Virtumonde.dll ( what a biotch)

themarsvolta55 · 05-31-2008, 07:24 PM

alright, so i recieved a virus from selfishly downloading a keygen for a prog.
and iv tried ALOT, mostly using spybot, doing the normal scan, trying to remove it,removing the BHO's, killing the process/module then once the module is killed ( either urqPjGyV.dll or ssqQKCuR.dll ) trying to use a file shredder and going into the system 32 folder and shredding it. iv also tried safemode, scanning, then cleaning it, doesnt work either

any help would be GREAT!!!!

jordan

adarsh · 05-31-2008, 07:33 PM

Please download the latest copy of HijackThis from Trend Micro and save it to your desktop.
Double click on HJTInstall.exe to install it. Click on Install. By default, it will install to C:\Program Files\Trend Micro\HijackThis.
Read through the License Agreement presented to you on the next screen and click on I Accept.
Once installed, HijackThis will start automatically. If it doesn't, please go to your desktop and double click on the HijackThis shortcut created there.
Select Do a system scan and save a logfile.
Close HijackThis.

Please post the contents of the post here for the experts to review and help you with the removal.
Note: Do not click on the AnalyzeThis button.

Do not fix any lines you see in HijackThis as most entries are harmless and needed for the normal functioning of Windows.

P.S :Please note that I will not be participating in your fix because I'm still under training. This is just to help the experts here and to save time.

Punk · 05-31-2008, 08:32 PM

Please post the Hijackthis log along with these logs:

Please download VundoFix.exe to your desktop.

Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.
Please post the contents of C:\vundofix.txt and a new HiJackThis log.

Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

Download and Run ComboFix
If you already have Combofix, please delete this copy and download it again as it's being updated regularly.

Download this file from one of the three below listed places :

http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe
Then double click combofix.exe & follow the prompts.
When finished, it shall produce a log for you. Post that log in your next reply

Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall

Combofix should never take more that 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.

alexyu · 05-31-2008, 09:04 PM

nothing of these helped me when i had vundo
you should consider reinstalling os

Punk · 05-31-2008, 09:09 PM

Quote:

Originally Posted by alexyu

nothing of these helped me when i had vundo
you should consider reinstalling os

Lol did you do it yourself or did you follow someone's fixes, someone who had fixed that infection before?

We've cleaned many virtumonde infections on this forum...

themarsvolta55 · 06-01-2008, 01:41 AM

sorry- should of thought earlier and posted the hijack

-------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:44:49 PM, on 5/31/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Desktop Lighter\DLighter.exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\iTunes\iTunes.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceHelper.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\distnoted.exe
C:\Program Files\Volumouse\volumouse.exe
C:\Program Files\Mozilla Firefox 3 Beta 5\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,ProxyOverride = *.local
O3 - Toolbar: (no name) - {DE9C389F-3316-41A7-809B-AA305ED9D922} - (no file)
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [ATICustomerCare] "C:\Program Files\ATI\ATICustomerCare\ATICustomerCare.exe"
O4 - HKLM\..\Run: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [bc67c3f0] rundll32.exe "C:\WINDOWS\system32\bjioviqv.dll",b
O4 - HKLM\..\Run: [BMbf54f06c] Rundll32.exe "C:\WINDOWS\system32\usegsaif.dll",s
O4 - HKLM\..\RunOnce: [Spybot - Search & Destroy] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [DLIGHTER] C:\Program Files\Desktop Lighter\DLighter.exe /h
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - Startup: MagicDisc.lnk = C:\Program Files\MagicDisc\MagicDisc.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

--
End of file - 4801 bytes

Punk · 06-01-2008, 11:44 AM

Please follow the instructions I posted earlier

themarsvolta55 · 06-01-2008, 06:37 PM

vundo-fix didnt find anything (?)

and this is the log from combo fix...

---------------------------------------------------------
ComboFix 08-05-29.1 - Jordan 2008-06-01 10:47:41.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1161 [GMT -4:00]
Running from: C:\Documents and Settings\Jordan\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\BMbf54f06c.xml
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\aeqlitfu.ini
C:\WINDOWS\system32\bjioviqv.dll
C:\WINDOWS\system32\ekhtfhmh.dll
C:\WINDOWS\system32\fMUtDcdd.ini
C:\WINDOWS\system32\fMUtDcdd.ini2
C:\WINDOWS\system32\gicwucxv.ini
C:\WINDOWS\system32\GQAyyccf.ini
C:\WINDOWS\system32\GQAyyccf.ini2
C:\WINDOWS\system32\jduyvobr.dll
C:\WINDOWS\system32\jwphvqde.dll
C:\WINDOWS\system32\lnWFNqss.ini
C:\WINDOWS\system32\lnWFNqss.ini2
C:\WINDOWS\system32\lojcnoja.dll
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\mTDfPqru.ini
C:\WINDOWS\system32\mTDfPqru.ini2
C:\WINDOWS\system32\qlkkcics.ini
C:\WINDOWS\system32\rbovyudj.ini
C:\WINDOWS\system32\RrBbdccf.ini
C:\WINDOWS\system32\RrBbdccf.ini2
C:\WINDOWS\system32\RuCKQqss.ini
C:\WINDOWS\system32\RuCKQqss.ini2
C:\WINDOWS\system32\scickklq.dll
C:\WINDOWS\system32\sjmmbote.exe
C:\WINDOWS\system32\uftilqea.dll
C:\WINDOWS\system32\usegsaif.dll
C:\WINDOWS\system32\vpbgglcw.exe
C:\WINDOWS\system32\vqivoijb.ini
C:\WINDOWS\system32\vxcuwcig.dll
C:\WINDOWS\system32\xdjeeggc.dll
C:\WINDOWS\system32\xpenpkxd.exe
C:\WINDOWS\system32\yGPWayay.ini
C:\WINDOWS\system32\yGPWayay.ini2
C:\WINDOWS\system32\ywtyljec.dll

.
((((((((((((((((((((((((( Files Created from 2008-05-01 to 2008-06-01 )))))))))))))))))))))))))))))))
.

