HijackThis Log Help
#1
Registered User
Join Date: May 2008
Posts: 3
OS: XP
Can anyone check out my HijackThis log? Getting screwed by Virtumonde
I caught Virtumonde and Virtumonde.dll.
Well, I have been infected with this nasty virus and can't seem to get rid of it. I ran a McAfee virus scan, and it came out clean. Spybot Search & Destroy found it but wasn't able to delete it. I have also run VundoFix 7.0, but it showed nothing. I know I am still infected because my System Restore won't let me restore back to a later date, my Windows Update is turned off and I can't get it back on, and I have difficulty doing Google searches. When and if a web page loads, I get an advertisement pop-up for an anti-spyware product or for dating websites. One thing I noticed that might help is doing a HijackThis scan, so here is what I got. Any ideas?

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:57:59 AM, on 5/28/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\SiteAdvisor\6261\SiteAdv.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Hewlett-Packard\HP OfficeJet Series 600\Bin\HPOstr05.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Hewlett-Packard\HP OfficeJet Series 600\bin\HPOVDX05.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\SiteAdvisor\6261\SAService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\hpoipm07.exe
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Azureus\Azureus.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\PROGRA~1\McAfee\MSC\mcsvrcnt.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll
O2 - BHO: (no name) - {0CF5D165-517E-48B6-B3C7-3054A24F8BF6} - C:\WINDOWS\system32\wvUljhhI.dll (file missing)
O2 - BHO: (no name) - {330A7600-F4E8-4057-81FA-FE4161861D01} - C:\WINDOWS\system32\nnnnNDvv.dll (file missing)
O2 - BHO: McAntiPhishingBHO - {377C180E-6F0E-4D4C-980F-F45BD3D40CF4} - c:\PROGRA~1\mcafee\msk\mcapbho.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll
O4 - HKLM\..\Run: [D-Link AirPlus G] "C:\Program Files\D-Link\AirPlus G\AirGCFG.exe"
O4 - HKLM\..\Run: [ANIWZCS2Service] "C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [SiteAdvisor] "C:\Program Files\SiteAdvisor\6261\SiteAdv.exe"
O4 - HKLM\..\Run: [McENUI] "C:\PROGRA~1\McAfee\MHN\McENUI.exe" /hide
O4 - HKLM\..\Run: [java] PhotoShop CS3 Extended Keygen + Activation.exe
O4 - HKLM\..\Run: [882c3c20] rundll32.exe "C:\WINDOWS\system32\qwcjjjfq.dll",b
O4 - HKLM\..\Run: [BM8b1f0fbc] Rundll32.exe "C:\WINDOWS\system32\mtubmrke.dll",s
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKLM\..\RunServices: [java] PhotoShop CS3 Extended Keygen + Activation.exe
O4 - HKLM\..\RunOnce: [Spybot - Search & Destroy] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKLM\..\RunOnce: [SpybotDeletingA2463] command /c del "C:\WINDOWS\system32\khfCrRJB.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC2886] cmd /c del "C:\WINDOWS\system32\khfCrRJB.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingA9262] command /c del "C:\WINDOWS\system32\nnnnNDvv.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC9170] cmd /c del "C:\WINDOWS\system32\nnnnNDvv.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingA728] command /c del "C:\WINDOWS\system32\khfCrRJB.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC6527] cmd /c del "C:\WINDOWS\system32\khfCrRJB.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingA6084] command /c del "C:\WINDOWS\system32\nnnnNDvv.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC8343] cmd /c del "C:\WINDOWS\system32\nnnnNDvv.dll_old"
O4 - HKCU\..\Run: [NvMediaCenter] "RUNDLL32.EXE" C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: HP OfficeJet Startup.lnk = C:\Program Files\Hewlett-Packard\HP OfficeJet Series 600\Bin\HPOstr05.exe
O8 - Extra context menu item: &Search - ?p=ZKxdm030NTUS
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/micr...?1206224553481
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1206224536746
O16 - DPF: {8D9563A9-8D5F-459B-87F2-BA842255CB9A} (Whale Client Components) - https://scwp1-central.mnb.gd-ais.com...WhlCompMgr.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/controls/msnchat45.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2F1C78AA-2BF6-4A5D-A3A0-5234406C70DC}: NameServer = 68.100.16.30,68.100.16.25
O20 - Winlogon Notify: wvUljhhI - wvUljhhI.dll (file missing)
O23 - Service: McAfee Application Installer Cleanup (0307051211969517) (0307051211969517mcinstcleanup) - McAfee, Inc. - C:\WINDOWS\TEMP\030705~1.EXE
O23 - Service: AOL Connectivity Service (AOL ACS) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Anti-Spam Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6261\SAService.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 10414 bytes

I think I was infected with Virtumonde, because my Spybot seems to pick it up every time I run it without successfully eliminating it. I ran a McAfee scan and that came out clean, but what happens is that Google searching is almost impossible, my keyboard strokes aren't all shown on the screen; it's almost as if certain letters are being eaten. Overall my computer is running very slow. I have followed all 5 steps and hope you can help out. I have attached a Panda ActiveScan as described. Here is the attachment for the DSS, if it helps.

Last edited by amateur: 05-30-2008 at 04:44 PM. Reason: to retain 0-reply status
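The log above is the kind of thing an analyst reads by eye. As an added example (not part of this thread, and not a HijackThis feature), here is a small Python triage script that applies the first three checks an analyst makes on a Vundo-era log: autostart entries whose file is gone (leftovers of a partial clean-up), a crack or keygen launched from a Run key, and rundll32 loading an eight-letter DLL out of system32 under a hex-looking value name. The sample lines are a constructed subset of the log posted above, with two benign entries kept as controls; the regexes, function names and the "reason" labels are this example's own assumptions.

```python
"""Triage of HijackThis 2.0.x log lines (added example, not HijackThis code)."""
import re
from collections import Counter

# Constructed sample: entries copied from the log posted in this thread,
# plus two benign ones (Adobe BHO, NVIDIA service) as controls.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0CF5D165-517E-48B6-B3C7-3054A24F8BF6} - C:\WINDOWS\system32\wvUljhhI.dll (file missing)
O2 - BHO: (no name) - {330A7600-F4E8-4057-81FA-FE4161861D01} - C:\WINDOWS\system32\nnnnNDvv.dll (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [java] PhotoShop CS3 Extended Keygen + Activation.exe
O4 - HKLM\..\Run: [882c3c20] rundll32.exe "C:\WINDOWS\system32\qwcjjjfq.dll",b
O4 - HKLM\..\Run: [BM8b1f0fbc] Rundll32.exe "C:\WINDOWS\system32\mtubmrke.dll",s
O4 - HKLM\..\RunServices: [java] PhotoShop CS3 Extended Keygen + Activation.exe
O20 - Winlogon Notify: wvUljhhI - wvUljhhI.dll (file missing)
O23 - Service: AOL Connectivity Service (AOL ACS) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""

# "O4 - HKLM\..\Run: [value name] command line"; section code first.
ENTRY_RE = re.compile(r"^(?P<sec>[RFO]\d+) - (?P<body>.*)$")
O4_RE = re.compile(r"^HK(?:LM|CU)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# rundll32 loading a DLL, quoted or not; stops before the ,EntryPoint suffix.
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?"?\s+"?(?P<dll>[^",]+\.dll)', re.I)
HEX_VALUE_RE = re.compile(r"^(?:BM)?[0-9a-f]{8}$")        # e.g. 882c3c20, BM8b1f0fbc
EIGHT_LETTER_DLL_RE = re.compile(r"^[A-Za-z]{8}\.dll$")   # e.g. qwcjjjfq.dll

# Labels and their meaning; assumptions of this example, not HijackThis categories.
REASONS = {
    "missing-file": "registered component whose file is gone (leftover of a partial clean-up)",
    "keygen-autorun": "crack/keygen launched from an autorun key",
    "random-dll-rundll32": "rundll32 loading an 8-letter DLL from system32 under a hex value name",
    "winlogon-notify": "Winlogon Notify DLL (loaded into winlogon.exe at logon; treat unfamiliar names as leads)",
}


def triage(log_text):
    """Return one {'section', 'reason', 'line'} dict per indicator found."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue                       # header / process list / blank
        sec, body = m["sec"], m["body"]
        reasons = []
        if sec in ("O2", "O9", "O20", "O23") and ("(file missing)" in body or "(no file)" in body):
            reasons.append("missing-file")
        if sec == "O20":
            reasons.append("winlogon-notify")
        if sec == "O4":
            o4 = O4_RE.match(body)
            if o4:
                cmd, value = o4["cmd"], o4["name"]
                if re.search(r"keygen|crack", cmd, re.I):
                    reasons.append("keygen-autorun")
                dm = RUNDLL_RE.search(cmd)
                if dm:
                    dll = dm["dll"]
                    base = dll.rsplit("\\", 1)[-1]
                    if ("\\system32\\" in dll.lower()
                            and EIGHT_LETTER_DLL_RE.match(base)
                            and HEX_VALUE_RE.match(value)):
                        reasons.append("random-dll-rundll32")
        findings.extend({"section": sec, "reason": r, "line": line} for r in reasons)
    return findings


def summarize(findings):
    """Count findings per reason label."""
    return Counter(f["reason"] for f in findings)


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f"[{f['section']}] {f['reason']}: {f['line']}")
    for reason, n in summarize(found).items():
        print(f"{n} x {reason}: {REASONS[reason]}")
```

On the sample this reports nine indicators: four entries pointing at files that no longer exist (the two O2 BHOs, the O20 Winlogon Notify hook and the AOL service), two autorun entries that launch the keygen, and the two hex-named Run values loading qwcjjjfq.dll and mtubmrke.dll through rundll32. The two benign controls produce nothing. The value-name and DLL-name tests are deliberately narrow; widen them only after checking what they would flag on a clean log.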
#2
Registered User
Join Date: May 2008
Posts: 3
OS: XP
Bump - Virtumonde virus - computer slowed down
I think I was infected with Virtumonde, because my Spybot seems to pick it up every time I run it without successfully eliminating it. I ran a McAfee scan and that came out clean, but what happens is that Google searching is almost impossible, my keyboard strokes aren't all shown on the screen; it's almost as if certain letters are being eaten. I also ran VundoFix and that showed no results. Overall my computer is running very slow. I have followed all 5 steps and hope you can help out.
Here are my Activescan.txt and, below that, my extra.txt.

ANALYSIS: 2008-05-29 08:07:39
PROTECTIONS: 1
MALWARE: 16
SUSPECTS: 0
;========================================
PROTECTIONS
Description          Version  Active  Updated
;========================================
McAfee VirusScan              Yes     Yes
;========================================
MALWARE
Id        Description                  Type            Active  Severity  Disinfectable  Disinfected  Location
;========================================
00139059  Cookie/Traffic Marketplace   TrackingCookie  No      0         Yes            No           C:\Documents and Settings\Andrew.ANDREW-GL5ET4EX\Cookies\andrew@trafficmp[2].txt
00139059  Cookie/Traffic Marketplace   TrackingCookie  No      0         Yes            No           C:\Documents and Settings\Andrew.ANDREW-GL5ET4EX\Cookies\andrew@trafficmp[3].txt
00139061  Cookie/Doubleclick           TrackingCookie  No      0         Yes            No           C:\Documents and Settings\Andrew.ANDREW-GL5ET4EX\Cookies\andrew@doubleclick[1].txt
00139061  Cookie/Doubleclick           TrackingCookie  No      0         Yes            No           C:\Documents and Settings\Andrew.ANDREW-GL5ET4EX\Cookies\andrew@doubleclick[2].txt
00139064  Cookie/Atlas DMT             TrackingCookie  No      0         Yes            No           C:\Documents and Settings\Andrew.ANDREW-GL5ET4EX\Cookies\andrew@atdmt[3].txt
00139064  Cookie/Atlas DMT             TrackingCookie  No      0         Yes            No           C:\Documents and Settings\Andrew.ANDREW-GL5ET4EX\Cookies\andrew@atdmt[2].txt
00145731  Cookie/Tribalfusion          TrackingCookie  No      0         Yes            No           C:\Documents and Settings\Andrew.ANDREW-GL5ET4EX\Cookies\andrew@tribalfusion[2].txt
00145731  Cookie/Tribalfusion          TrackingCookie  No      0         Yes            No           C:\Documents and Settings\Andrew.ANDREW-GL5ET4EX\Cookies\andrew@tribalfusion[1].txt
00167747  Cookie/Azjmp                 TrackingCookie  No      0         Yes            No           C:\Documents and Settings\Andrew.ANDREW-GL5ET4EX\Cookies\andrew@azjmp[2].txt
00167753  Cookie/Statcounter           TrackingCookie  No      0         Yes            No           C:\Documents and Settings\Andrew.ANDREW-GL5ET4EX\Cookies\andrew@statcounter[1].txt
00168056  Cookie/YieldManager          TrackingCookie  No      0         Yes            No           C:\Documents and Settings\Andrew.ANDREW-GL5ET4EX\Cookies\andrew@ad.yieldmanager[3].txt
00168056  Cookie/YieldManager          TrackingCookie  No      0         Yes            No           C:\Documents and Settings\Andrew.ANDREW-GL5ET4EX\Cookies\andrew@ad.yieldmanager[2].txt
00169287  Cookie/Adrevolver            TrackingCookie  No      0         Yes            No           C:\Documents and Settings\Andrew.ANDREW-GL5ET4EX\Cookies\andrew@media.adrevolver[3].txt
00169287  Cookie/Adrevolver            TrackingCookie  No      0         Yes            No           C:\Documents and Settings\Andrew.ANDREW-GL5ET4EX\Cookies\andrew@media.adrevolver[1].txt
00171982  Cookie/QuestionMarket        TrackingCookie  No      0         Yes            No           C:\Documents and Settings\Andrew.ANDREW-GL5ET4EX\Cookies\andrew@questionmarket[1].txt
00172221  Cookie/Zedo                  TrackingCookie  No      0         Yes            No           C:\Documents and Settings\Andrew.ANDREW-GL5ET4EX\Cookies\andrew@zedo[1].txt
00184846  Cookie/Adrevolver            TrackingCookie  No      0         Yes            No           C:\Documents and Settings\Andrew.ANDREW-GL5ET4EX\Cookies\andrew@adrevolver[2].txt
00184846  Cookie/Adrevolver            TrackingCookie  No      0         Yes            No           C:\Documents and Settings\Andrew.ANDREW-GL5ET4EX\Cookies\andrew@adrevolver[3].txt
00593211  Generic Malware              Virus/Trojan    No      0         Yes            No           C:\System Volume Information\_restore{48665636-E724-4272-B4A9-277A38669D42}\RP20\A0003215.exe
02917204  W32/Gaobot.OXI.worm          Virus/Worm      No      1         Yes            No           C:\System Volume Information\_restore{7CC41151-1B38-43C4-9C72-F15660133BA9}\RP357\A0033769.exe
02917204  W32/Gaobot.OXI.worm          Virus/Worm      No      1         Yes            No           C:\System Volume Information\_restore{7CC41151-1B38-43C4-9C72-F15660133BA9}\RP358\A0034196.exe
02917204  W32/Gaobot.OXI.worm          Virus/Worm      No      1         Yes            No           C:\System Volume Information\_restore{7CC41151-1B38-43C4-9C72-F15660133BA9}\RP353\A0031894.exe
02990293  Spyware/Virtumonde           Spyware         No      1         Yes            No           C:\System Volume Information\_restore{7CC41151-1B38-43C4-9C72-F15660133BA9}\RP357\A0033545.exe
02990293  Spyware/Virtumonde           Spyware         No      1         Yes            No           C:\System Volume Information\_restore{7CC41151-1B38-43C4-9C72-F15660133BA9}\RP358\A0033966.exe
02990293  Spyware/Virtumonde           Spyware         No      1         Yes            No           C:\System Volume Information\_restore{7CC41151-1B38-43C4-9C72-F15660133BA9}\RP358\A0033948.exe
02992309  Spyware/Virtumonde           Spyware         No      1         Yes            No           C:\System Volume Information\_restore{7CC41151-1B38-43C4-9C72-F15660133BA9}\RP353\A0032052.dll
02994240  Application/FunWeb           HackTools       No      0         Yes            No           C:\System Volume Information\_restore{7CC41151-1B38-43C4-9C72-F15660133BA9}\RP342\A0027551.SCR
02994240  Application/FunWeb           HackTools       No      0         Yes            No           C:\System Volume Information\_restore{7CC41151-1B38-43C4-9C72-F15660133BA9}\RP342\A0027536.scr
;========================================
SUSPECTS
Sent  Location
;========================================
;========================================
VULNERABILITIES
Id      Severity  Description
;========================================
170904  HIGH      MS07-043
120815  HIGH      MS06-022
;========================================

And here is the extra.txt:

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel(R) Pentium(R) 4 CPU 2.53GHz
Percentage of Memory in Use: 46%
Physical Memory (total/avail): 1022.98 MiB / 545.54 MiB
Pagefile Memory (total/avail): 2461.71 MiB / 1829.34 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1931.07 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 55.83 GiB total, 31.34 GiB free.
D: is CDROM (No Media)

\\.\PHYSICALDRIVE0 - WDC WD600BB-75CAA0 - 55.87 GiB - 2 partitions
 \PARTITION0 - Unknown - 39.19 MiB
 \PARTITION1 (bootable) - Installable File System - 55.83 GiB - C:

-- Security Center -------------------------------------------------------------

AUOptions is set to notify before download.
Windows Internal Firewall is disabled.

AntiVirusDisableNotify is set.
FirewallDisableNotify is set.

FW: McAfee Personal Firewall v (McAfee)
AV: McAfee VirusScan v (McAfee)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\MSN Messenger\\msncall.exe"="C:\\Program Files\\MSN Messenger\\msncall.exe:*:Enabled:Windows Live Messenger 8.0 (Phone)"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\America Online 9.0a\\waol.exe"="C:\\Program Files\\America Online 9.0a\\waol.exe:*:Enabled:America Online 9.0a"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Enabled:AOL Loader"
"C:\\Program Files\\Common Files\\AOL\\1155843733\\ee\\aolsoftware.exe"="C:\\Program Files\\Common Files\\AOL\\1155843733\\ee\\aolsoftware.exe:*:Enabled:AOL Services"
"C:\\Program Files\\Common Files\\AOL\\1155843733\\ee\\aim6.exe"="C:\\Program Files\\Common Files\\AOL\\1155843733\\ee\\aim6.exe:*:Enabled:AIM"
"C:\\Program Files\\MSN Messenger\\msncall.exe"="C:\\Program Files\\MSN Messenger\\msncall.exe:*:Enabled:Windows Live Messenger 8.0 (Phone)"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\AIM6\\aim6.exe"="C:\\Program Files\\AIM6\\aim6.exe:*:Enabled:AIM"
"C:\\Program Files\\Azureus\\Azureus.exe"="C:\\Program Files\\Azureus\\Azureus.exe:*:Enabled:Azureus"
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"="C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe:*:Enabled:McAfee Network Agent"
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"="C:\\Program Files\\Bonjour\\mDNSResponder.exe:*:Enabled:Bonjour"

-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users.WINDOWS
APPDATA=C:\Documents and Settings\Andrew.ANDREW-GL5ET4EX\Application Data
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=ANDREW-GL5ET4EX
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Andrew.ANDREW-GL5ET4EX
LOGONSERVER=\\ANDREW-GL5ET4EX
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 2 Stepping 7, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0207
ProgramFiles=C:\Program Files
PROMPT=$P$G
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\ANDREW~2.AND\LOCALS~1\Temp
TMP=C:\DOCUME~1\ANDREW~2.AND\LOCALS~1\Temp
USERDOMAIN=ANDREW-GL5ET4EX
USERNAME=Andrew
USERPROFILE=C:\Documents and Settings\Andrew.ANDREW-GL5ET4EX
windir=C:\WINDOWS

-- User Profiles ---------------------------------------------------------------

Andrew.ANDREW-GL5ET4EX (admin)

-- Add/Remove Programs ---------------------------------------------------------

 --> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
3Com HomeConnect PC Digital Video --> C:\WINDOWS\USRUNIN.EXE
Adobe Flash Player 9 ActiveX --> C:\WINDOWS\system32\Macromed\Flash\FlashUtil9b.exe -uninstallDelete
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Reader 8.1.2 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81200000003}
AIM 6 --> C:\Program Files\AIM6\uninst.exe
AirPlus G --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{2B7E4354-0492-460A-BDB1-1F59EE141025}
ANIO Service --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7B5CE976-C7A9-4E38-A7F3-6C8EF025DD8E}\Setup.exe"
ANIWZCS2 Service --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{4C590030-7469-453E-8589-D15DA9D03F52}\Setup.exe"
Azureus --> C:\Program Files\Azureus\Uninstall.exe
CleanUp! --> C:\Program Files\CleanUp!\uninstall.exe
Creative WebCam NX Ultra Driver (1.01.03.0112) --> C:\WINDOWS\CtDrvIns.exe -uninstall -script Pd1120.uns -unsext NT -plugin P1120Pin.dll -pluginres P1120Pin.crl
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Hotfix for Windows Media Format 11 SDK (KB929399) --> "C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
HP OfficeJet Series 600 (Remove Only) --> C:\WINDOWS\ISUNINST.EXE -f"C:\Program Files\Hewlett-Packard\HP OfficeJet Series 600\uninst.isu" -c"C:\Program Files\Hewlett-Packard\HP OfficeJet Series 600\uninst.dll"
Intel(R) PRO Ethernet Adapter and Software --> Prounstl.exe
J2SE Runtime Environment 5.0 Update 3 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150030}
J2SE Runtime Environment 5.0 Update 6 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150060}
Java(TM) 6 Update 5 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160050}
McAfee SecurityCenter --> C:\Program Files\McAfee\MSC\mcuninst.exe
Messenger Plus! Live --> "C:\Program Files\Messenger Plus! Live\Uninstall.exe"
Microsoft Compression Client Pack 1.0 for Windows XP --> "C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Office Standard Edition 2003 --> MsiExec.exe /I{91120409-6000-11D3-8CFE-0150048383C9}
Microsoft User-Mode Driver Framework Feature Pack 1.0 --> "C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Norton 360 --> MsiExec.exe /I{63A6E9A9-A190-46D4-9430-2DB28654AFD8}
NVIDIA Display Driver --> C:\WINDOWS\System32\nvudisp.exe Uninstall C:\WINDOWS\System32\nvdisp.nvu,NVIDIA Display Driver
Panda ActiveScan 2.0 --> C:\Program Files\Panda Security\ActiveScan 2.0\as2uninst.exe
QuickTime --> C:\WINDOWS\unvise32qt.exe C:\WINDOWS\System32\QuickTime\Uninstall.log
RTC Client API v1.2 --> MsiExec.exe /X{44CDBD1B-89FB-4E02-8319-2A4C550F664A}
Security Update for CAPICOM (KB931906) --> MsiExec.exe /I{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for CAPICOM (KB931906) --> MsiExec.exe /X{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Spybot - Search & Destroy --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
VideoLAN VLC media player 0.8.2 --> C:\Program Files\VideoLAN\VLC\uninstall.exe
Whale Communications' Client Components v3.1.3 --> rundll32.exe C:\WINDOWS\DOWNLO~1\whlmgr.dll,UnInstall 3.1.0 31 0 1 3.1.3
Windows Media Format 11 runtime --> "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe
Yahoo! Messenger --> C:\PROGRA~1\Yahoo!\MESSEN~1\UNWISE.EXE C:\PROGRA~1\Yahoo!\MESSEN~1\INSTALL.LOG

-- Application Event Log -------------------------------------------------------

Event Record #/Type1084 / Error
Event Submitted/Written: 05/28/2008 06:52:36 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application iexplore.exe, version 7.0.6000.16640, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Event Record #/Type1069 / Success
Event Submitted/Written: 05/28/2008 03:40:52 PM
Event ID/Source: 12001 / usnjsvc
Event Description:

Event Record #/Type1058 / Success
Event Submitted/Written: 05/28/2008 01:56:35 PM
Event ID/Source: 12001 / usnjsvc
Event Description:

Event Record #/Type1053 / Error
Event Submitted/Written: 05/28/2008 09:02:03 AM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application SpybotSD.exe, version 1.5.2.20, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Event Record #/Type1052 / Error
Event Submitted/Written: 05/28/2008 09:01:09 AM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application iexplore.exe, version 7.0.6000.16640, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.

-- System Event Log ------------------------------------------------------------

Event Record #/Type7054 / Error
Event Submitted/Written: 05/28/2008 07:45:15 PM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1058" attempting to start the service wuauserv with arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}

Event Record #/Type7053 / Error
Event Submitted/Written: 05/28/2008 07:44:59 PM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1058" attempting to start the service wuauserv with arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}

Event Record #/Type7047 / Error
Event Submitted/Written: 05/28/2008 07:08:18 PM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1058" attempting to start the service wuauserv with arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}

Event Record #/Type7032 / Error
Event Submitted/Written: 05/28/2008 07:03:42 PM
Event ID/Source: 10010 / DCOM
Event Description:
The server {C7E39D60-7A9F-42BF-ABB1-03DC0FA4F493} did not register with DCOM within the required timeout.

Event Record #/Type7029 / Error
Event Submitted/Written: 05/28/2008 07:03:15 PM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The AOL Connectivity Service service failed to start due to the following error: %%3

-- End of Deckard's System Scanner: finished at 2008-05-29 08:24:32 ------------
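The DSS extra.txt above carries two facts worth pulling out mechanically: the Security Center lines saying the Windows firewall is off and the disable-notify flags are set, and the System Event Log records in which DCOM fails to start wuauserv with `%%1058`. Those `%%N` placeholders are Win32 error codes: 1058 is ERROR_SERVICE_DISABLED, so the Automatic Updates service has its start type set to Disabled, which matches the poster's "Windows Update is turned off and I can't get it back on"; the `%%3` (ERROR_PATH_NOT_FOUND) for the AOL service matches the `(file missing)` O23 entry in the HijackThis log. As an added example (not DSS code and not part of the thread), here is a small Python decoder for that section. The sample is constructed from the extra.txt above; the error table is the standard winerror.h mapping; the function names and the list of "bad state" lines are this example's own assumptions.

```python
"""Decode service-start failures and defence-off flags in a DSS extra.txt (added example)."""
import re
from dataclasses import dataclass

# Win32 error codes that appear as "%%N" in Service Control Manager and DCOM
# event text (values from winerror.h).
WIN32_ERRORS = {
    2: "ERROR_FILE_NOT_FOUND",
    3: "ERROR_PATH_NOT_FOUND",
    5: "ERROR_ACCESS_DENIED",
    1053: "ERROR_SERVICE_REQUEST_TIMEOUT",
    1058: "ERROR_SERVICE_DISABLED",
    1060: "ERROR_SERVICE_DOES_NOT_EXIST",
    1067: "ERROR_PROCESS_ABORTED",
    1068: "ERROR_SERVICE_DEPENDENCY_FAIL",
    1069: "ERROR_SERVICE_LOGON_FAILED",
}

# Security Center lines that mean the machine's own defences are switched off
# (assumption of this example: the exact wording DSS used in the log above).
BAD_STATES = (
    "Windows Internal Firewall is disabled.",
    "AntiVirusDisableNotify is set.",
    "FirewallDisableNotify is set.",
)

# Constructed sample: Security Center and three System Event Log records
# taken from the extra.txt posted in this thread.
SAMPLE = """
-- Security Center -------------------------------------------------------------

AUOptions is set to notify before download.
Windows Internal Firewall is disabled.

AntiVirusDisableNotify is set.
FirewallDisableNotify is set.

-- System Event Log ------------------------------------------------------------

Event Record #/Type7054 / Error
Event Submitted/Written: 05/28/2008 07:45:15 PM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1058" attempting to start the service wuauserv with arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}

Event Record #/Type7032 / Error
Event Submitted/Written: 05/28/2008 07:03:42 PM
Event ID/Source: 10010 / DCOM
Event Description:
The server {C7E39D60-7A9F-42BF-ABB1-03DC0FA4F493} did not register with DCOM within the required timeout.

Event Record #/Type7029 / Error
Event Submitted/Written: 05/28/2008 07:03:15 PM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The AOL Connectivity Service service failed to start due to the following error: %%3
"""

HEADER_RE = re.compile(r"^Event Record #/Type(?P<rec>\d+) / (?P<level>\w+)$")
WRITTEN_RE = re.compile(r"^Event Submitted/Written: (?P<ts>.+)$")
IDSRC_RE = re.compile(r"^Event ID/Source: (?P<id>\d+) / (?P<src>.+)$")
CODE_RE = re.compile(r"%%(\d+)")
# Two phrasings seen in the log: DCOM's "start the service X with ..." and
# SCM's "The X service failed to start ...".
SERVICE_RES = (
    re.compile(r"start the service (?P<svc>\S+) with"),
    re.compile(r"^The (?P<svc>.+?) service failed to start"),
)


@dataclass
class EventRecord:
    record: int
    level: str
    written: str = ""
    event_id: int = 0
    source: str = ""
    description: str = ""


def parse_events(text):
    """Split DSS event-log output into EventRecord objects (all log sections)."""
    records, cur, in_desc = [], None, False
    for line in text.splitlines():
        h = HEADER_RE.match(line)
        if h:
            cur = EventRecord(int(h["rec"]), h["level"])
            records.append(cur)
            in_desc = False
            continue
        if cur is None:
            continue
        if line.startswith("-- "):          # next DSS section header
            cur = None
            continue
        m = IDSRC_RE.match(line)
        w = WRITTEN_RE.match(line)
        if m:
            cur.event_id, cur.source = int(m["id"]), m["src"]
        elif w:
            cur.written = w["ts"]
        elif line.startswith("Event Description:"):
            in_desc = True
        elif in_desc and line.strip():
            cur.description = (cur.description + " " + line.strip()).strip()
    return records


def decode_failures(records):
    """One dict per %%N code, with the service named in the event text and the code's name."""
    out = []
    for r in records:
        codes = [int(c) for c in CODE_RE.findall(r.description)]
        if not codes:
            continue
        svc = next((rx.search(r.description)["svc"] for rx in SERVICE_RES
                    if rx.search(r.description)), "")
        for c in codes:
            out.append({"record": r.record, "event_id": r.event_id, "source": r.source,
                        "service": svc, "code": c, "name": WIN32_ERRORS.get(c, "UNKNOWN")})
    return out


def security_center_flags(text):
    """Return the defence-off lines present in the Security Center section."""
    return [s for s in BAD_STATES if s in text]


if __name__ == "__main__":
    for flag in security_center_flags(SAMPLE):
        print("security center:", flag)
    for f in decode_failures(parse_events(SAMPLE)):
        print(f"event {f['event_id']} ({f['source']}): {f['service'] or '?'} -> {f['code']} {f['name']}")
```

On the sample this yields all three defence-off flags, `wuauserv -> 1058 ERROR_SERVICE_DISABLED` and `AOL Connectivity Service -> 3 ERROR_PATH_NOT_FOUND`; the DCOM 10010 timeout carries no code and is skipped. On the affected XP machine, `sc qc wuauserv` would show START_TYPE DISABLED, and after the infection is removed `sc config wuauserv start= auto` followed by `net start wuauserv` restores the service; doing that before the malware is gone only invites it to be disabled again.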
#3
Moderator, Analyst, Security Team; Rangemaster, TSF Academy
Join Date: Jun 2006
Location: Rhode Island, USA
Posts: 3,216
OS: XP Home SP3, XP MCE SP3, XP Pro SP3
Re: Can anyone check out my HijackThis log? Getting screwed by Virtumonde
Hello and welcome to TSF.
I see some references in the logs to cracks & keygens as well as P2P file-sharing programs, which are sure ways to get infected. I'd recommend you remove LimeWire and Azureus via Add or Remove Programs in Control Panel.

============================

You've posted the extra.txt, which is good. But what we really would like to see is the main.txt also produced by DSS (Deckard's System Scanner). Please post that in your next reply.
__________________
My services are free. However, you can donate to TSF to help keep it running and prospering. ASAP

Last edited by amateur: 05-31-2008 at 01:01 PM.