|
|
|
|
|||||
|
|
|
|
|
|
|||
| Welcome
to Tech Support Forum home to more then 136,000 problems solved. Issues
have included: Spyware, Malware, Virus Issues, Windows, Microsoft,
Linux, Networking, Security, Hardware, and Gaming Getting your
problem solved is as easy as: 1. Registering for a free account 2. Asking your question 3. Receiving an answer Registered members: * See fewer ads. * And much more..
|
| Want to know how to post a question? click here | Having problems with spyware and pop-ups? First Steps |
|
|||||||
| HijackThis Log Help Get Rid Of Malware With Help From Our Analysts. Follow the "First Steps" link at the top right of each page before posting for help. |
 |
|
|
Thread Tools |
06-22-2008, 10:54 PM
|
#1 (permalink) |
|
Registered User
Join Date: Oct 2007
Posts: 59
OS: XP
|
System effected by spyware VIRTUMONDE
I have been getting lot of popups to an extent that my machine just freezes and have to restart it.
Initially it was not able to even run PANDA scan as it kept on freezing. Adware and SPYBOT are able to detect and fix virtumonde and virtumonde.dll but popups still are there. Then,I had to restore my PC and atleast then was able to run the panda scan and follow the other steps as advised in initial thread. DSS log(main.txt)is as follows,the other log file didnot open and also attached is Hijack this and Panda ctive scan logfiles. Deckard's System Scanner v20071014.68 Run by asad on 2008-06-23 00:42:00 Computer is in Normal Mode. -------------------------------------------------------------------------------- -- HijackThis (run as asad.exe) ------------------------------------------------ Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 12:42:07 AM, on 6/23/2008 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16674) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe C:\WINDOWS\System32\WLTRYSVC.EXE C:\WINDOWS\System32\bcmwltry.exe C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe C:\WINDOWS\system32\spoolsv.exe C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe C:\WINDOWS\eHome\ehRecvr.exe C:\WINDOWS\eHome\ehSched.exe C:\WINDOWS\System32\GEARSec.exe C:\Program Files\Maxtor\Sync\SyncServices.exe C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe C:\WINDOWS\Explorer.EXE C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe C:\PROGRA~1\McAfee\MSC\mcpromgr.exe c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE C:\Program Files\McAfee\MPF\MPFSrv.exe C:\PROGRA~1\McAfee\MPS\mps.exe C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe C:\Program Files\Dell Support Center\bin\sprtsvc.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\McAfee\MPS\mpsevh.exe C:\WINDOWS\system32\dllhost.exe C:\WINDOWS\ehome\ehtray.exe C:\WINDOWS\system32\hkcmd.exe c:\PROGRA~1\mcafee.com\agent\mcagent.exe C:\WINDOWS\system32\igfxpers.exe C:\WINDOWS\system32\igfxsrvc.exe C:\WINDOWS\system32\WLTRAY.exe C:\WINDOWS\stsystra.exe C:\Program Files\Synaptics\SynTP\SynTPEnh.exe C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe C:\WINDOWS\eHome\ehmsas.exe C:\Program Files\Common Files\Symantec Shared\ccApp.exe C:\Program Files\Common Files\Real\Update_OB\realsched.exe C:\Program Files\Athan\Athan.exe C:\Program Files\PowerISO\PWRISOVM.EXE C:\WINDOWS\system32\dla\tfswctrl.exe C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe C:\Program Files\Citi Virtual Account Numbers\CitiVAN.exe C:\Program Files\Dell Support Center\bin\sprtcmd.exe C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe C:\WINDOWS\system32\ctfmon.exe C:\PROGRA~1\MI3AA1~1\wcescomm.exe C:\PROGRA~1\MI3AA1~1\rapimgr.exe C:\Program Files\Digital Line Detect\DLG.exe C:\WINDOWS\system32\wuauclt.exe C:\Documents and Settings\asad\Desktop\dss.exe C:\PROGRA~1\TRENDM~1\HIJACK~1\asad.exe R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = http://www.google.com/ig/dell?hl=en&...us&ibd=4060918 O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: CitiUS Shared Browser Helper Object - {387EDF53-1CF2-4523-BC2F-13462651BE8C} - C:\WINDOWS\system32\BhoCitUS.dll O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptcl.dll O2 - BHO: (no name) - {9C0D16B5-B440-4898-B57B-4BD0CB6F9784} - C:\WINDOWS\system32\khfCsqOG.dll O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll O2 - BHO: (no name) - {F86B11F3-0CE1-475F-9541-5329BF7B3597} - C:\WINDOWS\system32\nnnomJDs.dll O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" O4 - HKLM\..\Run: [Norton Ghost 10.0] "C:\Program Files\Norton Ghost\Agent\GhostTray.exe" O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [Athan] C:\Program Files\Athan\Athan.exe O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" O4 - HKLM\..\Run: [CitiVAN] C:\Program Files\Citi Virtual Account Numbers\CitiVAN.exe /dontopenmycards O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe" O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter O4 - HKLM\..\Run: [mxomssmenu] "C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe" O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\PROGRA~1\MI3AA1~1\wcescomm.exe" O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe O4 - Global Startup: Digital Line Detect.lnk = ? O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE O4 - Global Startup: VPN Client.lnk = ? O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll O9 - Extra button: Citi - {4C730913-3961-439b-83D5-F4E445520422} - C:\Program Files\Citi Virtual Account Numbers\CitiVAN.exe O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O15 - Trusted Zone: http://www.idoc-online.com (HKLM) O15 - Trusted Zone: http://www.idoc.bz (HKLM) O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/actives.../as2stubie.cab O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab O16 - DPF: {6F750203-1362-4815-A476-88533DE61D0C} (Kodak Gallery Easy Upload Manager Class) - http://www.kodakgallery.com/download...2/axofupld.cab O16 - DPF: {8FEFF364-6A5F-4966-A917-A3AC28411659} - http://download.sopcast.com/download/SOPCORE.CAB O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://www.otsegoclub.com/activex/AxisCamControl.cab O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab O16 - DPF: {C5E28B9D-0A68-4B50-94E9-E8F6B4697514} (NsvPlayX Control) - http://www.nullsoft.com/nsv/embed/nsvplayx_vp3_mp3.cab O20 - Winlogon Notify: nnnomJDs - C:\WINDOWS\SYSTEM32\nnnomJDs.dll O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: Maxtor Service (Maxtor Sync Service) - Seagate Technology LLC - C:\Program Files\Maxtor\Sync\SyncServices.exe O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe O23 - Service: McAfee Privacy Service (MPS9) - McAfee, Inc. - C:\PROGRA~1\McAfee\MPS\mps.exe O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Norton Ghost\Agent\VProSvc.exe O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE -- End of file - 12491 bytes -- Files created between 2008-05-23 and 2008-06-23 ----------------------------- 2008-06-22 23:14:17 0 d-------- C:\WINDOWS\LastGood 2008-06-22 23:02:48 0 d-------- C:\Program Files\DVDFab 5 2008-06-22 23:02:17 0 d-------- C:\WINDOWS\system32\ActiveScan 2008-06-22 21:08:40 746705 --ahs---- C:\WINDOWS\system32\vFeOrtwa.ini2 2008-06-22 19:04:40 741631 --ahs---- C:\WINDOWS\system32\PAJikUtv.ini2 2008-06-22 17:40:28 740104 --ahs---- C:\WINDOWS\system32\SCddLRqr.ini2 2008-06-22 16:05:56 740093 --ahs---- C:\WINDOWS\system32\JiOXwyxx.ini2 2008-06-22 02:18:28 2540 --a------ C:\WINDOWS\unins000.dat 2008-06-22 01:12:27 33792 --a------ C:\WINDOWS\system32\ddcYsRHY.dll 2008-06-22 01:12:15 750657 --ahs---- C:\WINDOWS\system32\GOqsCfhk.ini2 2008-06-22 01:12:11 322560 --a------ C:\WINDOWS\system32\khfCsqOG.dll 2008-06-22 01:03:19 24576 --a------ C:\WINDOWS\system32\nnnomJDs.dll 2008-06-22 01:01:12 0 d-------- C:\Program Files\Zipeg 2008-06-20 17:30:26 0 d-------- C:\Program Files\Maxtor 2008-06-20 17:30:26 0 d-------- C:\Documents and Settings\All Users\Application Data\Maxtor 2008-06-20 17:29:27 0 d-------- C:\Program Files\MSXML 6.0 2008-06-20 17:28:59 0 d--hs---- C:\WINDOWS\ftpcache -- Find3M Report --------------------------------------------------------------- 2008-06-22 23:14:14 0 d-------- C:\Program Files\Panda Security 2008-06-22 23:02:45 0 d-------- C:\Program Files\SpywareBlaster 2008-06-22 23:02:21 0 d-------- C:\Program Files\Avi2Dvd 2008-06-22 10:41:06 0 d-------- C:\Documents and Settings\asad\Application Data\AdobeUM 2008-06-22 01:15:38 0 d-------- C:\Documents and Settings\asad\Application Data\Vso 2008-06-22 01:15:38 33 --a------ C:\Documents and Settings\asad\Application Data\pcouffin.log 2008-06-22 01:04:52 0 d-------- C:\Documents and Settings\asad\Application Data\uTorrent 2008-06-22 01:04:08 47360 --a------ C:\Documents and Settings\asad\Application Data\pcouffin.sys <Not Verified; VSO Software; Patin couffin engine> 2008-06-22 01:04:08 1144 --a------ C:\Documents and Settings\asad\Application Data\pcouffin.inf 2008-06-22 01:04:08 7887 --a------ C:\Documents and Settings\asad\Application Data\pcouffin.cat 2008-06-22 01:01:24 0 d-------- C:\Documents and Settings\asad\Application Data\com.zipeg 2008-06-17 12:29:15 0 d-------- C:\Program Files\AAP 2008-04-25 14:17:18 0 d-------- C:\Program Files\McAfee 2008-03-29 12:09:33 78864 --a------ C:\Documents and Settings\asad\Application Data\GDIPFONTCACHEV1.DAT 2008-03-26 23  17 3766 --ahs---- C:\WINDOWS\system32\KGyGaAvL.sys2008-03-26 23 16 88 -rahs---- C:\WINDOWS\system32\CA0E7B146C.sys-- Registry Dump --------------------------------------------------------------- *Note* empty entries & legit default entries are not shown [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9C0D16B5-B440-4898-B57B-4BD0CB6F9784}] 06/22/2008 01:12 AM 322560 --a------ C:\WINDOWS\system32\khfCsqOG.dll [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F86B11F3-0CE1-475F-9541-5329BF7B3597}] 06/22/2008 01:03 AM 24576 --a------ C:\WINDOWS\system32\nnnomJDs.dll [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ehTray"="C:\WINDOWS\ehome\ehtray.exe" [09/29/2005 03:01 PM] "igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [12/13/2005 05:44 PM] "igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [12/13/2005 05:41 PM] "igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [12/13/2005 05:45 PM] "Broadcom Wireless Manager UI"="C:\WINDOWS\system32\WLTRAY.exe" [12/19/2005 09:08 AM] "SigmatelSysTrayApp"="stsystra.exe" [03/24/2006 05:30 PM C:\WINDOWS\stsystra.exe] "SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [03/08/2006 12:48 PM] "DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [12/09/2005 09:29 PM] "ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [06/10/2005 11:44 AM] "ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [06/10/2005 11:44 AM] "ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [12/13/2004 04:30 PM] "Norton Ghost 10.0"="C:\Program Files\Norton Ghost\Agent\GhostTray.exe" [12/07/2005 05:05 PM] "TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [09/24/2006 02:49 AM] "Athan"="C:\Program Files\Athan\Athan.exe" [09/06/2007 03:25 PM] "PWRISOVM.EXE"="C:\Program Files\PowerISO\PWRISOVM.EXE" [09/09/2006 05:16 AM] "dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [05/31/2005 06:33 AM] "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [06/11/2007 08:56 PM] "MSKDetectorExe"="C:\Program Files\McAfee\SpamKiller\MSKDetct.exe" [11/07/2006 03:49 PM] "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [02/22/2008 05:25 AM] "CitiVAN"="C:\Program Files\Citi Virtual Account Numbers\CitiVAN.exe" [08/12/2004 03:51 PM] "dscactivate"="C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe" [11/15/2007 10:24 AM] "DellSupportCenter"="C:\Program Files\Dell Support Center\bin\sprtcmd.exe" [11/15/2007 10:23 AM] "mxomssmenu"="C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe" [09/06/2007 02:53 PM] [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/10/2004 06:00 AM] "H/PC Connection Agent"="C:\PROGRA~1\MI3AA1~1\wcescomm.exe" [06/26/2006 05:13 PM] "DellSupportCenter"="C:\Program Files\Dell Support Center\bin\sprtcmd.exe" [11/15/2007 10:23 AM] C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [9/23/2005 11:05:26 PM] Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [9/18/2006 5:33:17 PM] Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2/13/2001 1:01:04 AM] VPN Client.lnk - C:\WINDOWS\Installer\{6DC47739-3BB0-4494-A43D-193BF54070AE}\Icon3E5562ED7.ico [5/8/2007 11:50:20 AM] [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system] "InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles "InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks] "{F86B11F3-0CE1-475F-9541-5329BF7B3597}"= C:\WINDOWS\system32\nnnomJDs.dll [06/22/2008 01:03 AM 24576] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\nnnomJDs] nnnomJDs.dll 06/22/2008 01:03 AM 24576 C:\WINDOWS\system32\nnnomJDs.dll [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa] "Authentication Packages"= msv1_0 C:\WINDOWS\system32\khfCsqOG [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice] @="Service" [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS] @="" [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}] AutoRun\command- E:\setup.exe [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{97c7b7e2-1e0a-11dd-8ab8-00038a000015}] AutoRun\command- G:\laucher.exe [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{dd493963-7b3f-11db-88a8-00038a000015}] AutoRun\command- G:\starterfile.exe index.htm -- End of Deckard's System Scanner: finished at 2008-06-23 00:43:18 ------------ |
|
     |
|
06-24-2008, 11:28 PM
|
#2 (permalink) |
|
Security Team (ret.)
Join Date: Nov 2003
Location: Victoria.Australia
Posts: 7,405
OS: XP Pro SP3
|
Re: System effected by spyware VIRTUMONDE
Ok.Lets download ComboFix.exe. This will give me a better view to the files running and also hidden on your computer and also those in the registry..Please visit this webpage for downloading and instructions for running the tool:
Go here ======> A guide and tutorial on using ComboFix <====== Go here Please ensure you read this guide carefully and install the Recovery Console first.This applies to XP Pro and XP Home users only.If you have SP3 installed you will need to use SP2 The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time. Once installed, you should get a prompt that says: The Recovery Console was successfully installed. Please continue as follows: (1) Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix. (2) Click Yes to allow ComboFix to continue scanning for malware. When the tool is finished, it will produce a report for you. Please include the following reports for further review, and so we may continue cleansing the system: C:\ComboFix.txt New HijackThis log. Caution: Never run and remove files with Combofix unless supervised by a qualified security analyst who is experienced in the use of Combofix. Mal use can cause serious computer problems NOTE: Combofix prevents autorun of all CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you - please let me know.
__________________
An Australian Member of  Eddy Last edited by Pancake : 06-24-2008 at 11:31 PM. |
|
|
|
|
06-25-2008, 06:13 PM
|
#3 (permalink) |
|
Registered User
Join Date: Oct 2007
Posts: 59
OS: XP
|
Re: System effected by spyware VIRTUMONDE
Thanx 4 ur reply,my computer is a mess now,as I write from another PC.
First of all IE opens up but with errors,secondly I am not able to access techsupport forum page not even my e-mails as I keep getting errors. I have tried using Firefox but that also freezes the PC once I start browsing.I keep on getting some errors that ....... memory could not be read,click OK to terminate or cancel to DEBUG the program.In short I donot know what is going on. The only new change since the machine was effected by Virtumonde was the installation of windows SP3 and Reinstallation of IE. As I wirte I am in the process of restoring the PC to last known good configuration and then would give it a try,lets see if it works. As of now I have SP3 installed so what do I need to do in order to get combofix as you mentioned it to be used with SP2 only?? If restoration takes the windows back to SP2 then I would try running IE and following what you advised to download combofix.exe. Is there something else which could be done in case this problem is not solved. Thanx once again. |
|
|
|
|
06-25-2008, 06:41 PM
|
#4 (permalink) |
|
Security Team (ret.)
Join Date: Nov 2003
Location: Victoria.Australia
Posts: 7,405
OS: XP Pro SP3
|
Re: System effected by spyware VIRTUMONDE
Just carry out my instructions in my post and read the Combofix tutorial and install recovery console if you need to.You will need the XP2 version.We can get you all back up and running again with the help of Combofix...
__________________
An Australian Member of Eddy |
|
|
|
|
06-25-2008, 07:17 PM
|
#5 (permalink) |
|
Registered User
Join Date: Oct 2007
Posts: 59
OS: XP
|
Re: System effected by spyware VIRTUMONDE
I was able to restore to last known good config and hae downloaded combofix.exe,so far no problem with IE or PC freezing up.
As I have inserted the windows XP CD and in run field typed as follows E:\i386\winnt32.exe/cmdcons it gives an error that windows cannot find this file.pls advise what should be doe to install recovery console. |
|
|
|
|
06-25-2008, 07:26 PM
|
#6 (permalink) |
|
Registered User
Join Date: Oct 2007
Posts: 59
OS: XP
|
Re: System effected by spyware VIRTUMONDE
just wanted to add that I did try microsoft website link but it don't give me the option of installing recovery console for Windows XP MEDIA CENTER version 2005,the only versions I see there are WINDOWS XP HOME or WINDOWS XP PROFESIONAL
|
|
|
|
|
06-25-2008, 07:41 PM
|
#7 (permalink) |
|
Security Team (ret.)
Join Date: Nov 2003
Location: Victoria.Australia
Posts: 7,405
OS: XP Pro SP3
|
Re: System effected by spyware VIRTUMONDE
Your straying off the path.To save a lot of messing about download and run this and post the log....thats all you have to do.
http://subs.geekstogo.com/ComboFix.exe
__________________
An Australian Member of Eddy |
|
|
|
|
06-25-2008, 09:11 PM
|
#8 (permalink) |
|
Registered User
Join Date: Oct 2007
Posts: 59
OS: XP
|
Re: System effected by spyware VIRTUMONDE
I dowloaded and ran Combofix.exe twice and after completing the process this program automatically deleted some files and rebooted the system twice by itself[/b],without creating any log files.
Should I run the Hijack this log file only or any other advice? Thanx |
|
|
|
|
06-25-2008, 09:34 PM
|
#9 (permalink) |
|
Security Team (ret.)
Join Date: Nov 2003
Location: Victoria.Australia
Posts: 7,405
OS: XP Pro SP3
|
Re: System effected by spyware VIRTUMONDE
The file should be here... C:\ComboFix.txt
If not,run this.. Download Deckard's System Scanner (DSS) to your Desktop. Note: You must be logged onto an account with administrator privileges. Close all applications and windows. Double-click on dss.exe to run it, and follow the prompts. When the scan is complete, two text files will open - main.txt <- this one will be maximized and extra.txt <-this one will be minimized. Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of main.txt to here. Please attach extra.txt to your post. To attach a file to a new post, simply Click the[Manage Attachments] button under Additional Options > Attach Files on the post composition page, and copy and paste the following into the "Upload File from your Computer" box: C:\Deckard\System Scanner\extra.txt Click Upload. What DSS will do: Create a new System Restore point in Windows XP and Vista. Clean your Temporary Files, Downloaded Program Files, and Internet Cache Files, and also empty the Recycle Bin on all drives. Check some important areas of your system and produce a report for your analyst to review. DSS automatically runs HijackThis for you, but it will also install and place a shortcut to HijackThis on your desktop if you do not already have HijackThis installed.
__________________
An Australian Member of Eddy |
|
|
|
|
06-25-2008, 09:40 PM
|
#10 (permalink) |
|
Registered User
Join Date: Oct 2007
Posts: 59
OS: XP
|
Re: System effected by spyware VIRTUMONDE
Downloaded and rerun combofix from the following link which worked Go here ======> A guide and tutorial on using ComboFix <====== Go here here are the log results from commbofix and HJT respectively ComboFix 08-06-20.4 - asad 2008-06-25 23:23:24.13 - NTFSx86 Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.615 [GMT -4:00] Running from: C:\Documents and Settings\asad\Desktop\ComboFix.exe WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !! . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . . ---- Previous Run ------- . C:\Documents and Settings\asad\Application Data\inst.exe C:\Documents and Settings\kz\Local Settings\Application Data\Microsoft\Windows Media\10.0\WMSDKNSD.XML C:\WINDOWS\BM4f9b196b.xml C:\WINDOWS\system32\ddcYsRHY.dll C:\WINDOWS\system32\GOqsCfhk.ini C:\WINDOWS\system32\GOqsCfhk.ini2 C:\WINDOWS\system32\iQWycMoq.ini C:\WINDOWS\system32\iQWycMoq.ini2 C:\WINDOWS\system32\JiOXwyxx.ini2 C:\WINDOWS\system32\jknmmUvw.ini2 C:\WINDOWS\system32\khfCsqOG.dll C:\WINDOWS\system32\mcrh.tmp C:\WINDOWS\system32\PAJikUtv.ini2 C:\WINDOWS\system32\qoMcyWQi.dll C:\WINDOWS\system32\SCddLRqr.ini2 C:\WINDOWS\system32\UpMedia C:\WINDOWS\system32\vFeOrtwa.ini2 . ((((((((((((((((((((((((( Files Created from 2008-05-26 to 2008-06-26 ))))))))))))))))))))))))))))))) . 2008-06-25 22:24 . 2008-06-25 23:20 8,305 --a------ C:\WINDOWS\system32\Config.MPF 2008-06-25 22:23 . 2006-03-03 08:07 143,360 --a------ C:\WINDOWS\system32\dunzip32.dll 2008-06-25 22:20 . 2007-11-22 06:44 201,320 --a------ C:\WINDOWS\system32\drivers\mfehidk.sys 2008-06-25 22:20 . 2007-11-22 06:44 79,304 --a------ C:\WINDOWS\system32\drivers\mfeavfk.sys 2008-06-25 22:20 . 2007-12-02 12:51 40,488 --a------ C:\WINDOWS\system32\drivers\mfesmfk.sys 2008-06-25 22:20 . 2007-11-22 06:44 35,240 --a------ C:\WINDOWS\system32\drivers\mfebopk.sys 2008-06-25 22:20 . 2007-11-22 06:44 33,832 --a------ C:\WINDOWS\system32\drivers\mferkdk.sys 2008-06-25 22:19 . 2007-07-13 06:20 113,952 --a------ C:\WINDOWS\system32\drivers\Mpfp.sys 2008-06-25 22:18 . 2008-06-25 22:18 <DIR> d-------- C:\Program Files\McAfee.com 2008-06-25 22:18 . 2008-06-25 22:20 <DIR> d-------- C:\Program Files\Common Files\McAfee 2008-06-24 22:02 . 2008-06-24 22:02 <DIR> d-------- C:\WINDOWS\system32\scripting 2008-06-24 22:02 . 2008-06-24 22:02 <DIR> d-------- C:\WINDOWS\l2schemas 2008-06-24 21:59 . 2008-06-24 21:59 <DIR> d-------- C:\WINDOWS\ServicePackFiles 2008-06-24 21:46 . 2004-07-17 11:35 67,866 --------- C:\WINDOWS\system32\drivers\netwlan5.img 2008-06-24 21:45 . 2004-07-17 11:36 64,352 --------- C:\WINDOWS\system32\drivers\ativmc20.cod 2008-06-24 21:45 . 2006-12-28 15:01 19,569 --a------ C:\WINDOWS\003063_.tmp 2008-06-24 19:49 . 2008-06-25 20:07 <DIR> d----c--- C:\WINDOWS\ie7(2) 2008-06-24 00:57 . 2008-06-24 00:57 24 --a------ C:\WINDOWS\system32\drivers\wnmsav.dat 2008-06-24 00:38 . 2008-06-25 19:57 226,840 --a------ C:\WINDOWS\system32\drivers\APPFCONT.DAT.bck 2008-06-24 00:38 . 2008-06-25 19:57 1,224 --a------ C:\WINDOWS\system32\drivers\APPFLTR.CFG.bck 2008-06-24 00:23 . 2008-06-25 19:57 226,840 --a------ C:\WINDOWS\system32\drivers\APPFCONT.DAT 2008-06-24 00:23 . 2008-06-24 00:23 281 --a------ C:\WINDOWS\system32\PavCPL.dat 2008-06-24 00:22 . 2008-06-24 00:42 <DIR> d-------- C:\WINDOWS\system32\PAV(2) 2008-06-23 00:41 . 2008-06-23 00:41 <DIR> d-------- C:\Deckard 2008-06-22 23:02 . 2008-06-22 23:02 <DIR> d-------- C:\WINDOWS\system32\ActiveScan 2008-06-22 23:02 . 2008-06-22 23:02 <DIR> d-------- C:\Program Files\DVDFab 5 2008-06-22 02:18 . 2008-06-23 21:15 6,724 --a------ C:\WINDOWS\unins000.dat 2008-06-22 01:03 . 2008-06-22 01:03 24,576 --a------ C:\WINDOWS\system32\nnnomJDs.dll 2008-06-22 01:01 . 2008-06-22 01:01 <DIR> d-------- C:\Program Files\Zipeg 2008-06-20 17:30 . 2008-06-20 17:30 <DIR> d-------- C:\Program Files\Maxtor 2008-06-20 17:30 . 2008-06-20 17:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Maxtor 2008-06-20 17:29 . 2008-06-20 17:29 <DIR> d-------- C:\Program Files\MSXML 6.0 2008-06-20 17:28 . 2008-06-20 17:28 <DIR> d--hs---- C:\WINDOWS\ftpcache 2008-06-11 10:16 . 2008-06-13 09:10 272,128 --a------ C:\WINDOWS\system32\drivers\bthport.sys 2008-06-11 10:16 . 2008-06-13 09:10 272,128 --------- C:\WINDOWS\system32\dllcache\bthport.sys . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2008-06-26 02:24 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee 2008-06-26 02:23 --------- d-----w C:\Program Files\McAfee 2008-06-26 00:09 --------- d-----w C:\Program Files\Spybot - Search & Destroy 2008-06-26 00:09 --------- d-----w C:\Program Files\Panda Security 2008-06-26 00:09 --------- d-----w C:\Program Files\Common Files\Panda Software 2008-06-24 03:10 --------- d--h--w C:\Program Files\InstallShield Installation Information 2008-06-23 03:02 --------- d-----w C:\Program Files\SpywareBlaster 2008-06-23 03:02 --------- d-----w C:\Program Files\Avi2Dvd 2008-06-23 02:59 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP 2008-06-22 14:41 --------- d-----w C:\Documents and Settings\asad\Application Data\AdobeUM 2008-06-22 05:15 --------- d-----w C:\Documents and Settings\asad\Application Data\Vso 2008-06-22 05:04 47,360 ----a-w C:\WINDOWS\system32\drivers\pcouffin.sys 2008-06-22 05:04 47,360 ----a-w C:\Documents and Settings\asad\Application Data\pcouffin.sys 2008-06-22 05:04 --------- d-----w C:\Documents and Settings\asad\Application Data\uTorrent 2008-06-22 05:01 --------- d-----w C:\Documents and Settings\asad\Application Data\com.zipeg 2008-06-17 16:29 --------- d-----w C:\Program Files\AAP 2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys 2008-05-08 12:28 202,752 ------w C:\WINDOWS\system32\dllcache\rmcast.sys 2008-05-07 04:55 1,288,192 ----a-w C:\WINDOWS\system32\quartz.dll 2008-05-07 04:55 1,288,192 ----a-w C:\WINDOWS\system32\quartz(2).dll 2008-05-07 04:55 1,288,192 ------w C:\WINDOWS\system32\dllcache\quartz.dll 2008-04-24 02:16 3,591,680 ------w C:\WINDOWS\system32\dllcache\mshtml.dll 2008-04-22 07:40 625,664 ------w C:\WINDOWS\system32\dllcache\iexplore.exe 2008-04-22 07:39 70,656 ------w C:\WINDOWS\system32\dllcache\ie4uinit.exe 2008-04-22 07:39 13,824 ------w C:\WINDOWS\system32\dllcache\ieudinit.exe 2008-04-20 05:07 161,792 ------w C:\WINDOWS\system32\dllcache\ieakui.dll 2008-04-14 00:25 1,804 ----a-w C:\WINDOWS\system32\dcache.bin 2008-04-14 00:12 666,112 ----a-w C:\WINDOWS\system32\wininet(4).dll 2008-04-14 00:12 666,112 ----a-w C:\WINDOWS\system32\wininet(3).dll 2008-04-14 00:12 619,520 ----a-w C:\WINDOWS\system32\urlmon(3).dll 2008-04-14 00:12 37,888 ----a-w C:\WINDOWS\system32\url(3).dll 2008-04-14 00:12 276,480 ----a-w C:\WINDOWS\system32\webcheck(2).dll 2008-04-14 00:11 99,840 ----a-w C:\WINDOWS\system32\advpack(2).dll 2008-03-29 16:09 78,864 ----a-w C:\Documents and Settings\asad\Application Data\GDIPFONTCACHEV1.DAT 2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll 2008-03-27 08:12 151,583 ------w C:\WINDOWS\system32\dllcache\msjint40.dll 2008-03-27 03:06 3,766 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys 2007-11-07 05:58 622 ----a-w C:\Documents and Settings\asad\Application Data\wklnhst.dat 2007-03-08 21:09 87,608 ----a-w C:\Documents and Settings\asad\Application Data\ezpinst.exe . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F86B11F3-0CE1-475F-9541-5329BF7B3597}] 2008-06-22 01:03 24576 --a------ C:\WINDOWS\system32\nnnomJDs.dll [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 06:00 15360] "H/PC Connection Agent"="C:\PROGRA~1\MI3AA1~1\wcescomm.exe" [2006-06-26 17:13 1207080] "DellSupportCenter"="C:\Program Files\Dell Support Center\bin\sprtcmd.exe" [2007-11-15 10:23 202544] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-09-29 15:01 67584] "igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-12-13 17:44 98304] "igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-12-13 17:41 77824] "igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-12-13 17:45 118784] "Broadcom Wireless Manager UI"="C:\WINDOWS\system32\WLTRAY.exe" [2005-12-19 09:08 1347584] "SigmatelSysTrayApp"="stsystra.exe" [2006-03-24 17:30 282624 C:\WINDOWS\stsystra.exe] "SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 12:48 761947] "DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-12-09 21:29 49152] "ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 11:44 249856] "ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 11:44 81920] "ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2004-12-13 16:30 58992] "Norton Ghost 10.0"="C:\Program Files\Norton Ghost\Agent\GhostTray.exe" [2005-12-07 17:05 1537696] "TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-09-24 02:49 185784] "Athan"="C:\Program Files\Athan\Athan.exe" [2007-09-06 15:25 1003520] "PWRISOVM.EXE"="C:\Program Files\PowerISO\PWRISOVM.EXE" [2006-09-09 05:16 196608] "dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2005-05-31 06:33 122941] "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-11 20:56 282624] "MSKDetectorExe"="C:\Program Files\McAfee\SpamKiller\MSKDetct.exe" [2006-11-07 15:49 1121280] "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 05:25 144784] "CitiVAN"="C:\Program Files\Citi Virtual Account Numbers\CitiVAN.exe" [2004-08-12 15:51 192512] "dscactivate"="C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 10:24 16384] "DellSupportCenter"="C:\Program Files\Dell Support Center\bin\sprtcmd.exe" [2007-11-15 10:23 202544] "mxomssmenu"="C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe" [2007-09-06 14:53 169264] "mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-11-01 19:12 582992] C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 23:05:26 29696] Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2006-09-18 17:33:17 24576] Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04 83360] VPN Client.lnk - C:\WINDOWS\Installer\{6DC47739-3BB0-4494-A43D-193BF54070AE}\Icon3E5562ED7.ico [2007-05-08 11:50:20 6144] [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system] "InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles "InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme [hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks] "{F86B11F3-0CE1-475F-9541-5329BF7B3597}"= C:\WINDOWS\system32\nnnomJDs.dll [2008-06-22 01:03 24576] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\nnnomJDs] nnnomJDs.dll 2008-06-22 01:03 24576 C:\WINDOWS\system32\nnnomJDs.dll [HKEY_LOCAL_MACHINE\software\microsoft\security center] "AntiVirusDisableNotify"=dword:00000001 [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus] "DisableMonitoring"=dword:00000001 [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall] "DisableMonitoring"=dword:00000001 [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "C:\\Documents and Settings\\asad\\Desktop\\utorrent.exe"= "C:\\Program Files\\FrostWire\\FrostWire.exe"= "C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"= R2 Maxtor Sync Service;Maxtor Service;"C:\Program Files\Maxtor\Sync\SyncServices.exe" [2007-09-28 12:24] R2 sprtsvc_dellsupportcenter;SupportSoft Sprocket Service (dellsupportcenter);C:\Program Files\Dell Support Center\bin\sprtsvc.exe [2007-11-15 10:23] R2 SVKP;SVKP;C:\WINDOWS\system32\SVKP.sys [2007-03-03 21:42] S2 0267201214446784mcinstcleanup;McAfee Application Installer Cleanup (0267201214446784);C:\DOCUME~1\asad\LOCALS~1\Temp\026720~1.EXE C:\PROGRA~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini [] [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}] \Shell\AutoRun\command - E:\setup.exe [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{97c7b7e2-1e0a-11dd-8ab8-00038a000015}] \Shell\AutoRun\command - G:\laucher.exe [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{dd493963-7b3f-11db-88a8-00038a000015}] \Shell\AutoRun\command - G:\starterfile.exe index.htm . Contents of the 'Scheduled Tasks' folder "2008-06-26 02:19:09 C:\WINDOWS\Tasks\McDefragTask.job" - c:\PROGRA~1\mcafee\mqc\QcConsol.exe' "2008-06-26 02:19:07 C:\WINDOWS\Tasks\McQcTask.job" - c:\PROGRA~1\mcafee\mqc\QcConsol.exe . ************************************************************************** catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2008-06-25 23:28:41 Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** . --------------------- DLLs Loaded Under Running Processes --------------------- PROCESS: C:\WINDOWS\system32\winlogon.exe -> C:\WINDOWS\system32\nnnomJDs.dll . Completion time: 2008-06-25 23:32:35 ComboFix-quarantined-files.txt 2008-06-26 03:32:27 ComboFix2.txt 2008-01-05 18:13:49 Pre-Run: 11,673,792,512 