Resolved HJT Threads: resolved spyware and popup issues.
11-09-2008, 09:58 PM   #1
bajanknight
Join Date: Nov 2008
Location: Florida
Posts: 34
OS: win xp home sp2
Programs Restricted/no desktop/Virtumonde

Thanks in advance for your assistance.

Dell Dimension 2400 p4 2.8ghz 2gb ram
WinXP Home SP2

I have been attempting to help rescue a friend's infected-beyond-belief PC. The goal is to get the system back to a point where a backup of important files can be done from the user account login.

A normal boot into the user account with password ends with the display of the user's desktop wallpaper but nothing else (no icons or start bar).
Unable to Ctrl-Alt-Del into Task Manager; a hard reset is required.

Safe mode boot into admin is successful, with a black screen as the only result. Ctrl-Alt-Del does open Task Manager, and the gpupdate command resuscitates the admin's desktop icons and allows close-to-normal functionality. I managed to run the ClamWin Portable virus scanner and it cleaned many things. New Adaware would not run; it gave a message about administrator restrictions. Spybot did install and run and cleaned many things; what is left either can't be removed because it is in use, or reinstalls itself during a reboot. The virtumonde.dll is one of those.

I have read the pre-steps to take and hope that I have followed the normal procedures.

Recovery Console installed and shows as an option in bootup.

Logfile of RSIT, copied and pasted:

Logfile of random's system information tool 1.04 (written by random/random)
Run by Administrator at 2008-11-09 23:30:45
Microsoft Windows XP Home Edition Service Pack 2
System drive C: has 60 GB (79%) free of 76 GB
Total RAM: 2046 MB (86% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:30:56 PM, on 11/9/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Safe mode

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Administrator\Desktop\RSIT.exe
C:\Program Files\Trend Micro\HijackThis\Administrator.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://www.dell.com
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {A3799CB4-CC4D-4367-AEF0-307D6EF89F7F} - C:\WINDOWS\system32\mlljg.dll
O2 - BHO: {77d5fa4b-c08a-ba3b-ead4-cfb5778d0c4b} - {b4c0d877-5bfc-4dae-b3ab-a80cb4af5d77} - C:\WINDOWS\system32\kcbgtcnu.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\RunOnce: [SpybotDeletingA9519] command /c del "C:\Documents and Settings\All Users\Application Data\SeekmoSA\SeekmoSA.dat"
O4 - HKLM\..\RunOnce: [SpybotDeletingC3804] cmd /c del "C:\Documents and Settings\All Users\Application Data\SeekmoSA\SeekmoSA.dat"
O4 - HKLM\..\RunOnce: [SpybotDeletingA6806] command /c del "C:\Documents and Settings\All Users\Application Data\SeekmoSA\SeekmoSAau.dat"
O4 - HKLM\..\RunOnce: [SpybotDeletingC1350] cmd /c del "C:\Documents and Settings\All Users\Application Data\SeekmoSA\SeekmoSAau.dat"
O4 - HKLM\..\RunOnce: [SpybotDeletingA6171] command /c del "C:\Documents and Settings\All Users\Application Data\SeekmoSA\SeekmoSA_kyf.dat"
O4 - HKLM\..\RunOnce: [SpybotDeletingC9339] cmd /c del "C:\Documents and Settings\All Users\Application Data\SeekmoSA\SeekmoSA_kyf.dat"
O4 - HKLM\..\RunOnce: [SpybotDeletingA3251] command /c del "C:\Documents and Settings\All Users\Application Data\SeekmoSA\SeekmoSAAbout.mht"
O4 - HKLM\..\RunOnce: [SpybotDeletingC5520] cmd /c del "C:\Documents and Settings\All Users\Application Data\SeekmoSA\SeekmoSAAbout.mht"
O4 - HKLM\..\RunOnce: [SpybotDeletingA7408] command /c del "C:\Documents and Settings\All Users\Application Data\SeekmoSA\SeekmoSAEula.mht"
O4 - HKLM\..\RunOnce: [SpybotDeletingC3607] cmd /c del "C:\Documents and Settings\All Users\Application Data\SeekmoSA\SeekmoSAEula.mht"
O4 - HKLM\..\RunOnce: [SpybotDeletingA4519] command /c del "C:\Documents and Settings\All Users\Start Menu\Programs\Seekmo\Reset Cursor.lnk"
O4 - HKLM\..\RunOnce: [SpybotDeletingC7788] cmd /c del "C:\Documents and Settings\All Users\Start Menu\Programs\Seekmo\Reset Cursor.lnk"
O4 - HKLM\..\RunOnce: [SpybotDeletingA4326] command /c del "C:\Documents and Settings\All Users\Start Menu\Programs\Seekmo\Seekmo Customer Support Center.lnk"
O4 - HKLM\..\RunOnce: [SpybotDeletingC7234] cmd /c del "C:\Documents and Settings\All Users\Start Menu\Programs\Seekmo\Seekmo Customer Support Center.lnk"
O4 - HKLM\..\RunOnce: [SpybotDeletingA9965] command /c del "C:\Documents and Settings\All Users\Start Menu\Programs\Seekmo\Seekmo Uninstall Instructions.lnk"
O4 - HKLM\..\RunOnce: [SpybotDeletingC2754] cmd /c del "C:\Documents and Settings\All Users\Start Menu\Programs\Seekmo\Seekmo Uninstall Instructions.lnk"
O4 - HKLM\..\RunOnce: [SpybotDeletingA3024] command /c del "C:\WINDOWS\SYSTEM32\mlljg.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingC3495] cmd /c del "C:\WINDOWS\SYSTEM32\mlljg.dll"
O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKLM\..\RunOnce: [SpybotDeletingA3896] command /c del "C:\WINDOWS\SYSTEM32\mlljg.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingC1707] cmd /c del "C:\WINDOWS\SYSTEM32\mlljg.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingA2619] command /c del "C:\WINDOWS\SYSTEM32\mlljg.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingC7137] cmd /c del "C:\WINDOWS\SYSTEM32\mlljg.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingA8943] command /c del "C:\WINDOWS\SYSTEM32\mlljg.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingC2491] cmd /c del "C:\WINDOWS\SYSTEM32\mlljg.dll"
O4 - HKLM\..\RunOnce: [GrpConv] grpconv -o
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\RunOnce: [SpybotDeletingB3178] command /c del "C:\Documents and Settings\All Users\Application Data\SeekmoSA\SeekmoSA.dat"
O4 - HKCU\..\RunOnce: [SpybotDeletingD7475] cmd /c del "C:\Documents and Settings\All Users\Application Data\SeekmoSA\SeekmoSA.dat"
O4 - HKCU\..\RunOnce: [SpybotDeletingB7240] command /c del "C:\Documents and Settings\All Users\Application Data\SeekmoSA\SeekmoSAau.dat"
O4 - HKCU\..\RunOnce: [SpybotDeletingD9395] cmd /c del "C:\Documents and Settings\All Users\Application Data\SeekmoSA\SeekmoSAau.dat"
O4 - HKCU\..\RunOnce: [SpybotDeletingB7743] command /c del "C:\Documents and Settings\All Users\Application Data\SeekmoSA\SeekmoSA_kyf.dat"
O4 - HKCU\..\RunOnce: [SpybotDeletingD4622] cmd /c del "C:\Documents and Settings\All Users\Application Data\SeekmoSA\SeekmoSA_kyf.dat"
O4 - HKCU\..\RunOnce: [SpybotDeletingB7347] command /c del "C:\Documents and Settings\All Users\Application Data\SeekmoSA\SeekmoSAAbout.mht"
O4 - HKCU\..\RunOnce: [SpybotDeletingD4538] cmd /c del "C:\Documents and Settings\All Users\Application Data\SeekmoSA\SeekmoSAAbout.mht"
O4 - HKCU\..\RunOnce: [SpybotDeletingB497] command /c del "C:\Documents and Settings\All Users\Application Data\SeekmoSA\SeekmoSAEula.mht"
O4 - HKCU\..\RunOnce: [SpybotDeletingD1761] cmd /c del "C:\Documents and Settings\All Users\Application Data\SeekmoSA\SeekmoSAEula.mht"
O4 - HKCU\..\RunOnce: [SpybotDeletingB3792] command /c del "C:\Documents and Settings\All Users\Start Menu\Programs\Seekmo\Reset Cursor.lnk"
O4 - HKCU\..\RunOnce: [SpybotDeletingD3745] cmd /c del "C:\Documents and Settings\All Users\Start Menu\Programs\Seekmo\Reset Cursor.lnk"
O4 - HKCU\..\RunOnce: [SpybotDeletingB2934] command /c del "C:\Documents and Settings\All Users\Start Menu\Programs\Seekmo\Seekmo Customer Support Center.lnk"
O4 - HKCU\..\RunOnce: [SpybotDeletingD3154] cmd /c del "C:\Documents and Settings\All Users\Start Menu\Programs\Seekmo\Seekmo Customer Support Center.lnk"
O4 - HKCU\..\RunOnce: [SpybotDeletingB1312] command /c del "C:\Documents and Settings\All Users\Start Menu\Programs\Seekmo\Seekmo Uninstall Instructions.lnk"
O4 - HKCU\..\RunOnce: [SpybotDeletingD4995] cmd /c del "C:\Documents and Settings\All Users\Start Menu\Programs\Seekmo\Seekmo Uninstall Instructions.lnk"
O4 - HKCU\..\RunOnce: [SpybotDeletingB5066] command /c del "C:\WINDOWS\SYSTEM32\mlljg.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingD6844] cmd /c del "C:\WINDOWS\SYSTEM32\mlljg.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingB9161] command /c del "C:\WINDOWS\SYSTEM32\mlljg.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingD1914] cmd /c del "C:\WINDOWS\SYSTEM32\mlljg.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingB5601] command /c del "C:\WINDOWS\SYSTEM32\mlljg.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingD3315] cmd /c del "C:\WINDOWS\SYSTEM32\mlljg.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingB8289] command /c del "C:\WINDOWS\SYSTEM32\mlljg.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingD2483] cmd /c del "C:\WINDOWS\SYSTEM32\mlljg.dll"
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\npjpi160_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\npjpi160_05.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1005.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.mail.live.com/mail/w1/re...s/MSNPUpld.cab
O16 - DPF: {F137B9BA-89EA-4B04-9C67-2074A9DF61FD} (Photo Upload Plugin Class) - http://cvs.pnimedia.com/upload/activ...v2.0.0.10.cab?
O17 - HKLM\System\CCS\Services\Tcpip\..\{777B9D40-F35A-471A-A863-F6E7B3FC9751}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{861BEBB0-E147-491F-B363-309EEC201B53}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{9F1519AE-0148-44FB-9E19-8D4A8112F5C6}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O18 - Protocol: ebk - {1E411CE8-FE8B-4973-B8E0-6EA2CC3C6B06} - C:\WINDOWS\System32\ebkp.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: lxdc_device - Unknown owner - C:\WINDOWS\System32\lxdccoms.exe (file missing)
O23 - Service: TTUQNRGA - Unknown owner - C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\TTUQNRGA.exe (file missing)
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 10337 bytes

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
Spybot-S&D IE Protection - C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2008-07-07 1562448]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
SSVHelper Class - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll [2008-02-22 509328]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A3799CB4-CC4D-4367-AEF0-307D6EF89F7F}]
C:\WINDOWS\system32\mlljg.dll [2008-02-05 326240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{b4c0d877-5bfc-4dae-b3ab-a80cb4af5d77}]
C:\WINDOWS\system32\kcbgtcnu.dll [2008-04-25 98880]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{327C2873-E90D-4c37-AA9D-10AC9BABA46C} - Easy-WebPrint - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll [2004-08-26 405504]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"SpybotDeletingA9519"=command /c del C:\Documents and Settings\All Users\Application Data\SeekmoSA\SeekmoSA.dat []
"SpybotDeletingC3804"=cmd /c del C:\Documents and Settings\All Users\Application Data\SeekmoSA\SeekmoSA.dat []
"SpybotDeletingA6806"=command /c del C:\Documents and Settings\All Users\Application Data\SeekmoSA\SeekmoSAau.dat []
"SpybotDeletingC1350"=cmd /c del C:\Documents and Settings\All Users\Application Data\SeekmoSA\SeekmoSAau.dat []
"SpybotDeletingA6171"=command /c del C:\Documents and Settings\All Users\Application Data\SeekmoSA\SeekmoSA_kyf.dat []
"SpybotDeletingC9339"=cmd /c del C:\Documents and Settings\All Users\Application Data\SeekmoSA\SeekmoSA_kyf.dat []
"SpybotDeletingA3251"=command /c del C:\Documents and Settings\All Users\Application Data\SeekmoSA\SeekmoSAAbout.mht []
"SpybotDeletingC5520"=cmd /c del C:\Documents and Settings\All Users\Application Data\SeekmoSA\SeekmoSAAbout.mht []
"SpybotDeletingA7408"=command /c del C:\Documents and Settings\All Users\Application Data\SeekmoSA\SeekmoSAEula.mht []
"SpybotDeletingC3607"=cmd /c del C:\Documents and Settings\All Users\Application Data\SeekmoSA\SeekmoSAEula.mht []
"SpybotDeletingA4519"=command /c del C:\Documents and Settings\All Users\Start Menu\Programs\Seekmo\Reset Cursor.lnk []
"SpybotDeletingC7788"=cmd /c del C:\Documents and Settings\All Users\Start Menu\Programs\Seekmo\Reset Cursor.lnk []
"SpybotDeletingA4326"=command /c del C:\Documents and Settings\All Users\Start Menu\Programs\Seekmo\Seekmo Customer Support Center.lnk []
"SpybotDeletingC7234"=cmd /c del C:\Documents and Settings\All Users\Start Menu\Programs\Seekmo\Seekmo Customer Support Center.lnk []
"SpybotDeletingA9965"=command /c del C:\Documents and Settings\All Users\Start Menu\Programs\Seekmo\Seekmo Uninstall Instructions.lnk []
"SpybotDeletingC2754"=cmd /c del C:\Documents and Settings\All Users\Start Menu\Programs\Seekmo\Seekmo Uninstall Instructions.lnk []
"SpybotDeletingA3024"=command /c del C:\WINDOWS\SYSTEM32\mlljg.dll []
"SpybotDeletingC3495"=cmd /c del C:\WINDOWS\SYSTEM32\mlljg.dll []
"SpybotSnD"=C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe [2008-07-07 4891472]
"SpybotDeletingA3896"=command /c del C:\WINDOWS\SYSTEM32\mlljg.dll []
"SpybotDeletingC1707"=cmd /c del C:\WINDOWS\SYSTEM32\mlljg.dll []
"SpybotDeletingA2619"=command /c del C:\WINDOWS\SYSTEM32\mlljg.dll []
"SpybotDeletingC7137"=cmd /c del C:\WINDOWS\SYSTEM32\mlljg.dll []
"SpybotDeletingA8943"=command /c del C:\WINDOWS\SYSTEM32\mlljg.dll []
"SpybotDeletingC2491"=cmd /c del C:\WINDOWS\SYSTEM32\mlljg.dll []
""= []
"GrpConv"=grpconv -o []

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"=C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe [2008-07-07 2156368]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"SpybotDeletingB3178"=command /c del C:\Documents and Settings\All Users\Application Data\SeekmoSA\SeekmoSA.dat []
"SpybotDeletingD7475"=cmd /c del C:\Documents and Settings\All Users\Application Data\SeekmoSA\SeekmoSA.dat []
"SpybotDeletingB7240"=command /c del C:\Documents and Settings\All Users\Application Data\SeekmoSA\SeekmoSAau.dat []
"SpybotDeletingD9395"=cmd /c del C:\Documents and Settings\All Users\Application Data\SeekmoSA\SeekmoSAau.dat []
"SpybotDeletingB7743"=command /c del C:\Documents and Settings\All Users\Application Data\SeekmoSA\SeekmoSA_kyf.dat []
"SpybotDeletingD4622"=cmd /c del C:\Documents and Settings\All Users\Application Data\SeekmoSA\SeekmoSA_kyf.dat []
"SpybotDeletingB7347"=command /c del C:\Documents and Settings\All Users\Application Data\SeekmoSA\SeekmoSAAbout.mht []
"SpybotDeletingD4538"=cmd /c del C:\Documents and Settings\All Users\Application Data\SeekmoSA\SeekmoSAAbout.mht []
"SpybotDeletingB497"=command /c del C:\Documents and Settings\All Users\Application Data\SeekmoSA\SeekmoSAEula.mht []
"SpybotDeletingD1761"=cmd /c del C:\Documents and Settings\All Users\Application Data\SeekmoSA\SeekmoSAEula.mht []
"SpybotDeletingB3792"=command /c del C:\Documents and Settings\All Users\Start Menu\Programs\Seekmo\Reset Cursor.lnk []
"SpybotDeletingD3745"=cmd /c del C:\Documents and Settings\All Users\Start Menu\Programs\Seekmo\Reset Cursor.lnk []
"SpybotDeletingB2934"=command /c del C:\Documents and Settings\All Users\Start Menu\Programs\Seekmo\Seekmo Customer Support Center.lnk []
"SpybotDeletingD3154"=cmd /c del C:\Documents and Settings\All Users\Start Menu\Programs\Seekmo\Seekmo Customer Support Center.lnk []
"SpybotDeletingB1312"=command /c del C:\Documents and Settings\All Users\Start Menu\Programs\Seekmo\Seekmo Uninstall Instructions.lnk []
"SpybotDeletingD4995"=cmd /c del C:\Documents and Settings\All Users\Start Menu\Programs\Seekmo\Seekmo Uninstall Instructions.lnk []
"SpybotDeletingB5066"=command /c del C:\WINDOWS\SYSTEM32\mlljg.dll []
"SpybotDeletingD6844"=cmd /c del C:\WINDOWS\SYSTEM32\mlljg.dll []
"SpybotDeletingB9161"=command /c del C:\WINDOWS\SYSTEM32\mlljg.dll []
"SpybotDeletingD1914"=cmd /c del C:\WINDOWS\SYSTEM32\mlljg.dll []
"SpybotDeletingB5601"=command /c del C:\WINDOWS\SYSTEM32\mlljg.dll []
"SpybotDeletingD3315"=cmd /c del C:\WINDOWS\SYSTEM32\mlljg.dll []
"SpybotDeletingB8289"=command /c del C:\WINDOWS\SYSTEM32\mlljg.dll []
"SpybotDeletingD2483"=cmd /c del C:\WINDOWS\SYSTEM32\mlljg.dll []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\00d971c8]
C:\WINDOWS\system32\cnmhypvr.dll [2008-04-26 87104]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BCMSMMSG]
C:\WINDOWS\BCMSMMSG.exe [2003-06-02 122880]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BM03ea4254]
C:\WINDOWS\system32\oxvqlkrv.dll [2008-04-26 106048]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EasyLinkAdvisor]
C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe [2006-10-30 392832]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
C:\Program Files\iTunes\iTunesHelper.exe [2005-05-13 278528]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OpwareSE2]
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe [2003-05-08 49152]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\qttask.exe [2005-05-21 98304]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe [2008-02-22 144784]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
C:\Program Files\Common Files\Real\Update_OB\realsched.exe [2004-03-06 151597]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Wireless Lan Utility.lnk]
C:\PROGRA~1\WIRELE~1\WLANUT~1.EXE [2003-01-13 266240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
UPnPMonitor - {e57ce738-33e8-4c51-8354-bb4de9d215d1} - C:\WINDOWS\system32\upnpui.dll [2004-08-04 239616]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MSIServer]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Otx83.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\MSIServer]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\Otx83.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\UploadMgr]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDrives"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=
"NoDrives"=
"NoDriveAutoRun"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

======List of files/folders created in the last 3 months======

2008-11-09 23:30:45 ----D---- C:\rsit
2008-11-09 23:26:29 ----D---- C:\Program Files\Trend Micro
2008-11-09 23:21:30 ----SHD---- C:\RECYCLER
2008-11-09 22:39:38 ----D---- C:\WINDOWS\temp
2008-11-09 22:39:36 ----A---- C:\ComboFix.txt
2008-11-09 22:26:30 ----A---- C:\Boot.bak
2008-11-09 22:26:11 ----RASHD---- C:\cmdcons
2008-11-09 22:19:55 ----A---- C:\WINDOWS\NIRCMD.exe
2008-11-09 22:19:54 ----A---- C:\WINDOWS\zip.exe
2008-11-09 22:19:54 ----A---- C:\WINDOWS\VFIND.exe
2008-11-09 22:19:54 ----A---- C:\WINDOWS\SWXCACLS.exe
2008-11-09 22:19:54 ----A---- C:\WINDOWS\SWSC.exe
2008-11-09 22:19:54 ----A---- C:\WINDOWS\SWREG.exe
2008-11-09 22:19:54 ----A---- C:\WINDOWS\sed.exe
2008-11-09 22:19:54 ----A---- C:\WINDOWS\grep.exe
2008-11-09 22:19:54 ----A---- C:\WINDOWS\fdsv.exe
2008-11-09 22:19:46 ----D---- C:\WINDOWS\ERDNT
2008-11-09 22:19:46 ----D---- C:\Qoobox
2008-11-08 17:32:07 ----D---- C:\Documents and Settings\Administrator\Application Data\TrueCrypt
2008-11-08 16:19:30 ----D---- C:\Program Files\Spybot - Search & Destroy
2008-11-08 16:19:30 ----D---- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-11-08 15:47:00 ----D---- C:\Program Files\Common Files\Wise Installation Wizard
2008-11-07 22:27:58 ----A---- C:\WINDOWS\gmer.ini
2008-11-07 22:27:55 ----A---- C:\WINDOWS\gmer_uninstall.cmd
2008-11-07 22:27:54 ----A---- C:\WINDOWS\gmer.exe
2008-11-07 22:27:54 ----A---- C:\WINDOWS\gmer.dll
2008-11-07 01:47:30 ----A---- C:\WINDOWS\SchedLgU.Txt
2008-11-07 01:28:44 ----D---- C:\WINDOWS\pss
2008-11-07 00:43:42 ----A---- C:\WINDOWS\ntbtlog.txt
2008-11-07 00:23:07 ----D---- C:\Program Files\CCleaner
2008-11-05 22:41:12 ----D---- C:\WINDOWS\ERUNT
2008-11-05 22:35:14 ----D---- C:\SDFix
2008-11-05 22:30:12 ----D---- C:\ClamWinPortable
2008-11-05 22:28:29 ----A---- C:\WINDOWS\system32\hidserv.dll

======List of files/folders modified in the last 3 months======

2008-11-09 23:28:48 ----D---- C:\Downloads
2008-11-09 23:26:29 ----AD---- C:\Program Files
2008-11-09 22:39:40 ----SHD---- C:\WINDOWS\SYSTEM32
2008-11-09 22:39:40 ----D---- C:\WINDOWS\system32\DRIVERS
2008-11-09 22:39:38 ----AD---- C:\WINDOWS
2008-11-09 22:38:40 ----D---- C:\WINDOWS\system32\CatRoot2
2008-11-09 22:33:55 ----A---- C:\WINDOWS\system.ini
2008-11-09 22:33:06 ----SHD---- C:\System Volume Information
2008-11-09 22:33:06 ----D---- C:\WINDOWS\system32\Restore
2008-11-09 22:31:44 ----D---- C:\WINDOWS\system32\CONFIG
2008-11-09 22:29:19 ----D---- C:\WINDOWS\AppPatch
2008-11-09 22:29:19 ----D---- C:\Program Files\Common Files
2008-11-09 22:26:30 ----RASH---- C:\BOOT.INI
2008-11-09 18:33:38 ----A---- C:\WINDOWS\ModemLog_BCM V.92 56K Modem.txt
2008-11-08 17:54:28 ----A---- C:\WINDOWS\wininit.ini
2008-11-08 16:58:04 ----HD---- C:\WINDOWS\INF
2008-11-08 16:57:40 ----D---- C:\Program Files\LiveAntispy
2008-11-08 16:57:35 ----AD---- C:\Program Files\Lycos
2008-11-08 15:46:24 ----D---- C:\New Folder
2008-11-07 22:38:11 ----D---- C:\WINDOWS\Minidump
2008-11-07 01:32:12 ----A---- C:\WINDOWS\WIN.INI
2008-11-07 00:45:31 ----SHD---- C:\WINDOWS\Installer
2008-11-07 00:42:19 ----D---- C:\WINDOWS\TWAIN_32
2008-11-07 00:41:39 ----D---- C:\Program Files\Canon
2008-11-07 00:38:38 ----D---- C:\backups
2008-11-07 00:23:23 ----D---- C:\WINDOWS\Resources
2008-11-07 00:23:04 ----D---- C:\Memorex Vault
2008-11-06 01:00:11 ----D---- C:\WINDOWS\Debug
2008-11-06 00:27:25 ----D---- C:\Documents and Settings\All Users\Application Data\mralotun
2008-11-05 23:18:58 ----RD---- C:\WINDOWS\Web
2008-11-05 23:18:42 ----D---- C:\WINDOWS\system32\Client

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 cdrbsvsd;cdrbsvsd; C:\WINDOWS\system32\drivers\cdrbsvsd.sys [2003-12-03 13566]
R1 kbdhid;Keyboard HID Driver; C:\WINDOWS\system32\DRIVERS\kbdhid.sys [2004-08-04 14848]
R1 omci;OMCI WDM Device Driver; C:\WINDOWS\System32\DRIVERS\omci.sys [2002-11-08 17217]
R1 sscdbhk5;sscdbhk5; C:\WINDOWS\system32\drivers\sscdbhk5.sys [2003-07-14 5621]
R1 ssrtln;ssrtln; C:\WINDOWS\system32\drivers\ssrtln.sys [2003-07-14 23219]
R3 GEARAspiWDM;GEAR CDRom Filter; C:\WINDOWS\SYSTEM32\DRIVERS\GEARAspiWDM.sys [2005-03-07 14408]
R3 gmer;gmer; C:\WINDOWS\System32\DRIVERS\gmer.sys [2008-11-07 85969]
R3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\System32\DRIVERS\hidusb.sys [2001-08-17 9600]
R3 mouhid;Mouse HID Driver; C:\WINDOWS\System32\DRIVERS\mouhid.sys [2001-08-17 12160]
R3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\System32\DRIVERS\usbccgp.sys [2004-08-04 31616]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\System32\DRIVERS\usbehci.sys [2004-08-04 26624]
R3 usbhub;Microsoft USB Standard Hub Driver; C:\WINDOWS\System32\DRIVERS\usbhub.sys [2004-08-04 57600]
R3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\System32\DRIVERS\USBSTOR.SYS [2004-08-04 26496]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\System32\DRIVERS\usbuhci.sys [2004-08-04 20480]
S1 intelppm;Intel Processor Driver; C:\WINDOWS\System32\DRIVERS\intelppm.sys [2004-08-04 36096]
S1 P3;Intel PentiumIII Processor Driver; C:\WINDOWS\System32\DRIVERS\p3.sys [2004-08-04 42496]
S1 WS2IFSL;Windows Socket 2.0 Non-IFS Service Provider Support Environment; C:\WINDOWS\System32\drivers\ws2ifsl.sys [2002-08-29 12032]
S2 BulkUsb;Genesys Logic USB Scanner Controller NT 5.0; C:\WINDOWS\System32\Drivers\usbscan.sys [2004-08-04 15104]
S2 drvnddm;drvnddm; C:\WINDOWS\system32\drivers\drvnddm.sys [2003-06-20 40448]
S2 IOPort;IOPort; \??\C:\WINDOWS\System32\DRIVERS\IOPORT.SYS []
S2 NwlnkIpx;NWLink IPX/SPX/NetBIOS Compatible Transport Protocol; C:\WINDOWS\System32\DRIVERS\nwlnkipx.sys [2004-08-04 88448]
S2 NwlnkNb;NWLink NetBIOS; C:\WINDOWS\System32\DRIVERS\nwlnknb.sys [2002-08-29 63232]
S2 NwlnkSpx;NWLink SPX/SPXII Protocol; C:\WINDOWS\System32\DRIVERS\nwlnkspx.sys [2002-08-29 55936]
S2 tfsnboio;tfsnboio; C:\WINDOWS\system32\dla\tfsnboio.sys [2003-08-06 25685]
S2 tfsncofs;tfsncofs; C:\WINDOWS\system32\dla\tfsncofs.sys [2003-08-06 34837]
S2 tfsndrct;tfsndrct; C:\WINDOWS\system32\dla\tfsndrct.sys [2003-08-06 4117]
S2 tfsndres;tfsndres; C:\WINDOWS\system32\dla\tfsndres.sys [2003-08-06 2233]
S2 tfsnifs;tfsnifs; C:\WINDOWS\system32\dla\tfsnifs.sys [2003-08-06 83284]
S2 tfsnopio;tfsnopio; C:\WINDOWS\system32\dla\tfsnopio.sys [2003-08-06 14229]
S2 tfsnpool;tfsnpool; C:\WINDOWS\system32\dla\tfsnpool.sys [2003-08-06 6357]
S2 tfsnudf;tfsnudf; C:\WINDOWS\system32\dla\tfsnudf.sys [2003-08-06 98068]
S2 tfsnudfa;tfsnudfa; C:\WINDOWS\system32\dla\tfsnudfa.sys [2003-08-06 100373]
S3 {6080A529-897E-4629-A488-ABA0C29B635E};Intel(R) Graphics Platform (SoftBIOS) Driver; C:\WINDOWS\system32\drivers\ialmsbw.sys [2003-04-15 113504]
S3 {D31A0762-0CEB-444e-ACFF-B049A1F6FE91};Intel(R) Graphics Chipset (KCH) Driver; C:\WINDOWS\system32\drivers\ialmkchw.sys [2003-04-15 78752]
S3 ADM8211;Wireless PC Card; C:\WINDOWS\System32\DRIVERS\WLANPCI.sys [2003-01-27 86656]
S3 aeaudio;aeaudio; C:\WINDOWS\system32\drivers\aeaudio.sys [2002-04-01 4816]
S3 bcm4sbxp;Broadcom 440x 10/100 Integrated Controller XP Driver; C:\WINDOWS\System32\DRIVERS\bcm4sbxp.sys [2003-05-23 43136]
S3 BCMModem;BCM V.92 56K Modem; C:\WINDOWS\System32\DRIVERS\BCMSM.sys [2003-06-02 1101696]
S3 EL90XBC;3Com EtherLink XL 90XB/C Adapter Driver; C:\WINDOWS\System32\DRIVERS\el90xbc5.sys [2001-08-17 66591]
S3 GoProto;GoProto Protocol Driver; C:\WINDOWS\system32\DRIVERS\goprot51.sys [2008-01-22 28672]
S3 i81x;i81x; C:\WINDOWS\System32\DRIVERS\i81xnt5.sys [2004-08-04 161020]
S3 iAimFP0;iAimFP0; C:\WINDOWS\System32\DRIVERS\wADV01nt.sys [2004-08-04 12415]
S3 iAimFP1;iAimFP1; C:\WINDOWS\System32\DRIVERS\wADV02NT.sys [2004-08-04 12127]
S3 iAimFP2;iAimFP2; C:\WINDOWS\System32\DRIVERS\wADV05NT.sys [2004-08-04 11775]
S3 iAimFP3;iAimFP3; C:\WINDOWS\System32\DRIVERS\wSiINTxx.sys [2004-08-04 12063]
S3 iAimFP4;iAimFP4; C:\WINDOWS\System32\DRIVERS\wVchNTxx.sys [2004-08-04 19455]
S3 iAimTV0;iAimTV0; C:\WINDOWS\System32\DRIVERS\wATV01nt.sys [2004-08-04 29311]
S3 iAimTV1;iAimTV1; C:\WINDOWS\System32\DRIVERS\wATV02NT.sys [2004-08-04 19551]
S3 iAimTV2;iAimTV2; C:\WINDOWS\System32\DRIVERS\wATV03nt.sys []
S3 iAimTV3;iAimTV3; C:\WINDOWS\System32\DRIVERS\wATV04nt.sys [2004-08-04 33599]
S3 iAimTV4;iAimTV4; C:\WINDOWS\System32\DRIVERS\wCh7xxNT.sys [2004-08-04 23615]
S3 ialm;ialm; C:\WINDOWS\System32\DRIVERS\ialmnt5.sys [2003-04-15 90907]
S3 MODEMCSA;Unimodem Streaming Filter Device; C:\WINDOWS\system32\drivers\MODEMCSA.sys [2001-08-17 16128]
S3 nv;nv; C:\WINDOWS\System32\DRIVERS\nv4_mini.sys [2004-08-04 1897408]
S3 SDDMI2;SDDMI2; \??\C:\WINDOWS\system32\DDMI2.sys []
S3 smwdm;smwdm; C:\WINDOWS\system32\drivers\smwdm.sys [2003-02-28 545024]
S3 SONYPVU1;Sony USB Filter Driver (SONYPVU1); C:\WINDOWS\System32\DRIVERS\SONYPVU1.SYS [2001-08-17 7552]
S3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\System32\DRIVERS\usbprint.sys [2004-08-04 25856]
S3 usbscan;USB Scanner Driver; C:\WINDOWS\System32\DRIVERS\usbscan.sys [2004-08-04 15104]
S3 wanatw;WAN Miniport (ATW); C:\WINDOWS\System32\DRIVERS\wanatw4.sys []
S3 WLANNDIS5;WLANNDIS5 NDIS Protocol Driver; \??\C:\PROGRA~1\WIRELE~1\WLANNDIS5.SYS []
S3 WudfPf;Windows Driver Foundation - User-mode Driver Framework Platform Driver; C:\WINDOWS\system32\DRIVERS\WudfPf.sys [2006-09-28 77568]
S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2006-09-28 82944]
S4 agp440;Intel AGP Bus Filter; C:\WINDOWS\System32\DRIVERS\agp440.sys [2004-08-04 42368]
S4 agpCPQ;Compaq AGP Bus Filter; C:\WINDOWS\System32\DRIVERS\agpCPQ.sys [2004-08-04 44928]
S4 alim1541;ALI AGP Bus Filter; C:\WINDOWS\System32\DRIVERS\alim1541.sys [2004-08-04 42752]
S4 amdagp;AMD AGP Bus Filter Driver; C:\WINDOWS\System32\DRIVERS\amdagp.sys [2004-08-04 43008]
S4 cbidf;cbidf; C:\WINDOWS\System32\DRIVERS\cbidf2k.sys [2001-08-17 13952]
S4 IntelIde;IntelIde; C:\WINDOWS\System32\DRIVERS\intelide.sys [2004-08-04 5504]
S4 sisagp;SIS AGP Bus Filter; C:\WINDOWS\System32\DRIVERS\sisagp.sys [2004-08-04 41088]
S4 viaagp;VIA AGP Bus Filter; C:\WINDOWS\System32\DRIVERS\viaagp.sys [2004-08-04 42240]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

S2 Fax;Fax; C:\WINDOWS\system32\fxssvc.exe [2004-08-04 267776]
S2 lxdc_device;lxdc_device; C:\WINDOWS\System32\lxdccoms.exe -service []
S2 SimpTcp;Simple TCP/IP Services; C:\WINDOWS\System32\tcpsvcs.exe [2002-08-29 19456]
S2 Viewpoint Manager Service;Viewpoint Manager Service; C:\Program Files\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652]
S3 Adobe LM Service;Adobe LM Service; C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe [2005-09-13 72704]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2007-04-13 33632]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2007-04-13 68952]
S3 iPodService;iPod Service; C:\Program Files\iPod\bin\iPodService.exe [2005-05-13 327680]
S3 TTUQNRGA;TTUQNRGA; C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\TTUQNRGA.exe []
S3 WMPNetworkSvc;Windows Media Player Network Sharing Service; C:\Program Files\Windows Media Player\WMPNetwk.exe [2006-10-18 913408]
S3 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2004-08-04 14336]

-----------------EOF-----------------
Attached Files
File Type: txt rsitinfo_110908_1132.txt (17.5 KB, 1 views)
File Type: txt gmer_1109081120.txt (395.4 KB, 6 views)
Old 11-13-2008, 03:18 PM   #2 (permalink)
bajanknight (I helped the forums.)
Join Date: Nov 2008
Location: Florida
Posts: 34
OS: win xp home sp2

Re: Programs Restricted/no desktop/Virtumonde

BUMP, please
Old 11-15-2008, 12:48 PM   #3 (permalink)
Ried (Assistant Manager, TSF Academy; Moderator/Analyst Security Team)
Join Date: Jan 2005
Location: Ohio
Posts: 23,972
OS: WinXP and Vista

Re: Programs Restricted/no desktop/Virtumonde

Hello bajanknight and thank you for your patience.

Before we go any further, I'd like to see the C:\Combofix.txt as well as a current look at the system.

Instead of running rsit.exe, kindly use this tool instead:

Download DDS and save it to your desktop.

Disable any script blocker, and then double click dds.scr to run the tool.
  • When done, DDS.txt will open.
  • Click Yes at the next prompt for Optional Scan.
  • Save both reports to your desktop.

For now, please just post the DDS.txt and the report generated when you ran ComboFix.
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Old 11-15-2008, 05:03 PM   #4 (permalink)
bajanknight (I helped the forums.)
Join Date: Nov 2008
Location: Florida
Posts: 34
OS: win xp home sp2

Re: Programs Restricted/no desktop/Virtumonde

Thanks for your help Ried,

Just so you know, I am not interested in keeping any of the application software that might be on this machine, so we can lose as much of it as would be optimum.


ComboFix 08-11-07.01 - Administrator 2008-11-09 22:27:45.1 - NTFSx86 MINIMAL
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1799 [GMT -5:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Administrator\Desktop\WinXP_EN_HOM_BF.EXE
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\LocalService\Local Settings\Temporary Internet Files\Tvm.log
c:\program files\Altnet
c:\program files\Altnet\My Altnet Shares\Bullguard Protection\cevakrnl.cab
c:\program files\Altnet\My Altnet Shares\Bullguard Protection\cevakrnl.ivd.cab
c:\program files\Altnet\My Altnet Shares\Bullguard Protection\cevakrnl.rvd.cab
c:\program files\Altnet\My Altnet Shares\Bullguard Protection\cevakrnl.xmd.cab
c:\program files\Altnet\My Altnet Shares\Bullguard Protection\cran.cab
c:\program files\Altnet\My Altnet Shares\Bullguard Protection\cran.cvd.cab
c:\program files\Altnet\My Altnet Shares\Bullguard Protection\cran.xmd.cab
c:\program files\Altnet\My Altnet Shares\Bullguard Protection\dbx.xmd.cab
c:\program files\Altnet\My Altnet Shares\Bullguard Protection\emalware.cab
c:\program files\Altnet\My Altnet Shares\Bullguard Protection\emalware.cvd.cab
c:\program files\Altnet\My Altnet Shares\Bullguard Protection\emalware.ivd.cab
c:\program files\Altnet\My Altnet Shares\Bullguard Protection\iso.xmd.cab
c:\program files\Altnet\My Altnet Shares\Bullguard Protection\java.cab
c:\program files\Altnet\My Altnet Shares\Bullguard Protection\java.cvd.cab
c:\program files\Altnet\My Altnet Shares\Bullguard Protection\mbox.xmd.cab
c:\program files\Altnet\My Altnet Shares\Bullguard Protection\mdx_97.cab
c:\program files\Altnet\My Altnet Shares\Bullguard Protection\mdx_97.ivd.cab
c:\program files\Altnet\My Altnet Shares\Bullguard Protection\mdx_w95.cvd.cab
c:\program files\Altnet\My Altnet Shares\Bullguard Protection\mdx_x95.cvd.cab
c:\program files\Altnet\My Altnet Shares\Bullguard Protection\mime.cab
c:\program files\Altnet\My Altnet Shares\Bullguard Protection\mime.xmd.cab
c:\program files\Altnet\My Altnet Shares\Bullguard Protection\pdf.xmd.cab
c:\program files\Altnet\My Altnet Shares\Bullguard Protection\plugins.cab
c:\program files\Altnet\My Altnet Shares\Bullguard Protection\plugins.cab.cab
c:\program files\Altnet\My Altnet Shares\Bullguard Protection\pst.xmd.cab
c:\program files\Altnet\My Altnet Shares\Bullguard Protection\rup.cab
c:\program files\Altnet\My Altnet Shares\Bullguard Protection\rup.cvd.cab
c:\program files\Altnet\My Altnet Shares\Bullguard Protection\sdx.cab
c:\program files\Altnet\My Altnet Shares\Bullguard Protection\sdx.ivd.cab
c:\program files\Altnet\My Altnet Shares\Bullguard Protection\sfx.xmd.cab
c:\program files\Altnet\My Altnet Shares\Bullguard Protection\unpack.cab
c:\program files\Altnet\My Altnet Shares\Bullguard Protection\unpack.cvd.cab
c:\program files\Altnet\My Altnet Shares\Bullguard Protection\unpack.ivd.cab
c:\program files\Altnet\My Altnet Shares\Bullguard Protection\update.cab
c:\program files\Altnet\My Altnet Shares\Bullguard Protection\update.txt.cab
c:\program files\Altnet\My Altnet Shares\Bullguard Protection\ve.cab
c:\program files\Altnet\My Altnet Shares\Bullguard Protection\ve.cvd.cab
c:\program files\Altnet\My Altnet Shares\Bullguard Protection\ve.xmd.cab
c:\program files\Altnet\My Altnet Shares\Bullguard Protection\zip.cab
c:\program files\Altnet\My Altnet Shares\Bullguard Protection\zip.xmd.cab
c:\program files\MyWay
c:\program files\MyWay\myBar\History\search
c:\program files\MyWay\myBar\Settings\prevcfg.htm
c:\program files\MyWay\myBar\Settings\settings.dat
c:\program files\MyWay\myBar\Settings\settings.htm
c:\program files\winupdates
c:\windows\BM03ea4254.txt
c:\windows\BM03ea4254.xml
c:\windows\cookies.ini
c:\windows\smdat32m.sys
c:\windows\system32\__c00160DE.dat
c:\windows\system32\__c00189E6.dat
c:\windows\system32\__c001E284.dat
c:\windows\system32\__c0048819.dat
c:\windows\system32\__c004C19B.dat
c:\windows\system32\__c007FDDE.dat
c:\windows\system32\__c0083504.dat
c:\windows\system32\__c008AF55.dat
c:\windows\system32\__c00AE885.exe
c:\windows\system32\__c00B8840.dat
c:\windows\system32\__c00C1414.dat
c:\windows\system32\__c00C322B.dat
c:\windows\system32\__c00DC8B6.exe
c:\windows\system32\__c00E797C.dat
c:\windows\system32\__c00EEB10.dat
c:\windows\system32\arcbhpap.ini
c:\windows\system32\bcnagfpm.ini
c:\windows\system32\bszip.dll
c:\windows\system32\datgeppv.ini
c:\windows\system32\drivers\fad.sys
c:\windows\system32\drpbfjdw.ini
c:\windows\system32\fgrohnjr.ini
c:\windows\system32\fmbdgnbw.ini
c:\windows\SYSTEM32\gjllm.ini
c:\windows\SYSTEM32\gjllm.ini2
c:\windows\system32\gtrtgwqp.ini
c:\windows\system32\ixfagyqt.ini
c:\windows\system32\jsobtrin.ini
c:\windows\system32\knmtjpaj.ini
c:\windows\system32\lbsdywmo.ini
c:\windows\system32\lhajxjxs.ini
c:\windows\system32\logxhcco.ini
c:\windows\system32\loudmcji.ini
c:\windows\system32\mcrh.tmp
c:\windows\system32\mqqmctmd.ini
c:\windows\system32\mwreiscx.ini
c:\windows\system32\namuwfws.ini
c:\windows\system32\owferbls.ini
c:\windows\system32\pdtcigyt.ini
c:\windows\system32\qnphsdci.ini
c:\windows\system32\rvpyhmnc.ini
c:\windows\system32\seusttsd.ini
c:\windows\system32\sgkjsnfr.ini
c:\windows\system32\srkcdpbp.ini
c:\windows\system32\tllxxvmd.ini
c:\windows\system32\typuwend.ini
c:\windows\system32\vbalqrtr.ini
c:\windows\system32\vhjutprc.ini
c:\windows\system32\wmxtkmuh.ini
c:\windows\system32\xpgnrboq.ini
c:\windows\system32\ynkbubfr.ini
C:\xcrashdump.dat

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_IPRIP
-------\Legacy_JQVM465HMYGEBKPP6
-------\Service_Iprip
-------\Service_jqvm465hmygebkpp6


((((((((((((((((((((((((( Files Created from 2008-10-10 to 2008-11-10 )))))))))))))))))))))))))))))))
.

2008-11-08 17:32 . 2008-11-08 17:32 <DIR> d-------- c:\documents and settings\Administrator\Application Data\TrueCrypt
2008-11-08 16:19 . 2008-11-08 16:19 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2008-11-08 16:19 . 2008-11-08 16:34 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-11-08 15:47 . 2008-11-08 15:47 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2008-11-07 22:27 . 2008-11-07 22:41 250 --a------ c:\windows\gmer.ini
2008-11-07 00:23 . 2008-11-07 00:23 <DIR> d-------- c:\program files\CCleaner
2008-11-05 22:41 . 2008-11-05 22:42 <DIR> d-------- c:\windows\ERUNT
2008-11-05 22:35 . 2008-11-07 00:23 <DIR> d-------- C:\SDFix
2008-11-05 22:30 . 2008-11-05 22:30 <DIR> d-------- C:\ClamWinPortable
2008-11-05 22:28 . 2004-08-04 02:56 21,504 --a------ c:\windows\SYSTEM32\hidserv.dll
2008-11-05 22:28 . 2004-08-04 00:58 14,848 --a------ c:\windows\SYSTEM32\DRIVERS\kbdhid.sys
2008-11-05 22:28 . 2001-08-17 13:48 12,160 --a------ c:\windows\SYSTEM32\DRIVERS\mouhid.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-08 21:57 --------- d---a-w c:\program files\Lycos
2008-11-08 21:57 --------- d-----w c:\program files\LiveAntispy
2008-11-07 05:41 --------- d-----w c:\program files\Canon
2008-11-06 05:27 --------- d-----w c:\documents and settings\All Users\Application Data\mralotun
2004-06-13 14:45 36 ----a-w c:\documents and settings\LocalService\Application Data\tvmuknwrd.dll
2001-06-20 20:19 40,960 ----a-w c:\program files\ACMonitor_X83.exe
2004-08-04 07:56 4,096 --sha-w c:\windows\SYSTEM32\1112.dat
.

------- Sigcheck -------

2002-08-29 06:00 22016 e931e0a2b8bf0019db902e98d03662cb c:\windows\$NtServicePackUninstall$\userinit.exe
2004-08-04 02:56 24576 39b1ffb03c2296323832acbae50d2aff c:\windows\ServicePackFiles\i386\userinit.exe
2008-04-27 18:09 24576 35929cc65abb63982c543369e83feb39 c:\windows\SYSTEM32\userinit.exe
2004-08-04 02:56 24576 39b1ffb03c2296323832acbae50d2aff c:\windows\SYSTEM32\DLLCACHE\userinit.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3799CB4-CC4D-4367-AEF0-307D6EF89F7F}]
2008-02-05 12:21 326240 --------- c:\windows\system32\mlljg.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{b4c0d877-5bfc-4dae-b3ab-a80cb4af5d77}]
2008-04-25 07:08 98880 --a------ c:\windows\system32\kcbgtcnu.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-07-07 2156368]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"SpybotDeletingB3178"="command" [X]
"SpybotDeletingD7475"="del" [X]
"SpybotDeletingB7240"="command" [X]
"SpybotDeletingD9395"="del" [X]
"SpybotDeletingB7743"="command" [X]
"SpybotDeletingD4622"="del" [X]
"SpybotDeletingB7347"="command" [X]
"SpybotDeletingD4538"="del" [X]
"SpybotDeletingB497"="command" [X]
"SpybotDeletingD1761"="del" [X]
"SpybotDeletingB3792"="command" [X]
"SpybotDeletingD3745"="del" [X]
"SpybotDeletingB2934"="command" [X]
"SpybotDeletingD3154"="del" [X]
"SpybotDeletingB1312"="command" [X]
"SpybotDeletingD4995"="del" [X]
"SpybotDeletingB5066"="command" [X]
"SpybotDeletingD6844"="del" [X]
"SpybotDeletingB9161"="command" [X]
"SpybotDeletingD1914"="del" [X]
"SpybotDeletingB5601"="command" [X]
"SpybotDeletingD3315"="del" [X]
"SpybotDeletingB8289"="command" [X]
"SpybotDeletingD2483"="del" [X]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"SpybotDeletingA9519"="command" [X]
"SpybotDeletingC3804"="del" [X]
"SpybotDeletingA6806"="command" [X]
"SpybotDeletingC1350"="del" [X]
"SpybotDeletingA6171"="command" [X]
"SpybotDeletingC9339"="del" [X]
"SpybotDeletingA3251"="command" [X]
"SpybotDeletingC5520"="del" [X]
"SpybotDeletingA7408"="command" [X]
"SpybotDeletingC3607"="del" [X]
"SpybotDeletingA4519"="command" [X]
"SpybotDeletingC7788"="del" [X]
"SpybotDeletingA4326"="command" [X]
"SpybotDeletingC7234"="del" [X]
"SpybotDeletingA9965"="command" [X]
"SpybotDeletingC2754"="del" [X]
"SpybotDeletingA3024"="command" [X]
"SpybotDeletingC3495"="del" [X]
"SpybotDeletingA3896"="command" [X]
"SpybotDeletingC1707"="del" [X]
"SpybotDeletingA2619"="command" [X]
"SpybotDeletingC7137"="del" [X]
"SpybotDeletingA8943"="command" [X]
"SpybotDeletingC2491"="del" [X]
"GrpConv"="grpconv -o" [X]
"SpybotSnD"="c:\program files\Spybot - Search & Destroy\SpybotSD.exe" [2008-07-07 4891472]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MSIServer]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Otx83.sys]
@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Wireless Lan Utility.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Wireless Lan Utility.lnk
backup=c:\windows\pss\Wireless Lan Utility.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\00d971c8]
--a------ 2008-04-26 18:07 87104 c:\windows\SYSTEM32\cnmhypvr.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BM03ea4254]
--a------ 2008-04-26 07:02 106048 c:\windows\SYSTEM32\oxvqlkrv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EasyLinkAdvisor]
--a------ 2006-10-30 11:01 392832 c:\program files\Linksys EasyLink Advisor\LinksysAgent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2005-05-13 23:20 278528 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OpwareSE2]
--a------ 2003-05-08 10:00 49152 c:\program files\ScanSoft\OmniPageSE2.0\opwareSE2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2005-05-21 23:12 98304 c:\program files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2008-02-22 04:25 144784 c:\program files\Java\jre1.6.0_05\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2004-03-06 03:47 151597 c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BCMSMMSG]
--a------ 2003-06-02 06:00 122880 c:\windows\BCMSMMSG.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=

R0 Otx83;Otx83;c:\windows\system32\Drivers\Otx83.sys [2008-04-28 24448]
S2 BulkUsb;Genesys Logic USB Scanner Controller NT 5.0;c:\windows\system32\Drivers\usbscan.sys [2004-08-04 15104]
S2 IOPort;IOPort;c:\windows\System32\DRIVERS\IOPORT.SYS [1998-11-27 6144]
S2 lxdc_device;lxdc_device;c:\windows\System32\lxdccoms.exe [ ]
S2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652]
S3 ADM8211;Wireless PC Card;c:\windows\system32\DRIVERS\WLANPCI.sys [2003-01-27 86656]
S3 TTUQNRGA;TTUQNRGA;c:\docume~1\ADMINI~1\LOCALS~1\Temp\TTUQNRGA.exe [ ]
S3 WLANNDIS5;WLANNDIS5 NDIS Protocol Driver;c:\progra~1\WIRELE~1\WLANNDIS5.SYS [2002-12-25 15872]
.
- - - - ORPHANS REMOVED - - - -

HKLM-RunOnce-<NO NAME> - (no file)
Notify-__c001076A - c:\windows\System32\__c001076A.dat


.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://www.dell4me.com/myway
R0 -: HKLM-Main,Search Bar =
O17 -: HKLM\CCS\Interface\{777B9D40-F35A-471A-A863-F6E7B3FC9751}: NameServer = 208.67.220.220,208.67.222.222
O17 -: HKLM\CCS\Interface\{861BEBB0-E147-491F-B363-309EEC201B53}: NameServer = 208.67.220.220,208.67.222.222
O17 -: HKLM\CCS\Interface\{9F1519AE-0148-44FB-9E19-8D4A8112F5C6}: NameServer = 208.67.220.220,208.67.222.222
O18 -: Handler: ebk - {1E411CE8-FE8B-4973-B8E0-6EA2CC3C6B06} - c:\windows\SYSTEM32\ebkp.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-09 22:34:05
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-11-09 22:39:36 - machine was rebooted
ComboFix-quarantined-files.txt 2008-11-10 03:39:32

Pre-Run: 63,297,175,552 bytes free
Post-Run: 63,231,959,040 bytes free

WinXP_EN_HOM_BF.EXE
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

285

*******END*****************

Begin DDS

DDS (Version 1.0) - NTFSx86 MINIMAL
Run by Administrator at 19:47:20.73 on Sat 11/15/2008
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.2046.1804 [GMT -5:00]

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\WINDOWS\Explorer.exe
C:\Documents and Settings\Administrator\Desktop\dds.scr

============== Psuedo HJT Report ===============

uStart Page = hxxp://www.dell4me.com/myway
mSearch Bar =
BHO: {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
BHO: {A3799CB4-CC4D-4367-AEF0-307D6EF89F7F} - c:\windows\system32\mlljg.dll
BHO: {b4c0d877-5bfc-4dae-b3ab-a80cb4af5d77} - c:\windows\system32\kcbgtcnu.dll
TB: {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - c:\program files\canon\easy-webprint\Toolband.dll
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRunOnce: [SpybotDeletingB3178] command /c del "c:\documents and settings\all users\application data\seekmosa\SeekmoSA.dat"
uRunOnce: [SpybotDeletingD7475] cmd /c del "c:\documents and settings\all users\application data\seekmosa\SeekmoSA.dat"
uRunOnce: [SpybotDeletingB7240] command /c del "c:\documents and settings\all users\application data\seekmosa\SeekmoSAau.dat"
uRunOnce: [SpybotDeletingD9395] cmd /c del "c:\documents and settings\all users\application data\seekmosa\SeekmoSAau.dat"
uRunOnce: [SpybotDeletingB7743] command /c del "c:\documents and settings\all users\application data\seekmosa\SeekmoSA_kyf.dat"
uRunOnce: [SpybotDeletingD4622] cmd /c del "c:\documents and settings\all users\application data\seekmosa\SeekmoSA_kyf.dat"
uRunOnce: [SpybotDeletingB7347] command /c del "c:\documents and settings\all users\application data\seekmosa\SeekmoSAAbout.mht"
uRunOnce: [SpybotDeletingD4538] cmd /c del "c:\documents and settings\all users\application data\seekmosa\SeekmoSAAbout.mht"
uRunOnce: [SpybotDeletingB497] command /c del "c:\documents and settings\all users\application data\seekmosa\SeekmoSAEula.mht"
uRunOnce: [SpybotDeletingD1761] cmd /c del "c:\documents and settings\all users\application data\seekmosa\SeekmoSAEula.mht"
uRunOnce: [SpybotDeletingB3792] command /c del "c:\documents and settings\all users\start menu\programs\seekmo\Reset Cursor.lnk"
uRunOnce: [SpybotDeletingD3745] cmd /c del "c:\documents and settings\all users\start menu\programs\seekmo\Reset Cursor.lnk"
uRunOnce: [SpybotDeletingB2934] command /c del "c:\documents and settings\all users\start menu\programs\seekmo\Seekmo Customer Support Center.lnk"
uRunOnce: [SpybotDeletingD3154] cmd /c del "c:\documents and settings\all users\start menu\programs\seekmo\Seekmo Customer Support Center.lnk"
uRunOnce: [SpybotDeletingB1312] command /c del "c:\documents and settings\all users\start menu\programs\seekmo\Seekmo Uninstall Instructions.lnk"
uRunOnce: [SpybotDeletingD4995] cmd /c del "c:\documents and settings\all users\start menu\programs\seekmo\Seekmo Uninstall Instructions.lnk"
uRunOnce: [SpybotDeletingB5066] command /c del "c:\windows\system32\mlljg.dll"
uRunOnce: [SpybotDeletingD6844] cmd /c del "c:\windows\system32\mlljg.dll"
uRunOnce: [SpybotDeletingB9161] command /c del "c:\windows\system32\mlljg.dll"
uRunOnce: [SpybotDeletingD1914] cmd /c del "c:\windows\system32\mlljg.dll"
uRunOnce: [SpybotDeletingB5601] command /c del "c:\windows\system32\mlljg.dll"
uRunOnce: [SpybotDeletingD3315] cmd /c del "c:\windows\system32\mlljg.dll"
uRunOnce: [SpybotDeletingB8289] command /c del "c:\windows\system32\mlljg.dll"
uRunOnce: [SpybotDeletingD2483] cmd /c del "c:\windows\system32\mlljg.dll"
mRunOnce: [SpybotDeletingA9519] command /c del "c:\documents and settings\all users\application data\seekmosa\SeekmoSA.dat"
mRunOnce: [SpybotDeletingC3804] cmd /c del "c:\documents and settings\all users\application data\seekmosa\SeekmoSA.dat"
mRunOnce: [SpybotDeletingA6806] command /c del "c:\documents and settings\all users\application data\seekmosa\SeekmoSAau.dat"
mRunOnce: [SpybotDeletingC1350] cmd /c del "c:\documents and settings\all users\application data\seekmosa\SeekmoSAau.dat"
mRunOnce: [SpybotDeletingA6171] command /c del "c:\documents and settings\all users\application data\seekmosa\SeekmoSA_kyf.dat"
mRunOnce: [SpybotDeletingC9339] cmd /c del "c:\documents and settings\all users\application data\seekmosa\SeekmoSA_kyf.dat"
mRunOnce: [SpybotDeletingA3251] command /c del "c:\documents and settings\all users\application data\seekmosa\SeekmoSAAbout.mht"
mRunOnce: [SpybotDeletingC5520] cmd /c del "c:\documents and settings\all users\application data\seekmosa\SeekmoSAAbout.mht"
mRunOnce: [SpybotDeletingA7408] command /c del "c:\documents and settings\all users\application data\seekmosa\SeekmoSAEula.mht"
mRunOnce: [SpybotDeletingC3607] cmd /c del "c:\documents and settings\all users\application data\seekmosa\SeekmoSAEula.mht"
mRunOnce: [SpybotDeletingA4519] command /c del "c:\documents and settings\all users\start menu\programs\seekmo\Reset Cursor.lnk"
mRunOnce: [SpybotDeletingC7788] cmd /c del "c:\documents and settings\all users\start menu\programs\seekmo\Reset Cursor.lnk"
mRunOnce: [SpybotDeletingA4326] command /c del "c:\documents and settings\all users\start menu\programs\seekmo\Seekmo Customer Support Center.lnk"
mRunOnce: [SpybotDeletingC7234] cmd /c del "c:\documents and settings\all users\start menu\programs\seekmo\Seekmo Customer Support Center.lnk"
mRunOnce: [SpybotDeletingA9965] command /c del "c:\documents and settings\all users\start menu\programs\seekmo\Seekmo Uninstall Instructions.lnk"
mRunOnce: [SpybotDeletingC2754] cmd /c del "c:\documents and settings\all users\start menu\programs\seekmo\Seekmo Uninstall Instructions.lnk"
mRunOnce: [SpybotDeletingA3024] command /c del "c:\windows\system32\mlljg.dll"
mRunOnce: [SpybotDeletingC3495] cmd /c del "c:\windows\system32\mlljg.dll"
mRunOnce: [SpybotSnD] "c:\program files\spybot - search & destroy\SpybotSD.exe" /autocheck
mRunOnce: [SpybotDeletingA3896] command /c del "c:\windows\system32\mlljg.dll"
mRunOnce: [SpybotDeletingC1707] cmd /c del "c:\windows\system32\mlljg.dll"
mRunOnce: [SpybotDeletingA2619] command /c del "c:\windows\system32\mlljg.dll"
mRunOnce: [SpybotDeletingC7137] cmd /c del "c:\windows\system32\mlljg.dll"
mRunOnce: [SpybotDeletingA8943] command /c del "c:\windows\system32\mlljg.dll"
mRunOnce: [SpybotDeletingC2491] cmd /c del "c:\windows\system32\mlljg.dll"
mRunOnce: [<NO NAME>]
mRunOnce: [GrpConv] grpconv -o
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_05\bin\npjpi160_05.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
TCP: {777B9D40-F35A-471A-A863-F6E7B3FC9751} = 208.67.220.220,208.67.222.222
TCP: {861BEBB0-E147-491F-B363-309EEC201B53} = 208.67.220.220,208.67.222.222
TCP: {9F1519AE-0148-44FB-9E19-8D4A8112F5C6} = 208.67.220.220,208.67.222.222
Handler: ebk - {1E411CE8-FE8B-4973-B8E0-6EA2CC3C6B06} - c:\windows\system32\ebkp.dll
SSODL: UPnPMonitor - {e57ce738-33e8-4c51-8354-bb4de9d215d1} - c:\windows\system32\upnpui.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R0 Otx83;Otx83;c:\windows\system32\drivers\Otx83.sys
S2 BulkUsb;Genesys Logic USB Scanner Controller NT 5.0;c:\windows\system32\drivers\usbscan.sys
S2 IOPort;IOPort;\??\c:\windows\system32\drivers\IOPORT.SYS
S2 lxdc_device;lxdc_device;c:\windows\system32\lxdccoms.exe -service
S2 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\viewpoint\common\ViewpointService.exe"
S3 ADM8211;Wireless PC Card;c:\windows\system32\drivers\WLANPCI.sys
S3 TTUQNRGA;TTUQNRGA;c:\docume~1\admini~1\locals~1\temp\TTUQNRGA.exe
S3 WLANNDIS5;WLANNDIS5 NDIS Protocol Driver;\??\c:\progra~1\wirele~1\WLANNDIS5.SYS

=============== Created Last 30 ================

2008-11-09 23:26 <DIR> --d----- c:\program files\Trend Micro
2008-11-09 22:26 <DIR> a-dshr-- C:\cmdcons
2008-11-09 22:19 161,792 a------- c:\windows\SWREG.exe
2008-11-09 22:19 98,816 a------- c:\windows\sed.exe
2008-11-08 17:32 <DIR> --d----- c:\docume~1\admini~1\applic~1\TrueCrypt
2008-11-08 16:19 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2008-11-08 16:19 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2008-11-08 15:47 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2008-11-07 22:27 250 a------- c:\windows\gmer.ini
2008-11-07 01:28 <DIR> --d----- c:\windows\pss
2008-11-07 00:23 <DIR> --d----- c:\program files\CCleaner
2008-11-05 22:41 <DIR> --d----- c:\windows\ERUNT
2008-11-05 22:35 <DIR> --d----- C:\SDFix
2008-11-05 22:30 <DIR> --d----- C:\ClamWinPortable
2008-11-05 22:28 14,848 a------- c:\windows\system32\drivers\kbdhid.sys
2008-11-05 22:28 21,504 a------- c:\windows\system32\hidserv.dll
2008-11-05 22:28 12,160 a------- c:\windows\system32\drivers\mouhid.sys

==================== Find3M ====================

2008-11-08 16:57 <DIR> --d----- c:\program files\LiveAntispy
2008-11-08 16:57 <DIR> a-d----- c:\program files\Lycos
2008-11-07 00:41 <DIR> --d----- c:\program files\Canon
2008-11-06 00:27 <DIR> --d----- c:\docume~1\alluse~1\applic~1\mralotun
2007-02-15 22:32 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Broderbund
2007-01-24 16:31 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Viewpoint
2006-07-23 17:54 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SSScanWizard
2006-07-23 17:54 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SSScanAppDataDir
2005-12-25 19:48 <DIR> --d----- c:\docume~1\alluse~1\applic~1\McAfee.com
2005-09-13 20:48 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Dell
2004-06-12 13:56 <DIR> --d----- c:\docume~1\admini~1\applic~1\Jasc Software Inc
2004-03-06 03:41 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SBSI
2004-08-04 02:56 4,096 a--sh--- c:\windows\system32\1112.dat

============= FINISH: 19:47:52.45 ===============

Last edited by bajanknight; 11-15-2008 at 05:09 PM.
Old 11-15-2008, 06:13 PM   #5 (permalink)
Ried (Assistant Manager, TSF Academy; Moderator/Analyst Security Team)
Join Date: Jan 2005
Location: Ohio
Posts: 23,972
OS: WinXP and Vista

Re: Programs Restricted/no desktop/Virtumonde

You're welcome, bajanknight. : )

This will require more than one round to properly eradicate. Please stay with me until given the 'all clear' even if symptoms seemingly abate.

Read through this entire procedure and if you have any questions, please ask them before you begin. Then either print out, or copy this page to Notepad and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.


It's IMPORTANT to carry out the instructions in the sequence listed below.


***************************************************

Quote:
Spybot did install and run and cleaned many things, what is left either can't be removed due to it being in use, or reinstalls itself in the process of a reboot.
Astute observation. Fixes are reinstalling themselves (so to speak) upon reboot because TeaTimer is interfering.

Spybot's TeaTimer monitors registry changes and alerts when changes are made. These changes must be OK'd or denied manually as the alerts appear. As there are going to be numerous changes to the registry pulling out the infections onboard, the most practical thing to do is disable TeaTimer until we're through cleaning the system:

Using Internet Explorer, download ResetTeaTimer.bat.


Double click ResetTeaTimer.bat to remove all entries set by TeaTimer.

***************************************************

Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

---------------------------------------------------------------------

Open notepad and copy/paste the text in the quote box below into it:

Quote:
File::
c:\windows\SYSTEM32\1112.dat
c:\windows\system32\mlljg.dll
c:\windows\system32\kcbgtcnu.dll
c:\windows\SYSTEM32\cnmhypvr.dll
c:\windows\SYSTEM32\oxvqlkrv.dll
c:\windows\system32\Drivers\Otx83.sys
c:\windows\SYSTEM32\ebkp.dll

Folder::
c:\program files\LiveAntispy

Driver::
MSIServer
Otx83.sys

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"SpybotDeletingB3178"=-
"SpybotDeletingD7475"=-
"SpybotDeletingB7240"=-
"SpybotDeletingD9395"=-
"SpybotDeletingB7743"=-
"SpybotDeletingD4622"=-
"SpybotDeletingB7347"=-
"SpybotDeletingD4538"=-
"SpybotDeletingB497"=-
"SpybotDeletingD1761"=-
"SpybotDeletingB3792"=-
"SpybotDeletingD3745"=-
"SpybotDeletingB2934"=-
"SpybotDeletingD3154"=-
"SpybotDeletingB1312"=-
"SpybotDeletingD4995"=-
"SpybotDeletingB5066"=-
"SpybotDeletingD6844"=-
"SpybotDeletingB9161"=-
"SpybotDeletingD1914"=-
"SpybotDeletingB5601"=-
"SpybotDeletingD3315"=-
"SpybotDeletingB8289"=-
"SpybotDeletingD2483"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"SpybotDeletingA9519"=-
"SpybotDeletingC3804"=-
"SpybotDeletingA6806"=-
"SpybotDeletingC1350"=-
"SpybotDeletingA6171"=-
"SpybotDeletingC9339"=-
"SpybotDeletingA3251"=-
"SpybotDeletingC5520"=-
"SpybotDeletingA7408"=-
"SpybotDeletingC3607"=-
"SpybotDeletingA4519"=-
"SpybotDeletingC7788"=-
"SpybotDeletingA4326"=-
"SpybotDeletingC7234"=-
"SpybotDeletingA9965"=-
"SpybotDeletingC2754"=-
"SpybotDeletingA3024"=-
"SpybotDeletingC3495"=-
"SpybotDeletingA3896"=-
"SpybotDeletingC1707"=-
"SpybotDeletingA2619"=-
"SpybotDeletingC7137"=-
"SpybotDeletingA8943"=-
"SpybotDeletingC2491"=-
"GrpConv"=-
"SpybotSnD"=-
Save this as "CFScript.txt", and as Type: All Files (*.*), in the same location as ComboFix.exe.

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt


Please return with the C:\ComboFix.txt for further review, along with an update on system behavior.
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
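The CFScript above was written by reading the "Reg Loading Points" section of the ComboFix log: ComboFix tags a Run/RunOnce value with "[X]" when the file it points at no longer exists, and the script's Registry:: section removes each such value with a .reg-style `"name"=-` line under its key. The following is an added example, not ComboFix's code and not the moderator's; it parses constructed excerpts of both texts (quoted from this thread) and lists any "[X]" value the script would leave behind, which is the kind of check a helper does before handing a script to a poster:

```python
"""Cross-check ComboFix's [X]-flagged RunOnce values against a CFScript.

Added example for this thread; not ComboFix's own code. Both inputs below
are constructed excerpts of the log and script posted in the thread.
"""
import re
from collections import defaultdict

HKCU_RUN = r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
HKCU_RUNONCE = r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce"
HKLM_RUNONCE = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce"

# Constructed excerpt of the "Reg Loading Points" section of ComboFix.txt.
COMBOFIX_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-07-07 2156368]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"SpybotDeletingB3178"="command" [X]
"SpybotDeletingD7475"="del" [X]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"SpybotDeletingA9519"="command" [X]
"SpybotDeletingC3804"="del" [X]
"GrpConv"="grpconv -o" [X]
"SpybotSnD"="c:\program files\Spybot - Search & Destroy\SpybotSD.exe" [2008-07-07 4891472]
"""

# Constructed excerpt of the CFScript, deliberately missing one deletion.
CFSCRIPT = r"""
File::
c:\windows\SYSTEM32\1112.dat

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"SpybotDeletingB3178"=-
"SpybotDeletingD7475"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"SpybotDeletingA9519"=-
"GrpConv"=-
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
# "name"="data" [X]   or   "name"="data" [date size]
LOG_VALUE_RE = re.compile(r'^"([^"]+)"=(.*?)\s*\[([^\]]*)\]$')
SCRIPT_DEL_RE = re.compile(r'^"([^"]+)"=-$')


def parse_log_values(log):
    """Map registry key -> {value name: bracketed annotation from ComboFix}."""
    entries = defaultdict(dict)
    key = None
    for line in log.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = LOG_VALUE_RE.match(line)
        if m and key is not None:
            entries[key][m.group(1)] = m.group(3)
    return dict(entries)


def missing_file_values(log):
    """Key -> sorted value names whose target ComboFix could not find ([X])."""
    flagged = {}
    for key, values in parse_log_values(log).items():
        names = sorted(name for name, note in values.items() if note == "X")
        if names:
            flagged[key] = names
    return flagged


def parse_cfscript_registry(script):
    """Key -> set of value names the script's Registry:: section deletes."""
    deletions = defaultdict(set)
    section = key = None
    for line in script.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.endswith("::"):  # File::, Folder::, Driver::, Registry:: headers
            section, key = line[:-2], None
            continue
        if section != "Registry":
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = SCRIPT_DEL_RE.match(line)
        if m and key is not None:
            deletions[key].add(m.group(1))
    return dict(deletions)


def uncovered(log, script):
    """[X] values in the log that the script does not delete, grouped by key."""
    deletions = parse_cfscript_registry(script)
    gaps = {}
    for key, names in missing_file_values(log).items():
        left = [n for n in names if n not in deletions.get(key, set())]
        if left:
            gaps[key] = left
    return gaps
```

Calling `uncovered(COMBOFIX_LOG, CFSCRIPT)` on these excerpts reports the one HKLM RunOnce value the script omits; the TeaTimer entry under HKCU\Run is not flagged because its bracketed annotation is a date and size, not "[X]".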
Old 11-15-2008, 06:42 PM   #6
bajanknight
I helped the forums.
Join Date: Nov 2008
Location: Florida
Posts: 34
OS: win xp home sp2

Re: Programs Restricted/no desktop/Virtumonde

ResetTeatimer.Bat completed and seemed to function as I would believe it was intended.

I dragged CFScript.txt over to ComboFix and, as soon as it appeared to have finished, Spybot started automatically; while I was madly trying to terminate it, I closed another message window that I didn't get a chance to read.

I do not see a new ComboFix.txt on C:, just the original one.

I went to add/remove spybot so it wouldn't interfere again and figured I better ask you first before I do.

I am in Safe mode for all these actions as it's the only thing I have access to, and did not see teatimer running in the tray, or anything else but the clock for that matter.
Old 11-15-2008, 06:44 PM   #7
Ried
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 23,972
OS: WinXP and Vista

Re: Programs Restricted/no desktop/Virtumonde

There are ways to disable TeaTimer, but for expediency's sake, yes--go ahead and uninstall Spybot. We can reinstall it when we're through.
Old 11-15-2008, 06:47 PM   #8
bajanknight
I helped the forums.
Join Date: Nov 2008
Location: Florida
Posts: 34
OS: win xp home sp2

Re: Programs Restricted/no desktop/Virtumonde

Spybot uninstalled.
Shall I drag CFScript to ComboFix again?
Old 11-15-2008, 06:48 PM   #9
Ried
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 23,972
OS: WinXP and Vista

Re: Programs Restricted/no desktop/Virtumonde

No--let's see where we are first. The ComboFix.txt you see on the C:\ drive is always the most recent run. Please post the contents of that report.
Old 11-15-2008, 06:52 PM   #10
bajanknight
I helped the forums.
Join Date: Nov 2008
Location: Florida
Posts: 34
OS: win xp home sp2

Re: Programs Restricted/no desktop/Virtumonde

I don't think it overwrote it, that might have been the window I canceled out of?

Anyway, here it is

**Edited due to Log post instead of combofix.txt ....

ComboFix 08-11-07.01 - Administrator 2008-11-09 22:27:45.1 - NTFSx86 MINIMAL
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1799 [GMT -5:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Administrator\Desktop\WinXP_EN_HOM_BF.EXE
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\LocalService\Local Settings\Temporary Internet Files\Tvm.log
c:\program files\Altnet
c:\program files\Altnet\My Altnet Shares\Bullguard Protection\cevakrnl.cab
c:\program files\Altnet\My Altnet Shares\Bullguard Protection\cevakrnl.ivd.cab
c:\program files\Altnet\My Altnet Shares\Bullguard Protection\cevakrnl.rvd.cab
c:\program files\Altnet\My Altnet Shares\Bullguard Protection\cevakrnl.xmd.cab
c:\program files\Altnet\My Altnet Shares\Bullguard Protection\cran.cab
c:\program files\Altnet\My Altnet Shares\Bullguard Protection\cran.cvd.cab
c:\program files\Altnet\My Altnet Shares\Bullguard Protection\cran.xmd.cab
c:\program files\Altnet\My Altnet Shares\Bullguard Protection\dbx.xmd.cab
c:\program files\Altnet\My Altnet Shares\Bullguard Protection\emalware.cab
c:\program files\Altnet\My Altnet Shares\Bullguard Protection\emalware.cvd.cab
c:\program files\Altnet\My Altnet Shares\Bullguard Protection\emalware.ivd.cab
c:\program files\Altnet\My Altnet Shares\Bullguard Protection\iso.xmd.cab
c:\program files\Altnet\My Altnet Shares\Bullguard Protection\java.cab
c:\program files\Altnet\My Altnet Shares\Bullguard Protection\java.cvd.cab
c:\program files\Altnet\My Altnet Shares\Bullguard Protection\mbox.xmd.cab
c:\program files\Altnet\My Altnet Shares\Bullguard Protection\mdx_97.cab
c:\program files\Altnet\My Altnet Shares\Bullguard Protection\mdx_97.ivd.cab
c:\program files\Altnet\My Altnet Shares\Bullguard Protection\mdx_w95.cvd.cab
c:\program files\Altnet\My Altnet Shares\Bullguard Protection\mdx_x95.cvd.cab
c:\program files\Altnet\My Altnet Shares\Bullguard Protection\mime.cab
c:\program files\Altnet\My Altnet Shares\Bullguard Protection\mime.xmd.cab
c:\program files\Altnet\My Altnet Shares\Bullguard Protection\pdf.xmd.cab
c:\program files\Altnet\My Altnet Shares\Bullguard Protection\plugins.cab
c:\program files\Altnet\My Altnet Shares\Bullguard Protection\plugins.cab.cab
c:\program files\Altnet\My Altnet Shares\Bullguard Protection\pst.xmd.cab
c:\program files\Altnet\My Altnet Shares\Bullguard Protection\rup.cab
c:\program files\Altnet\My Altnet Shares\Bullguard Protection\rup.cvd.cab
c:\program files\Altnet\My Altnet Shares\Bullguard Protection\sdx.cab
c:\program files\Altnet\My Altnet Shares\Bullguard Protection\sdx.ivd.cab
c:\program files\Altnet\My Altnet Shares\Bullguard Protection\sfx.xmd.cab
c:\program files\Altnet\My Altnet Shares\Bullguard Protection\unpack.cab
c:\program files\Altnet\My Altnet Shares\Bullguard Protection\unpack.cvd.cab
c:\program files\Altnet\My Altnet Shares\Bullguard Protection\unpack.ivd.cab
c:\program files\Altnet\My Altnet Shares\Bullguard Protection\update.cab
c:\program files\Altnet\My Altnet Shares\Bullguard Protection\update.txt.cab
c:\program files\Altnet\My Altnet Shares\Bullguard Protection\ve.cab
c:\program files\Altnet\My Altnet Shares\Bullguard Protection\ve.cvd.cab
c:\program files\Altnet\My Altnet Shares\Bullguard Protection\ve.xmd.cab
c:\program files\Altnet\My Altnet Shares\Bullguard Protection\zip.cab
c:\program files\Altnet\My Altnet Shares\Bullguard Protection\zip.xmd.cab
c:\program files\MyWay
c:\program files\MyWay\myBar\History\search
c:\program files\MyWay\myBar\Settings\prevcfg.htm
c:\program files\MyWay\myBar\Settings\settings.dat
c:\program files\MyWay\myBar\Settings\settings.htm
c:\program files\winupdates
c:\windows\BM03ea4254.txt
c:\windows\BM03ea4254.xml
c:\windows\cookies.ini
c:\windows\smdat32m.sys
c:\windows\system32\__c00160DE.dat
c:\windows\system32\__c00189E6.dat
c:\windows\system32\__c001E284.dat
c:\windows\system32\__c0048819.dat
c:\windows\system32\__c004C19B.dat
c:\windows\system32\__c007FDDE.dat
c:\windows\system32\__c0083504.dat
c:\windows\system32\__c008AF55.dat
c:\windows\system32\__c00AE885.exe
c:\windows\system32\__c00B8840.dat
c:\windows\system32\__c00C1414.dat
c:\windows\system32\__c00C322B.dat
c:\windows\system32\__c00DC8B6.exe
c:\windows\system32\__c00E797C.dat
c:\windows\system32\__c00EEB10.dat
c:\windows\system32\arcbhpap.ini
c:\windows\system32\bcnagfpm.ini
c:\windows\system32\bszip.dll
c:\windows\system32\datgeppv.ini
c:\windows\system32\drivers\fad.sys
c:\windows\system32\drpbfjdw.ini
c:\windows\system32\fgrohnjr.ini
c:\windows\system32\fmbdgnbw.ini
c:\windows\SYSTEM32\gjllm.ini
c:\windows\SYSTEM32\gjllm.ini2
c:\windows\system32\gtrtgwqp.ini
c:\windows\system32\ixfagyqt.ini
c:\windows\system32\jsobtrin.ini
c:\windows\system32\knmtjpaj.ini
c:\windows\system32\lbsdywmo.ini
c:\windows\system32\lhajxjxs.ini
c:\windows\system32\logxhcco.ini
c:\windows\system32\loudmcji.ini
c:\windows\system32\mcrh.tmp
c:\windows\system32\mqqmctmd.ini
c:\windows\system32\mwreiscx.ini
c:\windows\system32\namuwfws.ini
c:\windows\system32\owferbls.ini
c:\windows\system32\pdtcigyt.ini
c:\windows\system32\qnphsdci.ini
c:\windows\system32\rvpyhmnc.ini
c:\windows\system32\seusttsd.ini
c:\windows\system32\sgkjsnfr.ini
c:\windows\system32\srkcdpbp.ini
c:\windows\system32\tllxxvmd.ini
c:\windows\system32\typuwend.ini
c:\windows\system32\vbalqrtr.ini
c:\windows\system32\vhjutprc.ini
c:\windows\system32\wmxtkmuh.ini
c:\windows\system32\xpgnrboq.ini
c:\windows\system32\ynkbubfr.ini
C:\xcrashdump.dat

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_IPRIP
-------\Legacy_JQVM465HMYGEBKPP6
-------\Service_Iprip
-------\Service_jqvm465hmygebkpp6


((((((((((((((((((((((((( Files Created from 2008-10-10 to 2008-11-10 )))))))))))))))))))))))))))))))
.

2008-11-08 17:32 . 2008-11-08 17:32 <DIR> d-------- c:\documents and settings\Administrator\Application Data\TrueCrypt
2008-11-08 16:19 . 2008-11-08 16:19 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2008-11-08 16:19 . 2008-11-08 16:34 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-11-08 15:47 . 2008-11-08 15:47 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2008-11-07 22:27 . 2008-11-07 22:41 250 --a------ c:\windows\gmer.ini
2008-11-07 00:23 . 2008-11-07 00:23 <DIR> d-------- c:\program files\CCleaner
2008-11-05 22:41 . 2008-11-05 22:42 <DIR> d-------- c:\windows\ERUNT
2008-11-05 22:35 . 2008-11-07 00:23 <DIR> d-------- C:\SDFix
2008-11-05 22:30 . 2008-11-05 22:30 <DIR> d-------- C:\ClamWinPortable
2008-11-05 22:28 . 2004-08-04 02:56 21,504 --a------ c:\windows\SYSTEM32\hidserv.dll
2008-11-05 22:28 . 2004-08-04 00:58 14,848 --a------ c:\windows\SYSTEM32\DRIVERS\kbdhid.sys
2008-11-05 22:28 . 2001-08-17 13:48 12,160 --a------ c:\windows\SYSTEM32\DRIVERS\mouhid.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-08 21:57 --------- d---a-w c:\program files\Lycos
2008-11-08 21:57 --------- d-----w c:\program files\LiveAntispy
2008-11-07 05:41 --------- d-----w c:\program files\Canon
2008-11-06 05:27 --------- d-----w c:\documents and settings\All Users\Application Data\mralotun
2004-06-13 14:45 36 ----a-w c:\documents and settings\LocalService\Application Data\tvmuknwrd.dll
2001-06-20 20:19 40,960 ----a-w c:\program files\ACMonitor_X83.exe
2004-08-04 07:56 4,096 --sha-w c:\windows\SYSTEM32\1112.dat
.

------- Sigcheck -------

2002-08-29 06:00 22016 e931e0a2b8bf0019db902e98d03662cb c:\windows\$NtServicePackUninstall$\userinit.exe
2004-08-04 02:56 24576 39b1ffb03c2296323832acbae50d2aff c:\windows\ServicePackFiles\i386\userinit.exe
2008-04-27 18:09 24576 35929cc65abb63982c543369e83feb39 c:\windows\SYSTEM32\userinit.exe
2004-08-04 02:56 24576 39b1ffb03c2296323832acbae50d2aff c:\windows\SYSTEM32\DLLCACHE\userinit.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3799CB4-CC4D-4367-AEF0-307D6EF89F7F}]
2008-02-05 12:21 326240 --------- c:\windows\system32\mlljg.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{b4c0d877-5bfc-4dae-b3ab-a80cb4af5d77}]
2008-04-25 07:08 98880 --a------ c:\windows\system32\kcbgtcnu.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-07-07 2156368]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"SpybotDeletingB3178"="command" [X]
"SpybotDeletingD7475"="del" [X]
"SpybotDeletingB7240"="command" [X]
"SpybotDeletingD9395"="del" [X]
"SpybotDeletingB7743"="command" [X]
"SpybotDeletingD4622"="del" [X]
"SpybotDeletingB7347"="command" [X]
"SpybotDeletingD4538"="del" [X]
"SpybotDeletingB497"="command" [X]
"SpybotDeletingD1761"="del" [X]
"SpybotDeletingB3792"="command" [X]
"SpybotDeletingD3745"="del" [X]
"SpybotDeletingB2934"="command" [X]
"SpybotDeletingD3154"="del" [X]
"SpybotDeletingB1312"="command" [X]
"SpybotDeletingD4995"="del" [X]
"SpybotDeletingB5066"="command" [X]
"SpybotDeletingD6844"="del" [X]
"SpybotDeletingB9161"="command" [X]
"SpybotDeletingD1914"="del" [X]
"SpybotDeletingB5601"="command" [X]
"SpybotDeletingD3315"="del" [X]
"SpybotDeletingB8289"="command" [X]
"SpybotDeletingD2483"="del" [X]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"SpybotDeletingA9519"="command" [X]
"SpybotDeletingC3804"="del" [X]
"SpybotDeletingA6806"="command" [X]
"SpybotDeletingC1350"="del" [X]
"SpybotDeletingA6171"="command" [X]
"SpybotDeletingC9339"="del" [X]
"SpybotDeletingA3251"="command" [X]
"SpybotDeletingC5520"="del" [X]
"SpybotDeletingA7408"="command" [X]
"SpybotDeletingC3607"="del" [X]
"SpybotDeletingA4519"="command" [X]
"SpybotDeletingC7788"="del" [X]
"SpybotDeletingA4326"="command" [X]
"SpybotDeletingC7234"="del" [X]
"SpybotDeletingA9965"="command" [X]
"SpybotDeletingC2754"="del" [X]
"SpybotDeletingA3024"="command" [X]
"SpybotDeletingC3495"="del" [X]
"SpybotDeletingA3896"="command" [X]
"SpybotDeletingC1707"="del" [X]
"SpybotDeletingA2619"="command" [X]
"SpybotDeletingC7137"="del" [X]
"SpybotDeletingA8943"="command" [X]
"SpybotDeletingC2491"="del" [X]
"GrpConv"="grpconv -o" [X]
"SpybotSnD"="c:\program files\Spybot - Search & Destroy\SpybotSD.exe" [2008-07-07 4891472]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MSIServer]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Otx83.sys]
@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Wireless Lan Utility.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Wireless Lan Utility.lnk
backup=c:\windows\pss\Wireless Lan Utility.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\00d971c8]
--a------ 2008-04-26 18:07 87104 c:\windows\SYSTEM32\cnmhypvr.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BM03ea4254]
--a------ 2008-04-26 07:02 106048 c:\windows\SYSTEM32\oxvqlkrv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EasyLinkAdvisor]
--a------ 2006-10-30 11:01 392832 c:\program files\Linksys EasyLink Advisor\LinksysAgent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2005-05-13 23:20 278528 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OpwareSE2]
--a------ 2003-05-08 10:00 49152 c:\program files\ScanSoft\OmniPageSE2.0\opwareSE2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2005-05-21 23:12 98304 c:\program files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2008-02-22 04:25 144784 c:\program files\Java\jre1.6.0_05\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2004-03-06 03:47 151597 c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BCMSMMSG]
--a------ 2003-06-02 06:00 122880 c:\windows\BCMSMMSG.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=

R0 Otx83;Otx83;c:\windows\system32\Drivers\Otx83.sys [2008-04-28 24448]
S2 BulkUsb;Genesys Logic USB Scanner Controller NT 5.0;c:\windows\system32\Drivers\usbscan.sys [2004-08-04 15104]
S2 IOPort;IOPort;c:\windows\System32\DRIVERS\IOPORT.SYS [1998-11-27 6144]
S2 lxdc_device;lxdc_device;c:\windows\System32\lxdccoms.exe [ ]
S2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652]
S3 ADM8211;Wireless PC Card;c:\windows\system32\DRIVERS\WLANPCI.sys [2003-01-27 86656]
S3 TTUQNRGA;TTUQNRGA;c:\docume~1\ADMINI~1\LOCALS~1\Temp\TTUQNRGA.exe [ ]
S3 WLANNDIS5;WLANNDIS5 NDIS Protocol Driver;c:\progra~1\WIRELE~1\WLANNDIS5.SYS [2002-12-25 15872]
.
- - - - ORPHANS REMOVED - - - -

HKLM-RunOnce-<NO NAME> - (no file)
Notify-__c001076A - c:\windows\System32\__c001076A.dat


.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://www.dell4me.com/myway
R0 -: HKLM-Main,Search Bar =
O17 -: HKLM\CCS\Interface\{777B9D40-F35A-471A-A863-F6E7B3FC9751}: NameServer = 208.67.220.220,208.67.222.222
O17 -: HKLM\CCS\Interface\{861BEBB0-E147-491F-B363-309EEC201B53}: NameServer = 208.67.220.220,208.67.222.222
O17 -: HKLM\CCS\Interface\{9F1519AE-0148-44FB-9E19-8D4A8112F5C6}: NameServer = 208.67.220.220,208.67.222.222
O18 -: Handler: ebk - {1E411CE8-FE8B-4973-B8E0-6EA2CC3C6B06} - c:\windows\SYSTEM32\ebkp.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-09 22:34:05
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-11-09 22:39:36 - machine was rebooted
ComboFix-quarantined-files.txt 2008-11-10 03:39:32

Pre-Run: 63,297,175,552 bytes free
Post-Run: 63,231,959,040 bytes free

WinXP_EN_HOM_BF.EXE
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

285

Last edited by bajanknight; 11-15-2008 at 06:58 PM. Reason: Edited due to Log post instead of combofix.txt
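The Sigcheck section of the log just posted lists date, size, MD5 and path for every copy of userinit.exe that ComboFix found: the live file in SYSTEM32 and the reference copies Windows keeps in ServicePackFiles\i386 and SYSTEM32\DLLCACHE. Comparing the live hash against the cached copies is the check a reviewer does first when reading that section. Below is an added example that performs it on those four lines (quoted from the log, embedded here as a constructed excerpt); it is not ComboFix's code and only reports the difference for review:

```python
"""Compare a live system file's MD5 with its cached reference copies.

Added example for this thread; not ComboFix's own code. Parses the Sigcheck
lines quoted from the log above (constructed excerpt) and flags a file whose
SYSTEM32 copy does not match the ServicePackFiles or DLLCACHE copy.
"""
import re

SIGCHECK = r"""
2002-08-29 06:00 22016 e931e0a2b8bf0019db902e98d03662cb c:\windows\$NtServicePackUninstall$\userinit.exe
2004-08-04 02:56 24576 39b1ffb03c2296323832acbae50d2aff c:\windows\ServicePackFiles\i386\userinit.exe
2008-04-27 18:09 24576 35929cc65abb63982c543369e83feb39 c:\windows\SYSTEM32\userinit.exe
2004-08-04 02:56 24576 39b1ffb03c2296323832acbae50d2aff c:\windows\SYSTEM32\DLLCACHE\userinit.exe
"""

# date time  size  md5  path
LINE_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d)\s+(\d+)\s+([0-9a-fA-F]{32})\s+(.+)$")


def parse_sigcheck(text):
    """Return one dict per Sigcheck line: stamp, size, md5 (lowercase), path."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            stamp, size, md5, path = m.groups()
            rows.append({"stamp": stamp, "size": int(size), "md5": md5.lower(), "path": path})
    return rows


def role(path):
    """Classify a copy by where Windows keeps it; DLLCACHE is tested before SYSTEM32."""
    p = path.lower()
    if "\\dllcache\\" in p or "\\servicepackfiles\\" in p:
        return "reference"
    if "\\$ntservicepackuninstall$\\" in p:
        return "pre-sp"  # saved before the service pack; expected to differ
    if "\\system32\\" in p:
        return "live"
    return "other"


def compare(text):
    """filename -> {'live': md5 or None, 'reference': set of md5, 'mismatch': bool}."""
    report = {}
    for row in parse_sigcheck(text):
        name = row["path"].rsplit("\\", 1)[-1].lower()
        entry = report.setdefault(name, {"live": None, "reference": set(), "mismatch": False})
        kind = role(row["path"])
        if kind == "live":
            entry["live"] = row["md5"]
        elif kind == "reference":
            entry["reference"].add(row["md5"])
    for entry in report.values():
        entry["mismatch"] = (
            entry["live"] is not None
            and bool(entry["reference"])
            and entry["live"] not in entry["reference"]
        )
    return report
```

On this excerpt `compare(SIGCHECK)["userinit.exe"]["mismatch"]` is true: the two reference copies agree with each other and the SYSTEM32 copy, dated 2008-04-27, carries a different hash. The pre-service-pack copy is classified separately because it is expected to differ.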
Old 11-15-2008, 06:57 PM   #11
Ried
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 23,972
OS: WinXP and Vista

Re: Programs Restricted/no desktop/Virtumonde

It looks that way.

Go ahead and run that CFScript again. Post the Combofix.txt when finished.
Old 11-15-2008, 07:03 PM   #12
bajanknight
I helped the forums.
Join Date: Nov 2008
Location: Florida
Posts: 34
OS: win xp home sp2

Re: Programs Restricted/no desktop/Virtumonde

ComboFix.exe on the desktop seems to have disappeared; should I reinstall?
Old 11-15-2008, 07:05 PM   #13
Ried
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 23,972
OS: WinXP and Vista

Re: Programs Restricted/no desktop/Virtumonde

Yes, download a fresh copy from here --> http://download.bleepingcomputer.com/sUBs/ComboFix.exe
Old 11-15-2008, 07:11 PM   #14
bajanknight
I helped the forums.
Join Date: Nov 2008
Location: Florida
Posts: 34
OS: win xp home sp2

Re: Programs Restricted/no desktop/Virtumonde

Should I delete the contents of the c:/combofix folder before placing the new combofix.exe on the desktop?
Old 11-15-2008, 07:18 PM   #15
Ried
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 23,972
OS: WinXP and Vista

Re: Programs Restricted/no desktop/Virtumonde

It should work ok without deleting that folder. If ComboFix gives you an error in downloading, then yes, delete the ComboFix folder. However--do not delete the Qoobox folder--that folder is important until we're sure we're through with the cleaning.
Old 11-15-2008, 07:29 PM   #16
bajanknight
I helped the forums.
Join Date: Nov 2008
Location: Florida
Posts: 34
OS: win xp home sp2

Re: Programs Restricted/no desktop/Virtumonde

I am confused with your last reply.

The way I get things to the messed up computer is by ferrying it over on a USB drive from my working computer.

I download to my working computer, I copy and paste ComboFix.exe to my USB Drive, move usb drive over to other computer, copy and paste ComboFix.exe to desktop.

The contents of the old ComboFix folder are:
nircmd.com
XPRD.NFO

I have renamed the folder Old_ComBofix and created an empty folder ComboFix in its place.

Shall I drag the CFScript over now?
Then post the Comboscript.txt?
Old 11-15-2008, 07:33 PM   #17
Ried
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 23,972
OS: WinXP and Vista

Re: Programs Restricted/no desktop/Virtumonde

Ok, please do not create a new empty ComboFix folder. Delete that one you just created.

After you copy the freshly downloaded ComboFix.exe to the desktop, drag and drop the CFScript I gave you onto it and let it run.

The log produced will be ComboFix.txt. Post the contents of that report.
Old 11-15-2008, 07:38 PM   #18
bajanknight
I helped the forums.
Join Date: Nov 2008
Location: Florida
Posts: 34
OS: win xp home sp2

Re: Programs Restricted/no desktop/Virtumonde

Have pop up window that states:

Version_08-11-07.01
Current date is Sat 11/15/2008. ComboFix has expired

Click 'Yes' to run in REDUCED FUNCTIONALITY mode

Click 'No' to exit.
Old 11-15-2008, 07:57 PM   #19
bajanknight
I helped the forums.
Join Date: Nov 2008
Location: Florida
Posts: 34
OS: win xp home sp2

Re: Programs Restricted/no desktop/Virtumonde

Do I click Yes and run in Reduced Functionality?
Old 11-15-2008, 08:00 PM   #20
Ried
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 23,972
OS: WinXP and Vista

Re: Programs Restricted/no desktop/Virtumonde

In this case, we do not want Reduced Functionality Mode. Before you received that message, did you see a prompt to update Combofix?

Did you download a fresh copy of ComboFix?
Copyright 2001 - 2009, Tech Support Forum