Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Virtumonde


  • Please log in to reply

#1
herb81

herb81

    New Member

  • Member
  • Pip
  • 8 posts
I ran into Virtumonde and i ran Combofix here is my log. can somebody help me what to do next. please.




ComboFix 08-07-29.1 - Owner 2008-07-29 23:12:35.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.407 [GMT -5:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner\Desktop\WinXP_EN_HOM_BF.EXE
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Herbert Magombe\Application Data\macromedia\Flash Player\#SharedObjects\HRFSNHCE\interclick.com
C:\Documents and Settings\Herbert Magombe\Application Data\macromedia\Flash Player\#SharedObjects\HRFSNHCE\interclick.com\ud.sol
C:\Documents and Settings\Herbert Magombe\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
C:\Documents and Settings\Herbert Magombe\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows Media\10.0\WMSDKNSD.XML
C:\WINDOWS\BM57247bb3.txt
C:\WINDOWS\BM57247bb3.xml
C:\WINDOWS\cookies.ini
C:\WINDOWS\hosts
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\dcIilnnn.ini
C:\WINDOWS\system32\dcIilnnn.ini2
C:\WINDOWS\system32\FeddKkkj.ini
C:\WINDOWS\system32\FeddKkkj.ini2
C:\WINDOWS\system32\hjknmnnn.ini
C:\WINDOWS\system32\hjknmnnn.ini2
C:\WINDOWS\system32\hoveqseg.ini
C:\WINDOWS\system32\hqdwqogw.ini
C:\WINDOWS\system32\iahpflxt.ini
C:\WINDOWS\system32\igtumswj.ini
C:\WINDOWS\system32\ihradkww.ini
C:\WINDOWS\system32\jSAJlnpo.ini
C:\WINDOWS\system32\jSAJlnpo.ini2
C:\WINDOWS\system32\khfDwVOH.dll
C:\WINDOWS\system32\khfFXpnm.dll
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\MSINET.oca
C:\WINDOWS\system32\nnnliIcd.dll
C:\WINDOWS\system32\opnlJASj.dll
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\rajvwkld.ini
C:\WINDOWS\system32\rbvostvg.ini
C:\WINDOWS\system32\vhsjiabb.ini
L:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2008-06-28 to 2008-07-30 )))))))))))))))))))))))))))))))
.

2008-07-29 21:40 . 2008-07-29 21:40 83,456 --a------ C:\WINDOWS\system32\wgoqwdqh.dll
2008-07-29 21:38 . 2008-07-29 21:38 105,472 --a------ C:\WINDOWS\system32\vpuctlou.dll
2008-07-29 21:38 . 2008-07-29 21:38 105,472 --a------ C:\WINDOWS\system32\egsyql.dll
2008-07-29 21:38 . 2008-07-29 21:38 91,648 --a------ C:\WINDOWS\system32\bnqqjgrh.dll
2008-07-29 21:33 . 2008-07-29 21:33 83,456 --a------ C:\WINDOWS\system32\gvtsovbr.dll
2008-07-29 21:30 . 2008-07-29 21:30 105,472 --a------ C:\WINDOWS\system32\xgpvsbwu.dll
2008-07-29 21:30 . 2008-07-29 21:30 105,472 --a------ C:\WINDOWS\system32\bwrecx.dll
2008-07-29 21:28 . 2008-07-29 21:28 91,648 --a------ C:\WINDOWS\system32\vrsdvnen.dll
2008-07-29 21:27 . 2008-07-29 21:27 314,880 --a------ C:\WINDOWS\system32\geBtSKCt.dll
2008-07-29 19:59 . 2008-07-29 19:59 83,456 --a------ C:\WINDOWS\system32\bbaijshv.dll
2008-07-29 19:56 . 2008-07-29 19:56 105,472 --a------ C:\WINDOWS\system32\nlruvu.dll
2008-07-29 19:56 . 2008-07-29 19:56 105,472 --a------ C:\WINDOWS\system32\jnchiwed.dll
2008-07-29 19:54 . 2008-07-29 19:54 91,648 --a------ C:\WINDOWS\system32\erdocybo.dll
2008-07-29 19:53 . 2008-07-29 19:53 314,880 --a------ C:\WINDOWS\system32\jkkKddeF.dll
2008-07-29 18:44 . 2008-07-29 18:45 <DIR> d-------- C:\Program Files\Windows Defender
2008-07-28 23:52 . 2008-07-29 07:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Google Updater
2008-07-28 23:32 . 2008-07-28 23:32 105,472 --a------ C:\WINDOWS\system32\ymdhfuhl.dll
2008-07-28 23:32 . 2008-07-28 23:32 105,472 --a------ C:\WINDOWS\system32\nyvhwr.dll
2008-07-28 23:28 . 2008-07-28 23:29 83,456 --a------ C:\WINDOWS\system32\dlkwvjar.dll
2008-07-28 23:23 . 2008-07-28 23:23 91,648 --a------ C:\WINDOWS\system32\odutbuta.dll
2008-07-28 23:22 . 2008-07-28 23:22 314,880 --a------ C:\WINDOWS\system32\nnnmnkjh.dll
2008-07-28 19:54 . 2008-07-28 19:54 83,456 --a------ C:\WINDOWS\system32\jwsmutgi.dll
2008-07-28 19:52 . 2008-07-28 19:52 105,472 --a------ C:\WINDOWS\system32\rtjcebib.dll
2008-07-28 19:52 . 2008-07-28 19:52 105,472 --a------ C:\WINDOWS\system32\rnpxea.dll
2008-07-28 19:52 . 2008-07-28 19:52 91,648 --a------ C:\WINDOWS\system32\pokmmyil.dll
2008-07-28 19:39 . 2008-07-28 19:39 113,880 --a------ C:\WINDOWS\system32\qgjyoknt.exe
2008-07-28 19:36 . 2008-07-28 19:36 105,472 --a------ C:\WINDOWS\system32\jnrhxb.dll
2008-07-28 19:36 . 2008-07-28 19:36 105,472 --a------ C:\WINDOWS\system32\fibwgvjt.dll
2008-07-28 19:33 . 2008-07-28 19:33 83,456 --a------ C:\WINDOWS\system32\wwkdarhi.dll
2008-07-28 19:30 . 2008-07-28 19:30 91,648 --a------ C:\WINDOWS\system32\uadljbvl.dll
2008-07-27 23:57 . 2008-07-29 22:45 303 --a------ C:\WINDOWS\wininit.ini
2008-07-27 21:21 . 2008-07-27 23:24 <DIR> d-------- C:\WINDOWS\system32\RTCOM
2008-07-27 21:21 . 2005-05-12 14:00 14,396,416 --a------ C:\WINDOWS\RTHDCPL.EXE
2008-07-27 21:21 . 2008-07-27 21:21 294,912 --a------ C:\WINDOWS\HideWin.exe
2008-07-27 21:21 . 2005-05-12 14:00 262,144 --a------ C:\WINDOWS\system32\RTSndMgr.Cpl
2008-07-27 21:21 . 2005-05-12 14:00 40,960 --a------ C:\WINDOWS\system32\ChCfg.exe
2008-07-27 21:20 . 2008-07-27 21:20 <DIR> d-------- C:\cabs
2008-07-27 21:20 . 2005-05-12 14:00 487,424 --------- C:\WINDOWS\RtlExUpd.dll
2008-07-27 20:48 . 2008-07-27 20:48 105,472 --a------ C:\WINDOWS\system32\netrwrxy.dll
2008-07-27 20:48 . 2008-07-27 20:48 105,472 --a------ C:\WINDOWS\system32\kujcxh.dll
2008-07-27 20:48 . 2008-07-27 20:48 91,648 --a------ C:\WINDOWS\system32\gxhxmelh.dll
2008-07-27 20:48 . 2008-07-27 20:48 83,456 --a------ C:\WINDOWS\system32\txlfphai.dll
2008-07-27 14:40 . 2008-07-27 14:43 <DIR> d-------- C:\WINDOWS\system32\kBin19
2008-07-27 14:40 . 2008-07-27 14:40 <DIR> d-------- C:\Temp\epr1
2008-07-08 21:10 . 2008-07-17 20:01 <DIR> d-------- C:\Documents and Settings\Herbert Magombe\Application Data\U3
2008-06-30 15:45 . 2008-06-30 15:45 0 --a------ C:\Application Data\wklnhst.dat
2008-06-20 12:41 . 2008-06-20 12:41 245,248 -----c--- C:\WINDOWS\system32\dllcache\mswsock.dll
2008-06-20 05:44 . 2008-06-20 05:44 138,368 -----c--- C:\WINDOWS\system32\dllcache\afd.sys
2008-06-11 12:06 . 2008-06-13 08:10 272,128 --a------ C:\WINDOWS\system32\drivers\bthport.sys
2008-06-11 12:06 . 2008-06-13 08:10 272,128 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys
2008-06-07 21:33 . 2008-06-07 21:33 268 --ah----- C:\sqmdata02.sqm
2008-06-07 21:33 . 2008-06-07 21:33 244 --ah----- C:\sqmnoopt02.sqm
2008-06-06 20:25 . 2008-06-06 20:25 268 --ah----- C:\sqmdata01.sqm
2008-06-06 20:25 . 2008-06-06 20:25 244 --ah----- C:\sqmnoopt01.sqm
2008-06-06 20:18 . 2008-06-06 20:18 <DIR> d-------- C:\Program Files\MSECache

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-30 00:51 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-07-29 12:43 --------- d-----w C:\Program Files\Google
2008-07-29 00:09 --------- d-----w C:\Program Files\Norton AntiVirus
2008-07-28 05:00 --------- d-----w C:\Documents and Settings\Herbert Magombe\Application Data\Yahoo!
2008-07-28 04:33 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-07-28 04:30 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-07-28 02:21 --------- d-----w C:\Program Files\Realtek
2008-07-28 02:15 --------- d-----w C:\Program Files\BigFix
2008-06-27 03:26 --------- d-----w C:\Program Files\CMATP44
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-04 03:03 805 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.INF
2008-06-04 03:03 123,952 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-06-04 03:03 10,671 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2008-06-04 03:03 --------- d-----w C:\Program Files\Symantec
2007-11-07 14:56 0 ----a-w C:\Documents and Settings\Ted Stewart\Application Data\wklnhst.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:00 15360]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-12-11 11:56 286720]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 21:05 204288]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-07-07 09:42 2156368]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-04-12 18:49 68856]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"SpybotDeletingB7520"="command" [X]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunKistEM"="C:\Program Files\Digital Media Reader\shwiconem.exe" [2004-03-11 17:18 135168]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-09 22:59 115816]
"osCheck"="C:\Program Files\Norton AntiVirus\osCheck.exe" [2006-09-05 21:22 26248]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2005-12-15 11:18 49152]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-11-28 20:51 583048]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-12-11 11:56 286720]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-12-11 13:10 267048]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-02-15 21:41 185896]
"5417482f"="C:\DOCUME~1\HERBER~1\LOCALS~1\Temp\cabepxvp.dll" [2008-07-29 20:48 83456]
"BM57247bb3"="C:\WINDOWS\system32\bnqqjgrh.dll" [2008-07-29 21:38 91648]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2005-01-07 17:07 61952 C:\WINDOWS\system32\HdAShCut.exe]
"SoundMan"="SOUNDMAN.EXE" [2005-05-12 14:00 90112 C:\WINDOWS\SOUNDMAN.EXE]
"AlcWzrd"="ALCWZRD.EXE" [2005-05-12 14:00 2805248 C:\WINDOWS\ALCWZRD.EXE]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2005-12-15 11:40:44 282624]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BigFix.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\BigFix.lnk
backup=C:\WINDOWS\pss\BigFix.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-10-13 11:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 13:50 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CHotkey]
--a--c--- 2004-05-17 20:30 543232 C:\WINDOWS\zHotkey.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\High Definition Audio Property Page Shortcut]
--a------ 2004-03-17 17:10 61952 C:\WINDOWS\system32\Hdaudpropshortcut.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ShowWnd]
--a--c--- 2003-09-19 11:09 36864 C:\WINDOWS\ShowWnd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

