Welcome to MalwareRemoval.com,
Virtumonde and Smitfraud infection


Post by Jhp » December 15th, 2008, 6:42 pm

I'm just about ready to throw this computer out the window. I've been trying to defeat these 2 guys for a while now, and I think it's time to turn to the experts. Here's my HJT log; please do whatever you can to prevent me from making this computer a hunk of metal.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:42:30 PM, on 12/15/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\msnetwk.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\system32\KADxMain.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Trend Micro\Internet Security 14\pccguide.exe
C:\Program Files\Dell\MediaDirect\PCMService.exe
C:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe
C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\CPSHelpRunner.exe
C:\Program Files\Java\jre1.6.0_05\bin\jucheck.exe
C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\scanner.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=del ... bd=0071211
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=del ... bd=0071211
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Comcast
O2 - BHO: HP Print Clips - {053F9267-DC04-4294-A72C-58F732D338C0} - C:\Program Files\HP\Smart Web Printing\hpswp_framework.dll
O2 - BHO: (no name) - {1B93547F-5CE9-4E60-B3B8-15AE6B6F93B7} - (no file)
O2 - BHO: {6685c2f4-3b4e-8a9b-ff24-0d4c44d61593} - {39516d44-c4d0-42ff-b9a8-e4b34f2c5866} - C:\WINDOWS\system32\jypxse.dll
O2 - BHO: (no name) - {467B24BD-D8BF-453F-9DB2-B58CF8EC364F} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5a4627ce-385a-4f3a-8a1e-8a80a3406117} - C:\WINDOWS\system32\fatalofi.dll
O2 - BHO: (no name) - {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - C:\WINDOWS\system32\iifcAsrQ.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {90F5A359-914F-40CF-B406-082EA7F8744D} - (no file)
O2 - BHO: (no name) - {95D2F4EE-5899-48A3-8562-474E31766D8F} - C:\WINDOWS\system32\fccAqRKD.dll
O2 - BHO: (no name) - {B3AA6D76-A5DA-4C05-9DC1-E061E0E4528C} - (no file)
O2 - BHO: (no name) - {B5F009B0-1266-4AF5-B6D5-E35FEC70E4BB} - (no file)
O2 - BHO: (no name) - {E0EF78AE-5534-40FC-866D-419739FEA10C} - (no file)
O3 - Toolbar: PayPal Plug-In - {DC0F2F93-27FA-4f84-ACAA-9416F90B9511} - C:\Program Files\PayPal\PayPal Plug-In\OToolbar.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [NVHotkey] rundll32.exe nvHotkey.dll,Start
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [KADxMain] C:\WINDOWS\system32\KADxMain.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 14\pccguide.exe"
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\MediaDirect\PCMService.exe"
O4 - HKLM\..\Run: [dscactivate] "%ProgramFiles%\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ddoctorv2] "C:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exe" /P ddoctorv2
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [hamukuboye] Rundll32.exe "C:\WINDOWS\system32\yupujufo.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [hamukuboye] Rundll32.exe "C:\WINDOWS\system32\yupujufo.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [hamukuboye] Rundll32.exe "C:\WINDOWS\system32\yupujufo.dll",s (User 'NETWORK SERVICE')
O4 - Startup: RocketDock.lnk = C:\WINDOWS\BricoPacks\Vista Inspirat 2\RocketDock\RocketDock.exe
O4 - Startup: TransBar.lnk = C:\WINDOWS\BricoPacks\Vista Inspirat 2\TransBar\TransBar.exe
O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: HP Clipbook - {58ECB495-38F0-49cb-A538-10282ABF65E7} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: HP Smart Select - {700259D7-1666-479a-93B1-3250410481E8} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {42D06124-98A2-47EC-8098-3778B58CE7D5} (SupportSoft External Control) - https://actsvr.comcastonline.com/techto ... ntrols.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{EC46BC7F-E5D7-4F5B-A70B-3C2C37C1861C}: NameServer = 68.87.64.146,68.87.75.194
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\WINDOWS\system32\juyadewi.dll jypxse.dll
O20 - Winlogon Notify: iifcAsrQ - C:\WINDOWS\SYSTEM32\iifcAsrQ.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: SupportSoft Sprocket Service (ddoctorv2) (sprtsvc_ddoctorv2) - SupportSoft, Inc. - C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 10304 bytes
Jhp
Regular Member
 
Posts: 23
Joined: December 15th, 2008, 6:23 pm
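As an added example (not code from this thread, nor from HijackThis or ComboFix), here is a small Python triage script that applies the checks a helper makes when reading a log like the one above: unnamed BHOs loaded from system32, Run entries written into the service-account hives (S-1-5-19/S-1-5-20), a populated AppInit_DLLs value, Winlogon notification packages, and the same DLL registered at more than one load point. The sample lines are copied from the posted log; the severity labels and rule names are this example's own assumptions, not HijackThis output.

```python
import re
from collections import defaultdict

# Constructed sample (not the complete log): lines in HijackThis v2.0.2 format
# copied from the log posted above, plus benign NVIDIA/Java/HP entries for contrast.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
O2 - BHO: HP Print Clips - {053F9267-DC04-4294-A72C-58F732D338C0} - C:\Program Files\HP\Smart Web Printing\hpswp_framework.dll
O2 - BHO: (no name) - {1B93547F-5CE9-4E60-B3B8-15AE6B6F93B7} - (no file)
O2 - BHO: (no name) - {5a4627ce-385a-4f3a-8a1e-8a80a3406117} - C:\WINDOWS\system32\fatalofi.dll
O2 - BHO: (no name) - {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - C:\WINDOWS\system32\iifcAsrQ.dll
O2 - BHO: {6685c2f4-3b4e-8a9b-ff24-0d4c44d61593} - {39516d44-c4d0-42ff-b9a8-e4b34f2c5866} - C:\WINDOWS\system32\jypxse.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [hamukuboye] Rundll32.exe "C:\WINDOWS\system32\yupujufo.dll",s
O4 - HKUS\S-1-5-19\..\Run: [hamukuboye] Rundll32.exe "C:\WINDOWS\system32\yupujufo.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [hamukuboye] Rundll32.exe "C:\WINDOWS\system32\yupujufo.dll",s (User 'NETWORK SERVICE')
O20 - AppInit_DLLs: C:\WINDOWS\system32\juyadewi.dll jypxse.dll
O20 - Winlogon Notify: iifcAsrQ - C:\WINDOWS\SYSTEM32\iifcAsrQ.dll
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

ENTRY_RE = re.compile(r"^(O\d+|R\d) - (.*)$")          # "O2 - ..." / "R1 - ..."
MODULE_RE = re.compile(r"([\w~.-]+\.(?:dll|exe))", re.IGNORECASE)
SERVICE_HIVE_RE = re.compile(r"HKUS\\S-1-5-(?:18|19|20)\\")
HOST_BINARIES = {"rundll32.exe"}   # generic hosts, not load points in themselves


def parse(log_text):
    """Split a HijackThis log into (section, body) pairs; header and process lines are skipped."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def modules_in(body):
    """All DLL/EXE basenames mentioned in an entry, lower-cased."""
    return [name.lower() for name in MODULE_RE.findall(body)]


def load_point(section, body):
    """Key used for correlation: O4 entries are split by hive, other sections as-is."""
    if section == "O4":
        hive = re.match(r"HK\w+", body)
        return "O4 " + (hive.group(0) if hive else "Startup")
    return section


def analyze(log_text):
    """Return a list of (severity, section, reason, detail) findings for one log."""
    findings = []
    seen_at = defaultdict(set)   # module basename -> load points it is registered at

    for section, body in parse(log_text):
        low = body.lower()
        for name in modules_in(body):
            if name not in HOST_BINARIES:
                seen_at[name].add(load_point(section, body))

        if section == "O2" and "(no name)" in low:
            if "(no file)" in low:
                findings.append(("low", section, "orphaned BHO entry, no file on disk", body))
            elif "\\system32\\" in low:
                findings.append(("high", section, "unnamed BHO loaded from system32", body))
        elif section == "O4" and SERVICE_HIVE_RE.search(body):
            findings.append(("high", section, "Run entry under a service-account hive", body))
        elif section == "O20" and low.startswith("appinit_dlls:") and modules_in(body):
            findings.append(("high", section, "AppInit_DLLs injects into every user-mode process", body))
        elif section == "O20" and low.startswith("winlogon notify:"):
            findings.append(("medium", section, "Winlogon notification package, verify publisher", body))

    # Correlation: one DLL registered at several load points is a strong signal even
    # when no single-line rule fires (jypxse.dll above has a GUID for a name, not "(no name)").
    for name, points in sorted(seen_at.items()):
        if len(points) > 1:
            findings.append(("high", "+".join(sorted(points)), "same module at multiple load points", name))
    return findings


if __name__ == "__main__":
    for severity, where, reason, detail in analyze(SAMPLE_LOG):
        print(f"[{severity:6}] {where:16} {reason}: {detail}")
```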

Re: Virtumonde and Smitfraud infection

Post by Shaba » December 18th, 2008, 4:55 am

Hi Jhp

We will begin with ComboFix.

Please download ComboFix from one of these locations:

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

(screenshot of the ComboFix Recovery Console prompt not reproduced)

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

(screenshot of the ComboFix confirmation message not reproduced)

Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply along with a fresh HijackThis log.

This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


If you need help, see this link:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
Shaba
Admin/Teacher Emeritus
 
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland

Re: Virtumonde and Smitfraud infection

Post by Jhp » December 18th, 2008, 9:05 pm

Thanks so much for the reply! Let's beat this thing :)

ComboFix 08-12-18.01 - Jimmy 2008-12-18 19:43:37.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.2046.1000 [GMT -5:00]
Running from: c:\documents and settings\Jimmy\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\documents and settings\Jimmy\Application Data\gadcom
c:\documents and settings\Jimmy\Application Data\gadcom\gadcom.exe
c:\documents and settings\Jimmy\Application Data\GetModule
c:\documents and settings\Jimmy\Local Settings\Temporary Internet Files\fbk.sts
c:\program files\GetModule
c:\program files\GetModule\GetModule31.exe
c:\windows\system32\abxxrgjk.dll
c:\windows\system32\AutoRun.inf
c:\windows\system32\cffxpjpv.ini
c:\windows\system32\cjrctins.ini
c:\windows\system32\czkgvi.dll
c:\windows\system32\ddwcgtgm.dll
c:\windows\system32\DKRqAccf.ini
c:\windows\system32\DKRqAccf.ini2
c:\windows\system32\dqucqp.dll
c:\windows\system32\egukuhuh.ini
c:\windows\system32\fccAqRKD.dll
c:\windows\system32\fxfxrppx.dll
c:\windows\system32\gqyyekkj.ini
c:\windows\system32\gztbfw.dll
c:\windows\system32\hopijlyr.dll
c:\windows\system32\hvkoxmcf.dll
c:\windows\system32\iifcAsrQ.dll
c:\windows\system32\isjbcdko.dll
c:\windows\system32\iunqsgjk.dll
c:\windows\system32\jfxkup.dll
c:\windows\system32\jibuvuna.dll
c:\windows\system32\jjdfqjen.ini
c:\windows\system32\jkkeyyqg.dll
c:\windows\system32\jypxse.dll
c:\windows\system32\lncjnq.dll
c:\windows\system32\lrnggpjm.dll
c:\windows\system32\mmngecgu.ini
c:\windows\system32\nejqfdjj.dll
c:\windows\system32\ntkocyfs.dll
c:\windows\system32\pmnlKedc.dll
c:\windows\system32\pomijowu.dll
c:\windows\system32\psnknhkv.dll
c:\windows\system32\qepbfk.dll
c:\windows\system32\rjunmwhs.dll
c:\windows\system32\rnsaip.dll
c:\windows\system32\rvxmprot.ini
c:\windows\system32\ryljipoh.ini
c:\windows\system32\sdiyghuy.dll
c:\windows\system32\shwmnujr.ini
c:\windows\system32\snitcrjc.dll
c:\windows\system32\svwfgmkn.dll
c:\windows\system32\tfvrsqhy.ini
c:\windows\system32\tmp.reg
c:\windows\system32\torpmxvr.dll
c:\windows\system32\ugcegnmm.dll
c:\windows\system32\vkhnknsp.ini
c:\windows\system32\vmravilc.dll
c:\windows\system32\vobnmuau.dll
c:\windows\system32\vomuganu.dll
c:\windows\system32\vpjpxffc.dll
c:\windows\system32\vqwxcsqi.dll
c:\windows\system32\wmbdwcut.dll
c:\windows\system32\wpv411228549770.cpx
c:\windows\system32\wzqjld.dll
c:\windows\system32\xpprxfxf.ini
c:\windows\system32\xumfkv.dll
c:\windows\system32\xvlaom.dll
c:\windows\system32\yehifuni.dll
c:\windows\system32\yhqsrvft.dll
c:\windows\system32\yhuaew.dll
c:\windows\system32\yuhgyids.ini
c:\windows\Tasks\nztymkor.job
c:\windows\wiaserviv.log

----- BITS: Possible infected sites -----

hxxp://childhe.com
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_MSUPDATE
-------\Legacy_NPF
-------\Legacy_NTNDIS
-------\Legacy_OREANS32
-------\Service_oreans32


((((((((((((((((((((((((( Files Created from 2008-11-19 to 2008-12-19 )))))))))))))))))))))))))))))))
.

2008-12-18 16:39 . 2008-12-18 16:39 54,156 --ah----- c:\windows\QTFont.qfn
2008-12-18 16:39 . 2008-12-18 16:39 1,409 --a------ c:\windows\QTFont.for
2008-12-17 17:49 . 2008-12-17 17:49 410,984 --a------ c:\windows\system32\deploytk.dll
2008-12-16 18:34 . 2007-12-11 09:37 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Roxio
2008-12-16 18:34 . 2007-12-11 09:15 <DIR> d-------- c:\documents and settings\Administrator\Application Data\InstallShield
2008-12-16 18:34 . 2008-12-16 18:34 <DIR> d-------- c:\documents and settings\Administrator
2008-12-13 10:27 . 2008-12-13 10:27 <DIR> d-------- c:\program files\Common Files\Thraex Software
2008-12-10 17:10 . 2008-12-10 17:10 <DIR> d-------- C:\VundoFix Backups
2008-12-08 17:00 . 2008-12-08 17:00 <DIR> d-------- c:\windows\system32\config\systemprofile\Application Data\HPAppData
2008-11-29 12:23 . 2008-11-29 12:23 <DIR> d-------- c:\program files\GodzHellClient
2008-11-19 18:33 . 2008-11-19 18:33 <DIR> d-------- C:\.jagex_cache_32

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-19 00:56 --------- d-----w c:\program files\Steam
2008-12-18 21:08 31 ----a-w c:\documents and settings\Jimmy\jagex_runescape_preferences.dat
2008-12-17 22:49 --------- d-----w c:\program files\Java
2008-12-15 21:18 --------- d-----w c:\program files\World of Warcraft
2008-12-09 23:41 --------- d-----w c:\program files\Trend Micro
2008-12-04 18:41 --------- d-----w c:\program files\AV Vcs 6.0 DIAMOND
2008-11-23 15:48 --------- d-----w c:\program files\Common Files\Blizzard Entertainment
2008-11-13 02:11 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2008-11-12 21:23 --------- d-----w c:\program files\MSBuild
2008-11-12 21:20 --------- d-----w c:\program files\Reference Assemblies
2008-11-12 21:17 --------- d-----w c:\documents and settings\Jimmy\Application Data\Sony Setup
2008-11-12 20:54 --------- d-----w c:\documents and settings\Jimmy\Application Data\gtk-2.0
2008-11-04 04:32 --------- d-----w c:\documents and settings\All Users\Application Data\SwiftKit
2008-11-03 21:41 --------- d-----w c:\program files\Microsoft Silverlight
2008-11-02 23:24 --------- dcsh--w c:\program files\Common Files\WindowsLiveInstaller
2008-11-02 23:24 --------- d-----w c:\program files\Windows Live
2008-11-02 23:22 --------- d-----w c:\documents and settings\All Users\Application Data\WLInstaller
2008-11-02 23:21 2,400,784 ----a-w C:\WLinstaller.exe
2008-11-01 17:05 --------- d-----w c:\program files\HyCam2
2008-11-01 17:04 668,488 ----a-w C:\HC2Setup.exe
2008-10-28 21:35 --------- d-----w c:\documents and settings\Jimmy\Application Data\Sony
2008-10-28 21:34 --------- d-----w c:\program files\Vstplugins
2008-10-28 21:34 --------- d-----w c:\documents and settings\All Users\Application Data\Sony
2008-10-28 21:33 --------- d-----w c:\program files\Sony
2008-10-28 21:31 147,544,835 ----a-w C:\vegas70e_enu.exe
2008-10-25 21:28 --------- d-----w c:\documents and settings\All Users\Application Data\Blizzard
2008-10-24 11:10 453,632 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-23 20:40 --------- d-----w c:\program files\Panda Security
2008-10-23 00:30 --------- d-----w c:\program files\RegCleaner
2008-10-23 00:18 553,687 ----a-w C:\regcleaner.exe
2008-10-22 22:48 --------- d-----w c:\documents and settings\NetworkService\Application Data\Skype
2008-10-22 20:55 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-10-22 20:39 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-10-22 20:37 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-10-22 20:34 --------- d-----w c:\program files\Lavasoft
2008-10-22 20:34 --------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft
2008-10-22 19:42 --------- d-----w c:\program files\Common Files\Logishrd
2008-10-22 00:44 --------- d-----w c:\program files\Common Files\SureThing Shared
2008-10-22 00:38 --------- d-----w c:\program files\Windows Live Safety Center
2008-10-22 00:37 --------- d-----w c:\program files\Common Files\AOL
2008-10-22 00:30 --------- d-----w c:\program files\CCleaner
2008-10-22 00:27 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2008-10-22 00:27 --------- d-----w c:\documents and settings\Jimmy\Application Data\Malwarebytes
2008-10-22 00:27 --------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2008-10-22 00:20 --------- d-----w c:\documents and settings\All Users\Application Data\WholeSecurity
2008-10-21 01:00 --------- d-----w c:\documents and settings\NetworkService\Application Data\HPAppData
2008-10-07 20:43 61,588 -c--a-w c:\windows\BricoPackUninst.cmd
2008-10-07 20:43 5,417 -c--a-w c:\windows\BricoPackFoldersDelete.cmd
2008-10-02 23:40 7,127,451 ----a-w C:\Zip.zip
2008-07-22 14:35 0 -csh--w c:\program files\desktoq.ini
2005-12-03 04:58 1,982,464 ----a-w c:\program files\Vistab2.msstyles
2008-07-22 14:25 14,080 --sha-w c:\windows\system32\mssjfilejf.dll
2008-07-22 14:25 20,192 --sha-w c:\windows\system32\vcrxfileju.dll
.

------- Sigcheck -------

2007-06-13 05:23 975360 9784e0719124e4a23989aef9e7ca02d6 c:\windows\explorer.exe
2007-06-13 06:26 1033216 7712df0cdde3a5ac89843e61cd5b3658 c:\windows\$hf_mig$\KB938828\SP2QFE\explorer.exe
2008-04-13 19:12 1033728 12896823fb95bfb3dc9b46bcaedc9923 c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\explorer.exe
2007-06-13 05:23 975360 9784e0719124e4a23989aef9e7ca02d6 c:\windows\system32\dllcache\explorer.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"Steam"="c:\program files\steam\steam.exe" [2008-12-11 1410296]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-07-07 2156368]
"Google Update"="c:\documents and settings\Jimmy\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-12-16 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-07-09 851968]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-06-06 8429568]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-06-06 81920]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2007-07-03 1228800]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2007-05-09 1392640]
"KADxMain"="c:\windows\system32\KADxMain.exe" [2006-11-02 282624]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-10-03 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-10-03 81920]
"pccguide.exe"="c:\program files\Trend Micro\Internet Security 14\pccguide.exe" [2006-11-21 1807960]
"PCMService"="c:\program files\Dell\MediaDirect\PCMService.exe" [2007-04-16 184320]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-10-09 16384]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-01-10 385024]
"ddoctorv2"="c:\program files\Comcast\Desktop Doctor\bin\sprtcmd.exe" [2008-04-24 202560]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-17 136600]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2006-11-05 221184]
"RoxioDragToDisc"="c:\program files\Roxio\Drag-to-Disc\DrgToDsc.exe" [2006-08-17 1116920]
"nwiz"="nwiz.exe" [2007-06-06 c:\windows\system32\nwiz.exe]
"NVHotkey"="nvHotkey.dll" [2007-06-06 c:\windows\system32\nvhotkey.dll]

c:\documents and settings\Jimmy\Start Menu\Programs\Startup\
RocketDock.lnk - c:\windows\BricoPacks\Vista Inspirat 2\RocketDock\RocketDock.exe [2007-03-18 630784]
TransBar.lnk - c:\windows\BricoPacks\Vista Inspirat 2\TransBar\TransBar.exe [2005-06-01 65536]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2007-12-11 50688]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Dell\\MediaDirect\\PCMService.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\Steam\\SteamApps\\pishockj\\counter-strike source\\hl2.exe"=
"c:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpCtr.exe"=
"c:\\Program Files\\Steam\\steam.exe"=
"c:\\SRCDS\\srcds.exe"=
"c:\\Program Files\\Steam\\SteamApps\\pishockj\\source dedicated server\\srcds.exe"=
"c:\\Program Files\\Steam\\SteamApps\\pishockj\\counter-strike\\hl.exe"=
"c:\\Program Files\\Steam\\SteamApps\\pishockj\\zombie panic! source\\hl2.exe"=
"c:\\Program Files\\Steam\\SteamApps\\jimmyjhp\\counter-strike source\\hl2.exe"=
"c:\\Program Files\\Steam\\SteamApps\\pishockj\\age of chivalry\\hl2.exe"=
"c:\\Program Files\\Steam\\SteamApps\\pishockj\\half-life 2 deathmatch\\hl2.exe"=
"c:\\Program Files\\Steam\\SteamApps\\pishockj\\insurgency\\hl2.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2008-10-23 28544]
R2 MS NtSvr;MS NtSvr(MS NetWork Services);c:\windows\system32\msnetwk.exe [2008-07-10 167989]
R2 Tmntsrv;Trend Micro Real-time Service;c:\progra~1\TRENDM~1\INTERN~1\Tmntsrv.exe [2007-11-08 345696]
R2 TmPfw;Trend Micro Personal Firewall;c:\progra~1\TRENDM~1\INTERN~1\TmPfw.exe [2007-11-08 923216]
R2 tmpreflt;tmpreflt;c:\windows\system32\DRIVERS\tmpreflt.sys [2007-11-08 36368]
R2 tmproxy;Trend Micro Proxy Service;c:\progra~1\TRENDM~1\INTERN~1\tmproxy.exe [2007-11-08 566872]
R2 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\Viewpoint\Common\ViewpointService.exe" [2007-12-25 24652]
R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\DRIVERS\TM_CFW.sys [2007-11-08 280392]
S3 XDva143;XDva143;\??\c:\windows\system32\XDva143.sys []
S3 XDva186;XDva186;\??\c:\windows\system32\XDva186.sys []

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2008-06-13 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 14:57]

2008-12-18 c:\windows\Tasks\GoogleUpdateTaskUser.job
- c:\documents and settings\Jimmy\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-12-16 19:29]

2008-12-19 c:\windows\Tasks\SDMsgUpdate (TE).job
- c:\progra~1\SMARTD~1\Messages\SDNotify.exe [2007-09-26 08:53]
.
- - - - ORPHANS REMOVED - - - -

BHO-{1B93547F-5CE9-4E60-B3B8-15AE6B6F93B7} - (no file)
BHO-{1D03BF11-3729-4CDF-8C1A-4B0AFD45326A} - (no file)
BHO-{467B24BD-D8BF-453F-9DB2-B58CF8EC364F} - (no file)
BHO-{55af58ab-9339-400d-9c9c-1a83e921e47f} - (no file)
BHO-{5a4627ce-385a-4f3a-8a1e-8a80a3406117} - c:\windows\system32\pomijowu.dll
BHO-{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - (no file)
BHO-{90F5A359-914F-40CF-B406-082EA7F8744D} - (no file)
BHO-{96719b7c-ae33-4fa4-bc27-d06f357a6800} - c:\windows\system32\czkgvi.dll
BHO-{B3AA6D76-A5DA-4C05-9DC1-E061E0E4528C} - (no file)
BHO-{B5F009B0-1266-4AF5-B6D5-E35FEC70E4BB} - (no file)
BHO-{D84D0C23-346A-4BC2-B3A9-1CA2C1414903} - c:\windows\system32\fccAqRKD.dll
BHO-{E0EF78AE-5534-40FC-866D-419739FEA10C} - (no file)
HKLM-Run-WinampAgent - c:\program files\Winamp\winampa.exe
ShellExecuteHooks-{0035B7B8-D7A2-456A-AE04-EB9ABF822FE4} - (no file)
ShellExecuteHooks-{00556B12-E883-4899-BD2E-1B6F926757E7} - c:\docume~1\Jimmy\LOCALS~1\Temp\buindexs.dll
ShellExecuteHooks-{E8606370-4F7A-4C2F-A39C-EDCDCC177924} - c:\windows\system32\
ShellExecuteHooks-{004883F7-40D7-462A-B449-302C887C148F} - C:\W
ShellExecuteHooks-{C51C4AFB-2A3A-6C2E-BA41-C10F02760731} - c:\docume~1\Jimmy\LOCALS~1\Temp\xptwpsylgfile.dll
Notify-iifcAsrQ - (no file)


.
------- Supplementary Scan -------
.
mStart Page = hxxp://www.comcast.net/
mWindow Title = Windows Internet Explorer provided by Comcast
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: {EC46BC7F-E5D7-4F5B-A70B-3C2C37C1861C} = 68.87.64.146,68.87.75.194

c:\program files\Common Files\supportsoft\bin\tgctlsi.dll - c:\windows\Downloaded Program Files\sprtexternal.dll
O16 -: {42D06124-98A2-47EC-8098-3778B58CE7D5}
hxxps://actsvr.comcastonline.com/techto ... ntrols.cab
c:\windows\Downloaded Program Files\sprtexternal.inf
FF - ProfilePath - c:\documents and settings\Jimmy\Application Data\Mozilla\Firefox\Profiles\3mkdxskb.default\
FF - prefs.js: browser.search.selectedEngine - Zybez Item Database
FF - prefs.js: browser.startup.homepage - hxxp://www.zybez.net/
FF - plugin: c:\program files\Microsoft Silverlight\2.0.31005.0\npctrl.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll

ATTENTION: FIREFOX POLICES IS IN FORCE
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("general.useragent.vendorComment", "ax");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("security.xpconnect.activex.global.hosting_flags", 9);
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("security.classID.allowByDefault", false);
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID6BF52A52-394A-11D3-B153-00C04F79FAA6", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID22D6F312-B0F6-11D0-94AB-0080C74C7E95", "AllAccess");
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-18 19:55:55
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(992)
c:\windows\System32\BCMLogon.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\WLTRYSVC.EXE
c:\windows\system32\BCMWLTRY.EXE
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\progra~1\TRENDM~1\INTERN~1\PcCtlCom.exe
c:\windows\system32\PnkBstrA.exe
c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
c:\program files\Comcast\Desktop Doctor\bin\sprtsvc.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\rundll32.exe
c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\CPSHelpRunner.exe
.
**************************************************************************
.
Completion time: 2008-12-18 20:02:49 - machine was rebooted
ComboFix-quarantined-files.txt 2008-12-19 01:02:46

Pre-Run: 23,162,118,144 bytes free
Post-Run: 23,076,966,400 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

339 --- E O F --- 2008-11-14 01:39:32

*********************************************************************************

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:04:05 PM, on 12/18/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\msnetwk.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PccGuide.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Dell\MediaDirect\PCMService.exe
C:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe
C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Jimmy\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\CPSHelpRunner.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Jimmy\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Jimmy\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Program Files\Trend Micro\HijackThis\scanner.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = http://www.google.com/ig/dell?hl=en&cli ... bd=0071211
O2 - BHO: HP Print Clips - {053F9267-DC04-4294-A72C-58F732D338C0} - C:\Program Files\HP\Smart Web Printing\hpswp_framework.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: PayPal Plug-In - {DC0F2F93-27FA-4f84-ACAA-9416F90B9511} - C:\Program Files\PayPal\PayPal Plug-In\OToolbar.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [NVHotkey] rundll32.exe nvHotkey.dll,Start
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [KADxMain] C:\WINDOWS\system32\KADxMain.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 14\pccguide.exe"
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\MediaDirect\PCMService.exe"
O4 - HKLM\..\Run: [dscactivate] "%ProgramFiles%\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ddoctorv2] "C:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exe" /P ddoctorv2
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Jimmy\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - Startup: RocketDock.lnk = C:\WINDOWS\BricoPacks\Vista Inspirat 2\RocketDock\RocketDock.exe
O4 - Startup: TransBar.lnk = C:\WINDOWS\BricoPacks\Vista Inspirat 2\TransBar\TransBar.exe
O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: HP Clipbook - {58ECB495-38F0-49cb-A538-10282ABF65E7} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: HP Smart Select - {700259D7-1666-479a-93B1-3250410481E8} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {42D06124-98A2-47EC-8098-3778B58CE7D5} (SupportSoft External Control) - https://actsvr.comcastonline.com/techto ... ntrols.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{EC46BC7F-E5D7-4F5B-A70B-3C2C37C1861C}: NameServer = 68.87.64.146,68.87.75.194
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: SupportSoft Sprocket Service (ddoctorv2) (sprtsvc_ddoctorv2) - SupportSoft, Inc. - C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 9543 bytes
Jhp
Regular Member
Posts: 23
Joined: December 15th, 2008, 6:23 pm

Re: Virtumonde and Smitfraud infection

Post by Shaba » December 19th, 2008, 4:34 am

To access the Uninstall Manager you would do the following:

1. Start HijackThis
2. Click on the Config button
3. Click on the Misc Tools button
4. Click on the Open Uninstall Manager button.

You will now be presented with a screen similar to the one below:

Image

5. Click on the Save list... button and specify where you would like to save this file. When you press the Save button, a Notepad window will open with the contents of that file. Simply copy and paste the contents of that Notepad window here in your next reply.
Shaba
Admin/Teacher Emeritus
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland

Re: Virtumonde and Smitfraud infection

Post by Jhp » December 19th, 2008, 5:26 pm

I have noticed a considerable increase in speed since what you did with ComboFix; thanks again.
Here's the log.


2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
32 Bit HP CIO Components Installer
Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742)
Adobe Flash Player 10 Plugin
Adobe Flash Player ActiveX
Adobe Reader 8.1.2
Adobe Shockwave Player
Age of Chivalry
Apple Mobile Device Support
Apple Software Update
AV Voice Changer Software DIAMOND 6.0
Broadcom Management Programs
Browser Address Error Redirector
CCleaner (remove only)
Colorizer 1.0.0.1
Condition Zero
Conexant HDA D330 MDC V.92 Modem
Counter-Strike
Counter-Strike: Source
Dell DataSafe Online
Dell Support Center
Dell Touchpad
Dell Wireless WLAN Card
Desktop Doctor
Digital Line Detect
Documentation & Support Launcher
EZ Vinyl Converter by MixMeister 1.0.5
Game Cam v1.4
Games, Music, & Photos Launcher
GIMP 2.4.7
Half-Life 2
Half-Life Dedicated Server Update Tool
High Definition Audio Driver Package - KB835221
HijackThis 2.0.2
Hotfix for Windows XP (KB952287)
HP Customer Participation Program 9.0
HP Imaging Device Functions 9.0
HP OCR Software 9.0
HP Photosmart All-In-One Software 9.0
HP Photosmart Essential 2.01
HP Smart Web Printing
HP Solution Center 9.0
HP Update
HPSSupply
HyperCam 2
Insurgency
IntelliSonic Speech Enhancement
Internet Service Offers Launcher
iTunes
J2SE Runtime Environment 5.0 Update 6
Java(TM) 6 Update 11
Java(TM) 6 Update 5
LimeWire 4.14.12
Malwarebytes' Anti-Malware
MediaDirect
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 1
Microsoft .NET Framework 3.0
Microsoft .NET Framework 3.0
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
Microsoft Office Excel MUI (English) 2007
Microsoft Office Home and Student 2007
Microsoft Office Home and Student 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Plus! Digital Media Edition Installer
Microsoft Plus! Photo Story 2 LE
Microsoft Silverlight
Microsoft Visual C++ 2005 Redistributable
Modem Diagnostic Tool
Mozilla Firefox (3.0.4)
MSN
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 Parser and SDK
MSXML 6 Service Pack 2 (KB954459)
Musicmatch for Windows Media Player
NetWaiting
NVIDIA Drivers
OutlookAddinSetup
PacCafe
Pack Vista Inspirat 2 1.0
Panda ActiveScan 2.0
PayPal Plug-In
Peggle Extreme
Porrasturvat - Stair Dismount
Portal
Project64 1.6
PTFB Pro 3.5.1.1
QuickSet
QuickTime
Roxio Creator Audio
Roxio Creator BDAV Plugin
Roxio Creator Copy
Roxio Creator Data
Roxio Creator DE
Roxio Creator Tools
Roxio Drag-to-Disc
Roxio Express Labeler
Roxio MyDVD DE
Roxio Update Manager
SearchAssist
Security Update for 2007 Microsoft Office System (KB951550)
Security Update for 2007 Microsoft Office System (KB951944)
Security Update for 2007 Microsoft Office System (KB958439)
Security Update for Microsoft Office Excel 2007 (KB958437)
Security Update for Microsoft Office OneNote 2007 (KB950130)
Security Update for Microsoft Office PowerPoint 2007 (KB951338)
Security Update for Microsoft Office system 2007 (KB954326)
Security Update for Microsoft Office system 2007 (KB956828)
Security Update for Microsoft Office Word 2007 (KB956358)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Media Player (KB952069)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB937143)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB941568)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB941644)
Security Update for Windows XP (KB941693)
Security Update for Windows XP (KB943055)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB943485)
Security Update for Windows XP (KB944338)
Security Update for Windows XP (KB944533)
Security Update for Windows XP (KB944653)
Security Update for Windows XP (KB945553)
Security Update for Windows XP (KB946026)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB947864)
Security Update for Windows XP (KB948590)
Security Update for Windows XP (KB948881)
Security Update for Windows XP (KB950749)
Security Update for Windows XP (KB950759)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953838)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956390)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958215)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB960714)
Skype™ 3.6
Sonic Activation Module
Sony Media Manager 2.2
Sony Vegas 7.0
Source Dedicated Server
Source SDK
Spybot - Search & Destroy
Steam(TM)
SwiftKit
System Requirements Lab
Trend Micro PC-cillin Internet Security 14
Trend Micro PC-cillin Internet Security 14
Truck Dismount (remove only)
Update for Office 2007 (KB946691)
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB925720)
Update for Windows XP (KB927891)
Update for Windows XP (KB930916)
Update for Windows XP (KB936357)
Update for Windows XP (KB942763)
Update for Windows XP (KB942840)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB955839)
Ventrilo Client
Viewpoint Media Player
Windows Communication Foundation
Windows Imaging Component
Windows Live installer
Windows Live Messenger
Windows Media Format Runtime
Windows Media Player 10
Windows Media Player 10
Windows Presentation Foundation
Windows Workflow Foundation
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
WinRAR archiver
Jhp
Regular Member
Posts: 23
Joined: December 15th, 2008, 6:23 pm

Re: Virtumonde and Smitfraud infection

Post by Shaba » December 20th, 2008, 5:43 am

IMPORTANT: I notice there are signs of one or more P2P (Peer to Peer) File Sharing Programs on your computer.

LimeWire 4.14.12

I'd like you to read the MRU policy for P2P Programs.

Please go to Control Panel > Add/Remove Programs and uninstall the programs listed above (in red).

Uninstall also these:

J2SE Runtime Environment 5.0 Update 6
Java(TM) 6 Update 5

Please run a new uninstall list scan when finished and post the log back here.
Shaba
Admin/Teacher Emeritus
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland

Re: Virtumonde and Smitfraud infection

Post by Jhp » December 20th, 2008, 6:07 pm

Removed all programs requested. Thanks again.


2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
32 Bit HP CIO Components Installer
Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742)
Adobe Flash Player 10 Plugin
Adobe Flash Player ActiveX
Adobe Reader 8.1.2
Adobe Shockwave Player
Age of Chivalry
Apple Mobile Device Support
Apple Software Update
AV Voice Changer Software DIAMOND 6.0
Broadcom Management Programs
Browser Address Error Redirector
CCleaner (remove only)
Colorizer 1.0.0.1
Condition Zero
Conexant HDA D330 MDC V.92 Modem
Counter-Strike
Counter-Strike: Source
Dell DataSafe Online
Dell Support Center
Dell Touchpad
Dell Wireless WLAN Card
Desktop Doctor
Digital Line Detect
Documentation & Support Launcher
EZ Vinyl Converter by MixMeister 1.0.5
Game Cam v1.4
Games, Music, & Photos Launcher
GIMP 2.4.7
Half-Life 2
Half-Life Dedicated Server Update Tool
High Definition Audio Driver Package - KB835221
HijackThis 2.0.2
Hotfix for Windows XP (KB952287)
HP Customer Participation Program 9.0
HP Imaging Device Functions 9.0
HP OCR Software 9.0
HP Photosmart All-In-One Software 9.0
HP Photosmart Essential 2.01
HP Smart Web Printing
HP Solution Center 9.0
HP Update
HPSSupply
HyperCam 2
Insurgency
IntelliSonic Speech Enhancement
Internet Service Offers Launcher
iTunes
Java(TM) 6 Update 11
Malwarebytes' Anti-Malware
MediaDirect
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 1
Microsoft .NET Framework 3.0
Microsoft .NET Framework 3.0
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
Microsoft Office Excel MUI (English) 2007
Microsoft Office Home and Student 2007
Microsoft Office Home and Student 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Plus! Digital Media Edition Installer
Microsoft Plus! Photo Story 2 LE
Microsoft Silverlight
Microsoft Visual C++ 2005 Redistributable
Modem Diagnostic Tool
Mozilla Firefox (3.0.4)
MSN
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 Parser and SDK
MSXML 6 Service Pack 2 (KB954459)
Musicmatch for Windows Media Player
NetWaiting
NVIDIA Drivers
OutlookAddinSetup
PacCafe
Pack Vista Inspirat 2 1.0
Panda ActiveScan 2.0
PayPal Plug-In
Peggle Extreme
Porrasturvat - Stair Dismount
Portal
Project64 1.6
PTFB Pro 3.5.1.1
QuickSet
QuickTime
Roxio Creator Audio
Roxio Creator BDAV Plugin
Roxio Creator Copy
Roxio Creator Data
Roxio Creator DE
Roxio Creator Tools
Roxio Drag-to-Disc
Roxio Express Labeler
Roxio MyDVD DE
Roxio Update Manager
SearchAssist
Security Update for 2007 Microsoft Office System (KB951550)
Security Update for 2007 Microsoft Office System (KB951944)
Security Update for 2007 Microsoft Office System (KB958439)
Security Update for Microsoft Office Excel 2007 (KB958437)
Security Update for Microsoft Office OneNote 2007 (KB950130)
Security Update for Microsoft Office PowerPoint 2007 (KB951338)
Security Update for Microsoft Office system 2007 (KB954326)
Security Update for Microsoft Office system 2007 (KB956828)
Security Update for Microsoft Office Word 2007 (KB956358)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Media Player (KB952069)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB937143)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB941568)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB941644)
Security Update for Windows XP (KB941693)
Security Update for Windows XP (KB943055)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB943485)
Security Update for Windows XP (KB944338)
Security Update for Windows XP (KB944533)
Security Update for Windows XP (KB944653)
Security Update for Windows XP (KB945553)
Security Update for Windows XP (KB946026)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB947864)
Security Update for Windows XP (KB948590)
Security Update for Windows XP (KB948881)
Security Update for Windows XP (KB950749)
Security Update for Windows XP (KB950759)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953838)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956390)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958215)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB960714)
Skype™ 3.6
Sonic Activation Module
Sony Media Manager 2.2
Sony Vegas 7.0
Source Dedicated Server
Source SDK
Spybot - Search & Destroy
Steam(TM)
SwiftKit
System Requirements Lab
Trend Micro PC-cillin Internet Security 14
Trend Micro PC-cillin Internet Security 14
Truck Dismount (remove only)
Update for Office 2007 (KB946691)
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB925720)
Update for Windows XP (KB927891)
Update for Windows XP (KB930916)
Update for Windows XP (KB936357)
Update for Windows XP (KB942763)
Update for Windows XP (KB942840)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB955839)
Ventrilo Client
Viewpoint Media Player
Windows Communication Foundation
Windows Imaging Component
Windows Live installer
Windows Live Messenger
Windows Media Format Runtime
Windows Media Player 10
Windows Media Player 10
Windows Presentation Foundation
Windows Workflow Foundation
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
WinRAR archiver
Jhp
Regular Member
Posts: 23
Joined: December 15th, 2008, 6:23 pm

Re: Virtumonde and Smitfraud infection

Post by Shaba » December 21st, 2008, 5:42 am

I'd like you to check a file for malware.
c:\windows\explorer.exe

  • Copy/Paste the first file on the list into the white Upload a file box.
  • Click Send/Submit, and the file will upload to VirusTotal/Jotti, where it will be scanned by several anti-virus programmes.
  • After a while, a window will open, with details of what the scans found.
  • Save the complete results in a Notepad/Word document on your desktop.
  • Post back results here, please.
Shaba
Admin/Teacher Emeritus
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland

Re: Virtumonde and Smitfraud infection

Post by Jhp » December 21st, 2008, 12:10 pm

Looks to me like none was found! :cheers:


File 9784e0719124e4a23989aef9e7ca02d6 received on 11.18.2008 22:28:29 (CET)
Antivirus Version Last Update Result
AhnLab-V3 2008.11.18.2 2008.11.18 -
AntiVir 7.9.0.31 2008.11.18 -
Authentium 5.1.0.4 2008.11.18 -
Avast 4.8.1281.0 2008.11.18 -
AVG 8.0.0.199 2008.11.18 -
BitDefender 7.2 2008.11.18 -
CAT-QuickHeal 10.00 2008.11.18 -
ClamAV 0.94.1 2008.11.18 -
DrWeb 4.44.0.09170 2008.11.18 -
eSafe 7.0.17.0 2008.11.18 -
eTrust-Vet 31.6.6214 2008.11.18 -
Ewido 4.0 2008.11.18 -
F-Prot 4.4.4.56 2008.11.18 -
F-Secure 8.0.14332.0 2008.11.18 -
Fortinet 3.117.0.0 2008.11.18 -
GData 19 2008.11.18 -
Ikarus T3.1.1.45.0 2008.11.18 -
K7AntiVirus 7.10.527 2008.11.18 -
Kaspersky 7.0.0.125 2008.11.18 -
McAfee 5438 2008.11.18 -
Microsoft 1.4104 2008.11.17 -
NOD32 3623 2008.11.18 -
Norman 5.80.02 2008.11.18 -
Panda 9.0.0.4 2008.11.18 -
PCTools 4.4.2.0 2008.11.18 -
Prevx1 V2 2008.11.18 -
Rising 21.04.12.00 2008.11.18 -
SecureWeb-Gateway 6.7.6 2008.11.18 -
Sophos 4.35.0 2008.11.18 -
Sunbelt 3.1.1801.2 2008.11.14 -
Symantec 10 2008.11.18 -
TheHacker 6.3.1.1.157 2008.11.18 -
TrendMicro 8.700.0.1004 2008.11.18 -
VBA32 3.12.8.9 2008.11.18 -
ViRobot 2008.11.18.1474 2008.11.18 -
VirusBuster 4.5.11.0 2008.11.18 -
Additional information
File size: 975360 bytes
MD5...: 9784e0719124e4a23989aef9e7ca02d6
SHA1..: 401d4d0353eb9cc7dd534896a42ea2388d8cfe6c
SHA256: 512e2ff62feaa213c9a95e55cea3af402851a1b8d816d373e542aeeaa06af807
SHA512: dea578947d5bd883cfd493db00dc90f12399e351b0266119a9fb063b5dce8cb19e9d63a4556f8ba6925f1ce34eab9ca455fb4041a27aa59d55d301494a677640
RemovePropW, GetClassNameW, GetDCEx, SetCursorPos, ChildWindowFromPoint, ChangeDisplaySettingsW, RegisterHotKey, UnregisterHotKey, SetCursor, SendMessageTimeoutW, GetWindowPlacement, LoadImageW, SetWindowRgn, IntersectRect, OffsetRect, EnumDisplayMonitors, RedrawWindow, SubtractRect, TranslateAcceleratorW, WaitMessage, InflateRect, CallWindowProcW, GetDlgCtrlID, SetCapture, LockSetForegroundWindow, CopyRect, SystemParametersInfoW, FindWindowW, CreatePopupMenu, GetMenuDefaultItem, DestroyMenu, GetShellWindow, EnumChildWindows, GetWindowLongW, SendMessageW, RegisterWindowMessageW, GetKeyState, MonitorFromRect, MonitorFromPoint, RegisterClassW, SetPropW, GetWindowLongA, SetWindowLongW, FillRect, GetCursorPos, PtInRect, MessageBoxW, LoadStringW, ReleaseDC, GetDC, EnumDisplaySettingsExW, EnumDisplayDevicesW, PostMessageW, DispatchMessageW, TranslateMessage, GetMessageW, PeekMessageW, BeginPaint, EndPaint, SetWindowTextW, GetAsyncKeyState, InvalidateRect, GetWindow, ShowWindowAsync, TrackPopupMenuEx, UpdateWindow, DestroyIcon, IsRectEmpty, SetActiveWindow, GetSysColor, DrawTextW, IsHungAppWindow, SetTimer, GetMenuItemID, TrackPopupMenu, EndTask, SendMessageCallbackW, GetClassLongW, LoadIconW, OpenInputDesktop, CloseDesktop, SetScrollPos, ShowWindow, BringWindowToTop, GetDesktopWindow, CascadeWindows, CharUpperBuffW, SwitchToThisWindow, InternalGetWindowText, GetScrollInfo, GetMenuItemCount, ModifyMenuW, CreateWindowExW, DialogBoxParamW, MsgWaitForMultipleObjects, CharNextA, RegisterClipboardFormatW, EndDeferWindowPos, DeferWindowPos, BeginDeferWindowPos, PrintWindow, SetClassLongW, GetPropW, GetNextDlgGroupItem, GetNextDlgTabItem, ChildWindowFromPointEx, IsChild, NotifyWinEvent, TrackMouseEvent, GetCapture, GetAncestor, CharUpperW, SetWindowLongA, DrawCaption, InsertMenuW, IsWindowEnabled, GetMenuState, LoadCursorW, GetParent, IsDlgButtonChecked, DestroyWindow, EnumWindows, IsWindowVisible, GetClientRect, UnionRect, EqualRect, GetWindowThreadProcessId, 
GetForegroundWindow, KillTimer, GetClassInfoExW, DefWindowProcW, RegisterClassExW, GetIconInfo, SetScrollInfo, GetLastActivePopup, SetForegroundWindow, IsWindow, GetSystemMenu, IsIconic, IsZoomed, EnableMenuItem, SetMenuDefaultItem, MonitorFromWindow, GetMonitorInfoW, GetWindowInfo, GetFocus, SetFocus, MapWindowPoints, ScreenToClient, ClientToScreen, GetWindowRect, SetWindowPos, DeleteMenu, GetMenuItemInfoW, SetMenuItemInfoW, CharNextW<br>> UxTheme.dll: GetThemeBackgroundContentRect, GetThemeBool, GetThemePartSize, DrawThemeParentBackground, OpenThemeData, DrawThemeBackground, GetThemeTextExtent, DrawThemeText, CloseThemeData, SetWindowTheme, GetThemeBackgroundRegion, -, GetThemeMargins, GetThemeColor, GetThemeFont, GetThemeRect, IsAppThemed<br><br>( 0 exports ) <br>
Jhp
Regular Member
 
Posts: 23
Joined: December 15th, 2008, 6:23 pm

Re: Virtumonde and Smitfraud infection

Unread postby Shaba » December 21st, 2008, 12:28 pm

Open notepad and copy/paste the text in the codebox below into it:

Code:
File::
c:\windows\system32\msnetwk.exe

Folder::
c:\Program Files\LimeWire
c:\Program Files\DNA

Driver::
"MS NtSvr"

Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\LimeWire\\LimeWire.exe"=-
"c:\\Program Files\\DNA\\btdna.exe"=-


Save this as "CFScript"

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

Image

This will start ComboFix again. After the reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

ComboFix should never take more than 20 minutes, including the reboot, if malware is detected.
If it does, open Task Manager (press Ctrl, Alt and Del at the same time), go to the Processes tab and end any findstr, find, sed or swreg processes; ComboFix should then continue.
Shaba
Admin/Teacher Emeritus
 
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland

Re: Virtumonde and Smitfraud infection

Unread postby Jhp » December 21st, 2008, 3:09 pm

I realize that uTorrent is a P2P sharing program, but I need it for something I'm doing today. I will remove it after I'm finished. :oops:


ComboFix 08-12-18.01 - Jimmy 2008-12-21 13:57:34.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.2046.1195 [GMT -5:00]
Running from: c:\documents and settings\Jimmy\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Jimmy\Desktop\cfscript.txt
* Created a new restore point

FILE ::
c:\windows\system32\msnetwk.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\DNA
c:\program files\DNA\btdna.exe
c:\program files\DNA\DNAcpl.cpl
c:\program files\DNA\plugins\npbtdna.dll
c:\program files\LimeWire
c:\program files\LimeWire\hs_err_pid216.log
c:\program files\LimeWire\hs_err_pid2348.log
c:\program files\LimeWire\hs_err_pid3524.log
c:\program files\LimeWire\limewire.m3u
c:\program files\LimeWire\Playlist 1.m3u
c:\program files\LimeWire\soilwork.m3u
c:\windows\system32\msnetwk.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_MS_NTSVR
-------\Service_MS NtSvr


((((((((((((((((((((((((( Files Created from 2008-11-21 to 2008-12-21 )))))))))))))))))))))))))))))))
.

2008-12-21 11:29 . 2008-12-21 14:01 <DIR> d-------- c:\program files\PeerGuardian2
2008-12-21 11:17 . 2008-12-21 11:17 <DIR> d-------- c:\program files\uTorrent
2008-12-21 11:17 . 2008-12-21 13:55 <DIR> d-------- c:\documents and settings\Jimmy\Application Data\uTorrent
2008-12-20 17:01 . 2008-12-17 17:49 73,728 --a------ c:\windows\system32\javacpl.cpl
2008-12-18 16:39 . 2008-12-19 16:28 54,156 --ah----- c:\windows\QTFont.qfn
2008-12-18 16:39 . 2008-12-18 16:39 1,409 --a------ c:\windows\QTFont.for
2008-12-17 17:49 . 2008-12-17 17:49 410,984 --a------ c:\windows\system32\deploytk.dll
2008-12-16 18:34 . 2007-12-11 09:37 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Roxio
2008-12-16 18:34 . 2007-12-11 09:15 <DIR> d-------- c:\documents and settings\Administrator\Application Data\InstallShield
2008-12-16 18:34 . 2008-12-16 18:34 <DIR> d-------- c:\documents and settings\Administrator
2008-12-13 10:27 . 2008-12-13 10:27 <DIR> d-------- c:\program files\Common Files\Thraex Software
2008-12-10 17:10 . 2008-12-10 17:10 <DIR> d-------- C:\VundoFix Backups
2008-12-08 17:00 . 2008-12-08 17:00 <DIR> d-------- c:\windows\system32\config\systemprofile\Application Data\HPAppData
2008-11-29 12:23 . 2008-11-29 12:23 <DIR> d-------- c:\program files\GodzHellClient

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-21 19:04 --------- d-----w c:\program files\Steam
2008-12-21 16:27 31 ----a-w c:\documents and settings\Jimmy\jagex_runescape_preferences.dat
2008-12-20 22:01 --------- d-----w c:\program files\Java
2008-12-19 02:15 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2008-12-15 21:18 --------- d-----w c:\program files\World of Warcraft
2008-12-09 23:41 --------- d-----w c:\program files\Trend Micro
2008-12-04 18:41 --------- d-----w c:\program files\AV Vcs 6.0 DIAMOND
2008-11-23 15:48 --------- d-----w c:\program files\Common Files\Blizzard Entertainment
2008-11-12 21:23 --------- d-----w c:\program files\MSBuild
2008-11-12 21:20 --------- d-----w c:\program files\Reference Assemblies
2008-11-12 21:17 --------- d-----w c:\documents and settings\Jimmy\Application Data\Sony Setup
2008-11-12 20:54 --------- d-----w c:\documents and settings\Jimmy\Application Data\gtk-2.0
2008-11-04 04:32 --------- d-----w c:\documents and settings\All Users\Application Data\SwiftKit
2008-11-03 21:41 --------- d-----w c:\program files\Microsoft Silverlight
2008-11-02 23:24 --------- dcsh--w c:\program files\Common Files\WindowsLiveInstaller
2008-11-02 23:24 --------- d-----w c:\program files\Windows Live
2008-11-02 23:22 --------- d-----w c:\documents and settings\All Users\Application Data\WLInstaller
2008-11-02 23:21 2,400,784 ----a-w C:\WLinstaller.exe
2008-11-01 17:05 --------- d-----w c:\program files\HyCam2
2008-11-01 17:04 668,488 ----a-w C:\HC2Setup.exe
2008-10-28 21:35 --------- d-----w c:\documents and settings\Jimmy\Application Data\Sony
2008-10-28 21:34 --------- d-----w c:\program files\Vstplugins
2008-10-28 21:34 --------- d-----w c:\documents and settings\All Users\Application Data\Sony
2008-10-28 21:33 --------- d-----w c:\program files\Sony
2008-10-28 21:31 147,544,835 ----a-w C:\vegas70e_enu.exe
2008-10-25 21:28 --------- d-----w c:\documents and settings\All Users\Application Data\Blizzard
2008-10-24 11:10 453,632 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-23 20:40 --------- d-----w c:\program files\Panda Security
2008-10-23 00:30 --------- d-----w c:\program files\RegCleaner
2008-10-23 00:18 553,687 ----a-w C:\regcleaner.exe
2008-10-22 22:48 --------- d-----w c:\documents and settings\NetworkService\Application Data\Skype
2008-10-22 20:55 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-10-22 20:39 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-10-22 20:37 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-10-22 20:34 --------- d-----w c:\program files\Lavasoft
2008-10-22 20:34 --------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft
2008-10-22 19:42 --------- d-----w c:\program files\Common Files\Logishrd
2008-10-22 00:44 --------- d-----w c:\program files\Common Files\SureThing Shared
2008-10-22 00:38 --------- d-----w c:\program files\Windows Live Safety Center
2008-10-22 00:37 --------- d-----w c:\program files\Common Files\AOL
2008-10-22 00:30 --------- d-----w c:\program files\CCleaner
2008-10-22 00:27 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2008-10-22 00:27 --------- d-----w c:\documents and settings\Jimmy\Application Data\Malwarebytes
2008-10-22 00:27 --------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2008-10-22 00:20 --------- d-----w c:\documents and settings\All Users\Application Data\WholeSecurity
2008-10-21 01:00 --------- d-----w c:\documents and settings\NetworkService\Application Data\HPAppData
2008-10-07 20:43 61,588 -c--a-w c:\windows\BricoPackUninst.cmd
2008-10-07 20:43 5,417 -c--a-w c:\windows\BricoPackFoldersDelete.cmd
2008-10-02 23:40 7,127,451 ----a-w C:\Zip.zip
2008-07-22 14:35 0 -csh--w c:\program files\desktoq.ini
2005-12-03 04:58 1,982,464 ----a-w c:\program files\Vistab2.msstyles
2008-07-22 14:25 14,080 --sha-w c:\windows\system32\mssjfilejf.dll
2008-07-22 14:25 20,192 --sha-w c:\windows\system32\vcrxfileju.dll
.

------- Sigcheck -------

2007-06-13 05:23 975360 9784e0719124e4a23989aef9e7ca02d6 c:\windows\explorer.exe
2007-06-13 06:26 1033216 7712df0cdde3a5ac89843e61cd5b3658 c:\windows\$hf_mig$\KB938828\SP2QFE\explorer.exe
2008-04-13 19:12 1033728 12896823fb95bfb3dc9b46bcaedc9923 c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\explorer.exe
2007-06-13 05:23 975360 9784e0719124e4a23989aef9e7ca02d6 c:\windows\system32\dllcache\explorer.exe
.
((((((((((((((((((((((((((((( snapshot@2008-12-18_20.02.17.42 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-12-19 00:18:39 101,991 ----a-w c:\windows\.jagex_cache_32\loginapplet\cache-1272026540.dat
+ 2008-12-20 01:30:16 101,991 ----a-w c:\windows\.jagex_cache_32\loginapplet\cache-1272026540.dat
- 2008-12-18 21:07:33 315,392 ----a-w c:\windows\.jagex_cache_32\runescape\jogl.dll
+ 2008-12-21 16:27:42 315,392 ----a-w c:\windows\.jagex_cache_32\runescape\jogl.dll
- 2008-12-18 21:07:33 20,480 ----a-w c:\windows\.jagex_cache_32\runescape\jogl_awt.dll
+ 2008-12-21 16:27:42 20,480 ----a-w c:\windows\.jagex_cache_32\runescape\jogl_awt.dll
- 2008-11-13 02:11:33 20,240 ----a-r c:\windows\Installer\{91120000-002F-0000-0000-0000000FF1CE}\cagicon.exe
+ 2008-12-19 02:16:00 20,240 ----a-r c:\windows\Installer\{91120000-002F-0000-0000-0000000FF1CE}\cagicon.exe
- 2008-11-13 02:11:32 184,080 ----a-r c:\windows\Installer\{91120000-002F-0000-0000-0000000FF1CE}\joticon.exe
+ 2008-12-19 02:15:59 184,080 ----a-r c:\windows\Installer\{91120000-002F-0000-0000-0000000FF1CE}\joticon.exe
- 2008-11-13 02:11:33 217,864 ----a-r c:\windows\Installer\{91120000-002F-0000-0000-0000000FF1CE}\misc.exe
+ 2008-12-19 02:16:00 217,864 ----a-r c:\windows\Installer\{91120000-002F-0000-0000-0000000FF1CE}\misc.exe
- 2008-11-13 02:11:33 18,704 ----a-r c:\windows\Installer\{91120000-002F-0000-0000-0000000FF1CE}\mspicons.exe
+ 2008-12-19 02:16:00 18,704 ----a-r c:\windows\Installer\{91120000-002F-0000-0000-0000000FF1CE}\mspicons.exe
- 2008-11-13 02:11:33 35,088 ----a-r c:\windows\Installer\{91120000-002F-0000-0000-0000000FF1CE}\oisicon.exe
+ 2008-12-19 02:16:00 35,088 ----a-r c:\windows\Installer\{91120000-002F-0000-0000-0000000FF1CE}\oisicon.exe
- 2008-11-13 02:11:32 922,384 ----a-r c:\windows\Installer\{91120000-002F-0000-0000-0000000FF1CE}\pptico.exe
+ 2008-12-19 02:16:00 922,384 ----a-r c:\windows\Installer\{91120000-002F-0000-0000-0000000FF1CE}\pptico.exe
- 2008-11-13 02:11:33 888,080 ----a-r c:\windows\Installer\{91120000-002F-0000-0000-0000000FF1CE}\wordicon.exe
+ 2008-12-19 02:16:00 888,080 ----a-r c:\windows\Installer\{91120000-002F-0000-0000-0000000FF1CE}\wordicon.exe
- 2008-11-13 02:11:32 1,172,240 ----a-r c:\windows\Installer\{91120000-002F-0000-0000-0000000FF1CE}\xlicons.exe
+ 2008-12-19 02:15:59 1,172,240 ----a-r c:\windows\Installer\{91120000-002F-0000-0000-0000000FF1CE}\xlicons.exe
- 2008-08-20 05:33:19 1,024,000 ----a-w c:\windows\system32\browseui.dll
+ 2008-10-16 10:20:52 1,024,000 ----a-w c:\windows\system32\browseui.dll
- 2008-08-20 05:33:17 151,040 ----a-w c:\windows\system32\cdfview.dll
+ 2008-10-16 10:20:42 151,040 ----a-w c:\windows\system32\cdfview.dll
- 2008-08-20 05:33:18 1,054,208 ----a-w c:\windows\system32\danim.dll
+ 2008-10-16 10:20:45 1,054,208 ----a-w c:\windows\system32\danim.dll
- 2008-08-20 05:33:19 1,024,000 ----a-w c:\windows\system32\dllcache\browseui.dll
+ 2008-10-16 10:20:52 1,024,000 ----a-w c:\windows\system32\dllcache\browseui.dll
- 2008-08-20 05:33:17 151,040 ------w c:\windows\system32\dllcache\cdfview.dll
+ 2008-10-16 10:20:42 151,040 ------w c:\windows\system32\dllcache\cdfview.dll
- 2008-08-20 05:33:18 1,054,208 ------w c:\windows\system32\dllcache\danim.dll
+ 2008-10-16 10:20:45 1,054,208 ------w c:\windows\system32\dllcache\danim.dll
- 2008-08-20 05:33:18 357,888 ------w c:\windows\system32\dllcache\dxtmsft.dll
+ 2008-10-16 10:20:45 357,888 ------w c:\windows\system32\dllcache\dxtmsft.dll
- 2008-08-20 05:33:18 205,312 ------w c:\windows\system32\dllcache\dxtrans.dll
+ 2008-10-16 10:20:45 205,312 ------w c:\windows\system32\dllcache\dxtrans.dll
- 2008-08-20 05:33:18 55,808 ------w c:\windows\system32\dllcache\extmgr.dll
+ 2008-10-16 10:20:46 55,808 ------w c:\windows\system32\dllcache\extmgr.dll
- 2008-02-20 06:51:05 282,624 ------w c:\windows\system32\dllcache\gdi32.dll
+ 2008-10-23 13:01:36 283,648 ------w c:\windows\system32\dllcache\gdi32.dll
- 2008-08-19 09:38:57 18,432 ------w c:\windows\system32\dllcache\iedw.exe
+ 2008-10-15 14:18:21 18,432 ------w c:\windows\system32\dllcache\iedw.exe
- 2008-08-20 05:33:18 251,904 ------w c:\windows\system32\dllcache\iepeers.dll
+ 2008-10-16 10:20:46 251,904 ------w c:\windows\system32\dllcache\iepeers.dll
- 2008-08-20 05:33:18 96,256 ------w c:\windows\system32\dllcache\inseng.dll
+ 2008-10-16 10:20:46 96,256 ------w c:\windows\system32\dllcache\inseng.dll
- 2008-08-20 05:33:19 16,384 ------w c:\windows\system32\dllcache\jsproxy.dll
+ 2008-10-16 10:20:50 16,384 ------w c:\windows\system32\dllcache\jsproxy.dll
- 2005-01-28 19:44:28 96,768 ----a-w c:\windows\system32\dllcache\logagent.exe
+ 2008-06-10 10:52:04 96,768 ----a-w c:\windows\system32\dllcache\logagent.exe
- 2008-08-20 05:33:20 3,067,392 ----a-w c:\windows\system32\dllcache\mshtml.dll
+ 2008-12-12 17:27:54 3,067,392 ----a-w c:\windows\system32\dllcache\mshtml.dll
- 2008-08-20 05:33:19 449,024 ------w c:\windows\system32\dllcache\mshtmled.dll
+ 2008-10-16 10:20:50 449,024 ------w c:\windows\system32\dllcache\mshtmled.dll
- 2008-08-20 05:33:18 146,432 ------w c:\windows\system32\dllcache\msrating.dll
+ 2008-10-16 10:20:46 146,432 ------w c:\windows\system32\dllcache\msrating.dll
- 2008-08-20 05:33:18 532,480 ------w c:\windows\system32\dllcache\mstime.dll
+ 2008-10-16 10:20:46 532,480 ------w c:\windows\system32\dllcache\mstime.dll
- 2008-08-20 05:33:18 39,424 ------w c:\windows\system32\dllcache\pngfilt.dll
+ 2008-10-16 10:20:46 39,424 ------w c:\windows\system32\dllcache\pngfilt.dll
- 2008-08-20 05:33:19 1,499,136 ----a-w c:\windows\system32\dllcache\shdocvw.dll
+ 2008-10-16 10:20:48 1,499,136 ----a-w c:\windows\system32\dllcache\shdocvw.dll
- 2008-08-20 05:33:19 474,112 ----a-w c:\windows\system32\dllcache\shlwapi.dll
+ 2008-10-16 10:20:51 474,112 ----a-w c:\windows\system32\dllcache\shlwapi.dll
- 2006-08-21 15:52:08 246,814 ------w c:\windows\system32\dllcache\strmdll.dll
+ 2008-10-03 10:15:47 247,326 ------w c:\windows\system32\dllcache\strmdll.dll
- 2008-08-20 05:33:19 619,008 ----a-w c:\windows\system32\dllcache\urlmon.dll
+ 2008-10-16 10:20:53 619,008 ----a-w c:\windows\system32\dllcache\urlmon.dll
- 2008-08-20 05:33:19 667,648 ----a-w c:\windows\system32\dllcache\wininet.dll
+ 2008-10-16 10:20:49 667,648 ----a-w c:\windows\system32\dllcache\wininet.dll
- 2005-01-28 19:44:28 1,027,072 ----a-w c:\windows\system32\dllcache\wmnetmgr.dll
+ 2008-06-10 11:28:36 1,028,096 ----a-w c:\windows\system32\dllcache\WMNetmgr.dll
- 2006-12-07 05:29:34 2,374,472 ----a-w c:\windows\system32\dllcache\wmvcore.dll
+ 2008-06-10 12:07:24 2,376,760 ----a-w c:\windows\system32\dllcache\WMVCore.dll
- 2008-08-20 05:33:18 357,888 ----a-w c:\windows\system32\dxtmsft.dll
+ 2008-10-16 10:20:45 357,888 ----a-w c:\windows\system32\dxtmsft.dll
- 2008-08-20 05:33:18 205,312 ----a-w c:\windows\system32\dxtrans.dll
+ 2008-10-16 10:20:45 205,312 ----a-w c:\windows\system32\dxtrans.dll
- 2008-08-20 05:33:18 55,808 ----a-w c:\windows\system32\extmgr.dll
+ 2008-10-16 10:20:46 55,808 ----a-w c:\windows\system32\extmgr.dll
- 2008-02-20 06:51:05 282,624 ----a-w c:\windows\system32\gdi32.dll
+ 2008-10-23 13:01:36 283,648 ----a-w c:\windows\system32\gdi32.dll
- 2008-08-20 05:33:18 251,904 ----a-w c:\windows\system32\iepeers.dll
+ 2008-10-16 10:20:46 251,904 ----a-w c:\windows\system32\iepeers.dll
- 2008-08-20 05:33:18 96,256 ----a-w c:\windows\system32\inseng.dll
+ 2008-10-16 10:20:46 96,256 ----a-w c:\windows\system32\inseng.dll
- 2008-08-20 05:33:19 16,384 ----a-w c:\windows\system32\jsproxy.dll
+ 2008-10-16 10:20:50 16,384 ----a-w c:\windows\system32\jsproxy.dll
- 2005-01-28 19:44:28 96,768 ----a-w c:\windows\system32\logagent.exe
+ 2008-06-10 10:52:04 96,768 ----a-w c:\windows\system32\logagent.exe
+ 2008-12-09 20:24:38 17,593,280 ----a-w c:\windows\system32\MRT.exe
- 2008-08-20 05:33:20 3,067,392 ----a-w c:\windows\system32\mshtml.dll
+ 2008-12-12 17:27:54 3,067,392 ----a-w c:\windows\system32\mshtml.dll
- 2008-08-20 05:33:19 449,024 ----a-w c:\windows\system32\mshtmled.dll
+ 2008-10-16 10:20:50 449,024 ----a-w c:\windows\system32\mshtmled.dll
- 2008-08-20 05:33:18 146,432 ----a-w c:\windows\system32\msrating.dll
+ 2008-10-16 10:20:46 146,432 ----a-w c:\windows\system32\msrating.dll
- 2008-08-20 05:33:18 532,480 ----a-w c:\windows\system32\mstime.dll
+ 2008-10-16 10:20:46 532,480 ----a-w c:\windows\system32\mstime.dll
- 2008-12-15 20:58:50 79,675 ----a-w c:\windows\system32\nvModes.dat
+ 2008-12-20 01:26:34 79,675 ----a-w c:\windows\system32\nvModes.dat
- 2008-08-20 05:33:18 39,424 ----a-w c:\windows\system32\pngfilt.dll
+ 2008-10-16 10:20:46 39,424 ----a-w c:\windows\system32\pngfilt.dll
- 2008-08-20 05:33:19 1,499,136 ----a-w c:\windows\system32\shdocvw.dll
+ 2008-10-16 10:20:48 1,499,136 ----a-w c:\windows\system32\shdocvw.dll
- 2008-08-20 05:33:19 474,112 ----a-w c:\windows\system32\shlwapi.dll
+ 2008-10-16 10:20:51 474,112 ----a-w c:\windows\system32\shlwapi.dll
- 2008-07-08 13:02:01 17,272 ----a-w c:\windows\system32\spmsg.dll
+ 2007-07-27 14:41:40 16,760 ------w c:\windows\system32\spmsg.dll
- 2006-08-21 15:52:08 246,814 ----a-w c:\windows\system32\strmdll.dll
+ 2008-10-03 10:15:47 247,326 ----a-w c:\windows\system32\strmdll.dll
- 2008-07-14 11:09:18 62,976 ----a-w c:\windows\system32\tzchange.exe
+ 2008-10-22 09:47:07 62,976 ----a-w c:\windows\system32\tzchange.exe
- 2008-08-20 05:33:19 619,008 ----a-w c:\windows\system32\urlmon.dll
+ 2008-10-16 10:20:53 619,008 ----a-w c:\windows\system32\urlmon.dll
- 2008-08-20 05:33:19 667,648 ----a-w c:\windows\system32\wininet.dll
+ 2008-10-16 10:20:49 667,648 ----a-w c:\windows\system32\wininet.dll
- 2005-01-28 19:44:28 1,027,072 ----a-w c:\windows\system32\wmnetmgr.dll
+ 2008-06-10 11:28:36 1,028,096 ----a-w c:\windows\system32\WMNetmgr.dll
- 2006-12-07 05:29:34 2,374,472 ----a-w c:\windows\system32\wmvcore.dll
+ 2008-06-10 12:07:24 2,376,760 ----a-w c:\windows\system32\WMVCore.dll
- 2008-08-19 09:20:32 351,744 ----a-w c:\windows\system32\xpsp3res.dll
+ 2008-10-15 14:00:41 351,744 ----a-w c:\windows\system32\xpsp3res.dll
+ 2008-12-21 19:03:41 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_7c4.dat
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"Steam"="c:\program files\steam\steam.exe" [2008-12-11 1410296]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-07-07 2156368]
"Google Update"="c:\documents and settings\Jimmy\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-12-21 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-07-09 851968]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-06-06 8429568]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-06-06 81920]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2007-07-03 1228800]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2007-05-09 1392640]
"KADxMain"="c:\windows\system32\KADxMain.exe" [2006-11-02 282624]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-10-03 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-10-03 81920]
"pccguide.exe"="c:\program files\Trend Micro\Internet Security 14\pccguide.exe" [2006-11-21 1807960]
"PCMService"="c:\program files\Dell\MediaDirect\PCMService.exe" [2007-04-16 184320]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-10-09 16384]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-01-10 385024]
"ddoctorv2"="c:\program files\Comcast\Desktop Doctor\bin\sprtcmd.exe" [2008-04-24 202560]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2006-11-05 221184]
"RoxioDragToDisc"="c:\program files\Roxio\Drag-to-Disc\DrgToDsc.exe" [2006-08-17 1116920]
"nwiz"="nwiz.exe" [2007-06-06 c:\windows\system32\nwiz.exe]
"NVHotkey"="nvHotkey.dll" [2007-06-06 c:\windows\system32\nvhotkey.dll]

c:\documents and settings\Jimmy\Start Menu\Programs\Startup\
RocketDock.lnk - c:\windows\BricoPacks\Vista Inspirat 2\RocketDock\RocketDock.exe [2007-03-18 630784]
TransBar.lnk - c:\windows\BricoPacks\Vista Inspirat 2\TransBar\TransBar.exe [2005-06-01 65536]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2007-12-11 50688]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\iifcAsrQ]
[BU]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Dell\\MediaDirect\\PCMService.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Steam\\SteamApps\\pishockj\\counter-strike source\\hl2.exe"=
"c:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpCtr.exe"=
"c:\\Program Files\\Steam\\steam.exe"=
"c:\\SRCDS\\srcds.exe"=
"c:\\Program Files\\Steam\\SteamApps\\pishockj\\source dedicated server\\srcds.exe"=
"c:\\Program Files\\Steam\\SteamApps\\pishockj\\counter-strike\\hl.exe"=
"c:\\Program Files\\Steam\\SteamApps\\pishockj\\zombie panic! source\\hl2.exe"=
"c:\\Program Files\\Steam\\SteamApps\\jimmyjhp\\counter-strike source\\hl2.exe"=
"c:\\Program Files\\Steam\\SteamApps\\pishockj\\age of chivalry\\hl2.exe"=
"c:\\Program Files\\Steam\\SteamApps\\pishockj\\half-life 2 deathmatch\\hl2.exe"=
"c:\\Program Files\\Steam\\SteamApps\\pishockj\\insurgency\\hl2.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2008-10-23 28544]
R2 Tmntsrv;Trend Micro Real-time Service;c:\progra~1\TRENDM~1\INTERN~1\Tmntsrv.exe [2007-11-08 345696]
R2 TmPfw;Trend Micro Personal Firewall;c:\progra~1\TRENDM~1\INTERN~1\TmPfw.exe [2007-11-08 923216]
R2 tmpreflt;tmpreflt;c:\windows\system32\DRIVERS\tmpreflt.sys [2007-11-08 36368]
R2 tmproxy;Trend Micro Proxy Service;c:\progra~1\TRENDM~1\INTERN~1\tmproxy.exe [2007-11-08 566872]
R2 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\Viewpoint\Common\ViewpointService.exe" [2007-12-25 24652]
R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\DRIVERS\TM_CFW.sys [2007-11-08 280392]
S3 XDva143;XDva143;\??\c:\windows\system32\XDva143.sys []
S3 XDva186;XDva186;\??\c:\windows\system32\XDva186.sys []

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2008-06-13 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 14:57]

2008-12-21 c:\windows\Tasks\GoogleUpdateTaskUser.job
- c:\documents and settings\Jimmy\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-12-21 13:51]

2008-12-21 c:\windows\Tasks\SDMsgUpdate (TE).job
- c:\progra~1\SMARTD~1\Messages\SDNotify.exe [2007-09-26 08:53]
.
- - - - ORPHANS REMOVED - - - -

BHO-{1B93547F-5CE9-4E60-B3B8-15AE6B6F93B7} - (no file)
BHO-{1D03BF11-3729-4CDF-8C1A-4B0AFD45326A} - (no file)
BHO-{467B24BD-D8BF-453F-9DB2-B58CF8EC364F} - (no file)
BHO-{55af58ab-9339-400d-9c9c-1a83e921e47f} - (no file)
BHO-{5a4627ce-385a-4f3a-8a1e-8a80a3406117} - (no file)
BHO-{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - (no file)
BHO-{90F5A359-914F-40CF-B406-082EA7F8744D} - (no file)
BHO-{B3AA6D76-A5DA-4C05-9DC1-E061E0E4528C} - (no file)
BHO-{B5F009B0-1266-4AF5-B6D5-E35FEC70E4BB} - (no file)
BHO-{E0EF78AE-5534-40FC-866D-419739FEA10C} - (no file)
HKLM-Run-SunJavaUpdateSched - c:\program files\Java\jre1.6.0_05\bin\jusched.exe
HKLM-Run-hamukuboye - c:\windows\system32\yehifuni.dll
HKLM-Run-<NO NAME> - (no file)


.
------- Supplementary Scan -------
.
mStart Page = hxxp://www.comcast.net/
mWindow Title = Windows Internet Explorer provided by Comcast
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: {EC46BC7F-E5D7-4F5B-A70B-3C2C37C1861C} = 68.87.64.146,68.87.75.194

c:\program files\Common Files\supportsoft\bin\tgctlsi.dll - c:\windows\Downloaded Program Files\sprtexternal.dll
O16 -: {42D06124-98A2-47EC-8098-3778B58CE7D5}
hxxps://actsvr.comcastonline.com/techto ... ntrols.cab
c:\windows\Downloaded Program Files\sprtexternal.inf
FF - ProfilePath - c:\documents and settings\Jimmy\Application Data\Mozilla\Firefox\Profiles\3mkdxskb.default\
FF - prefs.js: browser.search.selectedEngine - Zybez Item Database
FF - prefs.js: browser.startup.homepage - hxxp://www.zybez.net/
FF - plugin: c:\program files\Microsoft Silverlight\2.0.31005.0\npctrl.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll

ATTENTION: FIREFOX POLICES IS IN FORCE
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("general.useragent.vendorComment", "ax");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("security.xpconnect.activex.global.hosting_flags", 9);
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("security.classID.allowByDefault", false);
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID6BF52A52-394A-11D3-B153-00C04F79FAA6", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID22D6F312-B0F6-11D0-94AB-0080C74C7E95", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.rights.version", 3);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.rights.3.shown", false);
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-21 14:04:11
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(988)
c:\windows\System32\BCMLogon.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\WLTRYSVC.EXE
c:\windows\system32\BCMWLTRY.EXE
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\progra~1\TRENDM~1\INTERN~1\PcCtlCom.exe
c:\windows\system32\PnkBstrA.exe
c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
c:\program files\Comcast\Desktop Doctor\bin\sprtsvc.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\rundll32.exe
c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\CPSHelpRunner.exe
.
**************************************************************************
.
Completion time: 2008-12-21 14:08:37 - machine was rebooted
ComboFix-quarantined-files.txt 2008-12-21 19:08:34
ComboFix2.txt 2008-12-19 01:02:51

Pre-Run: 22,627,061,760 bytes free
Post-Run: 22,617,231,360 bytes free

401 --- E O F --- 2008-12-19 02:16:03
Jhp
Regular Member
 
Posts: 23
Joined: December 15th, 2008, 6:23 pm

Re: Virtumonde and Smitfraud infection

Unread postby Shaba » December 21st, 2008, 3:15 pm

If you want to continue with cleaning, you must remove it now as per P2P policy.

Let me know when you have done it and we will continue.
Shaba
Admin/Teacher Emeritus
 
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland

Re: Virtumonde and Smitfraud infection

Unread postby Jhp » December 21st, 2008, 4:06 pm

Alright, finished up. It's been removed, sorry to delay cleaning. Continue please.
Jhp
Regular Member
 
Posts: 23
Joined: December 15th, 2008, 6:23 pm

Re: Virtumonde and Smitfraud infection

Unread postby Shaba » December 21st, 2008, 4:16 pm

Open notepad and copy/paste the text in the codebox below into it:

Code:
Folder::
c:\program files\uTorrent
c:\documents and settings\Jimmy\Application Data\uTorrent


Save this as "CFScript"

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

Image

This will start ComboFix again. After the reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

Combofix should never take more than 20 minutes, including the reboot, if malware is detected.
If it does, open Task Manager and go to the Processes tab (press Ctrl, Alt and Del at the same time) and end any processes named findstr, find, sed or swreg; then Combofix should continue.
Shaba
Admin/Teacher Emeritus
 
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland

Re: Virtumonde and Smitfraud infection

Unread postby Jhp » December 21st, 2008, 4:53 pm

Here's the ComboFix:


ComboFix 08-12-18.01 - Jimmy 2008-12-21 15:45:31.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.2046.1212 [GMT -5:00]
Running from: c:\documents and settings\Jimmy\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Jimmy\Desktop\cfscript.txt
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2008-11-21 to 2008-12-21 )))))))))))))))))))))))))))))))
.

2008-12-21 11:29 . 2008-12-21 14:01 <DIR> d-------- c:\program files\PeerGuardian2
2008-12-20 17:01 . 2008-12-17 17:49 73,728 --a------ c:\windows\system32\javacpl.cpl
2008-12-18 16:39 . 2008-12-19 16:28 54,156 --ah----- c:\windows\QTFont.qfn
2008-12-18 16:39 . 2008-12-18 16:39 1,409 --a------ c:\windows\QTFont.for
2008-12-17 17:49 . 2008-12-17 17:49 410,984 --a------ c:\windows\system32\deploytk.dll
2008-12-16 18:34 . 2007-12-11 09:37 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Roxio
2008-12-16 18:34 . 2007-12-11 09:15 <DIR> d-------- c:\documents and settings\Administrator\Application Data\InstallShield
2008-12-16 18:34 . 2008-12-16 18:34 <DIR> d-------- c:\documents and settings\Administrator
2008-12-13 10:27 . 2008-12-13 10:27 <DIR> d-------- c:\program files\Common Files\Thraex Software
2008-12-10 17:10 . 2008-12-10 17:10 <DIR> d-------- C:\VundoFix Backups
2008-12-08 17:00 . 2008-12-08 17:00 <DIR> d-------- c:\windows\system32\config\systemprofile\Application Data\HPAppData
2008-11-29 12:23 . 2008-11-29 12:23 <DIR> d-------- c:\program files\GodzHellClient

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-21 20:44 31 ----a-w c:\documents and settings\Jimmy\jagex_runescape_preferences.dat
2008-12-21 20:18 --------- d-----w c:\program files\Steam
2008-12-20 22:01 --------- d-----w c:\program files\Java
2008-12-19 02:15 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2008-12-18 21:00 83,140 ----a-w c:\windows\system32\huhukuge.dll
2008-12-15 21:18 --------- d-----w c:\program files\World of Warcraft
2008-12-12 17:27 3,067,392 ----a-w c:\windows\system32\dllcache\mshtml.dll
2008-12-09 23:41 --------- d-----w c:\program files\Trend Micro
2008-12-04 18:41 --------- d-----w c:\program files\AV Vcs 6.0 DIAMOND
2008-11-23 15:48 --------- d-----w c:\program files\Common Files\Blizzard Entertainment
2008-11-12 21:23 --------- d-----w c:\program files\MSBuild
2008-11-12 21:20 --------- d-----w c:\program files\Reference Assemblies
2008-11-12 21:17 --------- d-----w c:\documents and settings\Jimmy\Application Data\Sony Setup
2008-11-12 20:54 --------- d-----w c:\documents and settings\Jimmy\Application Data\gtk-2.0
2008-11-04 04:32 --------- d-----w c:\documents and settings\All Users\Application Data\SwiftKit
2008-11-03 21:41 --------- d-----w c:\program files\Microsoft Silverlight
2008-11-02 23:24 --------- dcsh--w c:\program files\Common Files\WindowsLiveInstaller
2008-11-02 23:24 --------- d-----w c:\program files\Windows Live
2008-11-02 23:22 --------- d-----w c:\documents and settings\All Users\Application Data\WLInstaller
2008-11-02 23:21 2,400,784 ----a-w C:\WLinstaller.exe
2008-11-01 17:05 --------- d-----w c:\program files\HyCam2
2008-11-01 17:04 668,488 ----a-w C:\HC2Setup.exe
2008-10-28 21:35 --------- d-----w c:\documents and settings\Jimmy\Application Data\Sony
2008-10-28 21:34 --------- d-----w c:\program files\Vstplugins
2008-10-28 21:34 --------- d-----w c:\documents and settings\All Users\Application Data\Sony
2008-10-28 21:33 --------- d-----w c:\program files\Sony
2008-10-28 21:31 147,544,835 ----a-w C:\vegas70e_enu.exe
2008-10-25 21:28 --------- d-----w c:\documents and settings\All Users\Application Data\Blizzard
2008-10-24 11:10 453,632 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-24 11:10 453,632 ------w c:\windows\system32\dllcache\mrxsmb.sys
2008-10-23 20:40 --------- d-----w c:\program files\Panda Security
2008-10-23 13:01 283,648 ----a-w c:\windows\system32\gdi32.dll
2008-10-23 13:01 283,648 ------w c:\windows\system32\dllcache\gdi32.dll
2008-10-23 00:30 --------- d-----w c:\program files\RegCleaner
2008-10-23 00:18 553,687 ----a-w C:\regcleaner.exe
2008-10-22 22:48 --------- d-----w c:\documents and settings\NetworkService\Application Data\Skype
2008-10-22 20:55 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-10-22 20:39 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-10-22 20:37 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-10-22 20:34 --------- d-----w c:\program files\Lavasoft
2008-10-22 20:34 --------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft
2008-10-22 19:42 --------- d-----w c:\program files\Common Files\Logishrd
2008-10-22 00:44 --------- d-----w c:\program files\Common Files\SureThing Shared
2008-10-22 00:38 --------- d-----w c:\program files\Windows Live Safety Center
2008-10-22 00:37 --------- d-----w c:\program files\Common Files\AOL
2008-10-22 00:30 --------- d-----w c:\program files\CCleaner
2008-10-22 00:27 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2008-10-22 00:27 --------- d-----w c:\documents and settings\Jimmy\Application Data\Malwarebytes
2008-10-22 00:27 --------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2008-10-22 00:20 --------- d-----w c:\documents and settings\All Users\Application Data\WholeSecurity
2008-10-21 01:00 --------- d-----w c:\documents and settings\NetworkService\Application Data\HPAppData
2008-10-16 19:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 19:13 202,776 ----a-w c:\windows\system32\dllcache\wuweb.dll
2008-10-16 19:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 19:13 1,809,944 ----a-w c:\windows\system32\dllcache\wuaueng.dll
2008-10-16 19:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 19:12 561,688 ----a-w c:\windows\system32\dllcache\wuapi.dll
2008-10-16 19:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 19:12 323,608 ----a-w c:\windows\system32\dllcache\wucltui.dll
2008-10-16 19:09 92,696 ----a-w c:\windows\system32\dllcache\cdm.dll
2008-10-16 19:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 19:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 19:09 51,224 ----a-w c:\windows\system32\dllcache\wuauclt.exe
2008-10-16 19:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 19:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 19:08 34,328 ----a-w c:\windows\system32\dllcache\wups.dll
2008-10-16 19:06 268,648 ----a-w c:\windows\system32\mucltui.dll
2008-10-16 19:06 208,744 ----a-w c:\windows\system32\muweb.dll
2008-10-15 16:57 332,800 ------w c:\windows\system32\dllcache\netapi32.dll
2008-10-15 14:18 18,432 ------w c:\windows\system32\dllcache\iedw.exe
2008-10-07 20:43 61,588 -c--a-w c:\windows\BricoPackUninst.cmd
2008-10-07 20:43 5,417 -c--a-w c:\windows\BricoPackFoldersDelete.cmd
2008-10-03 10:15 247,326 ----a-w c:\windows\system32\strmdll.dll
2008-10-03 10:15 247,326 ------w c:\windows\system32\dllcache\strmdll.dll
2008-10-02 23:40 7,127,451 ----a-w C:\Zip.zip
2008-09-30 21:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll
2008-07-22 14:35 0 -csh--w c:\program files\desktoq.ini
2005-12-03 04:58 1,982,464 ----a-w c:\program files\Vistab2.msstyles
2008-07-22 14:25 14,080 --sha-w c:\windows\system32\mssjfilejf.dll
2008-07-22 14:25 20,192 --sha-w c:\windows\system32\vcrxfileju.dll
.

------- Sigcheck -------

2007-06-13 05:23 975360 9784e0719124e4a23989aef9e7ca02d6 c:\windows\explorer.exe
2007-06-13 06:26 1033216 7712df0cdde3a5ac89843e61cd5b3658 c:\windows\$hf_mig$\KB938828\SP2QFE\explorer.exe
2008-04-13 19:12 1033728 12896823fb95bfb3dc9b46bcaedc9923 c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\explorer.exe
2007-06-13 05:23 975360 9784e0719124e4a23989aef9e7ca02d6 c:\windows\system32\dllcache\explorer.exe
.
((((((((((((((((((((((((((((( snapshot_2008-12-21_14.08.07.76 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-12-21 16:27:42 315,392 ----a-w c:\windows\.jagex_cache_32\runescape\jogl.dll
+ 2008-12-21 20:44:09 315,392 ----a-w c:\windows\.jagex_cache_32\runescape\jogl.dll
- 2008-12-21 16:27:42 20,480 ----a-w c:\windows\.jagex_cache_32\runescape\jogl_awt.dll
+ 2008-12-21 20:44:09 20,480 ----a-w c:\windows\.jagex_cache_32\runescape\jogl_awt.dll
- 2008-12-20 01:26:34 79,675 ----a-w c:\windows\system32\nvModes.dat
+ 2008-12-21 20:04:32 79,675 ----a-w c:\windows\system32\nvModes.dat
+ 2008-12-21 20:17:51 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_7bc.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"Steam"="c:\program files\steam\steam.exe" [2008-12-11 1410296]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-07-07 2156368]
"Google Update"="c:\documents and settings\Jimmy\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-12-21 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-07-09 851968]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-06-06 8429568]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-06-06 81920]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2007-07-03 1228800]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2007-05-09 1392640]
"KADxMain"="c:\windows\system32\KADxMain.exe" [2006-11-02 282624]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-10-03 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-10-03 81920]
"pccguide.exe"="c:\program files\Trend Micro\Internet Security 14\pccguide.exe" [2006-11-21 1807960]
"PCMService"="c:\program files\Dell\MediaDirect\PCMService.exe" [2007-04-16 184320]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-10-09 16384]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-01-10 385024]
"ddoctorv2"="c:\program files\Comcast\Desktop Doctor\bin\sprtcmd.exe" [2008-04-24 202560]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2006-11-05 221184]
"RoxioDragToDisc"="c:\program files\Roxio\Drag-to-Disc\DrgToDsc.exe" [2006-08-17 1116920]
"nwiz"="nwiz.exe" [2007-06-06 c:\windows\system32\nwiz.exe]
"NVHotkey"="nvHotkey.dll" [2007-06-06 c:\windows\system32\nvhotkey.dll]

c:\documents and settings\Jimmy\Start Menu\Programs\Startup\
RocketDock.lnk - c:\windows\BricoPacks\Vista Inspirat 2\RocketDock\RocketDock.exe [2007-03-18 630784]
TransBar.lnk - c:\windows\BricoPacks\Vista Inspirat 2\TransBar\TransBar.exe [2005-06-01 65536]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2007-12-11 50688]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\iifcAsrQ]
[BU]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Dell\\MediaDirect\\PCMService.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Steam\\SteamApps\\pishockj\\counter-strike source\\hl2.exe"=
"c:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpCtr.exe"=
"c:\\Program Files\\Steam\\steam.exe"=
"c:\\SRCDS\\srcds.exe"=
"c:\\Program Files\\Steam\\SteamApps\\pishockj\\source dedicated server\\srcds.exe"=
"c:\\Program Files\\Steam\\SteamApps\\pishockj\\counter-strike\\hl.exe"=
"c:\\Program Files\\Steam\\SteamApps\\pishockj\\zombie panic! source\\hl2.exe"=
"c:\\Program Files\\Steam\\SteamApps\\jimmyjhp\\counter-strike source\\hl2.exe"=
"c:\\Program Files\\Steam\\SteamApps\\pishockj\\age of chivalry\\hl2.exe"=
"c:\\Program Files\\Steam\\SteamApps\\pishockj\\half-life 2 deathmatch\\hl2.exe"=
"c:\\Program Files\\Steam\\SteamApps\\pishockj\\insurgency\\hl2.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2008-10-23 28544]
R2 Tmntsrv;Trend Micro Real-time Service;c:\progra~1\TRENDM~1\INTERN~1\Tmntsrv.exe [2007-11-08 345696]
R2 TmPfw;Trend Micro Personal Firewall;c:\progra~1\TRENDM~1\INTERN~1\TmPfw.exe [2007-11-08 923216]
R2 tmpreflt;tmpreflt;c:\windows\system32\DRIVERS\tmpreflt.sys [2007-11-08 36368]
R2 tmproxy;Trend Micro Proxy Service;c:\progra~1\TRENDM~1\INTERN~1\tmproxy.exe [2007-11-08 566872]
R2 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\Viewpoint\Common\ViewpointService.exe" [2007-12-25 24652]
R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\DRIVERS\TM_CFW.sys [2007-11-08 280392]
S3 XDva143;XDva143;\??\c:\windows\system32\XDva143.sys []
S3 XDva186;XDva186;\??\c:\windows\system32\XDva186.sys []

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2008-06-13 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 14:57]

2008-12-21 c:\windows\Tasks\GoogleUpdateTaskUser.job
- c:\documents and settings\Jimmy\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-12-21 13:51]

2008-12-21 c:\windows\Tasks\SDMsgUpdate (TE).job
- c:\progra~1\SMARTD~1\Messages\SDNotify.exe [2007-09-26 08:53]
.
- - - - ORPHANS REMOVED - - - -

BHO-{1B93547F-5CE9-4E60-B3B8-15AE6B6F93B7} - (no file)
BHO-{1D03BF11-3729-4CDF-8C1A-4B0AFD45326A} - (no file)
BHO-{467B24BD-D8BF-453F-9DB2-B58CF8EC364F} - (no file)
BHO-{55af58ab-9339-400d-9c9c-1a83e921e47f} - (no file)
BHO-{5a4627ce-385a-4f3a-8a1e-8a80a3406117} - (no file)
BHO-{90F5A359-914F-40CF-B406-082EA7F8744D} - (no file)
BHO-{B3AA6D76-A5DA-4C05-9DC1-E061E0E4528C} - (no file)
BHO-{B5F009B0-1266-4AF5-B6D5-E35FEC70E4BB} - (no file)
BHO-{E0EF78AE-5534-40FC-866D-419739FEA10C} - (no file)


.
------- Supplementary Scan -------
.
mStart Page = hxxp://www.comcast.net/
mWindow Title = Windows Internet Explorer provided by Comcast
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: {EC46BC7F-E5D7-4F5B-A70B-3C2C37C1861C} = 68.87.64.146,68.87.75.194

c:\program files\Common Files\supportsoft\bin\tgctlsi.dll - c:\windows\Downloaded Program Files\sprtexternal.dll
O16 -: {42D06124-98A2-47EC-8098-3778B58CE7D5}
hxxps://actsvr.comcastonline.com/techto ... ntrols.cab
c:\windows\Downloaded Program Files\sprtexternal.inf
FF - ProfilePath - c:\documents and settings\Jimmy\Application Data\Mozilla\Firefox\Profiles\3mkdxskb.default\
FF - prefs.js: browser.search.selectedEngine - Zybez Item Database
FF - prefs.js: browser.startup.homepage - hxxp://www.zybez.net/
FF - plugin: c:\program files\Microsoft Silverlight\2.0.31005.0\npctrl.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll

ATTENTION: FIREFOX POLICES IS IN FORCE
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("general.useragent.vendorComment", "ax");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("security.xpconnect.activex.global.hosting_flags", 9);
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("security.classID.allowByDefault", false);
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID6BF52A52-394A-11D3-B153-00C04F79FAA6", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID22D6F312-B0F6-11D0-94AB-0080C74C7E95", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.rights.version", 3);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.rights.3.shown", false);
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-21 15:49:41
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(976)
c:\windows\System32\BCMLogon.dll
.
Completion time: 2008-12-21 15:51:38
ComboFix-quarantined-files.txt 2008-12-21 20:51:12
ComboFix2.txt 2008-12-21 19:08:38
ComboFix3.txt 2008-12-19 01:02:51

Pre-Run: 26,158,059,520 bytes free
Post-Run: 26,137,432,064 bytes free

261 --- E O F --- 2008-12-19 02:16:03



Here's the HJT:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:52:59 PM, on 12/21/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Trend Micro\Internet Security 14\pccguide.exe
C:\Program Files\Dell\MediaDirect\PCMService.exe
C:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe
C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\program files\steam\steam.exe
C:\Documents and Settings\Jimmy\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\CPSHelpRunner.exe
C:\Documents and Settings\Jimmy\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Jimmy\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\scanner.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=del ... bd=0071211
O2 - BHO: HP Print Clips - {053F9267-DC04-4294-A72C-58F732D338C0} - C:\Program Files\HP\Smart Web Printing\hpswp_framework.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: PayPal Plug-In - {DC0F2F93-27FA-4f84-ACAA-9416F90B9511} - C:\Program Files\PayPal\PayPal Plug-In\OToolbar.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [NVHotkey] rundll32.exe nvHotkey.dll,Start
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [KADxMain] C:\WINDOWS\system32\KADxMain.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 14\pccguide.exe"
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\MediaDirect\PCMService.exe"
O4 - HKLM\..\Run: [dscactivate] "%ProgramFiles%\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ddoctorv2] "C:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exe" /P ddoctorv2
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Jimmy\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - Startup: RocketDock.lnk = C:\WINDOWS\BricoPacks\Vista Inspirat 2\RocketDock\RocketDock.exe
O4 - Startup: TransBar.lnk = C:\WINDOWS\BricoPacks\Vista Inspirat 2\TransBar\TransBar.exe
O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: HP Clipbook - {58ECB495-38F0-49cb-A538-10282ABF65E7} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: HP Smart Select - {700259D7-1666-479a-93B1-3250410481E8} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {42D06124-98A2-47EC-8098-3778B58CE7D5} (SupportSoft External Control) - https://actsvr.comcastonline.com/techto ... ntrols.cab
O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} (Java Plug-in 1.5.0_06) -
O16 - DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} (Java Plug-in 1.6.0_05) -
O17 - HKLM\System\CCS\Services\Tcpip\..\{EC46BC7F-E5D7-4F5B-A70B-3C2C37C1861C}: NameServer = 68.87.64.146,68.87.75.194
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: iifcAsrQ - C:\WINDOWS\
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: SupportSoft Sprocket Service (ddoctorv2) (sprtsvc_ddoctorv2) - SupportSoft, Inc. - C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 9809 bytes
Jhp
Regular Member
 
Posts: 23
Joined: December 15th, 2008, 6:23 pm