Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

Virtumonde-PopUps-Redirects

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

Virtumonde-PopUps-Redirects

Unread postby 3nder » December 16th, 2008, 8:18 pm

I've got a ton going on with my computer right now. I really could use some help cleaning it so I can enroll into MRU. Spybot S&D is picking up a Virtumonde but it is unable to clean it properly and I am unable to manually delete the files. When online, I get tons of popups typically titled url.adtrgt.com or something of the sort. Firefox is also very slow. Here is my HiJack This log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:16:52 PM, on 12/16/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Logitech\QuickCam\Quickcam.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Last.fm\LastFM.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\iTunes\iTunes.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\distnoted.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceHelper.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Control Popups in Internet Explorer - {41353F8B-78CE-48A5-BE44-153ED293D192} - C:\PROGRA~1\POPUPP~1\PopLib.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: (no name) - {5D70495E-F414-4403-8BDB-1F5B34542C71} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {bb4f7f3b-f3e0-4eda-a258-37091c60fd7f} - C:\WINDOWS\system32\nedutana.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: (no name) - {A057A204-BACC-4D26-9990-79A187E2698E} - (no file)
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam\Quickcam.exe" /hide
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe -expressboot
O4 - HKLM\..\Run: [CPM7bd66a08] Rundll32.exe "c:\windows\system32\yigiwopa.dll",a
O4 - HKLM\..\Run: [yunubeduye] Rundll32.exe "C:\WINDOWS\system32\ladowozi.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: PopupPopper Control Panel - {3E94F358-9537-4BBA-8D12-D7F8A0136973} - C:\Program Files\PopupPopper\SiteList.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\system32\shdocvw.dll
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by101fd.bay101.hotmail.msn.com/r ... nPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 8947606953
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 5637086015
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/softwa ... Plugin.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: emxmqp.dll,c:\windows\system32\goborola.dll,c:\windows\system32\navaguke.dll,c:\windows\system32\fozehuka.dll,c:\windows\system32\yisiwusu.dll,c:\windows\system32\gehiraso.dll,c:\windows\system32\yigiwopa.dll,C:\WINDOWS\system32\voguzego.dll
O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\514\G2AWinLogon.dll
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\yigiwopa.dll
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\yigiwopa.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist\514\g2aservice.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 9714 bytes

(I have another post, so it will have to be deleted if this one is picked up)
Thanks for your time!
-3nder
3nder
Active Member
 
Posts: 9
Joined: December 14th, 2008, 7:52 pm
Advertisement
Register to Remove

Re: Virtumonde-PopUps-Redirects

Unread postby Axephilic » December 16th, 2008, 11:46 pm

Hello 3nder,

Welcome to the Malware Removal Forums! My name is Adam and I will be assisting you with getting the malware off of your computer. Please observe the following points before we start:
  1. If at any point you don't understand something, please let me know and I will be glad to expain or go more into depth for you. :)
  2. I am still in training, so my responses may take more time than usual because all of my posts must be checked by an expert or teacher.
    Also, please remember, I am a volunteer and I have a personal life. I go to school full time, have a part time job, and I do sports. A lot of this takes a lot of time.
  3. Please keep all of your replys in this topic/thread and do not make a new topic/thread, thanks!
  4. Please stick with this, don't stop responding because the symptoms are gone, the infection could still be there. Keep replying to my posts until I give you the All Clean message. ;)
  5. If you don't reply within five days after my last instructions this topic will be closed. If you will not be able to reply within five days please tell me so the topic will not be closed.

I have asked that your other topic be closed. The only reason I am responding to this newer one is because you have posted a newer HijackThis log which is better for my analysis. Please do not double post any more, it just causes confusion. :)

Make an Uninstall List

Next, please make an uninstall list using HijackThis.
To access the Uninstall Manager you would do the following:

1. Start HijackThis
2. Click on the Config button
3. Click on the Misc Tools button
4. Click on the Open Uninstall Manager button.

Click on the Save list... button and specify where you would like to save this file. When you press Save button a notepad will open with the contents of that file. Simply copy and paste the contents of that notepad here on your next reply. Please also include a new HijackThis log.

Regards,
Adam
User avatar
Axephilic
Retired Graduate
 
Posts: 2180
Joined: June 18th, 2007, 1:10 pm
Location: Wisconsin, US

Re: Virtumonde-PopUps-Redirects

Unread postby 3nder » December 17th, 2008, 12:25 am

Thanks a ton Adam. I appreciate the quick reply! Here is the new Hijack log followed by the uninstall list:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:24:04 PM, on 12/16/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Logitech\QuickCam\Quickcam.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Last.fm\LastFM.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\notepad.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Control Popups in Internet Explorer - {41353F8B-78CE-48A5-BE44-153ED293D192} - C:\PROGRA~1\POPUPP~1\PopLib.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: (no name) - {5D70495E-F414-4403-8BDB-1F5B34542C71} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {bb4f7f3b-f3e0-4eda-a258-37091c60fd7f} - C:\WINDOWS\system32\nedutana.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: (no name) - {A057A204-BACC-4D26-9990-79A187E2698E} - (no file)
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam\Quickcam.exe" /hide
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe -expressboot
O4 - HKLM\..\Run: [yunubeduye] Rundll32.exe "C:\WINDOWS\system32\ladowozi.dll",s
O4 - HKLM\..\Run: [78e55994] rundll32.exe "C:\WINDOWS\system32\nafugizu.dll",b
O4 - HKLM\..\Run: [CPM7bd66a08] Rundll32.exe "c:\windows\system32\musafike.dll",a
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: PopupPopper Control Panel - {3E94F358-9537-4BBA-8D12-D7F8A0136973} - C:\Program Files\PopupPopper\SiteList.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\system32\shdocvw.dll
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by101fd.bay101.hotmail.msn.com/r ... nPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 8947606953
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 5637086015
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/softwa ... Plugin.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: emxmqp.dll c:\windows\system32\goborola.dll c:\windows\system32\navaguke.dll c:\windows\system32\fozehuka.dll c:\windows\system32\yisiwusu.dll c:\windows\system32\gehiraso.dll C:\WINDOWS\system32\voguzego.dll c:\windows\system32\musafike.dll
O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\514\G2AWinLogon.dll
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\musafike.dll
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\musafike.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist\514\g2aservice.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 9658 bytes



Ad-Aware
Adobe Acrobat 5.0
Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742)
Adobe Flash Player 10 ActiveX
Adobe Flash Player Plugin
Adobe Help Center 1.0
Adobe Reader 8.1.2
Adobe Shockwave Player
Adobe Stock Photos 1.0
Adobe Stock Photos 1.0
Apple Mobile Device Support
Apple Software Update
ArcSoft PhotoImpression 5
ArcSoft VideoImpression 2
ATI Display Driver
Audacity 1.2.6
AVS DVDMenu Editor 1.2.1.19
Bayden PopupPopper (remove only)
Bonjour
CIF USB Camera
CleanUp!
Compatibility Pack for the 2007 Office system
Data Lifeguard Tools
Dell ResourceCD
DellConnect
Digidesign Shared Plug-Ins 7.0
DivX Codec
DivX Converter
DivX Player
DivX Web Player
Dual-Core Optimizer
DVD Decrypter (Remove Only)
Echospin Delivery Wizard
Eusing Free Registry Cleaner
Express Burn
Express Rip
Free Mp3 Wma Converter V 1.8.0
GalleryPlayer Images
GoToAssist 8.0.0.514
Guitar Pro 5.2
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows XP (KB952287)
Intel(R) 537EP V9x DF PCI Modem
Intel(R) PRO Network Connections Drivers
InterLok Driver Kit
IrfanView (remove only)
iTunes
J2SE Runtime Environment 5.0 Update 1
J2SE Runtime Environment 5.0 Update 11
J2SE Runtime Environment 5.0 Update 3
J2SE Runtime Environment 5.0 Update 6
Java(TM) 6 Update 7
Java(TM) SE Runtime Environment 6 Update 1
JuilliardMusicAdventure
K-Lite Codec Pack 4.1.7 (Full)
Last.fm 1.5.2.38918
Logitech QuickCam
Logitech QuickCam Driver Package
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 1
Microsoft Age of Empires
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
Microsoft National Language Support Downlevel APIs
Microsoft Office Standard Edition 2003
Microsoft Rise Of Nations
Microsoft Silverlight
Microsoft SQL Server Desktop Engine (SONY_MEDIAMGR)
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2005 Redistributable
Microsoft WinUsb 1.0
Mozilla Firefox (3.0.4)
MSN
MSXML 4.0 SP2 (KB925672)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML4 Parser
Musicnotes Player V1.23.2 and Viewer
Norton™ Security Scan
Oblivion
Ogg Converter
OpenMG Limited Patch 4.7-07-14-05-01
OpenMG Secure Module 4.7.00
OpenOffice.org Installer 1.0
Otto
Palm Desktop
PC Drummer Trial Edition 5.06
PCsync
Power Tab Editor 1.7
PowerDVD 5.5
Print Workshop 2009
QuickTime
RealPlayer
Rise of Nations Thrones and Patriots
Roxio DLA
Roxio RecordNow Audio
Roxio RecordNow Data@
Security Update for CAPICOM (KB931906)
Security Update for CAPICOM (KB931906)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953155)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Sibelius Scorch Plugin
SigmaTel Audio
Skype™ 3.8
Sonic Update Manager
Sony Media Manager 2.0
Spybot - Search & Destroy
SpywareBlaster 4.1
Trend Micro PC-cillin Internet Security 12
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update Rollup 2 for Windows XP Media Center Edition 2005
Viewpoint Media Player
WavePad Uninstall
Windows Easy Transfer
Windows Live installer
Windows Live Messenger
Windows Live Toolbar Extension (Windows Live Toolbar)
Windows Media Format 11 runtime
Windows Media Format Runtime
Windows Media Player 11
Windows Media Player Firefox Plugin
Windows XP Service Pack 3
WinFlyer
WinPatrol 2008
WinRAR archiver
Yahoo! Messenger
Yahoo! Toolbar
3nder
Active Member
 
Posts: 9
Joined: December 14th, 2008, 7:52 pm

Re: Virtumonde-PopUps-Redirects

Unread postby Axephilic » December 18th, 2008, 4:01 pm

Hello,

Disable TeaTimer
  1. If you have version 1.5, right click the Spybot Icon in the system tray near the clock (looks like a blue/white calendar with a padlock symbol).
  2. Click once on Resident Protection, then right click the Spybot icon again and make sure Resident Protection is now Unchecked. The Spybot icon in the System tray should now be now colorless.
  3. Go to Start > All Programs > Spybot - Search & Destroy > Spybot Search & Destroy.
  4. Click on Mode > Advanced Mode. When it prompts you, click Yes.
  5. On the left hand side, click on Tools.
  6. Check (tick) this box if it is not yet ticked: Resident.
  7. You will notice that Resident is now added under Tools. Click on Resident.
  8. Uncheck (untick) this box: Resident "TeaTimer" (Protection of over-all system settings) active.
  9. Exit Spybot Search & Destroy.
  10. Restart your computer for the changes to take effect.

Disable WinPatrol

  1. Right click on the Scotty Dog near the clock and select Options.... A window will open.
  2. Select the Options tab.
  3. Uncheck (untick) this box: Automatically run Winpatrol when computer starts.
  4. Close the Winpatrol window.
  5. Right click on the Scotty Dog again and select Exit Program.

Disable AdAware
  1. Right click on the Ad-Watch icon in the system tray (Image)
  2. Select Goto Settings.
  3. Click on Status on the left.
  4. On your right hand side, click once on each of the section to turn the green tick into a red cross.
  5. Click on RegShield on the left.
  6. On your right hand side, click once on each of the section to turn the green tick into a red cross.
  7. Click on Settings on the left.
  8. Click once on Load Ad-Watch at startup to turn the green tick into a red cross.
  9. Minimize Ad-Watch.
  10. Right click on the Ad-Watch icon again and select Close Ad-Watch.
  11. You will be prompted if you want to shut down Ad-Watch. Click Yes.
  12. Restart your computer for the changes to take effect.

We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix


* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Please include the C:\ComboFix.txt in your next reply for further review.

In your next reply, please include:
  1. Combofix.txt
  2. A new HijackThis log

Regards,
Adam
User avatar
Axephilic
Retired Graduate
 
Posts: 2180
Joined: June 18th, 2007, 1:10 pm
Location: Wisconsin, US

Re: Virtumonde-PopUps-Redirects

Unread postby 3nder » December 18th, 2008, 7:36 pm

Hi,
I think it should be noted that I do not have Ad-Watch installed on my computer. I only have the free version of Ad-Aware thus I would need to buy the full version in order to have certain features (such as Ad-Watch). I hope this doesn't make a huge difference if I was unable to follow the directions for disable Ad-Watch.

Here is the ComboFix log, followed by a new HijackThis log:

ComboFix 08-12-18.01 - Cindy 2008-12-18 17:13:12.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.563 [GMT -6:00]
Running from: c:\documents and settings\Cindy\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Cindy\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
* Created a new restore point
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\documents and settings\Cindy\Application Data\Google\T-Scan
c:\documents and settings\Cindy\Application Data\Google\T-Scan\n.gif
c:\documents and settings\Cindy\Application Data\Google\T-Scan\t.gif
c:\documents and settings\Cindy\Application Data\Google\T-Scan\y.gif
c:\windows\Downloaded Program Files\setup.inf
c:\windows\system32\avepufit.ini
c:\windows\system32\bikuhagu.dll
c:\windows\system32\Cache
c:\windows\system32\dokopiba.dll
c:\windows\system32\ebihabom.ini
c:\windows\system32\erevakat.ini
c:\windows\system32\gabuwuwo.dll
c:\windows\system32\gijoyeri.dll
c:\windows\system32\gitoribo.dll
c:\windows\system32\ireyojig.ini
c:\windows\system32\ivomozum.ini
c:\windows\system32\iyodapay.ini
c:\windows\system32\kelewaba.dll
c:\windows\system32\lelimoza.dll
c:\windows\system32\letunupo.dll
c:\windows\system32\Memman.vxd
c:\windows\system32\mogukevu.dll
c:\windows\system32\muzomovi.dll
c:\windows\system32\nigobani.dll
c:\windows\system32\obirotig.ini
c:\windows\system32\odavuluw.ini
c:\windows\system32\ogoputow.ini
c:\windows\system32\opunutel.ini
c:\windows\system32\otavetey.ini
c:\windows\system32\podobira.dll
c:\windows\system32\skinboxer43.dll
c:\windows\system32\TDSSosvd.dat
c:\windows\system32\tifupeva.dll
c:\windows\system32\tuhuduta.dll
c:\windows\system32\ugahukib.ini
c:\windows\system32\uzigufan.ini
c:\windows\system32\voguzego.dll
c:\windows\system32\wasubezu.dll
c:\windows\system32\wotupogo.dll
c:\windows\system32\wuluvado.dll
c:\windows\system32\yapadoyi.dll
c:\windows\system32\yetevato.dll
c:\windows\Tasks\kfrdyahq.job

----- BITS: Possible infected sites -----

hxxp://childhe.com
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_TDSSSERV.SYS


((((((((((((((((((((((((( Files Created from 2008-11-18 to 2008-12-18 )))))))))))))))))))))))))))))))
.

2008-12-14 18:53 . 2008-12-14 18:53 <DIR> d-------- c:\program files\BillP Studios
2008-12-14 18:53 . 2008-12-14 18:53 <DIR> d-------- c:\documents and settings\Cindy\Application Data\WinPatrol
2008-12-11 20:38 . 2008-12-11 20:38 <DIR> d-------- c:\program files\IObit
2008-12-11 20:38 . 2008-12-11 20:38 <DIR> d-------- c:\documents and settings\Cindy\Application Data\IObit
2008-12-11 20:36 . 2008-12-11 22:37 <DIR> d-------- c:\program files\Wise Registry Cleaner 3
2008-12-11 20:24 . 2008-12-11 20:24 <DIR> d-------- c:\program files\CleanMyPC
2008-12-09 20:49 . 2008-12-09 20:49 <DIR> d-------- c:\program files\Free Audio Pack
2008-12-02 22:57 . 2008-12-04 09:56 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2008-12-02 22:57 . 2008-12-04 09:56 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-02 22:50 . 2008-12-02 22:50 <DIR> d-------- c:\documents and settings\Cindy\Application Data\Malwarebytes
2008-12-01 19:39 . 2008-12-01 19:39 <DIR> d-------- c:\program files\AVG
2008-12-01 19:39 . 2008-12-11 20:25 <DIR> d-------- c:\documents and settings\All Users\Application Data\avg8
2008-12-01 19:35 . 2008-12-01 19:35 <DIR> d-------- c:\program files\SpywareBlaster
2008-12-01 19:20 . 2008-12-01 19:20 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-12-01 19:20 . 2008-12-01 19:20 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-11-30 18:34 . 2008-11-30 18:34 <DIR> d-------- C:\HJT
2008-11-30 17:44 . 2008-11-30 17:43 67,424 --a------ c:\windows\system32\drivers\CDAVFS.sys
2008-11-30 17:44 . 2008-11-30 17:44 64 --a------ c:\windows\av_affiliate.ini
2008-11-30 17:44 . 2008-11-30 17:44 64 --a------ c:\windows\as_affiliate.ini
2008-11-28 12:28 . 2008-11-28 12:28 <DIR> d-------- c:\program files\K-Lite Codec Pack
2008-11-28 12:28 . 2008-07-04 00:34 860,160 --a------ c:\windows\system32\lameACM.acm
2008-11-28 12:28 . 2008-01-10 06:15 755,027 --a------ c:\windows\system32\xvidcore.dll
2008-11-28 12:28 . 2004-01-25 10:18 217,088 --a------ c:\windows\system32\yv12vfw.dll
2008-11-28 12:28 . 2007-09-04 10:56 164,352 --a------ c:\windows\system32\unrar.dll
2008-11-28 12:28 . 2008-01-10 06:16 159,839 --a------ c:\windows\system32\xvidvfw.dll
2008-11-28 12:28 . 2008-06-12 12:36 7,680 --a------ c:\windows\system32\ff_vfw.dll
2008-11-28 12:28 . 2007-07-10 10:10 547 --a------ c:\windows\system32\ff_vfw.dll.manifest
2008-11-28 12:28 . 2007-10-03 09:03 414 --a------ c:\windows\system32\lame_acm.xml
2008-11-28 12:28 . 2008-07-30 13:09 38 --a------ c:\windows\avisplitter.ini
2008-11-28 11:47 . 2008-11-28 11:47 <DIR> d-------- c:\documents and settings\Cindy\Application Data\Media Player Classic
2008-11-24 05:56 . 2008-11-24 05:56 <DIR> d-------- c:\documents and settings\All Users\Application Data\Yahoo! Companion

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-18 23:16 0 ----a-w c:\windows\system32\drivers\lvuvc.hs
2008-12-18 23:16 0 ----a-w c:\windows\system32\drivers\logiflt.iad
2008-12-17 01:50 --------- d-----w c:\documents and settings\Cindy\Application Data\skypePM
2008-12-17 01:50 --------- d-----w c:\documents and settings\Cindy\Application Data\Skype
2008-12-12 21:04 --------- d-----w c:\program files\Common Files\Symantec Shared
2008-12-12 21:00 --------- d-----w c:\program files\Norton Security Scan
2008-12-12 17:25 --------- d--h--w c:\documents and settings\Cindy\Application Data\Move Networks
2008-12-12 04:35 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2008-12-12 04:32 --------- d-----w c:\program files\Yahoo!
2008-12-11 11:41 --------- d-----w c:\documents and settings\Cindy\Application Data\Desktopicon
2008-12-09 05:00 --------- d-----w c:\documents and settings\Cindy\Application Data\uTorrent
2008-12-02 02:07 --------- d-----w c:\program files\Trend Micro
2008-12-01 00:53 --------- d-----w c:\program files\AWS
2008-11-24 11:56 --------- d--h--w c:\documents and settings\Cindy\Application Data\yahoo!
2008-11-15 00:56 --------- d-----w c:\documents and settings\All Users\Application Data\Yahoo!
2008-11-11 19:06 --------- d-----w c:\program files\Sun
2008-11-11 19:06 --------- d-----w c:\program files\Java
2008-11-09 06:42 --------- d-----w c:\documents and settings\All Users\Application Data\Last.fm
2008-11-09 06:41 --------- d-----w c:\program files\Last.fm
2008-11-08 21:43 --------- d-----w c:\program files\uTorrent
2008-11-03 00:33 --------- d-----w c:\documents and settings\Cindy\Application Data\ArcSoft
2008-11-01 21:41 --------- d-----w c:\program files\Musicnotes
2008-11-01 21:40 --------- d-----w c:\documents and settings\All Users\Application Data\Musicnotes
2008-10-27 18:00 --------- d-----w c:\program files\Microsoft CAPICOM 2.1.0.2
2008-10-26 19:00 --------- d-----w c:\program files\Common Files\LogiShrd
2008-10-26 18:57 --------- d-----w c:\program files\Logitech
2008-10-26 18:57 --------- d-----w c:\documents and settings\All Users\Application Data\Logitech
2008-10-26 18:57 --------- d-----w c:\documents and settings\All Users\Application Data\Logishrd
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-22 01:21 --------- d-----w c:\program files\Microsoft Silverlight
2008-10-21 02:48 --------- d-----w c:\program files\Skype
2008-10-21 02:45 --------- d--h--w c:\program files\InstallShield Installation Information
2008-10-21 02:45 --------- d-----w c:\program files\ArcSoft
2008-10-21 02:44 --------- d-----w c:\program files\Common Files\ArcSoft
2008-10-21 02:42 --------- d-----w c:\program files\CIF USB Camera
2008-10-14 00:22 24 ----a-w c:\documents and settings\Cindy\jagex_runescape_preferences.dat
2008-07-21 22:53 61,224 ----a-w c:\documents and settings\Cindy\GoToAssistDownloadHelper.exe
2008-05-30 19:37 97,916 -c--a-w c:\program files\dxupdate.cab
2008-05-30 19:36 4,165,878 -c--a-w c:\program files\Apr2006_MDX1_x86_Archive.cab
2008-05-30 19:36 13,267,416 -c--a-w c:\program files\dxnt.cab
2008-05-30 19:36 1,805,306 -c--a-w c:\program files\Nov2007_d3dx9_36_x64.cab
2008-05-30 19:36 1,803,408 -c--a-w c:\program files\AUG2007_d3dx9_35_x64.cab
2008-05-30 19:34 528,392 ----a-w c:\program files\DXSETUP.exe
2007-04-25 00:06 88 --sha-r c:\windows\system32\808A268AF2.sys
2007-04-25 00:06 2,516 -csha-w c:\windows\system32\KGyGaAvL.sys
2008-09-16 23:55 62,694 --sha-w c:\windows\system32\nedutana.dll
2008-08-18 21:24 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008081820080819\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{bb4f7f3b-f3e0-4eda-a258-37091c60fd7f}]
2008-09-16 17:55 62694 --ahs---- c:\windows\system32\nedutana.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2008-02-13 564496]
"LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam\Quickcam.exe" [2008-02-13 2196240]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"CPM7bd66a08"="c:\windows\system32\giyesewu.dll" [2008-12-18 96923]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe [2008-01-11 39792]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\SharedTaskScheduler]
"{EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4}"= "c:\windows\system32\giyesewu.dll" [2008-12-18 96923]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"SSODL"= {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\giyesewu.dll [2008-12-18 96923]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2008-07-21 16:53 10536 c:\program files\Citrix\GoToAssist\514\g2awinlogon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.iv41"= ir41_32.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Cindy^Start Menu^Programs^Startup^HotSync Manager.lnk]
backup=c:\windows\pss\HotSync Manager.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Cindy^Start Menu^Programs^Startup^Registration Heritage of Kings - The Settlers.LNK]
backup=c:\windows\pss\Registration Heritage of Kings - The Settlers.LNKStartup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPseti

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\amd_dc_opt]
--a--c--- 2006-11-17 16:49 77824 c:\program files\AMD\Dual-Core Optimizer\amd_dc_opt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2008-04-13 18:12 15360 c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DLA]
--a--c--- 2005-11-07 05:20 122940 c:\windows\system32\DLA\DLACTRLW.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
--a--c--- 2005-02-23 16:19 53248 c:\program files\CyberLink\PowerDVD\DVDLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
--a--c--- 2005-08-05 13:56 64512 c:\windows\ehome\ehtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
--a--c--- 2004-07-27 16:50 221184 c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
--a--c--- 2004-07-27 16:50 81920 c:\program files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-02-04 14:18 267048 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\pccguide.exe]
--a------ 2006-12-08 19:06 823362 c:\program files\Trend Micro\Internet Security 12\pccguide.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-05-27 09:50 413696 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a--c--- 2007-03-14 02:43 83608 c:\program files\Java\jre1.6.0_01\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsmqIntCert]
--a------ 2008-04-13 18:11 177152 c:\windows\system32\mqrt.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
--a--c--- 2005-03-22 18:20 339968 c:\windows\stsystra.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\mqsvc.exe"=
"c:\\Program Files\\Last.fm\\LastFM.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"e:\\Program Files\\Microsoft Games\\Rise of Nations\\thrones.exe"=
"c:\\Documents and Settings\\Cindy\\Desktop\\utorrent.exe"=
"c:\\Documents and Settings\\Cindy\\Desktop\\Skype.exe"=
"c:\\Program Files\\Trend Micro\\Internet Security 12\\Tmntsrv.exe"=
"c:\\Program Files\\Lavasoft\\Ad-Aware\\aawservice.exe"=
"c:\\Program Files\\Common Files\\Apple\\Mobile Device Support\\bin\\AppleMobileDeviceService.exe"=
"c:\\Program Files\\Common Files\\Microsoft Shared\\VS7DEBUG\\MDM.EXE"=

R2 Tmfilter;Tmfilter;c:\windows\system32\drivers\TmXPFlt.sys [2006-12-08 205328]
R2 Tmntsrv;Trend Micro Real-time Service;c:\progra~1\TRENDM~1\INTERN~1\Tmntsrv.exe [2006-12-08 290889]
R2 TmPfw;Trend Micro Personal Firewall;c:\progra~1\TRENDM~1\INTERN~1\TmPfw.exe [2006-12-08 585792]
R2 Tmpreflt;Tmpreflt;c:\windows\system32\drivers\Tmpreflt.sys [2006-12-08 36368]
R2 tmproxy;Trend Micro Proxy Service;c:\progra~1\TRENDM~1\INTERN~1\tmproxy.exe [2006-12-08 262215]
R2 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\Viewpoint\Common\ViewpointService.exe" [2007-11-24 24652]
S3 CDAVFS;CDAVFS;c:\windows\system32\DRIVERS\CDAVFS.sys [2008-11-30 67424]
S3 MusCDriverV32;MusCDriverV32;c:\windows\system32\drivers\MusCDriverV32.sys [2008-01-07 513152]
S3 MusCVideo32;MusCVideo32;c:\windows\system32\DRIVERS\MusCVideo32.sys [2008-01-07 3768]
S3 PAC207;CIF USB Camera;c:\windows\system32\DRIVERS\PFC027.SYS [2008-10-20 505984]
.
Contents of the 'Scheduled Tasks' folder