S3 MN710-51;Microsoft® Wireless USB 2.0 Adapter;C:\WINDOWS\system32\DRIVERS\MN710-51.sys [2004-01-07 19:04]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d5366560-fdc2-11db-b15c-834cd9b8cd43}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder

2008-03-01 C:\WINDOWS\Tasks\Disk Cleanup.job
- C:\WINDOWS\system32\cleanmgr.exe [2004-08-04 07:00]

2008-07-30 C:\WINDOWS\Tasks\MP Scheduled Scan.job
- C:\Program Files\Windows Defender\MpCmdRun.exe [2006-11-03 19:20]

2008-07-05 C:\WINDOWS\Tasks\Norton AntiVirus - Run Full System Scan - Owner.job
- C:\PROGRA~1\NORTON~1\Navw32.exe [2006-09-07 01:38]
.
- - - - ORPHANS REMOVED - - - -

BHO-{42BFABD3-B070-4053-9485-30D7E000D3D3} - (no file)
BHO-{6CBB4252-CE26-420C-B9B4-C8758CDD8E34} - (no file)
HKCU-Run-ccleaner - C:\Program Files\CCleaner\ccleaner.exe
MSConfigStartUp-AOL Spyware Protection - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
MSConfigStartUp-mmtask - c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe


.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://www.rwandajb2008.blogspot.com/
R0 -: HKCU-Main,SearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
R1 -: HKCU-Internet Settings,ProxyOverride = *.local
R1 -: HKCU-SearchURL,(Default) = hxxp://www.google.com/search?q=%s
O8 -: &AOL Toolbar search - C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 -: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-29 23:28:12
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\explorer.exe
-> C:\DOCUME~1\HERBER~1\LOCALS~1\Temp\cabepxvp.dll
-> C:\WINDOWS\system32\bnqqjgrh.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\LxrJD31s.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
C:\Program Files\Symantec\LiveUpdate\AUPDATE.EXE
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\WINDOWS\system32\verclsid.exe
.
**************************************************************************
.
Completion time: 2008-07-29 23:32:55 - machine was rebooted
ComboFix-quarantined-files.txt 2008-07-30 04:32:47

Pre-Run: 186,796,769,280 bytes free
Post-Run: 187,003,281,408 bytes free

WinXP_EN_HOM_BF.EXE
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

274 --- E O F --- 2008-07-09 08:02:59
  • 0

Advertisements


#2
sarahw

sarahw

    Malware Staff

  • Member
  • PipPipPipPipPip
  • 2,781 posts
Hi,
Welcome to the site

I will be handling your log to help you get cleaned up.

Combofix is written for trained Security experts for this and similar forums.
It is not a standard Anti-Virus. And should not be downloaded without specific instructions to do so. Do not remove Combofix, we will need it later and removing it changes system setting.

I want you to show hidden files. There are instructions HERE to help you do this.
You should have Administrator rights to perform the fixes. Some of the instructions I give may need to be printed or saved for reference during the fix. Some of the fix will be done in Safe Mode so you will be unable to access this thread at that time.
Please dont use any of the tools without specific instructions. Some of them are dangerous (and could leave your computer in worse condition that it is when infected) if used incorrectly.
These instructions should be read first, then followed. If you do not understand something, don't be afraid to ask, or see if I'm on chat. :)


The Instructions for the Malware Removal forum HERE instruct you to download Hijack This to your desktop. Start at step five and post a Hijack This log in a reply to this topic.

:)

Edited by sarahw, 30 July 2008 - 01:20 AM.

  • 0

#3
herb81

herb81

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
Virtumonde.dll virtumonde.prx

Thanks Sarah

. So when I go through the the procedure for showing hidden files, what do I do with it. Do I post here? Next, apart from that procedure, another procedure you want me to do is install hijack this and post the log here right? I did not remove combofix. When installing combofix, i followed the instructions from this site. I'm not letting anybody touch the computer. Thanks for you help.

