PrimaryCriddle
Members-
Posts
9 -
Joined
-
Last visited
Reputation
0 Neutral-
ClientMan & GameVance infections
PrimaryCriddle replied to PrimaryCriddle's topic in Resolved Malware Removal Logs
OK, here goes. I uninstalled StopZilla. I was only grasping at straws at possible solutions. I have you now! All of the items including the two startup items are fixed. Drivers32 key: Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 Class Name: <NO CLASS> Last Write Time: 4/23/2009 - 7:58 PM Value 0 Name: midimapper Type: REG_SZ Data: midimap.dll Value 1 Name: msacm.imaadpcm Type: REG_SZ Data: imaadp32.acm Value 2 Name: msacm.msadpcm Type: REG_SZ Data: msadp32.acm Value 3 Name: msacm.msg711 Type: REG_SZ Data: msg711.acm Value 4 Name: msacm.msgsm610 Type: REG_SZ Data: msgsm32.acm Value 5 Name: msacm.trspch Type: REG_SZ Data: tssoft32.acm Value 6 Name: vidc.cvid Type: REG_SZ Data: iccvid.dll Value 7 Name: vidc.I420 Type: REG_SZ Data: msh263.drv Value 8 Name: vidc.iv31 Type: REG_SZ Data: ir32_32.dll Value 9 Name: vidc.iv32 Type: REG_SZ Data: ir32_32.dll Value 10 Name: vidc.iv41 Type: REG_SZ Data: ir41_32.ax Value 11 Name: vidc.iyuv Type: REG_SZ Data: iyuv_32.dll Value 12 Name: vidc.mrle Type: REG_SZ Data: msrle32.dll Value 13 Name: vidc.msvc Type: REG_SZ Data: msvidc32.dll Value 14 Name: vidc.uyvy Type: REG_SZ Data: msyuv.dll Value 15 Name: vidc.yuy2 Type: REG_SZ Data: msyuv.dll Value 16 Name: vidc.yvu9 Type: REG_SZ Data: tsbyuv.dll Value 17 Name: vidc.yvyu Type: REG_SZ Data: msyuv.dll Value 18 Name: wavemapper Type: REG_SZ Data: msacm32.drv Value 19 Name: msacm.msg723 Type: REG_SZ Data: msg723.acm Value 20 Name: vidc.M263 Type: REG_SZ Data: msh263.drv Value 21 Name: vidc.M261 Type: REG_SZ Data: msh261.drv Value 22 Name: msacm.msaudio1 Type: REG_SZ Data: msaud32.acm Value 23 Name: msacm.sl_anet Type: REG_SZ Data: sl_anet.acm Value 24 Name: msacm.iac2 Type: REG_SZ Data: C:\WINDOWS\system32\iac25_32.ax Value 25 Name: vidc.iv50 Type: REG_SZ Data: ir50_32.dll Value 26 Name: msacm.l3acm Type: REG_SZ Data: C:\WINDOWS\system32\l3codeca.acm Value 27 Name: wave Type: REG_SZ Data: serwvdrv.dll Value 28 Name: wave1 Type: REG_SZ Data: wdmaud.drv Value 29 Name: midi Type: REG_SZ Data: wdmaud.drv Value 30 Name: mixer Type: REG_SZ Data: wdmaud.drv Value 31 Name: aux Type: REG_SZ Data: C:\WINDOWS\system32\..\mdkxo.brq Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\Terminal Server Class Name: <NO CLASS> Last Write Time: 8/16/2005 - 9:38 AM Key Name: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\Terminal Server\RDP Class Name: <NO CLASS> Last Write Time: 8/16/2005 - 9:38 AM Value 0 Name: wave Type: REG_SZ Data: rdpsnd.dll Value 1 Name: mixer Type: REG_SZ Data: rdpsnd.dll Value 2 Name: MaxBandwidth Type: REG_DWORD Data: 0x56b9 Value 3 Name: wavemapper Type: REG_SZ Data: msacm32.drv Value 4 Name: EnableMP3Codec Type: REG_DWORD Data: 0x1 Value 5 Name: midimapper Type: REG_SZ Data: midimap.dll And lastly there was a new regedit created. I think that was it. Thank you soooooooo much for your help! I at least feel we are making progress. -Craig -
I am in sorry need of help. Malwarebytes is loaded, but I can not update the definitions as it says I am not connected to the Internet (which I am). It (or they) seem to get more and more intelligent as I originally could get MB to update but thought it got infected so I tried to uninstall and reinstall. I'm back to the default definitions and can't get further. In my "enthusiasm", I did see a post about StopZilla and ran a scan with that. This is how I got the ClientMan and GameVance info. I did not go further as instructed without someone's help. I've screwed up enough!! Attached are the two logs you requested along with the log from 5/11 (I thought I was good to go after that) with a new definition file that found what it did. MB log today: Malwarebytes' Anti-Malware 1.36 Database version: 1945 Windows 5.1.2600 Service Pack 3 5/18/2009 10:58:30 AM mbam-log-2009-05-18 (10-58-30).txt Scan type: Quick Scan Objects scanned: 89250 Time elapsed: 6 minute(s), 27 second(s) Memory Processes Infected: 0 Memory Modules Infected: 0 Registry Keys Infected: 0 Registry Values Infected: 0 Registry Data Items Infected: 0 Folders Infected: 0 Files Infected: 0 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: (No malicious items detected) Registry Keys Infected: (No malicious items detected) Registry Values Infected: (No malicious items detected) Registry Data Items Infected: (No malicious items detected) Folders Infected: (No malicious items detected) Files Infected: (No malicious items detected) MB log with found infections 5/11: Malwarebytes' Anti-Malware 1.36 Database version: 2083 Windows 5.1.2600 Service Pack 3 5/11/2009 11:28:34 PM mbam-log-2009-05-11 (23-28-34).txt Scan type: Full Scan (C:\|) Objects scanned: 31293 Time elapsed: 6 hour(s), 1 minute(s), 35 second(s) Memory Processes Infected: 0 Memory Modules Infected: 0 Registry Keys Infected: 6 Registry Values Infected: 1 Registry Data Items Infected: 0 Folders Infected: 0 Files Infected: 1 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: (No malicious items detected) Registry Keys Infected: HKEY_CLASSES_ROOT\cdmyidd.securitytoolbar (Trojan.BHO) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\TypeLib\{cd24eb02-9831-4838-99d0-726d411b1328} (Trojan.BHO) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\Interface\{f20da564-9254-49fe-a678-cc3cef172252} (Trojan.BHO) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\CLSID\{a26503fe-b3b8-4910-a9dc-9cbd25c6b8d6} (Trojan.BHO) -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{a26503fe-b3b8-4910-a9dc-9cbd25c6b8d6} (Trojan.BHO) -> Quarantined and deleted successfully. HKEY_CLASSES_ROOT\cdmyidd.securitytoolbar.1 (Trojan.BHO) -> Quarantined and deleted successfully. Registry Values Infected: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{a26503fe-b3b8-4910-a9dc-9cbd25c6b8d6} (Trojan.BHO) -> Quarantined and deleted successfully. Registry Data Items Infected: (No malicious items detected) Folders Infected: (No malicious items detected) Files Infected: C:\Documents and Settings\Craig\Local Settings\Application Data\CyberDefender\cdmyidd.dll (Trojan.BHO) -> Quarantined and deleted successfully. HiJackThis today: Scan saved at 11:03:25 AM, on 5/18/2009 Platform: Windows XP SP3 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16827) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Common Files\iS3\Anti-Spyware\SZServer.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe C:\Program Files\Bonjour\mDNSResponder.exe C:\Program Files\Creative\Shared Files\CTDevSrv.exe C:\WINDOWS\eHome\ehRecvr.exe C:\WINDOWS\eHome\ehSched.exe C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE C:\Program Files\MozyHome\mozybackup.exe C:\WINDOWS\system32\nvsvc32.exe C:\WINDOWS\system32\PSIService.exe C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\MsPMSPSv.exe C:\Program Files\STOPzilla!\STOPzilla.exe C:\WINDOWS\system32\dllhost.exe C:\WINDOWS\system32\wscntfy.exe C:\WINDOWS\ehome\ehtray.exe C:\WINDOWS\eHome\ehmsas.exe C:\WINDOWS\system32\RUNDLL32.EXE C:\Program Files\Dell\Media Experience\DMXLauncher.exe C:\WINDOWS\stsystra.exe C:\WINDOWS\System32\DLA\DLACTRLW.EXE C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE C:\Program Files\iTunes\iTunesHelper.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Creative\Software Update 3\SoftAuto.exe C:\Program Files\Digital Line Detect\DLG.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\MozyHome\mozystat.exe C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe C:\WINDOWS\explorer.exe C:\Program Files\iPod\bin\iPodService.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=6061109 R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://safesearch.cyberdefender.com/smallsearch.html R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sfgate.com/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=6061109 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005 R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local R3 - URLSearchHook: (no name) - ~CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file) O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: SITEguard BHO - {1827766B-9F49-4854-8034-F6EE26FCB1EC} - C:\Program Files\STOPzilla!\SZSG.dll O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O2 - BHO: CBrowserHelperObject Object - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll O2 - BHO: STOPzilla Browser Helper Object - {E3215F20-3212-11D6-9F8B-00D0B743919D} - C:\Program Files\STOPzilla!\SZIEBHO.dll O3 - Toolbar: STOPzilla - {98828DED-A591-462F-83BA-D2F62A68B8B8} - C:\Program Files\STOPzilla!\SZSG.dll O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [nwiz] nwiz.exe /install O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe O4 - HKLM\..\Run: [sigmatelSysTrayApp] stsystra.exe O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE O4 - HKLM\..\Run: [iSUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup O4 - HKLM\..\Run: [iSUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [EPSON Stylus CX3200] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P19 "EPSON Stylus CX3200" /O6 "USB001" /M "Stylus CX3200" O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [softAuto.exe] "C:\Program Files\Creative\Software Update 3\SoftAuto.exe" O4 - Startup: _uninst_is-COJNM.exe.bat O4 - Startup: _uninst_is-OUTGG.exe.bat O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe O4 - Global Startup: Digital Line Detect.lnk = ? O4 - Global Startup: MozyHome Status.lnk = C:\Program Files\MozyHome\mozystat.exe O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office12\EXCEL.EXE/3000 O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\Office12\REFIEBAR.DLL O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file) O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab O18 - Protocol: intu-help-qb1 - {9B0F96C7-2E4B-433E-ABF3-043BA1B54AE3} - C:\Program Files\Intuit\QuickBooks 2008\HelpAsyncPluggableProtocol.dll O18 - Protocol: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - mscoree.dll (file missing) O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe O23 - Service: CT Device Query service (CTDevice_Srv) - Creative Technology Ltd - C:\Program Files\Creative\Shared Files\CTDevSrv.exe O23 - Service: Creative Centrale Media Server (CTUPnPSv) - Creative Technology Ltd - C:\Program Files\Creative\Creative Centrale\CTUPnPSv.exe O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe O23 - Service: MozyHome Backup Service (mozybackup) - Mozy, Inc. - C:\Program Files\MozyHome\mozybackup.exe O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe O23 - Service: QBCFMonitorService - Intuit - C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe O23 - Service: STOPzilla Service (szserver) - iS3, Inc. - C:\Program Files\Common Files\iS3\Anti-Spyware\SZServer.exe -- End of file - 11368 bytes
-
Trojan.bho strikes
PrimaryCriddle replied to PrimaryCriddle's topic in Resolved Malware Removal Logs
Close this post. I've just read your instructions on how to use your help and will do it properly with a new topic. Thanks. -
Trojan.bho strikes
PrimaryCriddle replied to PrimaryCriddle's topic in Resolved Malware Removal Logs
Sorry about the multiple posts. My bad-I've got to quit random clicking! I see the section on removing specific viruses and found the couple I have, but I can't update the virus definitions with these in place. Is there some way to manually add a file (copy onto a disc and physically moving it to the infected machine) to get the latest definitions? -
Trojan.bho strikes
PrimaryCriddle replied to PrimaryCriddle's topic in Resolved Malware Removal Logs
-
Trojan.bho strikes
PrimaryCriddle replied to PrimaryCriddle's topic in Resolved Malware Removal Logs
-
In reading these couple of posts, it looks like I CAN be helped! I have been infected by a couple of things that certainly seem to be gaining intelligence. I can no longer update Malwarebytes as it looks like I can not connect to you. I am on another computer just to communicate. It appears like a Windows update when shutting down that reinfects whatever it does. Malwarebytes was the only package that found all of the registry key infections, but now that I can't update the definitions, I'm really hosed. Is the ComboFix solution a possibility?