Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

Virtumonde

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

Virtumonde

Unread postby surge-on5 » March 31st, 2009, 11:08 pm

Please help, my computer is infected with the above trojan. I have a up to date version of Trend Micro Security Pro running which does not find the infection. I also have an up to date version of Spyware doctor which finds the infected files, says they are successfully removed, yet when I scan again with Spyware doctor, it continues to find infected files. (Spyware doctor has helped, but the browser popups continue though less frequently.

Here is the HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:54:01 PM, on 3/31/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Pure Digital Technologies\FlipShare\FlipShareService.exe
C:\WINDOWS\System32\GEARSec.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Norton Ghost\Agent\VProSvc.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\Trend Micro\TrendSecure\TSCFPlatformCOMSvr.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Norton Ghost\Agent\GhostTray.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\TmPfw.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Dell Photo AIO Printer 944\dlcdmon.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Dell Photo AIO Printer 944\memcard.exe
C:\WINDOWS\CTHELPER.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\CTXFIHLP.EXE
C:\Program Files\Napster\napster.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\WINDOWS\system32\dlcdcoms.exe
C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
C:\Program Files\Trend Micro\TrendSecure\RemoteFileLock\FLMain.exe
C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Documents and Settings\All Users\Application Data\U3\U3Launcher\LaunchU3.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\Trend Micro\TrendSecure\TSCFCommander.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\TrendSecure\TransactionProtector\Dependent\HSChkProxyExe.exe
C:\WINDOWS\system32\kdfmgr.exe
C:\Documents and Settings\kellly\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.bellsouth.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {431d89e7-8089-4cfc-b97d-6d47dbafa423} - C:\WINDOWS\system32\sofuruzo.dll (file missing)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
O2 - BHO: TransactionProtector BHO - {C1656CCA-D2EA-4A32-94AE-AE0B180E6449} - C:\Program Files\Trend Micro\TrendSecure\TransactionProtector\TSToolbar.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\Program Files\BAE\BAE.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Transaction Protector - {E7620C98-FCCC-40E5-92EC-C7685D2E1E40} - C:\Program Files\Trend Micro\TrendSecure\TransactionProtector\TSToolbar.dll
O3 - Toolbar: Spb Wallet - {2913D3DD-9363-4C21-B205-C19A584A0674} - C:\Program Files\Spb Wallet\SpbWalletToolbar.dll
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Norton Ghost 10.0] "C:\Program Files\Norton Ghost\Agent\GhostTray.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [DLCDCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCDtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [dlcdmon.exe] "C:\Program Files\Dell Photo AIO Printer 944\dlcdmon.exe"
O4 - HKLM\..\Run: [MemoryCardManager] "C:\Program Files\Dell Photo AIO Printer 944\memcard.exe"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [NapsterShell] C:\Program Files\Napster\napster.exe /systray
O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [telenogune] Rundll32.exe "C:\WINDOWS\system32\fobivili.dll",s
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [CPMdb93204f] Rundll32.exe "c:\windows\system32\yofivowi.dll",a
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [TrendSecure Remote File Lock] C:\Program Files\Trend Micro\TrendSecure\RemoteFileLock\FLMain.exe
O4 - HKCU\..\Run: [OE] "C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe"
O4 - HKUS\S-1-5-19\..\Run: [telenogune] Rundll32.exe "C:\WINDOWS\system32\fobivili.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [telenogune] Rundll32.exe "C:\WINDOWS\system32\fobivili.dll",s (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [SetDefaultMIDI] MIDIDEF.EXE /s:'Creative SoundFont Synthesizer' /w:'SB Audigy' (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [SetDefaultMIDI] MIDIDEF.EXE /s:'Creative SoundFont Synthesizer' /w:'SB Audigy' (User 'Default user')
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Event Reminder.lnk = C:\Program Files\PrintMaster 16\pmremind.exe
O4 - Global Startup: LaunchU3.exe.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - https://www.mhsremote.com/Citrix/,DanaI ... icaweb.cab
O16 - DPF: {23BFC42A-A74D-4698-9E20-65E23A090982} (CmActive.CmActiveXDoc) - https://cm.mhs.net/clinx/clinx/cmactivedoc.CAB
O16 - DPF: {275E2FE0-7486-11D0-89D6-00A0C90C9B67} (MCSiMenuCtl Class) - https://clinician.mhs.net/mcsimenu.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www2.snapfish.com/SnapfishActivia.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resour ... se5483.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microso ... 8512698125
O16 - DPF: {6F750202-1362-4815-A476-88533DE61D0C} (Kodak Gallery Easy Upload Manager Class) - http://www.kodakgallery.com/downloads/B ... ofupld.cab
O16 - DPF: {843EE768-3A97-455C-9076-741BA3AD7B62} (QuickBooks Online Edition Utilities Class v10) - https://accounting.quickbooks.com/c1/v1 ... boax10.cab
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupControlXP Class) - https://www.mhsremote.com/dana-cached/s ... tupSP1.cab
O16 - DPF: {F5131C24-E56D-11CF-B78A-444553540000} (Ikonic Menu Control) - https://wc.wachovia.com/common/cab/ikcntrls.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL C:\WINDOWS\system32\rewamaki.dll staufw.dll c:\windows\system32\gifuzasa.dll c:\windows\system32\yofivowi.dll
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\yofivowi.dll
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\yofivowi.dll
O23 - Service: Adobe Active File Monitor V7 (AdobeActiveFileMonitor7.0) - Adobe Systems Incorporated - C:\Program Files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: dlcd_device - Unknown owner - C:\WINDOWS\system32\dlcdcoms.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: FlipShare Service - Unknown owner - C:\Program Files\Pure Digital Technologies\FlipShare\FlipShareService.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
O23 - Service: Google Desktop Manager 5.7.806.10245 (GoogleDesktopManager-061008-081103) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Norton Ghost\Agent\VProSvc.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O24 - Desktop Component 1: (no name) - C:\Documents and Settings\kellly\My Documents\Astronomy Widget.html

--
End of file - 15849 bytes
surge-on5
Regular Member
 
Posts: 28
Joined: March 31st, 2009, 10:48 pm
Advertisement
Register to Remove

Re: Virtumonde

Unread postby muppy03 » April 4th, 2009, 11:29 pm

Hello and welcome to the Malware Removal Forums

I will be assisting you with your Malware issues.

IMPORTANT

  • Whatever repairs we make, are for fixing your computer problems only and by no means should be used on another computer.
  • Continue to respond to this thread until I give you the All Clean!
  • If you have any questions or are unsure in anyway, please let me know. I will try my best to help you!
  • Please reply to this thread. Do not start a new topic.
  • As I am still in training, everything that I post to you, must be checked by one of the teachers. Therefore, there may be a slight delay between posts.

Make an uninstall list using HijackThis
To access the Uninstall Manager you would do the following:
  • Start HijackThis
  • Click on the Config button
  • Click on the Misc Tools button
  • Click on the Open Uninstall Manager button.
  • Click on the Save list... button and specify where you would like to save this file. When you press Save button a notepad will open with the contents of that file. Save the file to your desktop.

Please post this log on your next reply.
User avatar
muppy03
MRU Emeritus
MRU Emeritus
 
Posts: 4782
Joined: December 4th, 2007, 5:30 am
Location: Australia

Re: Virtumonde

Unread postby muppy03 » April 5th, 2009, 4:21 am

Multiple Anti-virus Programs
You are operating your computer with multiple Anti-virus programs running in memory at once:
Symantec
Trend Micro

Anti-virus programs take up an enormous amount of your computer's resources when they are actively scanning your computer. Having two anti-virus programs running at the same time can cause your computer to run very slow, become unstable and even, in rare cases, crash. Please remove one of them NOW.

NEXT Please download Malwarebytes' Anti-Malware and save to your desktop.

  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to:

    Update Malwarebytes' Anti-Malware
    Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform Full scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please copy and paste the log back into your next reply

    Note:
  • The log can also be found here:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
  • Or via the Logs tab when Malwarebytes' Anti-Malware is started.

NEXT Download and Run: RSIT

  • Download random's system information tool (RSIT) by random/random from here and save it to your desktop.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized)


Please reply with:-
  • MBAM log
  • RSIT logs ( info.txt and log.txt)
User avatar
muppy03
MRU Emeritus
MRU Emeritus
 
Posts: 4782
Joined: December 4th, 2007, 5:30 am
Location: Australia

Re: Virtumonde

Unread postby surge-on5 » April 5th, 2009, 11:21 pm

Here is the uninstall list from HJT

3ivx MPEG-4 5.0.3 (remove only)
ABBYY FineReader 6.0 Sprint
Adobe Acrobat - Reader 6.0.2 Update
Adobe AIR
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Photoshop Elements 7.0
Adobe Photoshop.com Inspiration Browser
Adobe Reader 6.0.1
AOLIcon
Apple Mobile Device Support
Apple Software Update
Art Explosion Scrapbook Factory Deluxe
ATI Control Panel
ATI Display Driver
Barbie(R) Pet Rescue
Barbie(TM) Fashion Show(TM) CD-ROM
Beauty and the Beast Magical Ballroom
Bonjour
Bratz (TM)
BUM
Canon EOS Kiss_N REBEL_XT 350D WIA Driver
Citrix Presentation Server Web Client for Win32
Conexant D850 56K V.9x DFVc Modem
Creative MediaSource
Dell CinePlayer
Dell Digital Jukebox Driver
Dell Driver Reset Tool
Dell Game Console
Dell Photo AIO Printer 944
DellSupport
Digital Content Portal
Digital Line Detect
Disney Princess Royal Horse Show
ELIcon
FlipShare
GemMaster Mystic
Google Desktop
Google Earth
Google Toolbar for Internet Explorer
High Definition Audio Driver Package - KB835221
HijackThis 2.0.2
Hotfix for Windows Media Player 10 (KB903157)
Hotfix for Windows XP (KB952287)
Intel Matrix Storage Manager
Intel(R) PRO Network Connections Drivers
Intel(R) PROSet for Wired Connections
iTunes
J2SE Runtime Environment 5.0 Update 11
Java 2 Runtime Environment, SE v1.4.2_03
Java(TM) 6 Update 11
Java(TM) 6 Update 7
Juniper Networks Secure Application Manager
Learn2 Player (Uninstall Only)
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft ActiveSync
Microsoft Office 2000 Disc 2
Microsoft Office 2000 Small Business
Microsoft Office PowerPoint Viewer 2007 (English)
Microsoft Plus! Digital Media Edition Installer
Microsoft Plus! Photo Story 2 LE
Microsoft Web Publishing Wizard 1.52
Modem Helper
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
Musicmatch for Windows Media Player
My Disney Kitchen
NetWaiting
PhotoshopdotcomInspirationBrowser
PrintMaster 16
Qualxserve Service Agreement
Quicken 2007
QuickTime
RealPlayer Basic
RollerCoaster Tycoon 2 Triple Thrill Pack
Roxio DLA
Roxio MyDVD LE
Roxio RecordNow Audio
Roxio RecordNow Copy
Roxio RecordNow Data
Safari
Search Assist
SeaWorld Adventure Park Tycoon
Secret Agent(tm) Barbie(tm)
Security Update for CAPICOM (KB931906)
Security Update for CAPICOM (KB931906)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950759)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953838)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956390)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958215)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960714)
Security Update for Windows XP (KB960715)
Shockwave
Sonic Activation Module
Sonic Encoders
Sonic Update Manager
Spb Wallet
Spb Wallet 1.5.2
SpongeBob SquarePants - Nighty Nightmare
SpongeBob SquarePants - The Movie
Spyware Doctor 6.0
The Sims Makin' Magic
Trend Micro Internet Security Pro
Trend Micro Internet Security Pro
Trend Micro Remote File Lock
U3Launcher
Update for Windows Media Format SDK (KB902344)
Update for Windows Media Player 10 (KB913800)
Update for Windows Media Player 10 (KB926251)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update Rollup 2 for Windows XP Media Center Edition 2005
URL Assistant
Viewpoint Media Player
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
WD Diagnostics
WebCyberCoach 3.2 Dell
WildTangent Web Driver
Windows Live OneCare safety scanner
Windows Media Format Runtime
Windows Media Player 10
Windows Media Player 10 Hotfix - KB894476
Windows Media Player 10 Hotfix [See EmeraldQFE2 for more information]
Windows Mobile® Device Handbook
Windows XP Media Center Edition 2005 KB908246
Windows XP Service Pack 3
WinPatrol 2009
Zoo Tycoon: Complete Collection
surge-on5
Regular Member
 