bytes free Post-Run: 11,656,110,080 bytes free 203 --- E O F --- 2008-06-23 05:32:39 HJT log Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 11:33:31 PM, on 6/25/2008 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16674) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe C:\WINDOWS\System32\WLTRYSVC.EXE C:\WINDOWS\System32\bcmwltry.exe C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe C:\WINDOWS\system32\spoolsv.exe C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe C:\WINDOWS\eHome\ehRecvr.exe C:\WINDOWS\eHome\ehSched.exe C:\WINDOWS\System32\GEARSec.exe C:\Program Files\Maxtor\Sync\SyncServices.exe C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE C:\Program Files\McAfee\MPF\MPFSrv.exe C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe C:\Program Files\Dell Support Center\bin\sprtsvc.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\dllhost.exe c:\PROGRA~1\mcafee.com\agent\mcagent.exe C:\WINDOWS\ehome\ehtray.exe C:\WINDOWS\system32\hkcmd.exe C:\WINDOWS\system32\igfxpers.exe C:\WINDOWS\system32\igfxsrvc.exe C:\WINDOWS\system32\WLTRAY.exe C:\WINDOWS\stsystra.exe C:\Program Files\Synaptics\SynTP\SynTPEnh.exe C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe C:\WINDOWS\eHome\ehmsas.exe C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe C:\Program Files\Common Files\Symantec Shared\ccApp.exe C:\Program Files\Common Files\Real\Update_OB\realsched.exe C:\Program Files\PowerISO\PWRISOVM.EXE C:\WINDOWS\system32\dla\tfswctrl.exe C:\Program Files\QuickTime\qttask.exe C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe C:\Program Files\Citi Virtual Account Numbers\CitiVAN.exe C:\Program Files\Dell Support Center\bin\sprtcmd.exe C:\WINDOWS\system32\ctfmon.exe C:\PROGRA~1\MI3AA1~1\wcescomm.exe C:\PROGRA~1\MI3AA1~1\rapimgr.exe C:\Program Files\Digital Line Detect\DLG.exe c:\PROGRA~1\mcafee\msc\mcuimgr.exe C:\WINDOWS\explorer.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = http://www.google.com/ig/dell?hl=en&...us&ibd=4060918 O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: CitiUS Shared Browser Helper Object - {387EDF53-1CF2-4523-BC2F-13462651BE8C} - C:\WINDOWS\system32\BhoCitUS.dll O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll O2 - BHO: (no name) - {F86B11F3-0CE1-475F-9541-5329BF7B3597} - C:\WINDOWS\system32\nnnomJDs.dll O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" O4 - HKLM\..\Run: [Norton Ghost 10.0] "C:\Program Files\Norton Ghost\Agent\GhostTray.exe" O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [Athan] C:\Program Files\Athan\Athan.exe O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" O4 - HKLM\..\Run: [CitiVAN] C:\Program Files\Citi Virtual Account Numbers\CitiVAN.exe /dontopenmycards O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe" O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter O4 - HKLM\..\Run: [mxomssmenu] "C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe" O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\PROGRA~1\MI3AA1~1\wcescomm.exe" O4 - HKCU\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe O4 - Global Startup: Digital Line Detect.lnk = ? O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE O4 - Global Startup: VPN Client.lnk = ? O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll O9 - Extra button: Citi - {4C730913-3961-439b-83D5-F4E445520422} - C:\Program Files\Citi Virtual Account Numbers\CitiVAN.exe O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O15 - Trusted Zone: http://www.idoc-online.com (HKLM) O15 - Trusted Zone: http://www.idoc.bz (HKLM) O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/actives.../as2stubie.cab O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab O16 - DPF: {6F750203-1362-4815-A476-88533DE61D0C} (Kodak Gallery Easy Upload Manager Class) - http://www.kodakgallery.com/download...2/axofupld.cab O16 - DPF: {8FEFF364-6A5F-4966-A917-A3AC28411659} - http://download.sopcast.com/download/SOPCORE.CAB O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://www.otsegoclub.com/activex/AxisCamControl.cab O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab O16 - DPF: {C5E28B9D-0A68-4B50-94E9-E8F6B4697514} (NsvPlayX Control) - http://www.nullsoft.com/nsv/embed/nsvplayx_vp3_m |
