Computer Security & Viruses/Contracted a virus - not yet fixed - need help to fully eradicate it plus another one I contracted.
Expert: Brian Benosky - 8/11/2008
Question
Hi Brian,
While browsing the internet the other day, I found a program called Chessmaster 10. I do not know if the program was freeware, a trial version, or if (after installing it) I would have had to pay money to buy it. What I do know is that after I finished downloading the program, and clicking the install application, I unleashed a virus onto my computer.
Symptoms - Immediately after clicking that application, I...
--> Did not get an InstallShield program for ChessMaster 10
--> and I noticed
a) Windows Defender (or maybe it was Norton Antivirus) telling me something about a virus being detected. Seconds later, Windows Defender got disabled.
b) Windows Explorer began to stall. And each time I restarted it, Windows Explorer would stall again.
c) In addition, Spybot Search and Destroy kept showing me that something was trying to alter my registry in a number of different places. I think that I accidentally allowed one of those registries to change; however, for the rest of them I continuously told Spybot S&D not to allow the changes to be made.
d) The numerous registry key changes kept looping and popping up over and over again each time that I selected "do not allow change". Like I said before, these registry changes looked evil and nasty.
Sensing danger, I immediately turned off my computer and started it in safe-mode. I deleted everything inside of the Chessmaster 10 folder. Then I ran Spybot S&D and got only a single registry bad-thingy called "VirtueMond". I can give you the registry key that came with it should you desire to have that piece of information. I told spybot s&d to fix the problem. It did so successfully. I then used Disk-Cleanup to get rid of everything it recommended me to get rid of (including temp files).
After that, I ran a program called RegCleaner which promptly found around 900 problems with my registry and fixed all of them.
Then I restarted my computer in normal mode. The result? First off, I got an error saying "missing shared dll's
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Currentversion\sharedDlls". Second off, I got the same very bad exact symptoms as when I first introduced the virus (windows explorer erroring out, constant attempts to evilly update my registry keys, etc). And so I restarted the computer in safe mode, then installed AVG anti-virus onto my computer. After running AVG, I found a few viruses/bad-stuff. Here is what the program placed in its vault....
Infection Type Infection
PUP Adware Generic3.HBO
Infection Virus found win32/Heur
Infection Trojan Horse Generic10.AOEH
Infection Virus found win32/Heur
It also placed 5 other objects with an infection type of warning. For each of these issues in the vault, I can easily give you their file-paths should you desire me to.
Instead of running regcleaner for a second time, I ran "Eusing Free Registry Cleaner" which found that the number of bad-keys had increased to around 1,100. I told the program to fix those keys just as I had earlier on told RegCleaner to fix its around 900 bad keys. Next, I used Disk-Cleanup to get rid of everything it recommended me to get rid of (including temp files).
Then, I restarted my computer in regular mode. The results?
The symptoms improved! Hurrah! Now I was not getting a continuous nag from Spybot S&D asking me whether I wanted a series of nasty registry key changes to occur.
But the problems were still not over. I have noticed that, while my computer runs at about the same speed as before the viruses, every few minutes it breaks down into a period of slowness that lasts for a few seconds. Each time it does this, I hold my breath.
Windows Explorer is also slower. Especially when it comes to searching for files.
Also, when my computer starts up, I get an error with a title called RunDLL and with a message saying "Error Loading C\BENJAM~\AppData\Local\Temp\xxyyxvwv.dll. The specified module could not be found."
Lastly, I re-downloaded the ChessMaster 10 virus but this time I did not run any of its programs (knowing that that would re-awaken the virus). I did this so that I could look at the contents of the folder. What I found was not pretty.
in a folder called --> Chessmaster 10\Register\register\dll I found...
File Name File Type
ASYXFILT.DLL application extension
Comcat.dll application extension
comdlg32.dll application extension
comdlg32.oca OCA file
comdlg32.ocx ActiveX control
msinet.oca OCA file
msinet.ocx activeX control
msvbvm60.fll application extension
msxml3.dll application extension
msxml3a.dll application extension
msxml3r.dll application extension
oleaut32.dll application extension
olepro32.dll application extension
stdole2.tab tlb file
vb5db.dll application extension
xmlinst application
xmlparse.dll application extension
xmltok.dll application extension
I also found
in a folder called Chessmaster 10\OpenGL --> Kernel.dll
in a folder called Chessmaster 10\D3D --> Kernel.dll
I then deleted the Chessmaster 10, and ran an AVG virus check (nothing bad was reported).
While any of these files may or may not have been run when I first contracted the virus, the virus may have replaced some already-existing files containing the same names but with different contents. To be on the safe side, I want to find each file and replace it with what I know is a non-corrupt, non-malicious, up-to-date file that I can find on the internet. The trouble is, I don't know what any of these files are used for and I don't know where I can find them. Could you show me where online I need to go to download the best versions of these files to replace the possibly bad ones that exist on my computer? And, for educational purposes, maybe you could tell me what a few of these files actually do... or why they are important?
(After re-reading this email, I realised that some (perhaps even all) of these programs could have simply been regular files that are used to run Chessmaster 10 (the real game) instead of the virus. I need you to assure me which ones of these files are likely to have been evil and to have replaced other files on my computer. And which ones of these files are likely to have simply been part of the actual Chessmaster 10 program)
My last concern deals with my history. I ran into another virus, the Zlob virus, a couple of months ago. Luckily, I got rid of most of it but my computer still remains a little... shaken. Could you give me a few tests to run in order to discover whether there is greater than a 95% chance that the Zlob virus is no longer lurking in the back-corners of my computer waiting to pounce again or to simply be mean every once in a while?
I know that my computer is no longer SEVERELY infected. But infected it still remains.
The last action that I took before writing this email was to run the dss program. At your request, here is the main.txt output.
Deckard's System Scanner v20071014.68
Run by Benjamin Shumway on 2008-08-11 01:46:09
Computer is in Normal Mode.
--------------------------------------------------------------------------------
-- Last 4 Restore Point(s) --
4: 2008-08-10 10:46:08 UTC - RP221 - Windows Defender Checkpoint
3: 2008-08-08 06:21:53 UTC - RP219 - Installed Java(TM) 6 Update 7
2: 2008-08-08 04:04:36 UTC - RP218 - Windows Update
1: 2008-08-08 04:04:02 UTC - RP217 - Scheduled Checkpoint
Backed up registry hives.
Performed disk cleanup.
-- HijackThis Clone ------------------------------------------------------------
Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-08-11 01:50:17
Platform: Windows Vista (6.00.6000)
MSIE: Internet Explorer (7.00.6000.16386)
Boot mode: Normal
Running processes:
C:\Windows\System32\dwm.exe
C:\Windows\explorer.exe
C:\Program Files\Synaptics\SynTP\SynTPStart.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Norton Ghost\Agent\VProTray.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Symantec Shared\CCSVCHST.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Windows\ehome\ehmsas.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\taskeng.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\System32\wuauclt.exe
C:\Users\Benjamin Shumway\Desktop\dss.exe
C:\Windows\System32\SearchFilterHost.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page =
http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=81&bd=Presario...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =
http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=81&bd=Presario...
O2 - BHO: btorbit.com - {000123B4-9B42-4900-B3F7-F4B073EFC214} - C:\Program Files\Orbitdownloader\orbitcth.dll
O2 - BHO: SnagIt Toolbar Loader - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 8\SnagItBHO.dll
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll
O2 - BHO: Google Web Accelerator Helper - {69A87B7D-DE56-4136-9655-716BA50C19C7} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Common Files\Symantec Shared\IDS\IPSBHO.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O2 - BHO: (no name) - {7C109800-A5D5-438F-9640-18D17E168B88} - (no file)
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\Program Files\AVG\AVG8\avgtoolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll
O3 - Toolbar: Google Web Accelerator - {DB87BFA2-A2E3-451E-8E5A-C89982D87CBF} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
O3 - Toolbar: Internet Service - {51D81DD5-55B7-497F-95DB-D356429BB54E} - (no file)
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\Program Files\AVG\AVG8\avgtoolbar.dll
O4 - HKLM\..\Run: [SynTPStart] C:\Program Files\Synaptics\SynTP\SynTPStart.exe
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [MSConfig] "C:\Windows\system32\msconfig.exe" /auto
O4 - HKLM\..\Run: [Norton Ghost 12.0] "C:\Program Files\Norton Ghost\Agent\VProTray.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [googletalk] C:\Users\Benjamin Shumway\AppData\Roaming\Google\Google Talk\googletalk.exe /autostart
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [cmds] rundll32.exe C:\Users\BENJAM~1\AppData\Local\Temp\xxyyxvwv.dll,c
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'NETWORK SERVICE')
O4 - Startup: MagicDisc.lnk = C:\Program Files\MagicDisc\MagicDisc.exe
O4 - Global Startup: Gmail Notifier.lnk = C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: Run Google Web Accelerator.lnk = C:\Program Files\Google\Web Accelerator\GoogleWebAccWarden.exe
O4 - Global Startup: ToDo List - Shortcut.lnk = C:\Users\Benjamin Shumway\Desktop\ToDo List.txt
O8 - Extra context menu item: &Download by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/201
O8 - Extra context menu item: &Grab video by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/204
O8 - Extra context menu item: Do&wnload selected by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/203
O8 - Extra context menu item: Down&load all by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/202
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll
O9 - Extra button: (no name) - {9034A523-D068-4BE8-A284-9DF278BE776E} -
http://www.ieservicegate.com/redirect.php (file missing)
O9 - Extra 'Tools' menuitem: IE Anti-Spyware - {9034A523-D068-4BE8-A284-9DF278BE776E} -
http://www.ieservicegate.com/redirect.php (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - (file missing)
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: ms-help - {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\microsoft shared\Help\hxds.dll
O18 - Protocol: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\microsoft shared\Information Retrieval\msitss.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll
O18 - Filter: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\microsoft shared\OFFICE12\MSOXMLMF.DLL
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG8\avgwdsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCSVCHST.EXE
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCSVCHST.EXE
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCSVCHST.EXE
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP Health Check Service - Hewlett-Packard - C:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Service.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCSVCHST.EXE
O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Norton Ghost\Agent\VProSvc.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\System32\drivers\XAudio.exe
--
End of file - 12025 bytes
-- File Associations -----------------------------------------------------------
All associations okay.
-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------
R1 mchInjDrv (madCodeHook DLL injection driver) - \??\c:\windows\system32\drivers\mchinjdrv.sys
R1 VClone - c:\windows\system32\drivers\vclone.sys <Not Verified; Elaborate Bytes AG; Virtual CloneDrive>
R3 mcdbus (Driver for MagicISO SCSI Host Controller) - c:\windows\system32\drivers\mcdbus.sys <Not Verified; MagicISO, Inc.; MagicISO SCSI Host Controller>
-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------
R2 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>
R2 HP Health Check Service - "c:\program files\hewlett-packard\hp health check\hphc_service.exe" <Not Verified; Hewlett-Packard; HP Health Check Service>
R2 StarWindServiceAE (StarWind AE Service) - c:\program files\alcohol soft\alcohol 120\starwind\starwindserviceae.exe <Not Verified; Rocket Division Software; StarWind Alcohol Edition>
S3 LBTServ (Logitech Bluetooth Service) -
-- Device Manager: Disabled ----------------------------------------------------
No disabled devices found.
-- Scheduled Tasks -------------------------------------------------------------
2008-08-11 01:40:17 484 --a------ C:\Windows\Tasks\SDMsgUpdate (TE).job
2008-08-04 21:48:13 568 --a------ C:\Windows\Tasks\Norton Internet Security - Run Full System Scan - Benjamin Shumway.job
-- Files created between 2008-07-11 and 2008-08-11 -----------------------------
2008-08-11 01:16:28 0 d-------- C:\Program Files\Trend Micro
2008-08-10 20:34:53 0 d-------- C:\Program Files\Creative Labs
2008-08-10 20:29:11 0 d-------- C:\Program Files\EidosNet
2008-08-10 20:29:11 0 d-------- C:\Program Files\Eidos Interactive
2008-08-10 20:27:27 306688 --a------ C:\Windows\IsUninst.exe <Not Verified; InstallShield Software Corporation; InstallShield® unInstaller>
2008-08-10 20:25:16 0 d-------- C:\Users\All Users\Icon Constructor 3
2008-08-10 20:24:53 0 d-------- C:\Program Files\Icon Constructor 3
2008-08-10 16:29:23 0 d--h----- C:\$AVG8.VAULT$
2008-08-10 16:06:07 0 d-------- C:\Windows\system32\drivers\Avg
2008-08-10 16:06:02 0 d-------- C:\Program Files\AVG
2008-08-10 16:06:01 0 d-------- C:\Users\All Users\avg8
2008-08-09 04:17:07 0 d-------- C:\Program Files\Devious Codeworks
2008-08-09 01:55:21 86016 --a------ C:\Windows\unvise32.exe <Not Verified; MindVision Software; Installer VISE>
2008-08-09 01:55:15 0 d-------- C:\Program Files\CCGM
2008-08-08 00:09:26 0 d-------- C:\Program Files\Pcsx
2008-08-07 23:37:07 0 d-------- C:\Program Files\pSX_1_13
2008-08-06 23:59:16 0 d-------- C:\PSP
2008-08-05 17:53:02 0 d-------- C:\Program Files\Bethesda Softworks
2008-08-05 08:42:29 0 d-------- C:\Program Files\7-Zip
2008-07-23 21:10:31 0 d-------- C:\Program Files\Apple Software Update
2008-07-15 00:43:29 56 --ah----- C:\Users\All Users\ezsidmv.dat
2008-07-15 00:40:34 0 d-------- C:\Program Files\Skype
2008-07-15 00:40:33 0 d-------- C:\Program Files\Common Files\Skype
2008-07-15 00:39:53 0 d-------- C:\Users\All Users\Skype
2008-07-14 00:22:32 0 d-------- C:\Program Files\coolpro2
-- Find3M Report ---------------------------------------------------------------
2008-08-11 01:39:50 0 d-------- C:\Users\Benjamin Shumway\AppData\Roaming\Skype
2008-08-11 01:39:43 0 d-------- C:\Users\Benjamin Shumway\AppData\Roaming\skypePM
2008-08-11 01:39:22 2606 --a------ C:\Users\Benjamin Shumway\AppData\Roaming\.googlewebacchosts
2008-08-11 01:38:27 57436 --a------ C:\Users\Benjamin Shumway\AppData\Roaming\nvModes.001
2008-08-11 01:27:11 0 d-------- C:\Users\Benjamin Shumway\AppData\Roaming\uTorrent
2008-08-10 21:22:49 57436 --a------ C:\Users\Benjamin Shumway\AppData\Roaming\nvModes.dat
2008-08-10 19:49:52 0 d-------- C:\Users\Benjamin Shumway\AppData\Roaming\Mozilla
2008-08-10 16:29:23 0 d-------- C:\Program Files\DAEMON Tools Lite
2008-08-10 15:35:32 0 d-------- C:\Users\Benjamin Shumway\AppData\Roaming\OpenOffice.org2
2008-08-09 01:55:42 27648 --ah----- C:\Users\Benjamin Shumway\AppData\Roaming\rbselectfolder450.dll
2008-08-09 01:55:42 64512 --ah----- C:\Users\Benjamin Shumway\AppData\Roaming\rbap450.dll
2008-08-09 01:55:42 26112 --ah----- C:\Users\Benjamin Shumway\AppData\Roaming\MBSRegistrationPlugin.dll
2008-08-09 01:55:42 116224 --ah----- C:\Users\Benjamin Shumway\AppData\Roaming\MBSJPEGDecompressionPlugin.dll
2008-08-09 01:55:42 95744 --ah----- C:\Users\Benjamin Shumway\AppData\Roaming\MBSJPEGCompressionPlugin.dll
2008-08-07 14:30:43 0 d-------- C:\Program Files\Google
2008-07-29 08:25:41 1980 --a------ C:\Users\Benjamin Shumway\AppData\Roaming\wklnhst.dat
2008-07-15 00:40:33 0 d-------- C:\Program Files\Common Files
2008-07-14 00:24:15 0 d-------- C:\Users\Benjamin Shumway\AppData\Roaming\Syntrillium
2008-07-10 04:24:22 0 d-------- C:\Users\Benjamin Shumway\AppData\Roaming\Orbit
2008-07-09 03:11:08 174 --ahs---- C:\Program Files\desktop.ini
2008-07-04 00:53:08 0 d-------- C:\Program Files\Battle for Wesnoth 1.4
2008-07-03 00:03:05 0 d-------- C:\Users\Benjamin Shumway\AppData\Roaming\Real
2008-07-03 00:01:41 0 d-------- C:\Program Files\Common Files\xing shared
2008-07-03 00:01:30 0 d-------- C:\Program Files\Common Files\Real
2008-07-03 00:01:06 0 d-------- C:\Program Files\Real
2008-06-14 20:46:44 0 d-------- C:\Program Files\Symantec
-- Registry Dump ---------------------------------------------------------------
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{602ADB0E-4AFF-4217-8AA1-95DAC4DFA408}]
08/24/2007 07:51 PM 316784 --a------ c:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\coIEPlg.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6D53EC84-6AAE-4787-AEEE-F4628F01010C}]
04/11/2008 06:07 PM 116088 --a------ C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7C109800-A5D5-438F-9640-18D17E168B88}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A057A204-BACC-4D26-9990-79A187E2698E}]
08/10/2008 04:06 PM 2055960 --a------ C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPStart"="C:\Program Files\Synaptics\SynTP\SynTPStart.exe" [09/15/2007 02:29 AM]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [10/25/2007 01:36 AM]
"ccApp"="c:\Program Files\Common Files\Symantec Shared\ccApp.exe" [02/14/2008 11:01 AM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe" [12/14/2007 03:42 AM]
"NvSvc"="C:\Windows\system32\nvsvc.dll" [10/09/2007 07:21 PM]
"NvCplDaemon"="C:\Windows\system32\NvCpl.dll" [10/09/2007 07:21 PM]
"NvMediaCenter"="C:\Windows\system32\NvMcTray.dll" [10/09/2007 07:21 PM]
"QlbCtrl"="C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" []
"MSConfig"="C:\Windows\system32\msconfig.exe" [11/02/2006 03:45 AM]
"Norton Ghost 12.0"="C:\Program Files\Norton Ghost\Agent\VProTray.exe" [03/28/2007 08:41 PM]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [10/27/2006 12:47 AM]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [03/28/2008 11:37 PM]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [03/30/2008 10:36 AM]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [07/03/2008 12:00 AM]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [08/10/2008 04:06 PM]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [01/28/2008 01:43 PM]
"ehTray.exe"="C:\Windows\ehome\ehTray.exe" [11/02/2006 06:35 AM]
"googletalk"="C:\Users\Benjamin Shumway\AppData\Roaming\Google\Google Talk\googletalk.exe" [01/01/2007 03:22 PM]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [11/02/2006 06:36 AM]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [05/30/2008 03:54 PM]
"cmds"="C:\Users\BENJAM~1\AppData\Local\Temp\xxyyxvwv.dll,c" []
C:\Users\Benjamin Shumway\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
MagicDisc.lnk - C:\Program Files\MagicDisc\MagicDisc.exe [4/5/2008 2:42:09 PM]
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
Gmail Notifier.lnk - C:\Program Files\Google\Gmail Notifier\gnotify.exe [7/15/2005 3:48:33 PM]
Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [5/12/2008 11:49:59 AM]
Run Google Web Accelerator.lnk - C:\Program Files\Google\Web Accelerator\GoogleWebAccWarden.exe [7/9/2007 11:24:38 PM]
ToDo List - Shortcut.lnk - C:\Users\Benjamin Shumway\Desktop\ToDo List.txt [3/31/2008 5:06:20 PM]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"=2 (0x2)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=avgrsstx.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AppInfo]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\KeyIso]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\NTDS]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ProfSvc]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sacsvr]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SWPRV]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TabletInputService]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TBS]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TrustedInstaller]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\VDS]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgr.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgrx.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{6BDD1FC1-810F-11D0-BEC7-08002BE2092F}]
@="IEEE 1394 Bus host controllers"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D48179BE-EC20-11D1-B6B8-00C04FA372A7}]
@="SBP2 IEEE 1394 Devices"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D94EE5D8-D189-4994-83D2-F68D7D41B0E6}]
@="SecurityDevices"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
"C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcoholAutomount]
"C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" /automount
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
"C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Health Check Scheduler]
[ProgramFilesFolder]Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPAdvisor]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpWirelessAssistant]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VirtualCloneDrive]
"C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" /s
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WAWifiMessage]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalSystemNetworkRestricted hidserv UxSms WdiSystemHost Netman trkwks AudioEndpointBuilder WUDFSvc irmon sysmain IPBusEnum dot3svc PcaSvc EMDMgmt TabletInputService wlansvc WPDBusEnum
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2819c828-13ff-11dd-85de-001e68149d19}]
AutoRun\command- LinksysConnectPC.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9ade54bf-e340-11dc-a893-001e68149d19}]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f761ac28-f13d-11dc-8029-001e68149d19}]
*Newly Created Service* - COMHOST
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
C:\Windows\system32\unregmp2.exe /ShowWMP
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}]
%SystemRoot%\system32\unregmp2.exe /FirstLogon /Shortcuts /RegBrowsers /ResetMUI
-- Hosts -----------------------------------------------------------------------
127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com
127.0.0.1 www.00hq.com
127.0.0.1 00hq.com
127.0.0.1 010402.com
127.0.0.1 www.032439.com
127.0.0.1 032439.com
7899 more entries in hosts file.
-- End of Deckard's System Scanner: finished at 2008-08-11 01:52:38 ------------
Thank you so much for your cooperation, your insight, and most of all your time. As I am a freshman majoring in computer science, I look up to you like a child looks up to an adult. Your knowledge of software development surpasses mine to such a degree that your capabilities put me in a state of total awe, inspiration, and (to some extent) jealousness.
Excitedly awaiting to hear your reply,
A true fan,
~Benjamin
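The question above worries that the download may have overwritten system files with same-named copies. The check a defender would actually run is not to fetch replacement DLLs from the internet but to compare the bundled files against the copies already on the machine. The script below is an added example written for this page (it is not Benjamin's or Brian's code and not part of any tool mentioned here): it hashes every file in a suspect folder and reports whether a same-named file in a reference folder is byte-identical, different, or absent. The folder layout and file contents in `demo()` are constructed sample data, not real DLLs.

```python
import hashlib
import tempfile
from pathlib import Path

# Classification labels returned per file.
IDENTICAL = "identical"            # same bytes as the reference copy
DIFFERS = "differs"                # same name, different bytes: inspect this one
NOT_IN_REFERENCE = "not-in-reference"  # bundled-only file, nothing to compare against


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large binaries do not need to be read at once."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def compare_bundled_files(suspect_dir, reference_dir) -> dict:
    """Compare each file in suspect_dir with the same-named file in reference_dir.

    Names are matched case-insensitively, as Windows does (OLEAUT32.DLL == oleaut32.dll).
    Returns {filename: label, ...} keyed by the name as it appears in suspect_dir.
    """
    reference = {p.name.lower(): p for p in Path(reference_dir).iterdir() if p.is_file()}
    report = {}
    for candidate in sorted(Path(suspect_dir).iterdir()):
        if not candidate.is_file():
            continue
        ref = reference.get(candidate.name.lower())
        if ref is None:
            report[candidate.name] = NOT_IN_REFERENCE
        elif sha256_of(candidate) == sha256_of(ref):
            report[candidate.name] = IDENTICAL
        else:
            report[candidate.name] = DIFFERS
    return report


def demo() -> dict:
    """Build two constructed directories in a temp location and compare them.

    The names mirror the folder listed in the question; the contents are placeholder
    bytes, not real DLLs, so the example runs offline on any OS.
    """
    with tempfile.TemporaryDirectory() as tmp:
        suspect = Path(tmp) / "Chessmaster 10" / "Register" / "register" / "dll"
        reference = Path(tmp) / "System32"
        suspect.mkdir(parents=True)
        reference.mkdir()
        (reference / "msxml3.dll").write_bytes(b"reference msxml3 bytes")
        (reference / "oleaut32.dll").write_bytes(b"reference oleaut32 bytes")
        (suspect / "msxml3.dll").write_bytes(b"reference msxml3 bytes")      # unchanged copy
        (suspect / "OLEAUT32.DLL").write_bytes(b"something else entirely")   # same name, new bytes
        (suspect / "ASYXFILT.DLL").write_bytes(b"bundled-only file")         # no system counterpart
        return compare_bundled_files(suspect, reference)


if __name__ == "__main__":
    for name, label in demo().items():
        print(f"{name:16} {label}")
```

A "differs" result only says the two copies are not the same bytes; a vendor-redistributed runtime can legitimately be an older build than the one in System32. What matters is whether the copy in System32 is still the signed Microsoft file, which is what `sfc /scannow` verifies on Windows, so run that against the reference folder before trusting it as the baseline.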
Answer
Hi Ben
I'm sorry for not getting back to you straight away. There is a bit of a crisis here which has prevented me from taking the time to answer you in full. I wish everyone would give me the information which you supplied. It makes my job easier. Let's start by fixing some running entries. Open Hijackthis and click to do a scan only. Place a check mark in the box next to the following items, then close all open windows and click the Fix Checked button:
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: (no name) - {7C109800-A5D5-438F-9640-18D17E168B88} - (no file)
O3 - Toolbar: Internet Service - {51D81DD5-55B7-497F-95DB-D356429BB54E} - (no file)
O4 - HKCU\..\Run: [cmds] rundll32.exe C:\Users\BENJAM~1\AppData\Local\Temp\xxyyxvwv.dll,c
O9 - Extra button: (no name) - {9034A523-D068-4BE8-A284-9DF278BE776E} -
http://www.ieservicegate.com/redirect.php (file missing)
O9 - Extra 'Tools' menuitem: IE Anti-Spyware - {9034A523-D068-4BE8-A284-9DF278BE776E} -
http://www.ieservicegate.com/redirect.php (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - (file missing)
After fixing, restart and send me a fresh HJT scan and let me know if the "Error Loading C\BENJAM~\AppData\Local\Temp\xxyyxvwv.dll. The specified module could not be found." still comes up. That file is indicative of Vundo/Virtumonde trojans. As it is running in temp folder, it would be a good idea to click Start, then type cleanmgr in the Start Search box. I will try to answer your follow-up as soon as possible.
Brian
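Brian's fix list above is exactly the kind of triage a reader of a HijackThis log does by eye: entries whose target file no longer exists, and an autorun that makes rundll32 load a DLL out of a Temp folder. The following is an added example, written for this page and not part of HijackThis, DSS or Brian's answer, that applies those same two rules mechanically to log lines. The sample log is constructed from the kinds of entries shown in the scan above (benign and suspicious mixed); the rules, the regular expressions and the function names are this example's own assumptions.

```python
import re

# Constructed sample in HijackThis log format: a normal BHO, two orphaned BHO/toolbar
# entries, a normal rundll32 autorun, a per-user autorun that loads a DLL from Temp,
# a rundll32 line with a bare DLL name (resolved from the system search path), and two
# orphaned O9 buttons. Long O9 lines are kept on one line here.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O3 - Toolbar: Internet Service - {51D81DD5-55B7-497F-95DB-D356429BB54E} - (no file)
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKCU\..\Run: [cmds] rundll32.exe C:\Users\BENJAM~1\AppData\Local\Temp\xxyyxvwv.dll,c
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - (file missing)
O9 - Extra 'Tools' menuitem: IE Anti-Spyware - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.ieservicegate.com/redirect.php (file missing)
"""

ENTRY_RE = re.compile(r"^(O\d+)\s+-\s+(.*)$")
# HijackThis marks a registry entry whose target is gone with one of these suffixes.
ORPHAN_RE = re.compile(r"\((?:no file|file missing)\)\s*$", re.I)
TEMP_RE = re.compile(r"\\temp\\", re.I)
# rundll32 followed by its DLL argument: either a quoted path or a run up to space/comma.
RUNDLL_RE = re.compile(r"rundll32(?:\.exe)?\s+(\"[^\"]+\"|[^\s,]+)", re.I)
ABS_PATH_RE = re.compile(r"^[a-z]:\\", re.I)
# Directories from which a rundll32-loaded DLL is ordinarily expected (8.3 alias included).
TRUSTED_DIR_RE = re.compile(r"^[a-z]:\\(?:windows|program files|progra~1)\\", re.I)


def triage_hjt(lines):
    """Return one finding per suspicious entry: {"section", "entry", "reasons"}."""
    findings = []
    for raw in lines:
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue  # headers, running-process paths and R0/R1 lines are not examined here
        section, body = m.groups()
        reasons = []
        if ORPHAN_RE.search(body):
            reasons.append("orphaned entry: registry points at a file that no longer exists")
        if section == "O4":
            # Everything after the "[name]" tag is the command the autorun executes.
            command = body.split("]", 1)[1] if "]" in body else body
            if TEMP_RE.search(command):
                reasons.append("autorun launches from a Temp folder")
            rm = RUNDLL_RE.search(command)
            if rm:
                dll = rm.group(1).strip('"')
                # A bare name like oobefldr.dll resolves from the system search path, so
                # only an absolute path outside the trusted directories is flagged.
                if ABS_PATH_RE.match(dll) and not TRUSTED_DIR_RE.match(dll):
                    reasons.append("rundll32 loads a DLL from outside Windows/Program Files")
        if reasons:
            findings.append({"section": section, "entry": line, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage_hjt(SAMPLE_LOG.splitlines()):
        print(f["entry"])
        for r in f["reasons"]:
            print("    ->", r)
```

On the constructed sample this flags the two "(no file)" BHO/toolbar entries, both "(file missing)" O9 buttons and the `cmds` autorun (twice: Temp folder and untrusted DLL location), while the NVIDIA rundll32 line and the Welcome Center line pass. The `entry` strings are the exact lines to tick in HijackThis, which is why the original line is kept rather than a parsed form. An orphaned entry is harmless on its own but is evidence that something was removed, and a per-user Run value pointing at a random-named DLL in Temp is the persistence pattern Brian attributes to Vundo/Virtumonde; the DLL itself, if still present, is what an antivirus scan or a sample submission should look at, not the registry pointer.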