2008-12-17 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 16:57]

2008-12-13 c:\windows\Tasks\Norton Security Scan.job
- c:\program files\Norton Security Scan\Nss.exe [2007-01-18 17:24]
.
- - - - ORPHANS REMOVED - - - -

BHO-{5D70495E-F414-4403-8BDB-1F5B34542C71} - (no file)
Toolbar-SITEguard - (no file)
HKLM-Run-yunubeduye - c:\windows\system32\ladowozi.dll
MSConfigStartUp-WinFlyer32 - c:\windows\system32\WinFlyer32.dll


.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Cindy\Application Data\Mozilla\Firefox\Profiles\w80lv25l.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-divx&p=
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://us.mg3.mail.yahoo.com/dc/launch? ... r25qqqla35
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-divx&p=
FF - component: c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
FF - plugin: c:\documents and settings\Cindy\Application Data\Mozilla\Firefox\Profiles\w80lv25l.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071101000055.dll
FF - plugin: c:\program files\Microsoft Silverlight\2.0.31005.0\npctrl.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmusicn.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npsnapfish.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - plugin: c:\program files\Yahoo!\Shared\npYState.dll

ATTENTION: FIREFOX POLICES IS IN FORCE
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.rights.version", 3);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.rights.3.shown", false);
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-18 17:17:19
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(768)
c:\windows\system32\Ati2evxx.dll
c:\program files\Citrix\GoToAssist\514\G2AWinLogon.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\windows\system32\msdtc.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\windows\ehome\ehrecvr.exe
c:\windows\system32\inetsrv\inetinfo.exe
c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\progra~1\TRENDM~1\INTERN~1\PcCtlCom.exe
c:\windows\system32\snmp.exe
c:\windows\ehome\mcrdsvc.exe
c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
c:\program files\Common Files\LogiShrd\LQCVFX\COCIManager.exe
c:\progra~1\TRENDM~1\INTERN~1\pccguide.exe
.
**************************************************************************
.
Completion time: 2008-12-18 17:26:51 - machine was rebooted [Cindy]
ComboFix-quarantined-files.txt 2008-12-18 23:25:29

Pre-Run: 44,317,065,216 bytes free
Post-Run: 44,608,782,336 bytes free

307 --- E O F --- 2008-11-12 06:07:04




Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:35:18 PM, on 12/18/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Logitech\QuickCam\Quickcam.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PccGuide.exe
C:\WINDOWS\explorer.exe
C:\Program Files\iTunes\iTunes.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Last.fm\LastFM.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\distnoted.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceHelper.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Control Popups in Internet Explorer - {41353F8B-78CE-48A5-BE44-153ED293D192} - C:\PROGRA~1\POPUPP~1\PopLib.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {bb4f7f3b-f3e0-4eda-a258-37091c60fd7f} - C:\WINDOWS\system32\nedutana.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: (no name) - {A057A204-BACC-4D26-9990-79A187E2698E} - (no file)
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam\Quickcam.exe" /hide
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [CPM7bd66a08] Rundll32.exe "c:\windows\system32\giyesewu.dll",a
O4 - HKLM\..\Run: [yunubeduye] Rundll32.exe "C:\WINDOWS\system32\ladowozi.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: PopupPopper Control Panel - {3E94F358-9537-4BBA-8D12-D7F8A0136973} - C:\Program Files\PopupPopper\SiteList.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\system32\shdocvw.dll
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by101fd.bay101.hotmail.msn.com/r ... nPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 8947606953
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 5637086015
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/softwa ... Plugin.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: c:\windows\system32\giyesewu.dll,C:\WINDOWS\system32\voguzego.dll
O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\514\G2AWinLogon.dll
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\giyesewu.dll
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\giyesewu.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist\514\g2aservice.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 9223 bytes
3nder
Active Member
 
Posts: 9
Joined: December 14th, 2008, 7:52 pm

Re: Virtumonde-PopUps-Redirects

Unread postby Axephilic » December 19th, 2008, 3:37 pm

Ok, thanks for letting me know about Ad-Aware. :)

Run GMER
Please download gmer.zip from Gmer and save it to your desktop.

  1. Right click on gmer.zip and select Extract All....
  2. Click Next on seeing the Welcome to the Compressed (zipped) Folders Extraction Wizard.
  3. Click on the Browse button. Click on Desktop. Then click OK.
  4. Click Next. It will start extracting.
  5. Once done, check (tick) the Show extracted files box and click Finish.
  6. Double click on gmer.exe to run it.
  7. Select the Rootkit tab.
  8. On the right hand side, check all the items to be scanned, but leave Show All box unchecked.
  9. Select all drives that are connected to your system to be scanned.
  10. Click on the Scan button.
  11. When the scan is finished, click Copy to save the scan log to the Windows clipboard.
  12. Open Notepad or a similar text editor.
  13. Paste the clipboard contents into the text editor.
  14. Save the Gmer scan log and post it in your next reply.
  15. Close Gmer.
  16. Open Command Prompt by going to Start > Run and type in cmd. Press Enter.
  17. In Command Prompt, type in net stop gmer. Press Enter.
  18. Type in exit to close Command Prompt.

Note: Do not run any programs while Gmer is running.

In your next reply, please include:
  1. GMER Log
  2. A new HijackThis log

Regards,
Adam
User avatar
Axephilic
Retired Graduate
 
Posts: 2180
Joined: June 18th, 2007, 1:10 pm
Location: Wisconsin, US

Re: Virtumonde-PopUps-Redirects

Unread postby 3nder » December 22nd, 2008, 1:12 am

Here is the GMER log followed by a new HiJackthis log:

Device \FileSystem\Fastfat \Fat EF966297

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat Tmpreflt.sys (Pre-Filter For XP/Trend Micro Inc.)

Device \FileSystem\Cdfs \Cdfs 829921F8
Device \FileSystem\Cdfs \Cdfs DLAIFS_M.SYS (Drive Letter Access Component/Sonic Solutions)

---- Registry - GMER 1.0.14 ----

Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x41 0x1C 0x51 0xC1 ...
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x36 0xD1 0x9A 0xBD ...
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x90 0x15 0xFD 0xC0 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x41 0x1C 0x51 0xC1 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x36 0xD1 0x9A 0xBD ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x90 0x15 0xFD 0xC0 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x41 0x1C 0x51 0xC1 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x36 0xD1 0x9A 0xBD ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x90 0x15 0xFD 0xC0 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{24540EBC-316E-35D2-80DB-8A535CAF6A35}\ProgMd
Reg HKLM\SOFTWARE\Classes\CLSID\{24540EBC-316E-35D2-80DB-8A535CAF6A35}\ProgMd@ System.Runtime.Remoting.RemotingException
Reg HKLM\SOFTWARE\Classes\CLSID\{432D76CE-8C9E-4EED-ADDD-91737F27A8CB}\InprocServer32@ mscoree.dll
Reg HKLM\SOFTWARE\Classes\CLSID\{432D76CE-8C9E-4EED-ADDD-91737F27A8CB}\InprocServer32@ThreadingModel Both
Reg HKLM\SOFTWARE\Classes\CLSID\{432D76CE-8C9E-4EED-ADDD-91737F27A8CB}\InprocServer32@Class Microsoft.JScript.DebugConvert
Reg HKLM\SOFTWARE\Classes\CLSID\{432D76CE-8C9E-4EED-ADDD-91737F27A8CB}\InprocServer32@Assembly Microsoft.JScript, Version=7.0.5000.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
Reg HKLM\SOFTWARE\Classes\CLSID\{432D76CE-8C9E-4EED-ADDD-91737F27A8CB}\InprocServer32@RuntimeVersion v1.1.4322
Reg HKLM\SOFTWARE\Classes\CLSID\{432D76CE-8C9E-4EED-ADDD-91737F27A8CB}\InprocServer32\7.0.5000.0@Assembly Microsoft.JScript, Version=7.0.5000.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
Reg HKLM\SOFTWARE\Classes\CLSID\{432D76CE-8C9E-4EED-ADDD-91737F27A8CB}\InprocServer32\8.0.0.0
Reg HKLM\SOFTWARE\Classes\CLSID\{432D76CE-8C9E-4EED-ADDD-91737F27A8CB}\InprocServer32\8.0.0.0@Class Microsoft.JScript.DebugConvert
Reg HKLM\SOFTWARE\Classes\CLSID\{432D76CE-8C9E-4EED-ADDD-91737F27A8CB}\InprocServer32\8.0.0.0@Assembly Microsoft.JScript, Version=8.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
Reg HKLM\SOFTWARE\Classes\CLSID\{432D76CE-8C9E-4EED-ADDD-91737F27A8CB}\InprocServer32\8.0.0.0@RuntimeVersion v2.0.50727
Reg HKLM\SOFTWARE\Classes\CLSID\{88D969E8-F192-11D4-A65F-0040963251E5}\InProcServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{88D969E8-F192-11D4-A65F-0040963251E5}\InProcServer32@ C:\Program Files\Common Giles\Microsoft Shared\OFFICE11\msxml5.dll
Reg HKLM\SOFTWARE\Classes\CLSID\{88D969E8-F192-11D4-A65F-0040963251E5}\InProcServer32@ThreadingModel Both
Reg HKLM\SOFTWARE\Classes\CLSID\{DE4AF3B0-F4D4-11D3-B41A-0050DA2E6C21}\Implemented Categories
Reg HKLM\SOFTWARE\Classes\CLSID\{DE4AF3B0-F4D4-11D3-B41A-0050DA2E6C21}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}
Reg HKLM\SOFTWARE\Classes\CLSID\{DE4AF3B0-F4D4-11D3-B41A-0050DA2E6C21}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}
Reg HKLM\SOFTWARE\Classes\CLSID\{FB1F0014-B5EE-456F-9182-652A9366CADA}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{FB1F0014-B5EE-456F-9182-652A9366CADA}\InprocServer32@ C:\WINDOWS\system32\wbocx.ocx
Reg HKLM\SOFTWARE\Classes\Interface\{000C1228-0000-0000-C000-000000000046}\ProxyStubClsid32@ {000C1225-0000-0000-C000-000000000046}
Reg HKLM\SOFTWARE\Classes\Interface\{B4B00613-C48B-3FA9-B8F6-A527EC6F21C3}\TypeLib@Version 2.0
Reg HKLM\SOFTWARE\Classes\iTunes.Applisation
Reg HKLM\SOFTWARE\Classes\iTunes.Applisation@ iTunes Class
Reg HKLM\SOFTWARE\Classes\iTunes.Applisation\CLSID
Reg HKLM\SOFTWARE\Classes\iTunes.Applisation\CLSID@ {DC0C2640-1415-4644-875C-6F4D769839BA}
Reg HKLM\SOFTWARE\Classes\iTunes.Applisation\CurVer
Reg HKLM\SOFTWARE\Classes\TypeLib\{0D452EE1-E08F-101A-852E-02608C4D0BB4}\2.0\0\win32
Reg HKLM\SOFTWARE\Classes\TypeLib\{0D452EE1-E08F-101A-852E-02608C4D0BB4}\2.0\0\win32@ C:\WINDOWS\system32\FM20.DLL
Reg HKLM\SOFTWARE\Classes\TypeLib\{3EDC3093-6AF0-11D4-963C-000039B6C417}\1.0\FLAGS
Reg HKLM\SOFTWARE\Classes\TypeLib\{3EDC3093-6AF0-11D4-963C-000039B6C417}\1.0\FLAGS@ 0

---- EOF - GMER 1.0.14 ----

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:11:50 PM, on 12/21/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Logitech\QuickCam\Quickcam.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PccGuide.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Control Popups in Internet Explorer - {41353F8B-78CE-48A5-BE44-153ED293D192} - C:\PROGRA~1\POPUPP~1\PopLib.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {bb4f7f3b-f3e0-4eda-a258-37091c60fd7f} - C:\WINDOWS\system32\nedutana.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: (no name) - {A057A204-BACC-4D26-9990-79A187E2698E} - (no file)
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam\Quickcam.exe" /hide
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [yunubeduye] Rundll32.exe "C:\WINDOWS\system32\ladowozi.dll",s
O4 - HKLM\..\Run: [78e55994] rundll32.exe "C:\WINDOWS\system32\gifeleho.dll",b
O4 - HKLM\..\Run: [CPM7bd66a08] Rundll32.exe "c:\windows\system32\suwuwari.dll",a
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: PopupPopper Control Panel - {3E94F358-9537-4BBA-8D12-D7F8A0136973} - C:\Program Files\PopupPopper\SiteList.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\system32\shdocvw.dll
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by101fd.bay101.hotmail.msn.com/r ... nPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 8947606953
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 5637086015
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/softwa ... Plugin.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\WINDOWS\system32\voguzego.dll c:\windows\system32\suwuwari.dll
O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\514\G2AWinLogon.dll
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\suwuwari.dll
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\suwuwari.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist\514\g2aservice.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 9054 bytes
3nder
Active Member
 
Posts: 9
Joined: December 14th, 2008, 7:52 pm

Re: Virtumonde-PopUps-Redirects

Unread postby Axephilic » December 22nd, 2008, 4:06 pm

Hello,

Fix HijackThis lines

  • Run HijackThis!
  • Click on Do a System Scan only
  • Place a tick next to the following lines:

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    O2 - BHO: (no name) - {bb4f7f3b-f3e0-4eda-a258-37091c60fd7f} - C:\WINDOWS\system32\nedutana.dll
    O3 - Toolbar: (no name) - {A057A204-BACC-4D26-9990-79A187E2698E} - (no file)
    O4 - HKLM\..\Run: [yunubeduye] Rundll32.exe "C:\WINDOWS\system32\ladowozi.dll",s
    O4 - HKLM\..\Run: [78e55994] rundll32.exe "C:\WINDOWS\system32\gifeleho.dll",b
    O4 - HKLM\..\Run: [CPM7bd66a08] Rundll32.exe "c:\windows\system32\suwuwari.dll",a
    O20 - AppInit_DLLs: C:\WINDOWS\system32\voguzego.dll c:\windows\system32\suwuwari.dll
    O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\suwuwari.dll
    O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\suwuwari.dll
Close all open windows and click on Fix checked and when you get a popup window click on Yes.


1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the codebox below into it:

Code: Select all
File::
c:\windows\system32\drivers\lvuvc.hs
c:\windows\system32\drivers\logiflt.iad
c:\windows\system32\suwuwari.dll
C:\WINDOWS\system32\gifeleho.dll
C:\WINDOWS\system32\ladowozi.dll
C:\WINDOWS\system32\nedutana.dll

Folder::
c:\documents and settings\Cindy\Application Data\uTorrent
c:\documents and settings\Cindy\Application Data\Desktopicon
c:\program files\uTorrent

Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Documents and Settings\\Cindy\\Desktop\\utorrent.exe"=-



Save this as "CFScript.txt", and as Type: All Files (*.*) in the same location as ComboFix.exe


Image

Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.


Kaspersky Online Scanner
Please go to Kaspersky website and perform an online antivirus scan.

  1. Read through the requirements and privacy statement and click on Accept button.
  2. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  3. When the downloads have finished, click on Settings.
  4. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
      Spyware, Adware, Dialers, and other potentially dangerous programs
      Archives
      Mail databases
  5. Click on My Computer under Scan.
  6. Once the scan is complete, it will display the results. Click on View Scan Report.
  7. You will see a list of infected items there. Click on Save Report As....
  8. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  9. Please post this log in your next reply.


In your next reply, please include:
  1. Kaskpersky Report
  2. CFScript.txt
  3. A new HijackThis log

Regards,
Adam
User avatar
Axephilic
Retired Graduate
 
Posts: 2180
Joined: June 18th, 2007, 1:10 pm
Location: Wisconsin, US

Re: Virtumonde-PopUps-Redirects

Unread postby 3nder » December 22nd, 2008, 8:39 pm

Alright, here is my Kaspersky scan results followed by the new ComboFix log and a new HijackThis log:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Monday, December 22, 2008
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Monday, December 22, 2008 19:56:48
Records in database: 1501570
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\
F:\

Scan statistics:
Files scanned: 112784
Threat name: 6
Infected objects: 8
Suspicious objects: 2
Duration of the scan: 02:05:05


File name / Threat name / Threats count
C:\Program Files\Trend Micro\Internet Security 12\Quarantine\13E.tmp Infected: Trojan.Win32.Agent.amp 1
C:\Program Files\Trend Micro\Internet Security 12\Quarantine\2D0.tmp Infected: Trojan.Win32.Agent.amp 1
C:\Program Files\Trend Micro\Internet Security 12\Quarantine\3CF.tmp Infected: Trojan.Win32.Agent.amp 1
C:\Program Files\Trend Micro\Internet Security 12\Quarantine\CE.tmp Infected: EICAR-Test-File 1
C:\Program Files\Trend Micro\Internet Security 12\Quarantine\F.tmp Infected: EICAR-Test-File 1
C:\Program Files\Trend Micro\Internet Security 12\VSSCUHJV.026 Suspicious: Type_Win32 1
C:\Program Files\Trend Micro\Internet Security 12\VSSIF33F.00I Suspicious: Type_Win32 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\gitoribo.dll.vir Infected: Trojan.Win32.Agent.awbx 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\lelimoza.dll.vir Infected: Trojan-Downloader.Win32.Agent.avsj 1
E:\Program Files\Incomplete\T-2368521-i want girl married dear old 192kb.mp3 Infected: Trojan-Downloader.WMA.GetCodec.f 1

The selected area was scanned.

ComboFix 08-12-18.01 - Cindy 2008-12-22 15:01:00.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.565 [GMT -6:00]
Running from: c:\documents and settings\Cindy\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Cindy\Desktop\CFScript.txt
* Created a new restore point
* Resident AV is active


FILE ::
c:\windows\system32\beratano.dll
c:\windows\system32\drivers\logiflt.iad
c:\windows\system32\drivers\lvuvc.hs
c:\windows\system32\gifeleho.dll
c:\windows\system32\ladowozi.dll
c:\windows\system32\nedutana.dll
c:\windows\system32\suwuwari.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Cindy\Application Data\Desktopicon
c:\documents and settings\Cindy\Application Data\Desktopicon\config.ini
c:\documents and settings\Cindy\Application Data\uTorrent
c:\documents and settings\Cindy\Application Data\uTorrent\Amazing Martial Arts Secrets Of Fitness[h33t][shahaz].torrent
c:\documents and settings\Cindy\Application Data\uTorrent\dht.dat
c:\documents and settings\Cindy\Application Data\uTorrent\dht.dat.old
c:\documents and settings\Cindy\Application Data\uTorrent\Mixed.Martial.Arts.The.Book.of.Knowledge.-.BJ.Penn.pdf.torrent
c:\documents and settings\Cindy\Application Data\uTorrent\resume.dat
c:\documents and settings\Cindy\Application Data\uTorrent\resume.dat.old
c:\documents and settings\Cindy\Application Data\uTorrent\rss.dat
c:\documents and settings\Cindy\Application Data\uTorrent\rss.dat.old
c:\documents and settings\Cindy\Application Data\uTorrent\settings.dat
c:\documents and settings\Cindy\Application Data\uTorrent\settings.dat.old
c:\program files\uTorrent
c:\windows\system32\abidimuz.ini
c:\windows\system32\drivers\logiflt.iad
c:\windows\system32\drivers\lvuvc.hs
c:\windows\system32\gifeleho.dll
c:\windows\system32\nedutana.dll
c:\windows\system32\ofuwuboj.ini
c:\windows\system32\ohelefig.ini
c:\windows\system32\suwuwari.dll

.
((((((((((((((((((((((((( Files Created from 2008-11-22 to 2008-12-22 )))))))))))))))))))))))))))))))
.

2008-12-22 15:10 . 2008-12-22 15:10 <DIR> d-------- c:\windows\LastGood
2008-12-21 22:51 . 2008-12-21 22:52 250 --a------ c:\windows\gmer.ini
2008-12-14 18:53 . 2008-12-14 18:53 <DIR> d-------- c:\program files\BillP Studios
2008-12-14 18:53 . 2008-12-14 18:53 <DIR> d-------- c:\documents and settings\Cindy\Application Data\WinPatrol
2008-12-11 20:38 . 2008-12-11 20:38 <DIR> d-------- c:\program files\IObit
2008-12-11 20:38 . 2008-12-11 20:38 <DIR> d-------- c:\documents and settings\Cindy\Application Data\IObit
2008-12-11 20:36 . 2008-12-11 22:37 <DIR> d-------- c:\program files\Wise Registry Cleaner 3
2008-12-11 20:24 . 2008-12-11 20:24 <DIR> d-------- c:\program files\CleanMyPC
2008-12-09 20:49 . 2008-12-09 20:49 <DIR> d-------- c:\program files\Free Audio Pack
2008-12-02 22:57 . 2008-12-04 09:56 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2008-12-02 22:57 . 2008-12-04 09:56 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-02 22:50 . 2008-12-02 22:50 <DIR> d-------- c:\documents and settings\Cindy\Application Data\Malwarebytes
2008-12-01 19:39 . 2008-12-01 19:39 <DIR> d-------- c:\program files\AVG
2008-12-01 19:39 . 2008-12-11 20:25 <DIR> d-------- c:\documents and settings\All Users\Application Data\avg8
2008-12-01 19:35 . 2008-12-01 19:35 <DIR> d-------- c:\program files\SpywareBlaster
2008-12-01 19:20 . 2008-12-01 19:20 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-12-01 19:20 . 2008-12-01 19:20 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-11-30 18:34 . 2008-11-30 18:34 <DIR> d-------- C:\HJT
2008-11-30 17:44 . 2008-11-30 17:43 67,424 --a------ c:\windows\system32\drivers\CDAVFS.sys
2008-11-30 17:44 . 2008-11-30 17:44 64 --a------ c:\windows\av_affiliate.ini
2008-11-30 17:44 . 2008-11-30 17:44 64 --a------ c:\windows\as_affiliate.ini
2008-11-28 12:28 . 2008-11-28 12:28 <DIR> d-------- c:\program files\K-Lite Codec Pack
2008-11-28 12:28 . 2008-07-04 00:34 860,160 --a------ c:\windows\system32\lameACM.acm
2008-11-28 12:28 . 2008-01-10 06:15 755,027 --a------ c:\windows\system32\xvidcore.dll
2008-11-28 12:28 . 2004-01-25 10:18 217,088 --a------ c:\windows\system32\yv12vfw.dll
2008-11-28 12:28 . 2007-09-04 10:56 164,352 --a------ c:\windows\system32\unrar.dll
2008-11-28 12:28 . 2008-01-10 06:16 159,839 --a------ c:\windows\system32\xvidvfw.dll
2008-11-28 12:28 . 2008-06-12 12:36 7,680 --a------ c:\windows\system32\ff_vfw.dll
2008-11-28 12:28 . 2007-07-10 10:10 547 --a------ c:\windows\system32\ff_vfw.dll.manifest
2008-11-28 12:28 . 2007-10-03 09:03 414 --a------ c:\windows\system32\lame_acm.xml
2008-11-28 12:28 . 2008-07-30 13:09 38 --a------ c:\windows\avisplitter.ini
2008-11-28 11:47 . 2008-11-28 11:47 <DIR> d-------- c:\documents and settings\Cindy\Application Data\Media Player Classic
2008-11-24 05:56 . 2008-11-24 05:56 <DIR> d-------- c:\documents and settings\All Users\Application Data\Yahoo! Companion

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-22 19:38 --------- d-----w c:\program files\Common Files\Adobe
2008-12-17 01:50 --------- d-----w c:\documents and settings\Cindy\Application Data\skypePM
2008-12-17 01:50 --------- d-----w c:\documents and settings\Cindy\Application Data\Skype
2008-12-12 21:04 --------- d-----w c:\program files\Common Files\Symantec Shared
2008-12-12 21:00 --------- d-----w c:\program files\Norton Security Scan
2008-12-12 17:25 --------- d--h--w c:\documents and settings\Cindy\Application Data\Move Networks
2008-12-12 04:35 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2008-12-12 04:32 --------- d-----w c:\program files\Yahoo!
2008-12-02 02:07 --------- d-----w c:\program files\Trend Micro
2008-12-01 00:53 --------- d-----w c:\program files\AWS
2008-11-24 11:56 --------- d--h--w c:\documents and settings\Cindy\Application Data\yahoo!
2008-11-15 00:56 --------- d-----w c:\documents and settings\All Users\Application Data\Yahoo!
2008-11-11 19:06 --------- d-----w c:\program files\Sun
2008-11-11 19:06 --------- d-----w c:\program files\Java
2008-11-09 06:42 --------- d-----w c:\documents and settings\All Users\Application Data\Last.fm
2008-11-09 06:41 --------- d-----w c:\program files\Last.fm
2008-11-03 00:33 --------- d-----w c:\documents and settings\Cindy\Application Data\ArcSoft
2008-11-01 21:41 --------- d-----w c:\program files\Musicnotes
2008-11-01 21:40 --------- d-----w c:\documents and settings\All Users\Application Data\Musicnotes
2008-10-27 18:00 --------- d-----w c:\program files\Microsoft CAPICOM 2.1.0.2
2008-10-26 19:00 --------- d-----w c:\program files\Common Files\LogiShrd
2008-10-26 18:57 --------- d-----w c:\program files\Logitech
2008-10-26 18:57 --------- d-----w c:\documents and settings\All Users\Application Data\Logitech
2008-10-26 18:57 --------- d-----w c:\documents and settings\All Users\Application Data\Logishrd
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-22 01:21 --------- d-----w c:\program files\Microsoft Silverlight
2008-10-14 00:22 24 ----a-w c:\documents and settings\Cindy\jagex_runescape_preferences.dat
2008-07-21 22:53 61,224 ----a-w c:\documents and settings\Cindy\GoToAssistDownloadHelper.exe
2008-05-30 19:37 97,916 -c--a-w c:\program files\dxupdate.cab
2008-05-30 19:36 4,165,878 -c--a-w c:\program files\Apr2006_MDX1_x86_Archive.cab
2008-05-30 19:36 13,267,416 -c--a-w c:\program files\dxnt.cab
2008-05-30 19:36 1,805,306 -c--a-w c:\program files\Nov2007_d3dx9_36_x64.cab
2008-05-30 19:36 1,803,408 -c--a-w c:\program files\AUG2007_d3dx9_35_x64.cab
2008-05-30 19:34 528,392 ----a-w c:\program files\DXSETUP.exe
2007-04-25 00:06 88 --sha-r c:\windows\system32\808A268AF2.sys
2007-04-25 00:06 2,516 -csha-w c:\windows\system32\KGyGaAvL.sys
2008-08-18 21:24 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008081820080819\index.dat
.

