|
|
|
|
|||||
|
|
|
|
|
|
|||
| Welcome
to Tech Support Forum home to more then 136,000 problems solved. Issues
have included: Spyware, Malware, Virus Issues, Windows, Microsoft,
Linux, Networking, Security, Hardware, and Gaming Getting your
problem solved is as easy as: 1. Registering for a free account 2. Asking your question 3. Receiving an answer Registered members: * See fewer ads. * And much more..
|
| Want to know how to post a question? click here | Having problems with spyware and pop-ups? First Steps |
|
|||||||
| HijackThis Log Help Get Rid Of Malware With Help From Our Analysts. Follow the "First Steps" link at the top right of each page before posting for help. |
 |
|
|
Thread Tools |
06-17-2008, 01:31 AM
|
#1 (permalink) |
|
Registered User
Join Date: Jun 2008
Posts: 1
OS: XP
|
Virtumonde and Win32 Removal help, Please!
Hi there. I've recently contracted a few bad viruses/malware. I've been using spybot S&D and ad-aware to try and get rid of them, and now I can say that they are all likely gone except for "virtumonde.dll" and "win32.bho.df" These two are picked up by spybot, which attempts to remove them, however they return upon system restart. I'm sorry if this thread is similar to others but I couldn't fix the problem myself unfortunately. Any help would be much appreciated. Thank you. I've atacched the required logs. I'm running WinXP Pro by the way. Thanks again!
Deckard's System Scanner v20071014.68 Run by Dave on 2008-06-17 17:08:16 Computer is in Normal Mode. -------------------------------------------------------------------------------- -- System Restore -------------------------------------------------------------- Successfully created a Deckard's System Scanner Restore Point. -- Last 5 Restore Point(s) -- 96: 2008-06-17 07:08:47 UTC - RP617 - Deckard's System Scanner Restore Point 95: 2008-06-17 00:49:01 UTC - RP616 - Software Distribution Service 3.0 94: 2008-06-17 00:10:30 UTC - RP615 - Software Distribution Service 3.0 93: 2008-06-16 12:56:44 UTC - RP614 - Restore Operation 92: 2008-06-16 12:30:04 UTC - RP613 - Restore Operation -- First Restore Point -- 1: 2008-06-14 00:43:03 UTC - RP522 - System Checkpoint Backed up registry hives. Performed disk cleanup. Percentage of Memory in Use: 86% (more than 75%). -- HijackThis Clone ------------------------------------------------------------ Emulating logfile of Trend Micro HijackThis v2.0.2 Scan saved at 2008-06-17 17:11:28 Platform: Windows XP Service Pack 2 (5.01.2600) MSIE: Internet Explorer (6.00.2900.2180) Boot mode: Normal Running processes: C:\WINDOWS\system32\smss.exe C:\WINDOWS\system32\csrss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Intel\Wireless\Bin\EvtEng.exe C:\Program Files\Intel\Wireless\Bin\ZCfgSvc.exe C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe C:\WINDOWS\explorer.exe C:\Program Files\Intel\Wireless\Bin\WLKEEPER.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe C:\WINDOWS\system32\LEXBCES.EXE C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe C:\WINDOWS\system32\LEXPPS.EXE C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe C:\Program Files\McAfee\MSC\mcmscsvc.exe C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe C:\Program Files\Intel\Wireless\Bin\1XConfig.exe C:\Program Files\Common Files\McAfee\McProxy\McProxy.exe C:\Program Files\McAfee\VirusScan\Mcshield.exe C:\Program Files\McAfee\MPF\MpfSrv.exe C:\Program Files\McAfee\MSK\msksrver.exe C:\Program Files\Dell\NicConfigSvc\NicConfigSvc.exe C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe C:\Program Files\SiteAdvisor\6261\SAService.