#1
Registered User
Join Date: May 2008
Posts: 4
OS: win xp
Help Virtumundo - VBG and hijackthis logs
Hello,
Can someone please help me? I have a browser hijacker, I believe called Virtumundo, for which I have downloaded an apparent fix that said it removed it, but it appears to still be on my computer. Below is the log from the program and also a current log from HijackThis. Thank you in advance.

VGB.txt
-------------
[05/12/2008, 17:25:50] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\user\Desktop\VirtumundoBeGone.exe" )
[05/12/2008, 17:25:59] - Detected System Information:
[05/12/2008, 17:25:59] - Windows Version: 5.1.2600, Service Pack 3
[05/12/2008, 17:25:59] - Current Username: Administrator (Admin)
[05/12/2008, 17:25:59] - Windows is in SAFE mode with Networking.
[05/12/2008, 17:25:59] - Searching for Browser Helper Objects:
[05/12/2008, 17:25:59] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
[05/12/2008, 17:25:59] - BHO 2: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[05/12/2008, 17:25:59] - BHO 3: {7E853D72-626A-48EC-A868-BA8D5E23E045} ()
[05/12/2008, 17:25:59] - WARNING: BHO has no default name. Checking for Winlogon reference.
[05/12/2008, 17:25:59] - No filename found. Continuing.
[05/12/2008, 17:25:59] - BHO 4: {9030D464-4C02-4ABF-8ECC-5164760863C6} (Windows Live Sign-in Helper)
[05/12/2008, 17:25:59] - BHO 5: {97985D7C-CE80-4404-82B9-0E48837345B8} ()
[05/12/2008, 17:25:59] - WARNING: BHO has no default name. Checking for Winlogon reference.
[05/12/2008, 17:25:59] - Checking for HKLM\...\Winlogon\Notify\wvUkhfFy
[05/12/2008, 17:25:59] - Key not found: HKLM\...\Winlogon\Notify\wvUkhfFy, continuing.
[05/12/2008, 17:25:59] - BHO 6: {AA58ED58-01DD-4d91-8333-CF10577473F7} (Google Toolbar Helper)
[05/12/2008, 17:25:59] - BHO 7: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} (Google Toolbar Notifier BHO)
[05/12/2008, 17:25:59] - BHO 8: {EE5A1465-1E73-4784-8F63-45983FDF0DB8} ()
[05/12/2008, 17:25:59] - WARNING: BHO has no default name. Checking for Winlogon reference.
[05/12/2008, 17:25:59] - Checking for HKLM\...\Winlogon\Notify\nnnnNGWm
[05/12/2008, 17:25:59] - Found: HKLM\...\Winlogon\Notify\nnnnNGWm - This is probably Virtumundo.
[05/12/2008, 17:25:59] - Assigning {EE5A1465-1E73-4784-8F63-45983FDF0DB8} MSEvents Object
[05/12/2008, 17:25:59] - BHO list has been changed! Starting over...
[05/12/2008, 17:25:59] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
[05/12/2008, 17:25:59] - BHO 2: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[05/12/2008, 17:25:59] - BHO 3: {7E853D72-626A-48EC-A868-BA8D5E23E045} ()
[05/12/2008, 17:25:59] - WARNING: BHO has no default name. Checking for Winlogon reference.
[05/12/2008, 17:26:00] - No filename found. Continuing.
[05/12/2008, 17:26:00] - BHO 4: {9030D464-4C02-4ABF-8ECC-5164760863C6} (Windows Live Sign-in Helper)
[05/12/2008, 17:26:00] - BHO 5: {97985D7C-CE80-4404-82B9-0E48837345B8} ()
[05/12/2008, 17:26:00] - WARNING: BHO has no default name. Checking for Winlogon reference.
[05/12/2008, 17:26:00] - Checking for HKLM\...\Winlogon\Notify\wvUkhfFy
[05/12/2008, 17:26:00] - Key not found: HKLM\...\Winlogon\Notify\wvUkhfFy, continuing.
[05/12/2008, 17:26:00] - BHO 6: {AA58ED58-01DD-4d91-8333-CF10577473F7} (Google Toolbar Helper)
[05/12/2008, 17:26:00] - BHO 7: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} (Google Toolbar Notifier BHO)
[05/12/2008, 17:26:00] - BHO 8: {EE5A1465-1E73-4784-8F63-45983FDF0DB8} (MSEvents Object)
[05/12/2008, 17:26:00] - ALERT: Found MSEvents Object!
[05/12/2008, 17:26:00] - Finished Searching Browser Helper Objects
[05/12/2008, 17:26:00] - *** Detected MSEvents Object
[05/12/2008, 17:26:00] - Trying to remove MSEvents Object...
[05/12/2008, 17:26:01] - Terminating Process: IEXPLORE.EXE
[05/12/2008, 17:26:01] - Terminating Process: RUNDLL32.EXE
[05/12/2008, 17:26:01] - Disabling Automatic Shell Restart
[05/12/2008, 17:26:01] - Terminating Process: EXPLORER.EXE
[05/12/2008, 17:26:01] - Suspending the NT Session Manager System Service
[05/12/2008, 17:26:01] - Terminating Windows NT Logon/Logoff Manager
[05/12/2008, 17:26:02] - Re-enabling Automatic Shell Restart
[05/12/2008, 17:26:02] - File to disable: C:\WINDOWS\system32\nnnnNGWm.dll
[05/12/2008, 17:26:02] - Renaming C:\WINDOWS\system32\nnnnNGWm.dll -> C:\WINDOWS\system32\nnnnNGWm.dll.vir
[05/12/2008, 17:26:02] - File successfully renamed!
[05/12/2008, 17:26:02] - Removing HKLM\...\Browser Helper Objects\{EE5A1465-1E73-4784-8F63-45983FDF0DB8}
[05/12/2008, 17:26:02] - Removing HKCR\CLSID\{EE5A1465-1E73-4784-8F63-45983FDF0DB8}
[05/12/2008, 17:26:02] - Adding Kill Bit for ActiveX for GUID: {EE5A1465-1E73-4784-8F63-45983FDF0DB8}
[05/12/2008, 17:26:02] - Deleting ATLEvents/MSEvents Registry entries
[05/12/2008, 17:26:02] - Removing HKLM\...\Winlogon\Notify\nnnnNGWm
[05/12/2008, 17:26:02] - Searching for Browser Helper Objects:
[05/12/2008, 17:26:02] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
[05/12/2008, 17:26:02] - BHO 2: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[05/12/2008, 17:26:02] - BHO 3: {7E853D72-626A-48EC-A868-BA8D5E23E045} ()
[05/12/2008, 17:26:02] - WARNING: BHO has no default name. Checking for Winlogon reference.
[05/12/2008, 17:26:02] - No filename found. Continuing.
[05/12/2008, 17:26:02] - BHO 4: {9030D464-4C02-4ABF-8ECC-5164760863C6} (Windows Live Sign-in Helper)
[05/12/2008, 17:26:02] - BHO 5: {97985D7C-CE80-4404-82B9-0E48837345B8} ()
[05/12/2008, 17:26:02] - WARNING: BHO has no default name. Checking for Winlogon reference.
[05/12/2008, 17:26:02] - Checking for HKLM\...\Winlogon\Notify\wvUkhfFy
[05/12/2008, 17:26:02] - Key not found: HKLM\...\Winlogon\Notify\wvUkhfFy, continuing.
[05/12/2008, 17:26:02] - BHO 6: {AA58ED58-01DD-4d91-8333-CF10577473F7} (Google Toolbar Helper)
[05/12/2008, 17:26:02] - BHO 7: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} (Google Toolbar Notifier BHO)
[05/12/2008, 17:26:02] - Finished Searching Browser Helper Objects
[05/12/2008, 17:26:02] - Finishing up...
[05/12/2008, 17:26:02] - A restart is needed.
[05/12/2008, 17:26:02] - Automatic Reboot on STOP Error is not set. User will have to manually restart.
[05/12/2008, 17:26:12] - Attempting to Restart via STOP error (Blue Screen!)
[05/12/2008, 17:29:16] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\user\Desktop\VirtumundoBeGone.exe" )
[05/12/2008, 17:29:24] - Detected System Information:
[05/12/2008, 17:29:24] - Windows Version: 5.1.2600, Service Pack 3
[05/12/2008, 17:29:24] - Current Username: Administrator (Admin)
[05/12/2008, 17:29:24] - Windows is in SAFE mode with Networking.
[05/12/2008, 17:29:24] - Searching for Browser Helper Objects:
[05/12/2008, 17:29:24] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
[05/12/2008, 17:29:24] - BHO 2: {61464EB9-25A8-43DF-864F-64FFCC17DA0E} ()
[05/12/2008, 17:29:24] - WARNING: BHO has no default name. Checking for Winlogon reference.
[05/12/2008, 17:29:24] - Checking for HKLM\...\Winlogon\Notify\wvUkhfFy
[05/12/2008, 17:29:24] - Key not found: HKLM\...\Winlogon\Notify\wvUkhfFy, continuing.
[05/12/2008, 17:29:24] - BHO 3: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[05/12/2008, 17:29:24] - BHO 4: {7E853D72-626A-48EC-A868-BA8D5E23E045} ()
[05/12/2008, 17:29:24] - WARNING: BHO has no default name. Checking for Winlogon reference.
[05/12/2008, 17:29:24] - No filename found. Continuing.
[05/12/2008, 17:29:24] - BHO 5: {9030D464-4C02-4ABF-8ECC-5164760863C6} (Windows Live Sign-in Helper)
[05/12/2008, 17:29:24] - BHO 6: {AA58ED58-01DD-4d91-8333-CF10577473F7} (Google Toolbar Helper)
[05/12/2008, 17:29:24] - BHO 7: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} (Google Toolbar Notifier BHO)
[05/12/2008, 17:29:24] - Finished Searching Browser Helper Objects
[05/12/2008, 17:29:24] - Finishing up...
[05/12/2008, 17:29:24] - Nothing found! Exiting...

--------
Hijack this.log
--------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:28:45 AM, on 5/13/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe
C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\VM_STI.EXE
C:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDClock.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDMedia.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDPop3.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\Wcescomm.exe
C:\PROGRA~1\MICROS~3\rapimgr.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\D-Link\AirPlusG+\AirPlus.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe"
O4 - HKLM\..\Run: [Launch LCDMon] "C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe"
O4 - HKLM\..\Run: [Launch LGDCore] "C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe" /SHOWHIDE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [BigDogPath] C:\WINDOWS\VM_STI.EXE ViewSonic W2201 WebCam
O4 - HKLM\..\Run: [D-Link AirPlus G] C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [GUI] C:\D-Link\AirPlusG+\AirPlus.exe
O4 - HKLM\..\Run: [f4ff0e76] rundll32.exe "C:\WINDOWS\system32\qyofiddp.dll",b
O4 - HKLM\..\Run: [BMf7cc3dea] Rundll32.exe "C:\WINDOWS\system32\bmxtixkb.dll",s
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\Wcescomm.exe"
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Global Startup: D-Link AirPlus G+ Wireless Utility.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1206085306573
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1206117154390
O16 - DPF: {7FC1B346-83E6-4774-8D20-1A6B09B0E737} (Windows Live Photo Upload Control) - http://johnny81.spaces.live.com/Phot...d/MsnPUpld.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...nt/swflash.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Desktop Manager 5.7.802.22438 (GoogleDesktopManager-022208-143751) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Protection Against Spyware (PcScnSrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe

--
End of file - 7103 bytes
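The VirtumundoBeGone log above shows the rule the tool applies (a Browser Helper Object with no default name whose DLL name also appears under HKLM\...\Winlogon\Notify is "probably Virtumundo"), and the HijackThis log shows the matching loader pattern in its O4 lines (rundll32 loading a pseudo-random eight-letter DLL from system32 under a hex-named Run value). The Python below is an added example, not code from this thread or from either tool; it applies both checks to HijackThis-style lines. The O4 sample lines are copied from the log above; the O2 and O20 lines are constructed to mirror the BHO and Winlogon\Notify entries VBG reported, since the HijackThis log was taken after VBG had already renamed nnnnNGWm.dll.

```python
"""Triage HijackThis log lines for Virtumundo (Vundo) style persistence.

Two checks, both taken from the logs in this thread:
  1. VirtumundoBeGone's rule: a Browser Helper Object (O2) with no default
     name whose DLL is also registered as a Winlogon\\Notify package (O20)
     is "probably Virtumundo".
  2. The loader pattern in the HijackThis O4 lines: rundll32 loading a
     pseudo-random eight-letter DLL from system32 under a hex-named value.
"""
import re
from dataclasses import dataclass, field
from typing import List

O4_RE = re.compile(r"^O4 - (?P<hive>HK(?:LM|CU))\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.+?) - \{(?P<clsid>[0-9A-Fa-f-]{36})\} - (?P<path>.+)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.+)$")
# rundll32.exe "<dll>",<export>   (quotes optional, case-insensitive)
RUNDLL_RE = re.compile(
    r'^"?(?:[A-Za-z]:\\[^"]*\\)?rundll32\.exe"?\s+"?(?P<dll>[^",]+\.dll)"?\s*,\s*(?P<export>\S+)$',
    re.I,
)
RANDOM_DLL_RE = re.compile(r"^[a-z]{8}\.dll$", re.I)    # qyofiddp.dll, bmxtixkb.dll
HEX_NAME_RE = re.compile(r"^(?:BM)?[0-9a-f]{8}$", re.I)  # f4ff0e76, BMf7cc3dea


@dataclass
class Finding:
    line: str
    severity: str                      # "high" or "medium"
    reasons: List[str] = field(default_factory=list)


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def triage(log_text: str) -> List[Finding]:
    lines = [l.strip() for l in log_text.splitlines() if l.strip()]
    # Pass 1: package names registered under HKLM\...\Winlogon\Notify.
    notify = {m.group("name").lower() for l in lines if (m := O20_RE.match(l))}
    findings: List[Finding] = []
    for line in lines:
        reasons, high = [], False
        if m := O4_RE.match(line):
            if HEX_NAME_RE.match(m.group("name")):
                reasons.append(f"Run value name {m.group('name')!r} looks machine-generated")
            if r := RUNDLL_RE.match(m.group("cmd")):
                dll = r.group("dll")
                if "\\system32\\" in dll.lower() and RANDOM_DLL_RE.match(_basename(dll)):
                    reasons.append(f"rundll32 loads pseudo-random DLL {_basename(dll)} "
                                   f"from system32 (export {r.group('export')!r})")
                    high = True
        elif m := O2_RE.match(line):
            if m.group("name").strip().lower() == "(no name)":
                reasons.append(f"BHO {{{m.group('clsid')}}} has no default name")
                stem = _basename(m.group("path")).rsplit(".", 1)[0]
                if stem.lower() in notify:   # the VBG rule
                    reasons.append(f"its DLL {stem} is also a Winlogon\\Notify package: probably Virtumundo")
                    high = True
        if reasons:
            findings.append(Finding(line, "high" if high else "medium", reasons))
    return findings


# Constructed sample: O4 lines copied from the HijackThis log in this thread;
# O2/O20 lines constructed to mirror what VirtumundoBeGone reported.
SAMPLE_LOG = r"""
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {EE5A1465-1E73-4784-8F63-45983FDF0DB8} - C:\WINDOWS\system32\nnnnNGWm.dll
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe"
O4 - HKLM\..\Run: [GUI] C:\D-Link\AirPlusG+\AirPlus.exe
O4 - HKLM\..\Run: [f4ff0e76] rundll32.exe "C:\WINDOWS\system32\qyofiddp.dll",b
O4 - HKLM\..\Run: [BMf7cc3dea] Rundll32.exe "C:\WINDOWS\system32\bmxtixkb.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - Winlogon Notify: nnnnNGWm - C:\WINDOWS\system32\nnnnNGWm.dll
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity}] {f.line}")
        for reason in f.reasons:
            print("   -", reason)
```

The benign entries (Trend Micro, D-Link, ctfmon, Google's named BHO) produce no finding; only the three Vundo-style lines are reported, all at high severity.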
#2
Moderator/Analyst, Security Team; Rangemaster, TSF Academy
Join Date: Oct 2006
Location: BC, Canada
Posts: 2,440
OS: XP
Re: Help Virtumundo - VBG and hijackthis logs
Hi, welcome to TSF!
If you still need assistance, please post a fresh HijackThis log.
__________________
Proud member of UNITE and ASAP since 2006. If we have helped you, please consider donating. The past won't be able to hurt you unless you keep on looking back at it.
#3
Registered User
Join Date: May 2008
Posts: 4
OS: win xp
Re: Help Virtumundo - VBG and hijackthis logs
Yes, this is still a problem. Here is a current HijackThis log.
Thank you.

-----------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:46:12 PM, on 5/16/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe
C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\VM_STI.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDClock.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDMedia.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDPop3.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\Wcescomm.exe
C:\PROGRA~1\MICROS~3\rapimgr.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\D-Link\AirPlusG+\AirPlus.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PCCMAIN.EXE
C:\WINDOWS\explorer.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\Adobe\Adobe After Effects CS3\Support Files\AfterFX.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe"
O4 - HKLM\..\Run: [Launch LCDMon] "C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe"
O4 - HKLM\..\Run: [Launch LGDCore] "C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe" /SHOWHIDE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [BigDogPath] C:\WINDOWS\VM_STI.EXE ViewSonic W2201 WebCam
O4 - HKLM\..\Run: [D-Link AirPlus G] C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [GUI] C:\D-Link\AirPlusG+\AirPlus.exe
O4 - HKLM\..\Run: [f4ff0e76] rundll32.exe "C:\WINDOWS\system32\usdravgu.dll",b
O4 - HKLM\..\Run: [BMf7cc3dea] Rundll32.exe "C:\WINDOWS\system32\ygxxpalo.dll",s
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\Wcescomm.exe"
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Global Startup: D-Link AirPlus G+ Wireless Utility.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1206085306573
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1206117154390
O16 - DPF: {7FC1B346-83E6-4774-8D20-1A6B09B0E737} (Windows Live Photo Upload Control) - http://johnny81.spaces.live.com/Phot...d/MsnPUpld.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...nt/swflash.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Desktop Manager 5.7.802.22438 (GoogleDesktopManager-022208-143751) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Protection Against Spyware (PcScnSrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe

--
End of file - 7543 bytes
#4
Moderator/Analyst, Security Team; Rangemaster, TSF Academy
Join Date: Oct 2006
Location: BC, Canada
Posts: 2,440
OS: XP
Re: Help Virtumundo - VBG and hijackthis logs
Download ComboFix from any of the links below, and save it to your desktop. For information regarding this download, please visit this webpage: http://www.bleepingcomputer.com/comb...o-use-combofix

Link 1
Link 2
Link 3

**Note: It is important that it is saved directly to your desktop**
--------------------------------------------------------------------
1. Close any open browsers.
2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
--------------------------------------------------------------------
Double-click on ComboFix.exe and follow the prompts.
Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
#5
Registered User
Join Date: May 2008
Posts: 4
OS: win xp
Re: Help Virtumundo - VBG and hijackthis logs
ComboFix 08-05-15.3 - user 2008-05-17 17:38:51.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1003 [GMT 10:00]
Running from: C:\Documents and Settings\user\Desktop\ComboFix.exe
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\cookies.ini
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\asyljaea.exe
C:\WINDOWS\system32\awtQkIaw.dll
C:\WINDOWS\system32\bmxtixkb.dll
C:\WINDOWS\system32\ecpwonoy.ini
C:\WINDOWS\system32\ehlyflkp.exe
C:\WINDOWS\system32\fnwikcwx.exe
C:\WINDOWS\system32\hbjfglaf.dll
C:\WINDOWS\system32\ibamfbic.exe
C:\WINDOWS\system32\idvoyfpj.dll
C:\WINDOWS\system32\jkwfwxly.ini
C:\WINDOWS\system32\jojswpep.exe
C:\WINDOWS\system32\kmaescpk.exe
C:\WINDOWS\system32\kuecodcr.dll
C:\WINDOWS\system32\ljaogsus.dll
C:\WINDOWS\system32\loomennv.dll
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\moxxxfnk.ini
C:\WINDOWS\system32\nhiwvssd.dll
C:\WINDOWS\system32\pddifoyq.ini
C:\WINDOWS\system32\pmqnrwft.exe
C:\WINDOWS\system32\rapdtxow.ini
C:\WINDOWS\system32\susgoajl.ini
C:\WINDOWS\system32\tcxvxfjg.dll
C:\WINDOWS\system32\ttpwwhgy.ini
C:\WINDOWS\system32\tvvmdejr.exe
C:\WINDOWS\system32\ugvardsu.ini
C:\WINDOWS\system32\usdravgu.dll
C:\WINDOWS\system32\vyirwnwc.dll
C:\WINDOWS\system32\wvUkhfFy.dll
C:\WINDOWS\system32\xvawiyvw.dll
C:\WINDOWS\system32\yFfhkUvw.ini
C:\WINDOWS\system32\yFfhkUvw.ini2
C:\WINDOWS\system32\yghwwptt.dll
C:\WINDOWS\system32\ygxxpalo.dll
C:\WINDOWS\system32\ytkrdjqn.dll
.
((((((((((((((((((((((((( Files Created from 2008-04-17 to 2008-05-17 )))))))))))))))))))))))))))))))
.
2008-05-16 20:02 . 2008-05-16 20:03 <DIR> d-------- C:\Program Files\Access Password Recovery Master
2008-05-12 17:25 . 2008-05-12 17:25 <DIR> d-------- C:\Documents and Settings\Administrator
2008-05-12 17:25 . 2008-05-17 17:38 1,024 --ah----- C:\Documents and Settings\Administrator\NtUser.dat.LOG
2008-05-11 22:27 . 2008-05-11 22:27 <DIR> d-------- C:\Program Files\Passware
2008-05-10 13:08 . 2004-08-04 22:00 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2008-05-10 13:08 . 2001-08-17 22:36 8,704 --a------ C:\WINDOWS\system32\kbdjpn.dll
2008-05-10 13:08 . 2001-08-17 22:36 8,704 --a--c--- C:\WINDOWS\system32\dllcache\kbdjpn.dll
2008-05-10 13:08 . 2008-04-14 05:39 6,144 --a------ C:\WINDOWS\system32\kbd106.dll
2008-05-10 13:08 . 2008-04-14 05:39 6,144 --a--c--- C:\WINDOWS\system32\dllcache\kbd106.dll
2008-05-10 10:50 . 2008-05-10 10:50 <DIR> d-------- C:\WINDOWS\system32\scripting
2008-05-10 10:46 . 2008-05-10 10:46 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2008-05-10 10:42 . 2006-12-29 00:31 19,569 --a------ C:\WINDOWS\003416_.tmp
2008-05-09 19:32 . 2008-05-17 17:36 109,835 --a------ C:\WINDOWS\BMf7cc3dea.xml
2008-05-05 19:02 . 2008-05-05 19:02 <DIR> d-------- C:\VundoFix Backups
2008-05-02 20:20 . 2008-05-02 20:20 <DIR> d-------- C:\Documents and Settings\user\Application Data\GeoVid
2008-05-02 20:19 . 2008-05-02 20:19 <DIR> d-------- C:\Program Files\GeoVid
2008-05-02 20:19 . 2004-08-04 15:00 1,700,352 --a------ C:\WINDOWS\system32\gdiplus.dll
2008-05-02 20:19 . 2003-03-19 08:19 1,060,864 --a------ C:\WINDOWS\system32\mfc71.dll
2008-05-02 20:19 . 2003-03-19 08:12 1,047,552 --a------ C:\WINDOWS\system32\mfc71u.dll
2008-05-02 20:19 . 2005-06-07 15:11 60,416 --a------ C:\WINDOWS\system32\dsetup.dll
2008-05-01 23:27 . 2008-05-14 21:59 10,752 --a------ C:\WINDOWS\DCEBoot.exe
2008-05-01 23:21 . 2008-05-01 23:21 37,888 --a------ C:\WINDOWS\system32\nnnnNGWm.dll.vir
2008-04-30 00:42 . 2008-04-30 00:42 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-04-29 23:48 . 2006-05-04 00:21 6,684,672 --a------ C:\WINDOWS\system32\atioglx1.dll
2008-04-29 23:48 . 2006-05-03 11:57 520,192 --------- C:\WINDOWS\system32\ati2sgag.exe
2008-04-29 23:48 . 2006-05-04 00:12 286,720 --a------ C:\WINDOWS\system32\ATIDEMGR.dll
2008-04-29 23:15 . 2008-04-29 23:15 <DIR> d-------- C:\D-Link
2008-04-29 23:15 . 2004-10-25 12:38 439,296 --a------ C:\WINDOWS\system32\drivers\GPlus_XP.sys
2008-04-29 23:15 . 2004-10-19 20:10 95,988 --a------ C:\WINDOWS\system32\drivers\FwRad19.bin
2008-04-29 23:15 . 2004-10-19 20:10 93,844 --a------ C:\WINDOWS\system32\drivers\FwRad17.bin
2008-04-29 23:15 . 2004-10-19 20:10 92,488 --a------ C:\WINDOWS\system32\drivers\FwRad16.bin
2008-04-29 23:15 . 2004-10-25 12:35 69,632 --a------ C:\WINDOWS\system32\drivers\tnetwcoinst.dll
2008-04-28 22:59 . 2008-04-28 22:59 <DIR> d-------- C:\Program Files\Western Digital
2008-04-21 23:57 . 2008-05-16 00:01 <DIR> d-------- C:\Program Files\Full Tilt Poker
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-17 07:44 --------- d-----w C:\Documents and Settings\user\Application Data\Skype
2008-05-17 06:08 --------- d-----w C:\Documents and Settings\user\Application Data\skypePM
2008-05-14 13:42 --------- d-----w C:\Program Files\Microsoft ActiveSync
2008-05-09 18:24 --------- d-----w C:\Program Files\Trend Micro
2008-05-06 15:07 --------- d-----w C:\Documents and Settings\user\Application Data\uTorrent
2008-05-01 10:30 --------- d-----w C:\Program Files\Winamp
2008-04-29 13:48 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-29 08:04 --------- d-----w C:\Program Files\Google
2008-04-24 09:15 --------- d-----w C:\Documents and Settings\user\Application Data\Winamp
2008-04-20 08:17 --------- d-----w C:\Documents and Settings\All Users\Application Data\DVD Shrink
2008-04-14 07:57 --------- d-----w C:\Documents and Settings\user\Application Data\mIRC
2008-04-14 07:51 --------- d-----w C:\Program Files\mIRC
2008-04-13 19:43 40,840 ----a-w C:\WINDOWS\system32\drivers\termdd.sys
2008-04-13 19:43 21,896 ----a-w C:\WINDOWS\system32\drivers\tdtcp.sys
2008-04-13 19:43 139,656 ----a-w C:\WINDOWS\system32\drivers\rdpwd.sys
2008-04-13 19:43 12,040 ----a-w C:\WINDOWS\system32\drivers\tdpipe.sys
2008-04-13 19:42 69,120 ----a-w C:\WINDOWS\notepad.exe
2008-04-13 19:42 50,688 ----a-w C:\WINDOWS\twain_32.dll
2008-04-13 19:42 34,816 ----a-w C:\WINDOWS\Help\sniffpol.dll
2008-04-13 19:42 33,280 ----a-w C:\WINDOWS\Help\sstub.dll
2008-04-13 19:42 32,866 ------w C:\WINDOWS\slrundll.exe
2008-04-13 19:42 3,901 ------w C:\WINDOWS\system32\drivers\siint5.dll
2008-04-13 19:42 283,648 ----a-w C:\WINDOWS\winhlp32.exe
2008-04-13 19:42 279,040 ----a-w C:\WINDOWS\Help\tshoot.dll
2008-04-13 19:42 146,432 ----a-w C:\WINDOWS\regedit.exe
2008-04-13 19:42 11,325 ------w C:\WINDOWS\system32\drivers\vchnt5.dll
2008-04-13 19:42 10,752 ----a-w C:\WINDOWS\hh.exe
2008-04-13 19:42 1,033,728 ----a-w C:\WINDOWS\explorer.exe
2008-04-13 14:58 175,744 ----a-w C:\WINDOWS\system32\drivers\rdbss.sys
2008-04-13 14:51 162,816 ----a-w C:\WINDOWS\system32\drivers\netbt.sys
2008-04-13 14:50 91,520 ----a-w C:\WINDOWS\system32\drivers\ndiswan.sys
2008-04-13 14:50 361,344 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-04-13 14:50 182,656 ----a-w C:\WINDOWS\system32\drivers\ndis.sys
2008-04-13 14:49 75,264 ----a-w C:\WINDOWS\system32\drivers\ipsec.sys
2008-04-13 14:49 51,328 ----a-w C:\WINDOWS\system32\drivers\rasl2tp.sys
2008-04-13 14:49 48,384 ----a-w C:\WINDOWS\system32\drivers\raspptp.sys
2008-04-13 14:49 146,048 ----a-w C:\WINDOWS\system32\drivers\portcls.sys
2008-04-13 14:49 138,112 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-04-13 14:48 52,480 ----a-w C:\WINDOWS\system32\drivers\i8042prt.sys
2008-04-13 14:47 83,072 ----a-w C:\WINDOWS\system32\drivers\wdmaud.sys
2008-04-13 14:47 456,576 ----a-w C:\WINDOWS\system32\drivers\mrxsmb.sys
2008-04-13 14:47 105,344 ----a-w C:\WINDOWS\system32\drivers\mup.sys
2008-04-13 14:46 49,536 ----a-w C:\WINDOWS\system32\drivers\classpnp.sys
2008-04-13 14:46 141,056 ----a-w C:\WINDOWS\system32\drivers\ks.sys
2008-04-13 14:45 64,512 ----a-w C:\WINDOWS\system32\drivers\serial.sys
2008-04-13 14:45 60,800 ----a-w C:\WINDOWS\system32\drivers\sysaudio.sys
2008-04-13 14:45 574,976 ----a-w C:\WINDOWS\system32\drivers\ntfs.sys
2008-04-13 14:45 334,848 ----a-w C:\WINDOWS\system32\drivers\srv.sys
2008-04-13 14:44 63,744 ----a-w C:\WINDOWS\system32\drivers\cdfs.sys
2008-04-13 14:44 143,744 ----a-w C:\WINDOWS\system32\drivers\fastfat.sys
2008-04-13 14:30 30,080 ----a-w C:\WINDOWS\system32\drivers\modem.sys
2008-04-13 14:30 225,664 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-04-13 14:30 19,072 ----a-w C:\WINDOWS\system32\drivers\tdi.sys
2008-04-13 14:27 41,472 ----a-w C:\WINDOWS\system32\drivers\raspppoe.sys
2008-04-13 14:27 40,576 ----a-w C:\WINDOWS\system32\drivers\ndproxy.sys
2008-04-13 14:27 34,560 ----a-w C:\WINDOWS\system32\drivers\wanarp.sys
2008-04-13 14:27 20,864 ----a-w C:\WINDOWS\system32\drivers\ipinip.sys
2008-04-13 14:27 152,832 ----a-w C:\WINDOWS\system32\drivers\ipnat.sys
2008-04-13 14:27 14,336 ----a-w C:\WINDOWS\system32\drivers\asyncmac.sys
2008-04-13 14:27 10,112 ----a-w C:\WINDOWS\system32\drivers\ndistapi.sys
2008-04-13 14:26 88,320 ----a-w C:\WINDOWS\system32\drivers\nwlnkipx.sys
2008-04-13 14:26 69,120 ----a-w C:\WINDOWS\system32\drivers\psched.sys
2008-04-13 14:26 35,072 ----a-w C:\WINDOWS\system32\drivers\msgpc.sys
2008-04-13 14:26 34,688 ----a-w C:\WINDOWS\system32\drivers\netbios.sys
2008-04-13 14:26 30,592 ----a-w C:\WINDOWS\system32\drivers\rndismp.sys
2008-04-13 14:26 30,592 ------w C:\WINDOWS\system32\drivers\rndismpx.sys
2008-04-13 14:26 14,592 ----a-w C:\WINDOWS\system32\drivers\ndisuio.sys
2008-04-13 14:26 12,800 ----a-w C:\WINDOWS\system32\drivers\usb8023.sys
2008-04-13 14:26 12,800 ------w C:\WINDOWS\system32\drivers\usb8023x.sys
2008-04-13 14:26 12,288 ----a-w C:\WINDOWS\system32\drivers\tunmp.sys
2008-04-13 14:25 202,624 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-04-13 14:24 11,264 ----a-w C:\WINDOWS\system32\drivers\irenum.sys
2008-04-13 14:23 71,552 ----a-w C:\WINDOWS\system32\drivers\bridge.sys
2008-04-13 14:23 40,320 ----a-w
C:\WINDOWS\system32\drivers\nmnt.sys 2008-04-13 14:23 36,608 ----a-w C:\WINDOWS\system32\drivers\ip6fw.sys 2008-04-13 14:23 264,832 ----a-w C:\WINDOWS\system32\drivers\http.sys 2008-04-13 14:21 61,824 ----a-w C:\WINDOWS\system32\drivers\nic1394.sys 2008-04-13 14:21 60,800 ----a-w C:\WINDOWS\system32\drivers\arp1394.sys 2008-04-13 14:21 59,904 ----a-w C:\WINDOWS\system32\drivers\atmarpc.sys 2008-04-13 14:21 55,808 ----a-w C:\WINDOWS\system32\drivers\atmlane.sys 2008-04-13 14:21 101,120 ------w C:\WINDOWS\system32\drivers\bthpan.sys 2008-04-13 14:17 25,856 ----a-w C:\WINDOWS\system32\drivers\usbprint.sys 2008-04-13 14:15 60,160 ----a-w C:\WINDOWS\system32\drivers\drmk.sys 2008-04-13 14:14 81,664 ----a-w C:\WINDOWS\system32\drivers\videoprt.sys 2008-04-13 14:14 799,744 ----a-w C:\WINDOWS\system32\drivers\dmboot.sys 2008-04-13 14:14 20,992 ----a-w C:\WINDOWS\system32\drivers\vga.sys 2008-04-13 14:14 153,344 ----a-w C:\WINDOWS\system32\drivers\dmio.sys 2008-04-13 14:13 14,208 ------w C:\WINDOWS\system32\drivers\wacompen.sys 2008-04-13 14:13 12,672 ------w C:\WINDOWS\system32\drivers\mutohpen.sys 2008-04-13 14:11 52,352 ----a-w C:\WINDOWS\system32\drivers\volsnap.sys 2008-04-13 14:11 42,112 ----a-w C:\WINDOWS\system32\drivers\imapi.sys 2008-04-13 14:09 92,544 ----a-w C:\WINDOWS\system32\drivers\mqac.sys 2008-04-13 14:09 7,552 ----a-w C:\WINDOWS\system32\drivers\mskssrv.sys 2008-04-13 14:09 5,504 ----a-w C:\WINDOWS\system32\drivers\mstee.sys 2008-04-13 14:09 5,376 ----a-w C:\WINDOWS\system32\drivers\mspclock.sys 2008-04-13 14:09 42,368 ----a-w C:\WINDOWS\system32\drivers\mountmgr.sys 2008-04-13 14:09 4,992 ----a-w C:\WINDOWS\system32\drivers\mspqm.sys 2008-04-13 14:09 4,352 ----a-w C:\WINDOWS\system32\drivers\swenum.sys 2008-04-13 14:09 384,768 ----a-w C:\WINDOWS\system32\drivers\update.sys 2008-04-13 14:09 24,576 ----a-w C:\WINDOWS\system32\drivers\kbdclass.sys . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . 
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-04-14 22:15 68856]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 11:34 5724184]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-14 05:42 15360]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\Wcescomm.exe" [2006-11-13 13:39 1289000]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2008-02-01 17:22 21898024]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"pccguide.exe"="C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe" [2007-04-13 04:58 3429904]
"Launch LCDMon"="C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe" [2007-12-13 17:43 2051096]
"Launch LGDCore"="C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe" [2007-12-13 17:57 2095640]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 15:40 155648]
"BigDogPath"="C:\WINDOWS\VM_STI.exe" [2004-06-09 15:37 40960]
"D-Link AirPlus G"="C:\Program Files\D-Link\AirPlus G\AirGCFG.exe" [2005-07-22 10:42 1519616]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-04-29 18:04 29744]
"GUI"="C:\D-Link\AirPlusG+\AirPlus.exe" [2005-08-24 20:01 1474560]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
D-Link AirPlus G+ Wireless Utility.lnk - C:\D-Link\AirPlusG+\AirPlus.exe [2008-04-29 23:15:29 1474560]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BMf7cc3dea]
C:\WINDOWS\system32\idvoyfpj.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\f4ff0e76]
C:\WINDOWS\system32\yghwwptt.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Bonjour Service"=2 (0x2)
"Ati HotKey Poller"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\Program Files\Microsoft ActiveSync\rapimgr.exe"= C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"C:\Program Files\Microsoft ActiveSync\wcescomm.exe"= C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"C:\Program Files\Microsoft ActiveSync\WCESMgr.exe"= C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\mIRC\\mirc.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R2 Pv848;V-Gear DV Pro, WDM Video Capture;C:\WINDOWS\system32\drivers\Pv848.sys [2002-03-04 16:58]
R2 PvXBAR;V-Gear DV Pro, WDM Crossbar;C:\WINDOWS\system32\drivers\PvXBAR.sys [2002-03-07 11:56]
S3 GoogleDesktopManager-022208-143751;Google Desktop Manager 5.7.802.22438;"C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-04-29 18:04]
S3 RTLWUSB;NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter NT Driver;C:\WINDOWS\system32\DRIVERS\wg111v2.sys [2007-12-26 10:47]
S3 TNET1130;D-Link AirPlus G+ Wireless Adapter;C:\WINDOWS\system32\DRIVERS\GPLUS_XP.sys [2004-10-25 12:38]
S3 ZSMC302;ViewSonic W2201 WebCam;C:\WINDOWS\system32\Drivers\usbvm302.sys [2005-01-13 18:06]
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-17 17:43:59
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDClock.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDMedia.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDPop3.exe
C:\PROGRA~1\MICROS~3\rapimgr.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
C:\Program Files\Microsoft Office\OFFICE11\MSOHTMED.EXE
.
**************************************************************************
.
Completion time: 2008-05-17 17:47:08 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-17 07:46:58

Pre-Run: 36,124,332,032 bytes free
Post-Run: 37,815,500,800 bytes free

280 --- E O F --- 2008-05-15 09:09:40

------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:02:35 PM, on 5/17/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe
C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe
C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\VM_STI.EXE
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDClock.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDMedia.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDPop3.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\Wcescomm.exe
C:\PROGRA~1\MICROS~3\rapimgr.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\D-Link\AirPlusG+\AirPlus.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe"
O4 - HKLM\..\Run: [Launch LCDMon] "C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe"
O4 - HKLM\..\Run: [Launch LGDCore] "C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe" /SHOWHIDE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [BigDogPath] C:\WINDOWS\VM_STI.EXE ViewSonic W2201 WebCam
O4 - HKLM\..\Run: [D-Link AirPlus G] C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [GUI] C:\D-Link\AirPlusG+\AirPlus.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\Wcescomm.exe"
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Global Startup: D-Link AirPlus G+ Wireless Utility.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1206085306573
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1206117154390
O16 - DPF: {7FC1B346-83E6-4774-8D20-1A6B09B0E737} (Windows Live Photo Upload Control) - http://johnny81.spaces.live.com/Phot...d/MsnPUpld.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...nt/swflash.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Desktop Manager 5.7.802.22438 (GoogleDesktopManager-022208-143751) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Protection Against Spyware (PcScnSrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe

--
End of file - 8159 bytes
#6
Moderator/Analyst, Security Team; Rangemaster, TSF Academy
Join Date: Oct 2006
Location: BC, Canada
Posts: 2,440
OS: XP
Re: Help Virtumundo - VBG and hijackthis logs
Hi,
Some optional uninstalls..

uTorrent
Even when a program like this is not infected itself, it will still bring malware into your system because more than half of all files available for download from peer-to-peer networks have been deliberately infected with some form of malware. I recommend that you remove this program from your system.

Full Tilt Poker
Poker programs such as this sometimes serve as vectors for malware to enter your system. I suggest you uninstall it, especially if you're not using it.

*If you choose to remove those optionals, click start > control panel > add or remove programs > uninstall the optionals.

*Delete these files:
C:\WINDOWS\BMf7cc3dea.xml
C:\WINDOWS\system32\nnnnNGWm.dll.vir

*Delete these folders:
C:\VundoFix Backups
C:\Program Files\Full Tilt Poker <<only if you uninstalled Full Tilt Poker
C:\Program files\utorrent <<only if you uninstalled uTorrent
C:\Documents and Settings\user\Application Data\uTorrent <<only if you uninstalled uTorrent

*Click start > run > copy and paste:
reg delete "HKLM\software\microsoft\shared tools\msconfig\startupreg\BMf7cc3dea" /f
press enter.
reg delete "HKLM\software\microsoft\shared tools\msconfig\startupreg\f4ff0e76" /f
press enter.

*Reboot your machine.

*I would like you to scan a file for me. Please go HERE. Copy and paste the following file path into the box.
C:\WINDOWS\DCEBoot.exe
Then click submit. Please post the results in your next reply.
If Jotti is too busy, you can go HERE and do the same as above.

*Clean your Cache and Cookies in IE:

*Please do an online scan with Kaspersky WebScanner. Warning: If you had Kaspersky Online Scanner installed before 10-5-2007, please uninstall it, as Kaspersky released a new version. The previous version had a serious flaw which could result in a buffer overflow. You will be prompted to install an ActiveX component from Kaspersky; click Yes.
*Your Java is out of date.... Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components.
On your next reply, please include a
__________________
Proud member of UNITE and ASAP since 2006. If we have helped you, please consider donating. The past won't be able to hurt you unless you keep on looking back at it.
Last edited by Angelfire777 : 05-17-2008 at 01:57 AM.
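The leftovers the analyst singled out in the ComboFix log above (two msconfig\startupreg keys pointing at random-named DLLs in system32, plus the AppInit_DLLs hook that deserves a look on any infected machine) can be picked out of such logs mechanically. The script below is an added example written for this thread, not code from the forum or from ComboFix or HijackThis; the log lines it scans are constructed from entries shaped like the ones in the thread, and the random-name heuristic and the allowlist are my own assumptions, so its output is a triage hint that still needs a human to confirm.

```python
"""Triage helper for ComboFix / HijackThis startup entries (added example)."""
import re

VOWELS = set("aeiou")
# Assumed allowlist: legitimate short lowercase names that appear in such logs.
KNOWN_GOOD = {"ctfmon", "explorer", "notepad", "svchost", "winlogon", "services"}

# ComboFix lists a disabled msconfig item as a key line followed by its target.
STARTUPREG_KEY = re.compile(r"\\msconfig\\startupreg\\([^\]]+)\]", re.IGNORECASE)
# HijackThis prints a BHO with no registered name as "(no name)".
UNNAMED_BHO = re.compile(r"^O2 - BHO: \(no name\) - (\{[0-9A-Fa-f-]+\})")
# First drive-letter path on a line; stops at whitespace, enough for the file stem.
WIN_PATH = re.compile(r"[A-Za-z]:\\[^\s\"\[\]]+")

# Constructed sample modelled on the ComboFix and HijackThis entries in the thread;
# the CLSID on the unnamed-BHO line is a made-up placeholder.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BMf7cc3dea]
C:\WINDOWS\system32\idvoyfpj.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\f4ff0e76]
C:\WINDOWS\system32\yghwwptt.dll
"AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
O2 - BHO: (no name) - {DEADBEEF-0000-4000-8000-000000000001} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
"""


def stem_of(path: str) -> str:
    """'C:\\WINDOWS\\system32\\idvoyfpj.dll' -> 'idvoyfpj'."""
    name = re.split(r"[\\/]", path)[-1]
    return name.rsplit(".", 1)[0].lower()


def looks_random(stem: str) -> bool:
    """Heuristic for Vundo-style generated names such as idvoyfpj or yghwwptt:
    exactly eight lowercase letters with at most two vowels or a run of four
    or more consonants. Crude on purpose; legitimate drivers can trip it."""
    if stem in KNOWN_GOOD or len(stem) != 8 or not stem.isalpha() or not stem.islower():
        return False
    vowels = sum(c in VOWELS for c in stem)
    longest_run = max((len(m) for m in re.findall(r"[^aeiou]+", stem)), default=0)
    return vowels <= 2 or longest_run >= 4


def triage(log_text: str) -> list:
    """Return (kind, what, line, random_name) tuples for entries worth a look."""
    findings = []
    pending_key = None  # startupreg key whose target is on the following line
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key = STARTUPREG_KEY.search(line)
        if key:
            pending_key = key.group(1)
            continue
        if pending_key is not None and not line.startswith("["):
            findings.append(("disabled-startup", pending_key, line, looks_random(stem_of(line))))
            pending_key = None
            continue
        pending_key = None  # a key with no target line: nothing to record
        bho = UNNAMED_BHO.match(line)
        if bho:
            findings.append(("unnamed-bho", bho.group(1), line, False))
            continue
        path = WIN_PATH.search(line)
        if "AppInit_DLLs" in line and path:
            target = path.group(0)
            findings.append(("appinit-hook", target, line, looks_random(stem_of(target))))
            continue
        if path and looks_random(stem_of(path.group(0))):
            findings.append(("random-name", path.group(0), line, True))
    return findings


if __name__ == "__main__":
    for kind, what, _line, random_name in triage(SAMPLE_LOG):
        flag = " (random-looking name)" if random_name else ""
        print(f"{kind:17} {what}{flag}")
```

Run against a full ComboFix or HijackThis log, the same loop lists every disabled startup item, every AppInit_DLLs hook and every unnamed BHO for review; only the two random-named DLLs here correspond to keys the analyst asked to delete.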
#7
Registered User
Join Date: May 2008
Posts: 4
OS: win xp
Re: Help Virtumundo - VBG and hijackthis logs
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:30:46 PM, on 5/18/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe
C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe
C:\WINDOWS\VM_STI.EXE
C:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDClock.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDMedia.exe
C:\Program Files\Logitech\GamePanel Software\LCD Manager\Applets\LCDPop3.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\Wcescomm.exe
C:\PROGRA~1\MICROS~3\rapimgr.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\D-Link\AirPlusG+\AirPlus.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\uTorrent\uTorrent.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe"
O4 - HKLM\..\Run: [Launch LCDMon] "C:\Program Files\Logitech\GamePanel Software\LCD Manager\LCDMon.exe"
O4 - HKLM\..\Run: [Launch LGDCore] "C:\Program Files\Logitech\GamePanel Software\G-series Software\LGDCore.exe" /SHOWHIDE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [BigDogPath] C:\WINDOWS\VM_STI.EXE ViewSonic W2201 WebCam
O4 - HKLM\..\Run: [D-Link AirPlus G] C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [GUI] C:\D-Link\AirPlusG+\AirPlus.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\Wcescomm.exe"
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Global Startup: D-Link AirPlus G+ Wireless Utility.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1206085306573
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1206117154390
O16 - DPF: {7FC1B346-83E6-4774-8D20-1A6B09B0E737} (Windows Live Photo Upload Control) - http://johnny81.spaces.live.com/Phot...d/MsnPUpld.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...nt/swflash.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Desktop Manager 5.7.802.22438 (GoogleDesktopManager-022208-143751) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Protection Against Spyware (PcScnSrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe

--
End of file - 8114 bytes

--------------

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Sunday, May 18, 2008 10:29:45 PM
Operating System: Microsoft Windows XP Professional, Service Pack 3 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 18/05/2008
Kaspersky Anti-Virus database records: 782869
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - Critical Areas:
C:\WINDOWS
C:\DOCUME~1\user\LOCALS~1\Temp\

Scan Statistics:
Total number of scanned objects: 21305
Number of viruses found: 0
Number of infected objects: 0
Number of suspicious objects: 0
Duration of the scan process: 00:10:22

Infected Object Name / Virus Name / Last Action
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{24DD483E-42E5-4BE6-9ADD-4FA479F0EE19}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped