Virtumonde Detected [RESOLVED]


This topic is locked.

#1 smcbkh (New Member, 6 posts)
Hello,
My Spy Sweeper with Antivirus let me know that the virtumonde adware was on my laptop and I have since tried different things to remove the problem including using Vundofix, VirtumundoBeGone, and following the steps on the "You must read this before..." None of these things seemed to work as I am still getting popups (a lot of them are for Antivirus 2008, Vista Antivirus 2009), my laptop has really slowed down, and I was unable to update anything with Windows since the problem yesterday. The virus will not let me turn the automatic updates on for Windows and when I try to go to the update page it says that I am unable to use the page since the automatic updates feature is turned off. I am also unable to sign in to these forums on my laptop, so I am using a different computer. All in all, I really don't know what I am doing so any help would be greatly appreciated. Thanks in advance.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:49:39 PM, on 8/1/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\runservice.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VzCdb\VzFw.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Sony\VAIO Power Management\SPMgr.exe
C:\Program Files\Sony\HotKey Utility\HKserv.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Sony\HotKey Utility\HKWnd.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://g.msn.com/1me10enus/2
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.sony.com/vaiopeople
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [Apoint] "C:\Program Files\Apoint\Apoint.exe"
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
O4 - HKLM\..\Run: [SonyPowerCfg] "C:\Program Files\Sony\VAIO Power Management\SPMgr.exe"
O4 - HKLM\..\Run: [HKSERV.EXE] "C:\Program Files\Sony\HotKey Utility\HKserv.exe"
O4 - HKLM\..\Run: [VAIO Update 2] "C:\Program Files\Sony\VAIO Update 2\VAIOUpdt.exe" /Stationary
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [IS CfgWiz] "C:\Program Files\Common Files\Symantec Shared\cfgwiz.exe" /GUID NIS /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [VAIO Recovery] "C:\WINDOWS\Sonysys\VAIO Recovery\PartSeal.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [CTSyncU.exe] "C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe"
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_1_0
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_01\bin\npjpi142_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_01\bin\npjpi142_01.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail....es/MSNPUpld.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O20 - AppInit_DLLs: sogxmx.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe (file missing)
O23 - Service: Symantec Password Validation (ccPwdSvc) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINDOWS\runservice.exe
O23 - Service: PACSPTISVR - Unknown owner - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\PACSPT~1.EXE
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe (file missing)
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
O23 - Service: VAIO Entertainment Aggregation and Control Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VzRs\VzRs.exe
O23 - Service: VAIO Entertainment File Import Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VzCdb\VzFw.exe
O23 - Service: VAIO Entertainment TV Device Arbitration Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VzCs\VzHardwareResourceManager\VzHardwareResourceManager.exe
O23 - Service: VAIO Entertainment UPnP Client Adapter - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VCSW\VCSW.exe
O23 - Service: VAIO Media Integrated Server (VAIOMediaPlatform-IntegratedServer-AppServer) - Sony Corporation - C:\Program Files\Sony\vaio media integrated server\VMISrv.exe
O23 - Service: VAIO Media Integrated Server (HTTP) (VAIOMediaPlatform-IntegratedServer-HTTP) - Sony Corporation - C:\Program Files\Sony\vaio media integrated server\Platform\SV_Httpd.exe
O23 - Service: VAIO Media Integrated Server (UPnP) (VAIOMediaPlatform-IntegratedServer-UPnP) - Sony Corporation - C:\Program Files\Sony\vaio media integrated server\Platform\UPnPFramework.exe
O23 - Service: VAIO Media Gateway Server (VAIOMediaPlatform-Mobile-Gateway) - Sony Corporation - C:\Program Files\Sony\vaio media integrated server\Platform\VmGateway.exe
O23 - Service: VAIO Media Video Server (VAIOMediaPlatform-VideoServer-AppServer) - Sony Corporation - C:\Program Files\Sony\vaio media integrated server\Video\GPVSvr.exe
O23 - Service: VAIO Media Video Server (HTTP) (VAIOMediaPlatform-VideoServer-HTTP) - Sony Corporation - C:\Program Files\Sony\vaio media integrated server\Platform\SV_Httpd.exe
O23 - Service: VAIO Media Video Server (UPnP) (VAIOMediaPlatform-VideoServer-UPnP) - Sony Corporation - C:\Program Files\Sony\vaio media integrated server\Platform\UPnPFramework.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 8990 bytes

-------------------------------------------------------------------------------------

Malwarebytes' Anti-Malware 1.24
Database version: 1015
Windows 5.1.2600 Service Pack 2

4:39:50 PM 8/1/2008
mbam-log-8-1-2008 (16-39-50).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 77635
Time elapsed: 42 minute(s), 52 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 2
Registry Keys Infected: 6
Registry Values Infected: 1
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 6

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\rqRLcDSl.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\xirxinnm.dll (Trojan.Vundo) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3834ee3d-27a4-4b42-8063-c83cf9662196} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{3834ee3d-27a4-4b42-8063-c83cf9662196} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\40252847 (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo) -> Data: c:\windows\system32\rqrlcdsl -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\rqrlcdsl -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\rqRLcDSl.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\lSDcLRqr.ini (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\lSDcLRqr.ini2 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\xirxinnm.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\mnnixrix.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{1C83D26D-BBBD-43D0-8754-E07CF513167A}\RP199\A0021268.exe (Trojan.Agent) -> Quarantined and deleted successfully.

#2 greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)
Please print the below instructions or copy them to Notepad. Make sure to work through the fixes in the order mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.

Run a scan in HijackThis. Check each of the following if they still exist and hit 'Fix Checked' after you checked the last one:

O20 - AppInit_DLLs: sogxmx.dll

Locate the following Files/Folders and delete them if they exist (if no location given, just do a search for them):

c:\windows\system32\sogxmx.dll

Go to http://www.bleepingc...to-use-combofix and follow the instructions on how to install the Recovery Console and run ComboFix. Go through all the steps until posting the log part. Post the combofix log here.
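A defender-side triage of the HijackThis entry types the reply above acts on (O20 AppInit_DLLs, O4 Run values, and orphaned "(file missing)" entries), written as an added example that is not part of the original thread or of HijackThis itself. The sample lines are constructed from entries in the logs posted here, and the heuristics (digits-only Run names, DLL targets, an empty AppInit_DLLs as the norm) are my assumptions, not HijackThis's own rules.

```python
"""Triage HijackThis v2 log lines for the persistence spots used by the
Vundo infection in this thread: AppInit_DLLs, Run values, orphaned entries."""
import re
from dataclasses import dataclass

# Constructed sample in HijackThis v2 log format, modelled on the entries
# discussed in this thread. The two Run lines with DLL targets are rebuilt
# from the ComboFix "Reg Loading Points" output, not copied from the HJT log.
SAMPLE_LOG = r"""
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Apoint] "C:\Program Files\Apoint\Apoint.exe"
O4 - HKLM\..\Run: [40252847] C:\WINDOWS\system32\fvweetxg.dll
O4 - HKLM\..\Run: [BM43161bdb] C:\WINDOWS\system32\dqbrfamf.dll
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
O20 - AppInit_DLLs: sogxmx.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe (file missing)
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
"""

# "O4 - HKLM\..\Run: [name] target" (Global Startup lines have another shape
# and are deliberately not matched here).
O4_RUN_RE = re.compile(
    r'^O4 - (?P<hive>.+?)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<target>.*)$')
O20_RE = re.compile(r'^O20 - AppInit_DLLs: (?P<value>.*)$')


@dataclass
class Finding:
    line: str
    reason: str


def triage(log_text: str) -> list[Finding]:
    """Return one Finding per (line, reason); a single line can earn several."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = O20_RE.match(line)
        if m and m["value"].strip():
            findings.append(Finding(line,
                "AppInit_DLLs is set: on XP this DLL is loaded into every "
                "process that loads user32.dll, so it is in use as soon as "
                "Explorer starts and cannot be deleted from a normal session"))
        m = O4_RUN_RE.match(line)
        if m:
            name, target = m["name"], m["target"]
            if name.isdigit():
                findings.append(Finding(line,
                    "Run value named with digits only; legitimate software "
                    "uses a product name here"))
            if ".dll" in target.lower():
                findings.append(Finding(line,
                    "Run value whose target is a DLL rather than a program; "
                    "check how it gets loaded and who signed it"))
        if line.endswith("(file missing)"):
            findings.append(Finding(line,
                "entry points at a file that no longer exists: an orphan "
                "left by an uninstall or a removal tool, safe to clean up"))
        if line.startswith("O23 - ") and " - Unknown owner - " in line:
            findings.append(Finding(line,
                "service binary carries no publisher information; verify "
                "the path before trusting it"))
    return findings


def suspicious_lines(log_text: str) -> list[str]:
    """Distinct flagged lines, in the order they appear in the log."""
    seen: list[str] = []
    for f in triage(log_text):
        if f.line not in seen:
            seen.append(f.line)
    return seen


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.line}\n    -> {f.reason}")
```

Feed it a full HijackThis log and review the flagged lines by hand; the heuristics point at what to look at, they do not decide what to fix.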

#3 smcbkh (Topic Starter, New Member, 6 posts)
First step went okay, but when I tried to delete this file: c:\windows\system32\sogxmx.dll
it said,
"Cannot delete sogxmx: Access is denied.
Make sure the disk is not full or write-protected and that the file is not currently in use."
I did not move on after this.

#4 greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)
Proceed with Combofix...

#5 smcbkh (Topic Starter, New Member, 6 posts)
I had to run the Combofix twice because my computer froze after the first time Combofix ran (while the log was being produced the first time), so I hope that didn't mess anything up. Here is the log from the second try:



ComboFix 08-08-01.05 - Brian Hashimoto 2008-08-03 13:13:28.2 - NTFSx86
Running from: C:\Documents and Settings\Brian Hashimoto\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\BM43161bdb.txt
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\gxteewvf.ini
C:\WINDOWS\system32\lSDcLRqr.ini
C:\WINDOWS\system32\lSDcLRqr.ini2
.
---- Previous Run -------
.
C:\Documents and Settings\Brian Hashimoto\Application Data\macromedia\Flash Player\#SharedObjects\6XLKM9U2\interclick.com
C:\Documents and Settings\Brian Hashimoto\Application Data\macromedia\Flash Player\#SharedObjects\6XLKM9U2\interclick.com\ud.sol
C:\Documents and Settings\Brian Hashimoto\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
C:\Documents and Settings\Brian Hashimoto\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\VundoFix.txt
C:\WINDOWS\BM43161bdb.txt
C:\WINDOWS\BM43161bdb.xml
C:\WINDOWS\pskt.ini
C:\WINDOWS\setup.exe
C:\WINDOWS\system32\lSDcLRqr.ini
C:\WINDOWS\system32\lSDcLRqr.ini2
C:\WINDOWS\system32\MSINET.oca

.
((((((((((((((((((((((((( Files Created from 2008-07-03 to 2008-08-03 )))))))))))))))))))))))))))))))
.

2008-08-03 13:18 . 2008-08-03 13:19 294 ---hsc--- C:\WINDOWS\system32\gxteewvf.ini
2008-08-03 13:18 . 2008-08-03 13:18 22 --a--c--- C:\WINDOWS\pskt.ini
2008-08-03 13:18 . 0 C:\WINDOWS\system32\gxteewvf.tmp
2008-08-03 13:11 . 2008-08-03 13:11 114,176 --a--c--- C:\WINDOWS\system32\inhghmhm.dll
2008-08-03 13:11 . 2008-08-03 13:11 114,176 --a--c--- C:\WINDOWS\system32\blbtcl.dll
2008-08-03 13:08 . 2008-08-03 13:08 83,456 --a--c--- C:\WINDOWS\system32\fvweetxg.dll
2008-08-03 13:06 . 2008-08-03 13:18 111,581 --a--c--- C:\WINDOWS\BM43161bdb.xml
2008-08-03 13:06 . 2008-08-03 13:06 91,648 --a--c--- C:\WINDOWS\system32\dqbrfamf.dll
2008-08-03 11:57 . 2008-08-03 11:59 <DIR> d----c--- C:\Documents and Settings\Brian Hashimoto\Application Data\U3
2008-08-02 15:31 . 2008-08-02 15:31 91,648 --a--c--- C:\WINDOWS\system32\yhjjynxq.dll
2008-08-01 15:07 . 2008-08-01 15:07 <DIR> d----c--- C:\Program Files\Trend Micro
2008-08-01 12:25 . 2008-08-01 12:25 114,176 -----c--- C:\WINDOWS\system32\sogxmx.dll
2008-08-01 12:06 . 2008-08-01 12:06 <DIR> d----c--- C:\Documents and Settings\Brian Hashimoto\Application Data\Malwarebytes
2008-08-01 12:06 . 2008-07-30 20:07 38,472 --a--c--- C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-08-01 12:06 . 2008-07-30 20:07 17,144 --a--c--- C:\WINDOWS\system32\drivers\mbam.sys
2008-08-01 12:05 . 2008-08-01 12:06 <DIR> d----c--- C:\Program Files\Malwarebytes' Anti-Malware
2008-08-01 12:05 . 2008-08-01 12:05 <DIR> d----c--- C:\Program Files\Common Files\Download Manager
2008-08-01 12:05 . 2008-08-01 12:05 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-08-01 00:39 . 2008-08-01 00:39 <DIR> d----c--- C:\VundoFix Backups
2008-08-01 00:10 . 2008-08-01 00:10 <DIR> d----c--- C:\Documents and Settings\Brian Hashimoto\Application Data\Uniblue
2008-07-31 12:14 . 2008-07-31 12:15 314,880 -----c--- C:\WINDOWS\system32\rqRLcDSl.dll
2008-07-31 12:11 . 2008-07-31 12:11 <DIR> d----c--- C:\WINDOWS\system32\vn3
2008-07-31 12:11 . 2008-07-31 12:11 <DIR> d----c--- C:\WINDOWS\system32\sem
2008-07-31 12:11 . 2008-07-31 12:11 <DIR> d----c--- C:\WINDOWS\system32\fonts
2008-07-31 12:11 . 2008-08-01 14:40 <DIR> d----c--- C:\WINDOWS\system32\esr
2008-07-31 12:09 . 2008-07-31 12:09 <DIR> d----c--- C:\WINDOWS\system32\kBin19
2008-07-31 12:09 . 2008-07-31 12:11 <DIR> d----c--- C:\Temp\epr1
2008-07-31 12:09 . 2008-08-03 12:09 <DIR> d----c--- C:\Temp
2008-07-30 01:16 . 2008-07-30 01:16 <DIR> d----c--- C:\WINDOWS\system32\LogFiles
2008-07-30 01:16 . 2008-07-31 00:29 <DIR> d----c--- C:\WINDOWS\system32\drivers\UMDF
2008-07-08 00:53 . 2008-07-08 00:53 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-07-08 00:53 . 2008-07-08 00:53 37,027 --a--c--- C:\WINDOWS\atmoUn.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-31 19:20 --------- dc----w C:\Documents and Settings\Brian Hashimoto\Application Data\Azureus
2008-07-31 17:48 --------- dc----w C:\Documents and Settings\Brian Hashimoto\Application Data\AdobeUM
2008-07-30 21:13 --------- dc----w C:\Program Files\Common Files\Adobe
2008-07-03 06:58 --------- dc----w C:\Documents and Settings\Brian Hashimoto\Application Data\ZoomBrowser EX
2008-07-03 06:47 --------- dc----w C:\Documents and Settings\All Users\Application Data\ZoomBrowser
2008-07-02 22:46 --------- dc----w C:\Program Files\Azureus
2008-06-21 22:58 --------- dc----w C:\Program Files\Viewpoint
2008-06-21 22:58 --------- dc----w C:\Program Files\AOD
2008-06-20 17:41 245,248 -c--a-w C:\WINDOWS\system32\mswsock.dll
2008-06-20 10:45 360,320 -c--a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:44 138,368 -c--a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 09:52 225,920 -c--a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-19 07:17 48,640 -c--a-w C:\WINDOWS\mmfs.dll
2008-06-19 07:17 2,560 -c--a-w C:\WINDOWS\Runservice.exe
2008-06-19 06:44 --------- dc----w C:\Program Files\Out of the Park Developments
2008-06-13 13:10 272,128 -c----w C:\WINDOWS\system32\drivers\bthport.sys
2008-05-07 05:18 1,287,680 -c--a-w C:\WINDOWS\system32\quartz.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{c84e37aa-525d-4246-ac14-571444f15987}]
2008-08-03 13:11 114176 --a--c--- C:\WINDOWS\system32\blbtcl.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FAD4CCE7-395A-4187-BEB9-4560E8090989}]
2008-07-31 12:15 314880 -----c--- C:\WINDOWS\system32\rqRLcDSl.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [BU]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 16:45 313472]
"Uniblue RegistryBooster 2"="C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe" [BU]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="C:\Program Files\Apoint\Apoint.exe" [2003-11-07 18:21 114688]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-04-27 21:10 335872]
"SonyPowerCfg"="C:\Program Files\Sony\VAIO Power Management\SPMgr.exe" [2003-12-11 23:03 167936]
"HKSERV.EXE"="C:\Program Files\Sony\HotKey Utility\HKserv.exe" [2004-02-12 23:01 98304]
"VAIO Update 2"="C:\Program Files\Sony\VAIO Update 2\VAIOUpdt.exe" [2004-01-17 03:36 135168]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [BU]
"IS CfgWiz"="C:\Program Files\Common Files\Symantec Shared\cfgwiz.exe" [BU]
"VAIO Recovery"="C:\WINDOWS\Sonysys\VAIO Recovery\PartSeal.exe" [2003-04-19 22:08 28672]
"URLLSTCK.exe"="C:\Program Files\Norton Internet Security\UrlLstCk.exe" [BU]
"ezShieldProtector for Px"="C:\WINDOWS\System32\ezSP_Px.exe" [2002-08-20 11:29 40960]
"40252847"="C:\WINDOWS\system32\fvweetxg.dll" [2008-08-03 13:08 83456]
"BM43161bdb"="C:\WINDOWS\system32\dqbrfamf.dll" [2008-08-03 13:06 91648]
"Mouse Suite 98 Daemon"="ICO.EXE" [BU]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 03:38:16 29696]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [2000-01-21 01:15:54 65588]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.dvsd"= C:\PROGRA~1\COMMON~1\SONYSH~1\VideoLib\sonydv.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R2 LicCtrlService;LicCtrl Service;C:\WINDOWS\runservice.exe [2008-06-19 00:17]
R2 VAIO Entertainment File Import Service;VAIO Entertainment File Import Service;C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VzCdb\VzFw.exe [2004-03-12 18:32]
S3 VAIO Entertainment UPnP Client Adapter;VAIO Entertainment UPnP Client Adapter;C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VCSW\VCSW.exe [2004-03-12 17:57]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
\Shell\AutoRun\command - G:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder

2008-08-03 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 12:20]

2008-01-02 C:\WINDOWS\Tasks\Registration reminder 1.job
- C:\WINDOWS\System32\OOBE\oobebaln.exe [2004-08-04 00:56]

2008-01-02 C:\WINDOWS\Tasks\Registration reminder 2.job
- C:\WINDOWS\System32\OOBE\oobebaln.exe [2004-08-04 00:56]

2008-08-02 C:\WINDOWS\Tasks\wrSpySweeper_L789F8830DEB34F35868D06229E196D62.job
- C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe [2008-01-04 20:56]

2008-08-02 C:\WINDOWS\Tasks\wrSpySweeper_L789F8830DEB34F35868D06229E196D62.job
- C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe [2008-01-04 20:56]

2008-08-02 C:\WINDOWS\Tasks\wrSpySweeper_L789F8830DEB34F35868D06229E196D62.job
- C:\","D:\","E:\","F:\" []
.
- - - - ORPHANS REMOVED - - - -

Notify-qomljjj - qomljjj.dll


.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://www.yahoo.com/
R1 -: HKCU-Internet Connection Wizard,ShellNext = hxxp://www.sony.com/vaiopeople
O8 -: &Windows Live Search - C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 -: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-03 13:18:20
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


C:\WINDOWS\BM43161bdb.txt 73 bytes
C:\WINDOWS\system32\gxteewvf.ini 294 bytes

scan completed successfully
hidden files: 2

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\Ati2evxx.dll

PROCESS: C:\WINDOWS\explorer.exe
-> C:\WINDOWS\system32\fvweetxg.dll
-> C:\WINDOWS\system32\dqbrfamf.dll
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Apoint\ApntEx.exe
C:\Program Files\Sony\HotKey Utility\HKWnd.exe
.
**************************************************************************
.
Completion time: 2008-08-03 13:21:08 - machine was rebooted [Brian Hashimoto]
ComboFix-quarantined-files.txt 2008-08-03 20:21:02

Pre-Run: 8,620,900,352 bytes free
Post-Run: 8,615,944,192 bytes free

186 --- E O F --- 2008-07-31 08:13:54

#6 greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)
Download ATF Cleaner at http://www.atribune..../click.php?id=1
Double-click ATF-Cleaner.exe to run the program. Under Main choose Select All
Click the Empty Selected button.

If you use the Firefox browser click Firefox at the top and choose Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use the Opera browser click 'Opera' at the top and choose 'Select All'
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.


Open up your Notepad editor (Start->Run, type in notepad and click OK). Copy the text from the quotebox below into Notepad:

http://www.geekstogo...ed-t206931.html
Collect::
C:\WINDOWS\system32\gxteewvf.ini
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\gxteewvf.tmp
C:\WINDOWS\system32\inhghmhm.dll
C:\WINDOWS\system32\blbtcl.dll
C:\WINDOWS\system32\fvweetxg.dll
C:\WINDOWS\BM43161bdb.xml
C:\WINDOWS\system32\dqbrfamf.dll
C:\WINDOWS\system32\yhjjynxq.dll
C:\WINDOWS\system32\sogxmx.dll
C:\WINDOWS\system32\rqRLcDSl.dll
DirLook::
C:\WINDOWS\system32\LogFiles
Folder::
C:\WINDOWS\system32\vn3
C:\WINDOWS\system32\sem
C:\WINDOWS\system32\fonts
C:\WINDOWS\system32\esr
C:\WINDOWS\system32\kBin19
C:\Temp\epr1
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{c84e37aa-525d-4246-ac14-571444f15987}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FAD4CCE7-395A-4187-BEB9-4560E8090989}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"40252847"=-
"BM43161bdb"=-

Save this as CFScript.txt in the same location as the ComboFix.exe tool.
Drag the CFScript.txt into ComboFix.exe
Follow the prompts. When finished, it shall produce a log for you. Post that log in your next reply.

Note: Do not click on combofix's window while it's running. That may cause it to stall.

Combofix will tell you that it needs to submit some files online. Please allow it to do so.

#7 smcbkh (Topic Starter, New Member, 6 posts)
My computer is not connecting to the Internet and there is a .zip file on my desktop that I don't know what to do with.
This is the log that was posted.



ComboFix 08-08-01.05 - Brian Hashimoto 2008-08-03 16:35:09.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.95 [GMT -7:00]
Running from: C:\Documents and Settings\Brian Hashimoto\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Brian Hashimoto\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Temp\epr1
C:\Temp\epr1\K19i.log
C:\WINDOWS\BM43161bdb.txt
C:\WINDOWS\BM43161bdb.xml
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\blbtcl.dll
C:\WINDOWS\system32\dqbrfamf.dll
C:\WINDOWS\system32\esr
C:\WINDOWS\system32\fonts
C:\WINDOWS\system32\fvweetxg.dll
C:\WINDOWS\system32\gxteewvf.ini
C:\WINDOWS\system32\inhghmhm.dll
C:\WINDOWS\system32\jmpmqijm.ini
C:\WINDOWS\system32\kBin19
C:\WINDOWS\system32\kBin19\kBin191065.exe
C:\WINDOWS\system32\lSDcLRqr.ini
C:\WINDOWS\system32\lSDcLRqr.ini2
C:\WINDOWS\system32\rqRLcDSl.dll
C:\WINDOWS\system32\sem
C:\WINDOWS\system32\sogxmx.dll
C:\WINDOWS\system32\vn3
C:\WINDOWS\system32\yhjjynxq.dll

.
((((((((((((((((((((((((( Files Created from 2008-07-03 to 2008-08-03 )))))))))))))))))))))))))))))))
.

2008-08-03 16:32 . 2008-08-03 16:32 91,648 --a--c--- C:\WINDOWS\system32\aeaqbgtb.dll
2008-08-03 16:32 . 2008-08-03 16:32 83,456 --a--c--- C:\WINDOWS\system32\mjiqmpmj.dll
2008-08-03 11:57 . 2008-08-03 11:59 <DIR> d----c--- C:\Documents and Settings\Brian Hashimoto\Application Data\U3
2008-08-01 15:07 . 2008-08-01 15:07 <DIR> d----c--- C:\Program Files\Trend Micro
2008-08-01 12:06 . 2008-08-01 12:06 <DIR> d----c--- C:\Documents and Settings\Brian Hashimoto\Application Data\Malwarebytes
2008-08-01 12:06 . 2008-07-30 20:07 38,472 --a--c--- C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-08-01 12:06 . 2008-07-30 20:07 17,144 --a--c--- C:\WINDOWS\system32\drivers\mbam.sys
2008-08-01 12:05 . 2008-08-01 12:06 <DIR> d----c--- C:\Program Files\Malwarebytes' Anti-Malware
2008-08-01 12:05 . 2008-08-01 12:05 <DIR> d----c--- C:\Program Files\Common Files\Download Manager
2008-08-01 12:05 . 2008-08-01 12:05 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-08-01 00:39 . 2008-08-01 00:39 <DIR> d----c--- C:\VundoFix Backups
2008-08-01 00:10 . 2008-08-01 00:10 <DIR> d----c--- C:\Documents and Settings\Brian Hashimoto\Application Data\Uniblue
2008-07-31 12:09 . 2008-08-03 16:35 <DIR> d----c--- C:\Temp
2008-07-30 01:16 . 2008-07-30 01:16 <DIR> d----c--- C:\WINDOWS\system32\LogFiles
2008-07-30 01:16 . 2008-07-31 00:29 <DIR> d----c--- C:\WINDOWS\system32\drivers\UMDF
2008-07-08 00:53 . 2008-07-08 00:53 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-07-08 00:53 . 2008-07-08 00:53 37,027 --a--c--- C:\WINDOWS\atmoUn.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-31 19:20 --------- dc----w C:\Documents and Settings\Brian Hashimoto\Application Data\Azureus
2008-07-31 17:48 --------- dc----w C:\Documents and Settings\Brian Hashimoto\Application Data\AdobeUM
2008-07-30 21:13 --------- dc----w C:\Program Files\Common Files\Adobe
2008-07-03 06:58 --------- dc----w C:\Documents and Settings\Brian Hashimoto\Application Data\ZoomBrowser EX
2008-07-03 06:47 --------- dc----w C:\Documents and Settings\All Users\Application Data\ZoomBrowser
2008-07-02 22:46 --------- dc----w C:\Program Files\Azureus
2008-06-21 22:58 --------- dc----w C:\Program Files\Viewpoint
2008-06-21 22:58 --------- dc----w C:\Program Files\AOD
2008-06-20 10:45 360,320 -c--a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:44 138,368 -c--a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 09:52 225,920 -c--a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-19 07:17 48,640 -c--a-w C:\WINDOWS\mmfs.dll
2008-06-19 07:17 2,560 -c--a-w C:\WINDOWS\Runservice.exe
2008-06-19 06:44 --------- dc----w C:\Program Files\Out of the Park Developments
2008-06-13 13:10 272,128 -c----w C:\WINDOWS\system32\drivers\bthport.sys
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

---- Directory of C:\WINDOWS\system32\LogFiles ----

2008-08-03 13:17 8192 --a--c--- C:\WINDOWS\system32\LogFiles\WUDF\WUDFTrace.etl


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [BU]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 16:45 313472]
"Uniblue RegistryBooster 2"="C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe" [BU]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="C:\Program Files\Apoint\Apoint.exe" [2003-11-07 18:21 114688]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-04-27 21:10 335872]
"SonyPowerCfg"="C:\Program Files\Sony\VAIO Power Management\SPMgr.exe" [2003-12-11 23:03 167936]
"HKSERV.EXE"="C:\Program Files\Sony\HotKey Utility\HKserv.exe" [2004-02-12 23:01 98304]
"VAIO Update 2"="C:\Program Files\Sony\VAIO Update 2\VAIOUpdt.exe" [2004-01-17 03:36 135168]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [BU]
"IS CfgWiz"="C:\Program Files\Common Files\Symantec Shared\cfgwiz.exe" [BU]
"VAIO Recovery"="C:\WINDOWS\Sonysys\VAIO Recovery\PartSeal.exe" [2003-04-19 22:08 28672]
"URLLSTCK.exe"="C:\Program Files\Norton Internet Security\UrlLstCk.exe" [BU]
"ezShieldProtector for Px"="C:\WINDOWS\System32\ezSP_Px.exe" [2002-08-20 11:29 40960]
"Mouse Suite 98 Daemon"="ICO.EXE" [BU]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 03:38:16 29696]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [2000-01-21 01:15:54 65588]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.dvsd"= C:\PROGRA~1\COMMON~1\SONYSH~1\VideoLib\sonydv.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R2 LicCtrlService;LicCtrl Service;C:\WINDOWS\runservice.exe [2008-06-19 00:17]
R2 VAIO Entertainment File Import Service;VAIO Entertainment File Import Service;C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VzCdb\VzFw.exe [2004-03-12 18:32]
S3 VAIO Entertainment UPnP Client Adapter;VAIO Entertainment UPnP Client Adapter;C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VCSW\VCSW.exe [2004-03-12 17:57]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
\Shell\AutoRun\command - G:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0b89f680-618e-11dd-bce6-000e9b24880f}]
\Shell\AutoRun\command - G:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder

2008-08-03 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 12:20]

2008-01-02 C:\WINDOWS\Tasks\Registration reminder 1.job
- C:\WINDOWS\System32\OOBE\oobebaln.exe [2004-08-04 00:56]

2008-01-02 C:\WINDOWS\Tasks\Registration reminder 2.job
- C:\WINDOWS\System32\OOBE\oobebaln.exe [2004-08-04 00:56]

2008-08-02 C:\WINDOWS\Tasks\wrSpySweeper_L789F8830DEB34F35868D06229E196D62.job
- C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe [2008-01-04 20:56]

2008-08-02 C:\WINDOWS\Tasks\wrSpySweeper_L789F8830DEB34F35868D06229E196D62.job
- C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe [2008-01-04 20:56]

2008-08-02 C:\WINDOWS\Tasks\wrSpySweeper_L789F8830DEB34F35868D06229E196D62.job
- C:\","D:\","E:\","F:\" []
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-03 16:39:06
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\Ati2evxx.dll
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Apoint\ApntEx.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Sony\HotKey Utility\HKWnd.exe
.
**************************************************************************
.
Completion time: 2008-08-03 16:42:17 - machine was rebooted
ComboFix-quarantined-files.txt 2008-08-03 23:42:12
ComboFix2.txt 2008-08-03 20:21:09

Pre-Run: 8,607,883,264 bytes free
Post-Run: 8,597,569,536 bytes free

157 --- E O F --- 2008-07-31 08:13:54
#8
greyknight17
    Malware Expert
  • Visiting Consultant
  • 16,560 posts
Why can't you go online? I don't recall you mentioning this as one of the problems....

Uninstall Viewpoint via the Add/Remove Programs panel.

Open up your Notepad editor (Start->Run, type in notepad and click OK). Copy the text from the quotebox below into Notepad:

File::
C:\WINDOWS\system32\aeaqbgtb.dll
C:\WINDOWS\system32\mjiqmpmj.dll

Save this as CFScript.txt in the same location as the ComboFix.exe tool.
Drag the CFScript.txt into ComboFix.exe
Follow the prompts. When finished, it shall produce a log for you. Post that log in your next reply.

Note: Do not click on combofix's window while it's running. That may cause it to stall.
#9
smcbkh
    New Member
  • Topic Starter
  • Member
  • 6 posts
Sorry, it was my fault. I guess I inadvertently hit the switch for the wireless networking on my laptop and didn't notice it until my brother pointed it out to me. I am able to connect to the Internet just fine, but I still can't submit the .zip file when I tried to run ComboFix with the 1st CFScript.txt again. Sorry again.

Also, there was no Viewpoint listed under the Add/Remove Programs panel, so I did a search and deleted it that way. However, I don't know if that is sufficient or not.


ComboFix 08-08-01.05 - Brian Hashimoto 2008-08-04 22:26:54.7 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.165 [GMT -7:00]
Running from: C:\Documents and Settings\Brian Hashimoto\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Brian Hashimoto\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\WINDOWS\system32\aeaqbgtb.dll
C:\WINDOWS\system32\mjiqmpmj.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\aeaqbgtb.dll
C:\WINDOWS\system32\mjiqmpmj.dll

.
((((((((((((((((((((((((( Files Created from 2008-07-05 to 2008-08-05 )))))))))))))))))))))))))))))))
.

2008-08-03 11:57 . 2008-08-03 11:59 <DIR> d----c--- C:\Documents and Settings\Brian Hashimoto\Application Data\U3
2008-08-01 15:07 . 2008-08-01 15:07 <DIR> d----c--- C:\Program Files\Trend Micro
2008-08-01 12:06 . 2008-08-01 12:06 <DIR> d----c--- C:\Documents and Settings\Brian Hashimoto\Application Data\Malwarebytes
2008-08-01 12:06 . 2008-07-30 20:07 38,472 --a--c--- C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-08-01 12:06 . 2008-07-30 20:07 17,144 --a--c--- C:\WINDOWS\system32\drivers\mbam.sys
2008-08-01 12:05 . 2008-08-01 12:06 <DIR> d----c--- C:\Program Files\Malwarebytes' Anti-Malware
2008-08-01 12:05 . 2008-08-01 12:05 <DIR> d----c--- C:\Program Files\Common Files\Download Manager
2008-08-01 12:05 . 2008-08-01 12:05 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-08-01 00:39 . 2008-08-01 00:39 <DIR> d----c--- C:\VundoFix Backups
2008-08-01 00:10 . 2008-08-01 00:10 <DIR> d----c--- C:\Documents and Settings\Brian Hashimoto\Application Data\Uniblue
2008-07-31 12:09 . 2008-08-03 16:35 <DIR> d----c--- C:\Temp
2008-07-30 01:16 . 2008-07-30 01:16 <DIR> d----c--- C:\WINDOWS\system32\LogFiles
2008-07-30 01:16 . 2008-07-31 00:29 <DIR> d----c--- C:\WINDOWS\system32\drivers\UMDF
2008-07-08 00:53 . 2008-07-08 00:53 37,027 --a--c--- C:\WINDOWS\atmoUn.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-31 19:20 --------- dc----w C:\Documents and Settings\Brian Hashimoto\Application Data\Azureus
2008-07-31 17:48 --------- dc----w C:\Documents and Settings\Brian Hashimoto\Application Data\AdobeUM
2008-07-30 21:13 --------- dc----w C:\Program Files\Common Files\Adobe
2008-07-03 06:58 --------- dc----w C:\Documents and Settings\Brian Hashimoto\Application Data\ZoomBrowser EX
2008-07-03 06:47 --------- dc----w C:\Documents and Settings\All Users\Application Data\ZoomBrowser
2008-07-02 22:46 --------- dc----w C:\Program Files\Azureus
2008-06-21 22:58 --------- dc----w C:\Program Files\AOD
2008-06-20 17:41 245,248 -c--a-w C:\WINDOWS\system32\mswsock.dll
2008-06-20 10:45 360,320 -c--a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:44 138,368 -c--a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 09:52 225,920 -c--a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-19 07:17 48,640 -c--a-w C:\WINDOWS\mmfs.dll
2008-06-19 07:17 2,560 -c--a-w C:\WINDOWS\Runservice.exe
2008-06-19 06:44 --------- dc----w C:\Program Files\Out of the Park Developments
2008-06-13 13:10 272,128 -c----w C:\WINDOWS\system32\drivers\bthport.sys
2008-05-07 05:18 1,287,680 -c--a-w C:\WINDOWS\system32\quartz.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [BU]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 16:45 313472]
"Uniblue RegistryBooster 2"="C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe" [BU]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="C:\Program Files\Apoint\Apoint.exe" [2003-11-07 18:21 114688]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-04-27 21:10 335872]
"SonyPowerCfg"="C:\Program Files\Sony\VAIO Power Management\SPMgr.exe" [2003-12-11 23:03 167936]
"HKSERV.EXE"="C:\Program Files\Sony\HotKey Utility\HKserv.exe" [2004-02-12 23:01 98304]
"VAIO Update 2"="C:\Program Files\Sony\VAIO Update 2\VAIOUpdt.exe" [2004-01-17 03:36 135168]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [BU]
"IS CfgWiz"="C:\Program Files\Common Files\Symantec Shared\cfgwiz.exe" [BU]
"VAIO Recovery"="C:\WINDOWS\Sonysys\VAIO Recovery\PartSeal.exe" [2003-04-19 22:08 28672]
"URLLSTCK.exe"="C:\Program Files\Norton Internet Security\UrlLstCk.exe" [BU]
"ezShieldProtector for Px"="C:\WINDOWS\System32\ezSP_Px.exe" [2002-08-20 11:29 40960]
"Mouse Suite 98 Daemon"="ICO.EXE" [BU]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 03:38:16 29696]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [2000-01-21 01:15:54 65588]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.dvsd"= C:\PROGRA~1\COMMON~1\SONYSH~1\VideoLib\sonydv.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R2 LicCtrlService;LicCtrl Service;C:\WINDOWS\runservice.exe [2008-06-19 00:17]
R2 VAIO Entertainment File Import Service;VAIO Entertainment File Import Service;C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VzCdb\VzFw.exe [2004-03-12 18:32]
S3 VAIO Entertainment UPnP Client Adapter;VAIO Entertainment UPnP Client Adapter;C:\Program Files\Common Files\Sony Shared\VAIO Entertainment\VCSW\VCSW.exe [2004-03-12 17:57]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
\Shell\AutoRun\command - G:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0b89f680-618e-11dd-bce6-000e9b24880f}]
\Shell\AutoRun\command - G:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder

2008-08-04 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 12:20]

2008-01-02 C:\WINDOWS\Tasks\Registration reminder 1.job
- C:\WINDOWS\System32\OOBE\oobebaln.exe [2004-08-04 00:56]

2008-01-02 C:\WINDOWS\Tasks\Registration reminder 2.job
- C:\WINDOWS\System32\OOBE\oobebaln.exe [2004-08-04 00:56]

2008-08-02 C:\WINDOWS\Tasks\wrSpySweeper_L789F8830DEB34F35868D06229E196D62.job
- C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe [2008-01-04 20:56]

2008-08-02 C:\WINDOWS\Tasks\wrSpySweeper_L789F8830DEB34F35868D06229E196D62.job
- C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe [2008-01-04 20:56]

2008-08-02 C:\WINDOWS\Tasks\wrSpySweeper_L789F8830DEB34F35868D06229E196D62.job
- C:\","D:\","E:\","F:\" []
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-04 22:28:11
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\Ati2evxx.dll
.
Completion time: 2008-08-04 22:29:19
ComboFix-quarantined-files.txt 2008-08-05 05:29:06
ComboFix2.txt 2008-08-04 00:08:09
ComboFix3.txt 2008-08-03 23:58:03
ComboFix4.txt 2008-08-03 23:53:15
ComboFix5.txt 2008-08-05 05:26:19

Pre-Run: 8,520,183,808 bytes free
Post-Run: 8,506,290,176 bytes free

125 --- E O F --- 2008-07-31 08:13:54
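As an added triage example (not from this thread, ComboFix or its author), the Python below parses ComboFix "Files Created" and mountpoints2 lines like the ones above and flags two things a reviewer looks for in such a log: DLLs dropped directly into system32 with eight random lowercase letters as a name, the Virtumonde naming pattern behind aeaqbgtb.dll and mjiqmpmj.dll, and AutoRun commands registered for removable drives. The sample log, including the sizes and timestamps for the two DLLs, is constructed; the name test is a heuristic that also matches some legitimate eight-letter system DLLs, so its output is a list of files to check, not a verdict.

```python
import re
from typing import Dict, List

# One ComboFix "Files Created" line: created ts, ".", modified ts, size or <DIR>, attrs, path
FILE_LINE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. (?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+"
    r"(?P<size>[\d,]+|<DIR>)\s+(?P<attrs>\S+)\s+(?P<path>[A-Za-z]:\\.+)$"
)
# A mountpoints2 AutoRun line, e.g. "\Shell\AutoRun\command - G:\LaunchU3.exe -a"
AUTORUN_LINE = re.compile(r"^\\Shell\\AutoRun\\command - (?P<cmd>.+)$")
# Heuristic: Vundo/Virtumonde DLLs in this thread use an 8-letter random stem.
RANDOM_STEM = re.compile(r"^[a-z]{8}\.dll$")
SYSTEM32 = "c:\\windows\\system32\\"

# Constructed sample; the two DLL paths and the U3 AutoRun entry come from the thread,
# the sizes and timestamps for the DLLs are made up for the example.
SAMPLE_LOG = """\
((((((((((((((((((((((((( Files Created from 2008-07-05 to 2008-08-05 )))))))))))))))))))))))))))))))
.
2008-08-01 12:06 . 2008-07-30 20:07 17,144 --a--c--- C:\\WINDOWS\\system32\\drivers\\mbam.sys
2008-07-30 22:14 . 2008-07-30 22:14 281,091 --a------ C:\\WINDOWS\\system32\\aeaqbgtb.dll
2008-07-30 22:14 . 2008-07-30 22:14 280,312 --a------ C:\\WINDOWS\\system32\\mjiqmpmj.dll
2008-07-08 00:53 . 2008-07-08 00:53 37,027 --a--c--- C:\\WINDOWS\\atmoUn.exe
2008-07-30 01:16 . 2008-07-30 01:16 <DIR> d----c--- C:\\WINDOWS\\system32\\LogFiles
[HKEY_CURRENT_USER\\software\\microsoft\\windows\\currentversion\\explorer\\mountpoints2\\G]
\\Shell\\AutoRun\\command - G:\\LaunchU3.exe -a
"""

def parse_files_created(log: str) -> List[Dict[str, str]]:
    """Return one dict per file/dir line; other log lines are ignored."""
    entries = []
    for line in log.splitlines():
        m = FILE_LINE.match(line.strip())
        if m:
            d = m.groupdict()
            d["is_dir"] = d["size"] == "<DIR>"
            entries.append(d)
    return entries

def suspicious_system32_dlls(log: str) -> List[str]:
    """Files placed directly in system32 (not a subfolder) with an 8-letter random-looking stem."""
    hits = []
    for e in parse_files_created(log):
        low = e["path"].lower()
        if e["is_dir"] or not low.startswith(SYSTEM32):
            continue
        stem = low[len(SYSTEM32):]
        if "\\" not in stem and RANDOM_STEM.match(stem):
            hits.append(e["path"])
    return hits

def removable_autoruns(log: str) -> List[str]:
    """AutoRun commands Explorer will run when a mapped removable drive is inserted."""
    return [m.group("cmd") for m in (AUTORUN_LINE.match(l.strip()) for l in log.splitlines()) if m]

if __name__ == "__main__":
    print("check:", suspicious_system32_dlls(SAMPLE_LOG))
    print("autorun:", removable_autoruns(SAMPLE_LOG))
```

The U3 launcher entry is a normal SanDisk artifact, but the same AutoRun mechanism is a well-known worm vector on XP, which is why it belongs on a reviewer's checklist next to the random-named DLLs.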
#10
greyknight17
    Malware Expert
  • Visiting Consultant
  • 16,560 posts
No worries :)

Good job. Your log is clean.

To help prevent future spyware infections, read the Anti-Spyware Tutorial and use the tools provided.

Are there any problems now? If none, go to Start->Run, copy/paste in combofix /u and hit OK to remove it. You should be set to go.
#11
smcbkh
    New Member
  • Topic Starter
  • Member
  • 6 posts
Thank you very much. Everything is working great.
#12
greyknight17
    Malware Expert
  • Visiting Consultant
  • 16,560 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.