2008-06-01 10:58 . 2008-06-01 10:58 373,248 --a------ C:\WINDOWS\system32\vtUlMfFU.dll
2008-06-01 10:58 . 2008-06-01 10:58 345 --ahs---- C:\WINDOWS\system32\UFfMlUtv.ini2
2008-06-01 10:58 . 2008-06-01 10:58 345 --ahs---- C:\WINDOWS\system32\UFfMlUtv.ini
2008-06-01 10:35 . 2008-06-01 10:35 <DIR> d-------- C:\VundoFix Backups
2008-06-01 00:36 . 2008-06-01 00:54 <DIR> d-------- C:\!KillBox
2008-05-31 12:54 . 2008-05-31 12:54 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-05-31 12:54 . 2008-05-31 12:54 1,409 --a------ C:\WINDOWS\QTFont.for
2008-05-31 00:51 . 373,248 C:\WINDOWS\system32\fccdbBrR.dll_old
2008-05-31 00:50 . 2008-05-31 00:50 552 --a------ C:\WINDOWS\system32\d3d8caps.dat
2008-05-29 22:35 . 2008-05-29 22:41 <DIR> d-------- C:\Program Files\CCleaner
2008-05-28 20:20 . 2008-05-28 20:20 <DIR> d-------- C:\Program Files\aKill
2008-05-28 19:59 . 2008-05-28 19:59 <DIR> d-------- C:\Program Files\Safer Networking
2008-05-28 19:53 . 2008-06-01 10:16 611 --a------ C:\WINDOWS\wininit.ini
2008-05-28 17:31 . 2008-05-29 00:13 <DIR> d-------- C:\Program Files\File Shredder
2008-05-28 17:20 . 2008-05-29 00:14 372,736 --a------ C:\WINDOWS\system32\23560491.dll_old
2008-05-28 17:16 . 2008-05-28 17:16 58,368 --a------ C:\WINDOWS\system32\cbXRKEvv.dll
2008-05-28 17:15 . 2008-05-28 17:15 58,368 --a------ C:\WINDOWS\system32\urqPjGyV.dll
2008-05-28 17:15 . 2008-05-28 17:15 58,368 --a------ C:\WINDOWS\system32\mlJCuuSJ.dll
2008-05-27 23:18 . 2008-05-27 23:18 151 --a------ C:\WINDOWS\PhotoSnapViewer.INI
2008-05-27 13:26 . 2008-05-27 13:26 <DIR> d-------- C:\Program Files\LimeWire
2008-05-27 13:26 . 2008-05-28 17:20 <DIR> d-------- C:\Documents and Settings\Jordan\Application Data\LimeWire
2008-05-27 13:24 . 2008-05-27 13:24 <DIR> d-------- C:\WINDOWS\system32\SDA
2008-05-27 13:24 . 2008-05-27 13:24 <DIR> d-------- C:\Program Files\TOSHIBA
2008-05-26 12:14 . 2008-05-26 12:15 <DIR> d-------- C:\Program Files\FLAC
2008-05-26 11:35 . 2008-05-26 11:37 <DIR> d-------- C:\Program Files\Winamp
2008-05-26 11:35 . 2008-05-26 11:45 <DIR> d-------- C:\Documents and Settings\Jordan\Application Data\Winamp
2008-05-23 00:02 . 2008-05-23 00:02 116 --a------ C:\WINDOWS\NeroDigital.ini
2008-05-22 12:35 . 2008-05-23 00:03 <DIR> d-------- C:\Documents and Settings\Jordan\Application Data\Ahead
2008-05-22 12:34 . 2008-05-22 12:34 <DIR> d-------- C:\Program Files\Nero
2008-05-22 12:34 . 2008-05-22 12:34 <DIR> d-------- C:\Program Files\Common Files\Ahead
2008-05-22 10:40 . 2008-05-22 10:40 <DIR> d-------- C:\Westwood
2008-05-17 18:33 . 2008-05-17 18:33 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2008-05-16 12:09 . 2008-05-16 12:09 <DIR> d-------- C:\Program Files\EA GAMES
2008-05-16 12:08 . 2008-05-16 12:08 <DIR> d-------- C:\Program Files\MagicDisc
2008-05-16 12:08 . 2008-02-18 17:29 96,256 --a------ C:\WINDOWS\system32\drivers\mcdbus.sys
2008-05-16 12:04 . 2008-05-16 12:04 <DIR> d-------- C:\Program Files\MagicISO
2008-05-15 13:52 . 2008-06-01 00:35 <DIR> d-------- C:\Program Files\Mozilla Firefox 3 Beta 5
2008-05-14 18:45 . 2008-05-15 13:51 0 --a------ C:\WINDOWS\vpd.properties
2008-05-14 18:42 . 2008-05-14 18:42 <DIR> d-------- C:\Program Files\Sybase
2008-05-13 22:23 . 2008-05-13 22:23 <DIR> d-------- C:\Program Files\uTorrent
2008-05-13 22:22 . 2008-05-28 17:42 <DIR> d-------- C:\Documents and Settings\Jordan\Application Data\uTorrent
2008-05-12 20:08 . 2008-05-28 17:44 <DIR> d-------- C:\Program Files\Google
2008-05-11 02:09 . 2008-05-11 02:09 <DIR> d-------- C:\Program Files\Apple Software Update
2008-05-10 20:46 . 2004-08-04 08:00 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2008-05-10 15:01 . 2008-05-10 15:01 <DIR> d-------- C:\Program Files\Red Kawa
2008-05-10 15:01 . 2008-05-10 15:01 <DIR> d-------- C:\Program Files\AviSynth 2.5
2008-05-08 14:31 . 2005-06-10 22:02 12,800 --a------ C:\WINDOWS\system32\vncdrv.dll
2008-05-08 14:31 . 2004-06-26 13:22 6,016 --a------ C:\WINDOWS\system32\drivers\vnccom.SYS
2008-05-08 14:31 . 2004-06-26 13:21 5,760 --a------ C:\WINDOWS\system32\vnchelp.dll
2008-05-08 14:31 . 2004-06-26 13:22 4,736 --a------ C:\WINDOWS\system32\drivers\vncdrv.sys
2008-05-08 14:31 . 2008-05-08 14:31 44 --a------ C:\WINDOWS\system32\'
2008-05-08 03:00 . 2008-05-08 03:00 <DIR> d-------- C:\Program Files\MSXML 6.0
2008-05-06 21:02 . 2008-05-06 21:05 <DIR> d-------- C:\Program Files\AutoCAD 2009
2008-05-06 21:02 . 2008-05-28 23:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Autodesk
2008-05-06 21:02 . 2007-07-19 18:14 3,727,720 --a------ C:\WINDOWS\system32\d3dx9_35.dll
2008-05-06 21:01 . 2008-05-06 21:01 <DIR> d-------- C:\Program Files\MSBuild
2008-05-06 20:59 . 2008-05-06 20:59 <DIR> d-------- C:\WINDOWS\system32\XPSViewer
2008-05-06 20:59 . 2008-05-06 20:59 <DIR> d-------- C:\Program Files\Reference Assemblies
2008-05-06 20:58 . 2006-06-29 13:07 14,048 --a------ C:\WINDOWS\system32\spmsg2.dll
2008-05-06 20:56 . 2008-05-06 21:06 <DIR> d-------- C:\Program Files\Common Files\Autodesk Shared
2008-05-06 20:56 . 2008-05-06 20:56 <DIR> d-------- C:\Program Files\Autodesk
2008-05-06 20:56 . 2008-05-28 23:51 <DIR> d-------- C:\Documents and Settings\Jordan\Application Data\Autodesk
2008-05-06 20:40 . 2008-05-06 20:40 <DIR> d-------- C:\install
2008-05-06 13:57 . 2008-05-06 13:57 <DIR> d-------- C:\WINDOWS\Sun
2008-05-06 13:57 . 2008-02-22 02:33 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-05-06 13:56 . 2008-05-06 13:57 <DIR> d-------- C:\Program Files\Java
2008-05-06 13:49 . 2008-05-06 13:49 <DIR> d-------- C:\Program Files\Common Files\Java
2008-05-06 13:38 . 2008-05-06 13:38 <DIR> d-------- C:\Documents and Settings\Jordan\WINDOWS
2008-05-06 13:38 . 1995-09-02 15:57 269,312 --a------ C:\WINDOWS\uninst.exe
2008-05-04 12:58 . 2008-05-04 12:59 <DIR> d-------- C:\Program Files\Common Files\Adobe
2008-05-02 00:38 . 2008-05-10 20:47 <DIR> d-------- C:\Program Files\Desktop Lighter
2008-05-01 13:42 . 2004-08-03 23:07 59,264 --a------ C:\WINDOWS\system32\drivers\USBAUDIO.sys
2008-05-01 13:42 . 2004-08-03 23:07 59,264 --a--c--- C:\WINDOWS\system32\dllcache\usbaudio.sys
2008-05-01 13:42 . 2004-08-04 00:56 21,504 --a------ C:\WINDOWS\system32\hidserv.dll
2008-05-01 13:42 . 2004-08-04 00:56 21,504 --a--c--- C:\WINDOWS\system32\dllcache\hidserv.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))) ))
.
2008-05-28 21:09 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-14 18:32 --------- d-----w C:\Program Files\Need for Speed Underground 2
2008-05-03 03:28 --------- d-----w C:\Program Files\Buddy Icon Maker
2008-05-03 03:10 --------- d-----w C:\Program Files\AIM6
2008-04-30 21:18 --------- d-----w C:\Program Files\Microsoft ActiveSync
2008-04-30 07:08 --------- d-----w C:\Documents and Settings\Jordan\Application Data\ATI
2008-04-30 07:08 --------- d-----w C:\Documents and Settings\All Users\Application Data\ATI
2008-04-30 03:27 --------- d-----w C:\Program Files\EphPod
2008-04-30 02:39 --------- d-----w C:\Program Files\Common Files\DirectX
2008-04-30 02:31 --------- d-----w C:\Program Files\DirectX 9.0c
2008-04-30 02:05 --------- d-----w C:\Program Files\Volumouse
2008-04-30 02:04 39,424 ----a-w C:\WINDOWS\zipinst.exe
2008-04-30 00:29 315,392 ----a-w C:\WINDOWS\HideWin.exe
2008-04-30 00:29 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-30 00:29 --------- d-----w C:\Program Files\Realtek
2008-04-30 00:23 --------- d-----w C:\Program Files\Infogrames
2008-04-30 00:13 --------- d-----w C:\Program Files\QuickTime
2008-04-30 00:13 --------- d-----w C:\Program Files\iTunes
2008-04-30 00:13 --------- d-----w C:\Program Files\iPod
2008-04-30 00:13 --------- d-----w C:\Program Files\Bonjour
2008-04-30 00:13 --------- d-----w C:\Documents and Settings\Jordan\Application Data\Apple Computer
2008-04-30 00:13 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-04-30 00:12 --------- d-----w C:\Program Files\Common Files\Apple
2008-04-30 00:12 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple
2008-04-29 23:54 --------- d-----w C:\Documents and Settings\Jordan\Application Data\acccore
2008-04-29 23:54 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL OCP
2008-04-29 23:53 --------- d-----w C:\Program Files\Colorizer
2008-04-29 23:51 --------- d-----w C:\Program Files\AIM FightList
2008-04-29 23:51 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2008-04-29 23:47 --------- d-----w C:\Documents and Settings\Jordan\Application Data\vlc
2008-04-29 23:46 --------- d-----w C:\Program Files\VideoLAN
2008-04-29 23:44 --------- d-----w C:\Program Files\Trend Micro
2008-04-29 23:37 --------- d-----w C:\Program Files\ATI
2008-04-29 23:36 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-04-29 23:36 --------- d-----w C:\Program Files\ATI Technologies
2008-04-29 23:35 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-04-29 23:08 --------- d-----w C:\Program Files\microsoft frontpage
2008-04-17 20:33 4,707,328 ----a-w C:\WINDOWS\system32\drivers\RtkHDAud.sys
2008-04-10 20:52 16,861,184 ----a-w C:\WINDOWS\RTHDCPL.exe
2008-04-02 13:27 1,196,032 ----a-w C:\WINDOWS\RtlUpd.exe
2008-03-29 05:19 9,801,728 ----a-w C:\WINDOWS\system32\atioglx2.dll
2008-03-29 04:40 167,936 ----a-w C:\WINDOWS\system32\atiok3x2.dll
2008-03-29 04:05 372,736 ----a-w C:\WINDOWS\system32\ATIDEMGX.dll
2008-03-29 04:04 299,008 ----a-w C:\WINDOWS\system32\ati2dvag.dll
2008-03-29 03:56 172,032 ----a-w C:\WINDOWS\system32\atipdlxx.dll
2008-03-29 03:56 126,976 ----a-w C:\WINDOWS\system32\Oemdspif.dll
2008-03-29 03:55 43,520 ----a-w C:\WINDOWS\system32\ati2edxx.dll
2008-03-29 03:55 26,112 ----a-w C:\WINDOWS\system32\Ati2mdxx.exe
2008-03-29 03:55 126,976 ----a-w C:\WINDOWS\system32\ati2evxx.dll
2008-03-29 03:54 536,576 ----a-w C:\WINDOWS\system32\ati2evxx.exe
2008-03-29 03:52 53,248 ----a-w C:\WINDOWS\system32\ATIDDC.DLL
2008-03-29 03:43 3,176,480 ----a-w C:\WINDOWS\system32\ati3duag.dll
2008-03-29 03:39 307,200 ----a-w C:\WINDOWS\system32\atiiiexx.dll
2008-03-29 03:36 1,765,120 ----a-w C:\WINDOWS\system32\ativvaxx.dll
2008-03-29 03:24 46,080 ----a-w C:\WINDOWS\system32\amdpcom32.dll
2008-03-29 03:23 5,439,488 ----a-w C:\WINDOWS\system32\atioglxx.dll
2008-03-29 03:21 393,216 ----a-w C:\WINDOWS\system32\atikvmag.dll
2008-03-29 03:19 17,408 ----a-w C:\WINDOWS\system32\atitvo32.dll
2008-03-29 03:12 520,192 ----a-w C:\WINDOWS\system32\ati2cqag.dll
2008-03-29 01:05 593,920 ----a-w C:\WINDOWS\system32\ati2sgag.exe
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-05 22:07 520,192 ----a-w C:\WINDOWS\RtlExUpd.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{166BCB27-FCFD-4588-9BDB-44FC6A02EF35}]
2008-05-28 17:15 58368 --a------ C:\WINDOWS\system32\urqPjGyV.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5170872F-A9BD-4D9E-9DF2-FF8E4CB503F3}]
2008-06-01 10:58 373248 --a------ C:\WINDOWS\system32\vtUlMfFU.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E54863BA-42B9-447F-BD94-A50156215BD7}]
C:\WINDOWS\system32\fccdbBrR.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Curre ntVersion\Run]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [2008-03-25 16:21 50528]
"DLIGHTER"="C:\Program Files\Desktop Lighter\DLighter.exe" [2008-03-15 02:30 224768]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24 1694208]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe" [2005-09-03 15:18 94208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Run]
"AtiPTA"="atiptaxx.exe" [2006-02-21 21:05 344064 C:\WINDOWS\system32\atiptaxx.exe]
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-01-21 12:17 61440]
"ATICustomerCare"="C:\Program Files\ATI\ATICustomerCare\ATICustomerCare.exe" [2007-10-04 18:38 307200]
"SpybotSnD"="C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" [2008-01-28 11:43 5146448]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-03-28 23:37 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]
"RTHDCPL"="RTHDCPL.EXE" [2008-04-10 16:52 16861184 C:\WINDOWS\RTHDCPL.exe]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.e xe" [2001-07-09 11:50 155648]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2008-04-01 14:49 36352]
"BMbf54f06c"="C:\WINDOWS\system32\xniefnue.dll " [2008-06-01 11:02 126464]