Posts: 28
Joined: March 31st, 2009, 10:48 pm

Re: Virtumonde

Unread postby surge-on5 » April 5th, 2009, 11:26 pm

Re Two anti-virus programs, I don't see any thing from Norton or Symantec in my add remove list. I removed Norton when I installed Trend about 6 months ago. I did remove Norton Ghost because I wasn't using it, I think Norton Ghost uses the update manager for the anti virus program.
surge-on5
Regular Member
 
Posts: 28
Joined: March 31st, 2009, 10:48 pm

Re: Virtumonde

Unread postby muppy03 » April 6th, 2009, 1:15 am

Please post the MBAM and RSIT logs also ;)
User avatar
muppy03
MRU Emeritus
MRU Emeritus
 
Posts: 4782
Joined: December 4th, 2007, 5:30 am
Location: Australia

Re: Virtumonde

Unread postby surge-on5 » April 6th, 2009, 6:40 am

Here are the MBAM and RSIT logs.
Thanks:

Malwarebytes' Anti-Malware 1.35
Database version: 1943
Windows 5.1.2600 Service Pack 3

4/6/2009 6:24:49 AM
mbam-log-2009-04-06 (06-24-49).txt

Scan type: Full Scan (C:\|D:\|L:\|)
Objects scanned: 216438
Time elapsed: 1 hour(s), 22 minute(s), 1 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 5
Registry Keys Infected: 7
Registry Values Infected: 5
Registry Data Items Infected: 8
Folders Infected: 0
Files Infected: 34

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\nayulowo.dll (Trojan.Vundo.H) -> Delete on reboot.
c:\WINDOWS\system32\dufegoma.dll (Trojan.Vundo.H) -> Delete on reboot.
c:\WINDOWS\system32\lapolude.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\nujeripa.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\suzirowa.dll (Trojan.Vundo.H) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{431d89e7-8089-4cfc-b97d-6d47dbafa423} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{431d89e7-8089-4cfc-b97d-6d47dbafa423} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\dslcnnct (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\d8a013d3 (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\telenogune (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cpmdb93204f (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\ssodl (Trojan.Vundo.H) -> Delete on reboot.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: c:\windows\system32\dufegoma.dll -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: system32\dufegoma.dll -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: c:\windows\system32\lapolude.dll -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: system32\lapolude.dll -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: c:\windows\system32\nujeripa.dll -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\nujeripa.dll -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: system32\nujeripa.dll -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\bihawonu.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\unowahib.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\fofugapi.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ipagufof.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\nayulowo.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\owoluyan.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\tigayadi.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\idayagit.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\womaduzo.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ozudamow.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\yonevufu.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ufuvenoy.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\suzirowa.dll (Trojan.Vundo.H) -> Delete on reboot.
c:\WINDOWS\system32\dufegoma.dll (Trojan.Vundo.H) -> Delete on reboot.
c:\WINDOWS\system32\lapolude.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\nujeripa.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1014\A0102619.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1020\A0105080.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\tunatope.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\hebokipi.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\hibonuli.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\hitivora.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\hizenozo.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lonaneze.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\retegefu.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\giwohide.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lekozeko.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lewiyidi.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\felezope.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\jejowada.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\vozaposo.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\yilinetu.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\zarowoma.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\miperuwo.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

Logfile of random's system information tool 1.06 (written by random/random)
Run by kellly at 2009-04-06 06:34:14
Microsoft Windows XP Professional Service Pack 3
System drive C: has 67 GB (61%) free of 110 GB
Total RAM: 1022 MB (39% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:34:27 AM, on 4/6/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Pure Digital Technologies\FlipShare\FlipShareService.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\TmPfw.exe
C:\Program Files\Trend Micro\TrendSecure\TSCFPlatformCOMSvr.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Dell Photo AIO Printer 944\dlcdmon.exe
C:\Program Files\Dell Photo AIO Printer 944\memcard.exe
C:\WINDOWS\CTHELPER.EXE
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
C:\WINDOWS\system32\CTXFIHLP.EXE
C:\WINDOWS\system32\dlcdcoms.exe
C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Trend Micro\TrendSecure\RemoteFileLock\FLMain.exe
C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Documents and Settings\All Users\Application Data\U3\U3Launcher\LaunchU3.exe
C:\Program Files\Trend Micro\TrendSecure\TSCFCommander.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\TrendSecure\TransactionProtector\Dependent\HSChkProxyExe.exe
C:\WINDOWS\system32\kdfmgr.exe
C:\Documents and Settings\kellly\Desktop\RSIT.exe
C:\Documents and Settings\kellly\Desktop\kellly.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.bellsouth.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
O2 - BHO: TransactionProtector BHO - {C1656CCA-D2EA-4A32-94AE-AE0B180E6449} - C:\Program Files\Trend Micro\TrendSecure\TransactionProtector\TSToolbar.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\Program Files\BAE\BAE.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Transaction Protector - {E7620C98-FCCC-40E5-92EC-C7685D2E1E40} - C:\Program Files\Trend Micro\TrendSecure\TransactionProtector\TSToolbar.dll
O3 - Toolbar: Spb Wallet - {2913D3DD-9363-4C21-B205-C19A584A0674} - C:\Program Files\Spb Wallet\SpbWalletToolbar.dll
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [DLCDCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCDtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [dlcdmon.exe] "C:\Program Files\Dell Photo AIO Printer 944\dlcdmon.exe"
O4 - HKLM\..\Run: [MemoryCardManager] "C:\Program Files\Dell Photo AIO Printer 944\memcard.exe"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe -expressboot
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [TrendSecure Remote File Lock] C:\Program Files\Trend Micro\TrendSecure\RemoteFileLock\FLMain.exe
O4 - HKCU\..\Run: [OE] "C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe"
O4 - HKUS\S-1-5-18\..\RunOnce: [SetDefaultMIDI] MIDIDEF.EXE /s:'Creative SoundFont Synthesizer' /w:'SB Audigy' (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [SetDefaultMIDI] MIDIDEF.EXE /s:'Creative SoundFont Synthesizer' /w:'SB Audigy' (User 'Default user')
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: LaunchU3.exe.lnk = ?
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - https://www.mhsremote.com/Citrix/,DanaI ... icaweb.cab
O16 - DPF: {23BFC42A-A74D-4698-9E20-65E23A090982} (CmActive.CmActiveXDoc) - https://cm.mhs.net/clinx/clinx/cmactivedoc.CAB
O16 - DPF: {275E2FE0-7486-11D0-89D6-00A0C90C9B67} (MCSiMenuCtl Class) - https://clinician.mhs.net/mcsimenu.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www2.snapfish.com/SnapfishActivia.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resour ... se5483.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microso ... 8512698125
O16 - DPF: {6F750202-1362-4815-A476-88533DE61D0C} (Kodak Gallery Easy Upload Manager Class) - http://www.kodakgallery.com/downloads/B ... ofupld.cab
O16 - DPF: {843EE768-3A97-455C-9076-741BA3AD7B62} (QuickBooks Online Edition Utilities Class v10) - https://accounting.quickbooks.com/c1/v1 ... boax10.cab
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupControlXP Class) - https://www.mhsremote.com/dana-cached/s ... tupSP1.cab
O16 - DPF: {F5131C24-E56D-11CF-B78A-444553540000} (Ikonic Menu Control) - https://wc.wachovia.com/common/cab/ikcntrls.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL staufw.dll ,
O23 - Service: Adobe Active File Monitor V7 (AdobeActiveFileMonitor7.0) - Adobe Systems Incorporated - C:\Program Files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: dlcd_device - Unknown owner - C:\WINDOWS\system32\dlcdcoms.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: FlipShare Service - Unknown owner - C:\Program Files\Pure Digital Technologies\FlipShare\FlipShareService.exe
O23 - Service: Google Desktop Manager 5.7.806.10245 (GoogleDesktopManager-061008-081103) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O24 - Desktop Component 1: (no name) - C:\Documents and Settings\kellly\My Documents\Astronomy Widget.html

--
End of file - 13302 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job
C:\WINDOWS\tasks\AppleSoftwareUpdate.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
AcroIEHlprObj Class - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll [2003-11-03 54248]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5CA3D70E-1895-11CF-8E15-001234567890}]
DriveLetterAccess - C:\WINDOWS\System32\DLA\DLASHX_W.DLL [2005-09-08 110652]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
Java(tm) Plug-In SSV Helper - C:\Program Files\Java\jre6\bin\ssv.dll [2009-03-28 320920]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}]
Google Toolbar Helper - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll [2009-02-15 251504]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}]
Google Toolbar Notifier BHO - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll [2009-02-15 657904]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C1656CCA-D2EA-4A32-94AE-AE0B180E6449}]
TSToolbarBHO - C:\Program Files\Trend Micro\TrendSecure\TransactionProtector\TSToolbar.dll [2008-02-15 103760]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C84D72FE-E17D-4195-BB24-76C02E2E7C4E}]
Google Dictionary Compression sdch - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll [2009-02-15 522224]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{CA6319C0-31B7-401E-A518-A07C3DB8F777}]
CBrowserHelperObject Object - c:\Program Files\BAE\BAE.dll [2006-02-22 94208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java(tm) Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2009-03-28 34816]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}]
JQSIEStartDetectorImpl Class - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll [2009-03-28 73728]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{E7620C98-FCCC-40E5-92EC-C7685D2E1E40} - Transaction Protector - C:\Program Files\Trend Micro\TrendSecure\TransactionProtector\TSToolbar.dll [2008-02-15 103760]
{2913D3DD-9363-4C21-B205-C19A584A0674} - Spb Wallet - C:\Program Files\Spb Wallet\SpbWalletToolbar.dll [2008-08-11 89088]
{2318C2B1-4965-11d4-9B18-009027A5CD4F} - &Google Toolbar - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll [2009-02-15 251504]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ehTray"=C:\WINDOWS\ehome\ehtray.exe [2005-09-29 67584]
"SunJavaUpdateSched"=C:\Program Files\Java\jre6\bin\jusched.exe [2009-03-28 136600]
"IAAnotif"=C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe [2005-06-17 139264]
"ATIPTA"=C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe [2005-08-05 344064]
"RealTray"=C:\Program Files\Real\RealPlayer\RealPlay.exe [2006-04-17 26112]
"ISUSPM Startup"=C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe [2005-06-10 249856]
"ISUSScheduler"=C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe [2005-06-10 81920]
"DLA"=C:\WINDOWS\System32\DLA\DLACTRLW.EXE [2005-09-08 122940]
"DLCDCATS"=rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCDtime.dll,_RunDLLEntry@16 []
"dlcdmon.exe"=C:\Program Files\Dell Photo AIO Printer 944\dlcdmon.exe [2005-07-22 430080]
"MemoryCardManager"=C:\Program Files\Dell Photo AIO Printer 944\memcard.exe [2005-06-27 282624]
"CTHelper"=C:\WINDOWS\CTHELPER.EXE [2005-11-08 16384]
"CTxfiHlp"=C:\WINDOWS\system32\CTXFIHLP.EXE [2006-03-02 18944]
"UfSeAgnt.exe"=C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe [2008-07-29 1398024]
"QuickTime Task"=C:\Program Files\QuickTime\QTTask.exe [2009-01-05 413696]
"iTunesHelper"=C:\Program Files\iTunes\iTunesHelper.exe [2009-01-06 290088]
"ISTray"=C:\Program Files\Spyware Doctor\pctsTray.exe [2008-12-08 1173384]
"WinPatrol"=C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe [2009-03-17 337216]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"=C:\Program Files\Messenger\msmsgs.exe [2008-04-13 1695232]
"swg"=C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [2007-07-02 68856]
"H/PC Connection Agent"=C:\Program Files\Microsoft ActiveSync\wcescomm.exe [2006-11-13 1289000]
"TrendSecure Remote File Lock"=C:\Program Files\Trend Micro\TrendSecure\RemoteFileLock\FLMain.exe [2008-02-15 423248]
"OE"=C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe [2008-02-16 492808]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe
LaunchU3.exe.lnk - C:\WINDOWS\Installer\{D8E363A7-88B7-446D-B2C0-E26CE4DC8E54}\_294823.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLS"="C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL staufw.dll , "

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
C:\WINDOWS\system32\WgaLogon.dll [2007-03-15 236928]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\sdauxservice]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\sdcoreservice]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\Common Files\AOL\ACS\AOLDial.exe"="C:\Program Files\Common Files\AOL\ACS\AOLDial.exe:*:Enabled:AOL"
"C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe"="C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe:*:Enabled:AOL"
"C:\Program Files\Messenger\msmsgs.exe"="C:\Program Files\Messenger\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\Program Files\America Online 9.0\waol.exe"="C:\Program Files\America Online 9.0\waol.exe:*:Enabled:America Online 9.0"
"C:\WINDOWS\system32\fxsclnt.exe"="C:\WINDOWS\system32\fxsclnt.exe:*:Enabled:Microsoft Fax Console"
"C:\Program Files\Internet Explorer\IEXPLORE.EXE"="C:\Program Files\Internet Explorer\IEXPLORE.EXE:*:Enabled:Internet Explorer"
"C:\Program Files\Common Files\AOL\Loader\aolload.exe"="C:\Program Files\Common Files\AOL\Loader\aolload.exe:*:Enabled:AOL Loader"
"C:\Program Files\Juniper Networks\Secure Application Manager\dsSamProxy.exe"="C:\Program Files\Juniper Networks\Secure Application Manager\dsSamProxy.exe:*:Enabled:Secure Application Manager Proxy"
"C:\Program Files\Microsoft ActiveSync\rapimgr.exe"="C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager"
"C:\Program Files\Microsoft ActiveSync\wcescomm.exe"="C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager"
"C:\Program Files\Microsoft ActiveSync\WCESMgr.exe"="C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\Bonjour\mDNSResponder.exe"="C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\Program Files\iTunes\iTunes.exe"="C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes"
"C:\WINDOWS\explorer.exe"="C:\WINDOWS\explorer.exe:*:Enabled:Explorer"
"C:\Program Files\Adobe\Photoshop Elements 7.0\AdobePhotoshopElementsMediaServer.exe"="C:\Program Files\Adobe\Photoshop Elements 7.0\AdobePhotoshopElementsMediaServer.exe:*:Disabled:Adobe Photoshop Elements Media Server"
"C:\WINDOWS\system32\logonui.exe"="C:\WINDOWS\system32\logonui.exe:*:Enabled:logonui"
"C:\Program Files\Trend Micro\Internet Security\TmProxy.exe"="C:\Program Files\Trend Micro\Internet Security\TmProxy.exe:*:Enabled:TmProxy"
"C:\WINDOWS\system32\lsass.exe"="C:\WINDOWS\system32\lsass.exe:*:Enabled:lsass"
"C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe"="C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe:*:Enabled:SfCtlCom"
"C:\WINDOWS\system32\winlogon.exe"="C:\WINDOWS\system32\winlogon.exe:*:Enabled:winlogon"
"C:\WINDOWS\ehome\ehrecvr.exe"="C:\WINDOWS\ehome\ehrecvr.exe:*:Enabled:ehRecvr"
"C:\Program Files\Norton Ghost\Agent\VProSvc.exe"="C:\Program Files\Norton Ghost\Agent\VProSvc.exe:*:Enabled:VProSvc"
"C:\Program Files\Viewpoint\Common\ViewpointService.exe"="C:\Program Files\Viewpoint\Common\ViewpointService.exe:*:Enabled:ViewpointService"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\Common Files\AOL\ACS\AOLDial.exe"="C:\Program Files\Common Files\AOL\ACS\AOLDial.exe:*:Enabled:AOL"
"C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe"="C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe:*:Enabled:AOL"
"C:\Program Files\America Online 9.0\waol.exe"="C:\Program Files\America Online 9.0\waol.exe:*:Enabled:America Online 9.0"
"C:\Program Files\Microsoft ActiveSync\rapimgr.exe"="C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager"
"C:\Program Files\Microsoft ActiveSync\wcescomm.exe"="C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager"
"C:\Program Files\Microsoft ActiveSync\WCESMgr.exe"="C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{12b1fbc0-e6bb-11dc-9448-001372c72725}]
shell\AutoRun\command - M:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
shell\AutoRun\command - E:\setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5d65c89a-d20c-11dd-9480-001372c72725}]
shell\AutoRun\command - M:\Setup_FlipShare.exe
shell\Setup FlipShare\command - M:\Setup_FlipShare.exe


======List of files/folders created in the last 3 months======

65535-65535-31889 379:31889:443 ----ASH---- C:\WINDOWS\system32\zugeyale.dll
65535-65535-31889 379:31889:443 ----ASH---- C:\WINDOWS\system32\zimebopu.dll
65535-65535-31889 379:31889:443 ----ASH---- C:\WINDOWS\system32\zigulutu.dll
65535-65535-31889 379:31889:443 ----ASH---- C:\WINDOWS\system32\zefugabe.dll
65535-65535-31889 379:31889:443 ----ASH---- C:\WINDOWS\system32\yumafiba.exe
65535-65535-31889 379:31889:443 ----ASH---- C:\WINDOWS\system32\yowibejo.dll
65535-65535-31889 379:31889:443 ----ASH---- C:\WINDOWS\system32\yivezopo.dll
65535-65535-31889 379:31889:443 ----ASH---- C:\WINDOWS\system32\yijoyave.exe
65535-65535-31889 379:31889:443 ----ASH---- C:\WINDOWS\system32\wuwozoza.exe
65535-65535-31889 379:31889:443 ----ASH---- C:\WINDOWS\system32\wuwopusi.dll
65535-65535-31889 379:31889:443 ----ASH---- C:\WINDOWS\system32\wokirowu.dll
65535-65535-31889 379:31889:443 ----ASH---- C:\WINDOWS\system32\wivovego.dll
65535-65535-31889 379:31889:443 ----ASH---- C:\WINDOWS\system32\wideloza.dll
65535-65535-31889 379:31889:443 ----ASH---- C:\WINDOWS\system32\wakojahe.dll
65535-65535-31889 379:31889:443 ----ASH---- C:\WINDOWS\system32\vipuliji.dll
65535-65535-31889 379:31889:443 ----ASH---- C:\WINDOWS\system32\vidinesa.dll
65535-65535-31889 379:31889:443 ----ASH---- C:\WINDOWS\system32\tevijohe.dll
65535-65535-31889 379:31889:443 ----ASH---- C:\WINDOWS\system32\sohotuwa.dll
65535-65535-31889 379:31889:443 ----ASH---- C:\WINDOWS\system32\sinidopa.dll
65535-65535-31889 379:31889:443 ----ASH---- C:\WINDOWS\system32\sevayija.dll
65535-65535-31889 379:31889:443 ----ASH---- C:\WINDOWS\system32\sanipomu.dll
65535-65535-31889 379:31889:443 ----ASH---- C:\WINDOWS\system32\rusaheke.dll
65535-65535-31889 379:31889:443 ----ASH---- C:\WINDOWS\system32\pamagefi.exe
65535-65535-31889 379:31889:443 ----ASH---- C:\WINDOWS\system32\pakebewe.exe
65535-65535-31889 379:31889:443 ----ASH---- C:\WINDOWS\system32\napuduti.dll
65535-65535-31889 379:31889:443 ----ASH---- C:\WINDOWS\system32\mefibena.dll
65535-65535-31889 379:31889:443 ----ASH---- C:\WINDOWS\system32\lokobufa.dll
65535-65535-31889 379:31889:443 ----ASH---- C:\WINDOWS\system32\lizoneho.dll
65535-65535-31889 379:31889:443 ----ASH---- C:\WINDOWS\system32\lejiyuvo.dll
65535-65535-31889 379:31889:443 ----ASH---- C:\WINDOWS\system32\leboboga.dll
65535-65535-31889 379:31889:443 ----ASH---- C:\WINDOWS\system32\lamugili.dll
65535-65535-31889 379:31889:443 ----ASH---- C:\WINDOWS\system32\kimupuye.dll
65535-65535-31889 379:31889:443 ----ASH---- C:\WINDOWS\system32\jezalefa.dll
65535-65535-31889 379:31889:443 ----ASH---- C:\WINDOWS\system32\hopalafo.dll
65535-65535-31889 379:31889:443 ----ASH---- C:\WINDOWS\system32\higalepo.dll
65535-65535-31889 379:31889:443 ----ASH---- C:\WINDOWS\system32\hehoroku.dll
65535-65535-31889 379:31889:443 ----ASH---- C:\WINDOWS\system32\gojuhuji.exe
65535-65535-31889 379:31889:443 ----ASH---- C:\WINDOWS\system32\gifuzasa.dll
65535-65535-31889 379:31889:443 ----ASH---- C:\WINDOWS\system32\fidavine.dll
2009-04-06 06:34:14 ----D---- C:\rsit
2009-04-05 23:28:58 ----D---- C:\Documents and Settings\kellly\Application Data\Malwarebytes
2009-04-05 23:28:39 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2009-04-05 23:28:39 ----D---- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2009-04-04 19:13:45 ----SH---- C:\WINDOWS\system32\afuharag.ini
2009-04-04 07:58:37 ----D---- C:\VundoFix Backups
2009-04-04 07:58:37 ----A---- C:\VundoFix.txt
2009-04-04 07:40:17 ----D---- C:\Documents and Settings\kellly\Application Data\WinPatrol
2009-04-04 07:39:47 ----D---- C:\Program Files\BillP Studios
2009-04-04 07:25:12 ----SHD---- C:\Config.Msi
2009-04-02 18:20:53 ----SH---- C:\WINDOWS\system32\epohador.ini
2009-04-01 08:33:19 ----SH---- C:\WINDOWS\system32\okabizek.ini
2009-03-31 21:45:06 ----SH---- C:\WINDOWS\system32\ozavokal.ini
2009-03-31 08:32:56 ----SH---- C:\WINDOWS\system32\atusanot.ini
2009-03-31 07:10:48 ----SHD---- C:\WINDOWS\CSC
2009-03-31 07:10:39 ----A---- C:\WINDOWS\ntbtlog.txt
2009-03-30 20:23:35 ----AD---- C:\Documents and Settings\All Users\Application Data\TEMP
2009-03-30 20:23:31 ----D---- C:\Program Files\Common Files\PC Tools
2009-03-30 20:23:25 ----D---- C:\Program Files\Spyware Doctor
2009-03-30 20:23:25 ----D---- C:\Documents and Settings\kellly\Application Data\PC Tools
2009-03-30 20:23:25 ----D---- C:\Documents and Settings\All Users\Application Data\PC Tools
2009-03-30 08:32:39 ----SH---- C:\WINDOWS\system32\irofuwov.ini
2009-03-30 07:43:27 ----D---- C:\Program Files\Windows Live Safety Center
2009-03-28 11:04:10 ----A---- C:\WINDOWS\system32\javaws.exe
2009-03-28 11:04:10 ----A---- C:\WINDOWS\system32\javaw.exe
2009-03-28 11:04:10 ----A---- C:\WINDOWS\system32\java.exe
2009-03-28 11:04:10 ----A---- C:\WINDOWS\system32\deploytk.dll
2009-03-28 09:40:03 ----D---- C:\Documents and Settings\All Users\Application Data\Lavasoft
2009-03-24 06:58:46 ----A---- C:\AdobeDebug.txt
2009-03-24 06:58:45 ----D---- C:\Documents and Settings\All Users\Application Data\espionServerData
2009-03-24 06:49:32 ----D---- C:\Documents and Settings\All Users\Application Data\FLEXnet
2009-03-24 06:41:43 ----D---- C:\Program Files\Common Files\Adobe AIR
2009-03-24 06:40:45 ----D---- C:\Program Files\Common Files\Macrovision Shared
2009-03-24 06:35:58 ----N---- C:\WINDOWS\system32\pxhpinst.exe
2009-03-24 06:35:58 ----N---- C:\WINDOWS\system32\pxafs.dll
2009-03-11 06:45:16 ----HDC---- C:\WINDOWS\$NtUninstallKB960225$
2009-03-11 06:45:09 ----HDC---- C:\WINDOWS\$NtUninstallKB938464-v2$
2009-03-11 06:44:55 ----HDC---- C:\WINDOWS\$NtUninstallKB958690$
2009-03-03 20:45:03 ----D---- C:\WINDOWS\system32\log
2009-02-25 20:25:04 ----HDC---- C:\WINDOWS\$NtUninstallKB967715$
2009-02-12 04:00:38 ----HDC---- C:\WINDOWS\$NtUninstallKB960715$
2009-01-24 11:18:13 ----D---- C:\Program Files\iPod
2009-01-24 11:18:03 ----D---- C:\Program Files\iTunes
2009-01-24 11:18:03 ----D---- C:\Documents and Settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2009-01-24 11:16:06 ----D---- C:\Program Files\Bonjour
2009-01-24 11:07:49 ----D---- C:\Program Files\Safari
2009-01-17 14:35:55 ----A---- C:\WINDOWS\WORDPAD.INI
2009-01-14 04:02:20 ----HDC---- C:\WINDOWS\$NtUninstallKB958687$

======List of files/folders modified in the last 3 months======

2009-04-06 06:33:48 ----D---- C:\WINDOWS\Prefetch
2009-04-06 06:31:55 ----A---- C:\WINDOWS\system32\kdfvmgr.exe
2009-04-06 06:31:54 ----D---- C:\WINDOWS\system32\drivers
2009-04-06 06:31:54 ----D---- C:\WINDOWS\system32
2009-04-06 06:31:54 ----A---- C:\WINDOWS\system32\kdfmgr.exe
2009-04-06 06:31:54 ----A---- C:\WINDOWS\system32\Kdfhok.dll
2009-04-06 06:31:54 ----A---- C:\WINDOWS\system32\kdfapi.dll
2009-04-06 06:31:29 ----D---- C:\WINDOWS\Temp
2009-04-06 06:31:03 ----D---- C:\Program Files\Dl_cats
2009-04-06 06:30:32 ----D---- C:\WINDOWS
2009-04-06 06:30:13 ----D---- C:\WINDOWS\Registration
2009-04-06 06:30:03 ----D---- C:\WINDOWS\system32\CatRoot2
2009-04-06 06:29:46 ----A---- C:\WINDOWS\ModemLog_Conexant D850 56K V.9x DFVc Modem.txt
2009-04-06 06:26:06 ----A---- C:\WINDOWS\SchedLgU.Txt
2009-04-05 23:28:39 ----D---- C:\Program Files
2009-04-05 22:00:15 ----A---- C:\WINDOWS\IE4 Error Log.txt
2009-04-04 07:48:29 ----D---- C:\Program Files\Common Files\Symantec Shared
2009-04-04 07:29:34 ----D---- C:\Program Files\Napster
2009-04-04 07:29:27 ----D---- C:\Documents and Settings\All Users\Application Data\Napster
2009-04-04 07:29:20 ----SHD---- C:\WINDOWS\Installer
2009-04-04 07:29:13 ----D---- C:\Program Files\Common Files
2009-04-04 07:29:12 ----D---- C:\Program Files\Common Files\Roxio Shared
2009-04-04 07:25:31 ----D---- C:\Documents and Settings\All Users\Application Data\Symantec
2009-04-04 07:20:47 ----D---- C:\Program Files\Common Files\AOL
2009-04-04 07:20:40 ----D---- C:\Documents and Settings\All Users\Application Data\AOL
2009-04-04 07:20:22 ----SD---- C:\WINDOWS\Downloaded Program Files
2009-04-03 21:18:30 ----HD---- C:\WINDOWS\inf
2009-04-02 07:44:28 ----D---- C:\Program Files\Outlook Express
2009-03-31 20:33:02 ----ASH---- C:\WINDOWS\system32\yofivowi.dll
2009-03-30 20:46:23 ----SD---- C:\Documents and Settings\All Users\Application Data\Microsoft
2009-03-30 20:46:23 ----D---- C:\Documents and Settings\kellly\Application Data\Lavasoft
2009-03-30 20:41:36 ----DC---- C:\WINDOWS\system32\DRVSTORE
2009-03-30 07:40:21 ----D---- C:\WINDOWS\system32\CatRoot
2009-03-28 11:03:42 ----D---- C:\Program Files\Java
2009-03-28 09:50:01 ----SD---- C:\WINDOWS\Tasks
2009-03-28 09:39:58 ----D---- C:\WINDOWS\WinSxS
2009-03-24 08:32:36 ----D---- C:\Documents and Settings\kellly\Application Data\Adobe
2009-03-24 06:50:02 ----D---- C:\Documents and Settings\All Users\Application Data\Adobe
2009-03-24 06:41:50 ----D---- C:\Program Files\Adobe
2009-03-24 06:40:47 ----D---- C:\Program Files\Common Files\Adobe
2009-03-24 06:37:32 ----RSD---- C:\WINDOWS\Fonts
2009-03-24 06:35:51 ----N---- C:\WINDOWS\system32\pxdrv.dll
2009-03-24 06:35:50 ----N---- C:\WINDOWS\system32\PxSFS.DLL
2009-03-24 06:35:50 ----N---- C:\WINDOWS\system32\PxMas.dll
2009-03-24 06:35:49 ----N---- C:\WINDOWS\system32\PxWave.dll
2009-03-24 06:35:49 ----N---- C:\WINDOWS\system32\Px.dll
2009-03-19 21:21:22 ----D---- C:\Documents and Settings\kellly\Application Data\AdobeUM
2009-03-13 23:41:12 ----D---- C:\Documents and Settings\All Users\Application Data\Juniper Networks
2009-03-13 23:39:44 ----D---- C:\Documents and Settings\kellly\Application Data\Juniper Networks
2009-03-11 06:53:28 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI
2009-03-11 06:45:18 ----RSHD---- C:\WINDOWS\system32\dllcache
2009-03-11 06:45:12 ----A---- C:\WINDOWS\imsins.BAK
2009-03-10 17:37:22 ----HD---- C:\WINDOWS\$hf_mig$
2009-02-15 19:46:37 ----D---- C:\Program Files\Google
2009-02-15 11:04:13 ----D---- C:\Documents and Settings\All Users\Application Data\Google
2009-01-24 11:28:19 ----D---- C:\Program Files\Apple Software Update
2009-01-24 11:18:13 ----D---- C:\Program Files\Common Files\Apple
2009-01-24 11:15:40 ----D---- C:\Program Files\QuickTime
2009-01-10 21:00:31 ----A---- C:\WINDOWS\win.ini

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 DLACDBHM;DLACDBHM; C:\WINDOWS\System32\Drivers\DLACDBHM.SYS [2005-08-25 5628]
R1 DLARTL_N;DLARTL_N; C:\WINDOWS\System32\Drivers\DLARTL_N.SYS [2005-08-25 22684]
R1 intelppm;Intel Processor Driver; C:\WINDOWS\system32\DRIVERS\intelppm.sys [2008-04-13 36352]
R1 kbdhid;Keyboard HID Driver; C:\WINDOWS\system32\DRIVERS\kbdhid.sys [2008-04-13 14592]
R1 NEOFLTR_600_12507;Juniper Networks TDI Filter Driver (NEOFLTR_600_12507); \??\C:\WINDOWS\system32\Drivers\NEOFLTR_600_12507.SYS []
R1 NEOFLTR_620_13687;Juniper Networks TDI Filter Driver (NEOFLTR_620_13687); \??\C:\WINDOWS\system32\Drivers\NEOFLTR_620_13687.SYS []
R1 tmtdi;Trend Micro TDI Driver; C:\WINDOWS\system32\DRIVERS\tmtdi.sys [2008-02-16 65936]
R2 ASCTRM;ASCTRM; C:\WINDOWS\system32\drivers\ASCTRM.sys [2006-04-17 8552]
R2 DLABOIOM;DLABOIOM; C:\WINDOWS\System32\DLA\DLABOIOM.SYS [2005-09-08 25628]
R2 DLADResN;DLADResN; C:\WINDOWS\System32\DLA\DLADResN.SYS [2005-09-08 2496]
R2 DLAIFS_M;DLAIFS_M; C:\WINDOWS\System32\DLA\DLAIFS_M.SYS [2005-09-08 86524]
R2 DLAOPIOM;DLAOPIOM; C:\WINDOWS\System32\DLA\DLAOPIOM.SYS [2005-09-08 14684]
R2 DLAPoolM;DLAPoolM; C:\WINDOWS\System32\DLA\DLAPoolM.SYS [2005-09-08 6364]
R2 DLAUDF_M;DLAUDF_M; C:\WINDOWS\System32\DLA\DLAUDF_M.SYS [2005-09-08 87036]
R2 DLAUDFAM;DLAUDFAM; C:\WINDOWS\System32\DLA\DLAUDFAM.SYS [2005-09-08 94332]
R2 DRVNDDM;DRVNDDM; C:\WINDOWS\System32\Drivers\DRVNDDM.SYS [2005-08-12 40544]
R2 dsunidrv;DellSupport UniDriver; C:\WINDOWS\system32\DRIVERS\dsunidrv.sys [2007-02-25 5376]
R2 mdmxsdk;mdmxsdk; C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys [2003-04-09 11043]
R2 tmactmon;tmactmon; \??\C:\WINDOWS\system32\drivers\tmactmon.sys []
R2 tmcomm;tmcomm; \??\C:\WINDOWS\system32\drivers\tmcomm.sys []
R2 tmevtmgr;tmevtmgr; \??\C:\WINDOWS\system32\drivers\tmevtmgr.sys []
R2 tmpreflt;tmpreflt; C:\WINDOWS\system32\DRIVERS\tmpreflt.sys [2008-11-26 36368]
R2 tmxpflt;tmxpflt; C:\WINDOWS\system32\DRIVERS\tmxpflt.sys [2008-11-26 205328]
R2 vsapint;vsapint; C:\WINDOWS\system32\DRIVERS\vsapint.sys [2008-11-26 1195384]
R3 ati2mtag;ati2mtag; C:\WINDOWS\system32\DRIVERS\ati2mtag.sys [2005-08-04 1273344]
R3 ctac32k;Creative AC3 Software Decoder; C:\WINDOWS\system32\drivers\ctac32k.sys [2005-11-08 502272]
R3 ctaud2k;Creative Audio Driver (WDM); C:\WINDOWS\system32\drivers\ctaud2k.sys [2005-11-08 439680]
R3 ctprxy2k;Creative Proxy Driver; C:\WINDOWS\system32\drivers\ctprxy2k.sys [2005-11-08 7168]
R3 ctsfm2k;Creative SoundFont Management Device Driver; C:\WINDOWS\system32\drivers\ctsfm2k.sys [2005-11-08 143360]
R3 E100B;Intel(R) PRO Network Connection Driver; C:\WINDOWS\system32\DRIVERS\e100b325.sys [2004-10-14 155648]
R3 emupia;E-mu Plug-in Architecture Driver; C:\WINDOWS\system32\drivers\emupia2k.sys [2005-11-08 77824]
R3 GearAspiWDM;GEAR ASPI Filter Driver; C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys [2008-04-17 15464]
R3 ha20x2k;Creative 20X HAL Driver; C:\WINDOWS\system32\drivers\ha20x2k.sys [2006-02-15 1096192]
R3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2008-04-13 10368]
R3 HSF_DP;HSF_DP; C:\WINDOWS\system32\DRIVERS\HSF_DP.sys [2003-11-17 1042432]
R3 HSFHWBS2;HSFHWBS2; C:\WINDOWS\system32\DRIVERS\HSFHWBS2.sys [2003-11-17 212224]
R3 MODEMCSA;Unimodem Streaming Filter Device; C:\WINDOWS\system32\drivers\MODEMCSA.sys [2001-08-17 16128]
R3 mouhid;Mouse HID Driver; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2001-08-17 12160]
R3 neokdss;neokdss; C:\WINDOWS\system32\Drivers\neokdss.sys []
R3 ossrv;Creative OS Services Driver; C:\WINDOWS\system32\drivers\ctoss2k.sys [2005-11-08 114688]
R3 tmcfw;Trend Micro Common Firewall Service; C:\WINDOWS\system32\DRIVERS\TM_CFW.sys [2008-02-16 333328]
R3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2008-04-13 32128]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2008-04-13 30208]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2008-04-13 59520]
R3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2008-04-13 25856]
R3 usbscan;USB Scanner Driver; C:\WINDOWS\system32\DRIVERS\usbscan.sys [2008-04-13 15104]
R3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2008-04-13 20608]
R3 winachsf;winachsf; C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys [2003-11-17 680704]
S3 bvrp_pci;bvrp_pci; C:\WINDOWS\system32\drivers\bvrp_pci.sys []
S3 ctdvda2k;Creative DVD-Audio Device Driver; C:\WINDOWS\system32\drivers\ctdvda2k.sys [2005-07-13 340704]
S3 DSproct;DSproct; \??\C:\Program Files\DellSupport\GTAction\triggers\DSproct.sys []
S3 MHNDRV;MHN driver; C:\WINDOWS\system32\DRIVERS\mhndrv.sys [2004-08-10 11008]
S3 nv;nv; C:\WINDOWS\system32\DRIVERS\nv4_mini.sys [2004-08-03 1897408]
S3 usb_rndisx;USB RNDIS Adapter; C:\WINDOWS\system32\DRIVERS\usb8023x.sys [2008-04-13 12800]
S3 USBAAPL;Apple Mobile USB Driver; C:\WINDOWS\System32\Drivers\usbaapl.sys [2008-11-07 32000]
S3 wanatw;WAN Miniport (ATW); C:\WINDOWS\system32\DRIVERS\wanatw4.sys []
S3 WpdUsb;WpdUsb; C:\WINDOWS\System32\Drivers\wpdusb.sys [2006-03-03 18944]
S4 agp440;Intel AGP Bus Filter; C:\WINDOWS\system32\DRIVERS\agp440.sys [2008-04-13 42368]
S4 agpCPQ;Compaq AGP Bus Filter; C:\WINDOWS\system32\DRIVERS\agpCPQ.sys [2008-04-13 44928]
S4 alim1541;ALI AGP Bus Filter; C:\WINDOWS\system32\DRIVERS\alim1541.sys [2008-04-13 42752]
S4 amdagp;AMD AGP Bus Filter Driver; C:\WINDOWS\system32\DRIVERS\amdagp.sys [2008-04-13 43008]
S4 cbidf;cbidf; C:\WINDOWS\system32\DRIVERS\cbidf2k.sys [2001-08-17 13952]
S4 IntelIde;IntelIde; C:\WINDOWS\system32\DRIVERS\intelide.sys [2008-04-13 5504]
S4 sisagp;SIS AGP Bus Filter; C:\WINDOWS\system32\DRIVERS\sisagp.sys [2008-04-13 40960]
S4 viaagp;VIA AGP Bus Filter; C:\WINDOWS\system32\DRIVERS\viaagp.sys [2008-04-13 42240]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 AdobeActiveFileMonitor7.0;Adobe Active File Monitor V7; C:\Program Files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe [2008-09-16 169312]
R2 Apple Mobile Device;Apple Mobile Device; C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe [2008-11-07 132424]
R2 Ati HotKey Poller;Ati HotKey Poller; C:\WINDOWS\system32\Ati2evxx.exe [2005-08-04 380928]
R2 Bonjour Service;Bonjour Service; C:\Program Files\Bonjour\mDNSResponder.exe [2008-08-29 238888]
R2 Creative Service for CDROM Access;Creative Service for CDROM Access; C:\WINDOWS\system32\CTsvcCDA.exe [1999-12-12 44032]
R2 ehRecvr;Media Center Receiver Service; C:\WINDOWS\eHome\ehRecvr.exe [2005-10-11 237568]
R2 ehSched;Media Center Scheduler Service; C:\WINDOWS\eHome\ehSched.exe [2005-08-05 102912]
R2 Fax;Fax; C:\WINDOWS\system32\fxssvc.exe [2008-04-13 267776]
R2 FlipShare Service;FlipShare Service; C:\Program Files\Pure Digital Technologies\FlipShare\FlipShareService.exe [2008-11-13 439616]
R2 IAANTMon;Intel(R) Matrix Storage Event Monitor; C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe [2005-06-17 86140]
R2 JavaQuickStarterService;Java Quick Starter; C:\Program Files\Java\jre6\bin\jqs.exe [2009-03-28 152984]
R2 McrdSvc;Media Center Extender Service; C:\WINDOWS\ehome\mcrdsvc.exe [2005-08-05 99328]
R2 sdAuxService;PC Tools Auxiliary Service; C:\Program Files\Spyware Doctor\pctsAuxs.exe [2009-01-07 348752]
R2 sdCoreService;PC Tools Security Service; C:\Program Files\Spyware Doctor\pctsSvc.exe [2009-01-21 1095560]
R2 SfCtlCom;Trend Micro Central Control Component; C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe [2009-02-19 700760]
R2 TMBMServer;Trend Micro Unauthorized Change Prevention Service; C:\Program Files\Trend Micro\BM\TMBMSRV.exe [2008-02-16 333064]
R2 UMWdf;Windows User Mode Driver Framework; C:\WINDOWS\system32\wdfmgr.exe [2005-08-03 38912]
R2 Viewpoint Manager Service;Viewpoint Manager Service; C:\Program Files\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652]
R3 dlcd_device;dlcd_device; C:\WINDOWS\system32\dlcdcoms.exe [2005-06-21 491520]
R3 iPod Service;iPod Service; C:\Program Files\iPod\bin\iPodService.exe [2009-01-06 536872]
R3 TmPfw;Trend Micro Personal Firewall; C:\PROGRA~1\TRENDM~1\INTERN~2\TmPfw.exe [2008-02-16 488768]
R3 tmproxy;Trend Micro Proxy Service; C:\Program Files\Trend Micro\Internet Security\TmProxy.exe [2008-02-16 648456]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe [2004-07-15 32768]
S3 DSBrokerService;DSBrokerService; C:\Program Files\DellSupport\brkrsvc.exe [2007-03-07 76848]
S3 FLEXnet Licensing Service;FLEXnet Licensing Service; C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe [2009-03-24 651720]
S3 GoogleDesktopManager-061008-081103;Google Desktop Manager 5.7.806.10245; C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe [2008-08-21 29744]
S3 gusvc;Google Updater Service; C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-02-15 137200]
S3 MHN;MHN; C:\WINDOWS\System32\svchost.exe [2008-04-13 14336]
S3 NetSvc;Intel NCS NetService; C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe [2004-11-19 147456]

-----------------EOF-----------------
surge-on5
Regular Member
 
Posts: 28
Joined: March 31st, 2009, 10:48 pm

Re: Virtumonde

Unread postby muppy03 » April 6th, 2009, 4:08 pm

Download and run Combofix
This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


Please download ComboFix from one of these locations:

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
  • If you need help to disable your protection programs see here.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Image
Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Image
Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply along with a fresh HijackThis log.

If you need help, see this link:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix



Please reply with:-


  • New HJT log
  • Combofix log
User avatar
muppy03
MRU Emeritus
MRU Emeritus
 
Posts: 4782
Joined: December 4th, 2007, 5:30 am
Location: Australia

Re: Virtumonde

Unread postby surge-on5 » April 6th, 2009, 8:29 pm

ComboFix log and new HJT log.

ComboFix 09-04-04.01 - kellly 2009-04-06 20:08:17.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.502 [GMT -4:00]
Running from: c:\documents and settings\kellly\Desktop\ComboFix.exe
AV: Trend Micro Internet Security Pro *On-access scanning disabled* (Updated)
FW: Trend Micro Personal Firewall *disabled*
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\IE4 Error Log.txt
c:\windows\system32\afuharag.ini
c:\windows\system32\atusanot.ini
c:\windows\system32\epohador.ini
c:\windows\system32\gifuzasa.dll
c:\windows\system32\irofuwov.ini
c:\windows\system32\lizoneho.dll
c:\windows\system32\okabizek.ini
c:\windows\system32\ozavokal.ini
c:\windows\system32\tevijohe.dll
c:\windows\system32\wivovego.dll
c:\windows\system32\wuwopusi.dll
c:\windows\system32\yivezopo.dll
c:\windows\system32\yofivowi.dll
L:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2009-03-07 to 2009-04-07 )))))))))))))))))))))))))))))))
.

2009-04-06 20:13 . 2009-04-06 20:13 <DIR> d-------- c:\windows\LastGood
2009-04-06 06:34 . 2009-04-06 06:34 <DIR> d-------- C:\rsit
2009-04-05 23:28 . 2009-04-05 23:28 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-04-05 23:28 . 2009-04-05 23:28 <DIR> d-------- c:\documents and settings\kellly\Application Data\Malwarebytes
2009-04-05 23:28 . 2009-04-05 23:28 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-04-05 23:28 . 2009-03-26 16:49 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-05 23:28 . 2009-03-26 16:49 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-04-04 07:58 . 2009-04-04 07:58 <DIR> d-------- C:\VundoFix Backups
2009-04-04 07:40 . 2009-04-04 07:40 <DIR> d-------- c:\documents and settings\kellly\Application Data\WinPatrol
2009-04-04 07:39 . 2009-04-04 07:39 <DIR> d-------- c:\program files\BillP Studios
2009-03-30 20:23 . 2009-04-06 06:42 <DIR> d-------- c:\program files\Spyware Doctor
2009-03-30 20:23 . 2009-03-30 20:24 <DIR> d-------- c:\program files\Common Files\PC Tools
2009-03-30 20:23 . 2009-03-30 20:23 <DIR> d-------- c:\documents and settings\kellly\Application Data\PC Tools
2009-03-30 20:23 . 2009-04-06 20:05 <DIR> d-a------ c:\documents and settings\All Users\Application Data\TEMP
2009-03-30 20:23 . 2009-03-30 20:23 <DIR> d-------- c:\documents and settings\All Users\Application Data\PC Tools
2009-03-30 20:23 . 2008-12-11 08:38 159,600 --a------ c:\windows\system32\drivers\pctgntdi.sys
2009-03-30 20:23 . 2009-03-06 16:45 130,424 --a------ c:\windows\system32\drivers\PCTCore.sys
2009-03-30 20:23 . 2008-12-18 12:16 73,840 --a------ c:\windows\system32\drivers\PCTAppEvent.sys
2009-03-30 20:23 . 2008-12-10 12:36 64,392 --a------ c:\windows\system32\drivers\pctplsg.sys
2009-03-30 07:43 . 2009-03-30 07:45 <DIR> d-------- c:\program files\Windows Live Safety Center
2009-03-28 11:04 . 2009-03-28 11:03 410,984 --a------ c:\windows\system32\deploytk.dll
2009-03-28 09:40 . 2009-03-30 20:41 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2009-03-24 06:58 . 2009-03-24 06:58 <DIR> d-------- c:\documents and settings\All Users\Application Data\espionServerData
2009-03-24 06:49 . 2009-03-24 06:49 <DIR> d-------- c:\documents and settings\All Users\Application Data\FLEXnet
2009-03-24 06:41 . 2009-03-24 06:41 <DIR> d-------- c:\program files\Common Files\Adobe AIR
2009-03-24 06:40 . 2009-03-24 06:40 <DIR> d-------- c:\program files\Common Files\Macrovision Shared
2009-03-24 06:35 . 2009-03-24 06:35 129,784 --------- c:\windows\system32\pxafs.dll
2009-03-24 06:35 . 2009-03-24 06:35 39,672 --a------ c:\windows\system32\vxblock.dl~

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-07 00:15 --------- d-----w c:\program files\Dl_cats
2009-04-04 11:48 --------- d-----w c:\program files\Common Files\Symantec Shared
2009-04-04 11:29 --------- d-----w c:\program files\Napster
2009-04-04 11:29 --------- d-----w c:\program files\Common Files\Roxio Shared
2009-04-04 11:29 --------- d-----w c:\documents and settings\All Users\Application Data\Napster
2009-04-04 11:25 --------- d-----w c:\documents and settings\All Users\Application Data\Symantec
2009-04-04 11:20 --------- d-----w c:\program files\Common Files\AOL
2009-04-04 11:20 --------- d-----w c:\documents and settings\All Users\Application Data\AOL
2009-03-31 00:46 --------- d-----w c:\documents and settings\kellly\Application Data\Lavasoft
2009-03-28 15:03 --------- d-----w c:\program files\Java
2009-03-24 10:40 --------- d-----w c:\program files\Common Files\Adobe
2009-03-20 01:21 --------- d-----w c:\documents and settings\kellly\Application Data\AdobeUM
2009-03-14 03:41 --------- d-----w c:\documents and settings\All Users\Application Data\Juniper Networks
2009-03-14 03:39 --------- d-----w c:\documents and settings\kellly\Application Data\Juniper Networks
2009-02-15 23:46 --------- d-----w c:\program files\Google
2007-01-25 19:14 88 --sh--r c:\windows\system32\295ABC6D75.sys
2008-12-27 14:04 104 --sh--r c:\windows\system32\756DBC5A29.sys
2008-12-27 14:04 6,686 --sha-w c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1695232]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-02 68856]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 1289000]
"TrendSecure Remote File Lock"="c:\program files\Trend Micro\TrendSecure\RemoteFileLock\FLMain.exe" [2008-02-15 423248]
"OE"="c:\program files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe" [2008-02-16 492808]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-28 136600]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2005-06-17 139264]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-05 344064]
"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2006-04-17 26112]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
"DLCDCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\DLCDtime.dll" [2005-06-07 69632]
"dlcdmon.exe"="c:\program files\Dell Photo AIO Printer 944\dlcdmon.exe" [2005-07-22 430080]
"MemoryCardManager"="c:\program files\Dell Photo AIO Printer 944\memcard.exe" [2005-06-27 282624]
"UfSeAgnt.exe"="c:\program files\Trend Micro\Internet Security\UfSeAgnt.exe" [2008-07-29 1398024]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-01-06 290088]
"WinPatrol"="c:\program files\BillP Studios\WinPatrol\winpatrol.exe" [2009-03-17 337216]
"CTHelper"="CTHELPER.EXE" [2005-11-08 c:\windows\CTHELPER.EXE]
"CTxfiHlp"="CTXFIHLP.EXE" [2006-03-02 c:\windows\system32\CTXFIHLP.EXE]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"SetDefaultMIDI"="MIDIDEF.EXE" [2005-11-08 c:\windows\MIDIDEF.EXE]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-04-17 24576]
LaunchU3.exe.lnk - c:\windows\Installer\{D8E363A7-88B7-446D-B2C0-E26CE4DC8E54}\_294823.exe [2006-11-23 1078]

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\1]
Source= c:\documents and settings\kellly\My Documents\Astronomy Widget.html
FriendlyName=

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.3IV2"= 3ivxVfWCodec.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\system32\\fxsclnt.exe"=
"c:\\Program Files\\Juniper Networks\\Secure Application Manager\\dsSamProxy.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Adobe\\Photoshop Elements 7.0\\AdobePhotoshopElementsMediaServer.exe"=
"c:\\Program Files\\Trend Micro\\Internet Security\\TmProxy.exe"=
"c:\\Program Files\\Trend Micro\\Internet Security\\SfCtlCom.exe"=
"c:\\WINDOWS\\ehome\\ehrecvr.exe"=
"c:\\Program Files\\Viewpoint\\Common\\ViewpointService.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2009-03-30 130424]
R1 NEOFLTR_600_12507;Juniper Networks TDI Filter Driver (NEOFLTR_600_12507);c:\windows\system32\drivers\NEOFLTR_600_12507.sys [2007-12-27 64160]
R1 NEOFLTR_620_13687;Juniper Networks TDI Filter Driver (NEOFLTR_620_13687);c:\windows\system32\drivers\NEOFLTR_620_13687.sys [2008-11-07 64480]
R2 AdobeActiveFileMonitor7.0;Adobe Active File Monitor V7;c:\program files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe [2008-09-16 169312]
R2 FlipShare Service;FlipShare Service;c:\program files\Pure Digital Technologies\FlipShare\FlipShareService.exe [2008-11-13 439616]
R2 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [2008-02-16 36368]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-11-26 24652]
R3 dlcd_device;dlcd_device;c:\windows\system32\dlcdcoms.exe -service --> c:\windows\system32\dlcdcoms.exe -service [?]
R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\drivers\TM_CFW.sys [2008-02-16 333328]
S2 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [2008-08-11 52240]
S3 GoogleDesktopManager-061008-081103;Google Desktop Manager 5.7.806.10245;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [2006-04-17 29744]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [2009-03-30 348752]
S3 TmPfw;Trend Micro Personal Firewall;c:\progra~1\TRENDM~1\INTERN~2\TmPfw.exe [2008-08-11 488768]
S3 tmproxy;Trend Micro Proxy Service;c:\program files\Trend Micro\Internet Security\TmProxy.exe [2008-08-11 648456]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{12b1fbc0-e6bb-11dc-9448-001372c72725}]
\Shell\AutoRun\command - M:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
\Shell\AutoRun\command - E:\setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5d65c89a-d20c-11dd-9480-001372c72725}]
\Shell\AutoRun\command - M:\Setup_FlipShare.exe
\Shell\Setup FlipShare\command - M:\Setup_FlipShare.exe
.
Contents of the 'Scheduled Tasks' folder

2009-04-06 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe []

2009-03-26 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 13:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://home.bellsouth.net/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mStart Page = hxxp://www.dell.com
uInternet Connection Wizard,ShellNext = hxxp://www.google.com/ig/dell?hl=en&cli ... channel=us
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
DPF: {23BFC42A-A74D-4698-9E20-65E23A090982} - hxxps://cm.mhs.net/clinx/clinx/cmactivedoc.CAB
DPF: {275E2FE0-7486-11D0-89D6-00A0C90C9B67} - hxxps://clinician.mhs.net/mcsimenu.cab
.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-06 20:16:08
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
DLCDCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\DLCDtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????
CTHelper = CTHELPER.EXE?
CTxfiHlp = CTXFIHLP.EXE?

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\CTSVCCDA.EXE
c:\windows\ehome\ehrecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\fxssvc.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\wbem\unsecapp.exe
c:\program files\Trend Micro\TrendSecure\TSCFPlatformCOMSvr.exe
c:\windows\ehome\ehmsas.exe
c:\windows\system32\dlcdcoms.exe
c:\progra~1\MI3AA1~1\rapimgr.exe
c:\documents and settings\All Users\Application Data\U3\U3Launcher\LaunchU3.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-04-06 20:18:45 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-07 00:18:42

Pre-Run: 70,124,298,240 bytes free
Post-Run: 70,734,774,272 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

232 --- E O F --- 2009-03-30 11:38:50

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:21:06 PM, on 4/6/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Pure Digital Technologies\FlipShare\FlipShareService.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Trend Micro\TrendSecure\TSCFPlatformCOMSvr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Dell Photo AIO Printer 944\dlcdmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Dell Photo AIO Printer 944\memcard.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Trend Micro\TrendSecure\RemoteFileLock\FLMain.exe
C:\WINDOWS\system32\dlcdcoms.exe
C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Documents and Settings\All Users\Application Data\U3\U3Launcher\LaunchU3.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Java\jre6\bin\jucheck.exe
C:\Documents and Settings\kellly\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.bellsouth.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
O2 - BHO: TransactionProtector BHO - {C1656CCA-D2EA-4A32-94AE-AE0B180E6449} - C:\Program Files\Trend Micro\TrendSecure\TransactionProtector\TSToolbar.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\Program Files\BAE\BAE.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Transaction Protector - {E7620C98-FCCC-40E5-92EC-C7685D2E1E40} - C:\Program Files\Trend Micro\TrendSecure\TransactionProtector\TSToolbar.dll
O3 - Toolbar: Spb Wallet - {2913D3DD-9363-4C21-B205-C19A584A0674} - C:\Program Files\Spb Wallet\SpbWalletToolbar.dll
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [DLCDCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCDtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [dlcdmon.exe] "C:\Program Files\Dell Photo AIO Printer 944\dlcdmon.exe"
O4 - HKLM\..\Run: [MemoryCardManager] "C:\Program Files\Dell Photo AIO Printer 944\memcard.exe"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe -expressboot
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [TrendSecure Remote File Lock] C:\Program Files\Trend Micro\TrendSecure\RemoteFileLock\FLMain.exe
O4 - HKCU\..\Run: [OE] "C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe"
O4 - HKUS\S-1-5-18\..\RunOnce: [SetDefaultMIDI] MIDIDEF.EXE /s:'Creative SoundFont Synthesizer' /w:'SB Audigy' (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [SetDefaultMIDI] MIDIDEF.EXE /s:'Creative SoundFont Synthesizer' /w:'SB Audigy' (User 'Default user')
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: LaunchU3.exe.lnk = ?
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - https://www.mhsremote.com/Citrix/,DanaI ... icaweb.cab
O16 - DPF: {23BFC42A-A74D-4698-9E20-65E23A090982} (CmActive.CmActiveXDoc) - https://cm.mhs.net/clinx/clinx/cmactivedoc.CAB
O16 - DPF: {275E2FE0-7486-11D0-89D6-00A0C90C9B67} (MCSiMenuCtl Class) - https://clinician.mhs.net/mcsimenu.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www2.snapfish.com/SnapfishActivia.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resour ... se5483.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microso ... 8512698125
O16 - DPF: {6F750202-1362-4815-A476-88533DE61D0C} (Kodak Gallery Easy Upload Manager Class) - http://www.kodakgallery.com/downloads/B ... ofupld.cab
O16 - DPF: {843EE768-3A97-455C-9076-741BA3AD7B62} (QuickBooks Online Edition Utilities Class v10) - https://accounting.quickbooks.com/c1/v1 ... boax10.cab
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupControlXP Class) - https://www.mhsremote.com/dana-cached/s ... tupSP1.cab
O16 - DPF: {F5131C24-E56D-11CF-B78A-444553540000} (Ikonic Menu Control) - https://wc.wachovia.com/common/cab/ikcntrls.cab
O23 - Service: Adobe Active File Monitor V7 (AdobeActiveFileMonitor7.0) - Adobe Systems Incorporated - C:\Program Files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: dlcd_device - Unknown owner - C:\WINDOWS\system32\dlcdcoms.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: FlipShare Service - Unknown owner - C:\Program Files\Pure Digital Technologies\FlipShare\FlipShareService.exe
O23 - Service: Google Desktop Manager 5.7.806.10245 (GoogleDesktopManager-061008-081103) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O24 - Desktop Component 1: (no name) - C:\Documents and Settings\kellly\My Documents\Astronomy Widget.html

--
End of file - 12383 bytes
surge-on5
Regular Member
 
Posts: 28
Joined: March 31st, 2009, 10:48 pm

Re: Virtumonde

Unread postby muppy03 » April 7th, 2009, 5:06 am

Question 1 : Did you set Astronomy Wiget.html on your desktop?
Question 2: How is the computer going now??

REMOVE VIEWPOINT

You have Viewpoint, Viewpoint Manager, Viewpoint Media Player installed on your system. These programs are not malware but are considered as foistware instead of malware since they are installed without user's approval, and for this reason I recommend you remove them.

To uninstall the the Viewpoint components (Viewpoint, Viewpoint Manager, Viewpoint Media Player):
  • Click Start, point to Settings, and then click Control Panel.
  • In Control Panel, double-click Add or Remove Programs.
  • In Add or Remove Programs, highlight >>Viewpoint component<< , click Remove.
  • Do the same for each Viewpoint component.

NEXT COMBOFIX-Script
A word of warning: Please do not run ComboFix on your own. This tool is not a toy and not for everyday use.


  • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

    Code: Select all
    Folder::
    c:\program files\Common Files\Symantec Shared
    c:\documents and settings\All Users\Application Data\Symantec
    
    

  • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.

    Image
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • If you need help to disable your protection programs see here.
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

NEXT Kaspersky Online Scan

Do an online scan with >Kaspersky Online Scanner<
  • Read through the requirements and privacy statement and click on Accept button
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run
  • When the downloads have finished, click on Settings
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
      Spyware, Adware, Dialers, and other potentially dangerous programs
      Archives
      Mail databases
  • Click on My Computer under Scan
  • Once the scan is complete, it will display the results. Click on View Scan Report
  • You will see a list of infected items there. Click on Save Report As...
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button
  • Please post this log in your next reply



Please reply with:-

  • New HJT log
  • Combofix log
  • Kaspersky report
  • Answer to my above questions
User avatar
muppy03
MRU Emeritus
MRU Emeritus
 
Posts: 4782
Joined: December 4th, 2007, 5:30 am
Location: Australia

Re: Virtumonde

Unread postby surge-on5 » April 7th, 2009, 11:54 pm

Viewpoint removed.

My son installed the astronomy widget, but I deleted it, or at least tried to delete it.

My computer is running much better. I am not getting any more pop ups and the computer is much faster. Thank you very much!

Combofix log follows:
ComboFix 09-04-04.01 - kellly 2009-04-07 23:28:32.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.471 [GMT -4:00]
Running from: c:\documents and settings\kellly\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\kellly\Desktop\CFScript.txt
AV: Trend Micro Internet Security Pro *On-access scanning disabled* (Updated)
FW: Trend Micro Personal Firewall *disabled*
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Symantec
c:\documents and settings\All Users\Application Data\Symantec\LiveSubscribe\Catalog.LiveSubscribe
c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\Settings.LiveUpdate
c:\program files\Common Files\Symantec Shared
c:\program files\Common Files\Symantec Shared\CCPD-LC\00180037.TKN
c:\program files\Common Files\Symantec Shared\CCPD-LC\ez_log.html
c:\program files\Common Files\Symantec Shared\CCPD-LC\symlcrst.dll

.
((((((((((((((((((((((((( Files Created from 2009-03-08 to 2009-04-08 )))))))))))))))))))))))))))))))
.

2009-04-06 20:13 . 2009-04-06 20:13 <DIR> d-------- c:\windows\LastGood
2009-04-06 06:34 . 2009-04-06 06:34 <DIR> d-------- C:\rsit
2009-04-05 23:28 . 2009-04-05 23:28 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-04-05 23:28 . 2009-04-05 23:28 <DIR> d-------- c:\documents and settings\kellly\Application Data\Malwarebytes
2009-04-05 23:28 . 2009-04-05 23:28 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-04-05 23:28 . 2009-03-26 16:49 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-05 23:28 . 2009-03-26 16:49 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-04-04 07:58 . 2009-04-04 07:58 <DIR> d-------- C:\VundoFix Backups
2009-04-04 07:40 . 2009-04-04 07:40 <DIR> d-------- c:\documents and settings\kellly\Application Data\WinPatrol
2009-04-04 07:39 . 2009-04-04 07:39 <DIR> d-------- c:\program files\BillP Studios
2009-03-30 20:23 . 2009-04-07 22:21 <DIR> d-------- c:\program files\Spyware Doctor
2009-03-30 20:23 . 2009-03-30 20:24 <DIR> d-------- c:\program files\Common Files\PC Tools
2009-03-30 20:23 . 2009-03-30 20:23 <DIR> d-------- c:\documents and settings\kellly\Application Data\PC Tools
2009-03-30 20:23 . 2009-04-07 23:27 <DIR> d-a------ c:\documents and settings\All Users\Application Data\TEMP
2009-03-30 20:23 . 2009-03-30 20:23 <DIR> d-------- c:\documents and settings\All Users\Application Data\PC Tools
2009-03-30 20:23 . 2008-12-11 08:38 159,600 --a------ c:\windows\system32\drivers\pctgntdi.sys
2009-03-30 20:23 . 2009-03-06 16:45 130,424 --a------ c:\windows\system32\drivers\PCTCore.sys
2009-03-30 20:23 . 2008-12-18 12:16 73,840 --a------ c:\windows\system32\drivers\PCTAppEvent.sys
2009-03-30 20:23 . 2008-12-10 12:36 64,392 --a------ c:\windows\system32\drivers\pctplsg.sys
2009-03-30 07:43 . 2009-03-30 07:45 <DIR> d-------- c:\program files\Windows Live Safety Center
2009-03-28 11:04 . 2009-03-28 11:03 410,984 --a------ c:\windows\system32\deploytk.dll
2009-03-28 09:40 . 2009-03-30 20:41 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2009-03-24 06:58 . 2009-03-24 06:58 <DIR> d-------- c:\documents and settings\All Users\Application Data\espionServerData
2009-03-24 06:49 . 2009-03-24 06:49 <DIR> d-------- c:\documents and settings\All Users\Application Data\FLEXnet
2009-03-24 06:41 . 2009-03-24 06:41 <DIR> d-------- c:\program files\Common Files\Adobe AIR
2009-03-24 06:40 . 2009-03-24 06:40 <DIR> d-------- c:\program files\Common Files\Macrovision Shared
2009-03-24 06:35 . 2009-03-24 06:35 129,784 --------- c:\windows\system32\pxafs.dll
2009-03-24 06:35 . 2009-03-24 06:35 39,672 --a------ c:\windows\system32\vxblock.dl~

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-08 03:22 --------- d-----w c:\documents and settings\All Users\Application Data\Viewpoint
2009-04-08 03:19 77,824 ----a-w c:\windows\system32\kdfapi.dll
2009-04-08 03:19 722,472 ----a-w c:\windows\system32\kdfmgr.exe
2009-04-08 03:19 192,512 ----a-w c:\windows\system32\kdfvmgr.exe
2009-04-07 23:01 53,248 ----a-w c:\windows\system32\Kdfhok.dll
2009-04-07 03:13 --------- d-----w c:\program files\Dl_cats
2009-04-07 03:12 --------- d-----w c:\documents and settings\kellly\Application Data\AdobeUM
2009-04-04 11:29 --------- d-----w c:\program files\Napster
2009-04-04 11:29 --------- d-----w c:\program files\Common Files\Roxio Shared
2009-04-04 11:29 --------- d-----w c:\documents and settings\All Users\Application Data\Napster
2009-04-04 11:20 --------- d-----w c:\program files\Common Files\AOL
2009-04-04 11:20 --------- d-----w c:\documents and settings\All Users\Application Data\AOL
2009-03-31 00:46 --------- d-----w c:\documents and settings\kellly\Application Data\Lavasoft
2009-03-28 15:03 --------- d-----w c:\program files\Java
2009-03-28 12:45 5,815 --sha-w c:\windows\system32\napuduti.dll
2009-03-28 12:45 5,815 --sha-w c:\windows\system32\lokobufa.dll
2009-03-28 12:45 5,583 --sha-w c:\windows\system32\yumafiba.exe
2009-03-28 12:23 5,815 --sha-w c:\windows\system32\yowibejo.dll
2009-03-28 12:23 5,815 --sha-w c:\windows\system32\jezalefa.dll
2009-03-28 12:23 5,583 --sha-w c:\windows\system32\wuwozoza.exe
2009-03-27 14:13 5,815 --sha-w c:\windows\system32\wideloza.dll
2009-03-27 14:13 5,815 --sha-w c:\windows\system32\lamugili.dll
2009-03-27 14:13 5,587 --sha-w c:\windows\system32\pamagefi.exe
2009-03-27 13:50 5,815 --sha-w c:\windows\system32\zigulutu.dll
2009-03-27 13:50 5,815 --sha-w c:\windows\system32\rusaheke.dll
2009-03-27 13:50 5,587 --sha-w c:\windows\system32\gojuhuji.exe
2009-03-27 01:45 5,815 --sha-w c:\windows\system32\sinidopa.dll
2009-03-27 01:45 5,815 --sha-w c:\windows\system32\mefibena.dll
2009-03-27 01:45 5,587 --sha-w c:\windows\system32\pakebewe.exe
2009-03-27 01:22 5,815 --sha-w c:\windows\system32\zimebopu.dll
2009-03-27 01:22 5,815 --sha-w c:\windows\system32\sevayija.dll
2009-03-27 01:22 5,587 --sha-w c:\windows\system32\yijoyave.exe
2009-03-26 00:10 5,815 --sha-w c:\windows\system32\wokirowu.dll
2009-03-26 00:10 5,815 --sha-w c:\windows\system32\kimupuye.dll
2009-03-26 00:10 5,815 --sha-w c:\windows\system32\hehoroku.dll
2009-03-25 12:10 5,815 --sha-w c:\windows\system32\lejiyuvo.dll
2009-03-25 12:10 5,815 --sha-w c:\windows\system32\leboboga.dll
2009-03-25 12:10 5,815 --sha-w c:\windows\system32\fidavine.dll
2009-03-24 23:23 5,815 --sha-w c:\windows\system32\vipuliji.dll
2009-03-24 23:23 5,815 --sha-w c:\windows\system32\vidinesa.dll
2009-03-24 23:23 5,815 --sha-w c:\windows\system32\sohotuwa.dll
2009-03-24 11:23 5,815 --sha-w c:\windows\system32\zugeyale.dll
2009-03-24 11:23 5,815 --sha-w c:\windows\system32\zefugabe.dll
2009-03-24 11:23 5,815 --sha-w c:\windows\system32\higalepo.dll
2009-03-24 10:40 --------- d-----w c:\program files\Common Files\Adobe
2009-03-23 23:23 5,815 --sha-w c:\windows\system32\wakojahe.dll
2009-03-23 23:23 5,815 --sha-w c:\windows\system32\sanipomu.dll
2009-03-23 23:23 5,815 --sha-w c:\windows\system32\hopalafo.dll
2009-03-14 03:41 --------- d-----w c:\documents and settings\All Users\Application Data\Juniper Networks
2009-03-14 03:39 --------- d-----w c:\documents and settings\kellly\Application Data\Juniper Networks
2009-02-15 23:46 --------- d-----w c:\program files\Google
2009-02-09 11:13 1,846,784 ----a-w c:\windows\system32\win32k.sys
2009-02-09 11:13 1,846,784 ------w c:\windows\system32\dllcache\win32k.sys
2007-01-25 19:14 88 --sh--r c:\windows\system32\295ABC6D75.sys
2008-12-27 14:04 104 --sh--r c:\windows\system32\756DBC5A29.sys
2008-12-27 14:04 6,686 --sha-w c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((( SnapShot@2009-04-06_20.17.54.13 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-04-07 00:12:08 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_25c.dat
+ 2009-04-07 00:24:49 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_9a0.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1695232]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-02 68856]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 1289000]
"TrendSecure Remote File Lock"="c:\program files\Trend Micro\TrendSecure\RemoteFileLock\FLMain.exe" [2008-02-15 423248]
"OE"="c:\program files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe" [2008-02-16 492808]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-28 136600]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2005-06-17 139264]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-05 344064]
"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2006-04-17 26112]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
"DLCDCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\DLCDtime.dll" [2005-06-07 69632]
"dlcdmon.exe"="c:\program files\Dell Photo AIO Printer 944\dlcdmon.exe" [2005-07-22 430080]
"MemoryCardManager"="c:\program files\Dell Photo AIO Printer 944\memcard.exe" [2005-06-27 282624]
"UfSeAgnt.exe"="c:\program files\Trend Micro\Internet Security\UfSeAgnt.exe" [2008-07-29 1398024]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-01-06 290088]
"WinPatrol"="c:\program files\BillP Studios\WinPatrol\winpatrol.exe" [2009-03-17 337216]
"CTHelper"="CTHELPER.EXE" [2005-11-08 c:\windows\CTHELPER.EXE]
"CTxfiHlp"="CTXFIHLP.EXE" [2006-03-02 c:\windows\system32\CTXFIHLP.EXE]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"SetDefaultMIDI"="MIDIDEF.EXE" [2005-11-08 c:\windows\MIDIDEF.EXE]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-04-17 24576]
LaunchU3.exe.lnk - c:\windows\Installer\{D8E363A7-88B7-446D-B2C0-E26CE4DC8E54}\_294823.exe [2006-11-23 1078]

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\1]
Source= c:\documents and settings\kellly\My Documents\Astronomy Widget.html
FriendlyName=

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.3IV2"= 3ivxVfWCodec.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\system32\\fxsclnt.exe"=
"c:\\Program Files\\Juniper Networks\\Secure Application Manager\\dsSamProxy.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Adobe\\Photoshop Elements 7.0\\AdobePhotoshopElementsMediaServer.exe"=
"c:\\Program Files\\Trend Micro\\Internet Security\\TmProxy.exe"=
"c:\\Program Files\\Trend Micro\\Internet Security\\SfCtlCom.exe"=
"c:\\WINDOWS\\ehome\\ehrecvr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2009-03-30 130424]
R1 NEOFLTR_600_12507;Juniper Networks TDI Filter Driver (NEOFLTR_600_12507);c:\windows\system32\drivers\NEOFLTR_600_12507.sys [2007-12-27 64160]
R1 NEOFLTR_620_13687;Juniper Networks TDI Filter Driver (NEOFLTR_620_13687);c:\windows\system32\drivers\NEOFLTR_620_13687.sys [2008-11-07 64480]
R2 AdobeActiveFileMonitor7.0;Adobe Active File Monitor V7;c:\program files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe [2008-09-16 169312]
R2 FlipShare Service;FlipShare Service;c:\program files\Pure Digital Technologies\FlipShare\FlipShareService.exe [2008-11-13 439616]
R2 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [2008-02-16 36368]
R3 dlcd_device;dlcd_device;c:\windows\system32\dlcdcoms.exe -service --> c:\windows\system32\dlcdcoms.exe -service [?]
R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\drivers\TM_CFW.sys [2008-02-16 333328]
S2 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [2008-08-11 52240]
S3 GoogleDesktopManager-061008-081103;Google Desktop Manager 5.7.806.10245;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [2006-04-17 29744]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [2009-03-30 348752]
S3 TmPfw;Trend Micro Personal Firewall;c:\progra~1\TRENDM~1\INTERN~2\TmPfw.exe [2008-08-11 488768]
S3 tmproxy;Trend Micro Proxy Service;c:\program files\Trend Micro\Internet Security\TmProxy.exe [2008-08-11 648456]

--- Other Services/Drivers In Memory ---

*Deregistered* - mchInjDrv

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{12b1fbc0-e6bb-11dc-9448-001372c72725}]
\Shell\AutoRun\command - M:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
\Shell\AutoRun\command - E:\setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5d65c89a-d20c-11dd-9480-001372c72725}]
\Shell\AutoRun\command - M:\Setup_FlipShare.exe
\Shell\Setup FlipShare\command - M:\Setup_FlipShare.exe
.
Contents of the 'Scheduled Tasks' folder

2009-04-06 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe []

2009-03-26 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 13:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://home.bellsouth.net/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mStart Page = hxxp://www.dell.com
uInternet Connection Wizard,ShellNext = hxxp://www.google.com/ig/dell?hl=en&cli ... channel=us
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
DPF: {23BFC42A-A74D-4698-9E20-65E23A090982} - hxxps://cm.mhs.net/clinx/clinx/cmactivedoc.CAB
DPF: {275E2FE0-7486-11D0-89D6-00A0C90C9B67} - hxxps://clinician.mhs.net/mcsimenu.cab
.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-07 23:30:47
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
DLCDCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\DLCDtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????
CTHelper = CTHELPER.EXE?
CTxfiHlp = CTXFIHLP.EXE?

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-04-07 23:32:22
ComboFix-quarantined-files.txt 2009-04-08 03:32:19
ComboFix2.txt 2009-04-07 00:18:47

Pre-Run: 70,625,742,848 bytes free
Post-Run: 70,655,913,984 bytes free

237 --- E O F --- 2009-04-07 22:29:14
surge-on5
Regular Member
 
Posts: 28
Joined: March 31st, 2009, 10:48 pm

Re: Virtumonde

Unread postby surge-on5 » April 7th, 2009, 11:58 pm

Kaspersky downloading and running now. Kaspersky log will follow when complete as well as new HJT log.
surge-on5
Regular Member
 
Posts: 28
Joined: March 31st, 2009, 10:48 pm

Re: Virtumonde

Unread postby muppy03 » April 8th, 2009, 5:41 pm

No problem, when you can ;)
User avatar
muppy03
MRU Emeritus
MRU Emeritus
 
Posts: 4782
Joined: December 4th, 2007, 5:30 am
Location: Australia

Re: Virtumonde

Unread postby surge-on5 » April 8th, 2009, 6:14 pm

Here are the Kaspersky log and a new HJT log.

Interestingly, Spywaredoctor ran automatically shortly after the clean Kaspersky scan and it found a generic Trojan which it classified as low risk and removed it.

KASPERSKY ONLINE SCANNER 7 REPORTKASPERSKY ONLINE SCANNER 7 REPORT
Wednesday, April 8, 2009
Operating System: Microsoft Windows XP Professional Service Pack 3 (build
2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Wednesday, April 08, 2009 04:23:26
Records in database: 2021814


Scan settings
Scan using the following databaseextended
Scan archivesyes
Scan mail databasesyes

Scan areaMy Computer
C:\
D:\
E:\
F:\
G:\
H:\
I:\
J:\
K:\
L:\

Scan statistics
Files scanned117427
Threat name0
Infected objects0
Suspicious objects0
Duration of the scan02:18:56

No malware has been detected. The scan area is clean.
The selected area was scanned.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:08:30 PM, on 4/8/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Pure Digital Technologies\FlipShare\FlipShareService.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\Trend Micro\TrendSecure\TSCFPlatformCOMSvr.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Dell Photo AIO Printer 944\dlcdmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Dell Photo AIO Printer 944\memcard.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Trend Micro\TrendSecure\RemoteFileLock\FLMain.exe
C:\WINDOWS\system32\dlcdcoms.exe
C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Documents and Settings\All Users\Application Data\U3\U3Launcher\LaunchU3.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Java\jre6\bin\jucheck.exe
C:\Program Files\Trend Micro\TrendSecure\TransactionProtector\Dependent\HSChkProxyExe.exe
C:\Program Files\Trend Micro\TrendSecure\TSCFCommander.exe
C:\Program Files\Trend Micro\TrendSecure\TSCFCmdrLauncher.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\TmPfw.exe
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\kellly\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.bellsouth.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
O2 - BHO: TransactionProtector BHO - {C1656CCA-D2EA-4A32-94AE-AE0B180E6449} - C:\Program Files\Trend Micro\TrendSecure\TransactionProtector\TSToolbar.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\Program Files\BAE\BAE.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Transaction Protector - {E7620C98-FCCC-40E5-92EC-C7685D2E1E40} - C:\Program Files\Trend Micro\TrendSecure\TransactionProtector\TSToolbar.dll
O3 - Toolbar: Spb Wallet - {2913D3DD-9363-4C21-B205-C19A584A0674} - C:\Program Files\Spb Wallet\SpbWalletToolbar.dll
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [DLCDCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCDtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [dlcdmon.exe] "C:\Program Files\Dell Photo AIO Printer 944\dlcdmon.exe"
O4 - HKLM\..\Run: [MemoryCardManager] "C:\Program Files\Dell Photo AIO Printer 944\memcard.exe"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe -expressboot
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [TrendSecure Remote File Lock] C:\Program Files\Trend Micro\TrendSecure\RemoteFileLock\FLMain.exe
O4 - HKCU\..\Run: [OE] "C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe"
O4 - HKUS\S-1-5-18\..\RunOnce: [SetDefaultMIDI] MIDIDEF.EXE /s:'Creative SoundFont Synthesizer' /w:'SB Audigy' (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [SetDefaultMIDI] MIDIDEF.EXE /s:'Creative SoundFont Synthesizer' /w:'SB Audigy' (User 'Default user')
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: LaunchU3.exe.lnk = ?
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - https://www.mhsremote.com/Citrix/,DanaI ... icaweb.cab
O16 - DPF: {23BFC42A-A74D-4698-9E20-65E23A090982} (CmActive.CmActiveXDoc) - https://cm.mhs.net/clinx/clinx/cmactivedoc.CAB
O16 - DPF: {275E2FE0-7486-11D0-89D6-00A0C90C9B67} (MCSiMenuCtl Class) - https://clinician.mhs.net/mcsimenu.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www2.snapfish.com/SnapfishActivia.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resour ... se5483.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microso ... 8512698125
O16 - DPF: {6F750202-1362-4815-A476-88533DE61D0C} (Kodak Gallery Easy Upload Manager Class) - http://www.kodakgallery.com/downloads/B ... ofupld.cab
O16 - DPF: {843EE768-3A97-455C-9076-741BA3AD7B62} (QuickBooks Online Edition Utilities Class v10) - https://accounting.quickbooks.com/c1/v1 ... boax10.cab
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupControlXP Class) - https://www.mhsremote.com/dana-cached/s ... tupSP1.cab
O16 - DPF: {F5131C24-E56D-11CF-B78A-444553540000} (Ikonic Menu Control) - https://wc.wachovia.com/common/cab/ikcntrls.cab
O23 - Service: Adobe Active File Monitor V7 (AdobeActiveFileMonitor7.0) - Adobe Systems Incorporated - C:\Program Files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: dlcd_device - Unknown owner - C:\WINDOWS\system32\dlcdcoms.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: FlipShare Service - Unknown owner - C:\Program Files\Pure Digital Technologies\FlipShare\FlipShareService.exe
O23 - Service: Google Desktop Manager 5.7.806.10245 (GoogleDesktopManager-061008-081103) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
O24 - Desktop Component 1: (no name) - C:\Documents and Settings\kellly\My Documents\Astronomy Widget.html

--
End of file - 13164 bytes
surge-on5
Regular Member
 
Posts: 28
Joined: March 31st, 2009, 10:48 pm

Re: Virtumonde

Unread postby muppy03 » April 9th, 2009, 8:02 am

Hi Surge-on5,

If you wish to remove the Astronomy Widget
  • Go to Start > Control Panel > Display Properties > Desktop > Customize Desktop... > Web tab.
  • Uncheck and Delete everything you find in there. (Except for "My Current Home Page.")

NEXT Open Hijack This and select Do a System Scan Only place a check next to the below lines if still present

    O24 - Desktop Component 1: (no name) - C:\Documents and Settings\kellly\My Documents\Astronomy Widget.html

Once selected close all windows except HJT an click on Fix Checked


NEXT COMBOFIX-Script
A word of warning: Please do not run ComboFix on your own. This tool is not a toy and not for everyday use.


  • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

    Code: Select all
    File::
    c:\windows\system32\staufw.dll
    c:\windows\system32\napuduti.dll
    c:\windows\system32\lokobufa.dll
    c:\windows\system32\yumafiba.exe
    c:\windows\system32\yowibejo.dll
    c:\windows\system32\jezalefa.dll
    c:\windows\system32\wuwozoza.exe
    c:\windows\system32\wideloza.dll
    c:\windows\system32\lamugili.dll
    c:\windows\system32\pamagefi.exe
    c:\windows\system32\zigulutu.dll
    c:\windows\system32\rusaheke.dll
    c:\windows\system32\gojuhuji.exe
    c:\windows\system32\sinidopa.dll
    c:\windows\system32\mefibena.dll
    c:\windows\system32\pakebewe.exe
    c:\windows\system32\zimebopu.dll
    c:\windows\system32\sevayija.dll
    c:\windows\system32\yijoyave.exe
    c:\windows\system32\wokirowu.dll
    c:\windows\system32\kimupuye.dll
    c:\windows\system32\hehoroku.dll
    c:\windows\system32\lejiyuvo.dll
    c:\windows\system32\leboboga.dll
    c:\windows\system32\fidavine.dll
    c:\windows\system32\vipuliji.dll
    c:\windows\system32\vidinesa.dll
    c:\windows\system32\sohotuwa.dll
    c:\windows\system32\zugeyale.dll
    c:\windows\system32\zefugabe.dll
    c:\windows\system32\higalepo.dll
    c:\windows\system32\wakojahe.dll
    c:\windows\system32\sanipomu.dll
    c:\windows\system32\hopalafo.dll
    
    Folder::
    c:\documents and settings\All Users\Application Data\Viewpoint 

  • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.

    Image
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • If you need help to disable your protection programs see here.
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

Please reply with:-
  • New HJT log
  • Combofix log


.
User avatar
muppy03
MRU Emeritus
MRU Emeritus
 
Posts: 4782
Joined: December 4th, 2007, 5:30 am
Location: Australia
Advertisement
Register to Remove

Next

  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 51 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware