
Solved Trojan Vundo

Discussion in 'Malware and Virus Removal Archive' started by jamon08, 2008/10/10.

  1. 2008/10/14
    jamon08

    jamon08 Inactive Thread Starter

    Joined:
    2007/09/08
    Messages:
    85
    Likes Received:
    0
    Hi Juliet

    Machine has been running sweet ever since about your 3rd post.
    A bit gutted to see the Panda scan came up with over 50 baddies.
    Hopefully it's no biggie!!

    Logs as requested...

    Logfile of Trend Micro HijackThis v2.0.2

    Scan saved at 8:07:32 p.m., on 14/10/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16705)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
    C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
    C:\WINDOWS\sm56hlpr.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\system32\sistray.exe
    C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
    C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\Trend Micro\HijackThis\hijackthis.exe
    C:\Program Files\Messenger\msmsgs.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://securityresponse.symantec.com/avcenter/fix_homepage
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://go.microsoft.com/fwlink/?LinkId=54843
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {2B20610F-D864-49E5-BE89-694B5379BE6B} - (no file)
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar5.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
    O2 - BHO: (no name) - {ECAEDF43-3386-4496-84E1-E552CC48ECB8} - (no file)
    O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar5.dll
    O4 - HKLM\..\Run: [LaunchApp] Alaunch
    O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe "
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe "
    O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll "
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe "
    O4 - HKLM\..\Run: [320d18a1] rundll32.exe "C:\WINDOWS\system32\ygmelsys.dll ",b
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKUS\S-1-5-18\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'Default user')
    O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\system32\sistray.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O14 - IERESET.INF: START_PAGE_URL=http://www.kol.co.nz
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.nl/scanforvirus-en/kavwebscan_unicode.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
    O16 - DPF: {96EEC7FF-106A-47F3-90D6-B4BB754AA40E} (POLi Pay Online) - https://nztxn.paywithpoli.com/ewcustomer/POLiPayOnline.cab
    O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} -
    O17 - HKLM\System\CCS\Services\Tcpip\..\{A4004673-4AD4-44AB-89BC-FCCC626FD816}: NameServer = 210.55.12.1 210.55.12.2
    O20 - Winlogon Notify: pmnmlljk - C:\WINDOWS\
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
    O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
    O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
    O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

    --
    End of file - 8323 bytes
     
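    As an added example that is not part of this thread, of HijackThis, or of any tool the helper uses: a small triage script that runs over a subset of the log lines posted above (plus a few benign entries) and flags the three kinds of entry the helper later asks to fix, orphaned BHOs, a Run value with a random 8-hex-digit name launching rundll32 on a random-named DLL in system32, and a Winlogon Notify subkey with a random name and an unresolved DLL path. The vowel-ratio heuristic and its threshold are assumptions, not anything HijackThis does.

```python
"""Triage a HijackThis log for Vundo/Virtumonde-style persistence entries.

Added example, not part of the original thread or of HijackThis. The
vowel-ratio "random name" heuristic and the 0.2 threshold are assumptions.
"""
import re
from typing import List, Tuple

# Constructed sample: O2/O4/O20 lines copied from the log in the thread,
# mixed with benign entries so the heuristics have something to pass.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2B20610F-D864-49E5-BE89-694B5379BE6B} - (no file)
O2 - BHO: (no name) - {ECAEDF43-3386-4496-84E1-E552CC48ECB8} - (no file)
O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [320d18a1] rundll32.exe "C:\WINDOWS\system32\ygmelsys.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - Winlogon Notify: pmnmlljk - C:\WINDOWS\
"""

# Line shapes HijackThis uses for the three item types we care about.
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")
O4_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\Run: \[(?P<key>[^\]]+)\] (?P<cmd>.*)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<sub>\S+) - (?P<path>.*)$")

# Vundo's Run value names were 8 random hex digits (the log shows [320d18a1]).
HEX_KEY_RE = re.compile(r"^[0-9a-f]{8}$")
# rundll32 loading a DLL straight out of system32 with a one-letter export/arg.
RUNDLL_RE = re.compile(
    r'rundll32\.exe\s+"?[^"]*\\system32\\(?P<dll>[a-z]+\.dll)"?\s*,\s*\w', re.I
)


def looks_random(name: str, max_vowel_ratio: float = 0.2) -> bool:
    """Crude entropy proxy (assumption): a long all-letter token with almost
    no vowels, e.g. 'pmnmlljk' or 'ygmelsys'. Only applied to names that are
    already in a suspicious position, so normal names rarely reach it."""
    stem = name.lower().rsplit(".", 1)[0]
    if not stem.isalpha() or len(stem) < 6:
        return False
    vowels = sum(ch in "aeiou" for ch in stem)
    return vowels / len(stem) <= max_vowel_ratio


def triage(log: str) -> List[Tuple[str, str]]:
    """Return (item, reason) pairs for entries worth a closer look."""
    findings: List[Tuple[str, str]] = []
    for raw in log.splitlines():
        line = raw.strip()
        if m := O2_RE.match(line):
            # A BHO whose CLSID is registered but whose file is gone is a
            # leftover that should be removed, not a live component.
            if m["path"].strip() == "(no file)":
                findings.append((f"O2 {{{m['clsid']}}}",
                                 "BHO registered but backing file missing (orphan)"))
        elif m := O4_RE.match(line):
            key, cmd = m["key"], m["cmd"]
            reasons = []
            if HEX_KEY_RE.match(key):
                reasons.append("8-hex-digit Run value name")
            dll = RUNDLL_RE.search(cmd)
            if dll and looks_random(dll["dll"]):
                reasons.append(f"rundll32 loads random-looking {dll['dll']} from system32")
            if reasons:
                findings.append((f"O4 [{key}]", "; ".join(reasons)))
        elif m := O20_RE.match(line):
            sub, path = m["sub"], m["path"].strip()
            reasons = []
            if looks_random(sub):
                reasons.append("random-looking Winlogon Notify subkey")
            if not path.lower().endswith(".dll"):
                # HijackThis could not resolve the DLL; only the directory shows.
                reasons.append("DLL path not resolved (target is a directory)")
            if reasons:
                findings.append((f"O20 {sub}", "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    for item, reason in triage(SAMPLE_LOG):
        print(f"{item:50} {reason}")
```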
  2. 2008/10/14
    jamon08

    Part 3


    ;***********************************************************************************************************************************************************************************
    ANALYSIS: 2008-10-14 19:58:11
    PROTECTIONS: 1
    MALWARE: 18
    SUSPECTS: 2
    ;***********************************************************************************************************************************************************************************
    PROTECTIONS
    Description Version Active Updated
    ;===================================================================================================================================================================================
    Norton Antivirus 2007 12.8.0.4 No Yes
    ;===================================================================================================================================================================================
    MALWARE
    Id Description Type Active Severity Disinfectable Disinfected Location
    ;===================================================================================================================================================================================
    00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Documents and Settings\DAD\Cookies\dad@atdmt[1].txt
    00145731 Cookie/Tribalfusion TrackingCookie No 0 Yes No C:\Documents and Settings\DAD\Cookies\dad@tribalfusion[2].txt
    00397125 Spyware/Virtumonde Spyware No 1 Yes No C:\System Volume Information\_restore{1A2FE54D-9D26-4B44-ADCA-479EBEE5A642}\RP1\A0000106.DLL
    00397125 Spyware/Virtumonde Spyware No 1 Yes No C:\System Volume Information\_restore{1A2FE54D-9D26-4B44-ADCA-479EBEE5A642}\RP1\A0000105.DLL
    00399487 Spyware/Virtumonde Spyware No 1 Yes No C:\System Volume Information\_restore{1A2FE54D-9D26-4B44-ADCA-479EBEE5A642}\RP1\A0000107.DLL
    00399487 Spyware/Virtumonde Spyware No 1 Yes No C:\System Volume Information\_restore{1A2FE54D-9D26-4B44-ADCA-479EBEE5A642}\RP1\A0000101.DLL
    00399487 Spyware/Virtumonde Spyware No 1 Yes No C:\System Volume Information\_restore{1A2FE54D-9D26-4B44-ADCA-479EBEE5A642}\RP1\A0000102.DLL
    00399487 Spyware/Virtumonde Spyware No 1 Yes No C:\System Volume Information\_restore{1A2FE54D-9D26-4B44-ADCA-479EBEE5A642}\RP1\A0000103.DLL
    00399487 Spyware/Virtumonde Spyware No 1 Yes No C:\System Volume Information\_restore{1A2FE54D-9D26-4B44-ADCA-479EBEE5A642}\RP1\A0000104.DLL
    00399487 Spyware/Virtumonde Spyware No 1 Yes No C:\System Volume Information\_restore{1A2FE54D-9D26-4B44-ADCA-479EBEE5A642}\RP1\A0000119.DLL
    00403127 Spyware/Virtumonde Spyware No 1 Yes No C:\System Volume Information\_restore{1A2FE54D-9D26-4B44-ADCA-479EBEE5A642}\RP2\A0000497.DLL
    00403127 Spyware/Virtumonde Spyware No 1 Yes No C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\vuyees.dll.vir
    00403127 Spyware/Virtumonde Spyware No 1 Yes No C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\fajldpyi.dll.vir
    00403127 Spyware/Virtumonde Spyware No 1 Yes No C:\System Volume Information\_restore{1A2FE54D-9D26-4B44-ADCA-479EBEE5A642}\RP2\A0000480.DLL
    00403171 Spyware/Virtumonde Spyware No 1 Yes No C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\ugldmuwx.dll.vir
    00403171 Spyware/Virtumonde Spyware No 1 Yes No C:\System Volume Information\_restore{1A2FE54D-9D26-4B44-ADCA-479EBEE5A642}\RP2\A0000495.DLL
    00403845 Spyware/Virtumonde Spyware No 1 Yes No C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\kkhkth.dll.vir
    00403845 Spyware/Virtumonde Spyware No 1 Yes No C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\wdhhcoao.dll.vir
    00403845 Spyware/Virtumonde Spyware No 1 Yes No C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\yxdpgx.dll.vir
    00403845 Spyware/Virtumonde Spyware No 1 Yes No C:\System Volume Information\_restore{1A2FE54D-9D26-4B44-ADCA-479EBEE5A642}\RP2\A0000498.DLL
    00403845 Spyware/Virtumonde Spyware No 1 Yes No C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\sjrehsyq.dll.vir
    00403845 Spyware/Virtumonde Spyware No 1 Yes No C:\System Volume Information\_restore{1A2FE54D-9D26-4B44-ADCA-479EBEE5A642}\RP2\A0000501.DLL
    00403845 Spyware/Virtumonde Spyware No 1 Yes No C:\System Volume Information\_restore{1A2FE54D-9D26-4B44-ADCA-479EBEE5A642}\RP2\A0000492.DLL
    00403845 Spyware/Virtumonde Spyware No 1 Yes No C:\System Volume Information\_restore{1A2FE54D-9D26-4B44-ADCA-479EBEE5A642}\RP2\A0000486.DLL
    00404328 Spyware/Virtumonde Spyware No 1 Yes No C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\jkkHwxYO.dll.vir
    00404328 Spyware/Virtumonde Spyware No 1 Yes No C:\System Volume Information\_restore{1A2FE54D-9D26-4B44-ADCA-479EBEE5A642}\RP2\A0000484.DLL
    00411976 Spyware/Virtumonde Spyware No 1 Yes No C:\System Volume Information\_restore{1A2FE54D-9D26-4B44-ADCA-479EBEE5A642}\RP2\A0000493.DLL
    00411976 Spyware/Virtumonde Spyware No 1 Yes No C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\slkyzs.dll.vir
    00411976 Spyware/Virtumonde Spyware No 1 Yes No C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\rewjclog.dll.vir
    00411976 Spyware/Virtumonde Spyware No 1 Yes No C:\System Volume Information\_restore{1A2FE54D-9D26-4B44-ADCA-479EBEE5A642}\RP2\A0000490.DLL
    01185375 Application/Psexec.A HackTools No 0 Yes No C:\System Volume Information\_restore{1A2FE54D-9D26-4B44-ADCA-479EBEE5A642}\RP5\A0000959.EXE
    01895148 Malicious Packer SecRisk No 0 Yes No C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\gmwehhah.dll.vir
    01895148 Malicious Packer SecRisk No 0 Yes No C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\rowsokyw.dll.vir
    01895148 Malicious Packer SecRisk No 0 Yes No C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\ykkqngeg.dll.vir
    01895148 Malicious Packer SecRisk No 0 Yes No C:\System Volume Information\_restore{1A2FE54D-9D26-4B44-ADCA-479EBEE5A642}\RP5\A0000930.DLL
    01895148 Malicious Packer SecRisk No 0 Yes No C:\System Volume Information\_restore{1A2FE54D-9D26-4B44-ADCA-479EBEE5A642}\RP5\A0000931.DLL
    01895148 Malicious Packer SecRisk No 0 Yes No C:\System Volume Information\_restore{1A2FE54D-9D26-4B44-ADCA-479EBEE5A642}\RP5\A0000932.DLL
    01895148 Malicious Packer SecRisk No 0 Yes No C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\yyhvhiwe.dll.vir
    01895148 Malicious Packer SecRisk No 0 Yes No C:\System Volume Information\_restore{1A2FE54D-9D26-4B44-ADCA-479EBEE5A642}\RP5\A0000934.DLL
    01895148 Malicious Packer SecRisk No 0 Yes No C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\sdhcpytc.dll.vir
    01895148 Malicious Packer SecRisk No 0 Yes No C:\System Volume Information\_restore{1A2FE54D-9D26-4B44-ADCA-479EBEE5A642}\RP5\A0000933.DLL
    02885963 Rootkit/Booto.C Virus/Worm No 0 Yes Yes C:\System Volume Information\_restore{1A2FE54D-9D26-4B44-ADCA-479EBEE5A642}\RP5\A0000940.SYS
    03738686 Generic Malware Virus/Trojan No 0 No No C:\Documents and Settings\DAD\Desktop\ComboFix.exe[32788R22FWJFW\catchme.cfexe]
    03738686 Generic Malware Virus/Trojan No 0 No No C:\System Volume Information\_restore{1A2FE54D-9D26-4B44-ADCA-479EBEE5A642}\RP3\A0000850.EXE[32788R22FWJFW\catchme.cfexe]
    03800512 Generic Malware Virus/Trojan No 0 Yes Yes C:\System Volume Information\_restore{1A2FE54D-9D26-4B44-ADCA-479EBEE5A642}\RP1\A0000275.DLL
    03800512 Generic Malware Virus/Trojan No 0 Yes Yes C:\System Volume Information\_restore{1A2FE54D-9D26-4B44-ADCA-479EBEE5A642}\RP1\A0000276.DLL
    03800512 Generic Malware Virus/Trojan No 0 Yes Yes C:\System Volume Information\_restore{1A2FE54D-9D26-4B44-ADCA-479EBEE5A642}\RP1\A0000272.DLL
    03800512 Generic Malware Virus/Trojan No 0 Yes Yes C:\System Volume Information\_restore{1A2FE54D-9D26-4B44-ADCA-479EBEE5A642}\RP1\A0000273.DLL
    03800512 Generic Malware Virus/Trojan No 0 Yes Yes C:\System Volume Information\_restore{1A2FE54D-9D26-4B44-ADCA-479EBEE5A642}\RP1\A0000277.DLL
    03800512 Generic Malware Virus/Trojan No 0 Yes Yes C:\System Volume Information\_restore{1A2FE54D-9D26-4B44-ADCA-479EBEE5A642}\RP1\A0000274.DLL
    03830090 Spyware/Virtumonde Spyware No 1 Yes No C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\iiedhcyh.dll.vir
    03830090 Spyware/Virtumonde Spyware No 1 Yes No C:\System Volume Information\_restore{1A2FE54D-9D26-4B44-ADCA-479EBEE5A642}\RP2\A0000483.DLL
    03830090 Spyware/Virtumonde Spyware No 1 Yes No C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\vlpqoniq.dll.vir
    03830090 Spyware/Virtumonde Spyware No 1 Yes No C:\System Volume Information\_restore{1A2FE54D-9D26-4B44-ADCA-479EBEE5A642}\RP2\A0000496.DLL
    03858066 Trj/Downloader.MDW Virus/Trojan No 1 Yes Yes C:\System Volume Information\_restore{1A2FE54D-9D26-4B44-ADCA-479EBEE5A642}\RP1\A0000279.DLL
    03858066 Trj/Downloader.MDW Virus/Trojan No 1 Yes Yes C:\System Volume Information\_restore{1A2FE54D-9D26-4B44-ADCA-479EBEE5A642}\RP1\A0000278.DLL
    03858844 Spyware/Virtumonde Spyware No 1 Yes No C:\System Volume Information\_restore{1A2FE54D-9D26-4B44-ADCA-479EBEE5A642}\RP1\A0000094.DLL
    03860575 Spyware/Virtumonde Spyware No 1 Yes No C:\System Volume Information\_restore{1A2FE54D-9D26-4B44-ADCA-479EBEE5A642}\RP1\A0000088.DLL
    ;===================================================================================================================================================================================
    SUSPECTS
    Sent Location X
    ;===================================================================================================================================================================================
    No C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\awwioihu.dll.vir X
    No C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\ghexqe.dll.vir X
    ;===================================================================================================================================================================================
    VULNERABILITIES
    Id Severity Description X
    ;===================================================================================================================================================================================
    ;===================================================================================================================================================================================
     


  4. 2008/10/14
    jamon08

    Part 3

    ComboFix 08-10-12.01 - DAD 2008-10-14 18:12:19.2
    - FAT32x86
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.47 [GMT 13:00]
    Running from: C:\Documents and Settings\DAD\Desktop\ComboFix.exe
    Command switches used :: C:\Documents and Settings\DAD\Desktop\CFScript.txt
    * Created a new restore point

    FILE ::
    C:\WINDOWS\system32\gmwehhah.dll
    C:\WINDOWS\system32\rowsokyw.dll
    C:\WINDOWS\system32\sdhcpytc.dll
    C:\WINDOWS\system32\ygmelsys.dll
    C:\WINDOWS\system32\ykkqngeg.dll
    C:\WINDOWS\system32\yyhvhiwe.dll
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\Temp\mtc2
    C:\WINDOWS\system32\gmwehhah.dll
    C:\WINDOWS\system32\mC02
    C:\WINDOWS\system32\rowsokyw.dll
    C:\WINDOWS\system32\sdhcpytc.dll
    C:\WINDOWS\system32\ykkqngeg.dll
    C:\WINDOWS\system32\yyhvhiwe.dll

    .
    ((((((((((((((((((((((((( Files Created from 2008-09-14 to 2008-10-14 )))))))))))))))))))))))))))))))
    .

    2008-10-13 21:02 . 2008-10-13 21:02 <DIR> d-------- C:\WINDOWS\system32\CatRoot_bak
    2008-10-13 18:34 . 2008-10-13 18:34 <DIR> d-------- C:\_OTMoveIt
    2008-10-13 03:10 . 2008-10-13 03:10 <DIR> d-------- C:\Program Files\Panda Security
    2008-10-13 03:10 . 2008-06-19 17:24 28,544 --a------ C:\WINDOWS\system32\drivers\pavboot.sys
    2008-10-13 02:48 . 2008-10-13 02:48 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
    2008-10-13 02:48 . 2008-10-13 02:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
    2008-10-12 14:23 . 2008-10-12 14:23 <DIR> d-------- C:\Documents and Settings\DAD\Application Data\Malwarebytes
    2008-10-12 14:22 . 2008-10-12 14:22 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
    2008-10-12 14:22 . 2008-10-12 14:22 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
    2008-10-12 14:22 . 2008-09-10 00:04 38,528 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
    2008-10-12 14:22 . 2008-09-10 00:03 17,200 --a------ C:\WINDOWS\system32\drivers\mbam.sys
    2008-10-11 17:14 . 2008-10-11 17:14 <DIR> d-------- C:\rsit
    2008-10-08 19:41 . 2008-10-14 17:23 2,432 --a------ C:\logfile
    2008-10-02 18:01 . 2008-10-02 18:01 <DIR> d--hs---- C:\FOUND.009
    2008-10-02 06:16 . 2008-10-03 10:51 153 --a------ C:\WINDOWS\wininit.ini
    2008-09-30 19:39 . 2008-09-30 19:39 <DIR> d--hs---- C:\FOUND.008
    2008-09-28 19:56 . 2008-09-28 19:56 <DIR> d--hs---- C:\FOUND.007
    2008-09-28 14:22 . 2008-09-28 14:22 <DIR> d-------- C:\Temp
    2008-09-24 15:49 . 2008-09-24 15:49 <DIR> d-------- C:\WINDOWS\UbiSoft
    2008-09-18 14:15 . 2008-09-18 14:15 <DIR> d-------- C:\Program Files\Common Files\Adobe AIR
    2008-09-18 14:13 . 2008-09-18 14:13 <DIR> d-------- C:\Program Files\Common Files\Adobe
    2008-09-18 11:53 . 2008-09-18 11:53 <DIR> d-------- C:\Program Files\NOS
    2008-09-18 11:53 . 2008-09-18 11:53 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\NOS

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-09-12 06:28 --------- d-----w C:\Documents and Settings\DAD\Application Data\Big Fish Games
    2008-07-18 09:10 94,920 ----a-w C:\WINDOWS\system32\dllcache\cdm.dll
    2008-07-18 09:10 94,920 ----a-w C:\WINDOWS\system32\cdm.dll
    2008-07-18 09:10 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe
    2008-07-18 09:10 53,448 ----a-w C:\WINDOWS\system32\dllcache\wuauclt.exe
    2008-07-18 09:10 45,768 ----a-w C:\WINDOWS\system32\wups2.dll
    2008-07-18 09:10 36,552 ----a-w C:\WINDOWS\system32\wups.dll
    2008-07-18 09:10 36,552 ----a-w C:\WINDOWS\system32\dllcache\wups.dll
    2008-07-18 09:09 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll
    2008-07-18 09:09 563,912 ----a-w C:\WINDOWS\system32\dllcache\wuapi.dll
    2008-07-18 09:09 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll
    2008-07-18 09:09 325,832 ----a-w C:\WINDOWS\system32\dllcache\wucltui.dll
    2008-07-18 09:09 205,000 ----a-w C:\WINDOWS\system32\wuweb.dll
    2008-07-18 09:09 205,000 ----a-w C:\WINDOWS\system32\dllcache\wuweb.dll
    2008-07-18 09:09 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll
    2008-07-18 09:09 1,811,656 ----a-w C:\WINDOWS\system32\dllcache\wuaueng.dll
    2007-12-26 06:40 4,862,248 ----a-w C:\Program Files\LimeWireWin.exe
    2007-04-08 01:38 5,640,784 ----a-w C:\Program Files\winamp52_full.exe
    .

    ((((((((((((((((((((((((((((( snapshot@2008-10-13_19.50.28.03 )))))))))))))))))))))))))))))))))))))))))
    .
    - 2007-03-15 05:19:28 1,476,992 ----a-w C:\WINDOWS\system32\LegitCheckControl.dll
    + 2008-03-20 05:06:36 1,480,232 ----a-w C:\WINDOWS\system32\LegitCheckControl.dll
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "swg "= "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-30 68856]
    "ctfmon.exe "= "C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15360]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "LaunchApp "= "Alaunch" [X]
    "ccApp "= "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2008-01-08 53096]
    "SunJavaUpdateSched "= "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
    "Symantec PIF AlertEng "= "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-29 583048]
    "Adobe Reader Speed Launcher "= "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
    "SiSPower "= "SiSPower.dll" [2005-07-13 C:\WINDOWS\system32\SiSPower.dll]
    "SoundMan "= "SOUNDMAN.EXE" [2005-12-14 C:\WINDOWS\soundman.exe]
    "SMSERIAL "= "sm56hlpr.exe" [2005-06-06 C:\WINDOWS\sm56hlpr.exe]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "MSMSGS "= "C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 1694208]
    "ctfmon.exe "= "C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15360]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Utility Tray.lnk - C:\WINDOWS\system32\sistray.exe [2006-02-15 262144]
    Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-18 65588]
    Kodak EasyShare software.lnk - C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2007-09-19 282624]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pmnmlljk]
    [BU]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "VIDC.SP55 "= SP5X_32.DLL
    "VIDC.SP56 "= SP5X_32.DLL
    "VIDC.SP57 "= SP5X_32.DLL
    "VIDC.SP58 "= SP5X_32.DLL

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusDisableNotify "=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring "=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring "=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall "= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "C:\\WINDOWS\\System32\\lexpps.exe "=
    "C:\\WINDOWS\\System32\\dpvsetup.exe "=
    "C:\\WINDOWS\\system32\\sessmgr.exe "=
    "C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe "=
    "C:\\Program Files\\Messenger\\MSMSGS.EXE "=
    "C:\\Program Files\\LimeWire\\LimeWire.exe "=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "4970:UDP "= 4970:UDP:Windows Media Format SDK (IEXPLORE.EXE)
    "4971:UDP "= 4971:UDP:Windows Media Format SDK (IEXPLORE.EXE)
    "4973:UDP "= 4973:UDP:Windows Media Format SDK (IEXPLORE.EXE)

    R0 pavboot;pavboot;C:\WINDOWS\system32\drivers\pavboot.sys [2008-06-19 28544]
    S2 Ca533av;Icatch(IV) Video Camera Device;C:\WINDOWS\system32\Drivers\Ca533av.sys [ ]
    S3 USBCamera;Icatch(IV) Still Camera Device;C:\WINDOWS\system32\Drivers\Bulk533.sys [ ]
    S3 USBSHGX;SHARP GSM GPRS USB Driver 2.0.0;C:\WINDOWS\system32\DRIVERS\usbgx_2.sys [2004-03-25 24144]
    .
    Contents of the 'Scheduled Tasks' folder

    2008-10-03 C:\WINDOWS\Tasks\Norton AntiVirus - Run Full System Scan - DAD.job
    - C:\PROGRA~1\NORTON~1\Navw32.exe [2007-05-23 12:13]
    .
    - - - - ORPHANS REMOVED - - - -

    BHO-{2B20610F-D864-49E5-BE89-694B5379BE6B} - (no file)
    BHO-{ECAEDF43-3386-4496-84E1-E552CC48ECB8} - (no file)



    **************************************************************************

    catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-10-14 18:17:56
    Windows 5.1.2600 Service Pack 2 FAT NTAPI

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    ------------------------ Other Running Processes ------------------------
    .
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
    C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    C:\WINDOWS\system32\imapi.exe
    .
    **************************************************************************
    .
    Completion time: 2008-10-14 18:23:19 - machine was rebooted [DAD]
    ComboFix-quarantined-files.txt 2008-10-14 05:22:50
    ComboFix2.txt 2008-10-13 06:51:36

    Pre-Run: 27,796,242,432 bytes free
    Post-Run: 27,791,360,000 bytes free

    171 --- E O F --- 2008-09-10 07:03:48
     
  5. 2008/10/14
    jamon08

    I noticed that you have asked me to fix this a couple of times....

    Whenever I do a boot I always get this error at startup.

    Does this mean anything to our problem?

    cheers, j :)
     
  6. 2008/10/14
    Juliet

    Juliet Well-Known Member

    Joined:
    2008/09/15
    Messages:
    976
    Likes Received:
    6
    It's not, it's bad files held in quarantine and system restore points and we're about to take care of that now.

    Print this topic or save to notepad, it will make it easier for you to follow the instructions and complete all of the necessary steps as we will need to close every window that is open later in the fix.


    Download ResetTeaTimer.bat http://downloads.subratam.org/ResetTeaTimer.bat
    by right-clicking on the link, and choosing Save As. Save it to your desktop, or
    somewhere you can find it easily.
    Double click ResetTeaTimer.bat to remove all entries set by TeaTimer.

    # Open Spybot Search & Destroy.
    # In the Mode menu click "Advanced mode" if not already selected.
    # Choose "Yes" at the Warning prompt.
    # Expand the "Tools" menu.
    # Click "Resident".
    # Uncheck the "Resident 'TeaTimer' (Protection of overall system settings) active." box.
    # In the File menu click "Exit" to exit Spybot Search & Destroy.

    * See this link for a tutorial http://russelltexas.com/malware/teatimer.htm



    NEXT**
    Please then reboot your computer in Safe Mode by doing the following:
    • Restart your computer
    • After hearing your computer beep once during startup, but before the Windows
      icon appears, tap the F8 key continually;
    • Instead of Windows loading as normal, the Advanced Options Menu should appear;
    • Select the first option, to run Windows in Safe Mode, then press Enter.
    • Choose your usual account.

    Open HijackThis, click Do a system scan only, checkmark these (if found). Then close all other windows and browsers except HijackThis and press Fix checked.

    O2 - BHO: (no name) - {2B20610F-D864-49E5-BE89-694B5379BE6B} - (no file)
    O2 - BHO: (no name) - {ECAEDF43-3386-4496-84E1-E552CC48ECB8} - (no file)
    O4 - HKLM\..\Run: [320d18a1] rundll32.exe "C:\WINDOWS\system32\ygmelsys.dll",b


    The following are not necessarily spyware/malware, but we suggest you place a check mark next to the following entries, as these programs may be taking up system resources.

    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    (Description: System Tray icon for the Realtek AC97 Audio Sound Manager for AC97 onboard audio. Available via Start -> Settings-> Control Panel. Removing this entry will free up a small amount of system resources. )

    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
    (Description: Sun Java update scheduler. Checks for updates. Not necessary. Removing this entry will free up a small amount of system resources.)

    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
    (Description: Adobe reader startup - unnecessarily uses system resources.)

    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    (Description: Microsoft Office Startup Assistant. This program loads some Microsoft Office components into memory, even if you're not currently using MS Office. Removing this unnecessary program will free up a considerable amount of system resources.)

    Next, launch Notepad (Start > Run, type in: notepad) and copy and paste the text in the CODE box below into it:
    (don't forget to copy and paste REGEDIT4)
    Code:
    REGEDIT4
    
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pmnmlljk]
    
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "320d18a1"=-
    Save this as fix.reg and change the "Save as type" to "All Files" and place it on your desktop.
    Double-click on it and when it asks you if you want to merge the contents to the registry, click "Yes" or "OK". You should receive a message that it was successful. You may delete the file afterwards.


    Now please reboot your machine, and tell me if the error message still appears.

    Don't miss or skip this next step: this will remove the bad files from quarantine, clear the System Restore cache and create a new restore point.

    • Click START then RUN
    • Now type Combofix /u in the runbox and click OK. Note the space between the x and the /u, it needs to be there.

    Next open OTMoveIt, then click on "CleanUp!".
    If you receive a warning from your Firewall, please allow it.
    In the left pane, it will display a list of tools and other related files which you may have downloaded/used during our cleanup + backup folders that were created with the bad files present.
    They are not needed anymore, so OTMoveIt will delete them.
    Do not edit anything in that Window!
    Don't worry if it displays some tools you didn't download/use.
    Click Yes when it asks to Begin cleanup process.
    Then reboot your computer.


    Please post back and let me know what issues remain.
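    The fix.reg above deletes one Winlogon\Notify subkey and one Run value. As an added example (not part of this thread and not a tool the helpers used), the script below parses a REGEDIT4-style .reg file and lists the operations it would perform without touching the registry, so a fix can be reviewed before it is merged. The sample input is a constructed copy of the fix posted above; the lint check flags two things a reviewer cares about: value names with stray whitespace (which silently fail to match anything) and deletions under autostart locations.

```python
"""Preview what a REGEDIT4 / "Windows Registry Editor Version 5.00" file does.

Recognised constructs (the ones used by typical removal fixes):
  [KEY]          create or open a key
  [-KEY]         delete a key and everything under it
  "name"=-       delete a value under the current key
  "name"="data"  set a string value  (other data types are reported undecoded)
  @="data"       set the key's default value
Nothing here writes to the registry; it only reports the operations.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample input: a copy of the fix.reg from the thread.
SAMPLE_FIX = r'''REGEDIT4

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pmnmlljk]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"320d18a1"=-
'''

# Locations that control what runs at logon; deletions here deserve a second look.
AUTOSTART_MARKERS = (r"\currentversion\run", r"\currentversion\runonce", r"\winlogon\notify")

_HEADERS = ("REGEDIT4", "Windows Registry Editor Version 5.00")
_KEY_RE = re.compile(r'^\[(-?)(.+)\]$')
_VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|(@))=(.*)$')


@dataclass(frozen=True)
class RegOp:
    action: str                  # delete_key | create_key | delete_value | set_value
    key: str
    value: Optional[str] = None  # value name; "@" means the default value
    data: Optional[str] = None


def parse_reg(text: str) -> List[RegOp]:
    """Turn the .reg text into a list of RegOp in file order."""
    lines = text.splitlines()
    if not lines or lines[0].strip() not in _HEADERS:
        raise ValueError("missing REGEDIT4 / Windows Registry Editor header")
    ops: List[RegOp] = []
    current_key: Optional[str] = None
    for raw in lines[1:]:
        line = raw.strip()
        if not line or line.startswith(";"):      # blank lines and comments
            continue
        m = _KEY_RE.match(line)
        if m:
            minus, key = m.groups()
            current_key = key
            ops.append(RegOp("delete_key" if minus else "create_key", key))
            continue
        m = _VALUE_RE.match(line)
        if m:
            if current_key is None:
                raise ValueError(f"value line before any key: {line!r}")
            name = "@" if m.group(2) else m.group(1)
            rhs = m.group(3).strip()
            if rhs == "-":
                ops.append(RegOp("delete_value", current_key, name))
            elif len(rhs) >= 2 and rhs.startswith('"') and rhs.endswith('"'):
                ops.append(RegOp("set_value", current_key, name, rhs[1:-1]))
            else:                                  # dword:, hex:, ... left undecoded
                ops.append(RegOp("set_value", current_key, name, rhs))
            continue
        raise ValueError(f"unrecognised line: {line!r}")
    return ops


def lint(ops: List[RegOp]) -> List[str]:
    """Return review notes: whitespace-padded value names and autostart deletions."""
    notes = []
    for op in ops:
        if op.value is not None and op.value != op.value.strip():
            notes.append(f"value name {op.value!r} has leading/trailing whitespace; "
                         "the merge will not match the intended value")
        if op.action in ("delete_key", "delete_value") and \
                any(marker in op.key.lower() for marker in AUTOSTART_MARKERS):
            notes.append(f"{op.action} touches an autostart location: {op.key}")
    return notes


def describe(ops: List[RegOp]) -> List[str]:
    """Human-readable one-liner per operation."""
    out = []
    for op in ops:
        line = f"{op.action:<12} {op.key}"
        if op.value is not None:
            line += f"  value={op.value!r}"
        if op.data is not None:
            line += f"  data={op.data!r}"
        out.append(line)
    return out


if __name__ == "__main__":
    parsed = parse_reg(SAMPLE_FIX)
    print("\n".join(describe(parsed)))
    print("\n".join("note: " + n for n in lint(parsed)))
```

    Run against the sample, it reports a delete_key for the Winlogon\Notify subkey and a delete_value for the Run entry, and lint flags both as autostart changes, which is exactly what this fix is meant to do. A value name copied with a trailing space (as forum software sometimes renders it) would instead produce a whitespace note, explaining why a merge that "succeeded" left the Run entry in place.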
     
  7. 2008/10/14
    jamon08

    jamon08 Inactive Thread Starter

    Joined:
    2007/09/08
    Messages:
    85
    Likes Received:
    0
    Hi Juliet,

    I think I am clean, all errors, shady web sites, virus warnings have all gone !!!

    What do ya reckon ?

    j
     
  8. 2008/10/14
    Juliet

    Juliet Well-Known Member

    Joined:
    2008/09/15
    Messages:
    976
    Likes Received:
    6
    I reckon you're good to go, good job!


    Below are recommendations to protect your computer.

    Please navigate to Microsoft Windows Updates and download all the "Critical Updates" for Windows.


    Firefox 3.0 The award-winning Web browser is now faster, more secure, and fully customizable to your online life. Firefox 3 adds powerful new features that make your online experience even better. It has more features and is a lot more secure than IE. It is a very easy and painless download and install, it will in no way interfere with IE, you can use them both.

    How to prevent Malware: Created by Miekiemoes

    Here are some additional utilities that will further enhance your safety.
    # http://www.trillian.cc → Trillian or http://www.miranda-im.com → Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)


    Read this article 'Safe Computing Practices'.
    So how did I get infected in the first place?

    Secure My Computer: A Layered Approach

    Strong passwords: How to create and use them

    Slow Computer? Check here first; it may not be malware
    http://www.castlecops.com/postitle175256-0-0-.html
    Free Antivirus-AntiSpyware-Firewall Software


    PC Safety and Security--What Do I Need?
    http://www.techsupportforum.com/sec...115548-pc-safety-security-what-do-i-need.html

    Stand Up and Be Counted ---> Malware Complaints <--- where you can make difference!
    This site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.
     
  9. 2008/10/14
    jamon08

    jamon08 Inactive Thread Starter

    Joined:
    2007/09/08
    Messages:
    85
    Likes Received:
    0
    Hi Juliet,
    Awesome job !!
    It's been great working with you, thank you for your time and patience, I will run through your last list of suggestions and I will try to surf safely.
    Once again to you and your team..
    Cheers
    j
     
  10. 2008/10/15
    Juliet

    Juliet Well-Known Member

    Joined:
    2008/09/15
    Messages:
    976
    Likes Received:
    6
    Glad we could help.
     