C:\Documents and Settings\Jordan\Start Menu\Programs\Startup\
MagicDisc.lnk - C:\Program Files\MagicDisc\MagicDisc.exe [2008-05-16 12:08:05 546816]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04 83360]

[hkey_local_machine\software\microsoft\windows\curr entversion\explorer\shellexecutehooks]
"{166BCB27-FCFD-4588-9BDB-44FC6A02EF35}"= C:\WINDOWS\system32\urqPjGyV.dll [2008-05-28 17:15 58368]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\urqPjGyV]
urqPjGyV.dll 2008-05-28 17:15 58368 C:\WINDOWS\system32\urqPjGyV.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\contro l\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 C:\WINDOWS\system32\vtUlMfFU

[HKLM\~\services\sharedaccess\parameters\firewallpo licy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\AIM6\\aim6.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=

R2 vnccom;vnccom;C:\WINDOWS\system32\Drivers\vnccom.S YS [2004-06-26 13:22]
S3 cpuz;cpuz;C:\DOCUME~1\Jordan\LOCALS~1\Temp\Rar$EX0 0.422\cpuz.sys []

[HKEY_CURRENT_USER\software\microsoft\windows\curre ntversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\autorun.exe
\Shell\readit\command - notepad readme.doc

.
Contents of the 'Scheduled Tasks' folder
"2008-05-26 20:48:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-06-01 07:00:03 C:\WINDOWS\Tasks\Spybot - Search & Destroy - Scheduled Task.job"
- C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
.
************************************************** ************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-01 10:58:27
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

C:\WINDOWS\system32\xniefnue.dll

scan completed successfully
hidden files: 1

************************************************** ************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\urqPjGyV.dll

PROCESS: C:\WINDOWS\explorer.exe
-> C:\WINDOWS\system32\xniefnue.dll
-> C:\WINDOWS\system32\vtUlMfFU.dll
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Mozilla Firefox 3 Beta 5\firefox.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\verclsid.exe
.
************************************************** ************************
.
Completion time: 2008-06-01 11:06:07 - machine was rebooted [Jordan]
ComboFix-quarantined-files.txt 2008-06-01 15:05:22

Pre-Run: 178,504,417,280 bytes free
Post-Run: 178,550,452,224 bytes free

286 --- E O F --- 2008-05-28 07:01:12

Punk · 06-01-2008, 08:41 PM

OK

Download Avenger, and unzip it to your desktop or somewhere you can find it.Â (Do not run it yet).

Note: This program is for use on Windows XP 32 bit systems only, and must be run from an Administrator account.

Open a Notepad file by clicking Start > RunÂ and typing Notepad.exe in the box, click OK.
Click Format, and ensure Word Wrap is unchecked.
Copy and Paste the text in the box below into Notepad.
Now save the file as RemoveFiles.txt in a location where you can find it.

Quote:

Files to delete:
C:\WINDOWS\system32\vtUlMfFU.dll
C:\WINDOWS\system32\UFfMlUtv.ini2
C:\WINDOWS\system32\UFfMlUtv.ini
C:\WINDOWS\system32\fccdbBrR.dll_old
C:\WINDOWS\system32\d3d8caps.dat
C:\WINDOWS\system32\23560491.dll_old
C:\WINDOWS\system32\cbXRKEvv.dll
C:\WINDOWS\system32\urqPjGyV.dll
C:\WINDOWS\system32\mlJCuuSJ.dll
C:\WINDOWS\system32\xniefnue.dll

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

Start Avenger by double clicking on Avenger.exe.

Check Load script from file:
Click on the folder symbol below and to the right, and browse to RemoveFiles.txt.
Double click it to enter it into Avenger.
Click the green traffic light symbol.
You will be asked if you want to execute the script, answer Yes.
At this point you may get prompts from your protection systems, allow them please.
Avenger will set itself up to run the next time you re-boot, and will prompt you to re-start immediately.
Answer Yes, and allow your computer to re-boot.
Upon re-boot a command window will briefly appear on screen (this is normal).
A Notepad text file will be created C:\avenger.txt.
Copy and Paste it into your next post please.

Download Deckard's System Scanner (DSS) to your Desktop. Note: You must be logged onto an account with administrator privileges.

Close all applications and windows.
Double-click on dss.exe to run it, and follow the prompts.
When the scan is complete, two text files will open - main.txt <- this one will be maximized and extra.txt<-this one will be minimized
Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of main.txt and the extra.txt in your reply.

themarsvolta55 · 06-02-2008, 07:12 AM

here is my avenger
deckards will be posted shortly...

------------------------------------------------------
Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

Error: file "C:\WINDOWS\system32\vtUlMfFU.dll" not found!
Deletion of file "C:\WINDOWS\system32\vtUlMfFU.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

File "C:\WINDOWS\system32\UFfMlUtv.ini2" deleted successfully.
File "C:\WINDOWS\system32\UFfMlUtv.ini" deleted successfully.

Error: file "C:\WINDOWS\system32\fccdbBrR.dll_old" not found!
Deletion of file "C:\WINDOWS\system32\fccdbBrR.dll_old" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

File "C:\WINDOWS\system32\d3d8caps.dat" deleted successfully.
File "C:\WINDOWS\system32\23560491.dll_old" deleted successfully.
File "C:\WINDOWS\system32\cbXRKEvv.dll" deleted successfully.
File "C:\WINDOWS\system32\urqPjGyV.dll" deleted successfully.
File "C:\WINDOWS\system32\mlJCuuSJ.dll" deleted successfully.
File "C:\WINDOWS\system32\xniefnue.dll" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.

05-31-2008, 07:24 PM	#1 (permalink)
themarsvolta55 Bronze Member Join Date: Jan 2006 Posts: 62	Virtumonde.dll ( what a biotch) alright, so i recieved a virus from selfishly downloading a keygen for a prog. and iv tried ALOT, mostly using spybot, doing the normal scan, trying to remove it,removing the BHO's, killing the process/module then once the module is killed ( either urqPjGyV.dll or ssqQKCuR.dll ) trying to use a file shredder and going into the system 32 folder and shredding it. iv also tried safemode, scanning, then cleaning it, doesnt work either any help would be GREAT!!!! jordan __________________ TheMarsVolta55

05-31-2008, 07:33 PM	#2 (permalink)
adarsh Platinum Member Join Date: Jul 2007 Location: Dubai Posts: 895	Please download the latest copy of HijackThis from Trend Micro and save it to your desktop. Double click on HJTInstall.exe to install it. Click on Install. By default, it will install to C:\Program Files\Trend Micro\HijackThis. Read through the License Agreement presented to you on the next screen and click on I Accept. Once installed, HijackThis will start automatically. If it doesn't, please go to your desktop and double click on the HijackThis shortcut created there. Select Do a system scan and save a logfile. Close HijackThis. Please post the contents of the post here for the experts to review and help you with the removal. Note: Do not click on the AnalyzeThis button. Do not fix any lines you see in HijackThis as most entries are harmless and needed for the normal functioning of Windows. P.S :Please note that I will not be participating in your fix because I'm still under training. This is just to help the experts here and to save time. __________________ http://img77.imageshack.us/img77/7130/kainzr2.jpg Your views about my post are highly appreciated. Please bear in mind that I too am human, and therefore am prone to making errors. If you think that I am wrong, please do not hesitate to PM me suggesting a better fix. Thank you. Please visit Punk's gallery Last edited by adarsh; 05-31-2008 at 07:39 PM.

05-31-2008, 08:32 PM	#3 (permalink)
Punk Diamond Member Join Date: Jan 2007 Location: France Age: 19 Posts: 5,283	Please post the Hijackthis log along with these logs: Please download VundoFix.exe to your desktop. Double-click VundoFix.exe to run it. Click the Scan for Vundo button. Once it's done scanning, click the Remove Vundo button. You will receive a prompt asking if you want to remove the files, click YES Once you click yes, your desktop will go blank as it starts removing Vundo. When completed, it will prompt that it will reboot your computer, click OK. Please post the contents of C:\vundofix.txt and a new HiJackThis log. Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot. Download and Run ComboFix If you already have Combofix, please delete this copy and download it again as it's being updated regularly. Download this file from one of the three below listed places : http://download.bleepingcomputer.com/sUBs/ComboFix.exe http://www.forospyware.com/sUBs/ComboFix.exe http://subs.geekstogo.com/ComboFix.exe Then double click combofix.exe & follow the prompts. When finished, it shall produce a log for you. Post that log in your next reply Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall Combofix should never take more that 20 minutes including the reboot if malware is detected. If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue. If that happened we want to know, and also what process you had to end. __________________ Punk's Website making and registering tutorial! Rise And Fall, Rage And Grace The Offspring! Huck it! I just want to be who I want to be guess that's hard for others to see

05-31-2008, 09:04 PM	#4 (permalink)
alexyu Diamond Member Join Date: May 2008 Location: IASI, ROMANIA Posts: 1,212	nothing of these helped me when i had vundo you should consider reinstalling os __________________ Winner of the Photo tourney - Animals Any other Papa Roach fans around here? My profile on their site: here Fun webpage about them: here

06-01-2008, 01:41 AM	#6 (permalink)
themarsvolta55 Bronze Member Join Date: Jan 2006 Posts: 62	sorry- should of thought earlier and posted the hijack ------------------------------- Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 7:44:49 PM, on 5/31/2008 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe C:\Program Files\Bonjour\mDNSResponder.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\wscntfy.exe C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe C:\Program Files\iTunes\iTunesHelper.exe C:\WINDOWS\RTHDCPL.EXE C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\Rundll32.exe C:\Program Files\AIM6\aim6.exe C:\Program Files\Desktop Lighter\DLighter.exe C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe C:\Program Files\iPod\bin\iPodService.exe C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe C:\Program Files\AIM6\aolsoftware.exe C:\Program Files\iTunes\iTunes.exe C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceHelper.exe C:\Program Files\Common Files\Apple\Mobile Device Support\bin\distnoted.exe C:\Program Files\Volumouse\volumouse.exe C:\Program Files\Mozilla Firefox 3 Beta 5\firefox.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,ProxyOverride = *.local O3 - Toolbar: (no name) - {DE9C389F-3316-41A7-809B-AA305ED9D922} - (no file) O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" O4 - HKLM\..\Run: [ATICustomerCare] "C:\Program Files\ATI\ATICustomerCare\ATICustomerCare.exe" O4 - HKLM\..\Run: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe" O4 - HKLM\..\Run: [bc67c3f0] rundll32.exe "C:\WINDOWS\system32\bjioviqv.dll",b O4 - HKLM\..\Run: [BMbf54f06c] Rundll32.exe "C:\WINDOWS\system32\usegsaif.dll",s O4 - HKLM\..\RunOnce: [Spybot - Search & Destroy] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp O4 - HKCU\..\Run: [DLIGHTER] C:\Program Files\Desktop Lighter\DLighter.exe /h O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe" O4 - Startup: MagicDisc.lnk = C:\Program Files\MagicDisc\MagicDisc.exe O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe -- End of file - 4801 bytes __________________ TheMarsVolta55

06-01-2008, 11:44 AM	#7 (permalink)
Punk Diamond Member Join Date: Jan 2007 Location: France Age: 19 Posts: 5,283	Please follow the instructions I posted earlier __________________ Punk's Website making and registering tutorial! Rise And Fall, Rage And Grace The Offspring! Huck it! I just want to be who I want to be guess that's hard for others to see

06-01-2008, 06:37 PM	#8 (permalink)
themarsvolta55 Bronze Member Join Date: Jan 2006 Posts: 62	vundo-fix didnt find anything (?) and this is the log from combo fix... --------------------------------------------------------- ComboFix 08-05-29.1 - Jordan 2008-06-01 10:47:41.1 - NTFSx86 Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1161 [GMT -4:00] Running from: C:\Documents and Settings\Jordan\Desktop\ComboFix.exe WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !! . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . C:\WINDOWS\BMbf54f06c.xml C:\WINDOWS\pskt.ini C:\WINDOWS\system32\aeqlitfu.ini C:\WINDOWS\system32\bjioviqv.dll C:\WINDOWS\system32\ekhtfhmh.dll C:\WINDOWS\system32\fMUtDcdd.ini C:\WINDOWS\system32\fMUtDcdd.ini2 C:\WINDOWS\system32\gicwucxv.ini C:\WINDOWS\system32\GQAyyccf.ini C:\WINDOWS\system32\GQAyyccf.ini2 C:\WINDOWS\system32\jduyvobr.dll C:\WINDOWS\system32\jwphvqde.dll C:\WINDOWS\system32\lnWFNqss.ini C:\WINDOWS\system32\lnWFNqss.ini2 C:\WINDOWS\system32\lojcnoja.dll C:\WINDOWS\system32\mcrh.tmp C:\WINDOWS\system32\mTDfPqru.ini C:\WINDOWS\system32\mTDfPqru.ini2 C:\WINDOWS\system32\qlkkcics.ini C:\WINDOWS\system32\rbovyudj.ini C:\WINDOWS\system32\RrBbdccf.ini C:\WINDOWS\system32\RrBbdccf.ini2 C:\WINDOWS\system32\RuCKQqss.ini C:\WINDOWS\system32\RuCKQqss.ini2 C:\WINDOWS\system32\scickklq.dll C:\WINDOWS\system32\sjmmbote.exe C:\WINDOWS\system32\uftilqea.dll C:\WINDOWS\system32\usegsaif.dll C:\WINDOWS\system32\vpbgglcw.exe C:\WINDOWS\system32\vqivoijb.ini C:\WINDOWS\system32\vxcuwcig.dll C:\WINDOWS\system32\xdjeeggc.dll C:\WINDOWS\system32\xpenpkxd.exe C:\WINDOWS\system32\yGPWayay.ini C:\WINDOWS\system32\yGPWayay.ini2 C:\WINDOWS\system32\ywtyljec.dll . ((((((((((((((((((((((((( Files Created from 2008-05-01 to 2008-06-01 ))))))))))))))))))))))))))))))) . 2008-06-01 10:58 . 2008-06-01 10:58 373,248 --a------ C:\WINDOWS\system32\vtUlMfFU.dll 2008-06-01 10:58 . 2008-06-01 10:58 345 --ahs---- C:\WINDOWS\system32\UFfMlUtv.ini2 2008-06-01 10:58 . 2008-06-01 10:58 345 --ahs---- C:\WINDOWS\system32\UFfMlUtv.ini 2008-06-01 10:35 . 2008-06-01 10:35 <DIR> d-------- C:\VundoFix Backups 2008-06-01 00:36 . 2008-06-01 00:54 <DIR> d-------- C:\!KillBox 2008-05-31 12:54 . 2008-05-31 12:54 54,156 --ah----- C:\WINDOWS\QTFont.qfn 2008-05-31 12:54 . 2008-05-31 12:54 1,409 --a------ C:\WINDOWS\QTFont.for 2008-05-31 00:51 . 373,248 C:\WINDOWS\system32\fccdbBrR.dll_old 2008-05-31 00:50 . 2008-05-31 00:50 552 --a------ C:\WINDOWS\system32\d3d8caps.dat 2008-05-29 22:35 . 2008-05-29 22:41 <DIR> d-------- C:\Program Files\CCleaner 2008-05-28 20:20 . 2008-05-28 20:20 <DIR> d-------- C:\Program Files\aKill 2008-05-28 19:59 . 2008-05-28 19:59 <DIR> d-------- C:\Program Files\Safer Networking 2008-05-28 19:53 . 2008-06-01 10:16 611 --a------ C:\WINDOWS\wininit.ini 2008-05-28 17:31 . 2008-05-29 00:13 <DIR> d-------- C:\Program Files\File Shredder 2008-05-28 17:20 . 2008-05-29 00:14 372,736 --a------ C:\WINDOWS\system32\23560491.dll_old 2008-05-28 17:16 . 2008-05-28 17:16 58,368 --a------ C:\WINDOWS\system32\cbXRKEvv.dll 2008-05-28 17:15 . 2008-05-28 17:15 58,368 --a------ C:\WINDOWS\system32\urqPjGyV.dll 2008-05-28 17:15 . 2008-05-28 17:15 58,368 --a------ C:\WINDOWS\system32\mlJCuuSJ.dll 2008-05-27 23:18 . 2008-05-27 23:18 151 --a------ C:\WINDOWS\PhotoSnapViewer.INI 2008-05-27 13:26 . 2008-05-27 13:26 <DIR> d-------- C:\Program Files\LimeWire 2008-05-27 13:26 . 2008-05-28 17:20 <DIR> d-------- C:\Documents and Settings\Jordan\Application Data\LimeWire 2008-05-27 13:24 . 2008-05-27 13:24 <DIR> d-------- C:\WINDOWS\system32\SDA 2008-05-27 13:24 . 2008-05-27 13:24 <DIR> d-------- C:\Program Files\TOSHIBA 2008-05-26 12:14 . 2008-05-26 12:15 <DIR> d-------- C:\Program Files\FLAC 2008-05-26 11:35 . 2008-05-26 11:37 <DIR> d-------- C:\Program Files\Winamp 2008-05-26 11:35 . 2008-05-26 11:45 <DIR> d-------- C:\Documents and Settings\Jordan\Application Data\Winamp 2008-05-23 00:02 . 2008-05-23 00:02 116 --a------ C:\WINDOWS\NeroDigital.ini 2008-05-22 12:35 . 2008-05-23 00:03 <DIR> d-------- C:\Documents and Settings\Jordan\Application Data\Ahead 2008-05-22 12:34 . 2008-05-22 12:34 <DIR> d-------- C:\Program Files\Nero 2008-05-22 12:34 . 2008-05-22 12:34 <DIR> d-------- C:\Program Files\Common Files\Ahead 2008-05-22 10:40 . 2008-05-22 10:40 <DIR> d-------- C:\Westwood 2008-05-17 18:33 . 2008-05-17 18:33 <DIR> d-------- C:\WINDOWS\system32\LogFiles 2008-05-16 12:09 . 2008-05-16 12:09 <DIR> d-------- C:\Program Files\EA GAMES 2008-05-16 12:08 . 2008-05-16 12:08 <DIR> d-------- C:\Program Files\MagicDisc 2008-05-16 12:08 . 2008-02-18 17:29 96,256 --a------ C:\WINDOWS\system32\drivers\mcdbus.sys 2008-05-16 12:04 . 2008-05-16 12:04 <DIR> d-------- C:\Program Files\MagicISO 2008-05-15 13:52 . 2008-06-01 00:35 <DIR> d-------- C:\Program Files\Mozilla Firefox 3 Beta 5 2008-05-14 18:45 . 2008-05-15 13:51 0 --a------ C:\WINDOWS\vpd.properties 2008-05-14 18:42 . 2008-05-14 18:42 <DIR> d-------- C:\Program Files\Sybase 2008-05-13 22:23 . 2008-05-13 22:23 <DIR> d-------- C:\Program Files\uTorrent 2008-05-13 22:22 . 2008-05-28 17:42 <DIR> d-------- C:\Documents and Settings\Jordan\Application Data\uTorrent 2008-05-12 20:08 . 2008-05-28 17:44 <DIR> d-------- C:\Program Files\Google 2008-05-11 02:09 . 2008-05-11 02:09 <DIR> d-------- C:\Program Files\Apple Software Update 2008-05-10 20:46 . 2004-08-04 08:00 221,184 --a------ C:\WINDOWS\system32\wmpns.dll 2008-05-10 15:01 . 2008-05-10 15:01 <DIR> d-------- C:\Program Files\Red Kawa 2008-05-10 15:01 . 2008-05-10 15:01 <DIR> d-------- C:\Program Files\AviSynth 2.5 2008-05-08 14:31 . 2005-06-10 22:02 12,800 --a------ C:\WINDOWS\system32\vncdrv.dll 2008-05-08 14:31 . 2004-06-26 13:22 6,016 --a------ C:\WINDOWS\system32\drivers\vnccom.SYS 2008-05-08 14:31 . 2004-06-26 13:21 5,760 --a------ C:\WINDOWS\system32\vnchelp.dll 2008-05-08 14:31 . 2004-06-26 13:22 4,736 --a------ C:\WINDOWS\system32\drivers\vncdrv.sys 2008-05-08 14:31 . 2008-05-08 14:31 44 --a------ C:\WINDOWS\system32\' 2008-05-08 03:00 . 2008-05-08 03:00 <DIR> d-------- C:\Program Files\MSXML 6.0 2008-05-06 21:02 . 2008-05-06 21:05 <DIR> d-------- C:\Program Files\AutoCAD 2009 2008-05-06 21:02 . 2008-05-28 23:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Autodesk 2008-05-06 21:02 . 2007-07-19 18:14 3,727,720 --a------ C:\WINDOWS\system32\d3dx9_35.dll 2008-05-06 21:01 . 2008-05-06 21:01 <DIR> d-------- C:\Program Files\MSBuild 2008-05-06 20:59 . 2008-05-06 20:59 <DIR> d-------- C:\WINDOWS\system32\XPSViewer 2008-05-06 20:59 . 2008-05-06 20:59 <DIR> d-------- C:\Program Files\Reference Assemblies 2008-05-06 20:58 . 2006-06-29 13:07 14,048 --a------ C:\WINDOWS\system32\spmsg2.dll 2008-05-06 20:56 . 2008-05-06 21:06 <DIR> d-------- C:\Program Files\Common Files\Autodesk Shared 2008-05-06 20:56 . 2008-05-06 20:56 <DIR> d-------- C:\Program Files\Autodesk 2008-05-06 20:56 . 2008-05-28 23:51 <DIR> d-------- C:\Documents and Settings\Jordan\Application Data\Autodesk 2008-05-06 20:40 . 2008-05-06 20:40 <DIR> d-------- C:\install 2008-05-06 13:57 . 2008-05-06 13:57 <DIR> d-------- C:\WINDOWS\Sun 2008-05-06 13:57 . 2008-02-22 02:33 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl 2008-05-06 13:56 . 2008-05-06 13:57 <DIR> d-------- C:\Program Files\Java 2008-05-06 13:49 . 2008-05-06 13:49 <DIR> d-------- C:\Program Files\Common Files\Java 2008-05-06 13:38 . 2008-05-06 13:38 <DIR> d-------- C:\Documents and Settings\Jordan\WINDOWS 2008-05-06 13:38 . 1995-09-02 15:57 269,312 --a------ C:\WINDOWS\uninst.exe 2008-05-04 12:58 . 2008-05-04 12:59 <DIR> d-------- C:\Program Files\Common Files\Adobe 2008-05-02 00:38 . 2008-05-10 20:47 <DIR> d-------- C:\Program Files\Desktop Lighter 2008-05-01 13:42 . 2004-08-03 23:07 59,264 --a------ C:\WINDOWS\system32\drivers\USBAUDIO.sys 2008-05-01 13:42 . 2004-08-03 23:07 59,264 --a--c--- C:\WINDOWS\system32\dllcache\usbaudio.sys 2008-05-01 13:42 . 2004-08-04 00:56 21,504 --a------ C:\WINDOWS\system32\hidserv.dll 2008-05-01 13:42 . 2004-08-04 00:56 21,504 --a--c--- C:\WINDOWS\system32\dllcache\hidserv.dll . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))) )) . 2008-05-28 21:09 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy 2008-05-14 18:32 --------- d-----w C:\Program Files\Need for Speed Underground 2 2008-05-03 03:28 --------- d-----w C:\Program Files\Buddy Icon Maker 2008-05-03 03:10 --------- d-----w C:\Program Files\AIM6 2008-04-30 21:18 --------- d-----w C:\Program Files\Microsoft ActiveSync 2008-04-30 07:08 --------- d-----w C:\Documents and Settings\Jordan\Application Data\ATI 2008-04-30 07:08 --------- d-----w C:\Documents and Settings\All Users\Application Data\ATI 2008-04-30 03:27 --------- d-----w C:\Program Files\EphPod 2008-04-30 02:39 --------- d-----w C:\Program Files\Common Files\DirectX 2008-04-30 02:31 --------- d-----w C:\Program Files\DirectX 9.0c 2008-04-30 02:05 --------- d-----w C:\Program Files\Volumouse 2008-04-30 02:04 39,424 ----a-w C:\WINDOWS\zipinst.exe 2008-04-30 00:29 315,392 ----a-w C:\WINDOWS\HideWin.exe 2008-04-30 00:29 --------- d--h--w C:\Program Files\InstallShield Installation Information 2008-04-30 00:29 --------- d-----w C:\Program Files\Realtek 2008-04-30 00:23 --------- d-----w C:\Program Files\Infogrames 2008-04-30 00:13 --------- d-----w C:\Program Files\QuickTime 2008-04-30 00:13 --------- d-----w C:\Program Files\iTunes 2008-04-30 00:13 --------- d-----w C:\Program Files\iPod 2008-04-30 00:13 --------- d-----w C:\Program Files\Bonjour 2008-04-30 00:13 --------- d-----w C:\Documents and Settings\Jordan\Application Data\Apple Computer 2008-04-30 00:13 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer 2008-04-30 00:12 --------- d-----w C:\Program Files\Common Files\Apple 2008-04-30 00:12 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple 2008-04-29 23:54 --------- d-----w C:\Documents and Settings\Jordan\Application Data\acccore 2008-04-29 23:54 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL OCP 2008-04-29 23:53 --------- d-----w C:\Program Files\Colorizer 2008-04-29 23:51 --------- d-----w C:\Program Files\AIM FightList 2008-04-29 23:51 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL 2008-04-29 23:47 --------- d-----w C:\Documents and Settings\Jordan\Application Data\vlc 2008-04-29 23:46 --------- d-----w C:\Program Files\VideoLAN 2008-04-29 23:44 --------- d-----w C:\Program Files\Trend Micro 2008-04-29 23:37 --------- d-----w C:\Program Files\ATI 2008-04-29 23:36 --------- d-----w C:\Program Files\Common Files\InstallShield 2008-04-29 23:36 --------- d-----w C:\Program Files\ATI Technologies 2008-04-29 23:35 --------- d-----w C:\Program Files\Spybot - Search & Destroy 2008-04-29 23:08 --------- d-----w C:\Program Files\microsoft frontpage 2008-04-17 20:33 4,707,328 ----a-w C:\WINDOWS\system32\drivers\RtkHDAud.sys 2008-04-10 20:52 16,861,184 ----a-w C:\WINDOWS\RTHDCPL.exe 2008-04-02 13:27 1,196,032 ----a-w C:\WINDOWS\RtlUpd.exe 2008-03-29 05:19 9,801,728 ----a-w C:\WINDOWS\system32\atioglx2.dll 2008-03-29 04:40 167,936 ----a-w C:\WINDOWS\system32\atiok3x2.dll 2008-03-29 04:05 372,736 ----a-w C:\WINDOWS\system32\ATIDEMGX.dll 2008-03-29 04:04 299,008 ----a-w C:\WINDOWS\system32\ati2dvag.dll 2008-03-29 03:56 172,032 ----a-w C:\WINDOWS\system32\atipdlxx.dll 2008-03-29 03:56 126,976 ----a-w C:\WINDOWS\system32\Oemdspif.dll 2008-03-29 03:55 43,520 ----a-w C:\WINDOWS\system32\ati2edxx.dll 2008-03-29 03:55 26,112 ----a-w C:\WINDOWS\system32\Ati2mdxx.exe 2008-03-29 03:55 126,976 ----a-w C:\WINDOWS\system32\ati2evxx.dll 2008-03-29 03:54 536,576 ----a-w C:\WINDOWS\system32\ati2evxx.exe 2008-03-29 03:52 53,248 ----a-w C:\WINDOWS\system32\ATIDDC.DLL 2008-03-29 03:43 3,176,480 ----a-w C:\WINDOWS\system32\ati3duag.dll 2008-03-29 03:39 307,200 ----a-w C:\WINDOWS\system32\atiiiexx.dll 2008-03-29 03:36 1,765,120 ----a-w C:\WINDOWS\system32\ativvaxx.dll 2008-03-29 03:24 46,080 ----a-w C:\WINDOWS\system32\amdpcom32.dll 2008-03-29 03:23 5,439,488 ----a-w C:\WINDOWS\system32\atioglxx.dll 2008-03-29 03:21 393,216 ----a-w C:\WINDOWS\system32\atikvmag.dll 2008-03-29 03:19 17,408 ----a-w C:\WINDOWS\system32\atitvo32.dll 2008-03-29 03:12 520,192 ----a-w C:\WINDOWS\system32\ati2cqag.dll 2008-03-29 01:05 593,920 ----a-w C:\WINDOWS\system32\ati2sgag.exe 2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll 2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys 2008-03-05 22:07 520,192 ----a-w C:\WINDOWS\RtlExUpd.dll . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . Note empty entries & legit default entries are not shown REGEDIT4 [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{166BCB27-FCFD-4588-9BDB-44FC6A02EF35}] 2008-05-28 17:15 58368 --a------ C:\WINDOWS\system32\urqPjGyV.dll [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5170872F-A9BD-4D9E-9DF2-FF8E4CB503F3}] 2008-06-01 10:58 373248 --a------ C:\WINDOWS\system32\vtUlMfFU.dll [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E54863BA-42B9-447F-BD94-A50156215BD7}] C:\WINDOWS\system32\fccdbBrR.dll [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Curre ntVersion\Run] "Aim6"="C:\Program Files\AIM6\aim6.exe" [2008-03-25 16:21 50528] "DLIGHTER"="C:\Program Files\Desktop Lighter\DLighter.exe" [2008-03-15 02:30 224768] "MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24 1694208] "BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe" [2005-09-03 15:18 94208] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Run] "AtiPTA"="atiptaxx.exe" [2006-02-21 21:05 344064 C:\WINDOWS\system32\atiptaxx.exe] "StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-01-21 12:17 61440] "ATICustomerCare"="C:\Program Files\ATI\ATICustomerCare\ATICustomerCare.exe" [2007-10-04 18:38 307200] "SpybotSnD"="C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" [2008-01-28 11:43 5146448] "QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-03-28 23:37 413696] "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048] "RTHDCPL"="RTHDCPL.EXE" [2008-04-10 16:52 16861184 C:\WINDOWS\RTHDCPL.exe] "Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792] "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784] "NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.e xe" [2001-07-09 11:50 155648] "WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2008-04-01 14:49 36352] "BMbf54f06c"="C:\WINDOWS\system32\xniefnue.dll " [2008-06-01 11:02 126464] C:\Documents and Settings\Jordan\Start Menu\Programs\Startup\ MagicDisc.lnk - C:\Program Files\MagicDisc\MagicDisc.exe [2008-05-16 12:08:05 546816] C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04 83360] [hkey_local_machine\software\microsoft\windows\curr entversion\explorer\shellexecutehooks] "{166BCB27-FCFD-4588-9BDB-44FC6A02EF35}"= C:\WINDOWS\system32\urqPjGyV.dll [2008-05-28 17:15 58368] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\urqPjGyV] urqPjGyV.dll 2008-05-28 17:15 58368 C:\WINDOWS\system32\urqPjGyV.dll [HKEY_LOCAL_MACHINE\system\currentcontrolset\contro l\lsa] Authentication Packages REG_MULTI_SZ msv1_0 C:\WINDOWS\system32\vtUlMfFU [HKLM\~\services\sharedaccess\parameters\firewallpo licy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "C:\\Program Files\\AIM6\\aim6.exe"= "C:\\Program Files\\Bonjour\\mDNSResponder.exe"= "C:\\Program Files\\iTunes\\iTunes.exe"= "C:\\Program Files\\uTorrent\\uTorrent.exe"= R2 vnccom;vnccom;C:\WINDOWS\system32\Drivers\vnccom.S YS [2004-06-26 13:22] S3 cpuz;cpuz;C:\DOCUME~1\Jordan\LOCALS~1\Temp\Rar$EX0 0.422\cpuz.sys [] [HKEY_CURRENT_USER\software\microsoft\windows\curre ntversion\explorer\mountpoints2\E] \Shell\AutoRun\command - E:\autorun.exe \Shell\readit\command - notepad readme.doc . Contents of the 'Scheduled Tasks' folder "2008-05-26 20:48:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job" - C:\Program Files\Apple Software Update\SoftwareUpdate.exe "2008-06-01 07:00:03 C:\WINDOWS\Tasks\Spybot - Search & Destroy - Scheduled Task.job" - C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe . ************************************************ ******************** catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2008-06-01 10:58:27 Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... C:\WINDOWS\system32\xniefnue.dll scan completed successfully hidden files: 1 ********************************************** ******************** . --------------------- DLLs Loaded Under Running Processes --------------------- PROCESS: C:\WINDOWS\system32\winlogon.exe -> C:\WINDOWS\system32\urqPjGyV.dll PROCESS: C:\WINDOWS\explorer.exe -> C:\WINDOWS\system32\xniefnue.dll -> C:\WINDOWS\system32\vtUlMfFU.dll . ------------------------ Other Running Processes ------------------------ . C:\WINDOWS\system32\ati2evxx.exe C:\WINDOWS\system32\ati2evxx.exe C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe C:\Program Files\Bonjour\mDNSResponder.exe C:\WINDOWS\system32\wdfmgr.exe C:\WINDOWS\system32\wscntfy.exe C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\rundll32.exe C:\Program Files\iPod\bin\iPodService.exe C:\Program Files\AIM6\aolsoftware.exe C:\Program Files\Mozilla Firefox 3 Beta 5\firefox.exe C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\verclsid.exe . ********************************************** ********************** . Completion time: 2008-06-01 11:06:07 - machine was rebooted [Jordan] ComboFix-quarantined-files.txt 2008-06-01 15:05:22 Pre-Run: 178,504,417,280 bytes free Post-Run: 178,550,452,224 bytes free 286 --- E O F --- 2008-05-28 07:01:12 __________________ TheMarsVolta55

06-02-2008, 07:12 AM	#10 (permalink)
themarsvolta55 Bronze Member Join Date: Jan 2006 Posts: 62	here is my avenger deckards will be posted shortly... ------------------------------------------------------ Logfile of The Avenger Version 2.0, (c) by Swandog46 http://swandog46.geekstogo.com Platform: Windows XP ***************** Script file opened successfully. Script file read successfully. Backups directory opened successfully at C:\Avenger *************** Beginning to process script file: Rootkit scan active. No rootkits found! Error: file "C:\WINDOWS\system32\vtUlMfFU.dll" not found! Deletion of file "C:\WINDOWS\system32\vtUlMfFU.dll" failed! Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND) --> the object does not exist File "C:\WINDOWS\system32\UFfMlUtv.ini2" deleted successfully. File "C:\WINDOWS\system32\UFfMlUtv.ini" deleted successfully. Error: file "C:\WINDOWS\system32\fccdbBrR.dll_old" not found! Deletion of file "C:\WINDOWS\system32\fccdbBrR.dll_old" failed! Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND) --> the object does not exist File "C:\WINDOWS\system32\d3d8caps.dat" deleted successfully. File "C:\WINDOWS\system32\23560491.dll_old" deleted successfully. File "C:\WINDOWS\system32\cbXRKEvv.dll" deleted successfully. File "C:\WINDOWS\system32\urqPjGyV.dll" deleted successfully. File "C:\WINDOWS\system32\mlJCuuSJ.dll" deleted successfully. File "C:\WINDOWS\system32\xniefnue.dll" deleted successfully. Completed script processing. ***************** Finished! Terminate. __________________ TheMarsVolta55

Thread Tools	Search this Thread
Show Printable Version Email this Page	Search this Thread: Advanced Search
Display Modes
Switch to Linear Mode Hybrid Mode Switch to Threaded Mode