infected with virtumonde and vundo trojan
infected with virtumonde and vundo trojan

Post by imsps on 31st July 2009, 3:55 pm

Every time I scan this computer it comes up with Virtumonde.sci and Virtumonde.prx as well as the Vundo.H trojan in the registry. Malwarebytes and Search & Destroy find it, but apparently can't get rid of it for good.
I updated the PC for Java, Adobe and Windows.
I let HijackThis run and will post the results shortly.

imsps, Intermediate. Posts: 62, joined 2009-07-24, OS: vista.

Re: infected with virtumonde and vundo trojan

Post by imsps on 31st July 2009, 3:56 pm

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:44:44 AM, on 7/31/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16876)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\ATKKBService.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\lxdccoms.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe
C:\WINDOWS\system32\CTXFIHLP.EXE
C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\Linksys\WUSB100\WUSB100.exe
C:\Documents and Settings\John Scarth_2\Desktop\Curse\CurseClient.exe
C:\Program Files\Safari\Safari.exe
C:\DOCUME~1\JOHNSC~2\LOCALS~1\Temp\7j0k6eu2.tmp\winlogon.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.15642\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [LXDCCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXDCtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [AudioDrvEmulator] "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" -1 AudioDrvEmulator "C:\Program Files\Creative\Shared Files\Module Loader\Audio Emulator\AudDrvEm.dll"
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [muketujapo] Rundll32.exe "C:\WINDOWS\system32\sojadozi.dll",s
O4 - HKLM\..\Run: [5875fe75] rundll32.exe "C:\WINDOWS\system32\nonebaku.dll",b
O4 - HKLM\..\Run: [CPM5b46cde9] Rundll32.exe "c:\windows\system32\wefeyubi.dll",a
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [75095839000744022303655390411690] C:\Program Files\Antivirus 2009\av2009.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [CurseClient] C:\Documents and Settings\John Scarth_2\Desktop\Curse\CurseClient.exe -silent
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
O4 - S-1-5-18 Startup: IMVU.lnk = C:\Documents and Settings\John Scarth_2\Application Data\IMVUClient\IMVUClient.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: IMVU.lnk = C:\Documents and Settings\John Scarth_2\Application Data\IMVUClient\IMVUClient.exe (User 'Default user')
O4 - Startup: IMVU.lnk = C:\Documents and Settings\John Scarth_2\Application Data\IMVUClient\IMVUClient.exe
O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O4 - Global Startup: Wireless Network Monitor.lnk = C:\Program Files\Linksys\WUSB100\WUSB100.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - [You must be registered and logged in to see this link.]
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\John Scarth_2\Start Menu\Programs\IMVU\Run IMVU.lnk
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01111F00-3E00-11D2-8470-0060089874ED} - [You must be registered and logged in to see this link.]
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - [You must be registered and logged in to see this link.]
O16 - DPF: {3DCEC959-378A-4922-AD7E-FD5C925D927F} (Disney Online Games ActiveX Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - [You must be registered and logged in to see this link.]
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - [You must be registered and logged in to see this link.]
O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O20 - AppInit_DLLs: windows\system32\tulowifi.dll c:\windows\system32\pifujufo.dll prxzlg.dll ujbshf.dll vaxwnt.dll jgffyr.dll prwefa.dll c:\windows\system32\ C:\WINDOWS\system32\dafubini.dll c:\windows\system32\wirokile.dll c:\windows\system32\
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - (no file)
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - C:\WINDOWS\ATKKBService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: lxdc_device - - C:\WINDOWS\system32\lxdccoms.exe
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINDOWS\system32\GameMon.des.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

--
End of file - 10773 bytes


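The checks a responder makes by eye on the log above, as an added example (editor's code, not a Geek Police or HijackThis tool). It flags a process carrying the name of a core system binary but running from somewhere other than system32 (the winlogon.exe under the user's Temp folder in the process list above, which none of the replies in this thread call out), O2/O3 objects registered with no file behind them, Run values that load a DLL through rundll32 with a single-letter export or carry a hex-looking value name, and every entry in AppInit_DLLs. The name heuristics are derived from the entries on this page: eight lowercase letters strictly alternating consonant and vowel (sojadozi, tulowifi, and the afidoron-style .ini files in the ComboFix deletions further down) and six-letter low-vowel stems such as prxzlg. They are triage hints, not verdicts: a legitimate DLL such as setupapi.dll also fits the eight-letter shape, so the six-letter rule is only applied inside AppInit_DLLs, where on a home PC any entry at all deserves a look. Assumptions: the system root is C:\WINDOWS as in the posted log, and SAMPLE_LOG is a constructed subset of that log. The Malwarebytes log later in the thread reports the same three Run values present again after the HijackThis fix, which is consistent with the AppInit-loaded DLLs still being resident and rewriting them; that is why the replies move on to the uninstall list and ComboFix.

```python
# Added example (editor's code, not a Geek Police or HijackThis tool): heuristic
# triage of a HijackThis 2.0 log for the Vundo/Virtumonde indicators on this page.
# SAMPLE_LOG is a constructed subset of the log posted above.
import re
from collections import namedtuple

SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\System32\smss.exe
C:\DOCUME~1\JOHNSC~2\LOCALS~1\Temp\7j0k6eu2.tmp\winlogon.exe

O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [muketujapo] Rundll32.exe "C:\WINDOWS\system32\sojadozi.dll",s
O4 - HKLM\..\Run: [5875fe75] rundll32.exe "C:\WINDOWS\system32\nonebaku.dll",b
O4 - HKLM\..\Run: [CPM5b46cde9] Rundll32.exe "c:\windows\system32\wefeyubi.dll",a
O20 - AppInit_DLLs: windows\system32\tulowifi.dll c:\windows\system32\pifujufo.dll prxzlg.dll ujbshf.dll c:\windows\system32\ C:\WINDOWS\system32\dafubini.dll
"""

SYSTEM32 = "c:\\windows\\system32\\"  # assumption: system root is C:\WINDOWS, as in the log
SYSTEM_BINARIES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
                   "lsass.exe", "svchost.exe", "spoolsv.exe"}  # legitimate only from system32
VOWELS = set("aeiou")
RUN_LINE = re.compile(r"^O4 - (?P<key>.+?\\Run): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
RUNDLL = re.compile(r'^\s*"?rundll32(?:\.exe)?"?\s+"?(?P<dll>[^",]+)"?,(?P<export>\S*)', re.I)
HEX_RUN = re.compile(r"[0-9a-f]{8}", re.I)  # value names such as 5875fe75 or CPM5b46cde9
Finding = namedtuple("Finding", "kind subject reasons")  # kind: process|orphan|run|appinit

def basename(path):
    return path.replace("/", "\\").rstrip().rsplit("\\", 1)[-1].lower()

def generated_name(stem, appinit=False):
    """Name shapes of the Vundo droppings on this page: 8 lowercase letters strictly
    alternating consonant/vowel (sojadozi, tulowifi, afidoron) and, only inside
    AppInit_DLLs, 6 letters with at most 2 vowels (prxzlg, ujbshf, prwefa).
    Triage hint only: a real DLL such as setupapi also fits the 8-letter shape."""
    if not stem.isalpha():
        return False
    if len(stem) == 8:
        is_vowel = [c in VOWELS for c in stem]
        return all(is_vowel[i] != is_vowel[i + 1] for i in range(7))
    return appinit and len(stem) == 6 and sum(c in VOWELS for c in stem) <= 2

def check_process(path):
    # A core system binary name outside system32 is a masquerade, whatever the AV says.
    p = path.replace("/", "\\").lower()
    if basename(p) in SYSTEM_BINARIES and not p.startswith(SYSTEM32):
        return Finding("process", path, ("core system binary name running outside system32",))

def check_run(key, name, cmd):
    reasons = []
    if HEX_RUN.search(name):
        reasons.append("value name contains an 8+ character hex run")
    if m := RUNDLL.match(cmd):
        dll = basename(m["dll"])
        if generated_name(dll.rsplit(".", 1)[0]):
            reasons.append(f"rundll32 loads generated-looking DLL {dll}")
        if len(m["export"]) == 1:  # NvCpl.dll,NvStartup is normal; sojadozi.dll,s is not
            reasons.append(f"single-letter export '{m['export']}'")
    return Finding("run", f"{key} [{name}]", tuple(reasons)) if reasons else None

def check_appinit(value):
    reasons = []
    for entry in value.split():  # HijackThis prints the value space-separated
        name = basename(entry)
        if not name:
            reasons.append(f"{entry}: directory with no file name (stale entry)")
        elif generated_name(name.rsplit(".", 1)[0], appinit=True):
            reasons.append(f"{name}: generated-looking name")
        else:
            reasons.append(f"{name}: unrecognised, review")
    return Finding("appinit", "AppInit_DLLs", tuple(reasons)) if reasons else None

def triage(log_text):
    findings, in_procs = [], False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_procs = True
        elif in_procs:
            if not line:  # blank line closes the process list
                in_procs = False
            elif f := check_process(line):
                findings.append(f)
        elif line.startswith(("O2 - ", "O3 - ")) and line.endswith("(no file)"):
            findings.append(Finding("orphan", line, ("registered object whose file is gone",)))
        elif m := RUN_LINE.match(line):
            if f := check_run(m["key"], m["name"], m["cmd"]):
                findings.append(f)
        elif line.startswith("O20 - AppInit_DLLs:"):
            if f := check_appinit(line.split(":", 1)[1]):
                findings.append(f)
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.kind}] {f.subject}")
        for r in f.reasons:
            print("    -", r)
```

Run it against a saved hijackthis.log by replacing SAMPLE_LOG with the file contents; every finding is something to confirm by hand (file properties, digital signature, VirusTotal), and the process-path check is the one worth running first, because a masquerading winlogon.exe means whatever was cleaned from the registry can be put back on the next boot.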
Re: infected with virtumonde and vundo trojan

Post by Origin on 31st July 2009, 3:59 pm

Hello Name,

Welcome to Geek Police, my name is Origin and I will be helping you today. Please keep the following in mind:

  • If you do not get a reply from me or another helper within 2 days, please reply to your topic with the phrase BUMP
  • If you have any cracked/pirated software on your computer, delete it or we will not help you.
  • Only follow advice from Geek Police Staff and not a regular member.
  • Do NOT run any tool without Geek Police supervision as it could render your system useless.


  • Open HijackThis.
  • Choose "Do a system scan only"
  • Check the boxes in front of these lines:


    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
    O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
    O4 - HKLM\..\Run: [muketujapo] Rundll32.exe "C:\WINDOWS\system32\sojadozi.dll",s
    O4 - HKLM\..\Run: [5875fe75] rundll32.exe "C:\WINDOWS\system32\nonebaku.dll",b
    O4 - HKLM\..\Run: [CPM5b46cde9] Rundll32.exe "c:\windows\system32\wefeyubi.dll",a
    O4 - HKCU\..\Run: [75095839000744022303655390411690] C:\Program Files\Antivirus 2009\av2009.exe
    O20 - AppInit_DLLs: windows\system32\tulowifi.dll c:\windows\system32\pifujufo.dll prxzlg.dll ujbshf.dll vaxwnt.dll jgffyr.dll prwefa.dll c:\windows\system32\ C:\WINDOWS\system32\dafubini.dll c:\windows\system32\wirokile.dll c:\windows\system32\



  • Press "Fix Checked"
  • Close Hijack This.

Please download and run this tool.

Download Malwarebytes' Anti-Malware from [You must be registered and logged in to see this link.]

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.


Post the contents of the MBAM Log.


While my help is always free, please consider donating to keep this site alive: [You must be registered and logged in to see this link.]

Origin, Master. Posts: 2685, joined 2009-05-05, OS: Windows XP SP3.

Re: infected with virtumonde and vundo trojan

Post by imsps on 31st July 2009, 7:14 pm

Here is the MBAM log file. It still brings up the Vundo and BHO trojan.
I also had an error message that informed me that it could not find certain files (those are the same files that we deleted in HijackThis).
Malwarebytes' Anti-Malware 1.39
Database version: 2536
Windows 5.1.2600 Service Pack 3

7/31/2009 3:07:45 PM
mbam-log-2009-07-31 (15-07-45).txt

Scan type: Quick Scan
Objects scanned: 98714
Time elapsed: 5 minute(s), 59 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 4
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\muketujapo (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\5875fe75 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cpm5b46cde9 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\ssodl (Trojan.BHO) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)


Re: infected with virtumonde and vundo trojan

Post by Belahzur on 31st July 2009, 7:59 pm

Hello.
Before we can use something more powerful, we need to uninstall a few things.

  • Open HijackThis.
  • When Hijack This opens, click "Open the Misc Tools section"
  • Then select "Open Uninstall Manager"
  • Click on "Save List..." (generates uninstall_list.txt)
  • Click Save, copy and paste the results in your next post.


Please PM me if I fail to respond within 24hrs.


Belahzur, Administrator. Posts: 34918, joined 2008-08-03, OS: 7 Home Premium x64.

Here's the list

Post by imsps on 1st August 2009, 12:25 am

Adobe Flash Player 10 ActiveX
Adobe Reader 9.1
AnswerWorks 4.0 Runtime - English
Apple Software Update
ASUS Gamer OSD
ATI - Software Uninstall Utility
ATI Control Panel
ATI Display Driver
ATI HydraVision
AVG Free Edition
Avira AntiVir Personal - Free Antivirus
Bonjour
Citrix Presentation Server Client
Civilization III Complete Edition
Creative Software AutoUpdate
Creative System Information
Critical Update for Windows Media Player 11 (KB959772)
Curse Client
DivX Content Uploader
DivX Web Player
Google Toolbar for Internet Explorer
Google Toolbar for Internet Explorer
Grand Chase
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB915800-v4)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB961118)
HP Photo and Imaging 2.0 - All-in-One
HP Photo and Imaging 2.0 - All-in-One Drivers
HP Photo and Imaging 2.0 - hp psc 1200 series
HP Product Detection
hp psc 1200 series
Hybrid Downloader 1,0,2,6
InterActual Player
InterVideo MSIPVS
Java(TM) 6 Update 14
Jojo's Fashion Show™
Lexmark 1300 Series
Lexmark Toolbar
Linksys WUSB100 RangePlus Wireless USB Adapter
Malwarebytes' Anti-Malware
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Professional 2007
Microsoft Office Professional 2007 Trial
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft User-Mode Driver Framework Feature Pack 1.0
Mozilla Firefox (3.5.1)
MSI Radio
MSN
MSN Music Assistant
Netflix Movie Viewer
NVIDIA Drivers
Outspark Sharp Launcher
Pando Media Booster
ProjectPowder
QuickTime
Safari
Scrabble
Security Update for 2007 Microsoft Office System (KB969559)
Security Update for 2007 Microsoft Office System (KB969679)
Security Update for Microsoft Office Excel 2007 (KB969682)
Security Update for Microsoft Office PowerPoint 2007 (KB957789)
Security Update for Microsoft Office Publisher 2007 (KB969693)
Security Update for Microsoft Office system 2007 (KB969613)
Security Update for Microsoft Office Word 2007 (KB969604)
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Internet Explorer 7 (KB972260)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Search 4 - KB963093
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB973346)
Sid Meier's Civilization 4
Sid Meier's Civilization 4 - Beyond the Sword
Sid Meier's Civilization 4 - Warlords
Sound Blaster X-Fi
Sounds Best On Sound Blaster
Spybot - Search & Destroy
Star Wars(R) Knights of the Old Republic(R) II: The Sith Lords(TM)
The Sims 2
The Sims 2 Open For Business
The Sims 2 Pets
The Sims 2 University
The Sims™ 2 Bon Voyage
The Sims™ 2 Celebration! Stuff
The Sims™ 2 FreeTime
The Sims™ 2 H&M® Fashion Stuff
The Sims™ 2 Kitchen & Bath Interior Design Stuff
The Sims™ 2 Seasons
The Sims™ 2 Teen Style Stuff
TurboTax Deluxe 2007
TV Tuner Driver
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft Office Outlook 2007 (KB969907)
Update for Outlook 2007 Junk Email Filter (kb971933)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Ventrilo Client
VIA Integrated Setup Wizard
Windows Defender
Windows Defender Signatures
Windows Imaging Component
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows Presentation Foundation
Windows Search 4.0
Windows XP Service Pack 3
World of Warcraft
XviD MPEG-4 Video Codec


Re: infected with virtumonde and vundo trojan

Post by Belahzur on 1st August 2009, 1:33 am

Hello.

You are running two antivirus programs: I see from the uninstall list that you have Avira installed along with AVG. This is a bad idea as they can conflict and cause more problems. I would recommend that you remove AVG to avoid conflicts and other future problems.

Go to Start > Control Panel > Add/Remove Programs and remove the following programs.

    AVG Free Edition

  • Download combofix from here
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]

    1. If you are using Firefox, make sure that your download settings are as follows:

    * Tools->Options->Main tab
    * Set to "Always ask me where to Save the files".

    2. During the download, rename Combofix to Combo-Fix as follows:

    3. It is important you rename Combofix during the download, but not after.
    4. Please do not rename Combofix to other names, but only to the one indicated.
    5. Close any open browsers.
    6. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

  • We need to disable your local AV (Anti-virus) before running Combofix.
  • See [You must be registered and logged in to see this link.] for how to disable your AV. (Mcafee)
  • Double click on ComboFix.exe.
  • Follow the prompts. NOTE:
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.

  • The Recovery Console provides a recovery/repair mode should a problem occur during a Combofix run.
  • Allow ComboFix to download the Recovery Console.
  • Accept the End-User License Agreement.
  • The Recovery Console will be installed.
  • You will then get this next prompt that asks if you want to continue the malware scan, select yes
  • Allow combofix to run
  • Post C:\combofix.txt back here.

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.





combo fix.txt part1

Post by imsps on 1st August 2009, 9:49 pm

ComboFix 09-08-01.01 - John Scarth_2 08/01/2009 17:29.1.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2047.1579 [GMT -4:00]
Running from: c:\documents and settings\John Scarth_2\Desktop\Combo-Fix.exe
AV: Avira AntiVir PersonalEdition *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Installer\167fcbe.msp
c:\windows\Installer\167fcc0.msp
c:\windows\Installer\3211f03b.msi
c:\windows\Installer\585a27b0.msi
c:\windows\Installer\88443f.msi
c:\windows\Installer\d1c61f7.msi
c:\windows\system32\afidoron.ini
c:\windows\system32\amavapad.ini
c:\windows\system32\areyijud.ini
c:\windows\system32\arezeyak.ini
c:\windows\system32\avefidur.ini
c:\windows\system32\ebinoyam.ini
c:\windows\system32\ebuyalej.ini
c:\windows\system32\ejomulen.ini
c:\windows\system32\eledafuz.ini
c:\windows\system32\enomogan.ini
c:\windows\system32\enumusul.ini
c:\windows\system32\etidazon.ini
c:\windows\system32\etupigow.ini
c:\windows\system32\evefuter.ini
c:\windows\system32\evusizew.ini
c:\windows\system32\fabuzono.dll
c:\windows\system32\igifelaf.ini
c:\windows\system32\ihuhapos.ini
c:\windows\system32\ikazirir.ini
c:\windows\system32\ilepulid.ini
c:\windows\system32\ilodajup.ini
c:\windows\system32\inedogey.ini
c:\windows\system32\inupowal.ini
c:\windows\system32\ipenirar.ini
c:\windows\system32\ipilinor.ini
c:\windows\system32\iredagut.ini
c:\windows\system32\irunewoz.ini
c:\windows\system32\itokapud.ini
c:\windows\system32\iveheseb.ini
c:\windows\system32\iwukolih.ini
c:\windows\system32\odilerug.ini
c:\windows\system32\ogomigiw.ini
c:\windows\system32\opabipag.ini
c:\windows\system32\orukekid.ini
c:\windows\system32\oyovufoj.ini
c:\windows\system32\oyupunab.ini
c:\windows\system32\ozojekul.ini
c:\windows\system32\udegajaj.ini
c:\windows\system32\udowozin.ini
c:\windows\system32\ugibatuj.ini
c:\windows\system32\ukezuwun.ini
c:\windows\system32\ukoworaj.ini
c:\windows\system32\ununutuy.ini
c:\windows\system32\upirihiv.ini
c:\windows\system32\usimatut.ini
c:\windows\system32\utulijir.ini
c:\windows\system32\uvesigaw.ini
c:\windows\system32\uyihopog.ini
c:\windows\system32\uyurosoj.ini
c:\windows\system32\uzetiyil.ini
c:\windows\system32\wudebihe.dll

.
((((((((((((((((((((((((( Files Created from 2009-07-01 to 2009-08-01 )))))))))))))))))))))))))))))))
.

2009-08-01 00:15 . 2009-08-01 00:15 -------- d-----w- c:\documents and settings\John Scarth_2\Application Data\Windows Search
2009-07-31 23:16 . 2009-07-31 23:16 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple
2009-07-31 13:25 . 2009-07-31 13:25 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
2009-07-31 03:31 . 2009-07-31 03:31 -------- d-----w- c:\documents and settings\John Scarth_2\Local Settings\Application Data\Identities
2009-07-31 03:31 . 2009-07-31 03:31 -------- d-----w- c:\documents and settings\John Scarth_2\Application Data\Windows Desktop Search
2009-07-31 03:30 . 2009-07-31 18:59 -------- d-----w- c:\program files\Windows Desktop Search
2009-07-31 03:30 . 2009-07-31 03:30 -------- d-----w- c:\windows\system32\GroupPolicy
2009-07-31 03:30 . 2008-03-07 17:02 98304 -c----w- c:\windows\system32\dllcache\nlhtml.dll
2009-07-31 03:30 . 2008-03-07 17:02 29696 -c----w- c:\windows\system32\dllcache\mimefilt.dll
2009-07-31 03:30 . 2008-03-07 17:02 192000 -c----w- c:\windows\system32\dllcache\offfilt.dll
2009-07-31 03:08 . 2009-07-31 03:08 56820 ---ha-w- c:\windows\system32\mlfcache.dat
2009-07-31 03:02 . 2009-07-31 03:01 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-07-31 02:29 . 2009-07-31 02:29 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2009-07-31 02:29 . 2009-07-31 02:29 152576 ----a-w- c:\documents and settings\John Scarth_2\Application Data\Sun\Java\jre1.6.0_14\lzma.dll
2009-07-28 23:04 . 2009-07-28 23:04 -------- d-----w- c:\documents and settings\Brandon\Local Settings\Application Data\Mozilla
2009-07-27 20:55 . 2009-07-27 20:55 -------- d-----w- c:\documents and settings\John Scarth_2\Application Data\Apple Computer
2009-07-27 18:18 . 2009-07-27 18:18 -------- d-----w- c:\program files\Safari
2009-07-27 18:17 . 2009-07-27 18:17 -------- d-----w- c:\program files\QuickTime
2009-07-27 18:17 . 2009-07-27 18:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2009-07-27 18:17 . 2009-07-27 20:55 -------- d-----w- c:\documents and settings\John Scarth_2\Local Settings\Application Data\Apple Computer
2009-07-27 18:17 . 2009-07-27 18:17 -------- d-----w- c:\program files\Bonjour
2009-07-27 18:17 . 2009-07-27 18:17 -------- d-----w- c:\documents and settings\John Scarth_2\Local Settings\Application Data\Apple
2009-07-27 18:17 . 2009-07-27 18:17 -------- d-----w- c:\program files\Apple Software Update
2009-07-27 18:17 . 2009-07-27 18:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2009-07-27 18:04 . 2009-07-27 18:04 -------- d-----w- c:\documents and settings\John Scarth_2\Application Data\Malwarebytes
2009-07-27 18:04 . 2009-07-13 17:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-27 18:04 . 2009-07-27 18:04 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-07-27 18:04 . 2009-07-27 18:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-07-27 18:04 . 2009-07-13 17:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-27 18:00 . 2009-07-27 18:00 0 ----a-w- c:\windows\nsreg.dat
2009-07-27 18:00 . 2009-07-27 18:00 -------- d-----w- c:\documents and settings\John Scarth_2\Local Settings\Application Data\Mozilla
2009-07-26 22:01 . 2009-07-26 22:01 -------- d-----w- c:\documents and settings\Brandon\Local Settings\Application Data\Google
2009-07-26 01:56 . 2009-07-26 01:56 -------- d-----w- C:\e2f6b854526ea6b6de8a4b
2009-07-26 01:51 . 2009-07-26 01:51 -------- d-----w- c:\documents and settings\John Scarth_2\Local Settings\Application Data\Microsoft Help
2009-07-26 00:45 . 2009-03-06 14:22 284160 -c----w- c:\windows\system32\dllcache\pdh.dll
2009-07-26 00:45 . 2009-02-09 12:10 729088 -c----w- c:\windows\system32\dllcache\lsasrv.dll
2009-07-26 00:45 . 2009-02-09 12:10 473600 -c----w- c:\windows\system32\dllcache\fastprox.dll
2009-07-26 00:45 . 2009-02-09 12:10 453120 -c----w- c:\windows\system32\dllcache\wmiprvsd.dll
2009-07-26 00:45 . 2009-02-09 12:10 401408 -c----w- c:\windows\system32\dllcache\rpcss.dll
2009-07-26 00:45 . 2009-02-06 11:11 110592 -c----w- c:\windows\system32\dllcache\services.exe
2009-07-26 00:45 . 2009-02-06 10:10 227840 -c----w- c:\windows\system32\dllcache\wmiprvse.exe
2009-07-26 00:45 . 2009-02-09 12:10 714752 -c----w- c:\windows\system32\dllcache\ntdll.dll
2009-07-26 00:45 . 2009-02-09 12:10 617472 -c----w- c:\windows\system32\dllcache\advapi32.dll
2009-07-26 00:44 . 2008-05-03 11:55 2560 ------w- c:\windows\system32\xpsp4res.dll
2009-07-26 00:44 . 2008-04-21 12:08 215552 -c----w- c:\windows\system32\dllcache\wordpad.exe
2009-07-22 03:56 . 2005-01-03 06:43 4682 ----a-w- c:\windows\system32\npptNT2.sys
2009-07-22 03:56 . 2009-07-22 03:56 -------- d-----w- c:\program files\Common Files\INCA Shared
2009-07-22 01:40 . 2009-07-22 01:40 -------- d-----w- C:\Ntreev USA
2009-07-22 01:05 . 2009-07-22 01:05 -------- d-----w- c:\program files\Common Files\DirectX
2009-07-22 00:57 . 2008-09-27 04:00 230752 ----a-w- c:\windows\patchw32.dll
2009-07-22 00:57 . 2008-09-27 04:00 118176 ----a-w- c:\windows\patchw.dll
2009-07-22 00:38 . 2009-07-22 05:28 -------- d-----w- c:\documents and settings\John Scarth_2\Local Settings\Application Data\PMB Files
2009-07-22 00:38 . 2009-07-22 00:40 -------- d-----w- c:\documents and settings\All Users\Application Data\PMB Files
2009-07-22 00:38 . 2009-07-22 00:38 -------- d-----w- c:\program files\Pando Networks
2009-07-21 22:55 . 2009-07-21 22:55 -------- d-----w- c:\program files\Persona
2009-07-17 14:50 . 2009-08-01 21:36 -------- d-----w- c:\documents and settings\John Scarth_2\Local Settings\Application Data\CurseClient
2009-07-16 22:39 . 2009-07-16 22:39 272384 ----a-w- c:\documents and settings\John Scarth_2\Application Data\Acreon\WowMatrix\Modules\curl.exe
2009-07-16 22:39 . 2009-07-16 22:39 192512 ----a-w- c:\documents and settings\John Scarth_2\Application Data\Acreon\WowMatrix\Libraries\wmweb.dll
2009-07-16 22:39 . 2009-07-16 22:39 258048 ----a-w- c:\documents and settings\John Scarth_2\Application Data\Acreon\WowMatrix\Libraries\wmzip.dll
2009-07-16 22:39 . 2009-07-16 22:39 -------- d-----w- c:\documents and settings\John Scarth_2\Application Data\Acreon
2009-07-16 22:39 . 2009-07-17 17:15 -------- d-----w- c:\documents and settings\John Scarth_2\Local Settings\Application Data\._Revolution_

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-31 03:22 . 2008-07-05 21:12 70720 ----a-w- c:\documents and settings\John Scarth_2\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-07-31 03:20 . 2007-03-18 18:45 -------- d-----w- c:\program files\Common Files\Adobe
2009-07-31 03:12 . 2005-10-28 17:19 -------- d-----w- c:\program files\Java
2009-07-31 02:29 . 2008-06-29 21:38 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-07-26 02:02 . 2007-09-10 14:48 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-07-26 01:50 . 2007-09-10 14:51 -------- d-----w- c:\program files\Microsoft Works
2009-07-22 00:55 . 2008-10-12 17:50 -------- d-----w- c:\program files\Outspark
2009-07-22 00:55 . 2005-08-04 08:59 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-07-17 17:19 . 2008-06-29 22:10 -------- d-----w- c:\program files\EA GAMES
2009-07-17 01:41 . 2006-06-23 03:29 -------- d-----w- c:\program files\World of Warcraft
2009-07-14 23:19 . 2009-01-16 13:23 75096 ----a-w- c:\windows\system32\drivers\avipbb.sys
2009-07-14 23:01 . 2007-12-11 14:59 -------- d-----w- c:\program files\Lx_cats
2009-07-02 00:17 . 2009-07-02 00:17 69632 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\Safari 4.30.19.1\SetupAdmin.exe
2009-06-29 16:12 . 2004-08-04 12:00 827392 ----a-w- c:\windows\system32\wininet.dll
2009-06-29 16:12 . 2004-08-04 12:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-06-29 16:12 . 2004-08-04 12:00 17408 ----a-w- c:\windows\system32\corpol.dll
2009-06-16 14:36 . 2004-08-04 12:00 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-16 14:36 . 2004-08-04 12:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-03 19:09 . 2004-08-04 12:00 1291264 ----a-w- c:\windows\system32\quartz.dll
2009-05-25 04:24 . 2008-05-27 02:18 350208 ----a-w- c:\windows\system32\mssph.dll
2009-05-12 19:12 . 2005-08-03 19:42 26144 ----a-w- c:\windows\system32\spupdsvc.exe
2009-05-07 15:32 . 2004-08-04 12:00 345600 ----a-w- c:\windows\system32\localspl.dll
2007-03-18 18:49 . 2007-03-18 18:45 21822168 ----a-w- c:\program files\AdbeRdr80_en_US.exe
2009-07-15 20:30 . 2009-07-27 17:59 137208 ----a-w- c:\program files\mozilla firefox\components\brwsrcmp.dll
2009-01-11 13:26 . 2009-01-11 13:26 2713 --sh--w- c:\windows\system32\gowajiwe.exe
2009-01-12 07:27 . 2009-01-12 07:27 2713 --sh--w- c:\windows\system32\hokovinu.exe
2009-04-14 13:08 . 2009-04-14 13:08 2713 --sh--w- c:\windows\system32\kezepabe.exe
2009-04-16 04:37 . 2009-04-16 04:37 2713 --sh--w- c:\windows\system32\perakivu.exe
2009-01-10 19:24 . 2009-01-10 19:24 2713 --sh--w- c:\windows\system32\riligize.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown


ComboFix.txt part 2

Post by imsps on 1st August 2009, 9:53 pm

*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-27 68856]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"CurseClient"="c:\documents and settings\John Scarth_2\Desktop\Curse\CurseClient.exe" [2009-07-31 1935360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LXDCCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\LXDCtime.dll" [2007-01-22 102400]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-09-13 335872]
"AudioDrvEmulator"="c:\program files\Creative\Shared Files\Module Loader\DLLML.exe" [2005-11-04 49152]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-04-19 7700480]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-04-19 86016]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-31 148888]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"CTxfiHlp"="CTXFIHLP.EXE" - c:\windows\system32\CTXFIHLP.EXE [2006-05-24 18944]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2007-04-19 1626112]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]
Wireless Network Monitor.lnk - c:\program files\Linksys\WUSB100\WUSB100.exe [2007-10-30 5677056]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hp psc 1000 series.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\hp psc 1000 series.lnk
backup=c:\windows\pss\hp psc 1000 series.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hpoddt01.exe.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\hpoddt01.exe.lnk
backup=c:\windows\pss\hpoddt01.exe.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\InterVideo WinCinema Manager.lnk
backup=c:\windows\pss\InterVideo WinCinema Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinScheduler.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\InterVideo WinScheduler.lnk
backup=c:\windows\pss\InterVideo WinScheduler.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^VIA RAID TOOL.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\VIA RAID TOOL.lnk
backup=c:\windows\pss\VIA RAID TOOL.lnkCommon Startup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\InterVideo\\MSIPVS\\WinDvr.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-1.11.0-enUS-downloader.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\WINDOWS\\system32\\lxdccoms.exe"=
"c:\\Program Files\\Lexmark 1300 Series\\lxdcamon.exe"=
"c:\\Program Files\\Lexmark 1300 Series\\App4R.exe"=
"c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Civilization4.exe"=
"c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Warlords\\Civ4Warlords.exe"=
"c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Warlords\\Civ4Warlords_PitBoss.exe"=
"c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Beyond the Sword\\Civ4BeyondSword.exe"=
"c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Beyond the Sword\\Civ4BeyondSword_PitBoss.exe"=
"c:\\WINDOWS\\pchealth\\helpctr\\binaries\\helpsvc.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\WINDOWS\\ATKKBService.exe"=
"c:\\Program Files\\World of Warcraft\\Launcher.exe"=
"c:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe"=
"c:\\Documents and Settings\\John Scarth_2\\Desktop\\Curse\\CurseClient.exe"=
"c:\\Program Files\\Persona\\Persona.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
"c:\\Program Files\\Outspark\\ProjectPowder\\Run.exe"=
"c:\\Ntreev USA\\Grand Chase\\main.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724
"57388:TCP"= 57388:TCP:Pando Media Booster
"57388:UDP"= 57388:UDP:Pando Media Booster
"6881:TCP"= 6881:TCP:Blizzard Downloader: 6881

R0 viasraid;viasraid;c:\windows\system32\drivers\viasraid.sys [12/12/2003 11:49 AM 77312]
R2 lxdc_device;lxdc_device;c:\windows\system32\lxdccoms.exe -service --> c:\windows\system32\lxdccoms.exe -service [?]
S2 CX88XBAR;MSI 8606 Crossbar;c:\windows\system32\drivers\CX88XBar.SYS [9/10/2005 4:54 PM 9159]
S3 MPCSYS;MPCSYS;c:\windows\system32\drivers\mpcsys.SYS [9/10/2005 5:13 PM 15360]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 rt2870;Linksys 802.11n USB Wireless LAN Card Driver;c:\windows\system32\drivers\rt2870.sys [7/28/2007 2:50 PM 517632]
S3 XDva276;XDva276;\??\c:\windows\system32\XDva276.sys --> c:\windows\system32\XDva276.sys [?]
S3 XDva281;XDva281;\??\c:\windows\system32\XDva281.sys --> c:\windows\system32\XDva281.sys [?]
S4 WinDefend;Windows Defender Service;c:\program files\Windows Defender\MsMpEng.exe [4/3/2006 8:12 PM 14032]
.
Contents of the 'Scheduled Tasks' folder

2009-07-31 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2007-08-03 c:\windows\Tasks\FRU Task 2003-04-10 00:56ewlett-Packard2003-04-10 00:56p psc 1200 series272A572217594EBCF1CEE215E352B92AD073FDE4180639231.job
- c:\program files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe [2003-04-09 21:56]

2009-07-27 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-04-04 00:12]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-muketujapo - c:\windows\system32\sojadozi.dll
HKLM-Run-5875fe75 - c:\windows\system32\nonebaku.dll
HKLM-Run-CPM5b46cde9 - c:\windows\system32\wefeyubi.dll
SSODL-SSODL-{EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - (no file)


.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
mStart Page = [You must be registered and logged in to see this link.]
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = ;*.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\John Scarth_2\Start Menu\Programs\IMVU\Run IMVU.lnk
FF - ProfilePath - c:\documents and settings\John Scarth_2\Application Data\Mozilla\Firefox\Profiles\p07at0sg.default\
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\


ComboFix.txt part 3

Post by imsps on 1st August 2009, 9:54 pm

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2009-08-01 17:36
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
LXDCCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\LXDCtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(644)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(2616)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\program files\Windows Desktop Search\deskbar.dll
c:\program files\Windows Desktop Search\en-us\dbres.dll.mui
c:\program files\Windows Desktop Search\dbres.dll
c:\program files\Windows Desktop Search\wordwheel.dll
c:\program files\Windows Desktop Search\en-us\msnlExtRes.dll.mui
c:\program files\Windows Desktop Search\msnlExtRes.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Avira\AntiVir PersonalEdition Classic\sched.exe
c:\program files\Avira\AntiVir PersonalEdition Classic\avguard.exe
c:\windows\ATKKBService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\lxdccoms.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\PnkBstrA.exe
c:\windows\system32\searchindexer.exe
c:\windows\system32\CTXFISPI.EXE
.
**************************************************************************
.
Completion time: 2009-08-01 17:41 - machine was rebooted
ComboFix-quarantined-files.txt 2009-08-01 21:41

Pre-Run: 50,099,355,648 bytes free
Post-Run: 50,208,604,160 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

376 --- E O F --- 2009-07-31 18:58


Re: infected with virtumonde and vundo trojan

Post by Origin on 2nd August 2009, 6:15 pm

Now open a new notepad file.
Input this into the notepad file:

Folder::
C:\e2f6b854526ea6b6de8a4b

File::
c:\windows\system32\gowajiwe.exe
c:\windows\system32\hokovinu.exe
c:\windows\system32\kezepabe.exe
c:\windows\system32\perakivu.exe
c:\windows\system32\riligize.exe

Driver::
XDva276
XDva281

Save this as CFScript.txt, save it to your desktop also.
Then drag and drop CFScript.txt into combofix as seen below:


This will open ComboFix again; agree to its terms and allow it to run.
It may want to reboot after it is done. (It will warn you if it wants to.)
Post the resulting log back here.


While my help is always free, please consider donating to keep this site alive: [You must be registered and logged in to see this link.]


Origin
Master
Master

Posts Posts : 2685
Joined Joined : 2009-05-05
Gender Gender : Male
OS OS : Windows Xp Sp3
Points Points : 31503
# Likes # Likes : 0

View user profile

Back to top Go down
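The helper's CFScript above was built by hand from the ComboFix log: the five 2713-byte `--sh--w-` executables with eight-letter alternating consonant/vowel names, the orphaned `HKLM-Run-*` values pointing at similarly named DLLs, and two services whose binary ComboFix could not find (`[?]`). The script below is an added example, not code from this thread, from ComboFix, or from its author, that automates that triage over ComboFix-style log lines and emits the `File::` / `Driver::` sections in the format the helper used. The name heuristic (8 or 10 lowercase letters strictly alternating consonant/vowel, matching gowajiwe, sojadozi, wudebihe, usimatut and the other names in these logs) is an assumption of mine, not a published detection rule, and the sample log is constructed from lines modelled on the thread's. The `[?]` rule only means "path not resolved": the log above shows legitimate Lexmark and GameGuard services with the same marker, so treat the output as a candidate list for a person to review, never as an automatic deletion list.

```python
import re

# Constructed sample in ComboFix log format, modelled on the lines in this
# thread (file listing, orphaned Run values, service entries). Not a real log.
SAMPLE_LOG = r"""
2009-07-31 03:02 . 2009-07-31 03:01 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-01-11 13:26 . 2009-01-11 13:26 2713 --sh--w- c:\windows\system32\gowajiwe.exe
2009-04-14 13:08 . 2009-04-14 13:08 2713 --sh--w- c:\windows\system32\kezepabe.exe
2009-07-27 18:04 . 2009-07-13 17:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
HKLM-Run-muketujapo - c:\windows\system32\sojadozi.dll
HKLM-Run-CPM5b46cde9 - c:\windows\system32\wefeyubi.dll
S3 XDva276;XDva276;\??\c:\windows\system32\XDva276.sys --> c:\windows\system32\XDva276.sys [?]
S3 rt2870;Linksys 802.11n USB Wireless LAN Card Driver;c:\windows\system32\drivers\rt2870.sys [7/28/2007 2:50 PM 517632]
"""

VOWELS = "aeiou"
CONSONANTS = "bcdfghjklmnpqrstvwxyz"
# Heuristic (my assumption, not a vendor signature): 8 or 10 lowercase letters
# strictly alternating consonant/vowel, e.g. gowajiwe, usimatut, muketujapo.
GENERATED_NAME = re.compile(
    r"^(?:[%s][%s]){4,5}$|^(?:[%s][%s]){4,5}$"
    % (CONSONANTS, VOWELS, VOWELS, CONSONANTS)
)

# ComboFix file line: created . modified size attrs path
FILE_LINE = re.compile(
    r"^\d{4}-\d\d-\d\d \d\d:\d\d \. \d{4}-\d\d-\d\d \d\d:\d\d\s+(\S+)\s+([-a-z]{8})\s+(.+)$"
)
# Orphan autostart value that ComboFix removed: HKLM-Run-<value> - <target>
ORPHAN_RUN = re.compile(r"^HKLM-Run-(\S+) - (.+)$")
# Service/driver line whose binary ComboFix could not resolve (trailing [?])
SERVICE_LINE = re.compile(r"^[RS]\d (\S+?);[^;]*;.* --> .*\[\?\]$")


def _stem(path):
    """Lower-case file name without extension from a Windows path."""
    name = path.rsplit("\\", 1)[-1]
    return name.rsplit(".", 1)[0].lower()


def looks_generated(name):
    return bool(GENERATED_NAME.match(name.lower()))


def triage(log_text):
    """Return (kind, target, reason) tuples for lines worth a human's attention."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = FILE_LINE.match(line)
        if m:
            _size, attrs, path = m.groups()
            if attrs.startswith("d"):          # directory entries are skipped
                continue
            reasons = []
            if "\\system32\\" in path.lower() and looks_generated(_stem(path)):
                reasons.append("generated-looking name in system32")
            if "s" in attrs and "h" in attrs:  # system+hidden, as on the 2713-byte files
                reasons.append("hidden+system attributes")
            if reasons:
                findings.append(("file", path, "; ".join(reasons)))
            continue
        m = ORPHAN_RUN.match(line)
        if m:
            value, target = m.groups()
            if looks_generated(value) or looks_generated(_stem(target)):
                findings.append(("run", target, "Run value %r -> generated-looking DLL" % value))
            continue
        m = SERVICE_LINE.match(line)
        if m:
            # Only "unresolved path"; legitimate services can land here too.
            findings.append(("driver", m.group(1), "service binary not found on disk ([?])"))
    return findings


def build_cfscript(findings):
    """Render a CFScript body in the File:: / Driver:: layout the helper used."""
    files = sorted({t for k, t, _ in findings if k in ("file", "run")})
    drivers = sorted({t for k, t, _ in findings if k == "driver"})
    out = []
    if files:
        out += ["File::"] + files + [""]
    if drivers:
        out += ["Driver::"] + drivers + [""]
    return "\n".join(out)


if __name__ == "__main__":
    for kind, target, reason in triage(SAMPLE_LOG):
        print("%-6s %-45s %s" % (kind, target, reason))
    print()
    print(build_cfscript(triage(SAMPLE_LOG)))
```

Run it against a real ComboFix log by reading the file into `triage()` instead of `SAMPLE_LOG`; the printed table is the review list and the second block is the text that would go into CFScript.txt once each candidate has been checked by hand.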

ComboFix log part 1

Post by imsps on 2nd August 2009, 8:15 pm

ComboFix 09-08-01.01 - John Scarth_2 08/02/2009 15:55.2.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2047.1388 [GMT -4:00]
Running from: c:\documents and settings\John Scarth_2\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\John Scarth_2\Desktop\CFScript.txt
AV: Avira AntiVir PersonalEdition *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

FILE ::
"c:\windows\system32\gowajiwe.exe"
"c:\windows\system32\hokovinu.exe"
"c:\windows\system32\kezepabe.exe"
"c:\windows\system32\perakivu.exe"
"c:\windows\system32\riligize.exe"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\e2f6b854526ea6b6de8a4b
c:\e2f6b854526ea6b6de8a4b\amd64\filterpipelineprintproc.dll
c:\e2f6b854526ea6b6de8a4b\amd64\msxpsdrv.cat
c:\e2f6b854526ea6b6de8a4b\amd64\msxpsdrv.inf
c:\e2f6b854526ea6b6de8a4b\amd64\msxpsinc.gpd
c:\e2f6b854526ea6b6de8a4b\amd64\msxpsinc.ppd
c:\e2f6b854526ea6b6de8a4b\amd64\mxdwdrv.dll
c:\e2f6b854526ea6b6de8a4b\amd64\xpssvcs.dll
c:\e2f6b854526ea6b6de8a4b\i386\filterpipelineprintproc.dll
c:\e2f6b854526ea6b6de8a4b\i386\msxpsdrv.cat
c:\e2f6b854526ea6b6de8a4b\i386\msxpsdrv.inf
c:\e2f6b854526ea6b6de8a4b\i386\msxpsinc.gpd
c:\e2f6b854526ea6b6de8a4b\i386\msxpsinc.ppd
c:\e2f6b854526ea6b6de8a4b\i386\mxdwdrv.dll
c:\e2f6b854526ea6b6de8a4b\i386\xpssvcs.dll
c:\windows\system32\gowajiwe.exe
c:\windows\system32\hokovinu.exe
c:\windows\system32\kezepabe.exe
c:\windows\system32\perakivu.exe
c:\windows\system32\riligize.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_XDVA276
-------\Legacy_XDVA281
-------\Service_XDva276
-------\Service_XDva281


((((((((((((((((((((((((( Files Created from 2009-07-02 to 2009-08-02 )))))))))))))))))))))))))))))))
.

2009-08-02 13:26 . 2009-08-02 13:26 -------- d-----w- c:\documents and settings\Brandon\Local Settings\Application Data\Identities
2009-08-02 13:26 . 2009-08-02 13:26 -------- d-----w- c:\documents and settings\Brandon\Application Data\Windows Desktop Search
2009-08-01 00:15 . 2009-08-01 00:15 -------- d-----w- c:\documents and settings\John Scarth_2\Application Data\Windows Search
2009-07-31 23:16 . 2009-07-31 23:16 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple
2009-07-31 13:25 . 2009-07-31 13:25 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
2009-07-31 03:31 . 2009-07-31 03:31 -------- d-----w- c:\documents and settings\John Scarth_2\Local Settings\Application Data\Identities
2009-07-31 03:31 . 2009-07-31 03:31 -------- d-----w- c:\documents and settings\John Scarth_2\Application Data\Windows Desktop Search
2009-07-31 03:30 . 2009-07-31 18:59 -------- d-----w- c:\program files\Windows Desktop Search
2009-07-31 03:30 . 2009-07-31 03:30 -------- d-----w- c:\windows\system32\GroupPolicy
2009-07-31 03:30 . 2008-03-07 17:02 98304 -c----w- c:\windows\system32\dllcache\nlhtml.dll
2009-07-31 03:30 . 2008-03-07 17:02 29696 -c----w- c:\windows\system32\dllcache\mimefilt.dll
2009-07-31 03:30 . 2008-03-07 17:02 192000 -c----w- c:\windows\system32\dllcache\offfilt.dll
2009-07-31 03:08 . 2009-07-31 03:08 56820 ---ha-w- c:\windows\system32\mlfcache.dat
2009-07-31 03:02 . 2009-07-31 03:01 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-07-31 02:29 . 2009-07-31 02:29 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2009-07-31 02:29 . 2009-07-31 02:29 152576 ----a-w- c:\documents and settings\John Scarth_2\Application Data\Sun\Java\jre1.6.0_14\lzma.dll
2009-07-28 23:04 . 2009-07-28 23:04 -------- d-----w- c:\documents and settings\Brandon\Local Settings\Application Data\Mozilla
2009-07-27 20:55 . 2009-07-27 20:55 -------- d-----w- c:\documents and settings\John Scarth_2\Application Data\Apple Computer
2009-07-27 18:18 . 2009-07-27 18:18 -------- d-----w- c:\program files\Safari
2009-07-27 18:17 . 2009-07-27 18:17 -------- d-----w- c:\program files\QuickTime
2009-07-27 18:17 . 2009-07-27 18:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2009-07-27 18:17 . 2009-07-27 20:55 -------- d-----w- c:\documents and settings\John Scarth_2\Local Settings\Application Data\Apple Computer
2009-07-27 18:17 . 2009-07-27 18:17 -------- d-----w- c:\program files\Bonjour
2009-07-27 18:17 . 2009-07-27 18:17 -------- d-----w- c:\documents and settings\John Scarth_2\Local Settings\Application Data\Apple
2009-07-27 18:17 . 2009-07-27 18:17 -------- d-----w- c:\program files\Apple Software Update
2009-07-27 18:17 . 2009-07-27 18:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2009-07-27 18:04 . 2009-07-27 18:04 -------- d-----w- c:\documents and settings\John Scarth_2\Application Data\Malwarebytes
2009-07-27 18:04 . 2009-07-13 17:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-27 18:04 . 2009-07-27 18:04 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-07-27 18:04 . 2009-07-27 18:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-07-27 18:04 . 2009-07-13 17:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-27 18:00 . 2009-07-27 18:00 0 ----a-w- c:\windows\nsreg.dat
2009-07-27 18:00 . 2009-07-27 18:00 -------- d-----w- c:\documents and settings\John Scarth_2\Local Settings\Application Data\Mozilla
2009-07-26 22:01 . 2009-07-26 22:01 -------- d-----w- c:\documents and settings\Brandon\Local Settings\Application Data\Google
2009-07-26 01:51 . 2009-07-26 01:51 -------- d-----w- c:\documents and settings\John Scarth_2\Local Settings\Application Data\Microsoft Help
2009-07-26 00:45 . 2009-03-06 14:22 284160 -c----w- c:\windows\system32\dllcache\pdh.dll
2009-07-26 00:45 . 2009-02-09 12:10 729088 -c----w- c:\windows\system32\dllcache\lsasrv.dll
2009-07-26 00:45 . 2009-02-09 12:10 473600 -c----w- c:\windows\system32\dllcache\fastprox.dll
2009-07-26 00:45 . 2009-02-09 12:10 453120 -c----w- c:\windows\system32\dllcache\wmiprvsd.dll
2009-07-26 00:45 . 2009-02-09 12:10 401408 -c----w- c:\windows\system32\dllcache\rpcss.dll
2009-07-26 00:45 . 2009-02-06 11:11 110592 -c----w- c:\windows\system32\dllcache\services.exe
2009-07-26 00:45 . 2009-02-06 10:10 227840 -c----w- c:\windows\system32\dllcache\wmiprvse.exe
2009-07-26 00:45 . 2009-02-09 12:10 714752 -c----w- c:\windows\system32\dllcache\ntdll.dll
2009-07-26 00:45 . 2009-02-09 12:10 617472 -c----w- c:\windows\system32\dllcache\advapi32.dll
2009-07-26 00:44 . 2008-05-03 11:55 2560 ------w- c:\windows\system32\xpsp4res.dll
2009-07-26 00:44 . 2008-04-21 12:08 215552 -c----w- c:\windows\system32\dllcache\wordpad.exe
2009-07-22 03:56 . 2005-01-03 06:43 4682 ----a-w- c:\windows\system32\npptNT2.sys
2009-07-22 03:56 . 2009-07-22 03:56 -------- d-----w- c:\program files\Common Files\INCA Shared
2009-07-22 01:40 . 2009-07-22 01:40 -------- d-----w- C:\Ntreev USA
2009-07-22 01:05 . 2009-07-22 01:05 -------- d-----w- c:\program files\Common Files\DirectX
2009-07-22 00:57 . 2008-09-27 04:00 230752 ----a-w- c:\windows\patchw32.dll
2009-07-22 00:57 . 2008-09-27 04:00 118176 ----a-w- c:\windows\patchw.dll
2009-07-22 00:38 . 2009-07-22 05:28 -------- d-----w- c:\documents and settings\John Scarth_2\Local Settings\Application Data\PMB Files
2009-07-22 00:38 . 2009-07-22 00:40 -------- d-----w- c:\documents and settings\All Users\Application Data\PMB Files
2009-07-22 00:38 . 2009-07-22 00:38 -------- d-----w- c:\program files\Pando Networks
2009-07-21 22:55 . 2009-07-21 22:55 -------- d-----w- c:\program files\Persona
2009-07-17 14:50 . 2009-08-02 19:42 -------- d-----w- c:\documents and settings\John Scarth_2\Local Settings\Application Data\CurseClient
2009-07-16 22:39 . 2009-07-16 22:39 272384 ----a-w- c:\documents and settings\John Scarth_2\Application Data\Acreon\WowMatrix\Modules\curl.exe
2009-07-16 22:39 . 2009-07-16 22:39 192512 ----a-w- c:\documents and settings\John Scarth_2\Application Data\Acreon\WowMatrix\Libraries\wmweb.dll
2009-07-16 22:39 . 2009-07-16 22:39 258048 ----a-w- c:\documents and settings\John Scarth_2\Application Data\Acreon\WowMatrix\Libraries\wmzip.dll
2009-07-16 22:39 . 2009-07-16 22:39 -------- d-----w- c:\documents and settings\John Scarth_2\Application Data\Acreon
2009-07-16 22:39 . 2009-07-17 17:15 -------- d-----w- c:\documents and settings\John Scarth_2\Local Settings\Application Data\._Revolution_

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-31 03:22 . 2008-07-05 21:12 70720 ----a-w- c:\documents and settings\John Scarth_2\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-07-31 03:20 . 2007-03-18 18:45 -------- d-----w- c:\program files\Common Files\Adobe
2009-07-31 03:12 . 2005-10-28 17:19 -------- d-----w- c:\program files\Java
2009-07-31 02:29 . 2008-06-29 21:38 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-07-26 02:02 . 2007-09-10 14:48 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-07-26 01:50 . 2007-09-10 14:51 -------- d-----w- c:\program files\Microsoft Works
2009-07-22 00:55 . 2008-10-12 17:50 -------- d-----w- c:\program files\Outspark
2009-07-22 00:55 . 2005-08-04 08:59 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-07-17 17:19 . 2008-06-29 22:10 -------- d-----w- c:\program files\EA GAMES
2009-07-17 01:41 . 2006-06-23 03:29 -------- d-----w- c:\program files\World of Warcraft
2009-07-14 23:19 . 2009-01-16 13:23 75096 ----a-w- c:\windows\system32\drivers\avipbb.sys
2009-07-14 23:01 . 2007-12-11 14:59 -------- d-----w- c:\program files\Lx_cats
2009-07-02 00:17 . 2009-07-02 00:17 69632 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\Safari 4.30.19.1\SetupAdmin.exe
2009-06-29 16:12 . 2004-08-04 12:00 827392 ----a-w- c:\windows\system32\wininet.dll
2009-06-29 16:12 . 2004-08-04 12:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-06-29 16:12 . 2004-08-04 12:00 17408 ----a-w- c:\windows\system32\corpol.dll
2009-06-16 14:36 . 2004-08-04 12:00 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-16 14:36 . 2004-08-04 12:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-03 19:09 . 2004-08-04 12:00 1291264 ----a-w- c:\windows\system32\quartz.dll
2009-05-25 04:24 . 2008-05-27 02:18 350208 ----a-w- c:\windows\system32\mssph.dll
2009-05-12 19:12 . 2005-08-03 19:42 26144 ----a-w- c:\windows\system32\spupdsvc.exe
2009-05-07 15:32 . 2004-08-04 12:00 345600 ----a-w- c:\windows\system32\localspl.dll
2007-03-18 18:49 . 2007-03-18 18:45 21822168 ----a-w- c:\program files\AdbeRdr80_en_US.exe
2009-07-15 20:30 . 2009-07-27 17:59 137208 ----a-w- c:\program files\mozilla firefox\components\brwsrcmp.dll
.

((((((((((((((((((((((((((((( [You must be registered and logged in to see this link.] )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-08-02 20:04 . 2009-08-02 20:04 16384 c:\windows\Temp\Perflib_Perfdata_704.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4


part2

Post by imsps on 2nd August 2009, 8:17 pm

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-27 68856]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"CurseClient"="c:\documents and settings\John Scarth_2\Desktop\Curse\CurseClient.exe" [2009-07-31 1935360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LXDCCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\LXDCtime.dll" [2007-01-22 102400]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-09-13 335872]
"AudioDrvEmulator"="c:\program files\Creative\Shared Files\Module Loader\DLLML.exe" [2005-11-04 49152]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-04-19 7700480]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-04-19 86016]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-31 148888]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"muketujapo"="c:\windows\system32\sojadozi.dll" [BU]
"5875fe75"="c:\windows\system32\nonebaku.dll" [BU]
"CPM5b46cde9"="c:\windows\system32\wefeyubi.dll" [BU]
"CTxfiHlp"="CTXFIHLP.EXE" - c:\windows\system32\CTXFIHLP.EXE [2006-05-24 18944]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2007-04-19 1626112]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]
Wireless Network Monitor.lnk - c:\program files\Linksys\WUSB100\WUSB100.exe [2007-10-30 5677056]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hp psc 1000 series.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\hp psc 1000 series.lnk
backup=c:\windows\pss\hp psc 1000 series.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hpoddt01.exe.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\hpoddt01.exe.lnk
backup=c:\windows\pss\hpoddt01.exe.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\InterVideo WinCinema Manager.lnk
backup=c:\windows\pss\InterVideo WinCinema Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinScheduler.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\InterVideo WinScheduler.lnk
backup=c:\windows\pss\InterVideo WinScheduler.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^VIA RAID TOOL.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\VIA RAID TOOL.lnk
backup=c:\windows\pss\VIA RAID TOOL.lnkCommon Startup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\InterVideo\\MSIPVS\\WinDvr.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-1.11.0-enUS-downloader.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\WINDOWS\\system32\\lxdccoms.exe"=
"c:\\Program Files\\Lexmark 1300 Series\\lxdcamon.exe"=
"c:\\Program Files\\Lexmark 1300 Series\\App4R.exe"=
"c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Civilization4.exe"=
"c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Warlords\\Civ4Warlords.exe"=
"c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Warlords\\Civ4Warlords_PitBoss.exe"=
"c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Beyond the Sword\\Civ4BeyondSword.exe"=
"c:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Beyond the Sword\\Civ4BeyondSword_PitBoss.exe"=
"c:\\WINDOWS\\pchealth\\helpctr\\binaries\\helpsvc.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\WINDOWS\\ATKKBService.exe"=
"c:\\Program Files\\World of Warcraft\\Launcher.exe"=
"c:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe"=
"c:\\Documents and Settings\\John Scarth_2\\Desktop\\Curse\\CurseClient.exe"=
"c:\\Program Files\\Persona\\Persona.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
"c:\\Program Files\\Outspark\\ProjectPowder\\Run.exe"=
"c:\\Ntreev USA\\Grand Chase\\main.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724
"57388:TCP"= 57388:TCP:Pando Media Booster
"57388:UDP"= 57388:UDP:Pando Media Booster
"6881:TCP"= 6881:TCP:Blizzard Downloader: 6881

R0 viasraid;viasraid;c:\windows\system32\drivers\viasraid.sys [12/12/2003 11:49 AM 77312]
R2 lxdc_device;lxdc_device;c:\windows\system32\lxdccoms.exe -service --> c:\windows\system32\lxdccoms.exe -service [?]
S2 CX88XBAR;MSI 8606 Crossbar;c:\windows\system32\drivers\CX88XBar.SYS [9/10/2005 4:54 PM 9159]
S3 MPCSYS;MPCSYS;c:\windows\system32\drivers\mpcsys.SYS [9/10/2005 5:13 PM 15360]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 rt2870;Linksys 802.11n USB Wireless LAN Card Driver;c:\windows\system32\drivers\rt2870.sys [7/28/2007 2:50 PM 517632]
S4 WinDefend;Windows Defender Service;c:\program files\Windows Defender\MsMpEng.exe [4/3/2006 8:12 PM 14032]
.
Contents of the 'Scheduled Tasks' folder

2009-07-31 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2007-08-03 c:\windows\Tasks\FRU Task 2003-04-10 00:56ewlett-Packard2003-04-10 00:56p psc 1200 series272A572217594EBCF1CEE215E352B92AD073FDE4180639231.job
- c:\program files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe [2003-04-09 21:56]

2009-07-27 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-04-04 00:12]
.
- - - - ORPHANS REMOVED - - - -

SSODL-SSODL-{EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - (no file)


.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
mStart Page = [You must be registered and logged in to see this link.]
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = ;*.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\John Scarth_2\Start Menu\Programs\IMVU\Run IMVU.lnk
FF - ProfilePath - c:\documents and settings\John Scarth_2\Application Data\Mozilla\Firefox\Profiles\p07at0sg.default\
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\


part3

Post by imsps on 2nd August 2009, 8:18 pm

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2009-08-02 16:05
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
LXDCCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\LXDCtime.dll,_RunDLLEntry@16

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(644)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(1816)
c:\windows\system32\WININET.dll
c:\windows\system32\ctagent.dll
c:\windows\system32\ieframe.dll
c:\program files\Windows Desktop Search\deskbar.dll
c:\program files\Windows Desktop Search\en-us\dbres.dll.mui
c:\program files\Windows Desktop Search\dbres.dll
c:\program files\Windows Desktop Search\wordwheel.dll
c:\program files\Windows Desktop Search\en-us\msnlExtRes.dll.mui
c:\program files\Windows Desktop Search\msnlExtRes.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll
c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll
c:\progra~1\SPYBOT~1\SDHelper.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Avira\AntiVir PersonalEdition Classic\sched.exe
c:\program files\Avira\AntiVir PersonalEdition Classic\avguard.exe
c:\windows\ATKKBService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\lxdccoms.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\PnkBstrA.exe
c:\windows\system32\searchindexer.exe
c:\windows\system32\CTXFISPI.EXE
.
**************************************************************************
.
Completion time: 2009-08-02 16:10 - machine was rebooted
ComboFix-quarantined-files.txt 2009-08-02 20:10
ComboFix2.txt 2009-08-01 21:41

Pre-Run: 50,148,655,104 bytes free
Post-Run: 50,141,810,688 bytes free

348 --- E O F --- 2009-07-31 18:58


Re: infected with virtumonde and vundo trojan

Post by Origin on 2nd August 2009, 8:18 pm

Run another Malwarebytes scan and post the results back here.


While my help is always free, please consider donating to keep this site alive: [You must be registered and logged in to see this link.]


mbam -log 02-8-3

Post by imsps on 3rd August 2009, 10:36 pm

Malwarebytes' Anti-Malware 1.39
Database version: 2536
Windows 5.1.2600 Service Pack 3

8/3/2009 6:34:19 PM
mbam-log-2009-08-03 (18-34-19).txt

Scan type: Quick Scan
Objects scanned: 95672
Time elapsed: 5 minute(s), 35 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 4
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\muketujapo (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\5875fe75 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cpm5b46cde9 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\ssodl (Trojan.BHO) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Re: infected with virtumonde and vundo trojan

Post by Belahzur on 4th August 2009, 7:03 pm

Hello.
How is the machine running now?


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.



Re: infected with virtumonde and vundo trojan

Post by imsps on 5th August 2009, 3:31 am

Machine runs OK. Internet Explorer still locks up a lot upon opening.
Spybot still brings up Virtumonde and Malwarebytes still brings up Vundo and BHO, even if I scan again a few minutes later.
I noticed that the virus scanner often quarantines a trojan called trash.gen.


Re: infected with virtumonde and vundo trojan

Post by Belahzur on 5th August 2009, 6:01 pm

You have an old version of MBAM, please update it and run a new scan.

"Malwarebytes' Anti-Malware 1.39
Database version: 2536"



Re: infected with virtumonde and vundo trojan

Post by imsps on 6th August 2009, 7:36 pm

I updated Malwarebytes today and scanned it:

Malwarebytes' Anti-Malware 1.40
Database version: 2571
Windows 5.1.2600 Service Pack 3

8/6/2009 3:31:18 PM
mbam-log-2009-08-06 (15-31-18).txt

Scan type: Quick Scan
Objects scanned: 97841
Time elapsed: 4 minute(s), 58 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 4
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\muketujapo (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\5875fe75 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cpm5b46cde9 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\ssodl (Trojan.BHO) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Re: infected with virtumonde and vundo trojan

Post by imsps on 6th August 2009, 8:02 pm

I did the same with Spybot, updated and ran it, and the results for both scans are still the same.


Re: infected with virtumonde and vundo trojan

Post by Belahzur on 7th August 2009, 6:30 pm

Uninstall Spybot, it's interfering.



Re: infected with virtumonde and vundo trojan

Post by imsps on 14th August 2009, 8:15 pm

Spybot is uninstalled, Malwarebytes is updated, and I scanned the PC, and we still have the same problem. Find the newest scan below. No matter how often I scan, the same infections pop up right after I removed them.

Malwarebytes' Anti-Malware 1.40
Database version: 2626
Windows 5.1.2600 Service Pack 3

8/14/2009 4:11:04 PM
mbam-log-2009-08-14 (16-11-04).txt

Scan type: Quick Scan
Objects scanned: 98172
Time elapsed: 7 minute(s), 2 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 4
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\muketujapo (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\5875fe75 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cpm5b46cde9 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\ssodl (Trojan.BHO) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Re: infected with virtumonde and vundo trojan

Post by Belahzur on 14th August 2009, 9:01 pm

Can you post a new Hijack This log please?



Re: infected with virtumonde and vundo trojan

Post by imsps on 18th August 2009, 2:37 am

Sure, there you go:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:33:04 PM, on 8/17/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16876)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\ATKKBService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\lxdccoms.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe
C:\WINDOWS\system32\CTXFIHLP.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Documents and Settings\John Scarth_2\Desktop\Curse\CurseClient.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\Linksys\WUSB100\WUSB100.exe
C:\Program Files\Hijackthis\winlogon.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
O2 - BHO: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.15642\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [LXDCCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXDCtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [AudioDrvEmulator] "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" -1 AudioDrvEmulator "C:\Program Files\Creative\Shared Files\Module Loader\Audio Emulator\AudDrvEm.dll"
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [CurseClient] C:\Documents and Settings\John Scarth_2\Desktop\Curse\CurseClient.exe -silent
O4 - HKCU\..\Run: [AdobeUpdater6] "C:\Program Files\Common Files\Adobe\Updater6\Adobe_Updater.exe"
O4 - HKCU\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil10b.exe
O4 - HKUS\S-1-5-21-1177238915-573735546-839522115-1009\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Brandon')
O4 - HKUS\S-1-5-21-1177238915-573735546-839522115-1009\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'Brandon')
O4 - S-1-5-18 Startup: IMVU.lnk = C:\Documents and Settings\John Scarth_2\Application Data\IMVUClient\IMVUClient.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: IMVU.lnk = C:\Documents and Settings\John Scarth_2\Application Data\IMVUClient\IMVUClient.exe (User 'Default user')
O4 - Startup: IMVU.lnk = C:\Documents and Settings\John Scarth_2\Application Data\IMVUClient\IMVUClient.exe
O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O4 - Global Startup: Wireless Network Monitor.lnk = C:\Program Files\Linksys\WUSB100\WUSB100.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - [You must be registered and logged in to see this link.]
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\John Scarth_2\Start Menu\Programs\IMVU\Run IMVU.lnk
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01111F00-3E00-11D2-8470-0060089874ED} - [You must be registered and logged in to see this link.]
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - [You must be registered and logged in to see this link.]
O16 - DPF: {3DCEC959-378A-4922-AD7E-FD5C925D927F} (Disney Online Games ActiveX Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - [You must be registered and logged in to see this link.]
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - [You must be registered and logged in to see this link.]
O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - C:\WINDOWS\ATKKBService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: lxdc_device - - C:\WINDOWS\system32\lxdccoms.exe
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINDOWS\system32\GameMon.des.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

--
End of file - 9067 bytes


Re: infected with virtumonde and vundo trojan

Post by Belahzur on 18th August 2009, 2:58 pm

Hello.

  • Open HijackThis
  • Choose "Do a system scan only"
  • Check the boxes in front of these lines:

    O4 - HKCU\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil10b.exe

  • Press "Fix Checked"
  • Close HijackThis.

This should be fine now. How is the machine running?


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator

Posts: 34918
Joined: 2008-08-03
Gender: Male
OS: 7 Home Premium x64
Points: 245091
Likes: 1
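A defender-side way to triage the O4 (autostart) lines of a log like the one posted above, written in Python as an added example for this thread (it is not HijackThis code and not from either poster): it parses each O4 entry into hive, key, label and command, and flags the properties a helper normally checks by eye, such as RunOnce keys, binaries launched from a user profile directory, and bare filenames that Windows resolves through a PATH search. The sample lines are copied from the log in this thread; the field names, the flag wording and the `AutostartEntry` type are my own assumptions.

```python
"""Triage the O4 (autostart) entries of a HijackThis log.

Added example for this thread; not part of HijackThis or of the posts.
The sample lines in SAMPLE_LOG are copied from the log posted above.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Registry form:        O4 - HKLM\..\Run: [Label] command
_REG_RE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU|HKUS\\[^\\]+)\\\.\.\\(?P<key>Run\w*): "
    r"\[(?P<label>[^\]]*)\] (?P<cmd>.*)$"
)
# Startup-folder form:  O4 - Global Startup: Foo.lnk = command
_STARTUP_RE = re.compile(
    r"^O4 - (?P<hive>.*?Startup): (?P<label>[^=]+?) = (?P<cmd>.*)$"
)
# Trailing "(User 'Name')" annotation that HijackThis appends
_USER_RE = re.compile(r"\s*\(User '(?P<user>[^']*)'\)$")
# First absolute Windows path ending in an executable/library extension
_PATH_RE = re.compile(r"(?i)([A-Z]:\\.*?\.(?:exe|dll|scr|cpl))")
# Profile roots on XP- and Vista-era Windows
_PROFILE_RE = re.compile(r"(?i)\\(Documents and Settings|Users)\\")


@dataclass
class AutostartEntry:
    hive: str            # HKLM, HKCU, HKUS\<sid>, or a Startup folder name
    key: str             # Run, RunOnce, or "Startup" for folder entries
    label: str           # value name or .lnk name
    command: str         # command line as logged, user annotation removed
    user: Optional[str]  # from "(User '...')", if present
    path: Optional[str]  # first absolute path found in the command
    flags: List[str] = field(default_factory=list)


def parse_o4(line: str) -> Optional[AutostartEntry]:
    """Return an AutostartEntry for an O4 line, or None for any other line."""
    line = line.rstrip()
    m = _REG_RE.match(line) or _STARTUP_RE.match(line)
    if not m:
        return None
    cmd = m.group("cmd")
    user = None
    um = _USER_RE.search(cmd)
    if um:
        user = um.group("user")
        cmd = cmd[: um.start()]
    key = m.groupdict().get("key") or "Startup"
    pm = _PATH_RE.search(cmd)
    path = pm.group(1) if pm else None
    return AutostartEntry(m.group("hive"), key, m.group("label"), cmd, user, path)


def _flag(entry: AutostartEntry) -> None:
    """Attach the review notes a helper would raise for this entry."""
    if entry.key.lower() == "runonce":
        entry.flags.append("RunOnce: one-shot autostart, should disappear after next boot")
    if entry.path is None:
        entry.flags.append("no absolute path: binary is resolved through PATH search")
    elif _PROFILE_RE.search(entry.path):
        entry.flags.append("runs from a user profile directory")


def review_o4(log_lines) -> List[AutostartEntry]:
    """Parse every O4 line in the log and annotate it with review flags."""
    entries = []
    for line in log_lines:
        entry = parse_o4(line)
        if entry is not None:
            _flag(entry)
            entries.append(entry)
    return entries


def flagged(entries: List[AutostartEntry]) -> List[AutostartEntry]:
    """Only the entries that carry at least one flag."""
    return [e for e in entries if e.flags]


# Lines copied from the log in this thread (one O23 line included to show
# that non-O4 lines are skipped).
SAMPLE_LOG = [
    r"O4 - HKLM\..\Run: [LXDCCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXDCtime.dll,_RunDLLEntry@16",
    r"O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE",
    r"O4 - HKCU\..\Run: [CurseClient] C:\Documents and Settings\John Scarth_2\Desktop\Curse\CurseClient.exe -silent",
    r"O4 - HKCU\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil10b.exe",
    r"O4 - HKUS\S-1-5-21-1177238915-573735546-839522115-1009\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Brandon')",
    r"O4 - S-1-5-18 Startup: IMVU.lnk = C:\Documents and Settings\John Scarth_2\Application Data\IMVUClient\IMVUClient.exe (User 'SYSTEM')",
    r"O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe",
    r"O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe",
]

if __name__ == "__main__":
    for e in flagged(review_o4(SAMPLE_LOG)):
        print(f"{e.hive}\\{e.key} [{e.label}] -> {e.path or e.command}")
        for f in e.flags:
            print(f"    - {f}")
```

The flags are review prompts, not verdicts: the FlashPlayerUpdate RunOnce entry that Belahzur removes is a normal Flash updater, and the IMVU and CurseClient entries are user-installed applications that happen to live under the profile. The point of the parser is to surface every entry that needs a second look rather than to decide for you.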

Re: infected with virtumonde and vundo trojan

Post by imsps on 25th August 2009, 1:47 pm

Machine seems to run fine. The Malwarebytes scan I just did hasn't brought up any infections.
