Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

Board index Malware Removal ForumsInfected? Virus, malware, adware, ransomware, oh my!

WinCtrl32.dll Virtumonde or Something Else?

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.
Topic locked

WinCtrl32.dll Virtumonde or Something Else?

Unread postby jdb1981 » July 6th, 2008, 3:38 pm

OK, this will require a brief explanation- I have previously posted in the Spybot S&D Forums on this same issue, but they are currently down (see this thread: http://www.neowin.net/forum/index.php?s ... 3437&st=15) and I'm not sure how long that's going to go on. They are not currently working on anything for me, but waiting for a response. Unless a response in this thread tells me differently, I am moving the issue here, and will post a request to remove my original thread whenever those forums are accessible again. I actually have 2 infected computers, but I'd like to focus on one for now, I believe they have the same problem. The URL for my original post at Spybot Forums is: http://forums.spybot.info/showthread.ph ... to=newpost
*/edit - That thread has now been removed, so you're my only hope here, thanks!
They requested both Combofix and Hijackthis logs, so I'll post both below. The problems I'm having are: Pop-ups randomly, or whenever I start a browser; Security Center constantly tells me I need to turn automatic updates ON, even though they are on; Lots of junk .dlls, and they create a .dll in system32 called WinCtrl32.dll that is not deletable, and even if you use Killbox or delete it with a Linux Live CD, it comes back immediately. I'm hoping that's all that's going on, but I've disconnected the machine from the internet, and deleted all cookies and stored passwords in it just in case.
Thanks in advance for your help, and I hope I've done the right thing here, I'm sure Spybot forums will be up and running again soon, but I'd rather just try to resolve this here. I'll start with the Hijackthis log (it was run AFTER I ran Combofix,) I apologize if the Combofix log is not needed, but it's below as well. I also note that I probably need to install the recovery console, but I'm not going to touch the machine at all until I hear something back. Please let me know what to do next!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:36:07 PM, on 7/6/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.17184)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\ClamWin\bin\ClamTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O3 - Toolbar: Contribute Toolbar - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [ClamWin] "C:\Program Files\ClamWin\bin\ClamTray.exe" --logon
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [TaskSwitchXP] C:\Program Files\TaskSwitchXP\TaskSwitchXP.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [TaskSwitchXP] C:\Program Files\TaskSwitchXP\TaskSwitchXP.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [TaskSwitchXP] C:\Program Files\TaskSwitchXP\TaskSwitchXP.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [TaskSwitchXP] C:\Program Files\TaskSwitchXP\TaskSwitchXP.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: (no name) - Cmdmapping - (no file) (HKCU)
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O23 - Service: Adobe Version Cue CS3 - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Indexing Service (CiSvc) - Unknown owner - C:\WINDOWS\system32\cisvc.exe (file missing)
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBOID.EXE
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Uninterruptible Power Supply (UPS) - Unknown owner - C:\WINDOWS\System32\ups.exe (file missing)

--
End of file - 5858 bytes

--------------------------------------------------
Begin Combofix log
--------------------------------------------------
ComboFix 08-07-05.1 - Customer 2008-07-06 13:36:35.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.805 [GMT -4:00]
Running from: C:\Documents and Settings\Customer\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\adlzvz.dll
C:\WINDOWS\system32\arhvsjix.dll
C:\WINDOWS\system32\blrtypjf.ini
C:\WINDOWS\system32\bwvfhaww.dll
C:\WINDOWS\system32\cfudsyau.ini
C:\WINDOWS\system32\dhrpwivi.dll
C:\WINDOWS\system32\dyathu.dll
C:\WINDOWS\system32\eqgdqcth.dll
C:\WINDOWS\system32\flptej.dll
C:\WINDOWS\system32\gtnyrmin.ini
C:\WINDOWS\system32\hsevbt.dll
C:\WINDOWS\system32\jdaaidgg.ini
C:\WINDOWS\system32\jkkJyVOh.dll
C:\WINDOWS\system32\kujzlu.dll
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\mfqpkcrn.dll
C:\WINDOWS\system32\pAHhQqru.ini
C:\WINDOWS\system32\pAHhQqru.ini2
C:\WINDOWS\system32\pvthqn.dll
C:\WINDOWS\system32\rgodxxkp.ini
C:\WINDOWS\system32\rjaleoer.dll
C:\WINDOWS\system32\rohjenoo.dll
C:\WINDOWS\system32\swdwbxpr.ini
C:\WINDOWS\system32\uaysdufc.dll
C:\WINDOWS\system32\vevpacgl.dll
C:\WINDOWS\system32\wlxrlcrj.dll
C:\WINDOWS\system32\xijsvhra.ini
C:\WINDOWS\system32\xtgntiim.dll
C:\WINDOWS\system32\xvqvgqpe.dll
C:\WINDOWS\system32\ybatmnfq.dll

.
((((((((((((((((((((((((( Files Created from 2008-06-06 to 2008-07-06 )))))))))))))))))))))))))))))))
.

2008-07-02 20:41 . 2008-07-02 20:41 <DIR> d-------- C:\Program Files\Trend Micro
2008-06-30 21:38 . 2008-06-30 21:32 691,545 --a------ C:\WINDOWS\unins000.exe
2008-06-30 21:38 . 2008-06-30 21:38 2,548 --a------ C:\WINDOWS\unins000.dat
2008-06-28 13:49 . 2008-07-06 11:52 110,419 --a------ C:\WINDOWS\BM57b70805.xml
2008-06-28 00:30 . 2008-06-28 00:30 <DIR> d-------- C:\Documents and Settings\Customer\Application Data\ACD Systems
2008-06-28 00:28 . 2008-06-28 00:28 <DIR> d-------- C:\Program Files\Common Files\ACD Systems
2008-06-28 00:28 . 2008-06-28 00:28 <DIR> d-------- C:\Program Files\ACD Systems
2008-06-28 00:28 . 2008-06-28 00:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ACD Systems
2008-06-27 15:28 . 2008-06-27 15:28 <DIR> d-------- C:\WINDOWS\ie8updates
2008-06-21 14:51 . 2008-06-21 14:51 <DIR> d-------- C:\Program Files\HDD Health
2008-06-14 00:05 . 2008-05-07 01:12 1,288,192 --a------ C:\WINDOWS\system32\dllcache\quartz.dll
2008-06-14 00:01 . 2008-05-08 10:02 203,136 --a------ C:\WINDOWS\system32\dllcache\rmcast.sys
2008-06-14 00:00 . 2008-06-13 07:05 272,128 --a------ C:\WINDOWS\system32\dllcache\bthport.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-06 16:59 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-07-01 01:39 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-06-28 04:08 --------- d-----w C:\Program Files\Paint.NET
2008-06-28 04:03 --------- d-----w C:\Documents and Settings\Customer\Application Data\ImgBurn
2008-06-28 03:56 --------- d-----w C:\Documents and Settings\Customer\Application Data\uTorrent
2008-06-13 11:05 272,128 ------w C:\WINDOWS\system32\drivers\bthport.sys
2008-05-22 01:20 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-22 01:20 --------- d-----w C:\Program Files\Motorola Phone Tools
2008-05-22 01:20 --------- d-----w C:\Documents and Settings\Customer\Application Data\InstallShield
2008-05-22 01:20 --------- d-----w C:\Documents and Settings\All Users\Application Data\BVRP Software
2008-05-16 13:27 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-05-08 14:02 203,136 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-04-14 09:42 69,120 ----a-w C:\WINDOWS\notepad.exe
2008-04-14 09:42 50,688 ----a-w C:\WINDOWS\twain_32.dll
2008-04-14 09:42 32,866 ------w C:\WINDOWS\slrundll.exe
2008-04-14 09:42 283,648 ----a-w C:\WINDOWS\winhlp32.exe
2008-04-14 09:42 146,432 ----a-w C:\WINDOWS\regedit.exe
2008-04-14 09:42 10,752 ----a-w C:\WINDOWS\hh.exe
2008-04-14 09:42 1,033,728 ----a-w C:\WINDOWS\explorer.exe
2008-04-14 09:41 451,072 ----a-w C:\WINDOWS\AppPatch\aclayers.dll
2008-04-14 09:41 39,424 ----a-w C:\WINDOWS\AppPatch\acadproc.dll
2008-04-14 09:41 245,248 ----a-w C:\WINDOWS\AppPatch\acspecfc.dll
2008-04-14 09:41 141,312 ----a-w C:\WINDOWS\AppPatch\aclua.dll
2008-04-14 09:41 116,224 ----a-w C:\WINDOWS\AppPatch\acxtrnal.dll
2008-04-14 09:41 1,852,928 ----a-w C:\WINDOWS\AppPatch\acgenral.dll
2006-05-03 09:06 163,328 --sha-r C:\WINDOWS\system32\flvDX.dll
2007-02-21 10:47 31,232 --sha-r C:\WINDOWS\system32\msfDX.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-14 05:42 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-09-20 11:36 114688]
"ClamWin"="C:\Program Files\ClamWin\bin\ClamTray.exe" [2008-06-14 08:13 77824]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"TaskSwitchXP"="C:\Program Files\TaskSwitchXP\TaskSwitchXP.exe" [2006-08-04 18:29 62976]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableCAD"= 1 (0x1)
"DisableStatusMessages"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"= 1 (0x1)
"ForceClassicControlPanel"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"= 1 (0x1)
"ForceClassicControlPanel"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"=hex(2):58,50,69,7a,65,5f,4c,6f,67,6f,6e,2e,65,78,65,00

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.i420"= i420vfw.dll
"VIDC.ACDV"= ACDV.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HDDHealth]
--a------ 2008-06-15 12:14 1692672 C:\Program Files\HDD Health\hddhealth.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\UltraVNC\\vncviewer.exe"=
"C:\\WINDOWS\\system32\\spoolsv.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"C:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS3\\Server\\bin\\VersionCueCS3.exe"=
"C:\\Program Files\\mIRC\\mirc.exe"=
"C:\\Program Files\\Opera\\Opera.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3703:TCP"= 3703:TCP:Adobe Version Cue CS3 Server
"3704:TCP"= 3704:TCP:Adobe Version Cue CS3 Server
"50900:TCP"= 50900:TCP:Adobe Version Cue CS3 Server
"50901:TCP"= 50901:TCP:Adobe Version Cue CS3 Server

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2bc6b0b4-dcb6-11dc-b4ef-00909672a3f6}]
\Shell\AutoRun\command - E:\PortableApps\PortableAppsMenu\PortableAppsMenu.exe

*Newly Created Service* - HELPSVC
.
Contents of the 'Scheduled Tasks' folder
"2008-07-03 22:27:04 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
- - - - ORPHANS REMOVED - - - -

BHO-{7DEDA23A-E5C3-4831-BCDB-99C471CE0BF1} - C:\WINDOWS\system32\urqQhHAp.dll
HKLM-Run-54843b99 - C:\WINDOWS\system32\arhvsjix.dll
HKLM-Run-BM57b70805 - C:\WINDOWS\system32\xvqvgqpe.dll


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-06 14:08:40
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************
.
Completion time: 2008-07-06 14:18:05
ComboFix-quarantined-files.txt 2008-07-06 18:16:59

Pre-Run: 17,813,237,760 bytes free
Post-Run: 17,800,007,680 bytes free

165 --- E O F --- 2008-06-27 19:28:32
jdb1981
Active Member
 
Posts: 3
Joined: July 6th, 2008, 2:49 pm
Top
Advertisement
Register to Remove

Re: WinCtrl32.dll Virtumonde or Something Else?

Unread postby MWR 3 day Mod » July 9th, 2008, 8:20 am

Hi, jdb1981

We are sorry to see your topic is over three days old and no one has yet been able to respond and offer help.

If you still require assistance, please post a link to your topic in our Waiting for help with malware removal? forum, and our staff will make an effort to assist you as promptly as possible. Only post a LINK to this topic, DO NOT post your DDS log!

Please do not reply to this topic.

If you haven't posted within two days in the "Waiting for help with malware removal?" forum, we will assume you have been able to get assistance in other ways and this topic will be closed.
MWR 3 day Mod
MRU Undergrad
MRU Undergrad
 
Posts: 2534
Joined: April 4th, 2008, 8:40 am
Top

Re: WinCtrl32.dll Virtumonde or Something Else?

Unread postby jdb1981 » July 10th, 2008, 9:21 am

Here's a new HJT Log. I hope someone is going to be able to help me here.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 07:44, on 2008-07-10
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.17184)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\ClamWin\bin\ClamTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\SoftwareDistribution\Download\663e7188bbb3d768555f5280d384ddab\update\update.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {5CD7177D-1D51-4351-9754-0ACFCCD823FC} - C:\Documents and Settings\Customer\Local Settings\Temporary Internet Files\Content.IE5\ZPDS5D3V\3077ahntdksr[1].dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {B7FEC83C-DA4A-490A-8C76-A97E8A7F2B96} - C:\WINDOWS\system32\urqQhHAp.dll (file missing)
O2 - BHO: (no name) - {BE7E4CE1-8CBA-44A6-956F-462A667D3286} - C:\WINDOWS\system32\jkkJyVOh.dll (file missing)
O2 - BHO: (no name) - {D880AC13-B1B2-4B85-92B3-5F15192852C4} - C:\WINDOWS\system32\erqjxtqk.dll (file missing)
O3 - Toolbar: Contribute Toolbar - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [ClamWin] "C:\Program Files\ClamWin\bin\ClamTray.exe" --logon
O4 - HKLM\..\Run: [BM57b70805] Rundll32.exe "C:\WINDOWS\system32\oegwhekw.dll",s
O4 - HKLM\..\Run: [54843b99] rundll32.exe "C:\WINDOWS\system32\tqrtpmub.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [TaskSwitchXP] C:\Program Files\TaskSwitchXP\TaskSwitchXP.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [TaskSwitchXP] C:\Program Files\TaskSwitchXP\TaskSwitchXP.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [TaskSwitchXP] C:\Program Files\TaskSwitchXP\TaskSwitchXP.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [TaskSwitchXP] C:\Program Files\TaskSwitchXP\TaskSwitchXP.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: (no name) - Cmdmapping - (no file) (HKCU)
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O20 - Winlogon Notify: jkkJyVOh - jkkJyVOh.dll (file missing)
O23 - Service: Adobe Version Cue CS3 - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Indexing Service (CiSvc) - Unknown owner - C:\WINDOWS\system32\cisvc.exe (file missing)
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBPRO.EXE
O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\system32\spool\drivers\w32x86\3\HPBOID.EXE
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Uninterruptible Power Supply (UPS) - Unknown owner - C:\WINDOWS\System32\ups.exe (file missing)

--
End of file - 6451 bytes
jdb1981
Active Member
 
Posts: 3
Joined: July 6th, 2008, 2:49 pm
Top

Re: WinCtrl32.dll Virtumonde or Something Else?

Unread postby mz30 » July 10th, 2008, 10:42 am

Hi
I'm Mz30
I will be helping you with your malware issue's.
I am currently reviewing your hjt log and will post back soon with instructions.
As I am still in training, everything that I post to you, must be checked by an Admin or Moderator. Therefore there could be a delay between posts, but it shouldn't be too long.

  • The fixes i post, are for fixing your issues only and by no means should be used on another computer.
  • Continue to respond to this thread until I give you the All Clean,as even if you appear clean the chances are you are not.
  • Please bookmark or favourite this page. In case you need it as reference.
  • Please remember that all the staff here are volunteers and help in our free time and you will sometimes have to wait for a reply.

    Important
  • Please do not attempt to remove anything or fix anything unless i ask,This includes running any sort of anti-virus/spyware programs as they may make thing's harder to remove.
User avatar
mz30
Regular Member
 
Posts: 1683
Joined: June 23rd, 2007, 9:39 am
Location: liverpool
Top

Re: WinCtrl32.dll Virtumonde or Something Else?

Unread postby Vino Rosso » July 10th, 2008, 5:46 pm

Hi

It seems you've also posted here where you are receiving help from Shaba

http://forums.spybot.info/showthread.ph ... post208762

Although we understand you wish your problems to be addressed as soon as possible, there are reasons why multi-posting causes problems.
  • By Multi Posting you are utilising the time of two (or more) trained helpers
    Helpers take a long time to train. They need a great deal of expertise and knowledge to be able to safely remove malware from your computer and, because of this, helpers are in short supply. We wish to use them to help the maximum number of people and, if they are researching the log of someone who is already being helped, then their time and effort is going to waste.
    Understandably this causes a certain amount of bad feeling
    • From the helper who has needlessly spent time researching your log and compiling and posting instructions.
    • From others who have to wait longer for their problems to be addressed.
  • Advice from two separate helpers can cause problems
    Different helpers may use different methods to combat your infection. Whilst each in isolation is safe, that may not be so if you follow the advice of both together. Some of the tools we use are very powerful and have to be used in a specific way and in some cases do not combine well with others. By using advice from two different sources, it is possible that tools may be used that do not combine well and you may severely damage your computer, even rendering it inoperable in some circumstances.

I will close and archive this thread as you are already receiving help elsewhere.
User avatar
Vino Rosso
Admin/Teacher Emeritus
 
Posts: 9024
Joined: April 24th, 2006, 8:36 am
Location: Gloria Jean's in Murray St. Mall (I wish!)
Top
Advertisement
Register to Remove
Topic locked

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 117 guests

The teamDelete all board cookiesAll times are UTC - 5 hours [ DST ]

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware

Board index