((((((((((((((((((((((((((((( snapshot@2008-12-18_17.24.29.51 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-12-22 04:50:59 884,736 ----a-w c:\windows\gmer.dll
+ 2008-04-18 03:13:02 811,008 ----a-w c:\windows\gmer.exe
+ 2008-12-22 19:38:42 295,606 ----a-r c:\windows\Installer\{AC76BA86-7AD7-1033-7B44-A81300000003}\SC_Reader.exe
+ 2008-12-22 17:19:09 95,858 --sha-w c:\windows\system32\berateno.dll
+ 2008-12-22 04:50:59 85,969 ----a-w c:\windows\system32\drivers\gmer.sys
- 2008-12-18 23:17:41 219,507 ----a-w c:\windows\system32\inetsrv\MetaBase.bin
+ 2008-12-22 21:06:31 219,496 ----a-w c:\windows\system32\inetsrv\MetaBase.bin
+ 2008-12-19 13:47:42 97,862 --sha-w c:\windows\system32\jugusaja.dll
+ 2008-12-22 17:19:09 83,228 --sha-w c:\windows\system32\zumidiba.dll
+ 2008-12-22 21:06:31 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_248.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2008-02-13 564496]
"LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam\Quickcam.exe" [2008-02-13 2196240]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"yunubeduye"="c:\windows\system32\ladowozi.dll" [BU]
"CPM7bd66a08"="c:\windows\system32\berateno.dll" [2008-12-22 95858]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe [2008-10-15 39792]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\SharedTaskScheduler]
"{EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4}"= "c:\windows\system32\berateno.dll" [2008-12-22 95858]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"SSODL"= {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\berateno.dll [2008-12-22 95858]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2008-07-21 16:53 10536 c:\program files\Citrix\GoToAssist\514\g2awinlogon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\berateno.dll
"LoadAppInit_DLLs"=1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.iv41"= ir41_32.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Cindy^Start Menu^Programs^Startup^HotSync Manager.lnk]
backup=c:\windows\pss\HotSync Manager.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Cindy^Start Menu^Programs^Startup^Registration Heritage of Kings - The Settlers.LNK]
backup=c:\windows\pss\Registration Heritage of Kings - The Settlers.LNKStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\amd_dc_opt]
--a--c--- 2006-11-17 16:49 77824 c:\program files\AMD\Dual-Core Optimizer\amd_dc_opt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2008-04-13 18:12 15360 c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DLA]
--a--c--- 2005-11-07 05:20 122940 c:\windows\system32\DLA\DLACTRLW.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
--a--c--- 2005-02-23 16:19 53248 c:\program files\CyberLink\PowerDVD\DVDLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
--a--c--- 2005-08-05 13:56 64512 c:\windows\ehome\ehtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
--a--c--- 2004-07-27 16:50 221184 c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
--a--c--- 2004-07-27 16:50 81920 c:\program files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-02-04 14:18 267048 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\pccguide.exe]
--a------ 2006-12-08 19:06 823362 c:\program files\Trend Micro\Internet Security 12\pccguide.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-05-27 09:50 413696 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a--c--- 2007-03-14 02:43 83608 c:\program files\Java\jre1.6.0_01\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsmqIntCert]
--a------ 2008-04-13 18:11 177152 c:\windows\system32\mqrt.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
--a--c--- 2005-03-22 18:20 339968 c:\windows\stsystra.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\mqsvc.exe"=
"c:\\Program Files\\Last.fm\\LastFM.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"e:\\Program Files\\Microsoft Games\\Rise of Nations\\thrones.exe"=
"c:\\Documents and Settings\\Cindy\\Desktop\\Skype.exe"=
"c:\\Program Files\\Trend Micro\\Internet Security 12\\Tmntsrv.exe"=
"c:\\Program Files\\Lavasoft\\Ad-Aware\\aawservice.exe"=
"c:\\Program Files\\Common Files\\Apple\\Mobile Device Support\\bin\\AppleMobileDeviceService.exe"=
"c:\\Program Files\\Common Files\\Microsoft Shared\\VS7DEBUG\\MDM.EXE"=
"c:\\ComboFix\\fdsv.cfexe"=
"c:\\Program Files\\Common Files\\LogiShrd\\LQCVFX\\COCIManager.exe"=

R2 Tmfilter;Tmfilter;c:\windows\system32\drivers\TmXPFlt.sys [2006-12-08 205328]
R2 Tmntsrv;Trend Micro Real-time Service;c:\progra~1\TRENDM~1\INTERN~1\Tmntsrv.exe [2006-12-08 290889]
R2 TmPfw;Trend Micro Personal Firewall;c:\progra~1\TRENDM~1\INTERN~1\TmPfw.exe [2006-12-08 585792]
R2 Tmpreflt;Tmpreflt;c:\windows\system32\drivers\Tmpreflt.sys [2006-12-08 36368]
R2 tmproxy;Trend Micro Proxy Service;c:\progra~1\TRENDM~1\INTERN~1\tmproxy.exe [2006-12-08 262215]
R2 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\Viewpoint\Common\ViewpointService.exe" [2007-11-24 24652]
S3 CDAVFS;CDAVFS;c:\windows\system32\DRIVERS\CDAVFS.sys [2008-11-30 67424]
S3 MusCDriverV32;MusCDriverV32;c:\windows\system32\drivers\MusCDriverV32.sys [2008-01-07 513152]
S3 MusCVideo32;MusCVideo32;c:\windows\system32\DRIVERS\MusCVideo32.sys [2008-01-07 3768]
S3 PAC207;CIF USB Camera;c:\windows\system32\DRIVERS\PFC027.SYS [2008-10-20 505984]
.
Contents of the 'Scheduled Tasks' folder

2008-12-17 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 16:57]

2008-12-13 c:\windows\Tasks\Norton Security Scan.job
- c:\program files\Norton Security Scan\Nss.exe [2007-01-18 17:24]
.
- - - - ORPHANS REMOVED - - - -

BHO-{bb4f7f3b-f3e0-4eda-a258-37091c60fd7f} - c:\windows\system32\nedutana.dll


.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Cindy\Application Data\Mozilla\Firefox\Profiles\w80lv25l.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-divx&p=
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://us.mg3.mail.yahoo.com/dc/launch? ... r25qqqla35
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-divx&p=
FF - component: c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
FF - plugin: c:\documents and settings\Cindy\Application Data\Mozilla\Firefox\Profiles\w80lv25l.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071101000055.dll
FF - plugin: c:\program files\Microsoft Silverlight\2.0.31005.0\npctrl.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmusicn.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npsnapfish.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - plugin: c:\program files\Yahoo!\Shared\npYState.dll

ATTENTION: FIREFOX POLICES IS IN FORCE
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.rights.version", 3);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.rights.3.shown", false);
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-22 15:33:30
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

c:\windows\explorer.exe [184] 0x82B4DB88

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(764)
c:\windows\system32\Ati2evxx.dll
c:\program files\Citrix\GoToAssist\514\G2AWinLogon.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\windows\system32\msdtc.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\windows\ehome\ehrecvr.exe
c:\windows\system32\inetsrv\inetinfo.exe
c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\progra~1\TRENDM~1\INTERN~1\PcCtlCom.exe
c:\windows\system32\snmp.exe
c:\windows\ehome\mcrdsvc.exe
c:\program files\Common Files\LogiShrd\LQCVFX\COCIManager.exe
.
**************************************************************************
.
Completion time: 2008-12-22 15:39:38 - machine was rebooted
ComboFix-quarantined-files.txt 2008-12-22 21:38:58
ComboFix2.txt 2008-12-18 23:26:53

Pre-Run: 44,501,741,568 bytes free
Post-Run: 44,374,110,208 bytes free

321 --- E O F --- 2008-11-12 06:07:04

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:39:18 PM, on 12/22/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Logitech\QuickCam\Quickcam.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Control Popups in Internet Explorer - {41353F8B-78CE-48A5-BE44-153ED293D192} - C:\PROGRA~1\POPUPP~1\PopLib.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam\Quickcam.exe" /hide
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [yunubeduye] Rundll32.exe "C:\WINDOWS\system32\ladowozi.dll",s
O4 - HKLM\..\Run: [CPM7bd66a08] Rundll32.exe "C:\WINDOWS\system32\berateno.dll",a
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: PopupPopper Control Panel - {3E94F358-9537-4BBA-8D12-D7F8A0136973} - C:\Program Files\PopupPopper\SiteList.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\system32\shdocvw.dll
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by101fd.bay101.hotmail.msn.com/r ... nPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 8947606953
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 5637086015
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/softwa ... Plugin.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: c:\windows\system32\berateno.dll
O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\514\G2AWinLogon.dll
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\berateno.dll
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\berateno.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist\514\g2aservice.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 8676 bytes
3nder
Active Member
 
Posts: 9
Joined: December 14th, 2008, 7:52 pm

Re: Virtumonde-PopUps-Redirects

Unread postby Axephilic » December 23rd, 2008, 12:52 pm

Hello,

Update Adobe Reader
Recently there have been vunerabilities detected in older versions of Adobe Reader. It is strongly suggested that you update to the current version. Adobe Reader 9.
Please uninstall all old versions of Adobe Reader and then you can download the newest version from http://www.adobe.com/products/acrobat/readstep2.html
If you already have Adobe Photoshop� Album Starter Edition installed or do not wish to have it installed UNcheck the box which says Also Download Adobe Photoshop� Album Starter Edition.


Update Java
Your JRE is out of date. The current version is Java Runtime Environment (JRE) 6 Update 11.

  1. Click on Start > Control Panel and double click on Add/Remove Programs. Locate J2SE Runtime Environment 5.0 Update 1
    and click on Change/Remove to uninstall it.
  2. Repeat for these old versions of JRE

    J2SE Runtime Environment 5.0 Update 11
    J2SE Runtime Environment 5.0 Update 3
    J2SE Runtime Environment 5.0 Update 6
    Java(TM) 6 Update 7
    Java(TM) SE Runtime Environment 6 Update 1
  3. Click here to visit Java's website.
  4. Select Windows from the drop-down list for Platform.
  5. Select Multi-language from the drop-down list for Language.
  6. Check (tick) I agree to the Java SE Runtime Environment 6 License Agreement box and click on Continue.
  7. Click on jre-6u11-windows-i586-p.exe link to download it and save this to a convenient location.
  8. Run this installation to update your Java.


Fix HijackThis lines

  • Run HijackThis!
  • Click on Do a System Scan only
  • Place a tick next to the following lines:

    O4 - HKLM\..\Run: [yunubeduye] Rundll32.exe "C:\WINDOWS\system32\ladowozi.dll",s
    O4 - HKLM\..\Run: [CPM7bd66a08] Rundll32.exe "C:\WINDOWS\system32\berateno.dll",a
    O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\berateno.dll
    O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\berateno.dll
Close all open windows and click on Fix checked and when you get a popup window click on Yes.


1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the codebox below into it:

Code: Select all
File::
E:\Program Files\Incomplete\T-2368521-i want girl married dear old 192kb.mp3
c:\windows\system32\zumidiba.dll
c:\windows\system32\jugusaja.dll
c:\windows\system32\berateno.dll

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLS"=""


Save this as "CFScript.txt", and as Type: All Files (*.*) in the same location as ComboFix.exe


Image

Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.


Scan with Malwarebytes' Anti-Malware

  • Double click on the Malwarebytes' Anti-Malware icon on your desktop.
  • Once the program has loaded, click on the Update tab and click on Check for Updates.
  • Click on the Scanner tab.
  • Select Perform full scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. please copy and paste the log into your next reply.
  • If you accidently close it, the log file is saved here and will be named like this: C:\Documents and Settings\<your username>\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

In your next reply, please include:
  1. ComboFix.txt log
  2. MalwareBytes' log
  3. A new HijackThis log

Regards,
Adam
User avatar
Axephilic
Retired Graduate
 
Posts: 2180
Joined: June 18th, 2007, 1:10 pm
Location: Wisconsin, US

Re: Virtumonde-PopUps-Redirects

Unread postby 3nder » December 24th, 2008, 5:31 pm

Here is the Combofix log followed by the Malware log and a new Hijackthis:

ComboFix 08-12-18.01 - Cindy 2008-12-24 13:18:10.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.498 [GMT -6:00]
Running from: c:\documents and settings\Cindy\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Cindy\Desktop\CfScript.txt
* Created a new restore point
* Resident AV is active


FILE ::
c:\windows\system32\berateno.dll
c:\windows\system32\jugusaja.dll
c:\windows\system32\zumidiba.dll
e:\program files\Incomplete\T-2368521-i want girl married dear old 192kb.mp3
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\berateno.dll
c:\windows\system32\jugusaja.dll
c:\windows\system32\zumidiba.dll
e:\program files\Incomplete\T-2368521-i want girl married dear old 192kb.mp3

.
((((((((((((((((((((((((( Files Created from 2008-11-24 to 2008-12-24 )))))))))))))))))))))))))))))))
.

2008-12-24 13:12 . 2008-12-24 13:12 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-12-24 13:12 . 2008-12-03 19:52 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-24 13:12 . 2008-12-03 19:52 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-12-24 12:49 . 2008-12-24 12:49 <DIR> d-------- c:\program files\Common Files\Adobe AIR
2008-12-23 17:42 . 2008-12-23 17:41 410,984 --a------ c:\windows\system32\deploytk.dll
2008-12-23 17:42 . 2008-12-23 17:41 73,728 --a------ c:\windows\system32\javacpl.cpl
2008-12-23 13:15 . 2008-12-24 13:23 0 --a------ c:\windows\system32\drivers\lvuvc.hs
2008-12-22 15:53 . 2008-12-23 17:25 <DIR> d-------- c:\documents and settings\Cindy\Application Data\uTorrent
2008-12-21 22:51 . 2008-12-21 22:52 250 --a------ c:\windows\gmer.ini
2008-12-14 18:53 . 2008-12-14 18:53 <DIR> d-------- c:\program files\BillP Studios
2008-12-14 18:53 . 2008-12-14 18:53 <DIR> d-------- c:\documents and settings\Cindy\Application Data\WinPatrol
2008-12-11 20:38 . 2008-12-11 20:38 <DIR> d-------- c:\program files\IObit
2008-12-11 20:38 . 2008-12-11 20:38 <DIR> d-------- c:\documents and settings\Cindy\Application Data\IObit
2008-12-11 20:36 . 2008-12-11 22:37 <DIR> d-------- c:\program files\Wise Registry Cleaner 3
2008-12-11 20:24 . 2008-12-11 20:24 <DIR> d-------- c:\program files\CleanMyPC
2008-12-09 20:49 . 2008-12-09 20:49 <DIR> d-------- c:\program files\Free Audio Pack
2008-12-02 22:57 . 2008-12-04 09:56 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2008-12-02 22:57 . 2008-12-04 09:56 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-02 22:50 . 2008-12-02 22:50 <DIR> d-------- c:\documents and settings\Cindy\Application Data\Malwarebytes
2008-12-01 19:39 . 2008-12-01 19:39 <DIR> d-------- c:\program files\AVG
2008-12-01 19:39 . 2008-12-11 20:25 <DIR> d-------- c:\documents and settings\All Users\Application Data\avg8
2008-12-01 19:35 . 2008-12-01 19:35 <DIR> d-------- c:\program files\SpywareBlaster
2008-12-01 19:20 . 2008-12-01 19:20 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-11-30 18:34 . 2008-11-30 18:34 <DIR> d-------- C:\HJT
2008-11-30 17:44 . 2008-11-30 17:43 67,424 --a------ c:\windows\system32\drivers\CDAVFS.sys
2008-11-30 17:44 . 2008-11-30 17:44 64 --a------ c:\windows\av_affiliate.ini
2008-11-30 17:44 . 2008-11-30 17:44 64 --a------ c:\windows\as_affiliate.ini
2008-11-28 12:28 . 2008-11-28 12:28 <DIR> d-------- c:\program files\K-Lite Codec Pack
2008-11-28 12:28 . 2008-07-04 00:34 860,160 --a------ c:\windows\system32\lameACM.acm
2008-11-28 12:28 . 2008-01-10 06:15 755,027 --a------ c:\windows\system32\xvidcore.dll
2008-11-28 12:28 . 2004-01-25 10:18 217,088 --a------ c:\windows\system32\yv12vfw.dll
2008-11-28 12:28 . 2007-09-04 10:56 164,352 --a------ c:\windows\system32\unrar.dll
2008-11-28 12:28 . 2008-01-10 06:16 159,839 --a------ c:\windows\system32\xvidvfw.dll
2008-11-28 12:28 . 2008-06-12 12:36 7,680 --a------ c:\windows\system32\ff_vfw.dll
2008-11-28 12:28 . 2007-07-10 10:10 547 --a------ c:\windows\system32\ff_vfw.dll.manifest
2008-11-28 12:28 . 2007-10-03 09:03 414 --a------ c:\windows\system32\lame_acm.xml
2008-11-28 12:28 . 2008-07-30 13:09 38 --a------ c:\windows\avisplitter.ini
2008-11-28 11:47 . 2008-11-28 11:47 <DIR> d-------- c:\documents and settings\Cindy\Application Data\Media Player Classic
2008-11-24 05:56 . 2008-11-24 05:56 <DIR> d-------- c:\documents and settings\All Users\Application Data\Yahoo! Companion

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-24 19:05 --------- d-----w c:\program files\Common Files\Adobe
2008-12-24 05:29 --------- d-----w c:\documents and settings\Cindy\Application Data\Skype
2008-12-24 05:03 --------- d-----w c:\documents and settings\Cindy\Application Data\skypePM
2008-12-23 23:41 --------- d-----w c:\program files\Java
2008-12-12 21:04 --------- d-----w c:\program files\Common Files\Symantec Shared
2008-12-12 21:00 --------- d-----w c:\program files\Norton Security Scan
2008-12-12 17:25 --------- d--h--w c:\documents and settings\Cindy\Application Data\Move Networks
2008-12-12 04:35 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2008-12-12 04:32 --------- d-----w c:\program files\Yahoo!
2008-12-02 02:07 --------- d-----w c:\program files\Trend Micro
2008-12-01 00:53 --------- d-----w c:\program files\AWS
2008-11-24 11:56 --------- d--h--w c:\documents and settings\Cindy\Application Data\yahoo!
2008-11-15 00:56 --------- d-----w c:\documents and settings\All Users\Application Data\Yahoo!
2008-11-11 19:06 --------- d-----w c:\program files\Sun
2008-11-09 06:42 --------- d-----w c:\documents and settings\All Users\Application Data\Last.fm
2008-11-09 06:41 --------- d-----w c:\program files\Last.fm
2008-11-03 00:33 --------- d-----w c:\documents and settings\Cindy\Application Data\ArcSoft
2008-11-01 21:41 --------- d-----w c:\program files\Musicnotes
2008-11-01 21:40 --------- d-----w c:\documents and settings\All Users\Application Data\Musicnotes
2008-10-27 18:00 --------- d-----w c:\program files\Microsoft CAPICOM 2.1.0.2
2008-10-26 19:00 --------- d-----w c:\program files\Common Files\LogiShrd
2008-10-26 18:57 --------- d-----w c:\program files\Logitech
2008-10-26 18:57 --------- d-----w c:\documents and settings\All Users\Application Data\Logitech
2008-10-26 18:57 --------- d-----w c:\documents and settings\All Users\Application Data\Logishrd
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-14 00:22 24 ----a-w c:\documents and settings\Cindy\jagex_runescape_preferences.dat
2008-07-21 22:53 61,224 ----a-w c:\documents and settings\Cindy\GoToAssistDownloadHelper.exe
2008-05-30 19:37 97,916 -c--a-w c:\program files\dxupdate.cab
2008-05-30 19:36 4,165,878 -c--a-w c:\program files\Apr2006_MDX1_x86_Archive.cab
2008-05-30 19:36 13,267,416 -c--a-w c:\program files\dxnt.cab
2008-05-30 19:36 1,805,306 -c--a-w c:\program files\Nov2007_d3dx9_36_x64.cab
2008-05-30 19:36 1,803,408 -c--a-w c:\program files\AUG2007_d3dx9_35_x64.cab
2008-05-30 19:34 528,392 ----a-w c:\program files\DXSETUP.exe
2007-04-25 00:06 88 --sha-r c:\windows\system32\808A268AF2.sys
2007-04-25 00:06 2,516 -csha-w c:\windows\system32\KGyGaAvL.sys
2008-08-18 21:24 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008081820080819\index.dat
.

((((((((((((((((((((((((((((( snapshot_2008-12-23_17.52.49.40 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-12-12 21:06:42 295,606 ----a-r c:\windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\SC_Reader.exe
- 2008-11-02 13:30:10 552,768 ----a-w c:\windows\system32\FNTCACHE.DAT
+ 2008-12-24 19:23:33 202,528 ----a-w c:\windows\system32\FNTCACHE.DAT
- 2008-12-23 19:20:25 219,495 ----a-w c:\windows\system32\inetsrv\MetaBase.bin
+ 2008-12-24 19:28:01 219,500 ----a-w c:\windows\system32\inetsrv\MetaBase.bin
+ 2008-12-24 19:24:03 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_248.dat
+ 2008-12-24 19:24:01 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_f8.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2008-02-13 564496]
"LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam\Quickcam.exe" [2008-02-13 2196240]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-23 136600]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2008-07-21 16:53 10536 c:\program files\Citrix\GoToAssist\514\g2awinlogon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.iv41"= ir41_32.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Cindy^Start Menu^Programs^Startup^HotSync Manager.lnk]
backup=c:\windows\pss\HotSync Manager.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Cindy^Start Menu^Programs^Startup^Registration Heritage of Kings - The Settlers.LNK]
backup=c:\windows\pss\Registration Heritage of Kings - The Settlers.LNKStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\amd_dc_opt]
--a--c--- 2006-11-17 16:49 77824 c:\program files\AMD\Dual-Core Optimizer\amd_dc_opt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2008-04-13 18:12 15360 c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DLA]
--a--c--- 2005-11-07 05:20 122940 c:\windows\system32\DLA\DLACTRLW.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
--a--c--- 2005-02-23 16:19 53248 c:\program files\CyberLink\PowerDVD\DVDLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
--a--c--- 2005-08-05 13:56 64512 c:\windows\ehome\ehtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
--a--c--- 2004-07-27 16:50 221184 c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
--a--c--- 2004-07-27 16:50 81920 c:\program files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-02-04 14:18 267048 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\pccguide.exe]
--a------ 2006-12-08 19:06 823362 c:\program files\Trend Micro\Internet Security 12\pccguide.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-05-27 09:50 413696 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsmqIntCert]
--a------ 2008-04-13 18:11 177152 c:\windows\system32\mqrt.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
--a--c--- 2005-03-22 18:20 339968 c:\windows\stsystra.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\mqsvc.exe"=
"c:\\Program Files\\Last.fm\\LastFM.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"e:\\Program Files\\Microsoft Games\\Rise of Nations\\thrones.exe"=
"c:\\Program Files\\Trend Micro\\Internet Security 12\\Tmntsrv.exe"=
"c:\\Program Files\\Lavasoft\\Ad-Aware\\aawservice.exe"=
"c:\\Program Files\\Common Files\\Apple\\Mobile Device Support\\bin\\AppleMobileDeviceService.exe"=
"c:\\Program Files\\Common Files\\Microsoft Shared\\VS7DEBUG\\MDM.EXE"=
"c:\\ComboFix\\fdsv.cfexe"=
"c:\\Program Files\\Common Files\\LogiShrd\\LQCVFX\\COCIManager.exe"=
"c:\\Documents and Settings\\Cindy\\Desktop\\uTorrent.exe"=
"c:\\Documents and Settings\\Cindy\\Desktop\\Skype.exe"=

R2 Tmfilter;Tmfilter;c:\windows\system32\drivers\TmXPFlt.sys [2006-12-08 205328]
R2 Tmntsrv;Trend Micro Real-time Service;c:\progra~1\TRENDM~1\INTERN~1\Tmntsrv.exe [2006-12-08 290889]
R2 TmPfw;Trend Micro Personal Firewall;c:\progra~1\TRENDM~1\INTERN~1\TmPfw.exe [2006-12-08 585792]
R2 Tmpreflt;Tmpreflt;c:\windows\system32\drivers\Tmpreflt.sys [2006-12-08 36368]
R2 tmproxy;Trend Micro Proxy Service;c:\progra~1\TRENDM~1\INTERN~1\tmproxy.exe [2006-12-08 262215]
R2 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\Viewpoint\Common\ViewpointService.exe" [2007-11-24 24652]
S3 CDAVFS;CDAVFS;c:\windows\system32\DRIVERS\CDAVFS.sys [2008-11-30 67424]
S3 MusCDriverV32;MusCDriverV32;c:\windows\system32\drivers\MusCDriverV32.sys [2008-01-07 513152]
S3 MusCVideo32;MusCVideo32;c:\windows\system32\DRIVERS\MusCVideo32.sys [2008-01-07 3768]
S3 PAC207;CIF USB Camera;c:\windows\system32\DRIVERS\PFC027.SYS [2008-10-20 505984]
.
Contents of the 'Scheduled Tasks' folder

2008-12-24 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 16:57]

2008-12-13 c:\windows\Tasks\Norton Security Scan.job
- c:\program files\Norton Security Scan\Nss.exe [2007-01-18 17:24]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-CPM7bd66a08 - c:\windows\system32\berateno.dll


.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Cindy\Application Data\Mozilla\Firefox\Profiles\w80lv25l.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-divx&p=
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://us.mg3.mail.yahoo.com/dc/launch? ... r25qqqla35
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-divx&p=
FF - component: c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
FF - plugin: c:\documents and settings\Cindy\Application Data\Mozilla\Firefox\Profiles\w80lv25l.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071101000055.dll
FF - plugin: c:\program files\Microsoft Silverlight\2.0.31005.0\npctrl.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmusicn.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npsnapfish.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - plugin: c:\program files\Yahoo!\Shared\npYState.dll

ATTENTION: FIREFOX POLICES IS IN FORCE
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.rights.version", 3);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.rights.3.shown", false);
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-24 13:25:44
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

c:\windows\explorer.exe [3824] 0x830059E0

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(768)
c:\windows\system32\Ati2evxx.dll
c:\program files\Citrix\GoToAssist\514\G2AWinLogon.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\windows\system32\msdtc.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\windows\ehome\ehrecvr.exe
c:\windows\system32\inetsrv\inetinfo.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\progra~1\TRENDM~1\INTERN~1\PcCtlCom.exe
c:\windows\system32\snmp.exe
c:\windows\ehome\mcrdsvc.exe
c:\program files\Common Files\LogiShrd\LQCVFX\COCIManager.exe
.
**************************************************************************
.
Completion time: 2008-12-24 13:33:25 - machine was rebooted
ComboFix-quarantined-files.txt 2008-12-24 19:33:00
ComboFix2.txt 2008-12-23 23:54:45
ComboFix3.txt 2008-12-22 21:39:40
ComboFix4.txt 2008-12-18 23:26:53

Pre-Run: 42,823,573,504 bytes free
Post-Run: 42,821,468,160 bytes free

265 --- E O F --- 2008-12-23 19:09:35


Malwarebytes' Anti-Malware 1.31
Database version: 1542
Windows 5.1.2600 Service Pack 3

12/24/2008 3:29:43 PM
mbam-log-2008-12-24 (15-29-43).txt

Scan type: Full Scan (C:\|E:\|F:\|)
Objects scanned: 157416
Time elapsed: 1 hour(s), 46 minute(s), 9 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 35

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\System Volume Information\_restore{527CB35E-A860-439A-9A9D-FB3D3219BF94}\RP640\A0100802.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{527CB35E-A860-439A-9A9D-FB3D3219BF94}\RP640\A0100807.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{527CB35E-A860-439A-9A9D-FB3D3219BF94}\RP640\A0100808.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{527CB35E-A860-439A-9A9D-FB3D3219BF94}\RP640\A0100814.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{527CB35E-A860-439A-9A9D-FB3D3219BF94}\RP640\A0100816.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{527CB35E-A860-439A-9A9D-FB3D3219BF94}\RP640\A0100824.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{527CB35E-A860-439A-9A9D-FB3D3219BF94}\RP640\A0100830.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{527CB35E-A860-439A-9A9D-FB3D3219BF94}\RP640\A0100831.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{527CB35E-A860-439A-9A9D-FB3D3219BF94}\RP640\A0100832.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{527CB35E-A860-439A-9A9D-FB3D3219BF94}\RP640\A0100833.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{527CB35E-A860-439A-9A9D-FB3D3219BF94}\RP640\A0100920.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{527CB35E-A860-439A-9A9D-FB3D3219BF94}\RP642\A0101040.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{527CB35E-A860-439A-9A9D-FB3D3219BF94}\RP642\A0101042.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{527CB35E-A860-439A-9A9D-FB3D3219BF94}\RP655\A0102688.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{527CB35E-A860-439A-9A9D-FB3D3219BF94}\RP655\A0102689.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{527CB35E-A860-439A-9A9D-FB3D3219BF94}\RP655\A0102690.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\giyesewu.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\mobahibe.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\takavere.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\nafugizu.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\berateno.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\bikuhagu.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\gifeleho.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\gijoyeri.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\gitoribo.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\jugusaja.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\letunupo.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\muzomovi.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\suwuwari.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\tifupeva.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\wotupogo.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\wuluvado.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\yapadoyi.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\yetevato.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\zumidiba.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:40:50 PM, on 12/24/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Logitech\QuickCam\Quickcam.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Control Popups in Internet Explorer - {41353F8B-78CE-48A5-BE44-153ED293D192} - C:\PROGRA~1\POPUPP~1\PopLib.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam\Quickcam.exe" /hide
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: PopupPopper Control Panel - {3E94F358-9537-4BBA-8D12-D7F8A0136973} - C:\Program Files\PopupPopper\SiteList.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\system32\shdocvw.dll
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by101fd.bay101.hotmail.msn.com/r ... nPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 8947606953
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 5637086015
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/softwa ... Plugin.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\514\G2AWinLogon.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist\514\g2aservice.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 8400 bytes
3nder
Active Member
 
Posts: 9
Joined: December 14th, 2008, 7:52 pm

Re: Virtumonde-PopUps-Redirects

Unread postby Axephilic » December 25th, 2008, 4:29 am

Hello,

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the codebox below into it:

Code: Select all
File::
c:\windows\system32\drivers\lvuvc.hs

Folder::
c:\documents and settings\Cindy\Application Data\uTorrent

Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Documents and Settings\\Cindy\\Desktop\\utorrent.exe"=-


Save this as "CFScript.txt", and as Type: All Files (*.*) in the same location as ComboFix.exe


Image

Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply. Please also post a new HijackThis log and how your computer is running now. :)

Regards,
Adam
User avatar
Axephilic
Retired Graduate
 
Posts: 2180
Joined: June 18th, 2007, 1:10 pm
Location: Wisconsin, US

Re: Virtumonde-PopUps-Redirects

Unread postby 3nder » December 25th, 2008, 12:24 pm

Computer is running great. Haven't had the usual pop-ups and sluggishness. Everything seems to be in working order! :)
(by the way... Happy Holidays!)

Here is the ComboFix log and a HijackThis log:

ComboFix 08-12-18.01 - Cindy 2008-12-25 10:12:47.5 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.538 [GMT -6:00]
Running from: c:\documents and settings\Cindy\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Cindy\Desktop\CFScript.txt
* Created a new restore point
* Resident AV is active


FILE ::
c:\windows\system32\drivers\lvuvc.hs
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Cindy\Application Data\uTorrent
c:\documents and settings\Cindy\Application Data\uTorrent\dht.dat
c:\documents and settings\Cindy\Application Data\uTorrent\dht.dat.old
c:\documents and settings\Cindy\Application Data\uTorrent\resume.dat
c:\documents and settings\Cindy\Application Data\uTorrent\resume.dat.old
c:\documents and settings\Cindy\Application Data\uTorrent\rss.dat
c:\documents and settings\Cindy\Application Data\uTorrent\rss.dat.old
c:\documents and settings\Cindy\Application Data\uTorrent\settings.dat
c:\documents and settings\Cindy\Application Data\uTorrent\settings.dat.old
c:\documents and settings\Cindy\Application Data\uTorrent\utorrent.lng
c:\windows\system32\drivers\lvuvc.hs

.
((((((((((((((((((((((((( Files Created from 2008-11-25 to 2008-12-25 )))))))))))))))))))))))))))))))
.

2008-12-24 13:38 . 2008-12-24 13:37 73,728 --a------ c:\windows\system32\javacpl.cpl
2008-12-24 13:12 . 2008-12-24 13:12 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-12-24 13:12 . 2008-12-03 19:52 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-24 13:12 . 2008-12-03 19:52 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-12-24 12:49 . 2008-12-24 12:49 <DIR> d-------- c:\program files\Common Files\Adobe AIR
2008-12-23 17:42 . 2008-12-24 13:37 410,984 --a------ c:\windows\system32\deploytk.dll
2008-12-21 22:51 . 2008-12-21 22:52 250 --a------ c:\windows\gmer.ini
2008-12-14 18:53 . 2008-12-14 18:53 <DIR> d-------- c:\program files\BillP Studios
2008-12-14 18:53 . 2008-12-14 18:53 <DIR> d-------- c:\documents and settings\Cindy\Application Data\WinPatrol
2008-12-11 20:38 . 2008-12-11 20:38 <DIR> d-------- c:\program files\IObit
2008-12-11 20:38 . 2008-12-11 20:38 <DIR> d-------- c:\documents and settings\Cindy\Application Data\IObit
2008-12-11 20:36 . 2008-12-11 22:37 <DIR> d-------- c:\program files\Wise Registry Cleaner 3
2008-12-11 20:24 . 2008-12-11 20:24 <DIR> d-------- c:\program files\CleanMyPC
2008-12-09 20:49 . 2008-12-09 20:49 <DIR> d-------- c:\program files\Free Audio Pack
2008-12-02 22:57 . 2008-12-04 09:56 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2008-12-02 22:57 . 2008-12-04 09:56 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-02 22:50 . 2008-12-02 22:50 <DIR> d-------- c:\documents and settings\Cindy\Application Data\Malwarebytes
2008-12-01 19:39 . 2008-12-01 19:39 <DIR> d-------- c:\program files\AVG
2008-12-01 19:39 . 2008-12-11 20:25 <DIR> d-------- c:\documents and settings\All Users\Application Data\avg8
2008-12-01 19:35 . 2008-12-01 19:35 <DIR> d-------- c:\program files\SpywareBlaster
2008-12-01 19:20 . 2008-12-01 19:20 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-11-30 18:34 . 2008-11-30 18:34 <DIR> d-------- C:\HJT
2008-11-30 17:44 . 2008-11-30 17:43 67,424 --a------ c:\windows\system32\drivers\CDAVFS.sys
2008-11-30 17:44 . 2008-11-30 17:44 64 --a------ c:\windows\av_affiliate.ini
2008-11-30 17:44 . 2008-11-30 17:44 64 --a------ c:\windows\as_affiliate.ini
2008-11-28 12:28 . 2008-11-28 12:28 <DIR> d-------- c:\program files\K-Lite Codec Pack
2008-11-28 12:28 . 2008-07-04 00:34 860,160 --a------ c:\windows\system32\lameACM.acm
2008-11-28 12:28 . 2008-01-10 06:15 755,027 --a------ c:\windows\system32\xvidcore.dll
2008-11-28 12:28 . 2004-01-25 10:18 217,088 --a------ c:\windows\system32\yv12vfw.dll
2008-11-28 12:28 . 2007-09-04 10:56 164,352 --a------ c:\windows\system32\unrar.dll
2008-11-28 12:28 . 2008-01-10 06:16 159,839 --a------ c:\windows\system32\xvidvfw.dll
2008-11-28 12:28 . 2008-06-12 12:36 7,680 --a------ c:\windows\system32\ff_vfw.dll
2008-11-28 12:28 . 2007-07-10 10:10 547 --a------ c:\windows\system32\ff_vfw.dll.manifest
2008-11-28 12:28 . 2007-10-03 09:03 414 --a------ c:\windows\system32\lame_acm.xml
2008-11-28 12:28 . 2008-07-30 13:09 38 --a------ c:\windows\avisplitter.ini
2008-11-28 11:47 . 2008-11-28 11:47 <DIR> d-------- c:\documents and settings\Cindy\Application Data\Media Player Classic

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-24 19:37 --------- d-----w c:\program files\Java
2008-12-24 19:05 --------- d-----w c:\program files\Common Files\Adobe
2008-12-24 05:29 --------- d-----w c:\documents and settings\Cindy\Application Data\Skype
2008-12-24 05:03 --------- d-----w c:\documents and settings\Cindy\Application Data\skypePM
2008-12-17 00:55 93,884 --sha-w c:\windows\system32\musafike.dll
2008-12-16 23:55 93,949 --sha-w c:\windows\system32\yigiwopa.dll
2008-12-16 23:55 62,694 --sha-w c:\windows\system32\vebeleje.dll
2008-12-12 21:04 --------- d-----w c:\program files\Common Files\Symantec Shared
2008-12-12 21:00 --------- d-----w c:\program files\Norton Security Scan
2008-12-12 17:25 --------- d--h--w c:\documents and settings\Cindy\Application Data\Move Networks
2008-12-12 04:35 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2008-12-12 04:32 --------- d-----w c:\program files\Yahoo!
2008-12-02 02:07 --------- d-----w c:\program files\Trend Micro
2008-12-01 00:53 --------- d-----w c:\program files\AWS
2008-11-24 11:56 --------- d--h--w c:\documents and settings\Cindy\Application Data\yahoo!
2008-11-24 11:56 --------- d-----w c:\documents and settings\All Users\Application Data\Yahoo! Companion
2008-11-15 00:56 --------- d-----w c:\documents and settings\All Users\Application Data\Yahoo!
2008-11-11 19:06 --------- d-----w c:\program files\Sun
2008-11-09 06:42 --------- d-----w c:\documents and settings\All Users\Application Data\Last.fm
2008-11-09 06:41 --------- d-----w c:\program files\Last.fm
2008-11-03 00:33 --------- d-----w c:\documents and settings\Cindy\Application Data\ArcSoft
2008-11-01 21:41 --------- d-----w c:\program files\Musicnotes
2008-11-01 21:40 --------- d-----w c:\documents and settings\All Users\Application Data\Musicnotes
2008-10-27 18:00 --------- d-----w c:\program files\Microsoft CAPICOM 2.1.0.2
2008-10-26 19:00 --------- d-----w c:\program files\Common Files\LogiShrd
2008-10-26 18:57 --------- d-----w c:\program files\Logitech
2008-10-26 18:57 --------- d-----w c:\documents and settings\All Users\Application Data\Logitech
2008-10-26 18:57 --------- d-----w c:\documents and settings\All Users\Application Data\Logishrd
2008-10-23 12:36 286,720 ----a-w c:\windows\system32\gdi32.dll
2008-10-16 20:38 826,368 ----a-w c:\windows\system32\wininet.dll
2008-10-16 20:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 20:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 20:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 20:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 20:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 20:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 20:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 20:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 20:06 268,648 ----a-w c:\windows\system32\mucltui.dll
2008-10-16 20:06 208,744 ----a-w c:\windows\system32\muweb.dll
2008-10-14 00:22 24 ----a-w c:\documents and settings\Cindy\jagex_runescape_preferences.dat
2008-10-03 10:02 247,326 ----a-w c:\windows\system32\strmdll.dll
2008-09-30 22:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll
2008-09-25 02:33 484,352 ----a-w c:\windows\system32\lame_enc.dll
2008-07-21 22:53 61,224 ----a-w c:\documents and settings\Cindy\GoToAssistDownloadHelper.exe
2008-05-30 19:37 97,916 -c--a-w c:\program files\dxupdate.cab
2008-05-30 19:36 4,165,878 -c--a-w c:\program files\Apr2006_MDX1_x86_Archive.cab
2008-05-30 19:36 13,267,416 -c--a-w c:\program files\dxnt.cab
2008-05-30 19:36 1,805,306 -c--a-w c:\program files\Nov2007_d3dx9_36_x64.cab
2008-05-30 19:36 1,803,408 -c--a-w c:\program files\AUG2007_d3dx9_35_x64.cab
2008-05-30 19:34 528,392 ----a-w c:\program files\DXSETUP.exe
2007-04-25 00:06 88 --sha-r c:\windows\system32\808A268AF2.sys
2007-04-25 00:06 2,516 -csha-w c:\windows\system32\KGyGaAvL.sys
2008-08-18 21:24 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008081820080819\index.dat
.

((((((((((((((((((((((((((((( snapshot_2008-12-23_17.52.49.40 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-12-12 21:06:42 295,606 ----a-r c:\windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\SC_Reader.exe
- 2008-11-02 13:30:10 552,768 ----a-w c:\windows\system32\FNTCACHE.DAT
+ 2008-12-24 19:23:33 202,528 ----a-w c:\windows\system32\FNTCACHE.DAT
- 2008-12-23 19:20:25 219,495 ----a-w c:\windows\system32\inetsrv\MetaBase.bin
+ 2008-12-24 19:28:01 219,500 ----a-w c:\windows\system32\inetsrv\MetaBase.bin
- 2008-12-23 23:41:57 144,792 ----a-w c:\windows\system32\java.exe
+ 2008-12-24 19:37:55 144,792 ----a-w c:\windows\system32\java.exe
- 2008-12-23 23:41:57 144,792 ----a-w c:\windows\system32\javaw.exe
+ 2008-12-24 19:37:55 144,792 ----a-w c:\windows\system32\javaw.exe
- 2008-12-23 23:41:57 148,888 ----a-w c:\windows\system32\javaws.exe
+ 2008-12-24 19:37:55 148,888 ----a-w c:\windows\system32\javaws.exe
+ 2008-12-24 19:24:03 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_248.dat
+ 2008-12-24 19:38:40 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_9ac.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2008-02-13 564496]
"LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam\Quickcam.exe" [2008-02-13 2196240]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-24 136600]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2008-07-21 16:53 10536 c:\program files\Citrix\GoToAssist\514\g2awinlogon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.iv41"= ir41_32.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Cindy^Start Menu^Programs^Startup^HotSync Manager.lnk]
backup=c:\windows\pss\HotSync Manager.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Cindy^Start Menu^Programs^Startup^Registration Heritage of Kings - The Settlers.LNK]
backup=c:\windows\pss\Registration Heritage of Kings - The Settlers.LNKStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\amd_dc_opt]
--a--c--- 2006-11-17 16:49 77824 c:\program files\AMD\Dual-Core Optimizer\amd_dc_opt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2008-04-13 18:12 15360 c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DLA]
--a--c--- 2005-11-07 05:20 122940 c:\windows\system32\DLA\DLACTRLW.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
--a--c--- 2005-02-23 16:19 53248 c:\program files\CyberLink\PowerDVD\DVDLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
--a--c--- 2005-08-05 13:56 64512 c:\windows\ehome\ehtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
--a--c--- 2004-07-27 16:50 221184 c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
--a--c--- 2004-07-27 16:50 81920 c:\program files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-02-04 14:18 267048 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\pccguide.exe]
--a------ 2006-12-08 19:06 823362 c:\program files\Trend Micro\Internet Security 12\pccguide.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-05-27 09:50 413696 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsmqIntCert]
--a------ 2008-04-13 18:11 177152 c:\windows\system32\mqrt.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
--a--c--- 2005-03-22 18:20 339968 c:\windows\stsystra.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\mqsvc.exe"=
"c:\\Program Files\\Last.fm\\LastFM.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"e:\\Program Files\\Microsoft Games\\Rise of Nations\\thrones.exe"=
"c:\\Program Files\\Trend Micro\\Internet Security 12\\Tmntsrv.exe"=
"c:\\Program Files\\Lavasoft\\Ad-Aware\\aawservice.exe"=
"c:\\Program Files\\Common Files\\Apple\\Mobile Device Support\\bin\\AppleMobileDeviceService.exe"=
"c:\\Program Files\\Common Files\\Microsoft Shared\\VS7DEBUG\\MDM.EXE"=
"c:\\ComboFix\\fdsv.cfexe"=
"c:\\Program Files\\Common Files\\LogiShrd\\LQCVFX\\COCIManager.exe"=
"c:\\Documents and Settings\\Cindy\\Desktop\\Skype.exe"=

R2 Tmfilter;Tmfilter;c:\windows\system32\drivers\TmXPFlt.sys [2006-12-08 205328]
R2 Tmntsrv;Trend Micro Real-time Service;c:\progra~1\TRENDM~1\INTERN~1\Tmntsrv.exe [2006-12-08 290889]
R2 TmPfw;Trend Micro Personal Firewall;c:\progra~1\TRENDM~1\INTERN~1\TmPfw.exe [2006-12-08 585792]
R2 Tmpreflt;Tmpreflt;c:\windows\system32\drivers\Tmpreflt.sys [2006-12-08 36368]
R2 tmproxy;Trend Micro Proxy Service;c:\progra~1\TRENDM~1\INTERN~1\tmproxy.exe [2006-12-08 262215]
R2 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\Viewpoint\Common\ViewpointService.exe" [2007-11-24 24652]
S3 CDAVFS;CDAVFS;c:\windows\system32\DRIVERS\CDAVFS.sys [2008-11-30 67424]
S3 MusCDriverV32;MusCDriverV32;c:\windows\system32\drivers\MusCDriverV32.sys [2008-01-07 513152]
S3 MusCVideo32;MusCVideo32;c:\windows\system32\DRIVERS\MusCVideo32.sys [2008-01-07 3768]
S3 PAC207;CIF USB Camera;c:\windows\system32\DRIVERS\PFC027.SYS [2008-10-20 505984]

*Newly Created Service* - JAVAQUICKSTARTERSERVICE
.
Contents of the 'Scheduled Tasks' folder

2008-12-24 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 16:57]

2008-12-13 c:\windows\Tasks\Norton Security Scan.job
- c:\program files\Norton Security Scan\Nss.exe [2007-01-18 17:24]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Cindy\Application Data\Mozilla\Firefox\Profiles\w80lv25l.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-divx&p=
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://us.mg3.mail.yahoo.com/dc/launch? ... r25qqqla35
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-divx&p=
FF - component: c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
FF - plugin: c:\documents and settings\Cindy\Application Data\Mozilla\Firefox\Profiles\w80lv25l.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071101000055.dll
FF - plugin: c:\program files\Microsoft Silverlight\2.0.31005.0\npctrl.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmusicn.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npsnapfish.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - plugin: c:\program files\Yahoo!\Shared\npYState.dll

ATTENTION: FIREFOX POLICES IS IN FORCE
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.rights.version", 3);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.rights.3.shown", false);
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-25 10:16:31
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(768)
c:\windows\system32\Ati2evxx.dll
c:\program files\Citrix\GoToAssist\514\G2AWinLogon.dll
.
Completion time: 2008-12-25 10:19:15
ComboFix-quarantined-files.txt 2008-12-25 16:17:57
ComboFix2.txt 2008-12-24 19:33:27
ComboFix3.txt 2008-12-23 23:54:45
ComboFix4.txt 2008-12-22 21:39:40
ComboFix5.txt 2008-12-25 16:12:18

Pre-Run: 42,747,596,800 bytes free
Post-Run: 42,731,974,656 bytes free

267 --- E O F --- 2008-12-23 19:09:35


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:21:16 AM, on 12/25/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Logitech\QuickCam\Quickcam.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\imapi.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Control Popups in Internet Explorer - {41353F8B-78CE-48A5-BE44-153ED293D192} - C:\PROGRA~1\POPUPP~1\PopLib.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam\Quickcam.exe" /hide
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: PopupPopper Control Panel - {3E94F358-9537-4BBA-8D12-D7F8A0136973} - C:\Program Files\PopupPopper\SiteList.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\system32\shdocvw.dll
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by101fd.bay101.hotmail.msn.com/r ... nPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 8947606953
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 5637086015
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/softwa ... Plugin.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\514\G2AWinLogon.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist\514\g2aservice.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 8293 bytes
3nder
Active Member
 
Posts: 9
Joined: December 14th, 2008, 7:52 pm

Re: Virtumonde-PopUps-Redirects

Unread postby Axephilic » December 25th, 2008, 1:56 pm

Congratulations! You are now all clean! To help to prevent from becoming reinfected, please follow the instructions below in order. If you have any questions, please feel free to ask them.

Now lets uninstall ComboFix:

  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK

Hide system files

  1. Open My Computer.
  2. Go to Tools > Folder Options.
  3. Select the View tab.
  4. Scroll down to Hidden files and folders.
  5. Select Do not show hidden files and folders.
  6. Check (tick) Hide extensions of known file types.
  7. Check (tick) Hide protected operating system files (Recommended).
  8. Click OK.
  9. Close My Computer.

Flush the system restore points

  1. Right click on My Computer and select Properties.
  2. Select the System Restore tab.
  3. Check (tick) Turn off system restore on all drives box.
  4. Click Apply.
  5. Uncheck (untick) Turn off system restore on all drives box.
  6. Click OK.
  7. Restart your computer.
Note: Do this only ONCE, don't flush it regularly.

Keep your system updated

Microsoft releases patches for Windows and Office products regularly to patch up Windows and Office products loopholes and fix any bugs found. Please ensure that you visit the following websites regularly or do update your system regularly.

Install the updates immediately if they are found. Reboot your computer if necessary, revisit Windows Update and Office update sites until there are no more updates to be installed.

To update Windows and office

Go to Start > All Programs > Microsoft Update


Alternatively, you can visit the link below to update Windows and Office products.

Microsoft Update

If you are forgetful, you can change some settings so that you will be informed of updates. Here's how:

  1. Go to Start > Control Panel > Automatic Updates
  2. Select Automatic (recommended) radio button if you want the updates to be downloaded and installed without prompting you.
  3. Select Download updates for me, but let me chose when to install them radio button if you want the updates to be downloaded automatically but to be installed at another time.
  4. Select Notify me but don't automatically download or install them radio button if you want to be notified of the updates.

Besides Windows that needs regular updating, antivirus, anti-spyware and firewall programs update regularly too.

Please make sure that you update your antivirus, firewall and anti-spyware programs at least once a week.

Be careful when opening attachments and downloading files.

  1. Never open email attachments, not even if they are from someone you know. If you need to open them, scan them with your antivirus program before opening.
  2. Never open emails from unknown senders.
  3. Beware of emails that warn about viruses that are spreading, especially those from antivirus vendors. These email addresses can be easily spoofed. Check the antivirus vendor websites to be sure.
  4. Be careful of what you download. Only download files from known sources. Also, avoid cracked programs. If you need a particular program that costs too much for you, try finding free alternatives on Sourceforge or Pricelessware.

Surf safely

Many of the exploits are directed to users of Internet Explorer and Firefox.

Using Firefox with NoScript add-on helps to prevent most exploits from running as NoScript by default disables all scripts on all websites. If you trust the website, you can manually allow it.

If you prefer to use Internet Explorer, here are some settings to change to improve the security of Internet Explorer.

For Internet Explorer 7

Please read this article to configure Internet Explorer 7 properly.

Stop malicious scripts

Windows by default allow scripts (which is VBScript and JavaScript) to run and some of these scripts are malicious. Use Noscript by Symantec or Script Defender by AnalogX to handle these scripts.

Backup regularly

You never know when your PC will become unstable or become so infected that you can't recover it. Follow this Microsoft article to learn how to backup. Follow this article by Microsoft to restore your backups.

Alternatively, you can use 3rd-party programs to back up your data. One example can be found at Bleeping Computer.

Avoid P2P

P2P may be a great way to get lots of stuffs, but it is a great way to get infected as well. There's no way to tell if the file being shared is infected. Worse still, some worms spread via P2P networks, infecting you as well. If you do need to use them, use them sparingly. Check this list of clean and infected P2P programs if you need to use one.

Prevent a re-infection

  1. Winpatrol
    Winpatrol is heuristic protection program, meaning it looks for patterns in codes that work like malware. It also takes a snapshot of your system's critical resources and alerts you to any changes that may occur without you knowing. You can read more about Winpatrol's features here.

    You can get a free copy of Winpatrol or use the Plus version for more features.

    You can read Winpatrol's FAQ if you run into problems.

  2. Hosts File
    A Hosts file is like a phone book. You look up someone's name in the phone book before calling him/her. Similarly, your PC will look up the website's IP address before you can view the website.

    Hosts file will replace your current Hosts file with another one containing well-known advertisement sites, spyware sites and other bad sites. This new Hosts file will protect you by re-directing these bad sites to 127.0.0.1.

    Here are some Hosts files:

    MVPS Hosts File
    Bluetack's Hosts File
    Bluetack's Host Manager
    hpHosts

    A tutorial about Hosts File can be found at Malware Removal.

  3. Spybot Search and Destroy
    Spybot Search & Destroy is another program for scanning spywares and adwares. Not only so, it has other preventive options as well. You are strongly encouraged to run a scan at least once per week.

    Spybot Search & Destroy can be downloaded from here.

    If you need help in using Spybot Search & Destroy, you can read Spybot Search and Destroy tutorial at Bleeping Computer.

    Before downloading any anti-spyware programs, always check the Rogue/Suspect list of anti-spyware programs and Malwarebytes RogueNET. This will save you from a lot of trouble. If in doubt, don't ever download it.

  4. SiteHound Toolbar
    SiteHound is a toolbar that warns you if you go to a site that is known to scam people, that has potentially lots of viruses or spywares or has questionable contents. If you know the site, you can enter it; if you don't, it will bring you back to the previous page. Currently, SiteHound works for Internet Explorer and Firefox only.


Stand Up and Be Counted ---> Malware Complaints <--- where you can make difference!

The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.

Also, please read this great article by Tony Klein So How Did I Get Infected In First Place

Happy surfing and stay clean!

Regards,
Adam
User avatar
Axephilic
Retired Graduate
 
Posts: 2180
Joined: June 18th, 2007, 1:10 pm
Location: Wisconsin, US

Re: Virtumonde-PopUps-Redirects

Unread postby 3nder » December 25th, 2008, 2:52 pm

Thank you so much! The computer is running great now and I will be sure to keep it that way!
Thank you for all of your time and hard work!
3nder
Active Member
 
Posts: 9
Joined: December 14th, 2008, 7:52 pm
Advertisement
Register to Remove

Next

  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 325 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware