nzoes New Member Date Joined Dec 2007 Total Posts : 4 Posted 12-19-2007 7:59 (GMT +1)
My computer has been acting odd as of late. I ran the anti-virus my company buys in bulk, Sophos Anti-Virus, and it found a program located in the system32 file called gebyw.dll and called it a Troj/Virtum-Gem. I had Sophos "clean-up" the file, but it was still there. After doing a little research I downloaded Avenger and attempted to remove the file. Every day the file shows up under a new name in the system32 file. The first three days I tried to remove it with Avenger, but it keeps coming back. I do not think I've properly downloaded Avenger; it is in a Windows /unzipped/Avenger file. I would like to get this little "gem" off my computer. I don't know how.
Thank you for your time,
Nastassia
Touch Forum Moderator Date Joined Jun 2004 Total Posts : 16319 Posted 12-20-2007 8:16 (GMT +1)
Hi Nastassia
After you have run the scan tools:
Reboot normally.
Post the HijackThis log along with the AVG Anti-Spyware log, C: Rootlog TXT, C: combofix txt in this topic.
Do NOT post your problem in someone else's thread.
nzoes New Member Date Joined Dec 2007 Total Posts : 4 Posted 1-3-2008 8:26 (GMT +1)
(second scan done)
---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------
+ Created at: 11:09:02 AM 1/3/2008
+ Scan result:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Outerinfo -> Adware.Generic : Ignored.
C:\Program Files\Common Files\Yazzle1281OinUninstaller.exe -> Not-A-Virus.Adware.PurityScan : Ignored.
C:\WINDOWS\system32\fccbcaw.dll -> Not-A-Virus.Adware.Virtumonde : Ignored.
C:\WINDOWS\system32\hggfcdd.dll -> Not-A-Virus.Adware.Virtumonde : Ignored.
C:\WINDOWS\system32\qomnkjk.dll -> Not-A-Virus.Adware.Virtumonde : Ignored.
C:\WINDOWS\system32\qomnmki.dll -> Not-A-Virus.Adware.Virtumonde : Ignored.
C:\WINDOWS\system32\tuvuvtq.dll -> Not-A-Virus.Adware.Virtumonde : Ignored.
C:\Documents and Settings\jmcmahon\Cookies\jmcmahon@247realmedia.txt -> TrackingCookie.247realmedia : Ignored.
:mozilla.11:C:\Documents and Settings\Administrator.UNMG-PDC\Application Data\Mozilla\Firefox\Profiles\phuaemut.default\cookies.txt -> TrackingCookie.2o7 : Ignored.
C:\Documents and Settings\jmcmahon\Cookies\jmcmahon@2o7.txt -> TrackingCookie.2o7 : Ignored.
C:\Documents and Settings\jmcmahon\Cookies\jmcmahon@amsterdamprinting.122.2o7.txt -> TrackingCookie.2o7 : Ignored.
C:\Documents and Settings\jmcmahon\Cookies\jmcmahon@honfurniture.122.2o7.txt -> TrackingCookie.2o7 : Ignored.
C:\Documents and Settings\jmcmahon\Cookies\jmcmahon@microsoftwlmailmkt.112.2o7.txt -> TrackingCookie.2o7 : Ignored.
C:\Documents and Settings\jmcmahon\Cookies\jmcmahon@msnportal.112.2o7.txt -> TrackingCookie.2o7 : Ignored.
C:\Documents and Settings\jmcmahon\Cookies\jmcmahon@quill.112.2o7.txt -> TrackingCookie.2o7 : Ignored.
C:\Documents and Settings\jmcmahon\Cookies\jmcmahon@waterfrontmedia.112.2o7.txt -> TrackingCookie.2o7 : Ignored.
C:\Documents and Settings\jmcmahon\Cookies\jmcmahon@adbrite.txt -> TrackingCookie.Adbrite : Ignored.
C:\Documents and Settings\jmcmahon\Cookies\jmcmahon@ads.addynamix.txt -> TrackingCookie.Addynamix : Ignored.
C:\Documents and Settings\jmcmahon\Cookies\jmcmahon@rotator.adjuggler.txt -> TrackingCookie.Adjuggler : Ignored.
:mozilla.10:C:\Documents and Settings\Administrator.UNMG-PDC\Application Data\Mozilla\Firefox\Profiles\phuaemut.default\cookies.txt -> TrackingCookie.Adobe : Ignored.
:mozilla.12:C:\Documents and Settings\Administrator.UNMG-PDC\Application Data\Mozilla\Firefox\Profiles\phuaemut.default\cookies.txt -> TrackingCookie.Adobe : Ignored.
C:\Documents and Settings\jmcmahon\Cookies\jmcmahon@www.adobe.txt -> TrackingCookie.Adobe : Ignored.
C:\Documents and Settings\jmcmahon\Cookies\jmcmahon@adrevolver.txt -> TrackingCookie.Adrevolver : Ignored.
C:\Documents and Settings\jmcmahon\Cookies\jmcmahon@media.adrevolver.txt -> TrackingCookie.Adrevolver : Ignored.
C:\Documents and Settings\jmcmahon\Cookies\jmcmahon@adtech.txt -> TrackingCookie.Adtech : Ignored.
C:\Documents and Settings\jbitsoie\Cookies\jbitsoie@advertising.txt -> TrackingCookie.Advertising : Ignored.
C:\Documents and Settings\jib\Cookies\jib@advertising.txt -> TrackingCookie.Advertising : Ignored.
C:\Documents and Settings\jib\Cookies\jib@servedby.advertising.txt -> TrackingCookie.Advertising : Ignored.
C:\Documents and Settings\jmcmahon\Cookies\jmcmahon@advertising.txt -> TrackingCookie.Advertising : Ignored.
C:\Documents and Settings\jbitsoie\Cookies\jbitsoie@atdmt.txt -> TrackingCookie.Atdmt : Ignored.
C:\Documents and Settings\jmcmahon\Cookies\jmcmahon@atdmt.txt -> TrackingCookie.Atdmt : Ignored.
C:\Documents and Settings\labuser\Cookies\labuser@atdmt.txt -> TrackingCookie.Atdmt : Ignored.
C:\Documents and Settings\jmcmahon\Cookies\jmcmahon@bluestreak.txt -> TrackingCookie.Bluestreak : Ignored.
C:\Documents and Settings\jmcmahon\Cookies\jmcmahon@ads.bridgetrack.txt -> TrackingCookie.Bridgetrack : Ignored.
C:\Documents and Settings\jmcmahon\Cookies\jmcmahon@burstnet.txt -> TrackingCookie.Burstnet : Ignored.
C:\Documents and Settings\jmcmahon\Cookies\jmcmahon@casalemedia.txt -> TrackingCookie.Casalemedia : Ignored.
C:\Documents and Settings\jib\Cookies\jib@data.coremetrics.txt -> TrackingCookie.Coremetrics : Ignored.
C:\Documents and Settings\jmcmahon\Cookies\jmcmahon@data.coremetrics.txt -> TrackingCookie.Coremetrics : Ignored.
C:\Documents and Settings\jib\Cookies\jib@doubleclick.txt -> TrackingCookie.Doubleclick : Ignored.
C:\Documents and Settings\jmcmahon\Cookies\jmcmahon@doubleclick.txt -> TrackingCookie.Doubleclick : Ignored.
C:\Documents and Settings\labuser\Cookies\labuser@doubleclick.txt -> TrackingCookie.Doubleclick : Ignored.
C:\Documents and Settings\jmcmahon\Cookies\jmcmahon@adopt.euroclick.txt -> TrackingCookie.Euroclick : Ignored.
C:\Documents and Settings\jmcmahon\Cookies\jmcmahon@as-eu.falkag.txt -> TrackingCookie.Falkag : Ignored.
C:\Documents and Settings\jbitsoie\Cookies\jbitsoie@fastclick.txt -> TrackingCookie.Fastclick : Ignored.
C:\Documents and Settings\jmcmahon\Cookies\jmcmahon@fastclick.txt -> TrackingCookie.Fastclick : Ignored.
C:\Documents and Settings\jbitsoie\Cookies\jbitsoie@findwhat.txt -> TrackingCookie.Findwhat : Ignored.
C:\Documents and Settings\jmcmahon\Cookies\jmcmahon@fortunecity.txt -> TrackingCookie.Fortunecity : Ignored.
C:\Documents and Settings\jmcmahon\Cookies\jmcmahon@ehg-groupernetworks.hitbox.txt -> TrackingCookie.Hitbox : Ignored.
C:\Documents and Settings\jmcmahon\Cookies\jmcmahon@ehg-nbif.hitbox.txt -> TrackingCookie.Hitbox : Ignored.
C:\Documents and Settings\jmcmahon\Cookies\jmcmahon@ehg-newegg.hitbox.txt -> TrackingCookie.Hitbox : Ignored.
C:\Documents and Settings\jmcmahon\Cookies\jmcmahon@ehg-paperdirect.hitbox.txt -> TrackingCookie.Hitbox : Ignored.
C:\Documents and Settings\jmcmahon\Cookies\jmcmahon@hitbox.txt -> TrackingCookie.Hitbox : Ignored.
C:\Documents and Settings\jmcmahon\Cookies\jmcmahon@phg.hitbox.txt -> TrackingCookie.Hitbox : Ignored.
C:\Documents and Settings\jmcmahon\Cookies\jmcmahon@counter.hitslink.txt -> TrackingCookie.Hitslink : Ignored.
C:\Documents and Settings\jmcmahon\Cookies\jmcmahon@sales.liveperson.txt -> TrackingCookie.Liveperson : Ignored.
C:\Documents and Settings\jmcmahon\Cookies\jmcmahon@server.iad.liveperson.txt -> TrackingCookie.Liveperson : Ignored.
C:\Documents and Settings\jmcmahon\Cookies\jmcmahon@mediaplex.txt -> TrackingCookie.Mediaplex : Ignored.
C:\Documents and Settings\jmcmahon\Cookies\jmcmahon@auto.search.msn.txt -> TrackingCookie.Msn : Ignored.
C:\Documents and Settings\jmcmahon\Cookies\jmcmahon@ie.search.msn.txt -> TrackingCookie.Msn : Ignored.
C:\Documents and Settings\jmcmahon\Cookies\jmcmahon@search.msn.txt -> TrackingCookie.Msn : Ignored.
:mozilla.14:C:\Documents and Settings\jmcmahon\Application Data\Mozilla\Firefox\Profiles\2p8ary9k.default\cookies.txt -> TrackingCookie.Netflame : Ignored.
C:\Documents and Settings\jmcmahon\Cookies\jmcmahon@overture.txt -> TrackingCookie.Overture : Ignored.
C:\Documents and Settings\jmcmahon\Cookies\jmcmahon@perf.overture.txt -> TrackingCookie.Overture : Ignored.
C:\Documents and Settings\jmcmahon\Cookies\jmcmahon@ads.pointroll.txt -> TrackingCookie.Pointroll : Ignored.
C:\Documents and Settings\jmcmahon\Cookies\jmcmahon@pro-market.txt -> TrackingCookie.Pro-market : Ignored.
C:\Documents and Settings\jmcmahon\Cookies\jmcmahon@questionmarket.txt -> TrackingCookie.Questionmarket : Ignored.
C:\Documents and Settings\jmcmahon\Cookies\jmcmahon@realmedia.txt -> TrackingCookie.Realmedia : Ignored.
C:\Documents and Settings\jmcmahon\Cookies\jmcmahon@stats1.reliablestats.txt -> TrackingCookie.Reliablestats : Ignored.
C:\Documents and Settings\jmcmahon\Cookies\jmcmahon@revsci.txt -> TrackingCookie.Revsci : Ignored.
C:\Documents and Settings\jmcmahon\Cookies\jmcmahon@edge.ru4.txt -> TrackingCookie.Ru4 : Ignored.
C:\Documents and Settings\jmcmahon\Cookies\jmcmahon@bs.serving-sys.txt -> TrackingCookie.Serving-sys : Ignored.
C:\Documents and Settings\jmcmahon\Cookies\jmcmahon@serving-sys.txt -> TrackingCookie.Serving-sys : Ignored.
C:\Documents and Settings\Administrator.UNMG-PDC\Cookies\administrator@statcounter.txt -> TrackingCookie.Statcounter : Ignored.
C:\Documents and Settings\jmcmahon\Cookies\jmcmahon@statcounter.txt -> TrackingCookie.Statcounter : Ignored.
C:\Documents and Settings\jmcmahon\Cookies\jmcmahon@anat.tacoda.txt -> TrackingCookie.Tacoda : Ignored.
C:\Documents and Settings\jmcmahon\Cookies\jmcmahon@tacoda.txt -> TrackingCookie.Tacoda : Ignored.
C:\Documents and Settings\jmcmahon\Cookies\jmcmahon@tradedoubler.txt -> TrackingCookie.Tradedoubler : Ignored.
C:\Documents and Settings\jmcmahon\Cookies\jmcmahon@trafficmp.txt -> TrackingCookie.Trafficmp : Ignored.
C:\Documents and Settings\jmcmahon\Cookies\jmcmahon@tribalfusion.txt -> TrackingCookie.Tribalfusion : Ignored.
C:\Documents and Settings\jmcmahon\Cookies\jmcmahon@reduxads.valuead.txt -> TrackingCookie.Valuead : Ignored.
C:\Documents and Settings\jmcmahon\Cookies\jmcmahon@valueclick.txt -> TrackingCookie.Valueclick : Ignored.
:mozilla.22:C:\Documents and Settings\Administrator.UNMG-PDC\Application Data\Mozilla\Firefox\Profiles\phuaemut.default\cookies.txt -> TrackingCookie.Webtrends : Ignored.
C:\Documents and Settings\Administrator.UNMG-PDC\Cookies\administrator@m.webtrends.txt -> TrackingCookie.Webtrends : Ignored.
C:\Documents and Settings\jmcmahon\Cookies\jmcmahon@m.webtrends.txt -> TrackingCookie.Webtrends : Ignored.
C:\Documents and Settings\jmcmahon\Cookies\jmcmahon@statse.webtrendslive.txt -> TrackingCookie.Webtrendslive : Ignored.
C:\Documents and Settings\jbitsoie\Cookies\jbitsoie@ad.yieldmanager.txt -> TrackingCookie.Yieldmanager : Ignored.
C:\Documents and Settings\jmcmahon\Cookies\jmcmahon@ad.yieldmanager.txt -> TrackingCookie.Yieldmanager : Ignored.
C:\Documents and Settings\jmcmahon\Cookies\jmcmahon@yieldmanager.txt -> TrackingCookie.Yieldmanager : Ignored.
C:\Documents and Settings\jmcmahon\Cookies\jmcmahon@zedo.txt -> TrackingCookie.Zedo : Ignored.
::Report end

HijackThis
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://my.unm.edu/cp/home/displaylogin
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gatewaybiz.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gatewaybiz.com
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [ShowWnd] ShowWnd.exe
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [Mixersel] C:\Program Files\Realtek\InstallShield\mixersel.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [80fb352f] rundll32.exe "C:\WINDOWS\system32\uthakhup.dll",b
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Global Startup: AutoUpdate Monitor.lnk = C:\Program Files\Sophos\AutoUpdate\ALMon.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O4 - Global Startup: Event Reminder.lnk = ?
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1125084573656
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1125085212453
O16 - DPF: {8601F281-659E-4336-900D-FEA0DD4ECF9E} (Reportctl Class) - https://compass.act.org/eCompass/controls/ReportCom.cab
O16 - DPF: {CAFECAFE-0013-0001-0017-ABCDEFABCDEF} (JInitiator 1.3.1.17) - https://www5.unm.edu/jinitiator/jinit.exe
O16 - DPF: {CAFECAFE-0013-0001-0018-ABCDEFABCDEF} (JInitiator 1.3.1.18) -
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = gallup.unm.edu
O17 - HKLM\Software\..\Telephony: DomainName = gallup.unm.edu
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = gallup.unm.edu
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = gallup.unm.edu
O20 - AppInit_DLLs: C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Sophos Anti-Virus status reporter (SAVAdminService) - Sophos Plc - C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
O23 - Service: Sophos Anti-Virus (SAVService) - Sophos Plc - C:\Program Files\Sophos\Sophos Anti-Virus\SavService.exe
O23 - Service: Sophos Agent - Unknown owner - C:\Program Files\Sophos\Remote Management System\ManagementAgentNT.exe" -service -name Agent (file missing)
O23 - Service: Sophos AutoUpdate Service - Sophos Plc - C:\Program Files\Sophos\AutoUpdate\ALsvc.exe
O23 - Service: Sophos Message Router - Unknown owner - C:\Program Files\Sophos\Remote Management System\RouterNT.exe" -service -name Router -ORBListenEndpoints iiop://:8193/ssl_port=8194 (file missing)
nzoes New Member Date Joined Dec 2007 Total Posts : 4 Posted 1-4-2008 8:06 (GMT +1)
logs of Friday at noon
---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------
+ Created at: 10:03:54 AM 1/4/2008
+ Scan result:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Outerinfo -> Adware.Generic : Ignored.
C:\Program Files\Common Files\Yazzle1281OinUninstaller.exe -> Not-A-Virus.Adware.PurityScan : Ignored.
C:\WINDOWS\system32\fccbcaw.dll -> Not-A-Virus.Adware.Virtumonde : Ignored.
C:\WINDOWS\system32\hggfcdd.dll -> Not-A-Virus.Adware.Virtumonde : Ignored.
C:\WINDOWS\system32\qomnkjk.dll -> Not-A-Virus.Adware.Virtumonde : Ignored.
C:\WINDOWS\system32\qomnmki.dll -> Not-A-Virus.Adware.Virtumonde : Ignored.
C:\WINDOWS\system32\tuvuvtq.dll -> Not-A-Virus.Adware.Virtumonde : Ignored.
::Report end

HJT
Logfile of HijackThis v1.99.1
Scan saved at 11:47:46 AM, on 1/4/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
C:\Program Files\Sophos\Remote Management System\ManagementAgentNT.exe
C:\Program Files\Sophos\AutoUpdate\ALsvc.exe
C:\Program Files\Sophos\Remote Management System\RouterNT.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\zHotkey.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Sophos\AutoUpdate\ALMon.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\hjt\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://my.unm.edu/cp/home/displaylogin
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gatewaybiz.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gatewaybiz.com
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [ShowWnd] ShowWnd.exe
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [Mixersel] C:\Program Files\Realtek\InstallShield\mixersel.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [80fb352f] rundll32.exe "C:\WINDOWS\system32\lpljknpm.dll",b
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Global Startup: AutoUpdate Monitor.lnk = C:\Program Files\Sophos\AutoUpdate\ALMon.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O4 - Global Startup: Event Reminder.lnk = ?
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1125084573656
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1125085212453
O16 - DPF: {8601F281-659E-4336-900D-FEA0DD4ECF9E} (Reportctl Class) - https://compass.act.org/eCompass/controls/ReportCom.cab
O16 - DPF: {CAFECAFE-0013-0001-0017-ABCDEFABCDEF} (JInitiator 1.3.1.17) - https://www5.unm.edu/jinitiator/jinit.exe
O16 - DPF: {CAFECAFE-0013-0001-0018-ABCDEFABCDEF} (JInitiator 1.3.1.18) -
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = gallup.unm.edu
O17 - HKLM\Software\..\Telephony: DomainName = gallup.unm.edu
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = gallup.unm.edu
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = gallup.unm.edu
O20 - AppInit_DLLs: C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Sophos Anti-Virus status reporter (SAVAdminService) - Sophos Plc - C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
O23 - Service: Sophos Anti-Virus (SAVService) - Sophos Plc - C:\Program Files\Sophos\Sophos Anti-Virus\SavService.exe
O23 - Service: Sophos Agent - Unknown owner - C:\Program Files\Sophos\Remote Management System\ManagementAgentNT.exe" -service -name Agent (file missing)
O23 - Service: Sophos AutoUpdate Service - Sophos Plc - C:\Program Files\Sophos\AutoUpdate\ALsvc.exe
O23 - Service: Sophos Message Router - Unknown owner - C:\Program Files\Sophos\Remote Management System\RouterNT.exe" -service -name Router -ORBListenEndpoints iiop://:8193/ssl_port=8194 (file missing)
nzoes New Member Date Joined Dec 2007 Total Posts : 4 Posted 1-8-2008 6:27 (GMT +1)
WinZip Quick Pick.lnk - C:\Program Files\WinZip\WZQKPICK.EXE [2005-08-26 12:47:50]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\qomnkjk]
qomnkjk.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 C:\WINDOWS\system32\mljjh.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SAVService]
@="service"

R1 SAVOnAccessControl;SAVOnAccessControl;C:\WINDOWS\system32\DRIVERS\savonaccesscontrol.sys [2007-11-16 08:59]
R1 SAVOnAccessFilter;SAVOnAccessFilter;C:\WINDOWS\system32\DRIVERS\savonaccessfilter.sys [2007-11-16 08:59]
S3 HPFXBULK;HPFXBULK;C:\WINDOWS\system32\drivers\hpfxbulk.sys [2006-06-12 15:36]
.
Contents of the 'Scheduled Tasks' folder
"2007-12-21 05:00:01 C:\WINDOWS\Tasks\daily.job" - C:\Program Files\Sophos\Sophos Anti-Virus\BackgroundScanClient.exe'{3C3BA6B7-BE4D-47F1-AA03-AA683FC63938}
"2005-08-26 17:16:37 C:\WINDOWS\Tasks\ISP signup reminder 1.job" - C:\WINDOWS\system32\OOBE\oobebaln.exe
"2005-08-26 17:16:38 C:\WINDOWS\Tasks\ISP signup reminder 3.job" - C:\WINDOWS\system32\OOBE\oobebaln.exe
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-08 10:24:35
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\Sophos Message Router]
"ImagePath"="\"C:\Program Files\Sophos\Remote Management System\RouterNT.exe\" -service -name Router -ORBListenEndpoints iiop://:8193/ssl_port=8194"
.
Completion time: 2008-01-08 10:26:21
ComboFix-quarantined-files.txt 2008-01-08 17:26:18
.
2007-10-11 15:06:35 --- E O F ---
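The three logs above show the same infection from three angles: a Run value with a random hex name launching a freshly renamed system32 DLL through rundll32.exe with a one-letter export, a Winlogon\Notify subkey loading that DLL into winlogon.exe, and an extra LSA Authentication Package loading mljjh.dll into lsass.exe, which is why deleting one file a day never got rid of it. As an added illustration (not code from this thread or from any of the tools named in it), the Python below runs those three checks over constructed log lines modelled on the entries posted here, with each ComboFix key and value written on one line; the allowlist of Windows XP Notify subkeys is a partial assumption, and a hit means "look at this", not "delete this".

```python
import re
from dataclasses import dataclass

# Constructed sample, modelled on the HijackThis and ComboFix lines posted in
# this thread (the DLL names are the ones that appeared in those logs).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [80fb352f] rundll32.exe "C:\WINDOWS\system32\lpljknpm.dll",b
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O20 - AppInit_DLLs: C:\PROGRA~1\Sophos\SOPHOS~1\SOPHOS~1.DLL
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\qomnkjk] qomnkjk.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\crypt32chain] crypt32.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa] Authentication Packages REG_MULTI_SZ msv1_0 C:\WINDOWS\system32\mljjh.dll
"""

@dataclass
class Finding:
    rule: str       # which persistence mechanism matched
    evidence: str   # the log line that triggered it
    detail: str     # what exactly looked wrong

# HijackThis O4 Run entries that start a DLL through rundll32.exe
RUN_RUNDLL_RE = re.compile(
    r'^O4 - .*\\Run: \[(?P<name>[^\]]+)\]\s+rundll32(?:\.exe)?\s+'
    r'"?(?P<dll>[^",]+\.dll)"?\s*,\s*(?P<export>\S+)', re.I)
# Winlogon\Notify subkeys: the named DLL is loaded by winlogon.exe at logon
NOTIFY_RE = re.compile(
    r'\\winlogon\\notify\\(?P<subkey>[^\]]+)\]\s*(?P<dll>\S+\.dll)', re.I)
# LSA Authentication Packages: every listed DLL is loaded into lsass.exe at boot
LSA_AUTHPKG_RE = re.compile(
    r'\\control\\lsa\]\s*Authentication Packages\s+REG_MULTI_SZ\s+(?P<values>.+)$', re.I)

# Assumption: a partial allowlist of Winlogon\Notify subkeys shipped with
# Windows XP; anything else deserves a look, not automatic deletion.
XP_NOTIFY_ALLOWLIST = {"crypt32chain", "cryptnet", "cscdll", "sccertprop",
                       "schedule", "sclgntfy", "senslogn", "termsrv", "wlballoon"}
HEX_NAME_RE = re.compile(r'^[0-9a-f]{8}$', re.I)

def scan_log(text: str) -> list[Finding]:
    """Return one Finding per suspicious persistence entry in the log text."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = RUN_RUNDLL_RE.match(line)
        if m:
            reasons = []
            if HEX_NAME_RE.match(m["name"]):
                reasons.append(f"run value name {m['name']!r} is a random hex string")
            if len(m["export"]) == 1:
                reasons.append(f"single-letter export {m['export']!r}")
            if reasons:
                findings.append(Finding("run-key rundll32 DLL", line, "; ".join(reasons)))
            continue
        m = NOTIFY_RE.search(line)
        if m and m["subkey"].lower() not in XP_NOTIFY_ALLOWLIST:
            findings.append(Finding("winlogon notify DLL", line,
                                    f"unknown subkey {m['subkey']!r} loads {m['dll']}"))
            continue
        m = LSA_AUTHPKG_RE.search(line)
        if m:
            # msv1_0 is the stock package; anything after it was added later
            extra = [v for v in m["values"].split() if v.lower() != "msv1_0"]
            if extra:
                findings.append(Finding("LSA authentication package", line,
                                        "extra package(s): " + ", ".join(extra)))
    return findings

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"[{f.rule}] {f.detail}\n    {f.evidence}")
```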
Touch Forum Moderator Date Joined Jun 2004 Total Posts : 16319 Posted 1-11-2008 9:21 (GMT +1)
Please download Combofix:
and save to the desktop.
Close all other browser windows.
Important -> Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files, which may cause "unpredictable results".
Go to Start --> Run and copy/paste in the following:
"%userprofile%\desktop\combofix.exe" /killall
When finished, it will produce a logfile located at C:\ComboFix.txt.
Post the contents of that log in your next reply with a new HijackThis log.
Note: Do not mouse-click ComboFix's window while it is running. That may cause your system to stall/hang.
Do NOT post your problem in someone else's thread.
Fuse New Member Date Joined Apr 2008 Total Posts : 1 Posted 4-21-2008 10:57 (GMT +1)
Touch... I wanted to thank you for this solution.