
Sopidkc, Virtumonde, PSW Online Gaming and various other trojan horses

Post by Whytecliffe(Mum) on Mon Jun 29, 2009 12:42 pm

Despite running AVG, Spybot, Adaware there appears to have been various Trojan horses somehow infecting my PC since last week. AVG seems to detect these trojans and apparently removes them but they keep coming back. There are various different viruses stored in AVG's vault and details can be supplied if required.

Also for some reason, at Windows boot up Spybot wants to run a scan even though the settings say that a scan should not be run at startup (no automation). This seems to have started at around the same time the trojans appeared. Windows Add/Remove Programs does not seem to work either.

Here is the HijackThis log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:22:00, on 29/06/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe
C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
C:\PROGRA~1\BTBROA~1\SMARTB~1\BTHelpNotifier.exe
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Samsung\Samsung Media Studio\SamsungMediaStudioAgent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\BT Broadband Help\bin\mpbtn.exe
C:\WINDOWS\system32\wiwow64.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\sopidkc.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\User\Desktop\Alex\Hijack(GP)This.exe
C:\WINDOWS\system32\wiawow32.sys

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Freeserve
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe icon
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\BTBROA~1\SMARTB~1\BTHelpNotifier.exe
O4 - HKLM\..\Run: [CanonSolutionMenu] C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe /logon
O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [YeppStudioAgent] C:\Program Files\Samsung\Samsung Media Studio\SamsungMediaStudioAgent.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\RunOnce: [Spybot - Search & Destroy] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKLM\..\RunOnce: [Uninstall Adobe Download Manager] "C:\Program Files\NOS\bin\getPlus_HelperSvc.exe" /UninstallGet1noarp
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [yahoo!] C:\WINDOWS\system32\rundll32.exe C:\DOCUME~1\User\LOCALS~1\Temp\11980622451don.dll,DllMain
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: BT Broadband Basic Help.lnk = C:\Program Files\BT Broadband Help\bin\matcli.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.wanadoo.co.uk/
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - [You must be registered and logged in to see this link.]
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - [You must be registered and logged in to see this link.]
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} (get_atlcom Class) - [You must be registered and logged in to see this link.]
O17 - HKLM\System\CCS\Services\Tcpip\..\{96E8319B-1E2F-42AB-9FE4-AA88781FDFF6}: NameServer = 194.72.9.38 62.6.40.162
O17 - HKLM\System\CS1\Services\Tcpip\..\{96E8319B-1E2F-42AB-9FE4-AA88781FDFF6}: NameServer = 194.72.9.38 62.6.40.162
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: ,C:\DOCUME~1\User\LOCALS~1\Temp\12062342459mxx.dll,C:\DOCUME~1\User\LOCALS~1\Temp\5453015246mxx.dll,C:\DOCUME~1\User\LOCALS~1\Temp\39364212431mxx.dll,C:\DOCUME~1\User\LOCALS~1\Temp\201796247mxx.dll,C:\DOCUME~1\User\LOCALS~1\Temp\1597812422mxx.dll,C:\DOCUME~1\User\LOCALS~1\Temp\39121712520mxx.dll,C:\DOCUME~1\User\LOCALS~1\Temp\2904212538mxx.dll,C:\DOCUME~1\User\LOCALS~1\Temp\1289372614mxx.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: getPlus(R) Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Inkjet Printer/Scanner Extended Survey Program (IJPLMSVC) - Unknown owner - C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: sopidkc Service (sopidkc) - Elecard Lt - C:\WINDOWS\system32\sopidkc.exe

--
End of file - 10344 bytes

Please can you help. Many thanks.


Post by Belahzur on Mon Jun 29, 2009 4:07 pm

Hello.

Please disable Ad-Watch, as it may hinder the removal of some HijackThis entries. You can re-enable it after your computer is clean. Please see here for instructions on how to disable it:

1. Right-click on the Ad-Watch icon in the system tray (located down by the system clock for most configurations)
2. Choose *Settings* from the dropdown menu
3. Under the *General Settings* tab turn OFF (red x) the option to "Load Ad-Watch at Startup" (if enabled)

4. Click on the *Status* button in the left hand menu
5. Turn OFF (red x) the option for *Regshield*
6. Close that window, then right-click on the Ad-Watch icon shield again down in the system tray next to the clock.
7. Choose *Turn off Ad-Watch* from the drop menu

I notice that you have Spybot's TeaTimer running. While this is normally a wonderful tool to protect against hijackers, it can also interfere with HijackThis fixes. So please disable TeaTimer by doing the following:
1) Run Spybot-S&D
2) Go to the Mode menu, and make sure "Advanced Mode" is selected
3) On the left hand side, choose Tools -> Resident
4) Uncheck "Resident TeaTimer" and OK any prompts
You can reenable TeaTimer once your system is clean.

Please make sure TeaTimer is disabled before we do this, otherwise this fix will fail.

  • Open HijackThis
  • Choose "Do a system scan only"
  • Check the boxes in front of these lines:


    O4 - HKCU\..\Run: [yahoo!] C:\WINDOWS\system32\rundll32.exe C:\DOCUME~1\User\LOCALS~1\Temp\11980622451don.dll,DllMain
    O20 - AppInit_DLLs: ,C:\DOCUME~1\User\LOCALS~1\Temp\12062342459mxx.dll,C:\DOCUME~1\User\LOCALS~1\Temp\5453015246mxx.dll,C:\DOCUME~1\User\LOCALS~1\Temp\39364212431mxx.dll,C:\DOCUME~1\User\LOCALS~1\Temp\201796247mxx.dll,C:\DOCUME~1\User\LOCALS~1\Temp\1597812422mxx.dll,C:\DOCUME~1\User\LOCALS~1\Temp\39121712520mxx.dll,C:\DOCUME~1\User\LOCALS~1\Temp\2904212538mxx.dll,C:\DOCUME~1\User\LOCALS~1\Temp\1289372614mxx.dll


  • Press "Fix Checked"
  • Close Hijack This.

Please download and run this tool.

Download Malwarebytes' Anti-Malware from [You must be registered and logged in to see this link.]

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.


Post the contents of the MBAM Log.



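The HijackThis fix list above targets three persistence tricks that recur in this log: a Run key that uses rundll32 to load a DLL out of the user's Temp directory, a populated AppInit_DLLs value (empty on a clean XP machine, and anything listed is loaded into every process that maps user32.dll), and a service whose binary was dropped straight into system32 under a non-Microsoft or unknown owner. The script below is an added example, not part of the original thread and not HijackThis code: it triages O4, O20 and O23 lines for those three red flags. The line-format assumptions (O23 as "display (name) - owner - path", O20 as a comma list) are taken from the posted log; the sample lines are copied from it, with the AppInit_DLLs entry abridged to two DLLs. The system32 heuristic deliberately errs toward review, so the legitimate NVIDIA service in this log is flagged alongside sopidkc.

```python
"""Triage helper for HijackThis-style log lines (added example, not HJT's own code)."""
import re
from typing import Dict, List

# Directories a legitimate autostart should not load code from. Patterns cover
# both the 8.3 (LOCALS~1) and long forms that HijackThis prints.
SUSPICIOUS_DIRS = [
    re.compile(r"\\locals~1\\temp\\", re.I),
    re.compile(r"\\local settings\\temp\\", re.I),
    re.compile(r"\\windows\\temp\\", re.I),
    re.compile(r"\\temporary internet files\\", re.I),
]

# "rundll32[.exe] <dll>,<export>" running a DLL from a Run key.
RUNDLL_RE = re.compile(r"rundll32(?:\.exe)?\s+(?P<dll>[^,]+\.dll)\s*,", re.I)

# "O23 - Service: <display name> [(<service name>)] - <owner> - <binary path>"
SERVICE_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?)(?: \((?P<name>[^)]+)\))? - (?P<owner>.+?) - (?P<path>.+)$",
    re.I,
)

# Binary directly under the system32 root, i.e. not in a vendor subdirectory.
SYSTEM32_ROOT_RE = re.compile(r"^[a-z]:\\windows\\system32\\[^\\]+$", re.I)


def in_suspicious_dir(path: str) -> bool:
    return any(p.search(path) for p in SUSPICIOUS_DIRS)


def triage_line(line: str) -> List[str]:
    """Return the reasons one HijackThis line deserves attention (empty if none)."""
    line = line.strip()
    reasons: List[str] = []

    if line.startswith("O20 - AppInit_DLLs:"):
        dlls = [d.strip() for d in line.split(":", 1)[1].split(",") if d.strip()]
        if dlls:
            reasons.append(f"AppInit_DLLs populated ({len(dlls)} DLLs)")
        if any(in_suspicious_dir(d) for d in dlls):
            reasons.append("AppInit_DLLs loads code from a Temp directory")

    elif line.startswith("O4 - "):
        m = RUNDLL_RE.search(line)
        if m and in_suspicious_dir(m.group("dll")):
            reasons.append("Run key uses rundll32 to load a DLL from a Temp directory")
        elif in_suspicious_dir(line):
            reasons.append("Run key starts something from a Temp directory")

    elif line.startswith("O23 - Service:"):
        m = SERVICE_RE.match(line)
        if m:
            owner, path = m.group("owner"), m.group("path")
            if owner.lower() == "unknown owner":
                reasons.append("service binary has no recognisable owner")
            if SYSTEM32_ROOT_RE.match(path) and "microsoft" not in owner.lower():
                reasons.append("non-Microsoft service binary sits directly in system32 (review)")

    return reasons


def triage_log(text: str) -> Dict[str, List[str]]:
    """Map each flagged log line to its reasons; clean lines are omitted."""
    return {ln: r for ln in text.splitlines() if (r := triage_line(ln))}


# Sample lines copied from the HijackThis log posted in this thread
# (the AppInit_DLLs entry is abridged to two of its eight DLLs).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [yahoo!] C:\WINDOWS\system32\rundll32.exe C:\DOCUME~1\User\LOCALS~1\Temp\11980622451don.dll,DllMain
O20 - AppInit_DLLs: ,C:\DOCUME~1\User\LOCALS~1\Temp\12062342459mxx.dll,C:\DOCUME~1\User\LOCALS~1\Temp\5453015246mxx.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Inkjet Printer/Scanner Extended Survey Program (IJPLMSVC) - Unknown owner - C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: sopidkc Service (sopidkc) - Elecard Lt - C:\WINDOWS\system32\sopidkc.exe
"""

if __name__ == "__main__":
    for ln, why in triage_log(SAMPLE_LOG).items():
        print(ln[:72] + ("..." if len(ln) > 72 else ""))
        for w in why:
            print("    ->", w)
```

Run against the full log this prints the two entries Belahzur asked to have fixed plus three O23 services to eyeball; the NvCplDaemon and Apple lines come through clean. A hit is a prompt for a human to check the file, not a verdict.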
Post by Whytecliffe(Mum) on Tue Jun 30, 2009 8:59 am

I've attached the log below as requested. FYI: After performing these, Spybot is still attempting to scan at boot up. Thanks again for your help.

Malwarebytes' Anti-Malware 1.38
Database version: 2353
Windows 5.1.2600 Service Pack 3

30/06/2009 09:54:38
mbam-log-2009-06-30 (09-54-38).txt

Scan type: Quick Scan
Objects scanned: 86390
Time elapsed: 5 minute(s), 8 second(s)

Memory Processes Infected: 2
Memory Modules Infected: 2
Registry Keys Infected: 8
Registry Values Infected: 11
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 28

Memory Processes Infected:
C:\WINDOWS\system32\sopidkc.exe (Backdoor.Bot) -> Unloaded process successfully.
C:\WINDOWS\system32\wiawow32.sys (Backdoor.Bot) -> Unloaded process successfully.

Memory Modules Infected:
C:\WINDOWS\system32\msncache.dll (Backdoor.Bot) -> Delete on reboot.
C:\WINDOWS\system32\tcpcon.dll (Trojan.Agent) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\msncache (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\msncache (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\msncache (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{b64f4a7c-97c9-11da-8bde-f66bad1e3f3a} (Rogue.WinAntiVirus) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\sopidkc (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sopidkc (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sopidkc (Backdoor.Bot) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\BuildW (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\FirstInstallFlag (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\guid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\i (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\mms (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\mso (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\udso (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\uid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Ulrn (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Update (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\UpdateNew (Malware.Trace) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\msncache.dll (Backdoor.Bot) -> Delete on reboot.
c:\WINDOWS\system32\tpsaxyd.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\documents and settings\User\local settings\Temp\2439372130.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\documents and settings\User\local settings\Temp\2883435510.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\documents and settings\User\local settings\Temp\291812330.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\documents and settings\User\local settings\Temp\3460463455.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\documents and settings\User\local settings\Temp\395515635.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\documents and settings\User\local settings\Temp\168343536.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\documents and settings\User\local settings\Temp\193203845.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\tmp0_11680518301.bk.old (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\tmp0_24609259868.bk.old (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\tmp0_707824712709.bk.old (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\tmp0_82634060017.bk.old (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\txpxr_205428634000.b1k (Backdoor.Bot) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\txpxr_294170596314.b1k (Backdoor.Bot) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\txpxr_836087814148.b1k (Backdoor.Bot) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\txpxr_87814164726.b1k (Backdoor.Bot) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\txpxr_91237715856.b1k (Backdoor.Bot) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\t4m0_500550587884.bk.old (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\txpxr_658471711828.b1k (Backdoor.Bot) -> Quarantined and deleted successfully.
c:\documents and settings\localservice\local settings\temporary internet files\Content.IE5\7ZR12L4W\w[1].bin (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\documents and settings\localservice\local settings\temporary internet files\Content.IE5\O789JBCM\w[1].bin (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\comsa32.sys (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\FInstall.sys (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\sopidkc.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\tpszxyd.sys (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\tcpcon.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\wiawow32.sys (Backdoor.Bot) -> Delete on reboot.


Post by Belahzur on Tue Jun 30, 2009 9:04 am

Hello.

Your computer has multiple infections, including a backdoor. A backdoor gives intruders complete control of your computer, logs your keystrokes, steals personal information, etc.

You are strongly advised to do the following:

  • Disconnect the computer from the Internet and from any networked computers until it is cleaned.
  • Back up all your important data except programs. The programs can be reinstalled back from the original disc or from the Net.
  • Call all your banks, financial institutions, credit card companies and inform them that you may be a victim of identity theft and put a watch on your accounts. If you don't mind the hassle, change all your account numbers.
  • From a clean computer, change all your passwords (ISP login password, your email address(es) passwords, financial accounts, PayPal, eBay, Amazon, online groups and forums and any other online activities you carry out which require a username and password).
Do NOT change your passwords from this computer as the attacker will be able to get all the new passwords and transaction records.

  • Please download DDS by sUBs to your Desktop (Important!!) from one of these locations:
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]
  • Double click DDS.scr to run.
  • When complete, two logs will open. Save both reports to your Desktop.
  • Copy and paste DDS.txt back here, I don't need to see attach.txt.



Post by Whytecliffe(Mum) on Tue Jun 30, 2009 6:28 pm

Hi there, sorry, haven't managed to do any of this yet. It's my Mum's PC that is infected and I have to drive over to her apartment to carry out each step.

Can you just let me know what DDS does before I do this, so I am prepared? Do I assume that it wipes the whole PC back to factory settings, hence the backup and referring to reinstalling programs, and also your comment about a "clean computer"?

I am having to buy something for her so that she can back up everything beforehand so this may take me a couple of days to perform this stage.

Thanks again


Post by Belahzur on Tue Jun 30, 2009 6:35 pm

No, DDS is just a scanner.
I ask that your personal things are backed up because the backdoor bots allow hackers to remotely control the machine.

See [You must be registered and logged in to see this link.] and [You must be registered and logged in to see this link.].

I also want you to back up your things because the damage done may interfere with our removal attempts should DDS find another infection we need to deal with, and this can also cause the OS to become corrupt and no longer work.



Post by Whytecliffe(Mum) on Thu Jul 02, 2009 6:39 pm

uWindow Title = Microsoft Internet Explorer provided by Freeserve
uSearch Bar = [You must be registered and logged in to see this link.]
uSearchAssistant = [You must be registered and logged in to see this link.]
uSearchURL,(Default) = [You must be registered and logged in to see this link.]
mSearchAssistant = [You must be registered and logged in to see this link.]
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: &Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [DSLSTATEXE] c:\program files\bt voyager 105 adsl modem\dslstat.exe icon
mRun: [DSLAGENTEXE] c:\program files\bt voyager 105 adsl modem\dslagent.exe
mRun: [Motive SmartBridge] c:\progra~1\btbroa~1\smartb~1\BTHelpNotifier.exe
mRun: [CanonSolutionMenu] c:\program files\canon\solutionmenu\CNSLMAIN.exe /logon
mRun: [CanonMyPrinter] c:\program files\canon\myprinter\BJMyPrt.exe /logon
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [YeppStudioAgent] c:\program files\samsung\samsung media studio\SamsungMediaStudioAgent.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\user\startm~1\programs\startup\seagat~1.lnk - c:\documents and settings\user\application data\leadertech\powerregister\Seagate 2GHJCC0N Product Registration.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\btbroa~1.lnk - c:\program files\bt broadband help\bin\matcli.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - {552781AF-37E4-4FEE-920A-CED9E648EADD} - c:\program files\common files\microsoft shared\encarta search bar\ENCSBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: Microsoft XML Parser for Java - [You must be registered and logged in to see this link.]
DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} - [You must be registered and logged in to see this link.]
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - [You must be registered and logged in to see this link.]
DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} - [You must be registered and logged in to see this link.]
DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - [You must be registered and logged in to see this link.]
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - [You must be registered and logged in to see this link.]
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - [You must be registered and logged in to see this link.]
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - [You must be registered and logged in to see this link.]
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - [You must be registered and logged in to see this link.]
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - [You must be registered and logged in to see this link.]
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - [You must be registered and logged in to see this link.]
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - [You must be registered and logged in to see this link.]
TCP: {96E8319B-1E2F-42AB-9FE4-AA88781FDFF6} = 194.72.9.38 62.6.40.162
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
AppInit_DLLs: c:\docume~1\user\locals~1\temp\12062342459mxx.dll,c:\docume~1\user\locals~1\temp\5453015246mxx.dll,c:\docume~1\user\locals~1\temp\39364212431mxx.dll,c:\docume~1\user\locals~1\temp\201796247mxx.dll,c:\docume~1\user\locals~1\temp\1597812422mxx.dll,c:\docume~1\user\locals~1\temp\39121712520mxx.dll,c:\docume~1\user\locals~1\temp\2904212538mxx.dll,c:\docume~1\user\locals~1\temp\1289372614mxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-6-7 64160]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-6-7 325896]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-6-7 27784]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-6-7 108552]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2009-6-7 908568]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-6-7 298776]
R2 Ias;Microsoft Device Manager;c:\windows\system32\svchost.exe -k netsvcs [2004-8-4 14336]
R2 toisfvet;poebunv sevcive;c:\windows\system32\svchost.exe -k toisfvet [2004-8-4 14336]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-3-9 1003344]

=============== Created Last 30 ================

2009-07-02 19:29 585,728 a------- c:\windows\system32\IPHACTION.dll
2009-06-30 09:59 131,072 a------- c:\windows\system32\tcpcon.dll
2009-06-30 09:48 --d----- c:\docume~1\user\applic~1\Malwarebytes
2009-06-30 09:48 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-30 09:48 --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-06-30 09:48 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-06-30 09:48 --d----- c:\program files\Malwarebytes' Anti-Malware
2009-06-29 12:49 --d----- c:\documents and settings\user\.SunDownloadManager
2009-06-26 18:57 --d----- c:\docume~1\alluse~1\applic~1\SITEguard
2009-06-26 18:52 --d----- c:\program files\common files\iS3
2009-06-26 18:52 --d----- c:\docume~1\alluse~1\applic~1\STOPzilla!
2009-06-26 18:35 3 a------- c:\windows\system32\bversion.dll
2009-06-26 17:55 --d----- c:\windows\pss
2009-06-24 09:27 3 a------- c:\windows\system32bversion.dll
2009-06-24 09:26 94,208 a------- c:\windows\system32\TRSOCR.dll
2009-06-24 09:26 95 a------- c:\windows\system32\TRSOCR.ini
2009-06-24 09:11 --d-h--- C:\$AVG8.VAULT$
2009-06-24 09:09 14,876,672 a------- c:\windows\system32\TRSOCR.dat
2009-06-24 09:09 3 a------- c:\windows\system32\fhpatch.dll
2009-06-24 09:09 0 a------- c:\windows\system32\fiplock.dll
2009-06-24 09:09 0 a------- c:\windows\system32\IpSvchostF.dll
2009-06-24 09:08 6 a------- c:\windows\system32\iphy.dll
2009-06-24 09:07 0 a------- C:\11.ini
2009-06-14 11:54 15,688 a------- c:\windows\system32\lsdelete.exe
2009-06-11 07:38 246,272 -c------ c:\windows\system32\dllcache\ieproxy.dll
2009-06-11 07:38 12,800 -c------ c:\windows\system32\dllcache\xpshims.dll
2009-06-08 09:55 26 a------- c:\windows\Zone.Identifier
2009-06-07 20:40 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-06-07 20:40 108,552 a------- c:\windows\system32\drivers\avgtdix.sys
2009-06-07 20:40 325,896 a------- c:\windows\system32\drivers\avgldx86.sys
2009-06-07 20:40 --d----- c:\windows\system32\drivers\Avg
2009-06-07 20:39 --d----- c:\program files\AVG
2009-06-07 20:39 --d----- c:\docume~1\alluse~1\applic~1\avg8
2009-06-07 20:39 --d----- c:\docume~1\user\applic~1\Windows Search
2009-06-07 20:06 1,089,593 -c------ c:\windows\system32\dllcache\ntprint.cat
2009-06-07 19:57 --dsh--- c:\documents and settings\user\IECompatCache
2009-06-07 19:55 --dsh--- c:\documents and settings\user\PrivacIE
2009-06-07 19:41 --dsh--- c:\documents and settings\user\IETldCache
2009-06-07 19:28 --d----- c:\windows\system32\XPSViewer
2009-06-07 19:26 597,504 -c------ c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-06-07 19:26 89,088 -c------ c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-06-07 19:26 117,760 -------- c:\windows\system32\prntvpt.dll
2009-06-07 19:26 575,488 -c------ c:\windows\system32\dllcache\xpsshhdr.dll
2009-06-07 19:26 575,488 -------- c:\windows\system32\xpsshhdr.dll
2009-06-07 19:26 1,676,288 -c------ c:\windows\system32\dllcache\xpssvcs.dll
2009-06-07 19:26 1,676,288 -------- c:\windows\system32\xpssvcs.dll
2009-06-07 19:26 --d----- C:\545f3a774d7f795115059afa15
2009-06-07 19:26 --d----- c:\windows\SxsCaPendDel
2009-06-07 19:15 --d----- c:\windows\ie8updates
2009-06-07 19:15 102,912 -c------ c:\windows\system32\dllcache\iecompat.dll
2009-06-07 19:10 -cd-h--- c:\windows\ie8
2009-06-07 19:02 64,160 a------- c:\windows\system32\drivers\Lbd.sys
2009-06-07 18:58 --d----- c:\docume~1\user\applic~1\Windows Desktop Search
2009-06-07 18:56 --d----- c:\windows\system32\GroupPolicy
2009-06-07 18:56 --d----- c:\program files\Windows Desktop Search
2009-06-07 18:54 -cd-h--- c:\docume~1\alluse~1\applic~1\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-06-07 18:53 --d----- c:\program files\Lavasoft
2009-06-07 18:52 192,000 -c------ c:\windows\system32\dllcache\offfilt.dll
2009-06-07 18:52 98,304 -c------ c:\windows\system32\dllcache\nlhtml.dll
2009-06-07 18:52 29,696 -c------ c:\windows\system32\dllcache\mimefilt.dll
2009-06-07 18:50 55,296 ac------ c:\windows\system32\dllcache\msfeedsbs.dll
2009-06-07 18:50 594,432 ac------ c:\windows\system32\dllcache\msfeeds.dll
2009-06-07 18:50 1,985,024 ac------ c:\windows\system32\dllcache\iertutil.dll
2009-06-07 18:50 13,824 -c------ c:\windows\system32\dllcache\ieudinit.exe
2009-06-07 18:50 1,241,088 ac------ c:\windows\system32\dllcache\ieframe.dll.mui
2009-06-07 18:50 11,064,832 ac------ c:\windows\system32\dllcache\ieframe.dll
2009-06-07 18:50 445,952 ac------ c:\windows\system32\dllcache\ieapfltr.dll
2009-06-07 18:50 3,698,584 ac------ c:\windows\system32\dllcache\ieapfltr.dat
2009-06-07 18:50 59,904 ac------ c:\windows\system32\dllcache\icardie.dll
2009-06-07 18:24 --d----- c:\program files\Spybot - Search & Destroy
2009-06-07 18:24 --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-06-07 18:20 --d----- c:\program files\Windows Media Connect 2
2009-06-07 18:18 8,704 ac------ c:\windows\system32\dllcache\kbdjpn.dll
2009-06-07 18:18 8,192 ac------ c:\windows\system32\dllcache\kbdkor.dll
2009-06-07 18:18 6,144 ac------ c:\windows\system32\dllcache\kbd101c.dll
2009-06-07 18:18 5,632 ac------ c:\windows\system32\dllcache\kbd103.dll
2009-06-07 18:18 8,704 a------- c:\windows\system32\kbdjpn.dll
2009-06-07 18:18 8,192 a------- c:\windows\system32\kbdkor.dll
2009-06-07 18:18 6,144 a------- c:\windows\system32\kbd101c.dll
2009-06-07 18:18 5,632 a------- c:\windows\system32\kbd103.dll
2009-06-07 18:17 6,144 ac------ c:\windows\system32\dllcache\kbd101b.dll
2009-06-07 18:17 6,144 a------- c:\windows\system32\kbd101b.dll
2009-06-07 18:17 6,144 ac------ c:\windows\system32\dllcache\kbd106.dll
2009-06-07 18:17 6,144 a------- c:\windows\system32\kbd106.dll
2009-06-07 18:16 --d----- c:\windows\system32\LogFiles
2009-06-07 18:12 --d----- c:\windows\system32\URTTEMP
2009-06-07 17:51 --d----- c:\program files\CCleaner
2009-06-07 17:45 221,184 a------- c:\windows\system32\wmpns.dll
2009-06-07 17:29 --d----- c:\windows\system32\scripting
2009-06-07 17:29 --d----- c:\windows\l2schemas
2009-06-07 17:29 --d----- c:\windows\system32\en
2009-06-07 17:29 --d----- c:\windows\system32\bits
2009-06-07 17:26 --d----- c:\windows\ServicePackFiles
2009-06-07 16:47 410,984 a------- c:\windows\system32\deploytk.dll

==================== Find3M ====================

2009-07-02 18:50 4,224 a------- c:\windows\system32\drivers\beep.sys
2009-06-24 09:20 46,566 a------- c:\docume~1\user\applic~1\wklnhst.dat
2009-06-09 10:36 62,624 a------- c:\docume~1\user\applic~1\GDIPFONTCACHEV1.DAT
2009-06-07 18:09 2,944 a---h--t c:\windows\system32\muIO.sys
2009-06-07 17:32 76,487 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-05-25 00:24 350,208 a------- c:\windows\system32\mssph.dll
2009-05-13 06:15 915,456 a------- c:\windows\system32\wininet.dll
2009-05-12 15:12 26,144 a------- c:\windows\system32\spupdsvc.exe
2009-05-07 16:32 345,600 a------- c:\windows\system32\localspl.dll
2009-04-17 13:26 1,847,168 a------- c:\windows\system32\win32k.sys
2009-04-15 15:51 585,216 a------- c:\windows\system32\rpcrt4.dll
2007-02-05 14:54 557,056 a------- c:\documents and settings\user\GoToAssist_phone__319_en.exe

============= FINISH: 19:37:55.73 ===============

Re: Sopidkc, Virtumonde, PSW Online Gaming and various other tro

Post by Belahzur on Thu Jul 02, 2009 6:41 pm

Hello.

  • Download combofix from here
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]

    1. If you are using Firefox, make sure that your download settings are as follows:

    * Tools->Options->Main tab
    * Set to "Always ask me where to Save the files".

    2. During the download, rename Combofix to Combo-Fix as follows:

    3. It is important you rename Combofix during the download, but not after.
    4. Please do not rename Combofix to other names, but only to the one indicated.
    5. Close any open browsers.
    6. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

  • We need to disable your local AV (Anti-virus) before running Combofix.
  • See [You must be registered and logged in to see this link.] for how to disable your AV. (AVG8)
  • Double click on ComboFix.exe.
  • Follow the prompts. NOTE:
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.

  • The Recovery Console provides a recovery/repair mode should a problem occur during a Combofix run.

  • Allow ComboFix to download the Recovery Console.
  • Accept the End-User License Agreement.
  • The Recovery Console will be installed.
  • You will then get this next prompt that asks if you want to continue the malware scan, select yes.

  • Allow combofix to run
  • Post C:\combofix.txt back here.

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Re: Sopidkc, Virtumonde, PSW Online Gaming and various other tro

Post by Whytecliffe(Mum) on Fri Jul 03, 2009 2:35 pm

ComboFix 09-07-02.02 - User 03/07/2009 15:22.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.2047.1530 [GMT 1:00]
Running from: c:\documents and settings\User\Desktop\Alex\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Install.txt
c:\windows\Installer\19376.msi
c:\windows\Installer\1a8c47.msi
c:\windows\Installer\1a8c4d.msi
c:\windows\Installer\1a8c53.msi
c:\windows\system32\bversion.dll
c:\windows\system32\fhpatch.dll
c:\windows\system32\fiplock.dll
c:\windows\system32\Iasex.dll
c:\windows\system32\IPHACTION.dll
c:\windows\system32\iphy.dll
c:\windows\system32\IpSvchostF.dll
c:\windows\system32\tcpcon.dll
c:\windows\system32bversion.dll

Infected copy of c:\windows\system32\winlogon.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\winlogon.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_IAS
-------\Legacy_MSNCACHE
-------\Legacy_SOPIDKC
-------\Service_Ias


((((((((((((((((((((((((( Files Created from 2009-06-03 to 2009-07-03 )))))))))))))))))))))))))))))))
.

2009-07-03 14:16 . 2009-06-07 19:40 1439488 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgupd.dll
2009-07-03 14:16 . 2009-06-07 19:40 1085208 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgupd.exe
2009-07-03 14:16 . 2009-06-07 19:40 755992 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avginet.dll
2009-07-03 14:16 . 2009-06-07 19:40 587032 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgiproxy.exe
2009-07-02 18:34 . 2009-01-16 07:19 1731736 ----a-w- c:\documents and settings\User\Application Data\Leadertech\PowerRegister\Seagate 2GHJCC0N Product Registration.exe
2009-07-02 18:34 . 2009-07-02 18:34 -------- d-----w- c:\documents and settings\User\Application Data\Leadertech
2009-06-30 08:48 . 2009-06-30 08:48 -------- d-----w- c:\documents and settings\User\Application Data\Malwarebytes
2009-06-30 08:48 . 2009-06-17 10:27 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-30 08:48 . 2009-06-30 08:48 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-06-30 08:48 . 2009-06-30 08:48 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-30 08:48 . 2009-06-17 10:27 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-06-29 12:15 . 2009-02-12 09:35 38208 ----a-w- c:\documents and settings\User\Application Data\Macromedia\Flash Player\[You must be registered and logged in to see this link.]
2009-06-29 12:15 . 2009-06-29 12:15 -------- d-----w- c:\program files\Common Files\Adobe AIR
2009-06-29 12:13 . 2009-06-29 12:13 86016 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe
2009-06-29 12:12 . 2009-06-30 08:56 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-06-29 12:12 . 2009-06-30 08:36 -------- d-----w- c:\program files\NOS
2009-06-29 11:49 . 2009-06-29 12:05 -------- d-----w- c:\documents and settings\User\.SunDownloadManager
2009-06-26 17:57 . 2009-06-26 17:57 -------- d-----w- c:\documents and settings\All Users\Application Data\SITEguard
2009-06-26 17:52 . 2009-06-26 17:52 -------- d-----w- c:\program files\Common Files\iS3
2009-06-26 17:52 . 2009-06-26 18:14 -------- d-----w- c:\documents and settings\All Users\Application Data\STOPzilla!
2009-06-24 08:26 . 2009-06-30 08:50 94208 ----a-w- c:\windows\system32\TRSOCR.dll
2009-06-24 08:11 . 2009-06-30 08:44 -------- d--h--w- C:\$AVG8.VAULT$
2009-06-24 08:09 . 2009-07-03 14:20 6198960 ----a-w- c:\windows\system32\TRSOCR.dat
2009-06-14 10:55 . 2009-06-14 10:55 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-06-14 10:54 . 2009-06-07 18:00 15688 ----a-w- c:\windows\system32\lsdelete.exe
2009-06-13 08:29 . 2009-06-13 08:29 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2009-06-11 06:38 . 2009-04-30 21:22 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2009-06-11 06:38 . 2009-04-30 21:22 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2009-06-08 08:56 . 2009-06-08 08:57 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
2009-06-07 19:50 . 2009-06-07 19:51 -------- d-----w- c:\documents and settings\User\Local Settings\Application Data\ApplicationHistory
2009-06-07 19:40 . 2009-07-03 14:19 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-06-07 19:40 . 2009-06-07 19:40 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-06-07 19:40 . 2009-07-03 14:19 327688 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-06-07 19:40 . 2009-07-03 14:19 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-06-07 19:40 . 2009-07-03 14:20 -------- d-----w- c:\windows\system32\drivers\Avg
2009-06-07 19:39 . 2009-06-07 19:39 -------- d-----w- c:\program files\AVG
2009-06-07 19:39 . 2009-06-26 17:21 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-06-07 19:39 . 2009-06-07 19:39 -------- d-----w- c:\documents and settings\User\Application Data\Windows Search
2009-06-07 18:57 . 2009-06-07 18:57 -------- d-sh--w- c:\documents and settings\User\IECompatCache
2009-06-07 18:55 . 2009-06-07 18:55 -------- d-sh--w- c:\documents and settings\User\PrivacIE
2009-06-07 18:44 . 2009-06-07 18:44 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2009-06-07 18:41 . 2009-06-07 18:41 -------- d-sh--w- c:\documents and settings\User\IETldCache
2009-06-07 18:28 . 2009-06-07 18:28 -------- d-----w- c:\windows\system32\XPSViewer
2009-06-07 18:28 . 2009-06-07 18:28 -------- d-----w- c:\program files\MSBuild
2009-06-07 18:28 . 2009-06-07 18:28 -------- d-----w- c:\program files\Reference Assemblies
2009-06-07 18:26 . 2008-07-06 12:06 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-06-07 18:26 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll
2009-06-07 18:26 . 2008-07-06 10:50 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-06-07 18:26 . 2008-07-06 12:06 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll
2009-06-07 18:26 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
2009-06-07 18:26 . 2008-07-06 12:06 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll
2009-06-07 18:26 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll
2009-06-07 18:26 . 2009-06-07 18:28 -------- d-----w- C:\545f3a774d7f795115059afa15
2009-06-07 18:26 . 2009-06-07 18:40 -------- d-----w- c:\windows\SxsCaPendDel
2009-06-07 18:15 . 2009-06-26 17:35 -------- d-----w- c:\windows\ie8updates
2009-06-07 18:15 . 2009-06-02 10:12 102912 -c----w- c:\windows\system32\dllcache\iecompat.dll
2009-06-07 18:10 . 2009-06-07 18:14 -------- dc-h--w- c:\windows\ie8
2009-06-07 18:02 . 2009-06-07 18:00 64160 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-06-07 18:00 . 2009-06-07 18:00 15688 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lsdelete.exe
2009-06-07 18:00 . 2009-06-07 18:00 83808 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\ShellExt.dll
2009-06-07 18:00 . 2009-06-07 18:00 212848 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\RPAPI.dll
2009-06-07 18:00 . 2009-06-07 18:00 40288 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\PrivacyClean.dll
2009-06-07 18:00 . 2009-06-07 18:00 64160 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Drivers\32\lbd.sys
2009-06-07 17:58 . 2009-06-07 17:58 -------- d-----w- c:\documents and settings\User\Application Data\Windows Desktop Search
2009-06-07 17:56 . 2009-06-11 07:04 -------- d-----w- c:\program files\Windows Desktop Search
2009-06-07 17:56 . 2009-06-07 17:56 -------- d-----w- c:\windows\system32\GroupPolicy
2009-06-07 17:54 . 2009-06-07 17:54 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-06-07 17:54 . 2009-03-12 08:17 2902048 -c--a-w- c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}\Ad-AwareAE.exe
2009-06-07 17:53 . 2009-06-07 18:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-06-07 17:53 . 2009-06-07 17:53 -------- d-----w- c:\program files\Lavasoft
2009-06-07 17:52 . 2008-03-07 17:02 98304 -c----w- c:\windows\system32\dllcache\nlhtml.dll
2009-06-07 17:52 . 2008-03-07 17:02 29696 -c----w- c:\windows\system32\dllcache\mimefilt.dll
2009-06-07 17:52 . 2008-03-07 17:02 192000 -c----w- c:\windows\system32\dllcache\offfilt.dll
2009-06-07 17:50 . 2009-03-08 03:31 55296 -c--a-w- c:\windows\system32\dllcache\msfeedsbs.dll
2009-06-07 17:50 . 2009-03-08 03:32 594432 -c--a-w- c:\windows\system32\dllcache\msfeeds.dll
2009-06-07 17:50 . 2009-04-30 21:22 1985024 -c--a-w- c:\windows\system32\dllcache\iertutil.dll
2009-06-07 17:50 . 2009-02-20 10:20 13824 -c----w- c:\windows\system32\dllcache\ieudinit.exe
2009-06-07 17:50 . 2009-04-30 21:22 11064832 -c--a-w- c:\windows\system32\dllcache\ieframe.dll
2009-06-07 17:50 . 2009-03-08 03:11 445952 -c--a-w- c:\windows\system32\dllcache\ieapfltr.dll
2009-06-07 17:50 . 2009-03-08 03:31 59904 -c--a-w- c:\windows\system32\dllcache\icardie.dll
2009-06-07 17:50 . 2009-02-06 20:07 3698584 -c--a-w- c:\windows\system32\dllcache\ieapfltr.dat
2009-06-07 17:24 . 2009-06-26 17:39 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-06-07 17:24 . 2009-06-26 17:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-06-07 17:20 . 2009-06-07 17:20 -------- d-----w- c:\program files\Windows Media Connect 2
2009-06-07 17:18 . 2001-08-17 21:36 8704 -c--a-w- c:\windows\system32\dllcache\kbdjpn.dll
2009-06-07 17:16 . 2009-06-07 17:16 -------- d-----w- c:\windows\system32\LogFiles
2009-06-07 17:12 . 2009-06-07 17:12 -------- d-----w- c:\windows\system32\URTTEMP
2009-06-07 16:51 . 2009-06-07 16:51 -------- d-----w- c:\program files\CCleaner
2009-06-07 16:45 . 2004-08-04 12:00 221184 ----a-w- c:\windows\system32\wmpns.dll
2009-06-07 16:29 . 2009-06-07 16:29 -------- d-----w- c:\windows\system32\scripting
2009-06-07 16:29 . 2009-06-07 16:29 -------- d-----w- c:\windows\l2schemas
2009-06-07 16:29 . 2009-06-07 16:29 -------- d-----w- c:\windows\system32\en
2009-06-07 16:29 . 2009-06-07 16:29 -------- d-----w- c:\windows\system32\bits
2009-06-07 16:26 . 2009-06-07 16:29 -------- d-----w- c:\windows\ServicePackFiles
2009-06-07 15:47 . 2009-06-29 12:09 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-06-07 15:40 . 2009-06-07 15:40 152576 ----a-w- c:\documents and settings\User\Application Data\Sun\Java\jre1.6.0_13\lzma.dll

Re: Sopidkc, Virtumonde, PSW Online Gaming and various other tro

Post by Whytecliffe(Mum) on Fri Jul 03, 2009 2:37 pm

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-03 14:14 . 2004-08-04 12:00 4224 ----a-w- c:\windows\system32\drivers\beep.sys
2009-07-02 18:48 . 2005-07-30 09:07 46342 ----a-w- c:\documents and settings\User\Application Data\wklnhst.dat
2009-07-02 18:46 . 2009-02-25 12:34 -------- d-----w- c:\documents and settings\All Users\Application Data\CanonIJPLM
2009-06-29 12:19 . 2005-08-15 17:48 -------- d-----w- c:\program files\Common Files\Adobe
2009-06-29 12:10 . 2006-12-11 15:21 -------- d-----w- c:\program files\Java
2009-06-26 17:17 . 2005-07-30 17:14 62624 ----a-w- c:\documents and settings\User\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-06-07 19:40 . 2009-07-03 14:20 11952 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgrsstx.dll
2009-06-07 19:39 . 2009-07-03 14:20 908568 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgemc.exe
2009-06-07 19:37 . 2006-07-30 09:29 -------- d-----w- c:\program files\Google
2009-06-07 19:37 . 2005-08-16 18:28 -------- d-----w- c:\program files\Yahoo!
2009-06-07 19:36 . 2005-07-28 15:01 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-06-07 19:27 . 2005-07-28 15:01 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2009-06-07 17:09 . 2009-05-20 17:29 2944 ---hatw- c:\windows\system32\muIO.sys
2009-06-07 16:32 . 2005-07-28 14:14 76487 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-05-31 07:45 . 2009-05-31 07:45 390664 ----a-w- c:\documents and settings\User\Application Data\Real\RealPlayer\Update\RealPlayer11.exe
2009-05-24 23:24 . 2008-05-26 21:18 350208 ----a-w- c:\windows\system32\mssph.dll
2009-05-14 13:23 . 2009-03-01 09:06 -------- d-----w- c:\documents and settings\All Users\Application Data\CanonIJ
2009-05-13 05:15 . 2004-08-04 12:00 915456 ----a-w- c:\windows\system32\wininet.dll
2009-05-12 14:12 . 2005-07-29 09:24 26144 ----a-w- c:\windows\system32\spupdsvc.exe
2009-05-07 15:32 . 2004-08-04 12:00 345600 ----a-w- c:\windows\system32\localspl.dll
2009-04-17 12:26 . 2004-08-04 12:00 1847168 ----a-w- c:\windows\system32\win32k.sys
2009-04-15 14:51 . 2004-08-04 12:00 585216 ----a-w- c:\windows\system32\rpcrt4.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2004-09-30 4603904]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2004-09-30 86016]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2003-10-31 32768]
"DSLSTATEXE"="c:\program files\BT Voyager 105 ADSL Modem\dslstat.exe" [2003-06-28 1658965]
"DSLAGENTEXE"="c:\program files\BT Voyager 105 ADSL Modem\dslagent.exe" [2003-08-19 16384]
"Motive SmartBridge"="c:\progra~1\BTBROA~1\SMARTB~1\BTHelpNotifier.exe" [2004-12-09 421888]
"CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2008-03-10 689488]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2008-03-17 1848648]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-01-06 290088]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-06-21 518488]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-07-03 1948440]
"YeppStudioAgent"="c:\program files\Samsung\Samsung Media Studio\SamsungMediaStudioAgent.exe" [2005-09-12 40960]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-06-29 148888]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"SoundMan"="SOUNDMAN.EXE" - c:\windows\SOUNDMAN.EXE [2004-11-15 77824]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2004-09-30 921600]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\User\Start Menu\Programs\Startup\
Seagate 2GHJCC0N Product Registration.lnk - c:\documents and settings\User\Application Data\Leadertech\PowerRegister\Seagate 2GHJCC0N Product Registration.exe [2009-7-2 1731736]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
BT Broadband Basic Help.lnk - c:\program files\BT Broadband Help\bin\matcli.exe [2005-8-5 217088]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-24 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-07-03 14:19 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [07/06/2009 19:02 64160]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [07/06/2009 20:40 327688]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [07/06/2009 20:40 108552]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [07/06/2009 20:39 906520]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [07/06/2009 20:39 298776]
R2 toisfvet;poebunv sevcive;c:\windows\system32\svchost.exe -k toisfvet [04/08/2004 13:00 14336]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [09/03/2009 20:06 1003344]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
toisfvet REG_MULTI_SZ toisfvet

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-06-14 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 09:06]

2009-06-27 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2009-06-26 c:\windows\Tasks\Spybot - Search & Destroy - Scheduled Task.job
- c:\program files\Spybot - Search & Destroy\SpybotSD.exe [2009-06-26 14:31]

2009-06-26 c:\windows\Tasks\Spybot - Search & Destroy Updater - Scheduled Task.job
- c:\program files\Spybot - Search & Destroy\SDUpdate.exe [2009-06-26 14:31]

2009-07-03 c:\windows\Tasks\User_Feed_Synchronization-{E0B6E363-8C63-48F9-BB48-B1AD20993E7C}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 03:31]
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
uSearchURL,(Default) = [You must be registered and logged in to see this link.]
TCP: {96E8319B-1E2F-42AB-9FE4-AA88781FDFF6} = 194.72.9.38 62.6.40.162
DPF: Microsoft XML Parser for Java - [You must be registered and logged in to see this link.]
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - [You must be registered and logged in to see this link.]
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2009-07-03 15:27
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3532)
c:\windows\system32\WININET.dll
c:\progra~1\BTBROA~1\SMARTB~1\SBHook.dll
c:\program files\Windows Desktop Search\deskbar.dll
c:\program files\Windows Desktop Search\en-us\dbres.dll.mui
c:\program files\Windows Desktop Search\dbres.dll
c:\program files\Windows Desktop Search\wordwheel.dll
c:\program files\Windows Desktop Search\en-us\msnlExtRes.dll.mui
c:\program files\Windows Desktop Search\msnlExtRes.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Canon\IJPLM\ijplmsvc.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\searchindexer.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\windows\system32\wscntfy.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\windows\system32\rundll32.exe
c:\program files\BT Broadband Help\bin\mpbtn.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-07-03 15:32 - machine was rebooted
ComboFix-quarantined-files.txt 2009-07-03 14:32

Pre-Run: 64,406,282,240 bytes free
Post-Run: 64,391,794,688 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

299 --- E O F --- 2009-06-24 11:45



Post by Belahzur on Fri Jul 03, 2009 3:40 pm

Hello.
Nearly done now, one more round.

Now open a new notepad file.
Input this into the notepad file:

Driver::
toisfvet

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
"toisfvet"=-

Save this as CFScript.txt, save it to your desktop also.
Then drag and drop CFScript.txt into combofix as seen below:


This will open combofix again, agree to its terms and allow it to run.
It may want to reboot after it's done. (It will warn you if it wants to)
Post the resulting log back here.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


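The CFScript above removes a driver/service called toisfvet and the value of the same name under HKLM\...\Windows NT\CurrentVersion\Svchost, which is the key that tells svchost.exe which services each host group loads. The audit below is an added example and is not part of this thread, of ComboFix or of any of the helpers' tools; it assumes Windows PowerShell 2.0 or later in an elevated prompt, is read-only, and uses a function name (Test-SvchostGroups) and a set of checks chosen here, not anything the thread specifies. It walks every svchost group and reports group members whose service key is missing, whose ServiceDll is absent or not on disk, whose DLL lives outside %SystemRoot%, or that form a single-member group named after themselves, which is the shape the toisfvet entry in the script above has.

```powershell
# Added example (not from the thread): read-only audit of svchost service groups.
# Assumes Windows PowerShell 2.0+ running elevated; nothing is modified.
# Group and service names are read from the live registry of the machine it runs on.

$svchostKey  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost'
$servicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$systemRoot  = $env:SystemRoot

function Expand-ServicePath {
    # ImagePath / ServiceDll values may carry %SystemRoot%, quotes and arguments.
    param([string]$raw)
    if (-not $raw) { return $null }
    $expanded = [Environment]::ExpandEnvironmentVariables($raw)
    if ($expanded.StartsWith('"')) {
        return $expanded.Split('"')[1]          # quoted path: take what is inside the quotes
    }
    return ($expanded -split ' -k ')[0].Trim()   # drop "-k <group>" arguments
}

function Test-SvchostGroups {
    # Returns one line per finding; an empty result means no anomaly was seen.
    $findings = @()
    $groups = Get-Item -Path $svchostKey        # .Property lists the group names
    foreach ($group in $groups.Property) {
        $members = @($groups.GetValue($group))  # REG_MULTI_SZ: service names in this group
        foreach ($svc in $members) {
            $svcKey = Join-Path $servicesKey $svc
            if (-not (Test-Path $svcKey)) {
                $findings += "[$group] $svc : listed in group but no service key"
                continue
            }
            $props = Get-ItemProperty -Path $svcKey
            $image = Expand-ServicePath $props.ImagePath
            $dll   = $null
            $paramKey = Join-Path $svcKey 'Parameters'
            if (Test-Path $paramKey) {
                $dll = Expand-ServicePath (Get-ItemProperty -Path $paramKey).ServiceDll
            }
            # 1. A svchost-hosted service must name the DLL that svchost loads for it.
            if (-not $dll) {
                $findings += "[$group] $svc : no ServiceDll (image: $image)"
                continue
            }
            # 2. That DLL should exist on disk ...
            if (-not (Test-Path $dll)) {
                $findings += "[$group] $svc : ServiceDll missing on disk: $dll"
                continue
            }
            # 3. ... and normally lives under %SystemRoot%; anything else is worth a look.
            if (-not $dll.StartsWith($systemRoot, [StringComparison]::OrdinalIgnoreCase)) {
                $findings += "[$group] $svc : ServiceDll outside SystemRoot: $dll"
            }
            # 4. Heuristic: a one-member group named after its service is how the
            #    toisfvet entry removed by the CFScript above was wired in.
            if ($members.Count -eq 1 -and $group -ieq $svc) {
                $findings += "[$group] $svc : single-member group named after its service"
            }
        }
    }
    return $findings
}

Test-SvchostGroups | ForEach-Object { Write-Output $_ }
```

Checks 1 to 3 are the ones worth acting on: a group member with no service key, or a ServiceDll that is missing or sits outside %SystemRoot%, is either leftover damage or a loader for something that should not be there. Check 4 is a triage hint only; Windows itself ships a few legitimate single-member groups whose name matches the service (rpcss and Dnscache on XP are two), so treat a hit there as a prompt to look at the DLL, not as a verdict.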


Post by Whytecliffe(Mum) on Sat Jul 04, 2009 11:59 am

ComboFix 09-07-02.02 - User 04/07/2009 12:45.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.2047.1570 [GMT 1:00]
Running from: c:\documents and settings\User\Desktop\Alex\ComboFix.exe
Command switches used :: c:\documents and settings\User\Desktop\Alex\cfscript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_TOISFVET
-------\Service_toisfvet


((((((((((((((((((((((((( Files Created from 2009-06-04 to 2009-07-04 )))))))))))))))))))))))))))))))
.

2009-07-03 14:16 . 2009-06-07 19:40 1439488 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgupd.dll
2009-07-03 14:16 . 2009-06-07 19:40 1085208 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgupd.exe
2009-07-03 14:16 . 2009-06-07 19:40 755992 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avginet.dll
2009-07-03 14:16 . 2009-06-07 19:40 587032 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgiproxy.exe
2009-07-02 18:34 . 2009-01-16 07:19 1731736 ----a-w- c:\documents and settings\User\Application Data\Leadertech\PowerRegister\Seagate 2GHJCC0N Product Registration.exe
2009-07-02 18:34 . 2009-07-02 18:34 -------- d-----w- c:\documents and settings\User\Application Data\Leadertech
2009-06-30 08:48 . 2009-06-30 08:48 -------- d-----w- c:\documents and settings\User\Application Data\Malwarebytes
2009-06-30 08:48 . 2009-06-17 10:27 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-30 08:48 . 2009-06-30 08:48 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-06-30 08:48 . 2009-06-30 08:48 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-30 08:48 . 2009-06-17 10:27 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-06-29 12:15 . 2009-02-12 09:35 38208 ----a-w- c:\documents and settings\User\Application Data\Macromedia\Flash Player\[You must be registered and logged in to see this link.]
2009-06-29 12:15 . 2009-06-29 12:15 -------- d-----w- c:\program files\Common Files\Adobe AIR
2009-06-29 12:13 . 2009-06-29 12:13 86016 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe
2009-06-29 12:12 . 2009-06-30 08:56 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-06-29 12:12 . 2009-06-30 08:36 -------- d-----w- c:\program files\NOS
2009-06-29 11:49 . 2009-06-29 12:05 -------- d-----w- c:\documents and settings\User\.SunDownloadManager
2009-06-26 17:57 . 2009-06-26 17:57 -------- d-----w- c:\documents and settings\All Users\Application Data\SITEguard
2009-06-26 17:52 . 2009-06-26 17:52 -------- d-----w- c:\program files\Common Files\iS3
2009-06-26 17:52 . 2009-06-26 18:14 -------- d-----w- c:\documents and settings\All Users\Application Data\STOPzilla!
2009-06-24 08:26 . 2009-06-30 08:50 94208 ----a-w- c:\windows\system32\TRSOCR.dll
2009-06-24 08:11 . 2009-06-30 08:44 -------- d--h--w- C:\$AVG8.VAULT$
2009-06-24 08:09 . 2009-07-03 14:20 6198960 ----a-w- c:\windows\system32\TRSOCR.dat
2009-06-14 10:55 . 2009-06-14 10:55 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-06-14 10:54 . 2009-06-07 18:00 15688 ----a-w- c:\windows\system32\lsdelete.exe
2009-06-13 08:29 . 2009-06-13 08:29 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2009-06-11 06:38 . 2009-04-30 21:22 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2009-06-11 06:38 . 2009-04-30 21:22 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2009-06-08 08:56 . 2009-06-08 08:57 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
2009-06-07 19:50 . 2009-06-07 19:51 -------- d-----w- c:\documents and settings\User\Local Settings\Application Data\ApplicationHistory
2009-06-07 19:40 . 2009-07-03 14:19 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-06-07 19:40 . 2009-06-07 19:40 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-06-07 19:40 . 2009-07-03 14:19 327688 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-06-07 19:40 . 2009-07-03 14:19 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-06-07 19:40 . 2009-07-03 14:20 -------- d-----w- c:\windows\system32\drivers\Avg
2009-06-07 19:39 . 2009-06-07 19:39 -------- d-----w- c:\program files\AVG
2009-06-07 19:39 . 2009-06-26 17:21 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-06-07 19:39 . 2009-06-07 19:39 -------- d-----w- c:\documents and settings\User\Application Data\Windows Search
2009-06-07 18:57 . 2009-06-07 18:57 -------- d-sh--w- c:\documents and settings\User\IECompatCache
2009-06-07 18:55 . 2009-06-07 18:55 -------- d-sh--w- c:\documents and settings\User\PrivacIE
2009-06-07 18:44 . 2009-06-07 18:44 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2009-06-07 18:41 . 2009-06-07 18:41 -------- d-sh--w- c:\documents and settings\User\IETldCache
2009-06-07 18:28 . 2009-06-07 18:28 -------- d-----w- c:\windows\system32\XPSViewer
2009-06-07 18:28 . 2009-06-07 18:28 -------- d-----w- c:\program files\MSBuild
2009-06-07 18:28 . 2009-06-07 18:28 -------- d-----w- c:\program files\Reference Assemblies
2009-06-07 18:26 . 2008-07-06 12:06 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-06-07 18:26 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll
2009-06-07 18:26 . 2008-07-06 10:50 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-06-07 18:26 . 2008-07-06 12:06 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll
2009-06-07 18:26 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
2009-06-07 18:26 . 2008-07-06 12:06 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll
2009-06-07 18:26 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll
2009-06-07 18:26 . 2009-06-07 18:28 -------- d-----w- C:\545f3a774d7f795115059afa15
2009-06-07 18:26 . 2009-06-07 18:40 -------- d-----w- c:\windows\SxsCaPendDel
2009-06-07 18:15 . 2009-06-26 17:35 -------- d-----w- c:\windows\ie8updates
2009-06-07 18:15 . 2009-06-02 10:12 102912 -c----w- c:\windows\system32\dllcache\iecompat.dll
2009-06-07 18:10 . 2009-06-07 18:14 -------- dc-h--w- c:\windows\ie8
2009-06-07 18:02 . 2009-06-07 18:00 64160 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-06-07 18:00 . 2009-06-07 18:00 15688 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lsdelete.exe
2009-06-07 18:00 . 2009-06-07 18:00 83808 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\ShellExt.dll
2009-06-07 18:00 . 2009-06-07 18:00 212848 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\RPAPI.dll
2009-06-07 18:00 . 2009-06-07 18:00 40288 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\PrivacyClean.dll
2009-06-07 18:00 . 2009-06-07 18:00 64160 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Drivers\32\lbd.sys
2009-06-07 17:58 . 2009-06-07 17:58 -------- d-----w- c:\documents and settings\User\Application Data\Windows Desktop Search
2009-06-07 17:56 . 2009-06-11 07:04 -------- d-----w- c:\program files\Windows Desktop Search
2009-06-07 17:56 . 2009-06-07 17:56 -------- d-----w- c:\windows\system32\GroupPolicy
2009-06-07 17:54 . 2009-06-07 17:54 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-06-07 17:54 . 2009-03-12 08:17 2902048 -c--a-w- c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}\Ad-AwareAE.exe
2009-06-07 17:53 . 2009-06-07 18:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-06-07 17:53 . 2009-06-07 17:53 -------- d-----w- c:\program files\Lavasoft
2009-06-07 17:52 . 2008-03-07 17:02 98304 -c----w- c:\windows\system32\dllcache\nlhtml.dll
2009-06-07 17:52 . 2008-03-07 17:02 29696 -c----w- c:\windows\system32\dllcache\mimefilt.dll
2009-06-07 17:52 . 2008-03-07 17:02 192000 -c----w- c:\windows\system32\dllcache\offfilt.dll
2009-06-07 17:50 . 2009-03-08 03:31 55296 -c--a-w- c:\windows\system32\dllcache\msfeedsbs.dll
2009-06-07 17:50 . 2009-03-08 03:32 594432 -c--a-w- c:\windows\system32\dllcache\msfeeds.dll
2009-06-07 17:50 . 2009-04-30 21:22 1985024 -c--a-w- c:\windows\system32\dllcache\iertutil.dll
2009-06-07 17:50 . 2009-02-20 10:20 13824 -c----w- c:\windows\system32\dllcache\ieudinit.exe
2009-06-07 17:50 . 2009-04-30 21:22 11064832 -c--a-w- c:\windows\system32\dllcache\ieframe.dll
2009-06-07 17:50 . 2009-03-08 03:11 445952 -c--a-w- c:\windows\system32\dllcache\ieapfltr.dll
2009-06-07 17:50 . 2009-03-08 03:31 59904 -c--a-w- c:\windows\system32\dllcache\icardie.dll
2009-06-07 17:50 . 2009-02-06 20:07 3698584 -c--a-w- c:\windows\system32\dllcache\ieapfltr.dat
2009-06-07 17:24 . 2009-06-26 17:39 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-06-07 17:24 . 2009-06-26 17:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-06-07 17:20 . 2009-06-07 17:20 -------- d-----w- c:\program files\Windows Media Connect 2
2009-06-07 17:18 . 2001-08-17 21:36 8704 -c--a-w- c:\windows\system32\dllcache\kbdjpn.dll
2009-06-07 17:16 . 2009-06-07 17:16 -------- d-----w- c:\windows\system32\LogFiles
2009-06-07 17:12 . 2009-06-07 17:12 -------- d-----w- c:\windows\system32\URTTEMP
2009-06-07 16:51 . 2009-06-07 16:51 -------- d-----w- c:\program files\CCleaner
2009-06-07 16:45 . 2004-08-04 12:00 221184 ----a-w- c:\windows\system32\wmpns.dll
2009-06-07 16:29 . 2009-06-07 16:29 -------- d-----w- c:\windows\system32\scripting
2009-06-07 16:29 . 2009-06-07 16:29 -------- d-----w- c:\windows\l2schemas
2009-06-07 16:29 . 2009-06-07 16:29 -------- d-----w- c:\windows\system32\en
2009-06-07 16:29 . 2009-06-07 16:29 -------- d-----w- c:\windows\system32\bits
2009-06-07 16:26 . 2009-06-07 16:29 -------- d-----w- c:\windows\ServicePackFiles
2009-06-07 15:47 . 2009-06-29 12:09 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-06-07 15:40 . 2009-06-07 15:40 152576 ----a-w- c:\documents and settings\User\Application Data\Sun\Java\jre1.6.0_13\lzma.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-03 14:14 . 2004-08-04 12:00 4224 ----a-w- c:\windows\system32\drivers\beep.sys
2009-07-02 18:48 . 2005-07-30 09:07 46342 ----a-w- c:\documents and settings\User\Application Data\wklnhst.dat
2009-07-02 18:46 . 2009-02-25 12:34 -------- d-----w- c:\documents and settings\All Users\Application Data\CanonIJPLM
2009-06-29 12:19 . 2005-08-15 17:48 -------- d-----w- c:\program files\Common Files\Adobe
2009-06-29 12:10 . 2006-12-11 15:21 -------- d-----w- c:\program files\Java
2009-06-26 17:17 . 2005-07-30 17:14 62624 ----a-w- c:\documents and settings\User\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-06-07 19:40 . 2009-07-03 14:20 11952 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgrsstx.dll
2009-06-07 19:39 . 2009-07-03 14:20 908568 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgemc.exe
2009-06-07 19:37 . 2006-07-30 09:29 -------- d-----w- c:\program files\Google
2009-06-07 19:37 . 2005-08-16 18:28 -------- d-----w- c:\program files\Yahoo!
2009-06-07 19:36 . 2005-07-28 15:01 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-06-07 19:27 . 2005-07-28 15:01 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2009-06-07 17:09 . 2009-05-20 17:29 2944 ---hatw- c:\windows\system32\muIO.sys
2009-06-07 16:32 . 2005-07-28 14:14 76487 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-05-31 07:45 . 2009-05-31 07:45 390664 ----a-w- c:\documents and settings\User\Application Data\Real\RealPlayer\Update\RealPlayer11.exe
2009-05-24 23:24 . 2008-05-26 21:18 350208 ----a-w- c:\windows\system32\mssph.dll
2009-05-14 13:23 . 2009-03-01 09:06 -------- d-----w- c:\documents and settings\All Users\Application Data\CanonIJ
2009-05-13 05:15 . 2004-08-04 12:00 915456 ----a-w- c:\windows\system32\wininet.dll
2009-05-12 14:12 . 2005-07-29 09:24 26144 ----a-w- c:\windows\system32\spupdsvc.exe
2009-05-07 15:32 . 2004-08-04 12:00 345600 ----a-w- c:\windows\system32\localspl.dll
2009-04-17 12:26 . 2004-08-04 12:00 1847168 ----a-w- c:\windows\system32\win32k.sys
2009-04-15 14:51 . 2004-08-04 12:00 585216 ----a-w- c:\windows\system32\rpcrt4.dll
.

((((((((((((((((((((((((((((( [You must be registered and logged in to see this link.] )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-07-04 11:50 . 2009-07-04 11:50 16384 c:\windows\Temp\Perflib_Perfdata_5cc.dat
.



Post by Whytecliffe(Mum) on Sat Jul 04, 2009 11:59 am

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2004-09-30 4603904]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2004-09-30 86016]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2003-10-31 32768]
"DSLSTATEXE"="c:\program files\BT Voyager 105 ADSL Modem\dslstat.exe" [2003-06-28 1658965]
"DSLAGENTEXE"="c:\program files\BT Voyager 105 ADSL Modem\dslagent.exe" [2003-08-19 16384]
"Motive SmartBridge"="c:\progra~1\BTBROA~1\SMARTB~1\BTHelpNotifier.exe" [2004-12-09 421888]
"CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2008-03-10 689488]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2008-03-17 1848648]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-01-06 290088]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-06-21 518488]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-07-03 1948440]
"YeppStudioAgent"="c:\program files\Samsung\Samsung Media Studio\SamsungMediaStudioAgent.exe" [2005-09-12 40960]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-06-29 148888]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"SoundMan"="SOUNDMAN.EXE" - c:\windows\SOUNDMAN.EXE [2004-11-15 77824]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2004-09-30 921600]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\User\Start Menu\Programs\Startup\
Seagate 2GHJCC0N Product Registration.lnk - c:\documents and settings\User\Application Data\Leadertech\PowerRegister\Seagate 2GHJCC0N Product Registration.exe [2009-7-2 1731736]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
BT Broadband Basic Help.lnk - c:\program files\BT Broadband Help\bin\matcli.exe [2005-8-5 217088]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-24 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-07-03 14:19 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [07/06/2009 19:02 64160]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [07/06/2009 20:40 327688]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [07/06/2009 20:40 108552]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [07/06/2009 20:39 906520]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [07/06/2009 20:39 298776]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [09/03/2009 20:06 1003344]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-06-14 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 09:06]

2009-06-27 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2009-06-26 c:\windows\Tasks\Spybot - Search & Destroy - Scheduled Task.job
- c:\program files\Spybot - Search & Destroy\SpybotSD.exe [2009-06-26 14:31]

2009-06-26 c:\windows\Tasks\Spybot - Search & Destroy Updater - Scheduled Task.job
- c:\program files\Spybot - Search & Destroy\SDUpdate.exe [2009-06-26 14:31]

2009-07-04 c:\windows\Tasks\User_Feed_Synchronization-{E0B6E363-8C63-48F9-BB48-B1AD20993E7C}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 03:31]
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
uSearchURL,(Default) = [You must be registered and logged in to see this link.]
DPF: Microsoft XML Parser for Java - [You must be registered and logged in to see this link.]
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - [You must be registered and logged in to see this link.]
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2009-07-04 12:50
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2764)
c:\windows\system32\WININET.dll
c:\progra~1\BTBROA~1\SMARTB~1\SBHook.dll
c:\program files\Windows Desktop Search\deskbar.dll
c:\program files\Windows Desktop Search\en-us\dbres.dll.mui
c:\program files\Windows Desktop Search\dbres.dll
c:\program files\Windows Desktop Search\wordwheel.dll
c:\program files\Windows Desktop Search\en-us\msnlExtRes.dll.mui
c:\program files\Windows Desktop Search\msnlExtRes.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Canon\IJPLM\ijplmsvc.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\searchindexer.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\rundll32.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\BT Broadband Help\bin\mpbtn.exe
.
**************************************************************************
.
Completion time: 2009-07-04 12:55 - machine was rebooted
ComboFix-quarantined-files.txt 2009-07-04 11:55
ComboFix2.txt 2009-07-03 14:32

Pre-Run: 64,397,635,584 bytes free
Post-Run: 64,386,203,648 bytes free

276 --- E O F --- 2009-06-24 11:45



Post by Belahzur on Sat Jul 04, 2009 2:06 pm

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /u



This will also reset your restore points.

How is the machine running now?




Post by Whytecliffe(Mum) on Sat Jul 04, 2009 5:19 pm

Hi there,

I tried to get my Mum to do this bit remotely and she followed the instructions but it said that ComboFix is uninstalled, so nothing really happened. Any ideas?

Regarding your question about performance, certainly, Spybot isn't scanning at startup and I haven't seen any of the virus warnings popping up recently whilst doing the above work.



Post by Origin on Sat Jul 04, 2009 5:27 pm

That command was meant to uninstall ComboFix.

Did you enable TeaTimer? If not then do the following:

I notice that you have Spybot's TeaTimer running. While this is normally a wonderful tool to protect against hijackers, it can also interfere with HijackThis fixes. So please disable TeaTimer by doing the following:
1) Run Spybot-S&D
2) Go to the Mode menu, and make sure "Advanced Mode" is selected
3) On the left hand side, choose Tools -> Resident
4) Check "Resident TeaTimer" and OK any prompts

Is Spybot scanning on start up now?


While my help is always free, please consider donating to keep this site alive: [You must be registered and logged in to see this link.]

[You must be registered and logged in to see this link.]



Post by Whytecliffe(Mum) on Sat Jul 04, 2009 5:34 pm

No, thankfully Spybot seems to have stopped scanning at Startup.

We disabled Adwatch & Teatimer at the start of the process, do you suggest we enable them again now?

I know my Mum is very grateful for your help and I believe she will be making a donation to you when all is sorted out.



Post by Origin on Sat Jul 04, 2009 5:40 pm

Ok, if you wish to enable them then yes it is up to you.

Below I have included a number of recommendations for how to protect your computer in order to prevent future malware infections. Please take these recommendations seriously; these few simple steps can stave off the vast majority of spyware problems. As happy as we are to help you, for your sake we would rather not have repeat customers.

1) Please navigate to [You must be registered and logged in to see this link.] and download all the "critical updates" for Windows. This can patch many of the security holes through which attackers can gain access to your computer.

Please either enable Automatic Updates under Start -> Control Panel -> Automatic Updates , or get into the habit of checking for Windows updates regularly. I cannot stress enough how important this is.

2) In order to protect yourself against spyware, you should consider installing and running the following free programs:

[You must be registered and logged in to see this link.]
A tutorial on using Ad-Aware to remove spyware from your computer may be found [You must be registered and logged in to see this link.].

[You must be registered and logged in to see this link.]
A tutorial on using Spybot to remove spyware from your computer may be found [You must be registered and logged in to see this link.]. Please also remember to enable Spybot's "Immunize" and "TeaTimer" features.

[You must be registered and logged in to see this link.]
A tutorial on using SpywareBlaster to prevent spyware from ever installing on your computer may be found [You must be registered and logged in to see this link.].

[You must be registered and logged in to see this link.]
A tutorial on using SpywareGuard for realtime protection against spyware and hijackers may be found [You must be registered and logged in to see this link.].

Make sure to keep these programs up-to-date and to run them regularly, as this can prevent a great deal of spyware hassle.

3) Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in popup blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from here:
[You must be registered and logged in to see this link.]
I also recommend the following add-ons for Firefox; they will help keep you safe from malicious scripts or ActiveX exploits.
[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]

4) Also make sure to run your antivirus software regularly, and to keep it up-to-date.

To help you keep your software updated, please consider using this free software program that will check for program updates.
[You must be registered and logged in to see this link.]

5) Finally, consider maintaining a firewall. Some good free firewalls are [You must be registered and logged in to see this link.], or
[You must be registered and logged in to see this link.]
A tutorial on understanding and using firewalls may be found [You must be registered and logged in to see this link.].

Please also read Tony Klein's excellent article: [You must be registered and logged in to see this link.]

If you would take a moment to fill out our feedback form, we would appreciate it.
The link can be found [You must be registered and logged in to see this link.].

Hopefully this should take care of your problems! Good luck.




Post by Whytecliffe(Mum) on Mon Jul 06, 2009 6:06 pm

I'm afraid that something seems to have gone seriously wrong since the last message.

You'll recall that Mum cancelled the uninstallation of ComboFix towards the end of the process which I mentioned above and I don't know if that has caused the current problem.

Apparently, she tried to boot up yesterday and there was a message saying cannot install user settings or something similar, so she decided that she shouldn't use the pc and to wait for me to finish by doing the above, she switched the power off without closing down properly.

I've just been round to finish off the fixes etc, and got to the stage of clicking on the "User" button at the XP Welcome page. The PC seemingly froze so I rebooted. The PC booted up this time but there appears to be nothing in the Windows start up menu, the PC is running extremely slowly, there is no Internet Explorer and I cannot get on to the internet.

It seems that the PC has been half wiped, all of her documents have gone (lucky that we backed up!) but a lot of the programs that were installed before seem to still be on there, so the PC hasn't completely gone back to factory settings.

Can you advise? As I mention above, all of a sudden the PC's reaction seems incredibly slow.



Post by Belahzur on Mon Jul 06, 2009 6:11 pm

Wouldn't surprise me to hear that...

Remember that I told you the backdoor allows remote access and remote attacks, and the attacker can go as far as literally destroying the OS (linked to an article on page 1).

If I was you, I would probably format right now rather than messing around with this anymore.

Instructions how to format and reinstall Windows can be found [You must be registered and logged in to see this link.]