OK now here is a hijack this log file



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:09:20 PM, on 7/30/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LxrJD31s.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Digital Media Reader\shwiconem.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rwandajb2008.blogspot.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: (no name) - {42BFABD3-B070-4053-9485-30D7E000D3D3} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {6CBB4252-CE26-420C-B9B4-C8758CDD8E34} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\Digital Media Reader\shwiconem.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\RunOnce: [Spybot - Search & Destroy] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKLM\..\RunOnce: [SpybotDeletingA5749] command /c del "C:\WINDOWS\system32\khfDwVOH.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingC45] cmd /c del "C:\WINDOWS\system32\khfDwVOH.dll"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\RunOnce: [SpybotDeletingB7520] command /c del "C:\WINDOWS\system32\khfDwVOH.dll"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: (no name) - Cmdmapping - (no file) (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://www.gateway.com
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1178552251234
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Lexar JD31 (LxrJD31s) - Unknown owner - C:\WINDOWS\SYSTEM32\LxrJD31s.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

--
End of file - 9418 bytes

Edited by herb81, 30 July 2008 - 07:17 PM.

  • 0

#4
sarahw

sarahw

    Malware Staff

  • Member
  • PipPipPipPipPip
  • 2,781 posts
Hi,
1.
We need to backup the registry before we continue.
Registry edits can be potentially dangerous; we can revert to the backup if needed.
Go to Start » Run » type: regedit » OK.
  • On the leftside, click to highlight My Computer at the top.
  • Go up to File » Export
    • Make sure in that window there is a tick next to "All" under Export Branch.
      Leave the "Save As Type" as "Registration Files".
      Under "Filename" put RegBackup.
  • Choose to save it to C:\
  • Click save and then go to File » Exit.


2.
Launch Notepad, and copy/paste everything in the codebox below into the new document, including the word REGEDIT4. Go up to "File Save As" and click the drop-down box to change the "Save As Type" to "All Files" and save it to your desktop as fixme.reg

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"SpybotDeletingB7520"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BM57247bb3"=-
"5417482f"=-

Locate fixme.reg on your Desktop. It should look like this --> Posted Image
Double-click on it. You will receive a prompt similar to: "Do you wish to merge the information into the registry?" Answer Yes and wait for a message to appear similar to Merged Successfully.


3.
Please download the OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    C:\WINDOWS\system32\wgoqwdqh.dll
    C:\WINDOWS\system32\vpuctlou.dll
    C:\WINDOWS\system32\egsyql.dll
    C:\WINDOWS\system32\bnqqjgrh.dll
    C:\WINDOWS\system32\gvtsovbr.dll
    C:\WINDOWS\system32\xgpvsbwu.dll
    C:\WINDOWS\system32\bwrecx.dll
    C:\WINDOWS\system32\vrsdvnen.dll
    C:\WINDOWS\system32\geBtSKCt.dll
    C:\WINDOWS\system32\bbaijshv.dll
    C:\WINDOWS\system32\nlruvu.dll
    C:\WINDOWS\system32\jnchiwed.dll
    C:\WINDOWS\system32\erdocybo.dll
    C:\WINDOWS\system32\jkkKddeF.dll
    C:\WINDOWS\system32\ymdhfuhl.dll
    C:\WINDOWS\system32\nyvhwr.dll
    C:\WINDOWS\system32\dlkwvjar.dll
    C:\WINDOWS\system32\odutbuta.dll
    C:\WINDOWS\system32\nnnmnkjh.dll
    C:\WINDOWS\system32\jwsmutgi.dll
    C:\WINDOWS\system32\rtjcebib.dll
    C:\WINDOWS\system32\rnpxea.dll
    C:\WINDOWS\system32\pokmmyil.dll
    C:\WINDOWS\system32\qgjyoknt.exe
    C:\WINDOWS\system32\jnrhxb.dll
    C:\WINDOWS\system32\fibwgvjt.dll
    c:\WINDOWS\system32\wwkdarhi.dll
    C:\WINDOWS\system32\uadljbvl.dll
    C:\WINDOWS\RtlExUpd.dll
    C:\WINDOWS\system32\netrwrxy.dll
    C:\WINDOWS\system32\kujcxh.dll
    C:\WINDOWS\system32\gxhxmelh.dll
    C:\WINDOWS\system32\txlfphai.dll
    C:\WINDOWS\system32\kBin19
    C:\sqmdata02.sqm
    C:\sqmnoopt02.sqm
    C:\sqmdata01.sqm
    C:\sqmnoopt01.sqm
    C:\WINDOWS\system32\bnqqjgrh.dll
    C:\DOCUME~1\HERBER~1\LOCALS~1\Temp\cabepxvp.dll
  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to Move" window (under the light Yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.


4.
Click HERE and run an online scan with Kaspersky WebScanner
  • Click on Kaspersky Online Scanner
  • You will be promted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make that the following are selected:Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
  • Scan Options:
    Scan Archives
    Scan Mail Bases
[*]Click OK
[*]Now under select a target to scan:Select My Computer
[*]This will program will start and scan your system.
[*]The scan will take a while so be patient and let it run.
[*]Once the scan is complete it will display if your system has been infected.
Now click on the Save as Text button:
[*]Save the file to your desktop.
[*]Copy and paste that information into your next post.
[/list]
  • 0

#5
herb81

herb81

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
thanks sarahw.

here are the two logs

First OTMoveit2 log

File/Folder C:\WINDOWS\system32\wgoqwdqh.dll not found.
File/Folder C:\WINDOWS\system32\vpuctlou.dll not found.
File/Folder C:\WINDOWS\system32\egsyql.dll not found.
File/Folder C:\WINDOWS\system32\bnqqjgrh.dll not found.
File/Folder C:\WINDOWS\system32\gvtsovbr.dll not found.
File/Folder C:\WINDOWS\system32\xgpvsbwu.dll not found.
File/Folder C:\WINDOWS\system32\bwrecx.dll not found.
File/Folder C:\WINDOWS\system32\vrsdvnen.dll not found.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\geBtSKCt.dll
C:\WINDOWS\system32\geBtSKCt.dll NOT unregistered.
C:\WINDOWS\system32\geBtSKCt.dll moved successfully.
File/Folder C:\WINDOWS\system32\bbaijshv.dll not found.
File/Folder C:\WINDOWS\system32\nlruvu.dll not found.
File/Folder C:\WINDOWS\system32\jnchiwed.dll not found.
File/Folder C:\WINDOWS\system32\erdocybo.dll not found.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\jkkKddeF.dll
C:\WINDOWS\system32\jkkKddeF.dll NOT unregistered.
C:\WINDOWS\system32\jkkKddeF.dll moved successfully.
File/Folder C:\WINDOWS\system32\ymdhfuhl.dll not found.
File/Folder C:\WINDOWS\system32\nyvhwr.dll not found.
File/Folder C:\WINDOWS\system32\dlkwvjar.dll not found.
File/Folder C:\WINDOWS\system32\odutbuta.dll not found.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\nnnmnkjh.dll
C:\WINDOWS\system32\nnnmnkjh.dll NOT unregistered.
C:\WINDOWS\system32\nnnmnkjh.dll moved successfully.
File/Folder C:\WINDOWS\system32\jwsmutgi.dll not found.
File/Folder C:\WINDOWS\system32\rtjcebib.dll not found.
File/Folder C:\WINDOWS\system32\rnpxea.dll not found.
File/Folder C:\WINDOWS\system32\pokmmyil.dll not found.
C:\WINDOWS\system32\qgjyoknt.exe moved successfully.
File/Folder C:\WINDOWS\system32\jnrhxb.dll not found.
File/Folder C:\WINDOWS\system32\fibwgvjt.dll not found.
File/Folder c:\WINDOWS\system32\wwkdarhi.dll not found.
File/Folder C:\WINDOWS\system32\uadljbvl.dll not found.
File/Folder C:\WINDOWS\RtlExUpd.dll not found.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\netrwrxy.dll
C:\WINDOWS\system32\netrwrxy.dll NOT unregistered.
C:\WINDOWS\system32\netrwrxy.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\kujcxh.dll
C:\WINDOWS\system32\kujcxh.dll NOT unregistered.
C:\WINDOWS\system32\kujcxh.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\gxhxmelh.dll
C:\WINDOWS\system32\gxhxmelh.dll NOT unregistered.
C:\WINDOWS\system32\gxhxmelh.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\txlfphai.dll
C:\WINDOWS\system32\txlfphai.dll NOT unregistered.
C:\WINDOWS\system32\txlfphai.dll moved successfully.
C:\WINDOWS\system32\kBin19 moved successfully.
C:\sqmdata02.sqm moved successfully.
C:\sqmnoopt02.sqm moved successfully.
C:\sqmdata01.sqm moved successfully.
C:\sqmnoopt01.sqm moved successfully.
File/Folder C:\WINDOWS\system32\bnqqjgrh.dll not found.
File/Folder C:\DOCUME~1\HERBER~1\LOCALS~1\Temp\cabepxvp.dll not found.

OTMoveIt2 by OldTimer - Version 1.0.4.3 log created on 08032008_205343


second log is Kaspersky Online Scanner log


--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Monday, August 4, 2008
Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Monday, August 04, 2008 04:58:57
Records in database: 1050986
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\
G:\
H:\
I:\
J:\

Scan statistics:
Files scanned: 60738
Threat name: 3
Infected objects: 4
Suspicious objects: 0
Duration of the scan: 01:05:16


File name / Threat name / Threats count
C:\_OTMoveIt\MovedFiles\08032008_205343\WINDOWS\system32\gxhxmelh.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.aerg 1
C:\_OTMoveIt\MovedFiles\08032008_205343\WINDOWS\system32\kujcxh.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.bzj 1
C:\_OTMoveIt\MovedFiles\08032008_205343\WINDOWS\system32\netrwrxy.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.bzj 1
C:\_OTMoveIt\MovedFiles\08032008_205343\WINDOWS\system32\txlfphai.dll Infected: Trojan.Win32.Monder.bvd 1

The selected area was scanned.
  • 0

#6
sarahw

sarahw

    Malware Staff

  • Member
  • PipPipPipPipPip
  • 2,781 posts
Hi,
Please download Malwarebytes' Anti-Malware to your desktop.

Double-click mbam-setup.exe and follow the prompts to install the program.
At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select Perform full scan (Full scan is optional. According to the program's creator Quick Scan will do just fine.).
Click Scan.
When the scan is complete, click OK, then Show Results to view the results.

If Malware is found...
Be sure that everything is checked, and click Remove Selected.
When completed, a log will open in Notepad.
Please save it to your desktop.

NOTE: Logs can be retrieved at a later date from the Malwarebytes' Anti-Malware main screen:

Launch Malwarebytes' Anti-Malware.
Click the Logs tab.
Double-click log-mm.dd.yyyy [xxxxxx].txt.

In your next reply post the Malwarebytes' Anti-Malware log.
  • 0

#7
herb81

herb81

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
thanks for the help. here is the malwarebytes log





Malwarebytes' Anti-Malware 1.24
Database version: 1028
Windows 5.1.2600 Service Pack 3

11:34:59 PM 8/5/2008
mbam-log-8-5-2008 (23-34-59).txt

Scan type: Full Scan (C:\|)
Objects scanned: 106331
Time elapsed: 28 minute(s), 57 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 4
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\xpre (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\MS Juan (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\IProxyProvider (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\BM57247bb3.xml (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\BM57247bb3.txt (Trojan.Vundo) -> Quarantined and deleted succe
  • 0

#8
sarahw

sarahw

    Malware Staff

  • Member
  • PipPipPipPipPip
  • 2,781 posts
Hi,
Please run Combofix and post the log in a reply.
  • 0

#9
herb81

herb81

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
here is combofix log


ComboFix 08-07-29.1 - Owner 2008-08-07 21:03:42.2 - NTFSx86
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2008-07-08 to 2008-08-08 )))))))))))))))))))))))))))))))
.

2008-08-05 22:57 . 2008-08-05 22:57 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-08-05 22:57 . 2008-08-05 22:57 <DIR> d-------- C:\Documents and Settings\Herbert Magombe\Application Data\Malwarebytes
2008-08-05 22:57 . 2008-08-05 22:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-08-05 22:57 . 2008-07-30 20:07 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-08-05 22:57 . 2008-07-30 20:07 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-08-03 21:11 . 2008-08-03 21:11 <DIR> d-------- C:\Program Files\Sun
2008-08-03 21:10 . 2008-06-10 02:32 73,728 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-08-03 20:53 . 2008-08-03 20:53 <DIR> d-------- C:\_OTMoveIt
2008-08-03 20:41 . 2008-08-03 20:42 98,504,596 --a------ C:\RegBackup.reg
2008-07-31 20:58 . 2008-08-03 20:01 <DIR> d-------- C:\Program Files\RegistryFix6
2008-07-31 19:58 . 2008-07-31 19:58 <DIR> d-------- C:\WINDOWS\system32\scripting
2008-07-31 19:58 . 2008-07-31 19:58 <DIR> d-------- C:\WINDOWS\system32\en
2008-07-31 19:58 . 2008-07-31 19:58 <DIR> d-------- C:\WINDOWS\system32\bits
2008-07-31 19:58 . 2008-07-31 19:58 <DIR> d-------- C:\WINDOWS\l2schemas
2008-07-31 19:56 . 2008-07-31 19:59 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2008-07-31 19:49 . 2008-07-31 19:49 <DIR> d-------- C:\WINDOWS\EHome
2008-07-31 19:41 . 2008-04-13 19:12 4,274,816 --------- C:\WINDOWS\system32\nv4_disp.dll
2008-07-31 19:40 . 2008-04-13 19:11 1,888,992 --------- C:\WINDOWS\system32\ati3duag.dll
2008-07-31 07:18 . 2008-07-31 20:52 <DIR> d-------- C:\Application Data\AdobeUM
2008-07-30 19:08 . 2008-07-30 19:08 <DIR> d-------- C:\Program Files\Trend Micro
2008-07-29 18:44 . 2008-07-29 18:45 <DIR> d-------- C:\Program Files\Windows Defender
2008-07-28 23:52 . 2008-08-07 06:58 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Google Updater
2008-07-27 23:57 . 2008-07-29 22:45 303 --a------ C:\WINDOWS\wininit.ini
2008-07-27 21:20 . 2008-07-27 21:20 <DIR> d-------- C:\cabs
2008-07-27 14:40 . 2008-07-27 14:40 <DIR> d-------- C:\Temp\epr1
2008-07-08 21:10 . 2008-07-17 20:01 <DIR> d-------- C:\Documents and Settings\Herbert Magombe\Application Data\U3

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-06 23:11 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-08-04 23:30 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-08-04 02:10 --------- d-----w C:\Program Files\Java
2008-08-01 01:53 --------- d-----w C:\Program Files\Common Files\Adobe
2008-07-31 03:04 --------- d-----w C:\Program Files\CMATP44
2008-07-31 03:02 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-07-30 22:42 23,888 ----a-w C:\WINDOWS\system32\drivers\COH_Mon.sys
2008-07-30 22:28 706 ----a-w C:\WINDOWS\system32\drivers\COH_Mon.inf
2008-07-30 22:28 10,537 ----a-w C:\WINDOWS\system32\drivers\COH_Mon.cat
2008-07-29 12:43 --------- d-----w C:\Program Files\Google
2008-07-29 00:09 --------- d-----w C:\Program Files\Norton AntiVirus
2008-07-28 05:00 --------- d-----w C:\Documents and Settings\Herbert Magombe\Application Data\Yahoo!
2008-07-28 04:33 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-07-28 04:30 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-07-28 02:15 --------- d-----w C:\Program Files\BigFix
2008-06-30 20:45 0 ----a-w C:\Application Data\wklnhst.dat
2008-06-20 17:46 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-06-20 11:51 361,600 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 11:40 138,496 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 11:08 225,856 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-13 11:05 272,128 ----a-w C:\WINDOWS\system32\drivers\bthport.sys
2008-06-04 03:03 60,800 ----a-w C:\WINDOWS\system32\S32EVNT1.DLL
2008-05-10 03:30 71,168 ----a-w C:\WINDOWS\system32\LxrJD31s.exe
2008-05-10 03:30 61,440 ----a-w C:\WINDOWS\system32\LxrJD20Sat.dll
2008-05-10 03:30 249,856 ----a-w C:\WINDOWS\system32\LxrJD31.dll
2008-05-10 03:30 163,840 ----a-w C:\WINDOWS\system32\LxrJD31c.exe
2008-05-10 03:30 146,432 ----a-w C:\WINDOWS\system32\LxrJD31p.exe
2008-05-09 10:53 90,112 ----a-w C:\WINDOWS\system32\wshext.dll
2008-05-09 10:53 430,080 ----a-w C:\WINDOWS\system32\vbscript.dll
2008-05-09 10:53 180,224 ----a-w C:\WINDOWS\system32\scrobj.dll
2008-05-09 10:53 172,032 ----a-w C:\WINDOWS\system32\scrrun.dll
2008-05-08 11:24 155,648 ----a-w C:\WINDOWS\system32\wscript.exe
2007-11-07 14:56 0 ----a-w C:\Documents and Settings\Ted Stewart\Application Data\wklnhst.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-13 19:12 15360]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-12-11 11:56 286720]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 21:05 204288]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-07-07 09:42 2156368]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-04-12 18:49 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunKistEM"="C:\Program Files\Digital Media Reader\shwiconem.exe" [2004-03-11 17:18 135168]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-09 22:59 115816]
"osCheck"="C:\Program Files\Norton AntiVirus\osCheck.exe" [2006-09-05 21:22 26248]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2005-12-15 11:18 49152]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-11-28 20:51 583048]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-12-11 11:56 286720]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-12-11 13:10 267048]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-02-15 21:41 185896]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2005-01-07 17:07 61952 C:\WINDOWS\system32\HdAShCut.exe]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 03:38:16 29696]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2005-12-15 11:40:44 282624]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BigFix.lnk]
backup=C:\WINDOWS\pss\BigFix.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2008-04-13 19:12 1695232 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 13:50 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CHotkey]
--a--c--- 2004-05-17 20:30 543232 C:\WINDOWS\zHotkey.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\High Definition Audio Property Page Shortcut]
--a------ 2004-03-17 17:10 61952 C:\WINDOWS\system32\Hdaudpropshortcut.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ShowWnd]
--a--c--- 2003-09-19 11:09 36864 C:\WINDOWS\ShowWnd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

S3 MN710-51;Microsoft® Wireless USB 2.0 Adapter;C:\WINDOWS\system32\DRIVERS\MN710-51.sys [2004-01-07 19:04]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d5366560-fdc2-11db-b15c-834cd9b8cd43}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder

2008-03-01 C:\WINDOWS\Tasks\Disk Cleanup.job
- C:\WINDOWS\system32\cleanmgr.exe [2008-04-13 19:12]

2008-08-08 C:\WINDOWS\Tasks\MP Scheduled Scan.job
- C:\Program Files\Windows Defender\MpCmdRun.exe [2006-11-03 19:20]

2008-07-05 C:\WINDOWS\Tasks\Norton AntiVirus - Run Full System Scan - Owner.job
- C:\PROGRA~1\NORTON~1\Navw32.exe [2006-09-07 01:38]
.
- - - - ORPHANS REMOVED - - - -

BHO-{42BFABD3-B070-4053-9485-30D7E000D3D3} - (no file)
BHO-{6CBB4252-CE26-420C-B9B4-C8758CDD8E34} - (no file)


.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://www.rwandajb2008.blogspot.com/
R0 -: HKCU-Main,SearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
R1 -: HKCU-Internet Settings,ProxyOverride = *.local
R1 -: HKCU-SearchURL,(Default) = hxxp://www.google.com/search?q=%s
O8 -: &AOL Toolbar search
O8 -: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-07 21:06:23
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-08-07 21:08:11
ComboFix-quarantined-files.txt 2008-08-08 02:07:42
ComboFix2.txt 2008-07-30 04:32:59

Pre-Run: 185,057,906,688 bytes free
Post-Run: 185,227,481,088 bytes free

177 --- E O F --- 2008-08-06 09:41:53
  • 0

#10
sarahw

sarahw

    Malware Staff

  • Member
  • PipPipPipPipPip
  • 2,781 posts
1.
  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK


  • Posted Image

The above procedure will:
  • Delete the following:
    • ComboFix and its associated files and folders.
    • VundoFix backups, if present
    • The C:\Deckard folder, if present
    • The C:_OtMoveIt folder, if present
  • Reset the clock settings.
  • Hide file extensions, if required.
  • Hide System/Hidden files, if required.
  • Reset System Restore.


2.
Updating Java and Clearing Cache
  • Go to Start > Control Panel double-click on the Java Icon (coffee cup) in the Control Panel.
  • It will say "Java Plug-in" under the icon.
    Please find the update button or tab in the Java Control Panel. Update your Java then reboot.
  • If you are unable to update you can manually update by going here:
  • After the reboot, go back into the Control Panel and double-click the Java Icon.
  • Under Temporary Internet Files, click the Delete Files button.
  • There are three options in the window to clear the cache - Leave ALL 3 Checked
    Downloaded Applets
    Downloaded Applications
    Other Files
  • Click OK on Delete Temporary Files Window
    Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
  • Click OK to leave the Java Control Panel.


3.
Open Control Panel, then Add/Remove Programs. Uninstall all versions of Java except for the latest version: Version 6 Update 7.
Old versions of Java are exploitable and should be removed to prevent further infection.


4.
Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 onlyDouble-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browserClick Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browserClick Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.


5.
Tell me how the computer is running.
  • 0

Advertisements


#11
herb81

herb81

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
Thanks, it is processing faster than before. however i have this rundll problem popping up
This message comes up on my desktop



Error loading C:\DOCUME~1\HERBER~1\LOCALS~1\Temp\lamhcuay.dll

The specified module could not be found


I tried to print the screen and paste it here, seems the file is huge.
  • 0

#12
sarahw

sarahw

    Malware Staff

  • Member
  • PipPipPipPipPip
  • 2,781 posts
  • Open HiJackThis
  • Click on the "Config..." button on the bottom right
  • Click on the tab "Misc Tools"
  • Check off the 2 boxes next to the Box that says "Generate StartupList log"
  • Click on the button "Generate StartupList log"
  • Copy and past the StartupList from the notepad into your next post

  • 0

#13
herb81

herb81

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
Here is the log


StartupList report, 8/13/2008, 8:23:41 PM
StartupList version: 1.52.2
Started from : C:\Program Files\Trend Micro\HijackThis\HijackThis.EXE
Detected: Windows XP SP3 (WinNT 5.01.2600)
Detected: Internet Explorer v7.00 (7.00.6000.16705)
* Using default options
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Digital Media Reader\shwiconem.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

SunKistEM = C:\Program Files\Digital Media Reader\shwiconem.exe
ccApp = "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
osCheck = "C:\Program Files\Norton AntiVirus\osCheck.exe"
HP Software Update = C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
Symantec PIF AlertEng = "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
QuickTime Task = "C:\Program Files\QuickTime\qttask.exe" -atboottime
iTunesHelper = "C:\Program Files\iTunes\iTunesHelper.exe"
TkBellExe = "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
High Definition Audio Property Page Shortcut = HDAShCut.exe

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

ctfmon.exe = C:\WINDOWS\system32\ctfmon.exe
QuickTime Task = "C:\Program Files\QuickTime\qttask.exe" -atboottime
WMPNSCFG = C:\Program Files\Windows Media Player\WMPNSCFG.exe
SpybotSD TeaTimer = C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
swg = C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

SpybotDeletingB7520 = command /c del "C:\WINDOWS\system32\khfDwVOH.dll"

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=*Registry value not found*
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry value not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------


Enumerating Browser Helper Objects:

(no name) - (no file) - {02478D38-C3F9-4EFB-9B51-7695ECA05670}
(no name) - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
(no name) - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll - {3049C3E9-B461-4BC5-8870-4C09146192CA}
(no name) - (no file) - {42BFABD3-B070-4053-9485-30D7E000D3D3}
(no name) - C:\PROGRA~1\SPYBOT~1\SDHelper.dll - {53707962-6F74-2D53-2644-206D7942484F}
(no name) - (no file) - {6CBB4252-CE26-420C-B9B4-C8758CDD8E34}
(no name) - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}
(no name) - (no file) - {7E853D72-626A-48EC-A868-BA8D5E23E045}
(no name) - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll - {9030D464-4C02-4ABF-8ECC-5164760863C6}
(no name) - c:\program files\google\googletoolbar1.dll - {AA58ED58-01DD-4d91-8333-CF10577473F7}
(no name) - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D}

--------------------------------------------------

Enumerating Task Scheduler jobs:

Disk Cleanup.job
MP Scheduled Scan.job
Norton AntiVirus - Run Full System Scan - Owner.job

--------------------------------------------------

Enumerating Download Program Files:

[Shockwave ActiveX Control]
InProcServer32 = C:\WINDOWS\system32\Macromed\Director\SwDir.dll
CODEBASE = http://download.macr...director/sw.cab

[Windows Genuine Advantage Validation Tool]
InProcServer32 = C:\WINDOWS\system32\LegitCheckControl.DLL
CODEBASE = http://download.micr...heckControl.cab

[Office Update Installation Engine]
InProcServer32 = C:\WINDOWS\opuc.dll
CODEBASE = http://office.micros...ontent/opuc.cab

[MUWebControl Class]
InProcServer32 = C:\WINDOWS\system32\muweb.dll
CODEBASE = http://update.micros...b?1178552251234

[{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}]
CODEBASE = http://fpdownload.ma...t/ultrashim.cab

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\system32\Macromed\Flash\Flash9e.ocx
CODEBASE = http://fpdownload.ma...ash/swflash.cab

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\system32\webcheck.dll
SysTray: C:\WINDOWS\system32\stobject.dll
WPDShServiceObj: C:\WINDOWS\system32\WPDShServiceObj.dll

--------------------------------------------------
End of report, 8,265 bytes
Report generated in 0.047 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only
  • 0

#14
sarahw

sarahw

    Malware Staff

  • Member
  • PipPipPipPipPip
  • 2,781 posts
Click HERE to download Regsearch.
Download and extract the contents of the zip file.
Double-click the icon for RegSearch.exe to launch the program.
In the top box, enter lamhcuay.dll and click "OK".
After completion Notepad will be opened with all the found instances of the string.
The resulting file is saved in the same location as RegSearch.exe.
  • 0

#15
herb81

herb81

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
here is what the notepad brings. what should i do then.



Windows Registry Editor Version 5.00

; Registry Search 2.0 by Bobbi Flekman © 2005
; Version: 2.0.5.0

; Results at 8/15/2008 6:58:48 PM for strings:
; 'lamhcuay.dll '
; Strings excluded from search:
; (None)
; Search in:
; Registry Keys Registry Values Registry Data
; HKEY_LOCAL_MACHINE HKEY_USERS


; End Of The Log...
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP