Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Vundo.CJ/CI - Windows32/Heur - BHO.GPT & Pop-Ups


  • Please log in to reply

#1
itgl72

itgl72

    New Member

  • Member
  • Pip
  • 2 posts
I'm getting a combination of different bad things on this PC lately. Vundo.CJ/CI - Windows32/Heur - BHO.GPT & Pop-Ups on my browser.

I tried to read the list of what to do before hand, and think I have done them but none the less I am still at a loss here.

My browser seems to just pop up NEW windows.

After logging into windows I get error boxes poping up saying:

THE SPECIFIC MODULE COULD NOT BE FOUND

c:\windows\system32\topapope.dll
c:\windows\system32\puvizuda.dll

(The above seem to be random file names than when it first started)

Here are sine if the warnings I am getting....

AVG Threat detected!
C:\windows\system32\suwidusu.dll
Threat Name: Trojan horse BHO.GPT
Detected on Open

Also found a Trojan Horse Vundo.BZ in the C:\system_volume_information\_restore(long number)\A0168627.dll

AVG Threat Detected!
C:\windows\system32\bakivige.dll
Threat Name: Trojan horse Vundo.CJ
Detected on Open



Spybot Search & Destroy
Finds Virtumonde.prx
Autorun Settings:
HKEY_LOCAL_MACHINE_SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CPM27116F56
IN REGISTRY:

VALUE: CPM27116f56
VALUE DATA: Rundll32.exe "c:\windows\system32\topapope.dll",a

HKEY_LOCAL_MACHINE_SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wohohubake
IN REGISTRY:

VALUE: wohohubake
VALUE DATA: Rundll32.exe "C:\WINDOWS\system32\puvizuda.dll",s


VundoFix.exe DID NOT FIND anything on its scan.







Here is my hijackthislog:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:33:15 PM, on 2008-12-14
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\nHancer\nHancerService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Logitech\Gaming Software\LWEMon.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\nHancer\nHancer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\program files\steam\steam.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\AVG\AVG8\avgui.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.google.c...hp?hl=en&tab=wn
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {ca330dbe-a907-4c49-9475-46d9042dc8a2} - C:\WINDOWS\system32\zeraseba.dll (file missing)
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdmcks.dll
O4 - HKLM\..\Run: [IntelliPoint] "c:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [Start WingMan Profiler] C:\Program Files\Logitech\Gaming Software\LWEMon.exe /noui
O4 - HKLM\..\Run: [JMB36X IDE Setup] C:\WINDOWS\RaidTool\xInsIDE.exe
O4 - HKLM\..\Run: [36X Raid Configurer] C:\WINDOWS\system32\xRaidSetup.exe boot
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [wohohubake] Rundll32.exe "C:\WINDOWS\system32\lepujeji.dll",s
O4 - HKLM\..\Run: [24225cca] rundll32.exe "C:\WINDOWS\system32\madujeri.dll",b
O4 - HKLM\..\Run: [CPM27116f56] Rundll32.exe "C:\WINDOWS\system32\dotewawa.dll",a
O4 - HKCU\..\Run: [nHancer] "C:\Program Files\nHancer\nHancer.exe" /tray
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Broken Internet access because of LSP provider 'c:\program files\bonjour\mdnsnsp.dll' missing
O15 - Trusted Zone: www.gamls.com
O15 - Trusted Zone: http://atl.rexplorer.net
O15 - Trusted Zone: *.rexplorer.net
O16 - DPF: {0D6709DD-4ED8-40CA-B459-2757AEEF7BEE} (Dldrv2 Control) - http://download.giga...bject/Dldrv.ocx
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {2564B8E6-7D84-11D4-A689-30475BC10000} - http://www.toolkitcm...tkweb/tkweb.cab
O16 - DPF: {4E330863-6A11-11D0-BFD8-006097237877} (InstallFromTheWeb ActiveX Control) - http://support.rexpl...l//iftwclix.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/b...lineScanner.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.co.../sysreqlab2.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx...erInstaller.cab
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamesp...nch/alaunch.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.su...ows-i586-jc.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O16 - DPF: {F375116A-793C-11D2-BFE1-444553540001} (First American Res MapActiveX Control) - http://realist2.firs...r/mapviewer.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{7BE7FCAD-85A0-4A39-AFB9-3EDC672EB886}: NameServer = 68.87.68.162,68.87.74.162
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\dotewawa.dll (file missing)
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\dotewawa.dll (file missing)
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: nHancer Support (nHancer) - KSE - Korndörfer Software Engineering - C:\Program Files\nHancer\nHancerService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\system32\oodag.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 9023 bytes
  • 0

Advertisements


#2
itgl72

itgl72

    New Member

  • Topic Starter
  • Member
  • Pip
  • 2 posts
While waiting, I ran Malwarebytes' Anti-Malware, and Combofix.

Below are the logs for each, if it helps...








Malwarebytes' Anti-Malware 1.31
Database version: 1500
Windows 5.1.2600 Service Pack 2

2008-12-15 1:11:39 AM
mbam-log-2008-12-15 (01-11-39).txt

Scan type: Full Scan (C:\|)
Objects scanned: 357794
Time elapsed: 54 minute(s), 48 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 5
Registry Values Infected: 5
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ca330dbe-a907-4c49-9475-46d9042dc8a2} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{ca330dbe-a907-4c49-9475-46d9042dc8a2} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wohohubake (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\24225cca (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cpm27116f56 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\ssodl (Trojan.BHO) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\lepujeji.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.















COMBOFIX LOG



ComboFix 08-12-15.01 - BURNER 2008-12-15 17:24:11.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2046.1552 [GMT -5:00]
Running from: c:\documents and settings\BURNER\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Downloaded Program Files\setup.inf
c:\windows\system32\irejudam.ini
c:\windows\system32\ojeboziy.ini
c:\windows\system32\tmp17.tmp
c:\windows\system32\tmp87.tmp
c:\windows\system32\tmp88.tmp
c:\windows\system32\usudiwus.ini

.
((((((((((((((((((((((((( Files Created from 2008-11-15 to 2008-12-15 )))))))))))))))))))))))))))))))
.

2008-12-15 17:28 . 2008-12-15 17:28 <DIR> d-------- c:\windows\LastGood
2008-12-14 12:30 . 2008-12-14 14:39 <DIR> d-------- c:\program files\EsetOnlineScanner
2008-12-11 15:46 . 2008-12-11 15:50 <DIR> d-------- c:\program files\rfactor2
2008-12-11 15:11 . 2008-12-11 15:11 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-12-11 15:11 . 2008-12-11 15:11 <DIR> d-------- c:\documents and settings\BURNER\Application Data\Malwarebytes
2008-12-11 15:11 . 2008-12-11 15:11 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-11 15:11 . 2008-12-03 19:58 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-11 15:11 . 2008-12-03 19:58 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-12-11 15:09 . 2008-12-11 15:10 <DIR> d-------- c:\program files\ERUNT
2008-12-11 13:41 . 2008-12-11 13:41 <DIR> d-------- C:\nazi_zombie_FRUmansion
2008-12-11 13:12 . 2008-12-11 13:12 43,457,096 --a------ C:\nazi_zombie_FRUmansion.rar
2008-12-09 15:59 . 2008-12-09 15:59 <DIR> d-------- C:\VundoFix Backups
2008-12-05 16:04 . 2008-12-09 16:37 327 --a------ c:\windows\wininit.ini
2008-12-05 15:35 . 2008-12-05 15:38 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2008-12-05 15:35 . 2008-12-05 16:57 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-05 14:57 . 2008-12-05 14:57 <DIR> d-------- c:\program files\Trend Micro
2008-12-03 17:51 . 2008-12-03 17:51 <DIR> d-------- c:\program files\AGEIA Technologies
2008-12-03 17:50 . 2008-12-03 17:50 <DIR> d-------- c:\windows\nview
2008-12-03 17:50 . 2008-11-12 13:45 453,152 --a------ c:\windows\system32\NVUNINST.EXE
2008-12-03 17:50 . 2008-11-12 14:54 453,152 --a------ c:\windows\system32\nvudisp.exe
2008-12-03 17:50 . 2008-12-15 18:54 201,519 --a------ c:\windows\system32\nvapps.xml
2008-12-03 17:50 . 2008-11-12 14:54 18,537 --a------ c:\windows\system32\nvdisp.nvu
2008-12-03 17:32 . 2008-12-03 17:32 <DIR> d-------- c:\documents and settings\Administrator
2008-12-03 17:23 . 2008-12-03 17:23 <DIR> d-------- c:\windows\RaidTool
2008-12-03 17:23 . 2008-12-03 17:23 <DIR> d-------- C:\RaidTool
2008-12-03 17:23 . 2007-11-19 11:28 1,966,080 --a------ c:\windows\system32\xRaidSetup.exe
2008-12-03 17:23 . 2008-03-19 10:54 151,552 --a------ c:\windows\system32\xRaidAPI.dll
2008-12-03 17:19 . 2008-12-03 17:19 <DIR> d-------- c:\program files\Marvell
2008-12-03 17:12 . 2008-12-03 17:12 <DIR> d-------- C:\Intel
2008-12-03 17:12 . 2007-07-26 16:15 53,248 --a------ c:\windows\system32\CSVer.dll
2008-12-03 14:18 . 2008-12-03 14:21 5,318 --a------ c:\windows\system32\huadio.tmp
2008-12-03 10:06 . 2008-12-03 10:06 <DIR> d-------- c:\program files\Belarc
2008-12-03 10:06 . 2008-02-27 12:49 3,840 --a------ c:\windows\system32\drivers\BANTExt.sys
2008-11-28 15:42 . 2008-11-28 15:48 0 --a------ C:\FileOut.Cns
2008-11-28 15:42 . 2008-11-28 15:48 0 --a------ C:\FileIn.Cns

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-15 23:54 --------- d-----w c:\program files\Steam
2008-12-15 03:48 139,280 ----a-w c:\windows\system32\drivers\PnkBstrK.sys
2008-12-15 02:12 --------- d-----w c:\documents and settings\BURNER\Application Data\Free Download Manager
2008-12-11 19:35 --------- d-----w c:\documents and settings\BURNER\Application Data\FileZilla
2008-12-03 23:48 --------- d-----w c:\documents and settings\BURNER\Application Data\Autosim Analyzer
2008-12-03 22:53 --------- d-----w c:\documents and settings\All Users\Application Data\nHancer
2008-12-03 22:51 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-12-03 22:45 --------- d-----w c:\program files\DriverCleanerDotNET
2008-12-03 19:00 --------- d-----w c:\documents and settings\BURNER\Application Data\uTorrent
2008-12-02 18:32 --------- d-----w c:\program files\Electronic Arts
2008-12-01 22:23 --------- d-----w c:\program files\rFactor
2008-12-01 02:09 --------- d-----w c:\documents and settings\BURNER\Application Data\Red Alert 3
2008-11-26 21:30 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2008-11-12 19:54 6,188,320 ----a-w c:\windows\system32\drivers\nv4_mini.sys
2008-11-11 18:53 --------- d-----w c:\program files\Activision
2008-11-11 16:24 --------- d--h--w c:\program files\InstallShield Installation Information
2008-11-11 16:11 22,328 ----a-w c:\documents and settings\BURNER\Application Data\PnkBstrK.sys
2008-11-10 04:43 --------- d-----w c:\program files\ARCA Remax
2008-11-03 20:15 --------- d-----w c:\documents and settings\BURNER\Application Data\Publish Providers
2008-11-02 20:07 --------- d-----w c:\program files\ARCA Evolution
2008-11-01 23:21 --------- d-----w c:\program files\GameSpy
2008-11-01 20:07 --------- d-----w c:\program files\ZD Soft
2008-11-01 19:59 --------- d-----w c:\program files\Score4
2008-11-01 19:59 --------- d-----w c:\program files\GPLForever
2008-11-01 19:54 --------- d-----w c:\documents and settings\All Users\Application Data\Codemasters
2008-10-29 02:36 73,216 ----a-w c:\windows\ST6UNST.EXE
2008-10-29 02:36 286,720 ------w c:\windows\Setup1.exe
2008-10-24 11:10 453,632 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-17 20:39 --------- d-----w c:\program files\ffdshow
2008-04-28 00:15 0 ---h--w c:\documents and settings\All Users\Application Data\PKP_DLds.DAT
2004-08-10 03:30 40,960 ----a-w c:\program files\Uninstall_CDS.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nHancer"="c:\program files\nHancer\nHancer.exe" [2007-10-31 1519616]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"Steam"="c:\program files\steam\steam.exe" [2008-11-08 1410296]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2007-02-05 849280]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-04-27 282624]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2008-11-27 1261336]
"Start WingMan Profiler"="c:\program files\Logitech\Gaming Software\LWEMon.exe" [2008-04-04 88584]
"JMB36X IDE Setup"="c:\windows\RaidTool\xInsIDE.exe" [2007-03-20 36864]
"36X Raid Configurer"="c:\windows\system32\xRaidSetup.exe" [2007-11-19 1966080]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-11-12 13672448]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-11-12 86016]
"nwiz"="nwiz.exe" [2008-11-12 c:\windows\system32\nwiz.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.dvacm"= dvacm.acm

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
--a------ 2007-03-12 12:49 153136 c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 00:56 15360 c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GBB36X Configure]
-r------- 2006-07-12 04:58 356352 c:\windows\system32\JMRaidTool.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
--a------ 2005-02-17 06:15 221184 c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
--a------ 2005-02-17 06:15 81920 c:\program files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2007-04-27 10:25 257088 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2007-03-09 17:53 153136 c:\program files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-04-27 08:41 282624 c:\program files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
--a------ 2004-06-28 20:29 32768 c:\program files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-03-14 02:43 83608 c:\program files\Java\jre1.6.0_01\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
--a------ 2006-12-12 20:33 69632 c:\windows\Alcmtr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
--a------ 2006-12-12 20:33 16270848 c:\windows\RTHDCPL.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SkyTel]
--a------ 2006-12-12 20:33 2879488 c:\windows\SkyTel.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\GIGABYTE\\@BIOS\\GWF32.EXE"=
"c:\\WINDOWS\\system32\\dpnsvr.exe"=
"c:\\Program Files\\EA GAMES\\Command & Conquer The First Decade\\Command & Conquer™ Generals Zero Hour\\generals.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\GameSpy Arcade\\Aphex.exe"=
"c:\\Program Files\\Papyrus\\NASCAR Racing 2003 Season\\NR2003.exe"=
"c:\\Program Files\\Java\\jre1.6.0_01\\bin\\javaw.exe"=
"c:\\Program Files\\UltraVnc\\vncviewer.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\GIGABYTE\\ET5\\update.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\DropBox\\DropBox\\DropBox.exe"=
"c:\\Program Files\\ARCA Remax\\ARCA.exe"=
"c:\\Program Files\\Ubisoft\\IL-2 Sturmovik 1946\\il2fb.exe"=
"\\\\192.168.1.50\\d$\\IL2DedicatedServer\\il2server.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"c:\\Program Files\\Adobe\\Adobe Dreamweaver CS3\\Dreamweaver2.exe"=
"c:\\Program Files\\rFactor\\rFactor.exe"=
"c:\\Program Files\\rFactor\\rFactor Dedicated.exe"=
"c:\\Program Files\\SimTools\\SimAdapter\\SimAdapter.exe"=
"c:\\Program Files\\SimTools\\SimView\\SimView.exe"=
"c:\\Program Files\\EA GAMES\\MOHAA\\MOHAA.exe"=
"c:\\Program Files\\GameSpy\\Comrade\\Comrade.exe"=
"c:\\Program Files\\ARCA Evolution\\ARCA.exe"=
"c:\\Program Files\\Activision\\Call of Duty - World at War\\CoDWaW.exe"=
"c:\\Program Files\\Activision\\Call of Duty - World at War\\CoDWaWmp.exe"=
"c:\\Program Files\\Electronic Arts\\Red Alert 3\\Data\\ra3_1.4.game"=
"c:\\Program Files\\Steam\\steamapps\\common\\left 4 dead\\left4dead.exe"=
"c:\\Program Files\\Steam\\Steam.exe"=
"c:\\Program Files\\Common Files\\Microsoft Shared\\VS7DEBUG\\MDM.EXE"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"135:TCP"= 135:TCP:TCP Port 135
"5000:TCP"= 5000:TCP:TCP Port 5000
"5001:TCP"= 5001:TCP:TCP Port 5001
"5002:TCP"= 5002:TCP:TCP Port 5002
"5003:TCP"= 5003:TCP:TCP Port 5003
"5004:TCP"= 5004:TCP:TCP Port 5004
"5005:TCP"= 5005:TCP:TCP Port 5005
"5006:TCP"= 5006:TCP:TCP Port 5006
"5007:TCP"= 5007:TCP:TCP Port 5007
"5008:TCP"= 5008:TCP:TCP Port 5008
"5009:TCP"= 5009:TCP:TCP Port 5009
"5010:TCP"= 5010:TCP:TCP Port 5010
"5011:TCP"= 5011:TCP:TCP Port 5011
"5012:TCP"= 5012:TCP:TCP Port 5012
"5013:TCP"= 5013:TCP:TCP Port 5013
"5014:TCP"= 5014:TCP:TCP Port 5014
"5015:TCP"= 5015:TCP:TCP Port 5015
"5016:TCP"= 5016:TCP:TCP Port 5016
"5017:TCP"= 5017:TCP:TCP Port 5017
"5018:TCP"= 5018:TCP:TCP Port 5018
"5019:TCP"= 5019:TCP:TCP Port 5019
"5020:TCP"= 5020:TCP:TCP Port 5020
"5900:TCP"= 5900:TCP:vnc5900
"5800:TCP"= 5800:TCP:vnc5800

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys [2008-06-27 97928]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-06-27 231704]
R2 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\Viewpoint\Common\ViewpointService.exe" [2008-07-04 24652]
R3 bcgame;Nostromo HID Device Minidriver;c:\windows\system32\drivers\bcgame.sys [2003-07-24 22821]
R3 chdrvr01;CH Control Manager Driver 1;c:\windows\system32\DRIVERS\chdrvr01.sys [2007-07-10 215104]
R3 chdrvr02;CH Control Manager Driver 2;c:\windows\system32\DRIVERS\chdrvr02.sys [2007-07-10 3744]
R3 chdrvr03;CH Control Manager Driver 3;c:\windows\system32\DRIVERS\chdrvr03.sys [2007-07-10 9024]
R3 NPUSB;NPUSB;c:\windows\system32\DRIVERS\npusb.sys [2007-12-13 22816]
S3 huadio;huadio;\??\c:\windows\system32\huadio.tmp [2008-12-03 5318]
S3 SaiH0109;SaiH0109;c:\windows\system32\DRIVERS\SaiH0109.sys [2005-11-03 176640]
S3 SaiU0109;SaiU0109;c:\windows\system32\DRIVERS\SaiU0109.sys [2005-11-03 27264]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - F:\Setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
\Shell\AutoRun\command - G:\Setup.exe
.
Contents of the 'Scheduled Tasks' folder

2008-11-21 c:\windows\Tasks\1-Click Maintenance.job
- c:\program files\TuneUp Utilities 2008\OneClick.exe []
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-AVG7_CC - c:\progra~1\Grisoft\AVG7\avgcc.exe
MSConfigStartUp-Start WingMan Profiler - c:\program files\Logitech\Profiler\lwemon.exe
MSConfigStartUp-swg - c:\program files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://news.google.com/nwshp?hl=en&tab=wn
uInternet Settings,ProxyOverride = *.local
IE: Download all with Free Download Manager - file://c:\program files\Free Download Manager\dlall.htm
IE: Download selected with Free Download Manager - file://c:\program files\Free Download Manager\dlselected.htm
IE: Download with Free Download Manager - file://c:\program files\Free Download Manager\dllink.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
Trusted Zone: www.gamls.com
Trusted Zone: *.rexplorer.net
TCP: {7BE7FCAD-85A0-4A39-AFB9-3EDC672EB886} = 68.87.68.162,68.87.74.162

O16 -: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
c:\windows\Downloaded Program Files\Microsoft XML Parser for Java.osd

c:\windows\system32\TKUNINST.EXE - c:\windows\system32\TKWEB.OCX
O16 -: {2564B8E6-7D84-11D4-A689-30475BC10000}
hxxp://www.toolkitcma.com/tkweb/tkweb.cab
c:\windows\Downloaded Program Files\tkweb.inf

c:\windows\Downloaded Program Files\mapviewer.ocx - O16 -: {F375116A-793C-11D2-BFE1-444553540001}
hxxp://realist2.firstamres.com/mapviewer/mapviewer.cab
FF - ProfilePath - c:\documents and settings\BURNER\Application Data\Mozilla\Firefox\Profiles\7cplr6vc.default\
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-15 18:53:59
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\huadio]
"ImagePath"="\??\c:\windows\system32\huadio.tmp"
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\nHancer\nHancerService.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\PnkBstrA.exe
c:\progra~1\AVG\AVG8\avgrsx.exe
c:\program files\Viewpoint\Viewpoint Manager\ViewMgr.exe
c:\windows\system32\rundll32.exe
.
**************************************************************************
.
Completion time: 2008-12-15 18:59:12 - machine was rebooted [BURNER]
ComboFix-quarantined-files.txt 2008-12-15 23:59:09

Pre-Run: 2,459,934,720 bytes free
Post-Run: 3,372,171,264 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

281 --- E O F --- 2008-11-19 01:41:30
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP