54 . 2001-04-18 11:32 205,848 --a------ C:\WINDOWS\system32\Threed32.ocx
2008-06-24 11:54 . 2000-12-06 00:00 109,248 --a------ C:\WINDOWS\system32\MSWINSCK.OCX
2008-06-23 23:28 . 2008-06-23 23:45 <DIR> d-------- C:\Program Files\Setup Files
2008-06-23 20:08 . 2008-06-23 22:58 <DIR> d-------- C:\Program Files\Hide IP NG
2008-06-22 18:44 . 2008-06-23 22:58 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Hide IP NG
2008-06-22 18:40 . 2008-06-22 18:40 32 --a------ C:\WINDOWS\go
2008-06-18 11:34 . 2008-06-18 11:34 273 --a------ C:\WINDOWS\vtmb.ini
2008-06-14 22:32 . 2008-06-14 22:32 <DIR> d-------- C:\WINDOWS\nvidia icons
2008-06-14 22:32 . 2008-05-02 22:46 182,347 --a------ C:\WINDOWS\system32\nvapps.nvb
2008-06-14 20:03 . 2008-06-14 20:03 <DIR> d-------- C:\Program Files\SystemRequirementsLab
2008-06-14 18:18 . 2008-06-13 07:05 272,128 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys
2008-06-14 18:18 . 2008-05-08 10:02 203,136 -----c--- C:\WINDOWS\system32\dllcache\rmcast.sys
2008-06-08 15:57 . 2008-06-08 15:57 <DIR> d-------- C:\Documents and Settings\Administrator\WINDOWS
2008-06-08 15:54 . 2008-06-08 15:54 <DIR> d-------- C:\Program Files\NCSoft
2008-06-08 15:53 . 2008-06-08 15:55 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\GetRightToGo
2008-06-05 20:40 . 2008-06-05 20:42 <DIR> d-------- C:\Monopoly Here & Now Special Edition-BigFish Games-PreCracked-HIVBABY
2008-06-05 20:23 . 2008-06-05 20:23 <DIR> dr-h----- C:\Documents and Settings\Administrator\Application Data\SecuROM
2008-06-05 20:23 . 2008-06-05 20:23 107,888 --a------ C:\WINDOWS\system32\CmdLineExt.dll
2008-06-05 20:21 . 2008-06-05 20:21 <DIR> d-------- C:\Program Files\DAEMON Tools Lite
2008-06-05 20:17 . 2008-06-05 20:17 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\DAEMON Tools
2008-06-05 20:17 . 2008-06-05 20:17 717,296 --a------ C:\WINDOWS\system32\drivers\sptd.sys
2008-06-05 19:45 . 2008-06-05 19:45 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Trymedia
2008-06-05 19:44 . 2008-06-05 19:44 <DIR> d-------- C:\Program Files\AOL Games
2008-06-02 19:11 . 2008-06-23 21:42 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-06-02 19:10 . 2008-06-03 09:11 <DIR> d-------- C:\Program Files\DAP
2008-06-02 19:10 . 2008-06-02 19:10 479,298 --a------ C:\WINDOWS\system32\wbocx.ocx
2008-06-02 19:10 . 2008-06-02 19:10 172,032 --a------ C:\WINDOWS\system32\AniGIF.ocx
2008-06-02 19:10 . 2008-06-02 19:10 50,688 --a------ C:\WINDOWS\system32\wbhelp2.dll
2008-05-29 22:27 . 2008-05-29 22:27 <DIR> d-------- C:\Program Files\Ventrilo
2008-05-29 22:27 . 2008-05-29 22:27 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-05-29 22:27 . 2008-05-29 22:27 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Ventrilo
2008-05-29 02:00 . 2008-06-14 22:57 <DIR> d-------- C:\Program Files\HeroStats
2008-05-28 19:35 . 2008-05-28 20:56 <DIR> d-------- C:\Program Files\CityBinder
2008-05-28 19:29 . 2008-05-28 19:29 286,720 --------- C:\WINDOWS\Setup1.exe
2008-05-28 19:29 . 2008-05-28 19:29 73,216 --a------ C:\WINDOWS\ST6UNST.EXE
2008-05-28 18:52 . 2008-05-29 02:00 <DIR> d-------- C:\binds

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-25 16:17 81,984 ----a-w C:\WINDOWS\system32\bdod.bin
2008-06-24 18:12 --------- d-----w C:\Documents and Settings\Administrator\Application Data\uTorrent
2008-06-24 03:42 --------- d-----w C:\Program Files\MSI
2008-06-24 00:20 --------- d-----w C:\Program Files\Malwarebytes' Anti-Malware
2008-06-19 21:48 34,296 ----a-w C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-06-19 21:47 17,144 ----a-w C:\WINDOWS\system32\drivers\mbam.sys
2008-06-18 15:36 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-06-13 11:05 272,128 ------w C:\WINDOWS\system32\drivers\bthport.sys
2008-05-28 22:38 3,148 ----a-w C:\Documents and Settings\Administrator\Application Data\LMLayout.dat
2008-05-28 22:38 268 ----a-w C:\Documents and Settings\Administrator\Application Data\LMCPaper.dat
2008-05-22 19:02 --------- d-----w C:\Program Files\Trend Micro
2008-05-21 18:37 --------- d-----w C:\Program Files\Microsoft Silverlight
2008-05-14 20:00 --------- d-----w C:\Program Files\Common Files\Adobe
2008-05-13 23:32 77,824 ----a-w C:\WINDOWS\system32\xcomm.dll
2008-05-13 22:52 85,520 ----a-w C:\WINDOWS\system32\drivers\bdfndisf.sys
2008-05-13 22:49 --------- d-----w C:\Documents and Settings\All Users\Application Data\BitDefender
2008-05-13 22:49 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Bitdefender
2008-05-13 22:48 --------- d-----w C:\Program Files\BitDefender
2008-05-13 22:41 --------- d-----w C:\Program Files\VideoLAN
2008-05-12 23:58 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo!
2008-05-12 23:57 --------- d-----w C:\Program Files\Yahoo!
2008-05-12 22:52 --------- d-----w C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-05-12 22:52 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Malwarebytes
2008-05-12 22:30 --------- d-----w C:\Program Files\Windows Live
2008-05-12 22:29 --------- dcsh--w C:\Program Files\Common Files\WindowsLiveInstaller
2008-05-12 22:22 --------- d-----w C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-05-12 16:04 --------- d-----w C:\Program Files\Common Files\BitDefender
2008-05-12 13:57 163,712 ----a-w C:\WINDOWS\system32\drivers\vidstub.sys
2008-05-12 13:56 --------- d-----w C:\Program Files\Stardock
2008-05-12 13:56 --------- d-----w C:\Program Files\Common Files\Stardock
2008-05-12 13:04 --------- d-----w C:\Program Files\uTorrent
2008-05-12 11:42 --------- d-----w C:\Program Files\Windows Media Connect 2
2008-05-12 02:31 --------- d-----w C:\Program Files\VIA Technologies, Inc
2008-05-12 02:28 --------- d-----w C:\Program Files\VIA
2008-05-12 02:28 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-05-12 02:24 --------- d-----w C:\Program Files\DIFX
2008-05-12 02:08 --------- d-----w C:\Program Files\AWS
2008-05-12 02:08 --------- d-----w C:\Documents and Settings\Administrator\Application Data\WeatherBug
2008-05-12 01:39 --------- d-----w C:\Program Files\Xvid
2008-05-12 01:24 17,801 ----a-w C:\WINDOWS\system32\drivers\AegisP.sys
2008-05-12 01:24 --------- d-----w C:\Program Files\NETGEAR
2008-05-12 01:24 --------- d-----w C:\Documents and Settings\Administrator\Application Data\InstallShield
2008-05-12 01:11 --------- d-----w C:\Program Files\microsoft frontpage
2008-05-08 14:02 203,136 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-05-07 05:12 1,288,192 ----a-w C:\WINDOWS\system32\quartz.dll
2008-04-30 21:27 442,368 ----a-w C:\WINDOWS\system32\NVUNINST.EXE
2008-04-23 04:16 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-04-14 09:42 985,088 ----a-w C:\WINDOWS\system32\setupapi.dll
2008-04-14 09:42 11,264 ----a-w C:\WINDOWS\system32\spnpinst.exe
2008-04-14 09:41 423,936 ----a-w C:\WINDOWS\system32\licdll.dll
2008-04-14 00:25 1,804 ----a-w C:\WINDOWS\system32\dcache.bin
2008-04-14 00:16 329,728 ----a-w C:\WINDOWS\system32\netsetup.exe
2008-04-14 00:13 92,424 ----a-w C:\WINDOWS\system32\rdpdd.dll
2008-04-14 00:13 87,176 ----a-w C:\WINDOWS\system32\rdpwsx.dll
2008-04-14 00:13 299,520 ----a-w C:\WINDOWS\system32\drmclien.dll
2008-04-14 00:13 12,168 ----a-w C:\WINDOWS\system32\tsddd.dll
2008-04-14 00:11 997,376 ----a-w C:\WINDOWS\system32\msgina.dll
2008-04-14 00:10 53,279 ----a-w C:\WINDOWS\system32\odbcji32.dll
2008-04-14 00:10 4,126 ----a-w C:\WINDOWS\system32\msdxmlc.dll
2008-04-14 00:10 3,584 ----a-w C:\WINDOWS\system32\msafd.dll
2008-04-14 00:10 102,912 ----a-w C:\WINDOWS\system32\dpcdll.dll
2008-04-13 19:30 1,845,632 ----a-w C:\WINDOWS\system32\win32k.sys
2008-04-13 19:24 2,145,280 ----a-w C:\WINDOWS\system32\ntoskrnl.exe
2008-04-13 18:44 17,664 ----a-w C:\WINDOWS\system32\watchdog.sys
2008-04-13 18:43 9,728 ----a-w C:\WINDOWS\system32\comsdupd.exe
2008-04-13 18:43 12,800 ----a-w C:\WINDOWS\system32\spiisupd.exe
2008-04-13 18:31 7,424 ----a-w C:\WINDOWS\system32\kd1394.dll
2008-04-13 18:31 2,023,936 ----a-w C:\WINDOWS\system32\ntkrnlpa.exe
2008-04-13 18:30 61,440 ----a-w C:\WINDOWS\system32\msvcrt40.dll
2008-04-13 18:14 76,800 ----a-w C:\WINDOWS\system32\msshavmsg.dll
2008-04-13 17:39 438,784 ----a-w C:\WINDOWS\system32\xpob2res.dll
2008-04-13 17:39 2,897,920 ----a-w C:\WINDOWS\system32\xpsp2res.dll
2008-04-13 17:39 187,392 ----a-w C:\WINDOWS\system32\xpsp1res.dll
2008-04-13 17:37 208,384 ----a-w C:\WINDOWS\system32\rsaenh.dll
2008-04-13 17:37 138,752 ----a-w C:\WINDOWS\system32\dssenh.dll
2008-04-13 17:27 79,872 ----a-w C:\WINDOWS\system32\msxml6r.dll
2008-04-13 17:26 94,208 ----a-w C:\WINDOWS\system32\odbcint.dll
2008-04-13 17:26 12,288 ----a-w C:\WINDOWS\system32\odbcp32r.dll
2008-04-13 17:26 12,288 ----a-w C:\WINDOWS\system32\mscpx32r.dll
2008-04-13 17:24 20,480 ----a-w C:\WINDOWS\system32\msorc32r.dll
2008-04-13 17:21 733,696 ----a-w C:\WINDOWS\system32\qedwipes.dll
2008-04-13 17:09 4,096 ----a-w C:\WINDOWS\system32\dsprpres.dll
2008-04-13 17:03 63,488 ----a-w C:\WINDOWS\system32\browselc.dll
2008-04-13 17:03 549,376 ----a-w C:\WINDOWS\system32\shdoclc.dll
2008-04-13 16:48 1,647,616 ----a-w C:\WINDOWS\system32\winbrand.dll
2008-04-13 16:45 216,064 ----a-w C:\WINDOWS\system32\moricons.dll
2008-04-13 16:23 48,128 ----a-w C:\WINDOWS\system32\msprivs.dll
2008-04-13 16:22 48,128 ----a-w C:\WINDOWS\system32\inetres.dll
2008-04-13 15:39 884,736 ----a-w C:\WINDOWS\system32\msimsg.dll
.

((((((((((((((((((((((((((((( [email protected]_ 0.38.43.79 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-25 04:35:57 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-25 16:22:43 2,048 --s-a-w C:\WINDOWS\bootstat.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Weather"="C:\Program Files\AWS\WeatherBug\Weather.exe" [2007-08-29 10:55 1347584]
"DAEMON Tools Lite"="C:\Program Files\DAEMON Tools Lite\daemon.exe" [2008-04-01 05:39 486856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nwiz"="nwiz.exe" [2008-05-02 22:46 1630208 C:\WINDOWS\system32\nwiz.exe]
"BootSkin Startup Jobs"="C:\PROGRA~1\Stardock\WINCUS~1\BootSkin\BootSkin.exe" [2004-04-26 16:21 270336]
"BDAgent"="C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe" [2008-06-23 21:31 360448]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2008-05-02 22:46 13529088]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2008-05-02 22:46 86016]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
NETGEAR WPN111 Smart Wizard.lnk - C:\Program Files\NETGEAR\WPN111\wpn111.exe [2008-05-11 21:24:40 884838]
PC Alert 4.lnk - C:\Program Files\MSI\PC Alert 4\PCAlert4.exe [2008-05-11 22:33:00 552960]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"FirewallDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\LMpdpsrv.exe"=

R0 videX32;videX32;C:\WINDOWS\system32\DRIVERS\videX32.sys [2006-10-17 20:22]
R0 xfilt;VIA SATA IDE Hot-plug Driver;C:\WINDOWS\system32\DRIVERS\xfilt.sys [2006-10-18 17:39]
R3 Bdfndisf;BitDefender Firewall NDIS Filter Service;C:\WINDOWS\system32\DRIVERS\bdfndisf.sys [2008-05-13 18:52]
R3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;C:\WINDOWS\System32\DNINDIS5.SYS [2003-07-24 12:10]
R3 PCAlertDriver;PCAlertDriver;C:\Program Files\MSI\PC Alert 4\NTGLM7X.sys [2006-12-26 14:08]
R3 WPN111;Wireless USB 2.0 Adapter with RangeMax Service;C:\WINDOWS\system32\DRIVERS\WPN111.sys [2005-05-29 18:00]
S3 FET5X86V;VIA Rhine-Family Fast-Ethernet Adapter Driver Service;C:\WINDOWS\system32\DRIVERS\fetnd5bv.sys [2007-04-17 11:58]
S3 Vsp;Vsp;C:\WINDOWS\system32\drivers\Vsp.sys [2003-05-27 16:45]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bdx REG_MULTI_SZ scan

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5c66e07a-2146-11dd-ae68-000fb597ed4b}]
\Shell\AutoRun\command - F:\setup.exe

*Newly Created Service* - PCALERTDRIVER
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-25 12:23:02
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\bdfsfltr]
"ImagePath"=hex:73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,44,00,52,\

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\bdfsfltr]
"ImagePath"=hex:73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,44,00,52,\
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
C:\Program Files\BitDefender\BitDefender 2008\vsserv.exe
C:\WINDOWS\system32\rundll32.exe
.
**************************************************************************
.
Completion time: 2008-06-25 12:25:37 - machine was rebooted
ComboFix-quarantined-files.txt 2008-06-25 16:25:31
ComboFix2.txt 2008-06-25 15:35:40

Pre-Run: 47,898,673,152 bytes free
Post-Run: 47,893,073,920 bytes free

237


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:25:55 PM, on 6/25/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
C:\Program Files\BitDefender\BitDefender 2008\vsserv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\NETGEAR\WPN111\wpn111.exe
C:\Program Files\MSI\PC Alert 4\PCAlert4.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: BitDefender Toolbar - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - C:\Program Files\BitDefender\BitDefender 2008\IEToolbar.dll
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [BootSkin Startup Jobs] "C:\PROGRA~1\Stardock\WINCUS~1\BootSkin\BootSkin.exe" /StartupJobs
O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - Global Startup: NETGEAR WPN111 Smart Wizard.lnk = ?
O4 - Global Startup: PC Alert 4.lnk = C:\Program Files\MSI\PC Alert 4\PCAlert4.exe
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://dev.srtest.co.../sysreqlab3.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.t...ivex/hcImpl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1210556266165
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1210808453171
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - BitDefender SRL - C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - BitDefender S.R.L. - C:\Program Files\BitDefender\BitDefender 2008\vsserv.exe
O23 - Service: BitDefender Communicator (XCOMM) - BitDefender - C:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe

--
End of file - 4885 bytes
  • 0

#9
miekiemoes

miekiemoes

    Malware Expert

  • Member
  • PipPipPipPipPipPipPipPip
  • 5,503 posts
  • MVP
Hi,

This looks OK again.

* Go to start > run and copy and paste next command in the field:

ComboFix /u

Make sure there's a space between Combofix and /
Then hit enter.

This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and resets System Restore again.

Let me know in your next reply how things are now.
  • 0

#10
funda

funda

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
Seems to be running good now. Thanks for your help :)
  • 0

#11
miekiemoes

miekiemoes

    Malware Expert

  • Member
  • PipPipPipPipPipPipPipPip
  • 5,503 posts
  • MVP
Glad I could help. :)

Please read my Prevention page with lots of info and tips how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here.
Extra note: Make sure your programs are up to date - because older versions may contain Security Leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

Happy Surfing again!
  • 0

#12
miekiemoes

miekiemoes

    Malware Expert

  • Member
  • PipPipPipPipPipPipPipPip
  • 5,503 posts
  • MVP
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP