Virtumonde.dll

T34m1na0r

New Member
Hey, a few weeks back I noticed my computer started giving me a bunch of popups that told me my computer was infected, and a bunch of websites kept popping up even with my pop-up blocker on. I started doing numerous virus checks with AVG and it kept getting files that I kept deleting. Then I decided that I should get some spyware protection. I downloaded Windows Defender and it showed files too. I also got another spyware program, but anyway... It won't let me go to a search engine, or even my e-mail. I am getting pissed off, and since someone else here had Virtumonde.dll also, I looked at the post, but it's best if you guys look at it.

I downloaded ComboFix and did a report to help you guys out. I'm not very tech savvy at all, so if you have time to explain some of the lingo it would be greatly appreciated.


ComboFix 08-06-04.3 - HP_Owner 2008-06-04 22:12:09.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.168 [GMT -7:00]
Running from: C:\Documents and Settings\HP_Owner\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\Svconr
C:\Program Files\Temporary
C:\WINDOWS\BMef495747.xml
C:\WINDOWS\cookies.ini
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\ailffumx.ini
C:\WINDOWS\system32\bemhxdas.ini
C:\WINDOWS\system32\brrafcls.dll
C:\WINDOWS\system32\cjxaeivc.dll
C:\WINDOWS\system32\cosijiry.dll
C:\WINDOWS\system32\cwpbmern.ini
C:\WINDOWS\system32\dawqrwgq.ini
C:\WINDOWS\system32\exmkivfe.dll
C:\WINDOWS\system32\fgrplwdf.dll
C:\WINDOWS\system32\galutigo.dll
C:\WINDOWS\system32\gjjbivkj.dll
C:\WINDOWS\system32\gmwgksws.dll
C:\WINDOWS\system32\iplafrws.dll
C:\WINDOWS\system32\jrrggvxt.dll
C:\WINDOWS\system32\kgbgfkcm.dll
C:\WINDOWS\system32\knaglaxp.dll
C:\WINDOWS\system32\kpaoxvdj.dll
C:\WINDOWS\system32\licqkvle.ini
C:\WINDOWS\system32\LUxIOnnn.ini
C:\WINDOWS\system32\LUxIOnnn.ini2
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\nbqnnndl.dll
C:\WINDOWS\system32\nrembpwc.dll
C:\WINDOWS\system32\ofwaewfa.dll
C:\WINDOWS\system32\pvxmpcjm.ini
C:\WINDOWS\system32\pxkxjfoh.dll
C:\WINDOWS\system32\qjdyiged.dll
C:\WINDOWS\system32\qnicxtov.ini
C:\WINDOWS\system32\quefgngn.ini
C:\WINDOWS\system32\raxjyhwj.dll
C:\WINDOWS\system32\rmpvcmnc.ini
C:\WINDOWS\system32\rxsbptcs.dll
C:\WINDOWS\system32\sadxhmeb.dll
C:\WINDOWS\system32\tnulcqsa.ini
C:\WINDOWS\system32\vmtsecjf.ini
C:\WINDOWS\system32\wayFgfii.ini
C:\WINDOWS\system32\wayFgfii.ini2
C:\WINDOWS\system32\welbttti.dll
C:\WINDOWS\system32\yayxUOHb.dll
C:\WINDOWS\system32\yhhemgof.ini
C:\WINDOWS\system32\yrngcsuy.dll
C:\WINDOWS\system32\ywufttwt.ini

.
((((((((((((((((((((((((( Files Created from 2008-05-05 to 2008-06-05 )))))))))))))))))))))))))))))))
.

2008-06-04 22:18 . 2008-06-04 22:18 109,807 --a------ C:\WINDOWS\BMef495747.xml
2008-06-04 22:18 . 2008-06-04 22:18 294 ---hs---- C:\WINDOWS\system32\dawqrwgq.ini
2008-06-04 22:18 . 2008-06-04 22:18 22 --a------ C:\WINDOWS\pskt.ini
2008-06-04 22:06 . 2008-06-04 22:06 <DIR> d-------- C:\Program Files\Trend Micro
2008-06-04 20:41 . 2008-06-04 20:44 94,208 --a------ C:\WINDOWS\ScUnin.exe
2008-06-04 20:41 . 2008-06-04 20:44 32,930 --a------ C:\WINDOWS\scunin.dat
2008-06-04 20:41 . 2008-06-04 20:44 967 --a------ C:\WINDOWS\ScUnin.pif
2008-06-04 20:32 . 2008-06-04 21:10 153 --a------ C:\WINDOWS\wininit.ini
2008-06-04 19:35 . 2008-06-04 19:35 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-06-04 19:35 . 2008-06-04 20:02 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-06-04 18:18 . 2008-06-04 18:18 95,232 --a------ C:\WINDOWS\system32\lhxjbjyb.dll
2008-06-04 18:09 . 2008-06-04 18:09 82,432 --a------ C:\WINDOWS\system32\qgwrqwad.dll
2008-06-04 18:06 . 2008-06-04 18:06 91,136 --a------ C:\WINDOWS\system32\neqcfutr.dll
2008-06-04 17:35 . 2008-06-04 21:03 <DIR> d-------- C:\Program Files\Starcraft
2008-06-03 18:05 . 2008-06-03 18:05 280,576 --a------ C:\WINDOWS\system32\nnnOIxUL.dll_old
2008-06-01 22:30 . 2008-06-01 22:30 <DIR> d-------- C:\Program Files\Windows Defender
2008-05-24 11:24 . 2008-05-24 11:24 <DIR> d-------- C:\Program Files\jv16 PowerTools 2008
2008-05-24 11:24 . 2008-05-24 11:24 23 --a------ C:\WINDOWS\system32\fafcfe6_z.ocx
2008-05-24 11:24 . 2008-05-24 11:24 23 --ahs---- C:\WINDOWS\system32\acafedebcfc2_z.dll
2008-05-21 18:23 . 2008-05-26 18:18 <DIR> d-------- C:\Program Files\GameSpy Arcade
2008-05-21 18:22 . 2008-05-21 18:22 <DIR> d-------- C:\Program Files\The Creative Assembly
2008-05-13 15:37 . 2008-06-04 21:10 <DIR> d-------- C:\Program Files\Mozilla Firefox 3 Beta 5
2008-05-13 15:23 . 2008-05-13 15:23 0 --a------ C:\WINDOWS\nsreg.dat
2008-05-10 21:52 . 2008-05-10 21:52 <DIR> d-------- C:\Program Files\Sun
2008-05-10 21:51 . 2008-05-11 10:36 45 --a------ C:\WINDOWS\system32\RPVersion.ini
2008-05-10 21:48 . 2008-05-11 10:57 <DIR> d-------- C:\Program Files\RegistryPatrol3.0
2008-05-08 18:10 . 2008-05-08 18:10 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\FLEXnet
2008-05-08 18:08 . 2008-05-08 18:08 <DIR> d-------- C:\Program Files\Bonjour
2008-05-08 18:01 . 2008-05-08 18:01 <DIR> d-------- C:\Program Files\Common Files\Macrovision Shared
2008-05-08 15:41 . 2008-05-08 15:41 4 --a------ C:\WINDOWS\system32\ulfconfig0103.ulf
2008-05-07 09:30 . 2008-05-07 11:32 754 --a------ C:\WINDOWS\WORDPAD.INI

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-05 00:56 --------- d-----w C:\Documents and Settings\HP_Owner\Application Data\Azureus
2008-06-02 06:48 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg7
2008-05-29 02:57 22,328 ----a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys
2008-05-27 01:43 --------- d-----w C:\Program Files\Gamevance
2008-05-27 01:34 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-27 01:34 --------- d-----w C:\Program Files\LucasArts
2008-05-27 01:29 --------- d-----w C:\Program Files\Real
2008-05-27 01:28 --------- d-----w C:\Documents and Settings\HP_Owner\Application Data\My Games
2008-05-27 01:25 --------- d-----w C:\Program Files\Google
2008-05-27 01:24 --------- d-----w C:\Program Files\GameShadow
2008-05-24 19:00 --------- d-----w C:\Program Files\QuickTime
2008-05-24 19:00 --------- d-----w C:\Program Files\LimeWire
2008-05-23 17:52 --------- d-----w C:\Program Files\WarRock
2008-05-11 17:58 --------- d-----w C:\Program Files\Best Buy Rhapsody
2008-05-11 04:51 --------- d-----w C:\Program Files\Java
2008-05-09 01:08 --------- d-----w C:\Program Files\Common Files\Adobe
2008-05-09 00:52 --------- d-----w C:\Documents and Settings\HP_Owner\Application Data\Xfire
2008-05-08 22:27 --------- d--h--w C:\Documents and Settings\HP_Owner\Application Data\ijjigame
2008-04-30 20:30 --------- d-----w C:\Documents and Settings\HP_Owner\Application Data\AVG7
2008-04-30 00:13 --------- d-----w C:\Program Files\Common Files\INCA Shared
2008-04-29 17:22 --------- d-----w C:\Program Files\Paint.NET
2008-04-29 15:53 --------- d-----w C:\Program Files\Azureus
2008-04-28 23:27 --------- d-----w C:\Documents and Settings\HP_Owner\Application Data\TeamViewer
2008-04-28 14:36 --------- d-----w C:\Program Files\iTunes
2008-04-28 14:34 --------- d-----w C:\Program Files\iPod
2008-04-28 14:22 --------- d-----w C:\Program Files\Apple Software Update
2008-04-11 20:31 --------- d-----w C:\Documents and Settings\HP_Owner\Application Data\Intuit
2008-04-05 22:41 --------- d-----w C:\Program Files\Common Files\Intuit
2008-04-05 22:41 --------- d-----w C:\Documents and Settings\All Users\Application Data\Intuit
2008-04-05 22:40 --------- d-----w C:\Program Files\TurboTax
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9AEF5EB8-864D-48D1-B511-9479E8D79610}]
C:\WINDOWS\system32\nnnOIxUL.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BACAD5E6-774A-4D09-926C-8D6CB80BA969}]
C:\WINDOWS\system32\iifgFyaw.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{cd8313e8-4684-486b-a642-e44e58f80762}]
2008-06-04 18:18 95232 --a------ C:\WINDOWS\system32\lhxjbjyb.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DAEMON Tools Lite"="C:\Program Files\DAEMON Tools Lite\daemon.exe" [2008-01-17 09:51 486856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 16:04 52736]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2004-08-03 18:43 118784]
"HPHUPD06"="c:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe" [2004-06-07 18:53 49152]
"HPHmon06"="C:\WINDOWS\system32\hphmon06.exe" [2004-06-07 18:42 659456]
"KBD"="C:\HP\KBD\KBD.EXE" [2003-02-11 20:02 61440]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2004-08-07 14:03 180269]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2004-04-14 20:43 233472]
"PS2"="C:\WINDOWS\system32\ps2.exe" [2002-10-16 16:57 81920]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-01-27 19:39 579072]
"ec7a64db"="C:\WINDOWS\system32\qgwrqwad.dll" [2008-06-04 18:09 82432]
"BMef495747"="C:\WINDOWS\system32\neqcfutr.dll" [2008-06-04 18:06 91136]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-11-05 10:25 219136]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-22 20:29 39264]

[HKLM\~\startupfolder\C:^Documents and Settings^HP_Owner^Start Menu^Programs^Startup^Xfire.lnk]
path=C:\Documents and Settings\HP_Owner\Start Menu\Programs\Startup\Xfire.lnk
backup=C:\WINDOWS\pss\Xfire.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Microsoft Games\\Halo Trial\\halo.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Azureus\\Azureus.exe"=
"C:\\Program Files\\Starcraft\\StarCraft.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\WINDOWS\\system32\\sessmgr.exe"=

S3 teamviewervpn;TeamViewer VPN Adapter;C:\WINDOWS\system32\DRIVERS\teamviewervpn.sys [2008-01-25 02:12]
S3 usbprint;Microsoft USB PRINTER Class;C:\WINDOWS\system32\DRIVERS\usbprint.sys [2004-08-04 00:01]

.
Contents of the 'Scheduled Tasks' folder
"2008-05-29 16:45:15 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-06-05 05:20:46 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-04 22:18:11
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


C:\WINDOWS\system32\dawqrwgq.ini 294 bytes

scan completed successfully
hidden files: 1

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\explorer.exe
-> C:\WINDOWS\system32\qgwrqwad.dll
-> C:\WINDOWS\system32\neqcfutr.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
.
**************************************************************************
.
Completion time: 2008-06-04 22:23:50 - machine was rebooted
ComboFix-quarantined-files.txt 2008-06-05 05:23:36

Pre-Run: 145,845,956,608 bytes free
Post-Run: 146,770,067,456 bytes free

219 --- E O F --- 2008-05-17 10:03:54
 
  • Open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

    Code:
    File::
    C:\WINDOWS\BMef495747.xml
    C:\WINDOWS\system32\dawqrwgq.ini
    C:\WINDOWS\pskt.ini
    C:\WINDOWS\system32\lhxjbjyb.dll
    C:\WINDOWS\system32\qgwrqwad.dll
    C:\WINDOWS\system32\neqcfutr.dll
    C:\WINDOWS\system32\nnnOIxUL.dll_old
    C:\WINDOWS\system32\fafcfe6_z.ocx
    C:\WINDOWS\system32\acafedebcfc2_z.dll
    
    Registry::
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9AEF5EB8-864D-48D1-B511-9479E8D79610}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BACAD5E6-774A-4D09-926C-8D6CB80BA969}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{cd8313e8-4684-486b-a642-e44e58f80762}]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ec7a64db"=-
    "BMef495747"=-
  • Save this as CFScript.txt and change the Save as type to All Files and place it on your desktop.

  [Screenshot: CFScript.gif]

  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.
CAUTION:
Do NOT mouse-click ComboFix's window while it is running. That may cause it to stall.
Also, please do NOT adjust your time format while ComboFix is running.

Please download the HijackThis installer from http://www.trendsecure.com/portal/en-US/threat_analytics/HJTInstall.exe.

Run the installer and choose Install, indicating that you accept the licence agreement. The installer will place a shortcut on your desktop and launch HijackThis.

Click Do a system scan and save a logfile

When the Notepad window opens choose Edit -> Select All to select the entire log, and copy and paste the log into a reply post. How is your system running now?
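To show how the File:: and Registry:: entries in the script above follow from the first ComboFix log, here is an added Python example (not from this thread, and not part of ComboFix) that applies the same reasoning mechanically: random eight-letter DLLs created in system32 just before the scan, plus every Browser Helper Object or Run entry that loads such a DLL, become deletion entries. The log excerpt is constructed from this thread's own log, and the RECENT_DAYS threshold and all function names are assumptions.

```python
"""Draft a ComboFix CFScript from a ComboFix log (added example, not from the thread).

Heuristic the helper applied by hand: DLLs with random 8-letter names created in
system32 shortly before the scan are suspect, and so is every Browser Helper
Object (BHO) or Run entry that loads such a DLL.
"""
import re
from datetime import date

RECENT_DAYS = 7  # assumption: a random-named DLL younger than this is suspect

# "Files Created" lines: created . modified size attrs path
CREATED_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2}) \d{2}:\d{2} \. \d{4}-\d{2}-\d{2} \d{2}:\d{2} "
    r"(?:[\d,]+|<DIR>) \S{9} (.+)$")
RANGE_RE = re.compile(r"Files Created from \d{4}-\d{2}-\d{2} to (\d{4}-\d{2}-\d{2})")
KEY_RE = re.compile(r"^\[(.+)\]$")
PATH_RE = re.compile(r"[A-Za-z]:\\.*$")
RUN_VALUE_RE = re.compile(r'^"([^"]+)"="([^"]+)"')
RANDOM_DLL_RE = re.compile(r"\\system32\\[a-z]{8}\.dll$", re.I)

# Constructed excerpt modelled on the first log in this thread (same format).
SAMPLE_LOG = r"""
((((((((((((( Files Created from 2008-05-05 to 2008-06-05 )))))))))))))
.
2008-06-04 22:06 . 2008-06-04 22:06 <DIR> d-------- C:\Program Files\Trend Micro
2008-06-04 18:18 . 2008-06-04 18:18 95,232 --a------ C:\WINDOWS\system32\lhxjbjyb.dll
2008-06-04 18:09 . 2008-06-04 18:09 82,432 --a------ C:\WINDOWS\system32\qgwrqwad.dll
2008-06-04 18:06 . 2008-06-04 18:06 91,136 --a------ C:\WINDOWS\system32\neqcfutr.dll
2008-05-13 15:23 . 2008-05-13 15:23 0 --a------ C:\WINDOWS\nsreg.dat
.
((((((((((((( Reg Loading Points )))))))))))))
.
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9AEF5EB8-864D-48D1-B511-9479E8D79610}]
C:\WINDOWS\system32\nnnOIxUL.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{cd8313e8-4684-486b-a642-e44e58f80762}]
2008-06-04 18:18 95232 --a------ C:\WINDOWS\system32\lhxjbjyb.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-01-27 19:39 579072]
"ec7a64db"="C:\WINDOWS\system32\qgwrqwad.dll" [2008-06-04 18:09 82432]
"BMef495747"="C:\WINDOWS\system32\neqcfutr.dll" [2008-06-04 18:06 91136]
"""


def parse_created(log):
    """Return {path: creation date} from the 'Files Created' section."""
    files = {}
    for line in log.splitlines():
        m = CREATED_RE.match(line)
        if m:
            files[m.group(2)] = date.fromisoformat(m.group(1))
    return files


def parse_reg(log):
    """Return ({bho_key: dll_path}, {run_key: {name: target}}) from 'Reg Loading Points'."""
    bho, run, key = {}, {}, None
    for line in log.splitlines():
        km = KEY_RE.match(line)
        if km:
            key = km.group(1)
        elif not line.strip():
            key = None  # a blank line closes the current key
        elif key and "Browser Helper Objects" in key:
            pm = PATH_RE.search(line)  # line is either a bare path or date/size/attrs/path
            if pm:
                bho[key] = pm.group(0)
        elif key and key.upper().endswith("\\RUN"):
            vm = RUN_VALUE_RE.match(line)
            if vm:
                run.setdefault(key, {})[vm.group(1)] = vm.group(2)
    return bho, run


def scan_end_date(log, created):
    """End of the 'Files Created' window, falling back to the newest file seen."""
    m = RANGE_RE.search(log)
    return date.fromisoformat(m.group(1)) if m else max(created.values(), default=date.today())


def find_suspects(log):
    """Return (files to delete, BHO keys to delete, (run_key, value name) pairs to delete)."""
    created = parse_created(log)
    end = scan_end_date(log, created)
    files = {p for p, d in created.items()
             if RANDOM_DLL_RE.search(p) and (end - d).days <= RECENT_DAYS}
    bho, run = parse_reg(log)
    # A BHO is bad if it loads a fresh random DLL, or an orphaned random-named one.
    bad_bho = {k for k, p in bho.items() if p in files or RANDOM_DLL_RE.search(p)}
    # Run entries normally start .exe files; a bare .dll target is the Vundo pattern.
    bad_run = {(k, n) for k, vals in run.items() for n, t in vals.items()
               if t.lower().endswith(".dll")}
    files |= {bho[k] for k in bad_bho}
    files |= {run[k][n] for k, n in bad_run}
    return files, bad_bho, bad_run


def build_cfscript(files, bho_keys, run_values):
    """Render the File:: and Registry:: sections in CFScript syntax."""
    lines = ["File::", *sorted(files), "", "Registry::"]
    lines += [f"[-{k}]" for k in sorted(bho_keys)]  # [-key] deletes the whole key
    by_key = {}
    for k, n in sorted(run_values):
        by_key.setdefault(k, []).append(n)
    for k, names in by_key.items():
        lines.append(f"[{k}]")
        lines += [f'"{n}"=-' for n in names]  # "name"=- deletes one value
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(build_cfscript(*find_suspects(SAMPLE_LOG)))
```

The output is only a draft: a helper still checks each path before putting it in a CFScript, since a legitimate DLL with an unusual name would be flagged the same way.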
 
I did everything you requested. It's working great now, thanks a lot. :D:D

If you have the time, can you tell me how you knew how to make a script (and what the script did) with File::
C:\WINDOWS\BMef495747.xml
C:\WINDOWS\system32\dawqrwgq.ini
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\lhxjbjyb.dll
C:\WINDOWS\system32\qgwrqwad.dll
etc.

Here are the ComboFix and HijackThis logs.



ComboFix 08-06-04.3 - HP_Owner 2008-06-05 19:05:24.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.189 [GMT -7:00]
Running from: C:\Documents and Settings\HP_Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\HP_Owner\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\WINDOWS\BMef495747.xml
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\acafedebcfc2_z.dll
C:\WINDOWS\system32\dawqrwgq.ini
C:\WINDOWS\system32\fafcfe6_z.ocx
C:\WINDOWS\system32\lhxjbjyb.dll
C:\WINDOWS\system32\neqcfutr.dll
C:\WINDOWS\system32\nnnOIxUL.dll_old
C:\WINDOWS\system32\qgwrqwad.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\BMef495747.xml
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\acafedebcfc2_z.dll
C:\WINDOWS\system32\dawqrwgq.ini
C:\WINDOWS\system32\fafcfe6_z.ocx
C:\WINDOWS\system32\lhxjbjyb.dll
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\neqcfutr.dll
C:\WINDOWS\system32\nnnOIxUL.dll_old
C:\WINDOWS\system32\qgwrqwad.dll
D:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2008-05-06 to 2008-06-06 )))))))))))))))))))))))))))))))
.

2008-06-04 22:06 . 2008-06-04 22:06 <DIR> d-------- C:\Program Files\Trend Micro
2008-06-04 20:41 . 2008-06-04 20:44 94,208 --a------ C:\WINDOWS\ScUnin.exe
2008-06-04 20:41 . 2008-06-04 20:44 32,930 --a------ C:\WINDOWS\scunin.dat
2008-06-04 20:41 . 2008-06-04 20:44 967 --a------ C:\WINDOWS\ScUnin.pif
2008-06-04 20:32 . 2008-06-04 21:10 153 --a------ C:\WINDOWS\wininit.ini
2008-06-04 19:35 . 2008-06-04 19:35 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-06-04 19:35 . 2008-06-04 20:02 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-06-04 17:35 . 2008-06-05 16:21 <DIR> d-------- C:\Program Files\Starcraft
2008-06-01 22:30 . 2008-06-01 22:30 <DIR> d-------- C:\Program Files\Windows Defender
2008-05-24 11:24 . 2008-05-24 11:24 <DIR> d-------- C:\Program Files\jv16 PowerTools 2008
2008-05-21 18:23 . 2008-05-26 18:18 <DIR> d-------- C:\Program Files\GameSpy Arcade
2008-05-21 18:22 . 2008-05-21 18:22 <DIR> d-------- C:\Program Files\The Creative Assembly
2008-05-13 15:37 . 2008-06-05 19:02 <DIR> d-------- C:\Program Files\Mozilla Firefox 3 Beta 5
2008-05-13 15:23 . 2008-05-13 15:23 0 --a------ C:\WINDOWS\nsreg.dat
2008-05-10 21:52 . 2008-05-10 21:52 <DIR> d-------- C:\Program Files\Sun
2008-05-10 21:51 . 2008-05-11 10:36 45 --a------ C:\WINDOWS\system32\RPVersion.ini
2008-05-10 21:48 . 2008-05-11 10:57 <DIR> d-------- C:\Program Files\RegistryPatrol3.0
2008-05-08 18:10 . 2008-05-08 18:10 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\FLEXnet
2008-05-08 18:08 . 2008-05-08 18:08 <DIR> d-------- C:\Program Files\Bonjour
2008-05-08 18:01 . 2008-05-08 18:01 <DIR> d-------- C:\Program Files\Common Files\Macrovision Shared
2008-05-08 15:41 . 2008-05-08 15:41 4 --a------ C:\WINDOWS\system32\ulfconfig0103.ulf
2008-05-07 09:30 . 2008-05-07 11:32 754 --a------ C:\WINDOWS\WORDPAD.INI

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-05 00:56 --------- d-----w C:\Documents and Settings\HP_Owner\Application Data\Azureus
2008-06-02 06:48 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg7
2008-05-29 02:57 22,328 ----a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys
2008-05-27 01:43 --------- d-----w C:\Program Files\Gamevance
2008-05-27 01:34 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-27 01:34 --------- d-----w C:\Program Files\LucasArts
2008-05-27 01:29 --------- d-----w C:\Program Files\Real
2008-05-27 01:28 --------- d-----w C:\Documents and Settings\HP_Owner\Application Data\My Games
2008-05-27 01:25 --------- d-----w C:\Program Files\Google
2008-05-27 01:24 --------- d-----w C:\Program Files\GameShadow
2008-05-24 19:00 --------- d-----w C:\Program Files\QuickTime
2008-05-24 19:00 --------- d-----w C:\Program Files\LimeWire
2008-05-23 17:52 --------- d-----w C:\Program Files\WarRock
2008-05-11 17:58 --------- d-----w C:\Program Files\Best Buy Rhapsody
2008-05-11 04:51 --------- d-----w C:\Program Files\Java
2008-05-09 01:08 --------- d-----w C:\Program Files\Common Files\Adobe
2008-05-09 00:52 --------- d-----w C:\Documents and Settings\HP_Owner\Application Data\Xfire
2008-05-08 22:27 --------- d--h--w C:\Documents and Settings\HP_Owner\Application Data\ijjigame
2008-04-30 20:30 --------- d-----w C:\Documents and Settings\HP_Owner\Application Data\AVG7
2008-04-30 00:13 --------- d-----w C:\Program Files\Common Files\INCA Shared
2008-04-29 17:22 --------- d-----w C:\Program Files\Paint.NET
2008-04-29 15:53 --------- d-----w C:\Program Files\Azureus
2008-04-28 23:27 --------- d-----w C:\Documents and Settings\HP_Owner\Application Data\TeamViewer
2008-04-28 14:36 --------- d-----w C:\Program Files\iTunes
2008-04-28 14:34 --------- d-----w C:\Program Files\iPod
2008-04-28 14:22 --------- d-----w C:\Program Files\Apple Software Update
2008-04-11 20:31 --------- d-----w C:\Documents and Settings\HP_Owner\Application Data\Intuit
.

((((((((((((((((((((((((((((( snapshot@2008-06-04_22.23.03.53 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-02-26 11:48:44 297,984 ----a-w C:\WINDOWS\$hf_mig$\KB932823-v3\SP2QFE\msctf.dll
+ 2007-03-06 01:22:36 14,048 ----a-w C:\WINDOWS\$hf_mig$\KB932823-v3\spmsg.dll
+ 2007-03-06 01:22:41 213,216 ----a-w C:\WINDOWS\$hf_mig$\KB932823-v3\spuninst.exe
+ 2007-03-06 01:22:34 22,752 ----a-w C:\WINDOWS\$hf_mig$\KB932823-v3\update\spcustom.dll
+ 2007-03-06 01:22:59 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB932823-v3\update\update.exe
+ 2007-03-06 01:23:51 371,424 ----a-w C:\WINDOWS\$hf_mig$\KB932823-v3\update\updspapi.dll
- 2008-06-05 05:17:40 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-06 02:08:29 2,048 --s-a-w C:\WINDOWS\bootstat.dat
- 2004-08-04 19:00:00 294,400 -c--a-w C:\WINDOWS\system32\dllcache\msctf.dll
+ 2008-02-26 11:59:50 294,912 -c--a-w C:\WINDOWS\system32\dllcache\msctf.dll
- 2004-08-04 19:00:00 294,400 ----a-w C:\WINDOWS\system32\MSCTF.dll
+ 2008-02-26 11:59:50 294,912 ----a-w C:\WINDOWS\system32\msctf.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DAEMON Tools Lite"="C:\Program Files\DAEMON Tools Lite\daemon.exe" [2008-01-17 09:51 486856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 16:04 52736]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2004-08-03 18:43 118784]
"HPHUPD06"="c:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe" [2004-06-07 18:53 49152]
"HPHmon06"="C:\WINDOWS\system32\hphmon06.exe" [2004-06-07 18:42 659456]
"KBD"="C:\HP\KBD\KBD.EXE" [2003-02-11 20:02 61440]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2004-08-07 14:03 180269]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2004-04-14 20:43 233472]
"PS2"="C:\WINDOWS\system32\ps2.exe" [2002-10-16 16:57 81920]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-01-27 19:39 579072]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-11-05 10:25 219136]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-22 20:29 39264]

[HKLM\~\startupfolder\C:^Documents and Settings^HP_Owner^Start Menu^Programs^Startup^Xfire.lnk]
path=C:\Documents and Settings\HP_Owner\Start Menu\Programs\Startup\Xfire.lnk
backup=C:\WINDOWS\pss\Xfire.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Microsoft Games\\Halo Trial\\halo.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Azureus\\Azureus.exe"=
"C:\\Program Files\\Starcraft\\StarCraft.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\WINDOWS\\system32\\sessmgr.exe"=

S3 teamviewervpn;TeamViewer VPN Adapter;C:\WINDOWS\system32\DRIVERS\teamviewervpn.sys [2008-01-25 02:12]
S3 usbprint;Microsoft USB PRINTER Class;C:\WINDOWS\system32\DRIVERS\usbprint.sys [2004-08-04 00:01]

.
Contents of the 'Scheduled Tasks' folder
"2008-05-29 16:45:15 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-06-06 02:11:35 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-05 19:09:00
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
.
**************************************************************************
.
Completion time: 2008-06-05 19:14:37 - machine was rebooted
ComboFix-quarantined-files.txt 2008-06-06 02:14:24
ComboFix2.txt 2008-06-05 05:23:55

Pre-Run: 146,666,696,704 bytes free
Post-Run: 146,664,312,832 bytes free

182 --- E O F --- 2008-06-05 21:50:16
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:15:49 PM, on 6/5/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\PnkBstrA.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\hphmon06.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q404&bd=pavilion&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q404&bd=pavilion&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [HPHUPD06] c:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe
O4 - HKLM\..\Run: [HPHmon06] C:\WINDOWS\system32\hphmon06.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.srtest.com/srl_bin/sysreqlab3.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1194210932734
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab2.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1194210941875
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

--
End of file - 6459 bytes
 
Excellent, your logfiles appear to be clean.

I strongly recommend you update your AVG Antivirus to version 8.0 (you can download it from here), as AVG will not continue to provide critical updates to version 7.5.

As for knowing how to deal with these infections, it's a matter of training and experience. There are a number of online sites that will teach you how to do it, if you're interested, I've listed a number of them at http://www.computerforum.com/853855-post10.html.


Below I have included some ideas on how to prevent future infections.

Please consider using these ideas to help secure your computer. While there is no way to guarantee safety when you use a computer, these steps will make it much less likely that you will need to endure another infection. While we really like to help people, we would rather help you protect yourself so that you won't need that help in the future.

Please navigate to http://windowsupdate.microsoft.com and download all the Critical Updates for Windows. These will patch many of the security holes through which attackers can gain access to your computer.

Please either enable Automatic Updates under Start -> Control Panel -> Automatic Updates or get into the habit of checking Windows Update regularly. They usually have security updates every month. You can set Windows to notify you of Updates so that you can choose, but only do this if you believe you are able to understand which ones are needed. This is a crucial security measure.

As a minimum, you need at least an antivirus, firewall and some type of anti-spyware program.

Some good free firewalls are ZoneAlarm, Kerio, or Outpost. All of these will provide a far greater level of protection than the firewall built into Windows.
A tutorial on understanding and using firewalls may be found here.

I notice you are running Spybot, which is good. You might want to consider installing and running some of the following programs; they are either free or have free versions of commercial programs and will work alongside Spybot to protect you:

SpywareBlaster
A tutorial on using SpywareBlaster to prevent malware from ever installing on your computer may be found here.

SpywareGuard
A tutorial on using SpywareGuard for real-time protection against spyware and hijackers may be found here.

If you use Internet Explorer, it is a good idea to use IE-Spyad which provides protections against malicious websites.

Please keep these programs up-to-date and run them whenever you suspect a problem to prevent malware problems. A number of programs have resident protection and it is a good idea to run the resident protection of one of each type of program to maintain protection. However, it is important to run only one resident program of each type since they can conflict and become less effective. That means only one antivirus, firewall and scanning anti-spyware program at a time. Passive protectors, like SpywareBlaster and IE-Spyad can be run with any of them.

Note that there are a lot of rogue programs out there that want to scare you into giving them your money, and some malware actually claims to be a security program. If you get a popup for a security program that you did not install yourself, do NOT click on it, and ask for help immediately. It is very important to run an antivirus and firewall, but you can't always rely on reviews and ads for information. Ask in a security forum that you trust if you are not sure. If you are unsure or are looking for anti-spyware programs, you can find out if one is a rogue here:

http://www.spywarewarrior.com/rogue_anti-spyware.htm

Please consider using an alternate browser. Mozilla's Firefox browser is a very good alternative. In addition to being generally more secure than Internet Explorer, it has a very good built-in popup blocker, and add-ons like NoScript can make it even more secure. Opera is another good option.
If you are interested, Firefox may be downloaded from here
Opera is available here: http://www.opera.com/download/

Hopefully these steps will help to keep you error free. If you run into more difficulty, we will certainly do what we can to help. :)
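The HijackThis log earlier in this thread is line-oriented: each entry is a section code (O9, O16, O23, ...), a description, and then a CLSID, owner, URL or path separated by " - ". As an added example, not part of the original thread or of HijackThis itself, the Python below parses the O16 (ActiveX download) and O23 (service) entries and flags the ones a log reviewer would look at first: DPF controls hosted somewhere other than microsoft.com, services with "Unknown owner", and services running from a user-writable location. The sample lines are constructed to mirror the format of the log above (the "Example Helper" service and the Windows Update path are made up), and the allow-list and path heuristics are my own assumptions, not a verdict on any entry in the real log.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional
from urllib.parse import urlparse

# Constructed sample lines in HijackThis format. The first O16 URL path and the
# "Example Helper" service are invented for illustration; they are not from a real scan.
SAMPLE_LOG = r"""
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/example/wuweb_site.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab2.cab
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Example Helper (exhelper) - Unknown owner - C:\Documents and Settings\HP_Owner\Local Settings\Temp\exhelper.exe
"""

@dataclass
class Entry:
    section: str                 # "O16" or "O23"
    name: str                    # display name of the control or service
    detail: str                  # CLSID for O16, owner/publisher for O23
    location: str                # download URL for O16, executable path for O23
    flags: List[str] = field(default_factory=list)

O16_RE = re.compile(r"^O16 - DPF: (\{[0-9A-Fa-f-]+\}) \((.*?)\) - (\S+)$")
O23_PREFIX = "O23 - Service: "

# Assumption: only Microsoft-hosted ActiveX downloads are treated as expected.
TRUSTED_DPF_HOSTS = ("microsoft.com",)
# Assumption: a legitimate service should not run from temp or profile directories.
SUSPECT_PATH_FRAGMENTS = ("\\temp\\", "\\local settings\\", "\\documents and settings\\")

def parse_line(line: str) -> Optional[Entry]:
    """Parse one HijackThis line; return None for sections we don't handle."""
    line = line.rstrip()
    m = O16_RE.match(line)
    if m:
        clsid, name, url = m.groups()
        return Entry("O16", name, clsid, url)
    if line.startswith(O23_PREFIX):
        body = line[len(O23_PREFIX):]
        # Path is last and owner is second-to-last, so split from the right:
        # the display name itself may contain " - ".
        parts = body.rsplit(" - ", 2)
        if len(parts) == 3:
            name, owner, path = parts
            return Entry("O23", name, owner, path)
    return None

def flag(entry: Entry) -> Entry:
    """Attach review flags to an entry using the heuristics above."""
    if entry.section == "O16":
        host = urlparse(entry.location).hostname or ""
        if not any(host == h or host.endswith("." + h) for h in TRUSTED_DPF_HOSTS):
            entry.flags.append("third-party ActiveX download site")
    elif entry.section == "O23":
        if entry.detail == "Unknown owner":
            entry.flags.append("no publisher recorded")
        low = entry.location.lower()
        if any(frag in low for frag in SUSPECT_PATH_FRAGMENTS):
            entry.flags.append("service runs from a user-writable location")
    return entry

def review(log_text: str) -> List[Entry]:
    """Parse and flag every O16/O23 entry in a log."""
    entries = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    return [flag(e) for e in entries]

def flagged_names(log_text: str) -> List[str]:
    """Names of entries that picked up at least one flag, in log order."""
    return [e.name for e in review(log_text) if e.flags]

if __name__ == "__main__":
    for e in review(SAMPLE_LOG):
        mark = "!!" if e.flags else "  "
        print(f"{mark} {e.section} {e.name:<32} {e.location}")
        for f in e.flags:
            print(f"      - {f}")
```

Run against the sample, the System Requirements Lab control, PnkBstrA and the made-up temp-directory service come out flagged while the Microsoft update control and the AVG service do not. A flag is a prompt to check the file's publisher and hash, not proof of infection: PnkBstrA in the real log is a well-known anti-cheat component that simply lacks an owner string in this output.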
 