Virtumonde, all reports included

Mboose (North Carolina)
edited March 2008 in Spyware & Virus Removal
I have followed every step of http://icrontic.com/forum/showthread.php?t=43902, except for where it says not to get a firewall while my computer is infected and also not to update Windows if I have Service Pack 2.

Reports are the active scan (the "Panda" scan), Kaspersky scan and HijackThis. I also have a VirtumundoBeGone report, but it seems I can't attach more than three files. Let me know if it could be of any help.

Further, I know I have Virtumonde because Spybot S&D recognizes it, as does Ad-Aware, but neither removes it. Also, when I ran HJT the first time it hid some files, the "O2" files, and I had to rename hjt.exe to scanner.exe.

Thanks for the help in advance =D

Comments

  • edited March 2008
    Welcome to Icrontic Mboose,

    I'll need you to post those logs here in your request thread, so everyone that checks here can view them. It's also just too difficult going back and forth between downloaded logs and the forum work being done. You can break them into parts or use separate posts here if needed.
  • Mboose (North Carolina)
    edited March 2008
    Active Scan:

    Incident Status Location
    Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Matthew Booze\Cookies\matthew_booze@atdmt[1].txt
    Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Matthew Booze\Cookies\matthew_booze@bs.serving-sys[1].txt
    Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Matthew Booze\Cookies\matthew_booze@com[1].txt
    Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Matthew Booze\Cookies\matthew_booze@doubleclick[1].txt
    Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Matthew Booze\Cookies\matthew_booze@mediaplex[1].txt
    Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Matthew Booze\Cookies\matthew_booze@serving-sys[2].txt
    Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Matthew Booze\Cookies\matthew_booze@tribalfusion[2].txt
    Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Matthew Booze\Desktop\VS\VirtumundoBeGone.exe


    Kaspersky:
    KASPERSKY ONLINE SCANNER REPORT
    Sunday, March 16, 2008 9:52:09 PM
    Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
    Kaspersky Online Scanner version: 5.0.98.0
    Kaspersky Anti-Virus database last update: 16/03/2008
    Kaspersky Anti-Virus database records: 634534
    Scan Settings:
    Scan using the following antivirus database: extended
    Scan Archives: true
    Scan Mail Bases: true
    Scan Target - My Computer:
    C:\
    D:\
    Scan Statistics:
    Total number of scanned objects: 34424
    Number of viruses found: 3
    Number of infected objects: 14
    Number of suspicious objects: 0
    Duration of the scan process: 01:03:12
    Infected Object Name / Virus Name / Last Action
    C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\ntuser.dat Object is locked skipped
    C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
    C:\Documents and Settings\Matthew Booze\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\Matthew Booze\Local Settings\Application Data\AOL OCP\AIM\Storage\All Users\localStorage\common.cls Object is locked skipped
    C:\Documents and Settings\Matthew Booze\Local Settings\Application Data\AOL OCP\AIM\Storage\data\redhondaricer90\localStorage\common.cls Object is locked skipped
    C:\Documents and Settings\Matthew Booze\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped
    C:\Documents and Settings\Matthew Booze\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\Matthew Booze\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\Matthew Booze\Local Settings\History\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\Matthew Booze\Local Settings\History\History.IE5\MSHist012008031620080317\index.dat Object is locked skipped
    C:\Documents and Settings\Matthew Booze\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\Matthew Booze\ntuser.dat Object is locked skipped
    C:\Documents and Settings\Matthew Booze\ntuser.dat.LOG Object is locked skipped
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
    C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
    C:\System Volume Information\_restore{290CB591-3B88-494B-810D-330C6B900D40}\RP74\A0070646.exe Infected: Trojan-Downloader.Win32.VB.dck skipped
    C:\System Volume Information\_restore{290CB591-3B88-494B-810D-330C6B900D40}\RP76\A0070790.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
    C:\System Volume Information\_restore{290CB591-3B88-494B-810D-330C6B900D40}\RP76\A0070873.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
    C:\System Volume Information\_restore{290CB591-3B88-494B-810D-330C6B900D40}\RP76\change.log Object is locked skipped
    C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
    C:\WINDOWS\Fonts\a.zip/Setup.exe Infected: Trojan-Downloader.Win32.VB.dck skipped
    C:\WINDOWS\Fonts\a.zip ZIP: infected - 1 skipped
    C:\WINDOWS\Fonts\Setup.exe Infected: Trojan-Downloader.Win32.VB.dck skipped
    C:\WINDOWS\SchedLgU.Txt Object is locked skipped
    C:\WINDOWS\SoftwareDistribution\EventCache\{24F96D3E-12D0-4FCD-B3AB-05912FFF850A}.bin Object is locked skipped
    C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
    C:\WINDOWS\system32\axjyclab.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
    C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
    C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
    C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\default Object is locked skipped
    C:\WINDOWS\system32\config\default.LOG Object is locked skipped
    C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
    C:\WINDOWS\system32\config\SAM Object is locked skipped
    C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\SECURITY Object is locked skipped
    C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
    C:\WINDOWS\system32\config\software Object is locked skipped
    C:\WINDOWS\system32\config\software.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\system Object is locked skipped
    C:\WINDOWS\system32\config\system.LOG Object is locked skipped
    C:\WINDOWS\system32\h323log.txt Object is locked skipped
    C:\WINDOWS\system32\iaxoqicr.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
    C:\WINDOWS\system32\kmyshatr.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
    C:\WINDOWS\system32\rjhdphsd.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
    C:\WINDOWS\system32\rqrol.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
    C:\WINDOWS\system32\rqroljh.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
    C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
    C:\WINDOWS\system32\wjdbbhsl.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
    C:\WINDOWS\WindowsUpdate.log Object is locked skipped
    C:\winlogon.exe Infected: not-a-virus:PSWTool.Win32.PassView.ag skipped
    Scan process completed.


    HJT:
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 9:58:57 PM, on 3/16/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16608)
    Boot mode: Normal
    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\PROGRA~1\Symantec\SAV8\vptray.exe
    C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\AIM6\aim6.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\D-Link AirPlus Xtreme G\AirPlus.exe
    C:\PROGRA~1\Symantec\SAV8\DefWatch.exe
    C:\PROGRA~1\Symantec\SAV8\Rtvscan.exe
    C:\Program Files\AIM6\aolsoftware.exe
    C:\Program Files\Viewpoint\Common\ViewpointService.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Trend Micro\HijackThis\Scanner.exe
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.webmail.ncsu.edu/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: {d5a869a1-39dc-7039-0e44-5322fa035e74} - {47e530af-2235-44e0-9307-cd931a968a5d} - C:\WINDOWS\system32\kmyshatr.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O2 - BHO: (no name) - {D50C4A55-8E12-4631-8E39-EA6D810587FC} - C:\WINDOWS\system32\rqrol.dll
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\Symantec\SAV8\vptray.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [b09dd3ce] rundll32.exe "C:\WINDOWS\system32\iaxoqicr.dll",b
    O4 - HKLM\..\Run: [BMb3aee052] Rundll32.exe "C:\WINDOWS\system32\wjdbbhsl.dll",s
    O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp /HIDEBL
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - Global Startup: D-Link AirPlus Xtreme G Configuration Utility.lnk = ?
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/us/kavwebscan_unicode.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1199983418201
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\Symantec\SAV8\DefWatch.exe
    O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\Symantec\SAV8\Rtvscan.exe
    O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
    --
    End of file - 5529 bytes

    Sorry about not doing that before, I thought it'd save some room
  • edited March 2008
    That's fine, and now we can see the infection showing there to make some moves on. Bit of a cart-before-the-horse look, but we'll do a swap on that now.


    To keep them from interfering with the repairs, be sure to temporarily disable all antivirus/anti-spyware software while these steps are being completed. This can usually be done through right-clicking the software's Taskbar icons, or accessing each software through Start - Programs.

    Download ComboFix.exe from here to your desktop.

    Then disable your net access, and click the downloaded file to run the repair.

    When starting, ComboFix will cause your computer's internal speakers to produce two beeps, and during the start process display two warnings. These are intended to discourage people who are not getting help in the forum from just experimenting with tools they do not understand. Just to inform you, so you will understand that the procedures are expected, and okay.

    ComboFix will also change the drive autoplay settings there as its own added security measure. When we have completed all repairs here we will return the default Windows settings.


    A caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop; however, given the infection there, ComboFix will likely cause a reboot in order to complete its repairs.

    (ComboFix will also disable any screensaver settings made, so know that at some point when we complete repairs you will need to reset your screensaver)

    Re-enable net access, and post back the C:\ComboFix.txt log as well as a new HijackThis log please.
  • Mboose (North Carolina)
    edited March 2008
    HJT:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 8:41:51 PM, on 3/17/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16608)
    Boot mode: Normal
    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Symantec\SAV8\DefWatch.exe
    C:\PROGRA~1\Symantec\SAV8\Rtvscan.exe
    C:\Program Files\Viewpoint\Common\ViewpointService.exe
    C:\PROGRA~1\Symantec\SAV8\vptray.exe
    C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
    C:\Program Files\AIM6\aim6.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\D-Link AirPlus Xtreme G\AirPlus.exe
    C:\Program Files\AIM6\aolsoftware.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\system32\notepad.exe
    C:\Program Files\Trend Micro\HijackThis\Scanner.exe
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.webmail.ncsu.edu/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\Symantec\SAV8\vptray.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp /HIDEBL
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - Global Startup: D-Link AirPlus Xtreme G Configuration Utility.lnk = ?
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/us/kavwebscan_unicode.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1199983418201
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\Symantec\SAV8\DefWatch.exe
    O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\Symantec\SAV8\Rtvscan.exe
    O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
    --
    End of file - 5130 bytes



    ComboFix:

    ComboFix 08-03-17.1 - Matthew Booze 2008-03-17 20:32:20.1 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1140 [GMT -4:00]
    Running from: C:\Documents and Settings\Matthew Booze\Desktop\ComboFix.exe
    * Created a new restore point
    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    C:\WINDOWS\BMb3aee052.xml
    C:\WINDOWS\cookies.ini
    C:\WINDOWS\pskt.ini
    C:\WINDOWS\system32\axjyclab.dll
    C:\WINDOWS\system32\kmyshatr.dll
    C:\WINDOWS\system32\rjhdphsd.dll
    C:\WINDOWS\system32\wjdbbhsl.dll
    .
    ((((((((((((((((((((((((( Files Created from 2008-02-18 to 2008-03-18 )))))))))))))))))))))))))))))))
    .
    2008-03-17 17:31 . 2008-03-17 17:31 <DIR> d-------- C:\WINDOWS\Sun
    2008-03-17 11:36 . 2008-03-17 11:36 <DIR> d--h----- C:\WINDOWS\PIF
    2008-03-16 22:51 . 2008-03-16 22:51 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
    2008-03-16 22:51 . 2008-03-16 22:51 <DIR> d-------- C:\Documents and Settings\Matthew Booze\Application Data\Malwarebytes
    2008-03-16 22:51 . 2008-03-16 22:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
    2008-03-16 21:09 . 2008-03-16 21:24 <DIR> d-------- C:\WINDOWS\system32\NtmsData
    2008-03-16 20:23 . 2008-03-16 20:23 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
    2008-03-16 20:23 . 2008-03-16 20:23 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
    2008-03-16 19:54 . 2008-03-16 20:07 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
    2008-03-16 19:54 . 2008-03-16 19:54 30,590 --a------ C:\WINDOWS\system32\pavas.ico
    2008-03-16 19:54 . 2008-03-16 19:54 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
    2008-03-16 19:54 . 2008-03-16 19:54 1,406 --a------ C:\WINDOWS\system32\Help.ico
    2008-03-16 19:49 . 2008-03-16 19:49 <DIR> d-------- C:\Program Files\SpywareBlaster
    2008-03-16 18:33 . 2008-03-16 18:33 <DIR> d-------- C:\Program Files\Trend Micro
    2008-03-16 18:31 . 2008-03-16 18:31 54,156 --ah----- C:\WINDOWS\QTFont.qfn
    2008-03-16 18:31 . 2008-03-16 18:31 1,409 --a------ C:\WINDOWS\QTFont.for
    2008-03-16 17:00 . 2008-03-16 17:00 <DIR> d-------- C:\VundoFix Backups
    2008-03-16 04:06 . 2008-03-17 03:41 <DIR> d-------- C:\Program Files\Windows Live Safety Center
    2008-03-16 02:23 . 2008-03-16 02:24 306 --a------ C:\WINDOWS\wininit.ini
    2008-03-16 01:39 . 2008-03-16 01:39 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
    2008-03-16 01:39 . 2008-03-16 01:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2008-03-16 01:15 . 2008-03-16 02:27 <DIR> d-------- C:\WINDOWS\SxsCaPendDel
    2008-03-16 00:54 . 2008-03-16 00:54 <DIR> d-------- C:\Program Files\Lavasoft
    2008-03-16 00:54 . 2008-03-16 00:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
    2008-03-16 00:53 . 2008-03-16 00:53 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
    2008-03-15 23:34 . 2008-03-16 00:36 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SITEguard
    2008-03-15 23:29 . 2008-03-15 23:29 <DIR> d-------- C:\Program Files\Common Files\iS3
    2008-03-15 23:29 . 2008-03-16 01:14 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\STOPzilla!
    2008-03-15 23:04 . 2008-03-16 18:32 1,367,892 ---hs---- C:\WINDOWS\system32\tylltyhn.ini
    2008-03-15 23:01 . 2008-03-15 23:24 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
    2008-03-15 18:57 . 2008-03-15 19:01 <DIR> d-------- C:\Program Files\QuickTime
    2008-03-15 18:57 . 2008-03-15 18:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
    2008-03-15 18:55 . 2008-03-15 18:55 <DIR> d-------- C:\Program Files\Apple Software Update
    2008-03-15 18:55 . 2008-03-15 18:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
    2008-03-15 18:53 . 2008-03-15 18:53 63 --a------ C:\WINDOWS\system32\b09dc140
    2008-03-15 18:52 . 2008-03-15 18:52 147,456 --a------ C:\WINDOWS\system32\vbzip10.dll
    2008-03-15 18:49 . 2008-03-15 21:13 <DIR> d-------- C:\Temp
    2008-03-15 18:48 . 2008-03-15 18:48 44,544 --a------ C:\WINDOWS\system32\rqroljh.dll.vir
    2008-03-15 18:34 . 2008-03-15 23:26 <DIR> d-------- C:\Documents and Settings\Matthew Booze\Application Data\LimeWire
    2008-03-15 18:31 . 2008-02-22 02:33 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
    2008-03-15 18:30 . 2008-03-15 23:28 <DIR> d-------- C:\Program Files\Java
    2008-03-15 18:30 . 2008-03-15 18:30 <DIR> d-------- C:\Program Files\Common Files\Java
    2008-03-15 18:29 . 2008-03-15 21:26 <DIR> d-------- C:\Program Files\LimeWire
    2008-03-11 21:18 . 2008-03-11 21:18 <DIR> d-------- C:\Program Files\MSECache
    2008-03-10 11:55 . 2008-03-10 11:55 <DIR> d-------- C:\Program Files\D-Link AirPlus Xtreme G
    2008-03-10 11:55 . 2004-05-12 04:47 351,840 -ra------ C:\WINDOWS\system32\drivers\ar5211.sys
    2008-03-10 11:55 . 2003-10-17 19:29 351,776 --a------ C:\WINDOWS\system32\drivers\ar52119x.sys
    2008-03-10 11:55 . 2008-03-10 11:55 11,861 --a------ C:\WINDOWS\system32\drivers\mdc8021x.sys
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-03-16 02:52 --------- d-----w C:\Program Files\CyberLink
    2008-03-16 01:28 --------- d-----w C:\Program Files\Common Files\AVSMedia
    2008-03-16 01:28 --------- d-----w C:\Program Files\AVS4YOU
    2008-03-15 22:24 --------- d--h--w C:\Program Files\InstallShield Installation Information
    2008-03-13 17:24 --------- d-----w C:\Program Files\World of Warcraft
    2008-03-10 15:54 --------- d-----w C:\Program Files\Common Files\InstallShield
    2008-02-16 02:05 --------- d-----w C:\Documents and Settings\Matthew Booze\Application Data\Move Networks
    2008-01-25 03:09 --------- d-----w C:\Documents and Settings\Matthew Booze\Application Data\Talkback
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Aim6"="C:\Program Files\AIM6\aim6.exe" [2008-01-03 12:15 50528]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 06:00 15360]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "vptray"="C:\PROGRA~1\Symantec\SAV8\vptray.exe" [2004-03-24 00:56 90224]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-01-31 23:13 385024]
    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=dword:00000001
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
    "C:\\Program Files\\World of Warcraft\\WoW-1.12.0-enUS-downloader.exe"=
    "C:\\Program Files\\World of Warcraft\\WoW-1.12.x-to-2.0.1-enUS-patch-downloader.exe"=
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "6112:TCP"= 6112:TCP:Blizzard Downloader
    R2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 17:38]
    R3 OZSCR;O2Micro SmartCardBus Smartcard Reader;C:\WINDOWS\system32\DRIVERS\ozscr.sys [2005-04-21 22:58]
    .
    Contents of the 'Scheduled Tasks' folder
    "2008-03-15 22:56:15 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
    - C:\Program Files\Apple Software Update\SoftwareUpdate.exe
    .
    **************************************************************************
    catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-03-17 20:36:30
    Windows 5.1.2600 Service Pack 2 NTFS
    scanning hidden processes ...
    scanning hidden autostart entries ...
    scanning hidden files ...
    scan completed successfully
    hidden files: 0
    **************************************************************************
    .
    DLLs Loaded Under Running Processes
    PROCESS: C:\WINDOWS\system32\winlogon.exe
    -> C:\WINDOWS\system32\NavLogon.dll
    .
    Other Running Processes
    .
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\System32\SCardSvr.exe
    C:\PROGRA~1\Symantec\SAV8\DefWatch.exe
    C:\PROGRA~1\Symantec\SAV8\Rtvscan.exe
    C:\Program Files\D-Link AirPlus Xtreme G\AirPlus.exe
    C:\Program Files\AIM6\aolsoftware.exe
    .
    **************************************************************************
    .
    Completion time: 2008-03-17 20:38:58 - machine was rebooted [Matthew Booze]
    ComboFix-quarantined-files.txt 2008-03-18 00:38:34
    .
    2008-03-12 16:25:37 --- E O F ---
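An added example, not part of this thread and not code from HijackThis or ComboFix: a small Python script that parses the two HijackThis logs posted above (a subset of their O2/O4 lines is embedded as constructed sample input), lists the entries that disappeared between the 3/16 and 3/17 scans, and flags the pattern the helper is acting on in the first log: a BHO registered with no name or with a GUID in place of a name, and a Run entry that loads a DLL from system32 through rundll32. The regular expressions and the two heuristics are this example's own assumptions about the log format, not anything HijackThis itself defines.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample input: the O2/O4 lines from the thread's 3/16 ("before")
# and 3/17 ("after") HijackThis logs, trimmed to the entries of interest.
HJT_BEFORE = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: {d5a869a1-39dc-7039-0e44-5322fa035e74} - {47e530af-2235-44e0-9307-cd931a968a5d} - C:\WINDOWS\system32\kmyshatr.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {D50C4A55-8E12-4631-8E39-EA6D810587FC} - C:\WINDOWS\system32\rqrol.dll
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\Symantec\SAV8\vptray.exe
O4 - HKLM\..\Run: [b09dd3ce] rundll32.exe "C:\WINDOWS\system32\iaxoqicr.dll",b
O4 - HKLM\..\Run: [BMb3aee052] Rundll32.exe "C:\WINDOWS\system32\wjdbbhsl.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

HJT_AFTER = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\Symantec\SAV8\vptray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

# Every HijackThis entry starts with a section code such as O2, O4 or R0
# (assumed format, derived from the logs in the thread).
ENTRY_RE = re.compile(r"^(O\d+|R\d+) - .*$")
# O2 line: "BHO: <name> - {CLSID} - <path>"
BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.*)$")
# O4 line: "HKLM\..\Run: [<value name>] <command line>"
RUN_RE = re.compile(r"^O4 - HK(?:LM|CU)\\\.\.\\Run: \[(?P<key>[^\]]+)\] (?P<cmd>.*)$")
GUID_RE = re.compile(r"^\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")
# rundll32 invocation with the DLL as its first argument, optionally quoted.
RUNDLL_RE = re.compile(r'^rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+\.dll)', re.IGNORECASE)


def parse_hjt(text: str) -> Dict[str, List[str]]:
    """Group the log's entries by section code, keeping each full line."""
    sections: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m:
            sections.setdefault(m.group(1), []).append(line)
    return sections


def removed_entries(before: str, after: str) -> List[str]:
    """Entries in the earlier log that no longer appear in the later one."""
    still_present = {e for es in parse_hjt(after).values() for e in es}
    return [e for es in parse_hjt(before).values() for e in es if e not in still_present]


def flag_suspicious(text: str) -> List[Tuple[str, str]]:
    """Return (line, reason) for entries matching the two Virtumonde-style heuristics."""
    findings: List[Tuple[str, str]] = []
    for raw in text.splitlines():
        line = raw.strip()
        bho = BHO_RE.match(line)
        if bho:
            name = bho.group("name")
            if name == "(no name)":
                findings.append((line, "BHO registered without a name"))
            elif GUID_RE.match(name):
                findings.append((line, "BHO name is itself a GUID"))
            continue
        run = RUN_RE.match(line)
        if run:
            dll = RUNDLL_RE.match(run.group("cmd"))
            if dll and "\\system32\\" in dll.group("dll").lower():
                findings.append((line, f"Run entry loads {dll.group('dll')} via rundll32"))
    return findings


if __name__ == "__main__":
    for entry in removed_entries(HJT_BEFORE, HJT_AFTER):
        print("removed:", entry)
    for entry, reason in flag_suspicious(HJT_BEFORE):
        print("flagged:", reason, "|", entry)
```

On the sample above the four flagged lines are exactly the four that vanished after the ComboFix run, which is the kind of cross-check a helper does by eye when comparing a before and after log; the legitimate Acrobat, Spybot, Symantec and ctfmon entries are untouched by both heuristics.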
  • edited March 2008
    That did some removals. Let's continue. The logs show you have Viewpoint installed there. Many people ask the question posted Here ("How does Viewpoint software get installed?"), and often decide that answer is not enough. If you did not install Viewpoint yourself on this system you may want to remove all Viewpoint software through Add/Remove Programs. Here is their main web page, where they tell folks all about how to advertise to us users.


    Be sure to continue to temporarily disable any protective software when running the scan tools we use here.


    Open notepad (go to Start, Run, type notepad and press Enter) and copy/paste the text in the codebox below into it:
    File::
    C:\WINDOWS\system32\tylltyhn.ini
    C:\WINDOWS\system32\b09dc140
    C:\WINDOWS\system32\vbzip10.dll
    C:\WINDOWS\system32\rqroljh.dll.vir
    Folder::
    C:\Temp
    

    Save this to your desktop as "CFScript"

    (include the "quotation marks" with the name)


    You should now have both ComboFix and that CFScript on the desktop. Just left click/hold on the CFScript file, and drag it into ComboFix to start the scan.

    ComboFix will now run as it did before. Allow the scan to run. When completed a text window will appear - please copy/paste the contents back here. This log can also be found at C:\ComboFix.txt.

    A caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop.



    Also again go here and run the Kaspersky online scan, and post back the log it creates (it requires IE) so we can get an after view of things.

    To use the scan, once the download has completed click Scan Settings, then make sure the "extended option" is checked (leave all others as they are) and click OK. Then click My Computer to begin the scan. Save the Report as a text file and post that back here.

    To save it as a text file, still with the page in Internet Explorer, go to the top of the page and select File - Save As... Then make sure in the "Save as type" drop down you change it to "Text File(*.txt)".

    Post back that log along with the ComboFix.txt and a new HijackThis log please.
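As an added example for this thread (not ComboFix's own code and not part of the original post), here is a small Python script that cross-checks a CFScript's File:: and Folder:: entries against the "Other Deletions" section of the ComboFix.txt it produces, so a helper can see at a glance which requested deletions did not happen. The CFScript and the log excerpt are constructed from the entries above; vbzip10.dll is deliberately left out of the log's deletion list so the check has something to report.

```python
"""Cross-check a ComboFix CFScript against the ComboFix.txt it produced.

Added example for this thread; not ComboFix's own code. The CFScript and the
log excerpt below are constructed from the entries in the post above, with
vbzip10.dll deliberately left out of the log's deletion list.
"""
import re

# Constructed CFScript in the layout the helper asked for.
CFSCRIPT = r"""File::
C:\WINDOWS\system32\tylltyhn.ini
C:\WINDOWS\system32\b09dc140
C:\WINDOWS\system32\vbzip10.dll
C:\WINDOWS\system32\rqroljh.dll.vir
Folder::
C:\Temp
"""

# Constructed, shortened ComboFix.txt excerpt using the real log's section headings.
COMBOFIX_LOG = r"""ComboFix 08-03-17.1 - 2008-03-17 22:29:12.2 - NTFSx86
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Temp
C:\WINDOWS\system32\b09dc140
C:\WINDOWS\system32\rqroljh.dll.vir
C:\WINDOWS\system32\tylltyhn.ini
.
((((((((((((((((((((((((( Files Created from 2008-02-18 to 2008-03-18 )))))))))))))))))))))))))))))))
.
2008-03-17 17:31 . 2008-03-17 17:31 <DIR> d-------- C:\WINDOWS\Sun
"""

# ComboFix section headings look like "(((( Title ))))".
HEADING_RE = re.compile(r'^\(+\s*(.+?)\s*\)+\s*$')


def parse_cfscript(text):
    """Map each 'Directive::' block to the list of paths under it."""
    directives = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith('::'):
            current = line[:-2]
            directives.setdefault(current, [])
        elif current is not None:
            directives[current].append(line)
    return directives


def parse_combofix_sections(text):
    """Map each '(((( Title ))))' heading to the non-empty lines beneath it."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADING_RE.match(line)
        if m:
            current = m.group(1)
            sections[current] = []
            continue
        if current is None or line in ('', '.'):
            continue
        sections[current].append(line)
    return sections


def check_deletions(cfscript_text, log_text):
    """Return (deleted, missing) for every File::/Folder:: path in the script.

    Comparison is case-insensitive because NTFS paths are.
    """
    wanted = parse_cfscript(cfscript_text)
    deleted_set = {p.lower() for p in
                   parse_combofix_sections(log_text).get('Other Deletions', [])}
    deleted, missing = [], []
    for key in ('File', 'Folder'):
        for path in wanted.get(key, []):
            (deleted if path.lower() in deleted_set else missing).append(path)
    return deleted, missing


if __name__ == '__main__':
    done, left = check_deletions(CFSCRIPT, COMBOFIX_LOG)
    print('deleted:', *done, sep='\n  ')
    print('NOT deleted:', *left, sep='\n  ')
```

A path that lands in the "missing" list is the cue to ask why: the file may have been locked by a running process, already renamed by an earlier tool (the Kaspersky report later in this thread shows rqroljh.dll.vir.vir in QooBox, a file that already carried a .vir suffix when ComboFix quarantined it again), or may simply not exist any more.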
  • MbooseMboose North Carolina
    edited March 2008
    HJT:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 11:44:07 PM, on 3/17/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16608)
    Boot mode: Normal
    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Symantec\SAV8\DefWatch.exe
    C:\PROGRA~1\Symantec\SAV8\Rtvscan.exe
    C:\PROGRA~1\Symantec\SAV8\vptray.exe
    C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\D-Link AirPlus Xtreme G\AirPlus.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\system32\notepad.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Trend Micro\HijackThis\Scanner.exe
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.webmail.ncsu.edu/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\Symantec\SAV8\vptray.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp /HIDEBL
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - Global Startup: D-Link AirPlus Xtreme G Configuration Utility.lnk = ?
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/us/kavwebscan_unicode.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1199983418201
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\Symantec\SAV8\DefWatch.exe
    O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\Symantec\SAV8\Rtvscan.exe
    --
    End of file - 4897 bytes



    ComboFix:

    ComboFix 08-03-17.1 - Matthew Booze 2008-03-17 22:29:12.2 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1148 [GMT -4:00]
    Running from: C:\Documents and Settings\Matthew Booze\Desktop\ComboFix.exe
    Command switches used :: C:\Documents and Settings\Matthew Booze\Desktop\CFScript
    * Created a new restore point
    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    FILE ::
    C:\WINDOWS\system32\b09dc140
    C:\WINDOWS\system32\rqroljh.dll.vir
    C:\WINDOWS\system32\tylltyhn.ini
    C:\WINDOWS\system32\vbzip10.dll
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    C:\Temp
    C:\WINDOWS\system32\b09dc140
    C:\WINDOWS\system32\rqroljh.dll.vir
    C:\WINDOWS\system32\tylltyhn.ini
    C:\WINDOWS\system32\vbzip10.dll
    .
    ((((((((((((((((((((((((( Files Created from 2008-02-18 to 2008-03-18 )))))))))))))))))))))))))))))))
    .
    2008-03-17 17:31 . 2008-03-17 17:31 <DIR> d-------- C:\WINDOWS\Sun
    2008-03-17 11:36 . 2008-03-17 11:36 <DIR> d--h----- C:\WINDOWS\PIF
    2008-03-16 22:51 . 2008-03-16 22:51 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
    2008-03-16 22:51 . 2008-03-16 22:51 <DIR> d-------- C:\Documents and Settings\Matthew Booze\Application Data\Malwarebytes
    2008-03-16 22:51 . 2008-03-16 22:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
    2008-03-16 21:09 . 2008-03-16 21:24 <DIR> d-------- C:\WINDOWS\system32\NtmsData
    2008-03-16 20:23 . 2008-03-16 20:23 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
    2008-03-16 20:23 . 2008-03-16 20:23 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
    2008-03-16 19:54 . 2008-03-16 20:07 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
    2008-03-16 19:54 . 2008-03-16 19:54 30,590 --a------ C:\WINDOWS\system32\pavas.ico
    2008-03-16 19:54 . 2008-03-16 19:54 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
    2008-03-16 19:54 . 2008-03-16 19:54 1,406 --a------ C:\WINDOWS\system32\Help.ico
    2008-03-16 19:49 . 2008-03-16 19:49 <DIR> d-------- C:\Program Files\SpywareBlaster
    2008-03-16 18:33 . 2008-03-16 18:33 <DIR> d-------- C:\Program Files\Trend Micro
    2008-03-16 18:31 . 2008-03-16 18:31 54,156 --ah----- C:\WINDOWS\QTFont.qfn
    2008-03-16 18:31 . 2008-03-16 18:31 1,409 --a------ C:\WINDOWS\QTFont.for
    2008-03-16 17:00 . 2008-03-16 17:00 <DIR> d-------- C:\VundoFix Backups
    2008-03-16 04:06 . 2008-03-17 03:41 <DIR> d-------- C:\Program Files\Windows Live Safety Center
    2008-03-16 02:23 . 2008-03-16 02:24 306 --a------ C:\WINDOWS\wininit.ini
    2008-03-16 01:39 . 2008-03-16 01:39 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
    2008-03-16 01:39 . 2008-03-16 01:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2008-03-16 01:15 . 2008-03-16 02:27 <DIR> d-------- C:\WINDOWS\SxsCaPendDel
    2008-03-16 00:54 . 2008-03-16 00:54 <DIR> d-------- C:\Program Files\Lavasoft
    2008-03-16 00:54 . 2008-03-16 00:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
    2008-03-16 00:53 . 2008-03-16 00:53 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
    2008-03-15 23:34 . 2008-03-16 00:36 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SITEguard
    2008-03-15 23:29 . 2008-03-15 23:29 <DIR> d-------- C:\Program Files\Common Files\iS3
    2008-03-15 23:29 . 2008-03-16 01:14 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\STOPzilla!
    2008-03-15 23:01 . 2008-03-15 23:24 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
    2008-03-15 18:57 . 2008-03-15 19:01 <DIR> d-------- C:\Program Files\QuickTime
    2008-03-15 18:57 . 2008-03-15 18:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
    2008-03-15 18:55 . 2008-03-15 18:55 <DIR> d-------- C:\Program Files\Apple Software Update
    2008-03-15 18:55 . 2008-03-15 18:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
    2008-03-15 18:34 . 2008-03-15 23:26 <DIR> d-------- C:\Documents and Settings\Matthew Booze\Application Data\LimeWire
    2008-03-15 18:31 . 2008-02-22 02:33 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
    2008-03-15 18:30 . 2008-03-15 23:28 <DIR> d-------- C:\Program Files\Java
    2008-03-15 18:30 . 2008-03-15 18:30 <DIR> d-------- C:\Program Files\Common Files\Java
    2008-03-15 18:29 . 2008-03-15 21:26 <DIR> d-------- C:\Program Files\LimeWire
    2008-03-11 21:18 . 2008-03-11 21:18 <DIR> d-------- C:\Program Files\MSECache
    2008-03-10 11:55 . 2008-03-10 11:55 <DIR> d-------- C:\Program Files\D-Link AirPlus Xtreme G
    2008-03-10 11:55 . 2004-05-12 04:47 351,840 -ra------ C:\WINDOWS\system32\drivers\ar5211.sys
    2008-03-10 11:55 . 2003-10-17 19:29 351,776 --a------ C:\WINDOWS\system32\drivers\ar52119x.sys
    2008-03-10 11:55 . 2008-03-10 11:55 11,861 --a------ C:\WINDOWS\system32\drivers\mdc8021x.sys
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-03-18 02:15 d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
    2008-03-16 02:52 d-----w C:\Program Files\CyberLink
    2008-03-16 01:28 d-----w C:\Program Files\Common Files\AVSMedia
    2008-03-16 01:28 d-----w C:\Program Files\AVS4YOU
    2008-03-15 22:24 d--h--w C:\Program Files\InstallShield Installation Information
    2008-03-13 17:24 d-----w C:\Program Files\World of Warcraft
    2008-03-10 15:54 d-----w C:\Program Files\Common Files\InstallShield
    2008-02-16 02:05 d-----w C:\Documents and Settings\Matthew Booze\Application Data\Move Networks
    2008-01-25 03:09 d-----w C:\Documents and Settings\Matthew Booze\Application Data\Talkback
    2008-01-07 15:12 83,208 ----a-w C:\WINDOWS\system32\S32EVNT1.DLL
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Aim6"="C:\Program Files\AIM6\aim6.exe" [2008-01-03 12:15 50528]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 06:00 15360]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "vptray"="C:\PROGRA~1\Symantec\SAV8\vptray.exe" [2004-03-24 00:56 90224]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-01-31 23:13 385024]
    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=dword:00000001
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
    "C:\\Program Files\\World of Warcraft\\WoW-1.12.0-enUS-downloader.exe"=
    "C:\\Program Files\\World of Warcraft\\WoW-1.12.x-to-2.0.1-enUS-patch-downloader.exe"=
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "6112:TCP"= 6112:TCP:Blizzard Downloader
    R3 OZSCR;O2Micro SmartCardBus Smartcard Reader;C:\WINDOWS\system32\DRIVERS\ozscr.sys [2005-04-21 22:58]
    .
    Contents of the 'Scheduled Tasks' folder
    "2008-03-15 22:56:15 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
    - C:\Program Files\Apple Software Update\SoftwareUpdate.exe
    .
    **************************************************************************
    catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-03-17 22:30:11
    Windows 5.1.2600 Service Pack 2 NTFS
    scanning hidden processes ...
    scanning hidden autostart entries ...
    scanning hidden files ...
    scan completed successfully
    hidden files: 0
    **************************************************************************
    .
    DLLs Loaded Under Running Processes
    PROCESS: C:\WINDOWS\system32\winlogon.exe
    -> C:\WINDOWS\system32\NavLogon.dll
    .
    Completion time: 2008-03-17 22:30:55
    ComboFix-quarantined-files.txt 2008-03-18 02:30:26
    ComboFix2.txt 2008-03-18 00:38:59
    .
    2008-03-12 16:25:37 --- E O F ---


    Kaspersky:

    KASPERSKY ONLINE SCANNER REPORT
    Monday, March 17, 2008 11:43:42 PM
    Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
    Kaspersky Online Scanner version: 5.0.98.0
    Kaspersky Anti-Virus database last update: 18/03/2008
    Kaspersky Anti-Virus database records: 636434
    Scan Settings:
    Scan using the following antivirus database: extended
    Scan Archives: true
    Scan Mail Bases: true
    Scan Target - My Computer:
    C:\
    D:\
    Scan Statistics:
    Total number of scanned objects: 33122
    Number of viruses found: 2
    Number of infected objects: 12
    Number of suspicious objects: 0
    Duration of the scan process: 00:57:57
    Infected Object Name / Virus Name / Last Action
    C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\ntuser.dat Object is locked skipped
    C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
    C:\Documents and Settings\Matthew Booze\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\Matthew Booze\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\Matthew Booze\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\Matthew Booze\Local Settings\History\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\Matthew Booze\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
    C:\Documents and Settings\Matthew Booze\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\Matthew Booze\ntuser.dat Object is locked skipped
    C:\Documents and Settings\Matthew Booze\ntuser.dat.LOG Object is locked skipped
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
    C:\QooBox\Quarantine\C\WINDOWS\system32\axjyclab.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
    C:\QooBox\Quarantine\C\WINDOWS\system32\kmyshatr.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
    C:\QooBox\Quarantine\C\WINDOWS\system32\rjhdphsd.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
    C:\QooBox\Quarantine\C\WINDOWS\system32\rqroljh.dll.vir.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
    C:\QooBox\Quarantine\C\WINDOWS\system32\wjdbbhsl.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
    C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
    C:\System Volume Information\_restore{290CB591-3B88-494B-810D-330C6B900D40}\RP74\A0070646.exe Infected: Trojan-Downloader.Win32.VB.dck skipped
    C:\System Volume Information\_restore{290CB591-3B88-494B-810D-330C6B900D40}\RP76\A0070790.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
    C:\System Volume Information\_restore{290CB591-3B88-494B-810D-330C6B900D40}\RP76\A0070873.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
    C:\System Volume Information\_restore{290CB591-3B88-494B-810D-330C6B900D40}\RP78\A0071985.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
    C:\System Volume Information\_restore{290CB591-3B88-494B-810D-330C6B900D40}\RP78\A0071986.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
    C:\System Volume Information\_restore{290CB591-3B88-494B-810D-330C6B900D40}\RP78\A0071987.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
    C:\System Volume Information\_restore{290CB591-3B88-494B-810D-330C6B900D40}\RP78\A0071988.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
    C:\System Volume Information\_restore{290CB591-3B88-494B-810D-330C6B900D40}\RP79\change.log Object is locked skipped
    C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
    C:\WINDOWS\SchedLgU.Txt Object is locked skipped
    C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
    C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
    C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
    C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\default Object is locked skipped
    C:\WINDOWS\system32\config\default.LOG Object is locked skipped
    C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
    C:\WINDOWS\system32\config\SAM Object is locked skipped
    C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\SECURITY Object is locked skipped
    C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
    C:\WINDOWS\system32\config\software Object is locked skipped
    C:\WINDOWS\system32\config\software.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\system Object is locked skipped
    C:\WINDOWS\system32\config\system.LOG Object is locked skipped
    C:\WINDOWS\system32\h323log.txt Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
    C:\WINDOWS\WindowsUpdate.log Object is locked skipped
    Scan process completed.
  • edited March 2008
    Looks cleaned up - Kaspersky just found normally locked system functions, items held harmless for now in System Restore we will clear shortly and ComboFix's Qoobox quarantined files. Before we do some clean up of what we added are there any issues remaining we need to address there?
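The reading the helper gives of the Kaspersky report above is a triage any practitioner repeats by hand: "Object is locked" lines are in-use system files with no finding attached, hits under C:\QooBox\Quarantine are what ComboFix already pulled out of the system, hits under System Volume Information\_restore are copies frozen in restore points, and only anything left over is live. As an added example (not Kaspersky's code and not part of the original post), the Python script below performs that split on the scanner's line format. The report text is a constructed excerpt: the locked, QooBox and restore-point lines mirror the posted log, and the example_live.dll line is a made-up entry added so the "needs action" case shows up.

```python
"""Triage a Kaspersky Online Scanner report into locked, quarantined,
restore-point and live findings.

Added example for this thread; not Kaspersky's code. REPORT is a constructed
excerpt in the scanner's line format; example_live.dll is a made-up entry.
"""
import re

REPORT = r"""KASPERSKY ONLINE SCANNER REPORT
Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\LocalService\ntuser.dat Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\axjyclab.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\rqroljh.dll.vir.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{290CB591-3B88-494B-810D-330C6B900D40}\RP74\A0070646.exe Infected: Trojan-Downloader.Win32.VB.dck skipped
C:\System Volume Information\_restore{290CB591-3B88-494B-810D-330C6B900D40}\RP76\A0070790.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\WINDOWS\system32\example_live.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
Scan process completed.
"""

# "<path> Object is locked skipped"  or  "<path> Infected: <name> skipped".
# The path may contain spaces, so it is matched lazily and the status anchored
# to the end of the line.
LINE_RE = re.compile(
    r'^(?P<path>.+?)\s+(?:(?P<locked>Object is locked)|Infected:\s+(?P<name>\S+))\s+skipped\s*$')

QUARANTINE_MARK = '\\qoobox\\quarantine\\'          # ComboFix's quarantine folder
RESTORE_MARK = '\\system volume information\\_restore'  # System Restore snapshots


def classify(path, name):
    """Bucket one report line: locked / quarantined / restore_point / live."""
    if name is None:
        return 'locked'
    low = path.lower()
    if QUARANTINE_MARK in low:
        return 'quarantined'
    if RESTORE_MARK in low:
        return 'restore_point'
    return 'live'


def triage(report_text):
    """Return {bucket: [(path, detection_name), ...]} for every parsable line."""
    buckets = {'locked': [], 'quarantined': [], 'restore_point': [], 'live': []}
    for raw in report_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # headers, statistics and trailer lines
        path, name = m.group('path'), m.group('name')
        buckets[classify(path, name)].append((path, name))
    return buckets


def needs_action(report_text):
    """Paths that are detected and neither quarantined nor in a restore point."""
    return [path for path, _ in triage(report_text)['live']]


if __name__ == '__main__':
    for bucket, hits in triage(REPORT).items():
        print(f'{bucket}: {len(hits)}')
    print('needs action:', needs_action(REPORT))
```

The quarantined and restore-point buckets are exactly what the clean-up steps later in the thread dispose of (OTMoveIt removes QooBox, resetting System Restore drops the old restore points); anything in the live bucket would mean the fix is not finished.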
  • MbooseMboose North Carolina
    edited March 2008
    Not really, I was a little bothered when Kaspersky said it caught a few things but it's good to hear that they aren't serious. I greatly appreciate your help with this so far.
  • edited March 2008
    All that remains then is cleaning up here.

    Kaspersky, if you don't plan to use it again, uninstalls through Add/Remove Programs.


    The autoplay functions there were blocked as part of the procedures we did here. You can return those to the Windows default settings at this time by doing the following step, if you wish. This will allow autoplay for all drives such as CD-ROM and external drives.
    REGEDIT4
    
    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
    "NoDriveAutoRun"=dword:00000000
    "NoDriveTypeAutoRun"=dword:00000095
    
    Open Notepad and copy and paste the above text (inside the box) into the text file. Now go to File > Save As and call it autofix.reg. Where it says "Files of Type", select All Files and click on Save. Exit Notepad, double-click on the file and OK the prompt asking if you wish to merge the file with your registry.


    You can also at this time delete the files/folders of the tools we used. To assist with some of that download OTMoveIt2 and save the file to your desktop. This will help by automatically removing some of the tools we used.

    Please double-click OTMoveIt.exe to run it and click on Cleanup (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator"). When you do this, a list of malware removal programs will be downloaded from the internet. If you get a warning from your firewall or other security programs regarding OTMoveIt attempting to contact the internet you should allow it to do so. After the list has downloaded, you'll be asked if you want to begin the cleanup process. Select Yes.

    OTMoveIt will search for and delete/uninstall all the tools that we have used to fix your problems and all their backup folders and then delete itself when you next reboot. At the end of the run you will receive a prompt to reboot, but save that for the next step.


    Then reset the System Restore. To do this, right-click My Computer and select Properties. Click the System Restore tab in the window that appears, and check the box that says "Turn off System Restore on all drives" and click Apply.

    You will be asked if you are sure, click Yes. This will delete the restore points. Then click OK in the Properties window and reboot your computer.

    When your desktop appears, right-click My Computer and select Properties once more. Uncheck the "Turn off System Restore..." box and click Apply. OK.

    In addition, I like to recommend reviewing the information Here to make sure you stay malware free.
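The two registry values in the autofix.reg above are bitmasks, and it is worth knowing what 0x95 actually re-enables before merging it. As an added example (not Microsoft's or the helper's tooling and not part of the original post), the Python script below decodes both masks and regenerates the .reg text with the 8-digit dword notation regedit uses: NoDriveTypeAutoRun has one bit per Win32 drive type (a set bit disables AutoRun for that type), and NoDriveAutoRun has one bit per drive letter. Calling 0xFF the "disable everywhere" value is this example's assumption, not something the post states.

```python
"""Decode and re-emit the Explorer AutoRun policy values from the autofix.reg
in the post above.

Added example for this thread; not Microsoft's or the helper's tooling.
Bit names follow the NoDriveTypeAutoRun layout (one bit per drive type).
DISABLE_ALL = 0xFF is this example's assumption for a full lockdown.
"""
import re

# A set bit DISABLES AutoRun for that drive type.
DRIVE_TYPE_BITS = (
    (0x01, 'DRIVE_UNKNOWN'),
    (0x02, 'DRIVE_NO_ROOT_DIR'),
    (0x04, 'DRIVE_REMOVABLE'),
    (0x08, 'DRIVE_FIXED'),
    (0x10, 'DRIVE_REMOTE'),
    (0x20, 'DRIVE_CDROM'),
    (0x40, 'DRIVE_RAMDISK'),
    (0x80, 'RESERVED'),
)

XP_DEFAULT = 0x95    # the value the post restores
DISABLE_ALL = 0xFF   # assumption: every drive-type bit set


def disabled_drive_types(mask):
    """Drive types whose AutoRun the NoDriveTypeAutoRun mask switches off."""
    return [name for bit, name in DRIVE_TYPE_BITS if mask & bit]


def enabled_drive_types(mask):
    """Drive types that still AutoRun under this mask."""
    return [name for bit, name in DRIVE_TYPE_BITS if not mask & bit]


def disabled_drive_letters(mask):
    """NoDriveAutoRun: bit 0 is A:, bit 1 is B:, ... bit 25 is Z:."""
    return [chr(ord('A') + i) for i in range(26) if mask & (1 << i)]


def autorun_reg(no_drive_autorun, no_drive_type_autorun):
    """Emit a .reg file in the same shape as the post's autofix.reg."""
    return (
        'REGEDIT4\n\n'
        '[HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer]\n'
        f'"NoDriveAutoRun"=dword:{no_drive_autorun:08x}\n'
        f'"NoDriveTypeAutoRun"=dword:{no_drive_type_autorun:08x}\n'
    )


def parse_reg_dwords(text):
    """Read back every "Name"=dword:hex line as {name: int}."""
    pairs = re.findall(r'^"([^"]+)"=dword:([0-9A-Fa-f]+)\s*$', text, re.MULTILINE)
    return {name: int(value, 16) for name, value in pairs}


if __name__ == '__main__':
    for label, mask in (('XP default 0x95', XP_DEFAULT), ('lockdown 0xFF', DISABLE_ALL)):
        print(f'{label}: still autoruns on {enabled_drive_types(mask) or "nothing"}')
    print(autorun_reg(0, XP_DEFAULT))
```

Decoding 0x95 shows it leaves AutoRun on for fixed disks, CD-ROMs and RAM disks while keeping it off for removable, network and unknown drives, which is exactly the "allow autoplay for CD-ROM" behaviour the post describes; a machine that was infected through removable media or a mounted share is better kept at the stricter mask the clean-up tools applied.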
  • MbooseMboose North Carolina
    edited March 2008
    Thank you so much Thomas! I really really appreciate you helping me with this and if I ever have another problem with a virus this will be the first place I turn to for help.

    Are there any other logs you need? I read where you sometimes ask that people post more logs after the infection has been cleaned. If so I will post them as promptly as possible.

    Thanks again!

    Also, I often times get a blue screen and the file that's always associated with it is ar5211.sys, I believe it to be due in part to my D-Link wireless card. I know this forum is not the place for this but I was wondering if perhaps you could point me in any kind of direction to figure out a solution. If you can't that's fine too, you have certainly done enough for me :)
  • edited March 2008
    That's all for our work here, and I was glad to be of assistance. As a BSOD related to a specific driver file really can suggest a need to update drivers, why not post a request at the Icrontic Drivers & Utilities forum for some good ideas on that.
  • TroganTrogan London, UK
    edited March 2008
    Glad we could be of assistance! The help you received here was free.

    This topic is now closed. If you wish it reopened, please send a Private Message to Trogan with a link to your thread.

    If you are not the user who started this thread, you must start your own Thread instead (grin)
    _______________________________
    Have we helped you with any issues you have had with your PC's or other items? If so, you can now help us by Joining Team 93 and fold for a cure.