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\McAfee.com\Agent\mcagent.exe C:\Program Files\Windows Media Player\wmpnetwk.exe C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe C:\WINDOWS\system32\wbem\wmiprvse.exe C:\WINDOWS\system32\alg.exe C:\WINDOWS\system32\igfxtray.exe C:\WINDOWS\system32\hkcmd.exe C:\WINDOWS\system32\igfxpers.exe C:\WINDOWS\system32\igfxsrvc.exe C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe C:\Program Files\Synaptics\SynTP\SynTPEnh.exe C:\Program Files\Intel\Wireless\Bin\iFrmewrk.exe C:\WINDOWS\stsystra.exe C:\Program Files\Dell\Media Experience\DMXLauncher.exe C:\Program Files\Dell\QuickSet\quickset.exe C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe C:\WINDOWS\system32\DLA\DLACTRLW.EXE C:\Program Files\HP\HP Software Update\hpwuSchd2.exe C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe C:\Program Files\Logitech\QuickCam\Quickcam.exe C:\Program Files\iTunes\iTunesHelper.exe C:\Program Files\SiteAdvisor\6261\SiteAdv.exe C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe C:\Program Files\PC Connectivity Solution\ServiceLayer.exe C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\rundll32.exe C:\Program Files\NetWaiting\netwaiting.exe C:\Program Files\DAEMON Tools\daemon.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe C:\Program Files\Digital Line Detect\DLG.exe C:\Program Files\iPod\bin\iPodService.exe C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe C:\Program Files\Common Files\LogiShrd\LQCVFX\COCIManager.exe C:\Program Files\McAfee\VirusScan\mcsysmon.exe C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\Documents and Settings\Dave\Desktop\dss.exe R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www1.ap.dell.com/content/defa...=au&l=en&s=gen R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (file missing) O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll O2 - BHO: McAntiPhishingBHO - {377C180E-6F0E-4D4C-980F-F45BD3D40CF4} - C:\Program Files\McAfee\MSK\mcapbho.dll O2 - BHO: (no name) - {5166B60A-EF8D-469F-8CDC-353D4EDAFF2B} - C:\WINDOWS\system32\fccBRJYq.dll (file missing) O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\DLA\DLASHX_W.DLL O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file) O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll O2 - BHO: (no name) - {97AC9846-CC79-412B-B026-EFA86EFB717A} - C:\WINDOWS\system32\ljJCtrop.dll (file missing) O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file) O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32 O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam\Quickcam.exe" /hide O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey O4 - HKLM\..\Run: [SiteAdvisor] "C:\Program Files\SiteAdvisor\6261\SiteAdv.exe" O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" O4 - HKLM\..\Run: [549d7519] rundll32.exe "C:\WINDOWS\system32\cgqejcht.dll",b O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime O4 - HKLM\..\Run: [BM57ae4685] Rundll32.exe "C:\WINDOWS\system32\aisjwmvp.dll",s O4 - HKLM\..\RunOnce: [IERESETATTRIB] %SystemRoot%\system32\cmd.exe /d /q /c %SystemRoot%\system32\ieudinit.exe -ResetFileAttributes O4 - HKLM\..\RunOnce: [IERESETICONS] %SystemRoot%\system32\cmd.exe /d /q /c %SystemRoot%\iereseticons.exe O4 - HKCU\..\Run: [ModemOnHold] C:\Program Files\NetWaiting\netWaiting.exe O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033 O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe O4 - HKUS\S-1-5-18\..\Run: [Nokia.PCSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [Nokia.PCSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'Default user') O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe O4 - Global Startup: dlbcserv.lnk = C:\Program Files\Dell Photo Printer 720\dlbcserv.exe O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - (file missing) O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (file missing) O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O15 - Trusted Zone: https://us.mcafee.com (HKCU) O15 - Trusted Zone: https://www.update.microsoft.com (HKCU) O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10...I.cab55579.cab O16 - DPF: {233C1507-6A77-46A4-9443-F871F945D258} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/s...irector/sw.cab O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} () - http://a516.g.akamai.net/f/516/25175...at-no-eula.cab O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games – Buddy Invite) - http://zone.msn.com/BinFrameWork/v10...y.cab55579.cab O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10...t.cab55579.cab O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/...toUploader.cab O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1164244270015 O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} () - http://fpdownload.macromedia.com/get.../ultrashim.cab O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramewor...o.cab56649.cab O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab O16 - DPF: {D6E7CFB5-C074-4D1C-B647-663D1A8D96BF} (Facebook Photo Uploader 4) - http://upload.facebook.com/controls/...ploader4_5.cab O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games – Game Communicator) - http://zone.msn.com/binframework/v10...y.cab55579.cab O16 - DPF: {F773E7B2-62A9-4524-9109-87D2F0BEFAA4} (ChessControl Class) - http://zone.msn.com/bingame/zpagames...p.cab56961.cab O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.8.5.1302.1018.dll O18 - Protocol: ms-help - {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll O18 - Protocol: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\MSITSS.DLL O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.8.5.1302.1018.dll O18 - Protocol: mso-offdap - {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL O18 - Protocol: mso-offdap11 - {32505114-5902-49B2-880A-1F7738E5A384} - C:\Program Files\Common Files\Microsoft Shared\Web Components\11\OWC11.DLL O18 - Protocol: siteadvisor - {3A5DC592-7723-4EAA-9EE6-AF4222BCF879} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll O18 - Filter: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL O20 - AppInit_DLLs: C:\WINDOWS\system32\__c0048D61.dat O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\Program Files\McAfee\MSC\mcmscsvc.exe O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\mcods.exe O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\McProxy\McProxy.exe O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\Mcshield.exe O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\mcsysmon.exe O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MpfSrv.exe O23 - Service: McAfee Anti-Spam Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\msksrver.exe O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NicConfigSvc\NicConfigSvc.exe O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6261\SAService.exe O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKEEPER.exe -- End of file - 17169 bytes -- File Associations ----------------------------------------------------------- All associations okay. -- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------- R1 APPDRV - c:\windows\system32\drivers\appdrv.sys <Not Verified; Dell Inc; Application Driver> R2 AegisP (AEGIS Protocol (IEEE 802.1x) v3.1.0.1) - c:\windows\system32\drivers\aegisp.sys <Not Verified; Meetinghouse Data Communications; AEGIS Client 3.1.0.1> R2 s24trans (WLAN Transport) - c:\windows\system32\drivers\s24trans.sys <Not Verified; Intel Corporation; Intel Wireless LAN Packet Driver> -- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled -------------------- R2 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service> R2 NICCONFIGSVC - c:\program files\dell\nicconfigsvc\nicconfigsvc.exe <Not Verified; Dell Inc.; NicConfigSvc> R2 RegSrvc - c:\program files\intel\wireless\bin\regsrvc.exe <Not Verified; Intel Corporation; RegSrvc Module> R2 WLANKEEPER - c:\program files\intel\wireless\bin\wlkeeper.exe <Not Verified; Intel® Corporation; SSOFSet Service> R3 ServiceLayer - "c:\program files\pc connectivity solution\servicelayer.exe" <Not Verified; Nokia.; PC Connectivity Solution> -- Device Manager: Disabled ---------------------------------------------------- Class GUID: {EEC5AD98-8080-425F-922A-DABF3DE3F69A} Description: Nokia 6300 Device ID: ROOT\WPD\0000 Manufacturer: Nokia Name: Nokia 6300 PNP Device ID: ROOT\WPD\0000 Service: WUDFRd -- Scheduled Tasks ------------------------------------------------------------- 2008-06-17 13:53:03 450 --ah----- C:\WINDOWS\Tasks\MSK_ABImport_Daily_Dave.job 2008-06-15 11:13:42 338 --a------ C:\WINDOWS\Tasks\McDefragTask.job 2008-06-04 19:26:05 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job 2008-06-01 21  35 334 --a------ C:\WINDOWS\Tasks\McQcTask.job-- Files created between 2008-05-17 and 2008-06-17 ----------------------------- 2008-06-17 14:14:43 0 d-------- C:\WINDOWS\LastGood 2008-06-17 14:14:21 0 d-------- C:\Program Files\Panda Security 2008-06-16 23:01:00 0 d-------- C:\WINDOWS\system32\CatRoot_bak 2008-06-16 22:59:43 0 d-------- C:\WINDOWS\LastGood(2).Tmp 2008-06-16 15:28:19 0 d-------- C:\VundoFix Backups 2008-06-16 15:00:46 0 d-------- C:\Program Files\QuickTime 2008-06-16 14:10:00 1160 --a------ C:\WINDOWS\mozver.dat 2008-06-16 10:17:00 0 --a------ C:\WINDOWS\nsreg.dat 2008-06-16 10:16:00 0 d-------- C:\Documents and Settings\Dave\Application Data\Mozilla 2008-06-15 23:34:48 81408 --a------ C:\WINDOWS\system32\cgqejcht.dll 2008-06-15 23:31:48 90112 --a------ C:\WINDOWS\system32\aisjwmvp.dll 2008-06-15 22:43:24 513877 --ahs---- C:\WINDOWS\system32\portCJjl.ini2 2008-06-15 21:19:09 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy 2008-06-15 20:02:51 0 d-------- C:\Program Files\Windows Desktop Search 2008-06-15 14:53:34 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft 2008-06-15 14:52:38 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard 2008-06-15 10:48:13 0 d-------- C:\Program Files\Microsoft Works 2008-06-15 10:47:48 0 d-------- C:\Program Files\MSBuild 2008-06-15 10:32:26 0 d-------- C:\Program Files\Microsoft Visual Studio 8 2008-06-15 10:27:27 0 d-------- C:\Documents and Settings\All Users\Application Data\Microsoft Help 2008-06-14 22:46:10 89600 --a------ C:\WINDOWS\system32\qhnwukgn.dll 2008-06-14 13:29:22 25088 --a------ C:\WINDOWS\system32\iifEVLeb.dll 2008-06-14 13:20:49 25088 --a------ C:\WINDOWS\system32\urqQkiiI.dll 2008-06-14 13:17:25 25088 --a------ C:\WINDOWS\system32\wvUljGvW.dll 2008-06-14 13:16:33 25088 --a------ C:\WINDOWS\system32\nnnkHXpP.dll 2008-06-14 13:15:23 25088 --a------ C:\WINDOWS\system32\opnkhHbB.dll 2008-06-14 13:13:34 25088 --a------ C:\WINDOWS\system32\geBtTKAr.dll 2008-06-14 12:29:37 0 d--h----- C:\WINDOWS\SHELLNEW 2008-06-14 12:29:36 0 d-------- C:\Program Files\Microsoft ActiveSync 2008-06-14 12:25:51 25088 --a------ C:\WINDOWS\system32\xxyxWPgE(2).dll 2008-06-14 11:47:58 0 d-------- C:\Program Files\PowerISO 2008-06-14 10:53:01 25088 --a------ C:\WINDOWS\system32\awttuVnn.dll 2008-06-14 10:42:46 25088 --a------ C:\WINDOWS\system32\wvUnOEUM.dll 2008-06-14 10:42:40 544826 --ahs---- C:\WINDOWS\system32\qYJRBccf.ini2 2008-06-14 10:42:01 25088 --a------ C:\WINDOWS\system32\xxyxWNGA.dll 2008-06-14 10:39:28 25088 --a------ C:\WINDOWS\system32\qoMdeDtt.dll 2008-06-14 10:38:39 25088 --a------ C:\WINDOWS\system32\awtrOhEu.dll 2008-06-14 10:37:21 25088 --a------ C:\WINDOWS\system32\mlJCUOhh.dll 2008-06-08 19:36:08 0 d-------- C:\Program Files\Sonic Foundry 2008-06-07 20:03:29 0 d-------- C:\Program Files\WinSCP 2008-05-29 16:31:47 0 d-------- C:\Documents and Settings\All Users\Application Data\Adobe -- Find3M Report --------------------------------------------------------------- 2008-06-16 23:57:24 0 d-------- C:\Program Files\McAfee 2008-06-15 22:01:01 0 d-------- C:\Program Files\Lavasoft 2008-06-15 14:52:38 0 d-------- C:\Program Files\Common Files 2008-06-07 20:28:09 600 --a------ C:\Documents and Settings\Dave\Application Data\winscp.rnd 2008-06-06 23:16:14 0 d-------- C:\Documents and Settings\Dave\Application Data\SiteAdvisor 2008-05-29 16:31:56 0 d-------- C:\Program Files\Common Files\Adobe 2008-05-29 16:28:29 0 d-------- C:\Documents and Settings\Dave\Application Data\AdobeUM 2008-05-29 13:40:45 0 d-------- C:\Program Files\SiteAdvisor 2008-05-14 00:46:26 0 d-------- C:\Program Files\McAfee.com 2008-05-14 00:39:37 0 d-------- C:\Program Files\Common Files\McAfee 2008-05-13 12:25:23 0 d-------- C:\Documents and Settings\Dave\Application Data\Skype 2008-05-13 09:31:15 0 d-------- C:\Documents and Settings\Dave\Application Data\skypePM 2008-05-07 15:32:30 0 d-------- C:\Program Files\Apple Software Update 2008-05-01 17:41:46 0 d-------- C:\Documents and Settings\Dave\Application Data\NetMedia Providers 2008-04-08 20:28:55 664 --a------ C:\WINDOWS\system32\d3d9caps.dat 2008-03-20 12:29:34 77457 --a------ C:\Documents and Settings\Dave\Application Data\NMM-MetaData.db 2008-03-19 19:47:00 1845248 --ah----- C:\WINDOWS\system32\win32k.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System> -- Registry Dump --------------------------------------------------------------- *Note* empty entries & legit default entries are not shown [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{377C180E-6F0E-4D4C-980F-F45BD3D40CF4}] 26/11/2007 10:46 AM 324936 --a------ c:\PROGRA~1\mcafee\msk\mcapbho.dll [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5166B60A-EF8D-469F-8CDC-353D4EDAFF2B}] C:\WINDOWS\system32\fccBRJYq.dll [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{97AC9846-CC79-412B-B026-EFA86EFB717A}] C:\WINDOWS\system32\ljJCtrop.dll [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [14/10/2005 10:49 PM] "igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [14/10/2005 10:46 PM] "igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [14/10/2005 10:50 PM] "IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [04/08/2004 07:00 AM] "MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [04/08/2004 07:00 AM] "PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [04/08/2004 07:00 AM] "PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [04/08/2004 07:00 AM] "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [22/02/2008 03:25 AM] "SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [29/11/2005 06:56 AM] "@"="" [] "IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [30/10/2004 04:59 PM] "SigmatelSysTrayApp"="stsystra.exe" [10/09/2005 01:19 AM C:\WINDOWS\stsystra.exe] "DMXLauncher"="C:\Program Files\Dell\Media Experience\DMXLauncher.exe" [03/05/2006 03:12 AM] "Dell QuickSet"="C:\Program Files\Dell\QuickSet\quickset.exe" [01/09/2005 07:24 PM] "ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [27/07/2004 06:50 PM] "ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [27/07/2004 06:50 PM] "DLA"="C:\WINDOWS\System32\DLA\DLACTRLW.EXE" [07/11/2005 04:20 AM] "NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [09/07/2001 10:50 AM] "HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [08/05/2007 04:24 PM] "PCSuiteTrayApplication"="C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [18/06/2007 03:10 PM] "LogitechCommunicationsManager"="C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [25/10/2007 03:33 PM] "LogitechQuickCamRibbon"="C:\Program Files\Logitech\QuickCam\Quickcam.exe" [25/10/2007 03:37 PM] "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [30/03/2008 10:36 AM] "mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [01/11/2007 07:12 PM] "SiteAdvisor"="C:\Program Files\SiteAdvisor\6261\SiteAdv.exe" [25/08/2007 07:57 AM] "GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [27/10/2006 12:47 AM] "549d7519"="C:\WINDOWS\system32\cgqejcht.dll" [15/06/2008 11:34 PM] "QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [27/05/2008 10:50 AM] "BM57ae4685"="C:\WINDOWS\system32\aisjwmvp.dll" [15/06/2008 11:31 PM] [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ModemOnHold"="C:\Program Files\NetWaiting\netWaiting.exe" [10/09/2003 04:24 AM] "DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [12/11/2006 08:48 PM] "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [04/08/2004 07:00 AM] "SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [28/01/2008 11:43 AM] [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce] "IERESETATTRIB"=%SystemRoot%\system32\cmd.exe /d /q /c %SystemRoot%\system32\ieudinit.exe -ResetFileAttributes "IERESETICONS"=%SystemRoot%\system32\cmd.exe /d /q /c %SystemRoot%\iereseticons.exe [HKEY_USERS\.default\software\microsoft\windows\currentversion\run] "Nokia.PCSync"=C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [23/04/2008 3:38:16 AM] Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [4/03/2006 4:52:02 AM] dlbcserv.lnk - C:\Program Files\Dell Photo Printer 720\dlbcserv.exe [1/03/2007 10:49:48 AM] HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [19/02/2006 4:21:22 AM] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless] C:\Program Files\Intel\Wireless\Bin\LgNotify.dll 07/09/2004 06:08 PM 110592 C:\Program Files\Intel\Wireless\Bin\LgNotify.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows] "appinit_dlls"=C:\WINDOWS\system32\__c0048D61.dat [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa] "Authentication Packages"= msv1_0 C:\WINDOWS\system32\ljJCtrop [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice] @="Service" [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc] @="" [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS] @="" [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{978c9447-a4a9-11db-b0e8-0014229b2c4e}] AutoRun\command- F:\RunGame.exe [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c3c7da8c-a4a1-11db-b0e7-0014229b2c4e}] AutoRun\command- E:\RunGame.exe *Newly Created Service* - RKPAVPROC -- Hosts ----------------------------------------------------------------------- 127.0.0.1 www.007guard.com 127.0.0.1 007guard.com 127.0.0.1 008i.com 127.0.0.1 www.008k.com 127.0.0.1 008k.com 127.0.0.1 www.00hq.com 127.0.0.1 00hq.com 127.0.0.1 010402.com 127.0.0.1 www.032439.com 127.0.0.1 032439.com 8724 more entries in hosts file. -- End of Deckard's System Scanner: finished at 2008-06-17 17:13:26 ------------ Last edited by drobuck23 : 06-17-2008 at 01:32 AM. Reason: spelling |
|
     
|
|
06-20-2008, 12:10 PM
|
#2 (permalink) |
|
Moderator/Analyst, Security Team ; Rangemaster, TSF Academy
Join Date: Oct 2006
Posts: 2,823
OS: XP
|
Re: Virtumonde and Win32 Removal help, Please!
Hi, welcome to tsf!
If you still need assistance, please post a fresh main.txt log
__________________
Proud member of UNITE and ASAP since 2006  If we have helped you, please consider donating. The past won't be able to hurt you unless you keep on looking back at it. |
|
|
|
|
| Thread Tools | |
|
|
