Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

Virtumonde


Re: Virtumonde

Post by surge-on5 » April 9th, 2009, 9:54 pm

Hi Muppy03,

Thank you for all of your help. I think we are getting closer to clean. My computer is running fine and I'm not noticing any problems.

Astronomy Widget deleted; it did not show up when I ran HJT.

Here are the new logs:

ComboFix 09-04-04.01 - kellly 2009-04-09 21:38:24.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.505 [GMT -4:00]
Running from: c:\documents and settings\kellly\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\kellly\Desktop\CFScript.txt
AV: Trend Micro Internet Security Pro *On-access scanning disabled* (Updated)
FW: Trend Micro Personal Firewall *disabled*
* Created a new restore point

FILE ::
c:\windows\system32\fidavine.dll
c:\windows\system32\gojuhuji.exe
c:\windows\system32\hehoroku.dll
c:\windows\system32\higalepo.dll
c:\windows\system32\hopalafo.dll
c:\windows\system32\jezalefa.dll
c:\windows\system32\kimupuye.dll
c:\windows\system32\lamugili.dll
c:\windows\system32\leboboga.dll
c:\windows\system32\lejiyuvo.dll
c:\windows\system32\lokobufa.dll
c:\windows\system32\mefibena.dll
c:\windows\system32\napuduti.dll
c:\windows\system32\pakebewe.exe
c:\windows\system32\pamagefi.exe
c:\windows\system32\rusaheke.dll
c:\windows\system32\sanipomu.dll
c:\windows\system32\sevayija.dll
c:\windows\system32\sinidopa.dll
c:\windows\system32\sohotuwa.dll
c:\windows\system32\staufw.dll
c:\windows\system32\vidinesa.dll
c:\windows\system32\vipuliji.dll
c:\windows\system32\wakojahe.dll
c:\windows\system32\wideloza.dll
c:\windows\system32\wokirowu.dll
c:\windows\system32\wuwozoza.exe
c:\windows\system32\yijoyave.exe
c:\windows\system32\yowibejo.dll
c:\windows\system32\yumafiba.exe
c:\windows\system32\zefugabe.dll
c:\windows\system32\zigulutu.dll
c:\windows\system32\zimebopu.dll
c:\windows\system32\zugeyale.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Viewpoint
c:\windows\system32\fidavine.dll
c:\windows\system32\gojuhuji.exe
c:\windows\system32\hehoroku.dll
c:\windows\system32\higalepo.dll
c:\windows\system32\hopalafo.dll
c:\windows\system32\jezalefa.dll
c:\windows\system32\kimupuye.dll
c:\windows\system32\lamugili.dll
c:\windows\system32\leboboga.dll
c:\windows\system32\lejiyuvo.dll
c:\windows\system32\lokobufa.dll
c:\windows\system32\mefibena.dll
c:\windows\system32\napuduti.dll
c:\windows\system32\pakebewe.exe
c:\windows\system32\pamagefi.exe
c:\windows\system32\rusaheke.dll
c:\windows\system32\sanipomu.dll
c:\windows\system32\sevayija.dll
c:\windows\system32\sinidopa.dll
c:\windows\system32\sohotuwa.dll
c:\windows\system32\vidinesa.dll
c:\windows\system32\vipuliji.dll
c:\windows\system32\wakojahe.dll
c:\windows\system32\wideloza.dll
c:\windows\system32\wokirowu.dll
c:\windows\system32\wuwozoza.exe
c:\windows\system32\yijoyave.exe
c:\windows\system32\yowibejo.dll
c:\windows\system32\yumafiba.exe
c:\windows\system32\zefugabe.dll
c:\windows\system32\zigulutu.dll
c:\windows\system32\zimebopu.dll
c:\windows\system32\zugeyale.dll

.
((((((((((((((((((((((((( Files Created from 2009-03-10 to 2009-04-10 )))))))))))))))))))))))))))))))
.

2009-04-06 20:13 . 2009-04-06 20:13 <DIR> d-------- c:\windows\LastGood
2009-04-06 06:34 . 2009-04-06 06:34 <DIR> d-------- C:\rsit
2009-04-05 23:28 . 2009-04-05 23:28 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-04-05 23:28 . 2009-04-05 23:28 <DIR> d-------- c:\documents and settings\kellly\Application Data\Malwarebytes
2009-04-05 23:28 . 2009-04-05 23:28 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-04-05 23:28 . 2009-03-26 16:49 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-05 23:28 . 2009-03-26 16:49 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-04-04 07:58 . 2009-04-04 07:58 <DIR> d-------- C:\VundoFix Backups
2009-04-04 07:40 . 2009-04-04 07:40 <DIR> d-------- c:\documents and settings\kellly\Application Data\WinPatrol
2009-04-04 07:39 . 2009-04-04 07:39 <DIR> d-------- c:\program files\BillP Studios
2009-03-30 20:23 . 2009-04-09 08:24 <DIR> d-------- c:\program files\Spyware Doctor
2009-03-30 20:23 . 2009-03-30 20:24 <DIR> d-------- c:\program files\Common Files\PC Tools
2009-03-30 20:23 . 2009-03-30 20:23 <DIR> d-------- c:\documents and settings\kellly\Application Data\PC Tools
2009-03-30 20:23 . 2009-04-09 21:37 <DIR> d-a------ c:\documents and settings\All Users\Application Data\TEMP
2009-03-30 20:23 . 2009-03-30 20:23 <DIR> d-------- c:\documents and settings\All Users\Application Data\PC Tools
2009-03-30 20:23 . 2008-12-11 08:38 159,600 --a------ c:\windows\system32\drivers\pctgntdi.sys
2009-03-30 20:23 . 2009-03-06 16:45 130,424 --a------ c:\windows\system32\drivers\PCTCore.sys
2009-03-30 20:23 . 2008-12-18 12:16 73,840 --a------ c:\windows\system32\drivers\PCTAppEvent.sys
2009-03-30 20:23 . 2008-12-10 12:36 64,392 --a------ c:\windows\system32\drivers\pctplsg.sys
2009-03-30 07:43 . 2009-03-30 07:45 <DIR> d-------- c:\program files\Windows Live Safety Center
2009-03-28 11:04 . 2009-03-28 11:03 410,984 --a------ c:\windows\system32\deploytk.dll
2009-03-28 09:40 . 2009-03-30 20:41 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2009-03-24 06:58 . 2009-03-24 06:58 <DIR> d-------- c:\documents and settings\All Users\Application Data\espionServerData
2009-03-24 06:49 . 2009-03-24 06:49 <DIR> d-------- c:\documents and settings\All Users\Application Data\FLEXnet
2009-03-24 06:41 . 2009-03-24 06:41 <DIR> d-------- c:\program files\Common Files\Adobe AIR
2009-03-24 06:40 . 2009-03-24 06:40 <DIR> d-------- c:\program files\Common Files\Macrovision Shared
2009-03-24 06:35 . 2009-03-24 06:35 129,784 --------- c:\windows\system32\pxafs.dll
2009-03-24 06:35 . 2009-03-24 06:35 39,672 --a------ c:\windows\system32\vxblock.dl~

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-10 01:32 77,824 ----a-w c:\windows\system32\kdfapi.dll
2009-04-10 01:32 722,472 ----a-w c:\windows\system32\kdfmgr.exe
2009-04-10 01:32 192,512 ----a-w c:\windows\system32\kdfvmgr.exe
2009-04-10 01:20 53,248 ----a-w c:\windows\system32\Kdfhok.dll
2009-04-10 01:20 --------- d-----w c:\program files\Dl_cats
2009-04-10 01:17 --------- d-----w c:\documents and settings\kellly\Application Data\AdobeUM
2009-04-09 11:46 --------- d-----w c:\documents and settings\kellly\Application Data\U3
2009-04-04 11:29 --------- d-----w c:\program files\Napster
2009-04-04 11:29 --------- d-----w c:\program files\Common Files\Roxio Shared
2009-04-04 11:29 --------- d-----w c:\documents and settings\All Users\Application Data\Napster
2009-04-04 11:20 --------- d-----w c:\program files\Common Files\AOL
2009-04-04 11:20 --------- d-----w c:\documents and settings\All Users\Application Data\AOL
2009-03-31 00:46 --------- d-----w c:\documents and settings\kellly\Application Data\Lavasoft
2009-03-28 15:03 --------- d-----w c:\program files\Java
2009-03-24 10:40 --------- d-----w c:\program files\Common Files\Adobe
2009-03-14 03:41 --------- d-----w c:\documents and settings\All Users\Application Data\Juniper Networks
2009-03-14 03:39 --------- d-----w c:\documents and settings\kellly\Application Data\Juniper Networks
2009-02-15 23:46 --------- d-----w c:\program files\Google
2009-02-09 11:13 1,846,784 ----a-w c:\windows\system32\win32k.sys
2009-02-09 11:13 1,846,784 ------w c:\windows\system32\dllcache\win32k.sys
2007-01-25 19:14 88 --sh--r c:\windows\system32\295ABC6D75.sys
2008-12-27 14:04 104 --sh--r c:\windows\system32\756DBC5A29.sys
2008-12-27 14:04 6,686 --sha-w c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1695232]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-02 68856]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 1289000]
"TrendSecure Remote File Lock"="c:\program files\Trend Micro\TrendSecure\RemoteFileLock\FLMain.exe" [2008-02-15 423248]
"OE"="c:\program files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe" [2008-02-16 492808]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-28 136600]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2005-06-17 139264]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-05 344064]
"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2006-04-17 26112]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
"DLCDCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\DLCDtime.dll" [2005-06-07 69632]
"dlcdmon.exe"="c:\program files\Dell Photo AIO Printer 944\dlcdmon.exe" [2005-07-22 430080]
"MemoryCardManager"="c:\program files\Dell Photo AIO Printer 944\memcard.exe" [2005-06-27 282624]
"UfSeAgnt.exe"="c:\program files\Trend Micro\Internet Security\UfSeAgnt.exe" [2008-07-29 1398024]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-01-06 290088]
"WinPatrol"="c:\program files\BillP Studios\WinPatrol\winpatrol.exe" [2009-03-17 337216]
"CTHelper"="CTHELPER.EXE" [2005-11-08 c:\windows\CTHELPER.EXE]
"CTxfiHlp"="CTXFIHLP.EXE" [2006-03-02 c:\windows\system32\CTXFIHLP.EXE]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"SetDefaultMIDI"="MIDIDEF.EXE" [2005-11-08 c:\windows\MIDIDEF.EXE]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-04-17 24576]
LaunchU3.exe.lnk - c:\windows\Installer\{D8E363A7-88B7-446D-B2C0-E26CE4DC8E54}\_294823.exe [2006-11-23 1078]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.3IV2"= 3ivxVfWCodec.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\system32\\fxsclnt.exe"=
"c:\\Program Files\\Juniper Networks\\Secure Application Manager\\dsSamProxy.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Adobe\\Photoshop Elements 7.0\\AdobePhotoshopElementsMediaServer.exe"=
"c:\\Program Files\\Trend Micro\\Internet Security\\TmProxy.exe"=
"c:\\Program Files\\Trend Micro\\Internet Security\\SfCtlCom.exe"=
"c:\\WINDOWS\\ehome\\ehrecvr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2009-03-30 130424]
R1 NEOFLTR_600_12507;Juniper Networks TDI Filter Driver (NEOFLTR_600_12507);c:\windows\system32\drivers\NEOFLTR_600_12507.sys [2007-12-27 64160]
R1 NEOFLTR_620_13687;Juniper Networks TDI Filter Driver (NEOFLTR_620_13687);c:\windows\system32\drivers\NEOFLTR_620_13687.sys [2008-11-07 64480]
R2 AdobeActiveFileMonitor7.0;Adobe Active File Monitor V7;c:\program files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe [2008-09-16 169312]
R2 FlipShare Service;FlipShare Service;c:\program files\Pure Digital Technologies\FlipShare\FlipShareService.exe [2008-11-13 439616]
R2 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [2008-02-16 36368]
R3 dlcd_device;dlcd_device;c:\windows\system32\dlcdcoms.exe -service --> c:\windows\system32\dlcdcoms.exe -service [?]
R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\drivers\TM_CFW.sys [2008-02-16 333328]
S2 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [2008-08-11 52240]
S3 GoogleDesktopManager-061008-081103;Google Desktop Manager 5.7.806.10245;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [2006-04-17 29744]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [2009-03-30 348752]
S3 TmPfw;Trend Micro Personal Firewall;c:\progra~1\TRENDM~1\INTERN~2\TmPfw.exe [2008-08-11 488768]
S3 tmproxy;Trend Micro Proxy Service;c:\program files\Trend Micro\Internet Security\TmProxy.exe [2008-08-11 648456]

--- Other Services/Drivers In Memory ---

*Deregistered* - mchInjDrv

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{12b1fbc0-e6bb-11dc-9448-001372c72725}]
\Shell\AutoRun\command - M:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
\Shell\AutoRun\command - E:\setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5d65c89a-d20c-11dd-9480-001372c72725}]
\Shell\AutoRun\command - M:\Setup_FlipShare.exe
\Shell\Setup FlipShare\command - M:\Setup_FlipShare.exe
.
Contents of the 'Scheduled Tasks' folder

2009-04-06 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe []

2009-03-26 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 13:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://home.bellsouth.net/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mStart Page = hxxp://www.dell.com
uInternet Connection Wizard,ShellNext = hxxp://www.google.com/ig/dell?hl=en&cli ... channel=us
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
DPF: {23BFC42A-A74D-4698-9E20-65E23A090982} - hxxps://cm.mhs.net/clinx/clinx/cmactivedoc.CAB
DPF: {275E2FE0-7486-11D0-89D6-00A0C90C9B67} - hxxps://clinician.mhs.net/mcsimenu.cab
.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-09 21:41:24
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
DLCDCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\DLCDtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????
CTHelper = CTHELPER.EXE?
CTxfiHlp = CTXFIHLP.EXE?

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-04-09 21:43:36
ComboFix-quarantined-files.txt 2009-04-10 01:43:32
ComboFix2.txt 2009-04-08 03:32:24
ComboFix3.txt 2009-04-07 00:18:47

Pre-Run: 70,468,038,656 bytes free
Post-Run: 70,684,745,728 bytes free

259 --- E O F --- 2009-04-07 22:29:14

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:45:28 PM, on 4/9/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Pure Digital Technologies\FlipShare\FlipShareService.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Trend Micro\TrendSecure\TSCFPlatformCOMSvr.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Dell Photo AIO Printer 944\dlcdmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Dell Photo AIO Printer 944\memcard.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Trend Micro\TrendSecure\RemoteFileLock\FLMain.exe
C:\WINDOWS\system32\dlcdcoms.exe
C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Documents and Settings\All Users\Application Data\U3\U3Launcher\LaunchU3.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Java\jre6\bin\jucheck.exe
C:\Program Files\Trend Micro\TrendSecure\TransactionProtector\Dependent\HSChkProxyExe.exe
C:\Program Files\Trend Micro\TrendSecure\TSCFCmdrLauncher.exe
C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OE.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\kellly\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.bellsouth.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
O2 - BHO: TransactionProtector BHO - {C1656CCA-D2EA-4A32-94AE-AE0B180E6449} - C:\Program Files\Trend Micro\TrendSecure\TransactionProtector\TSToolbar.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\Program Files\BAE\BAE.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Transaction Protector - {E7620C98-FCCC-40E5-92EC-C7685D2E1E40} - C:\Program Files\Trend Micro\TrendSecure\TransactionProtector\TSToolbar.dll
O3 - Toolbar: Spb Wallet - {2913D3DD-9363-4C21-B205-C19A584A0674} - C:\Program Files\Spb Wallet\SpbWalletToolbar.dll
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [DLCDCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCDtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [dlcdmon.exe] "C:\Program Files\Dell Photo AIO Printer 944\dlcdmon.exe"
O4 - HKLM\..\Run: [MemoryCardManager] "C:\Program Files\Dell Photo AIO Printer 944\memcard.exe"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe -expressboot
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [TrendSecure Remote File Lock] C:\Program Files\Trend Micro\TrendSecure\RemoteFileLock\FLMain.exe
O4 - HKCU\..\Run: [OE] "C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe"
O4 - HKUS\S-1-5-18\..\RunOnce: [SetDefaultMIDI] MIDIDEF.EXE /s:'Creative SoundFont Synthesizer' /w:'SB Audigy' (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [SetDefaultMIDI] MIDIDEF.EXE /s:'Creative SoundFont Synthesizer' /w:'SB Audigy' (User 'Default user')
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: LaunchU3.exe.lnk = ?
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - https://www.mhsremote.com/Citrix/,DanaI ... icaweb.cab
O16 - DPF: {23BFC42A-A74D-4698-9E20-65E23A090982} (CmActive.CmActiveXDoc) - https://cm.mhs.net/clinx/clinx/cmactivedoc.CAB
O16 - DPF: {275E2FE0-7486-11D0-89D6-00A0C90C9B67} (MCSiMenuCtl Class) - https://clinician.mhs.net/mcsimenu.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www2.snapfish.com/SnapfishActivia.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resour ... se5483.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microso ... 8512698125
O16 - DPF: {6F750202-1362-4815-A476-88533DE61D0C} (Kodak Gallery Easy Upload Manager Class) - http://www.kodakgallery.com/downloads/B ... ofupld.cab
O16 - DPF: {843EE768-3A97-455C-9076-741BA3AD7B62} (QuickBooks Online Edition Utilities Class v10) - https://accounting.quickbooks.com/c1/v1 ... boax10.cab
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupControlXP Class) - https://www.mhsremote.com/dana-cached/s ... tupSP1.cab
O16 - DPF: {F5131C24-E56D-11CF-B78A-444553540000} (Ikonic Menu Control) - https://wc.wachovia.com/common/cab/ikcntrls.cab
O23 - Service: Adobe Active File Monitor V7 (AdobeActiveFileMonitor7.0) - Adobe Systems Incorporated - C:\Program Files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: dlcd_device - Unknown owner - C:\WINDOWS\system32\dlcdcoms.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: FlipShare Service - Unknown owner - C:\Program Files\Pure Digital Technologies\FlipShare\FlipShareService.exe
O23 - Service: Google Desktop Manager 5.7.806.10245 (GoogleDesktopManager-061008-081103) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe

--
End of file - 12213 bytes
surge-on5
Regular Member
 
Posts: 28
Joined: March 31st, 2009, 10:48 pm
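The ComboFix output above lists dozens of 8-letter, pronounceable-looking names in system32 that later turn out to share only a handful of exact file sizes in the quarantine log. As an added example (not the thread's own tooling, and not part of ComboFix), this Python triage script parses both layouts posted here, the `date time attrs size path.vir` quarantine lines and the bare paths of the `FILE ::` section, flags names matching the consonant-vowel pattern seen in this log, and clusters them by size. The sample lines and the name heuristic are constructed for this example.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample in the two layouts posted in this thread: ComboFix quarantine
# lines (date, time, attributes, size, path ending in .vir) and bare paths as in the
# "FILE ::" section. The entries are assembled for this example; the last three are
# legitimate-looking files included to show the heuristic leaving them alone.
SAMPLE_LOG = r"""
0000-00-00 00:00:00 A------- 5,583 C:\Qoobox\Quarantine\C\WINDOWS\system32\wuwozoza.exe.vir
0000-00-00 00:00:00 A------- 5,583 C:\Qoobox\Quarantine\C\WINDOWS\system32\yumafiba.exe.vir
0000-00-00 00:00:00 A------- 5,815 C:\Qoobox\Quarantine\C\WINDOWS\system32\fidavine.dll.vir
0000-00-00 00:00:00 A------- 5,815 C:\Qoobox\Quarantine\C\WINDOWS\system32\hehoroku.dll.vir
0000-00-00 00:00:00 A------- 130,424 C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\PCTCore.sys.vir
c:\windows\system32\staufw.dll
c:\windows\system32\winlogon.exe
"""

QUAR_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) (\d{2}:\d{2}:\d{2}) (\S+) ([\d,]+) (.+)$")
BARE_PATH_RE = re.compile(r"^[A-Za-z]:\\")
QUARANTINE_PREFIX_RE = re.compile(r"^c:\\qoobox\\quarantine\\([a-z])\\", re.IGNORECASE)
VOWELS = frozenset("aeiou")


@dataclass
class Entry:
    path: str            # original on-disk location (quarantine prefix removed)
    size: Optional[int]  # bytes, or None when the line carried no size


def parse_entries(text: str) -> List[Entry]:
    """Accept quarantine-log lines and bare paths; ignore anything else."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        line = raw.strip()
        m = QUAR_RE.match(line)
        if m:
            size = int(m.group(4).replace(",", ""))
            path = m.group(5)
            if path.lower().endswith(".vir"):
                path = path[:-4]
            # C:\Qoobox\Quarantine\C\WINDOWS\... -> C:\WINDOWS\...
            path = QUARANTINE_PREFIX_RE.sub(r"\1:\\", path)
            entries.append(Entry(path, size))
        elif BARE_PATH_RE.match(line):
            entries.append(Entry(line, None))
    return entries


def is_generated_name(stem: str) -> bool:
    """Names seen in this thread: 8 lowercase letters alternating
    consonant/vowel (fidavine, gojuhuji, ...). Heuristic, not a signature."""
    if len(stem) != 8 or not stem.isalpha() or not stem.islower():
        return False
    return all((c in VOWELS) == (i % 2 == 1) for i, c in enumerate(stem))


def split_path(path: str):
    """Return (lower-cased directory with trailing backslash, filename stem)."""
    directory, _, filename = path.rpartition("\\")
    return directory.lower() + "\\", filename.split(".")[0]


def triage(text: str) -> Dict[str, object]:
    """Flag generated names directly in system32 and cluster them by file size:
    many distinct names sharing one exact size is the dropper-family pattern."""
    flagged: List[str] = []
    clusters: Dict[int, List[str]] = defaultdict(list)
    for entry in parse_entries(text):
        directory, stem = split_path(entry.path)
        if directory.endswith("\\system32\\") and is_generated_name(stem):
            flagged.append(entry.path)
            if entry.size is not None:
                clusters[entry.size].append(stem)
    return {
        "flagged": flagged,
        "size_clusters": {s: sorted(n) for s, n in clusters.items() if len(n) >= 2},
    }


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for p in report["flagged"]:
        print("flagged:", p)
    for size, names in report["size_clusters"].items():
        print(f"{len(names)} files of exactly {size:,} bytes: {', '.join(names)}")
```

Paste a real ComboFix log or quarantine listing in place of `SAMPLE_LOG`; a size cluster with several members is the cue to check those names against a known-good file inventory rather than trusting the plausible-looking filename.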

Re: Virtumonde

Post by muppy03 » April 10th, 2009, 2:38 am

Hi there, it is definitely looking better, just a couple more jobs to do ;).

Update Java Runtime

You are using an old version of Java. Sun's Java is sometimes updated in order to eliminate the exploitation of vulnerabilities in an existing version. For this reason, it's extremely important that you keep the program up to date, and also remove the older more vulnerable versions from your system. The most current version of Sun Java is: Java Runtime Environment Version 6 Update 13.
  • Go to Java Site
  • Click to Download Java SE Runtime Environment (JRE) 6 Update 13
  • In Platform box choose Windows.
  • Check the box to Accept License Agreement and click Continue.
  • Click on Windows Offline Installation, click on the link under it which says "jre-6u13-windows-i586-p.exe" and save the downloaded file to your desktop.
  • Go to Start => Control Panel => Add or Remove Programs
  • Uninstall all old versions of Java (Java 3 Runtime Environment, JRE or JSE)
  • Install the new version by running the newly-downloaded file with the java icon which will be at your desktop, and follow the on-screen instructions.
  • Reboot your computer

Update Adobe Reader
Recently there have been vulnerabilities detected in older versions of Adobe Reader. It is strongly suggested that you update to the current version, Adobe Reader 9.
You can download it from http://www.adobe.com/products/acrobat/readstep2.html
After installing the latest Adobe Reader, uninstall all previous versions.
If you already have Adobe Photoshop® Album Starter Edition installed, or do not wish to have it installed, UNcheck the box which says Also Download Adobe Photoshop® Album Starter Edition.

NEXT Download and Run ATF Cleaner
Download ATF (Atribune Temp File) Cleaner© by Atribune to your desktop.
Make sure that all browser windows are closed.

    Double-click ATF-Cleaner.exe to run the program.
    Under Main choose: Select All
    Uncheck Cookies if you do not want them deleted. (If deleted, you will likely need to re-enter your passwords at all sites where a cookie is used to recognize you when you visit). Click the Empty Selected button.

If you use Firefox browser
    Click Firefox at the top and choose: Select All
    Uncheck Cookies if you do not want them deleted.
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.


If you use Opera browser
    Click Opera at the top and choose: Select All
    Uncheck Cookies if you do not want them deleted
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

Please reply and let me know when the above is done before we continue.
muppy03
MRU Emeritus
 
Posts: 4798
Joined: December 4th, 2007, 5:30 am
Location: Australia

Re: Virtumonde

Post by surge-on5 » April 12th, 2009, 6:34 am

Good morning Muppy03,

Java and Adobe reader updated and old versions deleted. ATF cleaner downloaded and run.

Thanks
surge-on5
Regular Member
Posts: 28
Joined: March 31st, 2009, 10:48 pm

Re: Virtumonde

Unread postby muppy03 » April 12th, 2009, 7:43 pm

Hi there,

Before we go on, could you please paste the ComboFix quarantined-files log? It can be found at:

C:\Qoobox\ComboFix-quarantined-files.txt

Thank you
muppy03
MRU Emeritus
Posts: 4798
Joined: December 4th, 2007, 5:30 am
Location: Australia

Re: Virtumonde

Unread postby surge-on5 » April 12th, 2009, 9:16 pm

Hello Muppy03,

Here is the file you requested.

0000-00-00 00:00:00 A------- 5,583 C:\Qoobox\Quarantine\C\WINDOWS\system32\wuwozoza.exe.vir
0000-00-00 00:00:00 A------- 5,583 C:\Qoobox\Quarantine\C\WINDOWS\system32\yumafiba.exe.vir
0000-00-00 00:00:00 A------- 5,587 C:\Qoobox\Quarantine\C\WINDOWS\system32\gojuhuji.exe.vir
0000-00-00 00:00:00 A------- 5,587 C:\Qoobox\Quarantine\C\WINDOWS\system32\pakebewe.exe.vir
0000-00-00 00:00:00 A------- 5,587 C:\Qoobox\Quarantine\C\WINDOWS\system32\pamagefi.exe.vir
0000-00-00 00:00:00 A------- 5,587 C:\Qoobox\Quarantine\C\WINDOWS\system32\yijoyave.exe.vir
0000-00-00 00:00:00 A------- 5,815 C:\Qoobox\Quarantine\C\WINDOWS\system32\fidavine.dll.vir
0000-00-00 00:00:00 A------- 5,815 C:\Qoobox\Quarantine\C\WINDOWS\system32\hehoroku.dll.vir
0000-00-00 00:00:00 A------- 5,815 C:\Qoobox\Quarantine\C\WINDOWS\system32\higalepo.dll.vir
0000-00-00 00:00:00 A------- 5,815 C:\Qoobox\Quarantine\C\WINDOWS\system32\hopalafo.dll.vir
0000-00-00 00:00:00 A------- 5,815 C:\Qoobox\Quarantine\C\WINDOWS\system32\jezalefa.dll.vir
0000-00-00 00:00:00 A------- 5,815 C:\Qoobox\Quarantine\C\WINDOWS\system32\kimupuye.dll.vir
0000-00-00 00:00:00 A------- 5,815 C:\Qoobox\Quarantine\C\WINDOWS\system32\lamugili.dll.vir
0000-00-00 00:00:00 A------- 5,815 C:\Qoobox\Quarantine\C\WINDOWS\system32\leboboga.dll.vir
0000-00-00 00:00:00 A------- 5,815 C:\Qoobox\Quarantine\C\WINDOWS\system32\lejiyuvo.dll.vir
0000-00-00 00:00:00 A------- 5,815 C:\Qoobox\Quarantine\C\WINDOWS\system32\lokobufa.dll.vir
0000-00-00 00:00:00 A------- 5,815 C:\Qoobox\Quarantine\C\WINDOWS\system32\mefibena.dll.vir
0000-00-00 00:00:00 A------- 5,815 C:\Qoobox\Quarantine\C\WINDOWS\system32\napuduti.dll.vir
0000-00-00 00:00:00 A------- 5,815 C:\Qoobox\Quarantine\C\WINDOWS\system32\rusaheke.dll.vir
0000-00-00 00:00:00 A------- 5,815 C:\Qoobox\Quarantine\C\WINDOWS\system32\sanipomu.dll.vir
0000-00-00 00:00:00 A------- 5,815 C:\Qoobox\Quarantine\C\WINDOWS\system32\sevayija.dll.vir
0000-00-00 00:00:00 A------- 5,815 C:\Qoobox\Quarantine\C\WINDOWS\system32\sinidopa.dll.vir
0000-00-00 00:00:00 A------- 5,815 C:\Qoobox\Quarantine\C\WINDOWS\system32\sohotuwa.dll.vir
0000-00-00 00:00:00 A------- 5,815 C:\Qoobox\Quarantine\C\WINDOWS\system32\vidinesa.dll.vir
0000-00-00 00:00:00 A------- 5,815 C:\Qoobox\Quarantine\C\WINDOWS\system32\vipuliji.dll.vir
0000-00-00 00:00:00 A------- 5,815 C:\Qoobox\Quarantine\C\WINDOWS\system32\wakojahe.dll.vir
0000-00-00 00:00:00 A------- 5,815 C:\Qoobox\Quarantine\C\WINDOWS\system32\wideloza.dll.vir
0000-00-00 00:00:00 A------- 5,815 C:\Qoobox\Quarantine\C\WINDOWS\system32\wokirowu.dll.vir
0000-00-00 00:00:00 A------- 5,815 C:\Qoobox\Quarantine\C\WINDOWS\system32\yowibejo.dll.vir
0000-00-00 00:00:00 A------- 5,815 C:\Qoobox\Quarantine\C\WINDOWS\system32\zefugabe.dll.vir
0000-00-00 00:00:00 A------- 5,815 C:\Qoobox\Quarantine\C\WINDOWS\system32\zigulutu.dll.vir
0000-00-00 00:00:00 A------- 5,815 C:\Qoobox\Quarantine\C\WINDOWS\system32\zimebopu.dll.vir
0000-00-00 00:00:00 A------- 5,815 C:\Qoobox\Quarantine\C\WINDOWS\system32\zugeyale.dll.vir
0000-00-00 00:00:00 A------- 95,232 C:\Qoobox\Quarantine\C\WINDOWS\system32\gifuzasa.dll.vir
0000-00-00 00:00:00 A------- 95,232 C:\Qoobox\Quarantine\C\WINDOWS\system32\wivovego.dll.vir
0000-00-00 00:00:00 A------- 95,232 C:\Qoobox\Quarantine\C\WINDOWS\system32\yivezopo.dll.vir
0000-00-00 00:00:00 A------- 95,744 C:\Qoobox\Quarantine\C\WINDOWS\system32\tevijohe.dll.vir
0000-00-00 00:00:00 A------- 96,768 C:\Qoobox\Quarantine\C\WINDOWS\system32\lizoneho.dll.vir
0000-00-00 00:00:00 A------- 128,000 C:\Qoobox\Quarantine\C\WINDOWS\system32\wuwopusi.dll.vir
2006-04-17 11:05:29 A------- 2,294 C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\Settings.LiveUpdate.vir
2006-04-17 11:06:25 A------- 259,570 C:\Qoobox\Quarantine\C\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcrst.dll.vir
2006-04-17 11:06:36 A------- 344 C:\Qoobox\Quarantine\C\Program Files\Common Files\Symantec Shared\CCPD-LC\00180037.TKN.vir
2006-04-17 11:13:30 A------- 708 C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\Symantec\LiveSubscribe\Catalog.LiveSubscribe.vir
2008-08-26 10:08:36 A------- 1,006 C:\Qoobox\Quarantine\C\WINDOWS\IE4 Error Log.txt.vir
2008-12-31 20:33:01 A------- 95,232 C:\Qoobox\Quarantine\C\WINDOWS\system32\yofivowi.dll.vir
2009-03-30 08:32:39 A------- 3,295,837 C:\Qoobox\Quarantine\C\WINDOWS\system32\irofuwov.ini.vir
2009-03-31 08:32:56 A------- 2,510,545 C:\Qoobox\Quarantine\C\WINDOWS\system32\atusanot.ini.vir
2009-03-31 21:45:06 A------- 1,403,738 C:\Qoobox\Quarantine\C\WINDOWS\system32\ozavokal.ini.vir
2009-04-01 08:33:19 A------- 1,418,334 C:\Qoobox\Quarantine\C\WINDOWS\system32\okabizek.ini.vir
2009-04-02 18:20:53 A------- 1,422,844 C:\Qoobox\Quarantine\C\WINDOWS\system32\epohador.ini.vir
2009-04-04 07:25:45 A------- 562 C:\Qoobox\Quarantine\C\Program Files\Common Files\Symantec Shared\CCPD-LC\ez_log.html.vir
2009-04-04 19:13:45 A------- 1,422,574 C:\Qoobox\Quarantine\C\WINDOWS\system32\afuharag.ini.vir
2009-04-06 20:06:04 A------- 174 C:\Qoobox\Quarantine\catchme.log
2009-04-06 20:09:25 A------- 8,204 C:\Qoobox\Quarantine\Registry_backups\tcpip.reg
surge-on5
Regular Member
Posts: 28
Joined: March 31st, 2009, 10:48 pm
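As an added illustration (not part of this thread and not a ComboFix feature), the following Python script parses a quarantine listing in the shape surge-on5 pasted above and groups the quarantined files by size. The eight-lowercase-letter file-name pattern is an assumption taken from the names in this particular listing, and the sample input is a constructed subset of those lines; the point is that clusters of identically sized, randomly named files under system32 with no usable timestamp are exactly what an analyst wants surfaced before deciding which samples to submit.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed input: a subset of the ComboFix quarantine listing pasted above,
# in the same "date time attrs size path" shape. Paths are copied from the post.
SAMPLE_LISTING = r"""
0000-00-00 00:00:00 A------- 5,583 C:\Qoobox\Quarantine\C\WINDOWS\system32\wuwozoza.exe.vir
0000-00-00 00:00:00 A------- 5,583 C:\Qoobox\Quarantine\C\WINDOWS\system32\yumafiba.exe.vir
0000-00-00 00:00:00 A------- 5,587 C:\Qoobox\Quarantine\C\WINDOWS\system32\gojuhuji.exe.vir
0000-00-00 00:00:00 A------- 5,815 C:\Qoobox\Quarantine\C\WINDOWS\system32\fidavine.dll.vir
0000-00-00 00:00:00 A------- 5,815 C:\Qoobox\Quarantine\C\WINDOWS\system32\hehoroku.dll.vir
0000-00-00 00:00:00 A------- 5,815 C:\Qoobox\Quarantine\C\WINDOWS\system32\higalepo.dll.vir
2006-04-17 11:06:25 A------- 259,570 C:\Qoobox\Quarantine\C\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcrst.dll.vir
2008-08-26 10:08:36 A------- 1,006 C:\Qoobox\Quarantine\C\WINDOWS\IE4 Error Log.txt.vir
2009-04-06 20:06:04 A------- 174 C:\Qoobox\Quarantine\catchme.log
"""

LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<attrs>\S+) (?P<size>[\d,]+) (?P<path>.+)$"
)
# Assumption for this example: the droppers in the listing above are all eight
# lowercase letters plus .dll/.exe, so that is the name pattern we key on.
RANDOM_NAME_RE = re.compile(r"^[a-z]{8}\.(dll|exe)$")


@dataclass
class QuarantineEntry:
    date: str
    time: str
    attrs: str
    size: int
    path: str

    @property
    def original_name(self) -> str:
        """Base name as it was on disk; ComboFix appends .vir when quarantining."""
        name = self.path.rsplit("\\", 1)[-1]
        return name[:-4] if name.lower().endswith(".vir") else name

    @property
    def in_system32(self) -> bool:
        return "\\windows\\system32\\" in self.path.lower()

    @property
    def timestamp_unknown(self) -> bool:
        """ComboFix writes 0000-00-00 when it has no usable file time."""
        return self.date == "0000-00-00"


def parse_listing(text):
    """Parse the listing into entries; lines that do not match the format are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line) if line else None
        if not m:
            continue  # tolerate stray text pasted along with the listing
        entries.append(QuarantineEntry(
            m["date"], m["time"], m["attrs"],
            int(m["size"].replace(",", "")), m["path"],
        ))
    return entries


def suspicious_clusters(entries, min_members=2):
    """Map size -> original names for random-looking system32 files sharing that size."""
    by_size = defaultdict(list)
    for e in entries:
        if e.in_system32 and RANDOM_NAME_RE.match(e.original_name):
            by_size[e.size].append(e.original_name)
    return {size: names for size, names in by_size.items() if len(names) >= min_members}


def triage_report(text, min_members=2):
    """Summary lines for the analyst; returned rather than printed so they can be checked."""
    entries = parse_listing(text)
    lines = [f"{len(entries)} quarantined entries parsed"]
    unknown = [e for e in entries if e.timestamp_unknown]
    lines.append(f"{len(unknown)} entries carry no usable timestamp (0000-00-00)")
    for size, names in sorted(suspicious_clusters(entries, min_members).items()):
        lines.append(f"{len(names)} random-looking system32 files of exactly {size} bytes: "
                     + ", ".join(names))
    return lines


if __name__ == "__main__":
    print("\n".join(triage_report(SAMPLE_LISTING)))
```

Note that the name pattern on its own would also catch the legitimate Symantec file symlcrst.dll (eight letters as well); it is the path filter that keeps it out of the clusters, which is why the two checks are combined rather than applied separately.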

Re: Virtumonde

Unread postby muppy03 » April 13th, 2009, 1:08 am

Thanks for that ;). It was unusual that certain files were not picked up straight away by ComboFix, so I would like you to upload the following files for analysis. This helps to keep databases updated with the latest information, which in turn makes it easier to clean computers.

Please go Here to upload the files.

In the first box : Link to topic where this file was requested: copy and paste the following
http://www.malwareremoval.com/forum/viewtopic.php?f=11&t=41428&p=423426#p423426


In the second box: Browse to the file you want to submit: Click on browse and navigate to
  • C:\Qoobox\Quarantine\C\WINDOWS\system32\wuwozoza.exe.vir

Note: To do this Right click Start and select explore

Please repeat for the following 2 samples
  • C:\Qoobox\Quarantine\C\WINDOWS\system32\yumafiba.exe.vir
  • C:\Qoobox\Quarantine\C\WINDOWS\system32\leboboga.dll.vir


Note: Use the same Link to topic for each sample submitted.

Let me know how you go please :flower: .
muppy03
MRU Emeritus
Posts: 4798
Joined: December 4th, 2007, 5:30 am
Location: Australia

Re: Virtumonde

Unread postby surge-on5 » April 13th, 2009, 7:25 am

Hello Muppy03.

Files uploaded as requested.

Thanks
surge-on5
Regular Member
Posts: 28
Joined: March 31st, 2009, 10:48 pm

Re: Virtumonde

Unread postby muppy03 » April 13th, 2009, 8:10 am

Thanks for uploading those files, much appreciated :cheers: . Your logs are looking good and if you are not having any further problems, I would suggest you proceed as follows to provide extra protection for future safe internet use.

MBAM and ATF are great tools for you to keep and use on a regular basis.

Next
  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK
The above procedure will reset your System Restore and clear out the backups and quarantines created during the course of this fix.

You can also remove RSIT and associated logs from your desktop.

Make your Internet Explorer more secure - This can be done by following these simple instructions:
  • From within Internet Explorer click on the Tools menu and then click on Options.
  • Click once on the Security tab
  • Click once on the Internet icon so it becomes highlighted.
  • Click once on the Custom Level button.
    • Change the Download signed ActiveX controls to Prompt
    • Change the Download unsigned ActiveX controls to Disable
    • Change the Initialise and script ActiveX controls not marked as safe to Disable
    • Change the Installation of desktop items to Prompt
    • Change the Launching programs and files in an IFRAME to Prompt
    • Change the Navigate sub-frames across different domains to Prompt
    • When all these settings have been made, click on the OK button.
    • If it prompts you as to whether or not you want to save the settings, press the Yes button.

Here are some free programs I recommend that could help you improve your computer's security.

Update your antivirus programs and other security products regularly to avoid new threats that could infect your system. If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

You can use one of these sites to check if any updates are needed for your pc.
Secunia Software Inspector
F-secure Health Check


Install SpyWare Blaster 4.0
Download it from here
Find the tutorial on how to use SpywareBlaster here

Install WinPatrol
Download it from here
You can find information about how WinPatrol works here

Note: I see you already have this installed :thumbright:

Install MVPS Hosts File from here
The MVPS Hosts file replaces your current HOSTS file with one containing well known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.
Find Tutorial here : http://www.mvps.org/winhelp2002/hosts.htm


Read some information here how to prevent Malware.

Please reply and let me know if you have any problems or questions
Happy Safe Surfing :flower:
muppy03
MRU Emeritus
Posts: 4798
Joined: December 4th, 2007, 5:30 am
Location: Australia
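To make concrete how the HOSTS-file approach muppy03 describes actually works, here is an added Python example (not from this thread and not the MVPS project's own code) that parses a hosts file the way the resolver reads it, first matching entry wins, comments stripped, names case-insensitive, and reports whether a name is sinkholed to the local machine. The host names in the sample are constructed for the example; it accepts both the 127.0.0.1 form described in the post and the 0.0.0.0 form, and it also shows the limitation a practitioner should know about: a hosts file matches exact names only, so a listed domain does not cover its subdomains.

```python
import ipaddress

# Constructed sample in hosts-file format. Host names are made up for this example;
# this is not the real MVPS file.
SAMPLE_HOSTS = """
# comment lines and blank lines are ignored
127.0.0.1       localhost
0.0.0.0         ads.example-tracker.test
0.0.0.0         cdn.example-tracker.test   # trailing comments are ignored too
127.0.0.1       banner.example-ads.test
127.0.0.1       banner.example-ads.test    # duplicate: the first entry wins
this is not a hosts line
"""


def parse_hosts(text):
    """Return {lowercase host name: address string}, honouring first-match-wins."""
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            addr = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # skip malformed lines rather than failing the whole file
        for host in parts[1:]:            # one address may be followed by several names
            table.setdefault(host.lower(), str(addr))
    return table


def lookup(table, host):
    """Address the hosts file gives for host, or None if the name is not listed."""
    return table.get(host.lower().rstrip("."))


def is_sinkholed(table, host):
    """True when the name is redirected to the local machine (loopback or 0.0.0.0)."""
    addr = lookup(table, host)
    if addr is None:
        return False
    ip = ipaddress.ip_address(addr)
    return ip.is_loopback or ip.is_unspecified


def uncovered_subdomains(table, candidates):
    """Names NOT sinkholed even though a parent domain is listed: the exact-match gap."""
    return [
        c for c in candidates
        if not is_sinkholed(table, c)
        and any(c.lower().endswith("." + listed) for listed in table)
    ]


if __name__ == "__main__":
    hosts = parse_hosts(SAMPLE_HOSTS)
    for name in ("ads.example-tracker.test", "www.ads.example-tracker.test", "example.test"):
        print(f"{name}: sinkholed={is_sinkholed(hosts, name)} addr={lookup(hosts, name)}")
```

The exact-match gap is the reason a hosts file is a supplement to, not a replacement for, an up-to-date browser and security software: anything served from a host name that is not literally in the list still resolves normally.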

Re: Virtumonde

Unread postby surge-on5 » April 15th, 2009, 6:43 am

Hi Muppy03,

Almost finished with your last instructions. My computer was working fine, but I just got two error messages that I could not get rid of unless I restarted my computer:

The following application failed to initialize. . .:

logonui.exe

The following is not a valid windows image. . .:

C:\Program\QuickTime\QTSystem.qts

I don't know if these are related to the previous infections or not

Thanks
surge-on5
Regular Member
Posts: 28
Joined: March 31st, 2009, 10:48 pm

Re: Virtumonde

Unread postby muppy03 » April 15th, 2009, 4:50 pm

Hi There,

You said you were 'almost finished'; can you tell me exactly what's still to be done, or is it all completed now? Also, at what stage did the errors occur?

Is the error still happening or was it only the one time?

Is the computer still usable? If not try using your 'Last Restore Point'.

Was anything else done, updated, installed or changed by yourself or another user since my last post (e.g. even something like updating iTunes), as we did not change either of the two programs affected?

Please run and post another RSIT log so I can have a deeper look. ;)
muppy03
MRU Emeritus
Posts: 4798
Joined: December 4th, 2007, 5:30 am
Location: Australia

Re: Virtumonde

Unread postby surge-on5 » April 15th, 2009, 9:59 pm

Hello Muppy03,

All items have been completed. The error came up only once; I had downloaded SpywareBlaster but had not installed it. The computer is usable and appears fine. To the best of my knowledge there have not been any changes made to the machine, but my gf's daughter said she tried to go on iTunes yesterday and it "did not work."

Here is the RSIT log:

Logfile of random's system information tool 1.06 (written by random/random)
Run by kellly at 2009-04-15 21:46:31
Microsoft Windows XP Professional Service Pack 3
System drive C: has 70 GB (64%) free of 110 GB
Total RAM: 1022 MB (30% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:46:42 PM, on 4/15/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Trend Micro\TrendSecure\TSCFPlatformCOMSvr.exe
C:\Program Files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Pure Digital Technologies\FlipShare\FlipShareService.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Dell Photo AIO Printer 944\dlcdmon.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\Dell Photo AIO Printer 944\memcard.exe
C:\WINDOWS\CTHELPER.EXE
C:\WINDOWS\system32\CTXFIHLP.EXE
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Trend Micro\TrendSecure\RemoteFileLock\FLMain.exe
C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Documents and Settings\All Users\Application Data\U3\U3Launcher\LaunchU3.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\WINDOWS\system32\dlcdcoms.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\TmPfw.exe
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
C:\Program Files\Trend Micro\TrendSecure\TSCFCommander.exe
C:\Program Files\Trend Micro\TrendSecure\TransactionProtector\Dependent\HSChkProxyExe.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\kellly\Desktop\RSIT.exe
C:\Documents and Settings\kellly\Desktop\kellly.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.bellsouth.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
O2 - BHO: TransactionProtector BHO - {C1656CCA-D2EA-4A32-94AE-AE0B180E6449} - C:\Program Files\Trend Micro\TrendSecure\TransactionProtector\TSToolbar.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\Program Files\BAE\BAE.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Transaction Protector - {E7620C98-FCCC-40E5-92EC-C7685D2E1E40} - C:\Program Files\Trend Micro\TrendSecure\TransactionProtector\TSToolbar.dll
O3 - Toolbar: Spb Wallet - {2913D3DD-9363-4C21-B205-C19A584A0674} - C:\Program Files\Spb Wallet\SpbWalletToolbar.dll
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [DLCDCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCDtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [dlcdmon.exe] "C:\Program Files\Dell Photo AIO Printer 944\dlcdmon.exe"
O4 - HKLM\..\Run: [MemoryCardManager] "C:\Program Files\Dell Photo AIO Printer 944\memcard.exe"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe -expressboot
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [TrendSecure Remote File Lock] C:\Program Files\Trend Micro\TrendSecure\RemoteFileLock\FLMain.exe
O4 - HKCU\..\Run: [OE] "C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe"
O4 - HKUS\S-1-5-18\..\RunOnce: [SetDefaultMIDI] MIDIDEF.EXE /s:'Creative SoundFont Synthesizer' /w:'SB Audigy' (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [SetDefaultMIDI] MIDIDEF.EXE /s:'Creative SoundFont Synthesizer' /w:'SB Audigy' (User 'Default user')
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: LaunchU3.exe.lnk = ?
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - https://www.mhsremote.com/Citrix/,DanaI ... icaweb.cab
O16 - DPF: {23BFC42A-A74D-4698-9E20-65E23A090982} (CmActive.CmActiveXDoc) - https://cm.mhs.net/clinx/clinx/cmactivedoc.CAB
O16 - DPF: {275E2FE0-7486-11D0-89D6-00A0C90C9B67} (MCSiMenuCtl Class) - https://clinician.mhs.net/mcsimenu.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www2.snapfish.com/SnapfishActivia.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resour ... se5483.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microso ... 8512698125
O16 - DPF: {6F750202-1362-4815-A476-88533DE61D0C} (Kodak Gallery Easy Upload Manager Class) - http://www.kodakgallery.com/downloads/B ... ofupld.cab
O16 - DPF: {843EE768-3A97-455C-9076-741BA3AD7B62} (QuickBooks Online Edition Utilities Class v10) - https://accounting.quickbooks.com/c1/v1 ... boax10.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://wwwimages.adobe.com/www.adobe.co ... nos/gp.cab
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupControlXP Class) - https://www.mhsremote.com/dana-cached/s ... tupSP1.cab
O16 - DPF: {F5131C24-E56D-11CF-B78A-444553540000} (Ikonic Menu Control) - https://wc.wachovia.com/common/cab/ikcntrls.cab
O23 - Service: Adobe Active File Monitor V7 (AdobeActiveFileMonitor7.0) - Adobe Systems Incorporated - C:\Program Files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: dlcd_device - Unknown owner - C:\WINDOWS\system32\dlcdcoms.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: FlipShare Service - Unknown owner - C:\Program Files\Pure Digital Technologies\FlipShare\FlipShareService.exe
O23 - Service: Google Desktop Manager 5.7.806.10245 (GoogleDesktopManager-061008-081103) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe

--
End of file - 13275 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job
C:\WINDOWS\tasks\AppleSoftwareUpdate.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}]
Adobe PDF Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [2009-02-27 75128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5CA3D70E-1895-11CF-8E15-001234567890}]
DriveLetterAccess - C:\WINDOWS\System32\DLA\DLASHX_W.DLL [2005-09-08 110652]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}]
Google Toolbar Helper - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll [2009-02-15 251504]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}]
Google Toolbar Notifier BHO - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll [2009-02-15 657904]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C1656CCA-D2EA-4A32-94AE-AE0B180E6449}]
TSToolbarBHO - C:\Program Files\Trend Micro\TrendSecure\TransactionProtector\TSToolbar.dll [2008-02-15 103760]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C84D72FE-E17D-4195-BB24-76C02E2E7C4E}]
Google Dictionary Compression sdch - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll [2009-02-15 522224]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{CA6319C0-31B7-401E-A518-A07C3DB8F777}]
CBrowserHelperObject Object - c:\Program Files\BAE\BAE.dll [2006-02-22 94208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java(tm) Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2009-04-11 35840]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}]
JQSIEStartDetectorImpl Class - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll [2009-04-11 73728]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{E7620C98-FCCC-40E5-92EC-C7685D2E1E40} - Transaction Protector - C:\Program Files\Trend Micro\TrendSecure\TransactionProtector\TSToolbar.dll [2008-02-15 103760]
{2913D3DD-9363-4C21-B205-C19A584A0674} - Spb Wallet - C:\Program Files\Spb Wallet\SpbWalletToolbar.dll [2008-08-11 89088]
{2318C2B1-4965-11d4-9B18-009027A5CD4F} - &Google Toolbar - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll [2009-02-15 251504]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ehTray"=C:\WINDOWS\ehome\ehtray.exe [2005-09-29 67584]
"IAAnotif"=C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe [2005-06-17 139264]
"ATIPTA"=C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe [2005-08-05 344064]
"RealTray"=C:\Program Files\Real\RealPlayer\RealPlay.exe [2006-04-17 26112]
"ISUSPM Startup"=C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe [2005-06-10 249856]
"ISUSScheduler"=C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe [2005-06-10 81920]
"DLA"=C:\WINDOWS\System32\DLA\DLACTRLW.EXE [2005-09-08 122940]
"DLCDCATS"=rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCDtime.dll,_RunDLLEntry@16 []
"dlcdmon.exe"=C:\Program Files\Dell Photo AIO Printer 944\dlcdmon.exe [2005-07-22 430080]
"MemoryCardManager"=C:\Program Files\Dell Photo AIO Printer 944\memcard.exe [2005-06-27 282624]
"CTHelper"=C:\WINDOWS\CTHELPER.EXE [2005-11-08 16384]
"CTxfiHlp"=C:\WINDOWS\system32\CTXFIHLP.EXE [2006-03-02 18944]
"UfSeAgnt.exe"=C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe [2008-07-29 1398024]
"QuickTime Task"=C:\Program Files\QuickTime\QTTask.exe [2009-01-05 413696]
"iTunesHelper"=C:\Program Files\iTunes\iTunesHelper.exe [2009-01-06 290088]
"WinPatrol"=C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe [2009-03-17 337216]
"ISTray"=C:\Program Files\Spyware Doctor\pctsTray.exe [2008-12-08 1173384]
"SunJavaUpdateSched"=C:\Program Files\Java\jre6\bin\jusched.exe [2009-04-11 148888]
"Adobe Reader Speed Launcher"=C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe [2009-02-27 35696]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"=C:\Program Files\Messenger\msmsgs.exe [2008-04-13 1695232]
"swg"=C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [2007-07-02 68856]
"H/PC Connection Agent"=C:\Program Files\Microsoft ActiveSync\wcescomm.exe [2006-11-13 1289000]
"TrendSecure Remote File Lock"=C:\Program Files\Trend Micro\TrendSecure\RemoteFileLock\FLMain.exe [2008-02-15 423248]
"OE"=C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe [2008-02-16 492808]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe
LaunchU3.exe.lnk - C:\WINDOWS\Installer\{D8E363A7-88B7-446D-B2C0-E26CE4DC8E54}\_294823.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
C:\WINDOWS\system32\WgaLogon.dll [2007-03-15 236928]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\sdauxservice]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\sdcoreservice]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=323
"NoDriveAutoRun"=67108863
"NoDrives"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveAutoRun"=
"NoDriveTypeAutoRun"=
"NoDrives"=
"HonorAutoRunSetting"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\Messenger\msmsgs.exe"="C:\Program Files\Messenger\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\WINDOWS\system32\fxsclnt.exe"="C:\WINDOWS\system32\fxsclnt.exe:*:Enabled:Microsoft Fax Console"
"C:\Program Files\Juniper Networks\Secure Application Manager\dsSamProxy.exe"="C:\Program Files\Juniper Networks\Secure Application Manager\dsSamProxy.exe:*:Enabled:Secure Application Manager Proxy"
"C:\Program Files\Microsoft ActiveSync\rapimgr.exe"="C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager"
"C:\Program Files\Microsoft ActiveSync\wcescomm.exe"="C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager"
"C:\Program Files\Microsoft ActiveSync\WCESMgr.exe"="C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\Bonjour\mDNSResponder.exe"="C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\Program Files\iTunes\iTunes.exe"="C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes"
"C:\Program Files\Adobe\Photoshop Elements 7.0\AdobePhotoshopElementsMediaServer.exe"="C:\Program Files\Adobe\Photoshop Elements 7.0\AdobePhotoshopElementsMediaServer.exe:*:Disabled:Adobe Photoshop Elements Media Server"
"C:\Program Files\Trend Micro\Internet Security\TmProxy.exe"="C:\Program Files\Trend Micro\Internet Security\TmProxy.exe:*:Enabled:TmProxy"
"C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe"="C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe:*:Enabled:SfCtlCom"
"C:\WINDOWS\ehome\ehrecvr.exe"="C:\WINDOWS\ehome\ehrecvr.exe:*:Enabled:ehRecvr"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\Common Files\AOL\ACS\AOLDial.exe"="C:\Program Files\Common Files\AOL\ACS\AOLDial.exe:*:Enabled:AOL"
"C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe"="C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe:*:Enabled:AOL"
"C:\Program Files\America Online 9.0\waol.exe"="C:\Program Files\America Online 9.0\waol.exe:*:Enabled:America Online 9.0"
"C:\Program Files\Microsoft ActiveSync\rapimgr.exe"="C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager"
"C:\Program Files\Microsoft ActiveSync\wcescomm.exe"="C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager"
"C:\Program Files\Microsoft ActiveSync\WCESMgr.exe"="C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{12b1fbc0-e6bb-11dc-9448-001372c72725}]
shell\AutoRun\command - M:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
shell\AutoRun\command - E:\setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5d65c89a-d20c-11dd-9480-001372c72725}]
shell\AutoRun\command - M:\Setup_FlipShare.exe
shell\Setup FlipShare\command - M:\Setup_FlipShare.exe


======List of files/folders created in the last 1 months======

2009-04-15 21:45:26 ----D---- C:\Program Files\SpywareBlaster
2009-04-15 08:47:40 ----D---- C:\WINDOWS\LastGood
2009-04-14 18:34:01 ----A---- C:\pv.exe
2009-04-11 07:24:45 ----D---- C:\Program Files\Common Files\Adobe AIR
2009-04-11 06:58:34 ----D---- C:\Documents and Settings\All Users\Application Data\NOS
2009-04-11 06:58:32 ----D---- C:\Program Files\NOS
2009-04-11 06:55:21 ----A---- C:\WINDOWS\system32\javaws.exe
2009-04-11 06:55:21 ----A---- C:\WINDOWS\system32\javaw.exe
2009-04-11 06:55:21 ----A---- C:\WINDOWS\system32\java.exe
2009-04-09 21:44:25 ----SHD---- C:\RECYCLER
2009-04-09 21:43:37 ----A---- C:\ComboFix.txt
2009-04-06 20:07:11 ----A---- C:\Boot.bak
2009-04-06 20:07:01 ----RASHD---- C:\cmdcons
2009-04-06 20:06:04 ----D---- C:\WINDOWS\ERDNT
2009-04-06 06:34:14 ----D---- C:\rsit
2009-04-05 23:28:58 ----D---- C:\Documents and Settings\kellly\Application Data\Malwarebytes
2009-04-05 23:28:39 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2009-04-05 23:28:39 ----D---- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2009-04-04 07:58:37 ----A---- C:\VundoFix.txt
2009-04-04 07:40:17 ----D---- C:\Documents and Settings\kellly\Application Data\WinPatrol
2009-04-04 07:39:47 ----D---- C:\Program Files\BillP Studios
2009-04-04 07:25:12 ----SHD---- C:\Config.Msi
2009-03-31 07:10:48 ----SHD---- C:\WINDOWS\CSC
2009-03-31 07:10:39 ----A---- C:\WINDOWS\ntbtlog.txt
2009-03-30 20:23:35 ----AD---- C:\Documents and Settings\All Users\Application Data\TEMP
2009-03-30 20:23:31 ----D---- C:\Program Files\Common Files\PC Tools
2009-03-30 20:23:25 ----D---- C:\Program Files\Spyware Doctor
2009-03-30 20:23:25 ----D---- C:\Documents and Settings\kellly\Application Data\PC Tools
2009-03-30 20:23:25 ----D---- C:\Documents and Settings\All Users\Application Data\PC Tools
2009-03-30 07:43:27 ----D---- C:\Program Files\Windows Live Safety Center
2009-03-28 11:04:10 ----A---- C:\WINDOWS\system32\deploytk.dll
2009-03-28 09:40:03 ----D---- C:\Documents and Settings\All Users\Application Data\Lavasoft
2009-03-24 06:58:46 ----A---- C:\AdobeDebug.txt
2009-03-24 06:58:45 ----D---- C:\Documents and Settings\All Users\Application Data\espionServerData
2009-03-24 06:49:32 ----D---- C:\Documents and Settings\All Users\Application Data\FLEXnet
2009-03-24 06:40:45 ----D---- C:\Program Files\Common Files\Macrovision Shared
2009-03-24 06:35:58 ----N---- C:\WINDOWS\system32\pxhpinst.exe
2009-03-24 06:35:58 ----N---- C:\WINDOWS\system32\pxafs.dll

======List of files/folders modified in the last 1 months======

2009-04-15 21:46:31 ----D---- C:\WINDOWS\Prefetch
2009-04-15 21:45:27 ----D---- C:\WINDOWS\system32
2009-04-15 21:45:26 ----D---- C:\Program Files
2009-04-15 21:37:09 ----D---- C:\WINDOWS\system32\drivers
2009-04-15 21:37:09 ----A---- C:\WINDOWS\system32\kdfvmgr.exe
2009-04-15 21:37:09 ----A---- C:\WINDOWS\system32\kdfmgr.exe
2009-04-15 21:37:09 ----A---- C:\WINDOWS\system32\kdfapi.dll
2009-04-15 18:52:53 ----D---- C:\WINDOWS\Temp
2009-04-15 18:45:51 ----D---- C:\Program Files\Dl_cats
2009-04-15 08:49:40 ----D---- C:\WINDOWS\system32\CatRoot2
2009-04-15 08:48:30 ----HD---- C:\WINDOWS\inf
2009-04-15 08:48:10 ----HD---- C:\WINDOWS\$hf_mig$
2009-04-15 08:48:09 ----D---- C:\WINDOWS
2009-04-15 07:31:40 ----A---- C:\WINDOWS\ModemLog_Conexant D850 56K V.9x DFVc Modem.txt
2009-04-15 06:28:37 ----A---- C:\WINDOWS\system32\Kdfhok.dll
2009-04-15 06:26:40 ----D---- C:\WINDOWS\Registration
2009-04-15 06:25:48 ----SHD---- C:\System Volume Information
2009-04-15 06:25:48 ----D---- C:\WINDOWS\system32\Restore
2009-04-14 15:08:45 ----D---- C:\WINDOWS\system32\FxsTmp
2009-04-12 19:08:40 ----SHD---- C:\WINDOWS\Installer
2009-04-11 07:25:00 ----D---- C:\Program Files\Adobe
2009-04-11 07:24:48 ----D---- C:\Documents and Settings\kellly\Application Data\Adobe
2009-04-11 07:24:48 ----D---- C:\Documents and Settings\All Users\Application Data\Adobe
2009-04-11 07:24:45 ----D---- C:\Program Files\Common Files
2009-04-11 07:04:47 ----A---- C:\WINDOWS\SchedLgU.Txt
2009-04-11 07:02:13 ----D---- C:\Program Files\Common Files\Adobe
2009-04-11 06:58:38 ----SD---- C:\WINDOWS\Downloaded Program Files
2009-04-11 06:54:56 ----D---- C:\Program Files\Java
2009-04-09 21:41:27 ----N---- C:\WINDOWS\system.ini
2009-04-09 21:40:00 ----D---- C:\WINDOWS\AppPatch
2009-04-09 21:17:59 ----D---- C:\Documents and Settings\kellly\Application Data\AdobeUM
2009-04-09 07:46:16 ----D---- C:\Documents and Settings\kellly\Application Data\U3
2009-04-07 18:30:19 ----D---- C:\WINDOWS\system32\CatRoot
2009-04-06 20:10:50 ----D---- C:\WINDOWS\system32\config
2009-04-06 20:07:11 ----RASH---- C:\boot.ini
2009-04-04 07:29:34 ----D---- C:\Program Files\Napster
2009-04-04 07:29:27 ----D---- C:\Documents and Settings\All Users\Application Data\Napster
2009-04-04 07:29:12 ----D---- C:\Program Files\Common Files\Roxio Shared
2009-04-04 07:20:47 ----D---- C:\Program Files\Common Files\AOL
2009-04-04 07:20:40 ----D---- C:\Documents and Settings\All Users\Application Data\AOL
2009-04-02 07:44:28 ----D---- C:\Program Files\Outlook Express
2009-03-30 20:46:23 ----SD---- C:\Documents and Settings\All Users\Application Data\Microsoft
2009-03-30 20:46:23 ----D---- C:\Documents and Settings\kellly\Application Data\Lavasoft
2009-03-30 20:41:36 ----DC---- C:\WINDOWS\system32\DRVSTORE
2009-03-28 09:50:01 ----SD---- C:\WINDOWS\Tasks
2009-03-28 09:39:58 ----D---- C:\WINDOWS\WinSxS
2009-03-24 06:37:32 ----RSD---- C:\WINDOWS\Fonts
2009-03-24 06:35:51 ----N---- C:\WINDOWS\system32\pxdrv.dll
2009-03-24 06:35:50 ----N---- C:\WINDOWS\system32\PxSFS.DLL
2009-03-24 06:35:50 ----N---- C:\WINDOWS\system32\PxMas.dll
2009-03-24 06:35:49 ----N---- C:\WINDOWS\system32\PxWave.dll
2009-03-24 06:35:49 ----N---- C:\WINDOWS\system32\Px.dll

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 DLACDBHM;DLACDBHM; C:\WINDOWS\System32\Drivers\DLACDBHM.SYS [2005-08-25 5628]
R1 DLARTL_N;DLARTL_N; C:\WINDOWS\System32\Drivers\DLARTL_N.SYS [2005-08-25 22684]
R1 intelppm;Intel Processor Driver; C:\WINDOWS\system32\DRIVERS\intelppm.sys [2008-04-13 36352]
R1 kbdhid;Keyboard HID Driver; C:\WINDOWS\system32\DRIVERS\kbdhid.sys [2008-04-13 14592]
R1 NEOFLTR_600_12507;Juniper Networks TDI Filter Driver (NEOFLTR_600_12507); \??\C:\WINDOWS\system32\Drivers\NEOFLTR_600_12507.SYS []
R1 NEOFLTR_620_13687;Juniper Networks TDI Filter Driver (NEOFLTR_620_13687); \??\C:\WINDOWS\system32\Drivers\NEOFLTR_620_13687.SYS []
R1 tmtdi;Trend Micro TDI Driver; C:\WINDOWS\system32\DRIVERS\tmtdi.sys [2008-02-16 65936]
R2 ASCTRM;ASCTRM; C:\WINDOWS\system32\drivers\ASCTRM.sys [2006-04-17 8552]
R2 DLABOIOM;DLABOIOM; C:\WINDOWS\System32\DLA\DLABOIOM.SYS [2005-09-08 25628]
R2 DLADResN;DLADResN; C:\WINDOWS\System32\DLA\DLADResN.SYS [2005-09-08 2496]
R2 DLAIFS_M;DLAIFS_M; C:\WINDOWS\System32\DLA\DLAIFS_M.SYS [2005-09-08 86524]
R2 DLAOPIOM;DLAOPIOM; C:\WINDOWS\System32\DLA\DLAOPIOM.SYS [2005-09-08 14684]
R2 DLAPoolM;DLAPoolM; C:\WINDOWS\System32\DLA\DLAPoolM.SYS [2005-09-08 6364]
R2 DLAUDF_M;DLAUDF_M; C:\WINDOWS\System32\DLA\DLAUDF_M.SYS [2005-09-08 87036]
R2 DLAUDFAM;DLAUDFAM; C:\WINDOWS\System32\DLA\DLAUDFAM.SYS [2005-09-08 94332]
R2 DRVNDDM;DRVNDDM; C:\WINDOWS\System32\Drivers\DRVNDDM.SYS [2005-08-12 40544]
R2 dsunidrv;DellSupport UniDriver; C:\WINDOWS\system32\DRIVERS\dsunidrv.sys [2007-02-25 5376]
R2 mdmxsdk;mdmxsdk; C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys [2003-04-09 11043]
R2 tmactmon;tmactmon; \??\C:\WINDOWS\system32\drivers\tmactmon.sys []
R2 tmcomm;tmcomm; \??\C:\WINDOWS\system32\drivers\tmcomm.sys []
R2 tmevtmgr;tmevtmgr; \??\C:\WINDOWS\system32\drivers\tmevtmgr.sys []
R2 tmpreflt;tmpreflt; C:\WINDOWS\system32\DRIVERS\tmpreflt.sys [2008-11-26 36368]
R2 tmxpflt;tmxpflt; C:\WINDOWS\system32\DRIVERS\tmxpflt.sys [2008-11-26 205328]
R2 vsapint;vsapint; C:\WINDOWS\system32\DRIVERS\vsapint.sys [2008-11-26 1195384]
R3 ati2mtag;ati2mtag; C:\WINDOWS\system32\DRIVERS\ati2mtag.sys [2005-08-04 1273344]
R3 ctac32k;Creative AC3 Software Decoder; C:\WINDOWS\system32\drivers\ctac32k.sys [2005-11-08 502272]
R3 ctaud2k;Creative Audio Driver (WDM); C:\WINDOWS\system32\drivers\ctaud2k.sys [2005-11-08 439680]
R3 ctprxy2k;Creative Proxy Driver; C:\WINDOWS\system32\drivers\ctprxy2k.sys [2005-11-08 7168]
R3 ctsfm2k;Creative SoundFont Management Device Driver; C:\WINDOWS\system32\drivers\ctsfm2k.sys [2005-11-08 143360]
R3 E100B;Intel(R) PRO Network Connection Driver; C:\WINDOWS\system32\DRIVERS\e100b325.sys [2004-10-14 155648]
R3 emupia;E-mu Plug-in Architecture Driver; C:\WINDOWS\system32\drivers\emupia2k.sys [2005-11-08 77824]
R3 GearAspiWDM;GEAR ASPI Filter Driver; C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys [2008-04-17 15464]
R3 ha20x2k;Creative 20X HAL Driver; C:\WINDOWS\system32\drivers\ha20x2k.sys [2006-02-15 1096192]
R3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2008-04-13 10368]
R3 HSF_DP;HSF_DP; C:\WINDOWS\system32\DRIVERS\HSF_DP.sys [2003-11-17 1042432]
R3 HSFHWBS2;HSFHWBS2; C:\WINDOWS\system32\DRIVERS\HSFHWBS2.sys [2003-11-17 212224]
R3 MODEMCSA;Unimodem Streaming Filter Device; C:\WINDOWS\system32\drivers\MODEMCSA.sys [2001-08-17 16128]
R3 mouhid;Mouse HID Driver; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2001-08-17 12160]
R3 neokdss;neokdss; C:\WINDOWS\system32\Drivers\neokdss.sys []
R3 ossrv;Creative OS Services Driver; C:\WINDOWS\system32\drivers\ctoss2k.sys [2005-11-08 114688]
R3 tmcfw;Trend Micro Common Firewall Service; C:\WINDOWS\system32\DRIVERS\TM_CFW.sys [2008-02-16 333328]
R3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2008-04-13 32128]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2008-04-13 30208]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2008-04-13 59520]
R3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2008-04-13 25856]
R3 usbscan;USB Scanner Driver; C:\WINDOWS\system32\DRIVERS\usbscan.sys [2008-04-13 15104]
R3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2008-04-13 20608]
R3 winachsf;winachsf; C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys [2003-11-17 680704]
S3 bvrp_pci;bvrp_pci; C:\WINDOWS\system32\drivers\bvrp_pci.sys []
S3 ctdvda2k;Creative DVD-Audio Device Driver; C:\WINDOWS\system32\drivers\ctdvda2k.sys [2005-07-13 340704]
S3 DSproct;DSproct; \??\C:\Program Files\DellSupport\GTAction\triggers\DSproct.sys []
S3 MHNDRV;MHN driver; C:\WINDOWS\system32\DRIVERS\mhndrv.sys [2004-08-10 11008]
S3 nv;nv; C:\WINDOWS\system32\DRIVERS\nv4_mini.sys [2004-08-03 1897408]
S3 usb_rndisx;USB RNDIS Adapter; C:\WINDOWS\system32\DRIVERS\usb8023x.sys [2008-04-13 12800]
S3 USBAAPL;Apple Mobile USB Driver; C:\WINDOWS\System32\Drivers\usbaapl.sys [2008-11-07 32000]
S3 wanatw;WAN Miniport (ATW); C:\WINDOWS\system32\DRIVERS\wanatw4.sys []
S3 WpdUsb;WpdUsb; C:\WINDOWS\System32\Drivers\wpdusb.sys [2006-03-03 18944]
S4 agp440;Intel AGP Bus Filter; C:\WINDOWS\system32\DRIVERS\agp440.sys [2008-04-13 42368]
S4 agpCPQ;Compaq AGP Bus Filter; C:\WINDOWS\system32\DRIVERS\agpCPQ.sys [2008-04-13 44928]
S4 alim1541;ALI AGP Bus Filter; C:\WINDOWS\system32\DRIVERS\alim1541.sys [2008-04-13 42752]
S4 amdagp;AMD AGP Bus Filter Driver; C:\WINDOWS\system32\DRIVERS\amdagp.sys [2008-04-13 43008]
S4 cbidf;cbidf; C:\WINDOWS\system32\DRIVERS\cbidf2k.sys [2001-08-17 13952]
S4 IntelIde;IntelIde; C:\WINDOWS\system32\DRIVERS\intelide.sys [2008-04-13 5504]
S4 sisagp;SIS AGP Bus Filter; C:\WINDOWS\system32\DRIVERS\sisagp.sys [2008-04-13 40960]
S4 viaagp;VIA AGP Bus Filter; C:\WINDOWS\system32\DRIVERS\viaagp.sys [2008-04-13 42240]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 AdobeActiveFileMonitor7.0;Adobe Active File Monitor V7; C:\Program Files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe [2008-09-16 169312]
R2 Apple Mobile Device;Apple Mobile Device; C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe [2008-11-07 132424]
R2 Ati HotKey Poller;Ati HotKey Poller; C:\WINDOWS\system32\Ati2evxx.exe [2005-08-04 380928]
R2 Bonjour Service;Bonjour Service; C:\Program Files\Bonjour\mDNSResponder.exe [2008-08-29 238888]
R2 Creative Service for CDROM Access;Creative Service for CDROM Access; C:\WINDOWS\system32\CTsvcCDA.exe [1999-12-12 44032]
R2 ehRecvr;Media Center Receiver Service; C:\WINDOWS\eHome\ehRecvr.exe [2005-10-11 237568]
R2 ehSched;Media Center Scheduler Service; C:\WINDOWS\eHome\ehSched.exe [2005-08-05 102912]
R2 Fax;Fax; C:\WINDOWS\system32\fxssvc.exe [2008-04-13 267776]
R2 FlipShare Service;FlipShare Service; C:\Program Files\Pure Digital Technologies\FlipShare\FlipShareService.exe [2008-11-13 439616]
R2 IAANTMon;Intel(R) Matrix Storage Event Monitor; C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe [2005-06-17 86140]
R2 JavaQuickStarterService;Java Quick Starter; C:\Program Files\Java\jre6\bin\jqs.exe [2009-04-11 152984]
R2 McrdSvc;Media Center Extender Service; C:\WINDOWS\ehome\mcrdsvc.exe [2005-08-05 99328]
R2 sdAuxService;PC Tools Auxiliary Service; C:\Program Files\Spyware Doctor\pctsAuxs.exe [2009-01-07 348752]
R2 sdCoreService;PC Tools Security Service; C:\Program Files\Spyware Doctor\pctsSvc.exe [2009-01-21 1095560]
R2 SfCtlCom;Trend Micro Central Control Component; C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe [2009-02-19 700760]
R2 TMBMServer;Trend Micro Unauthorized Change Prevention Service; C:\Program Files\Trend Micro\BM\TMBMSRV.exe [2008-02-16 333064]
R2 UMWdf;Windows User Mode Driver Framework; C:\WINDOWS\system32\wdfmgr.exe [2005-08-03 38912]
R3 dlcd_device;dlcd_device; C:\WINDOWS\system32\dlcdcoms.exe [2005-06-21 491520]
R3 iPod Service;iPod Service; C:\Program Files\iPod\bin\iPodService.exe [2009-01-06 536872]
R3 TmPfw;Trend Micro Personal Firewall; C:\PROGRA~1\TRENDM~1\INTERN~2\TmPfw.exe [2008-02-16 488768]
R3 tmproxy;Trend Micro Proxy Service; C:\Program Files\Trend Micro\Internet Security\TmProxy.exe [2008-02-16 648456]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe [2004-07-15 32768]
S3 DSBrokerService;DSBrokerService; C:\Program Files\DellSupport\brkrsvc.exe [2007-03-07 76848]
S3 FLEXnet Licensing Service;FLEXnet Licensing Service; C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe [2009-03-24 651720]
S3 GoogleDesktopManager-061008-081103;Google Desktop Manager 5.7.806.10245; C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe [2008-08-21 29744]
S3 gusvc;Google Updater Service; C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-02-15 137200]
S3 MHN;MHN; C:\WINDOWS\System32\svchost.exe [2008-04-13 14336]
S3 NetSvc;Intel NCS NetService; C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe [2004-11-19 147456]
S4 getPlus(R) Helper;getPlus(R) Helper; C:\Program Files\NOS\bin\getPlus_HelperSvc.exe [2009-03-03 33176]

-----------------EOF-----------------
surge-on5
Regular Member
 
Posts: 28
Joined: March 31st, 2009, 10:48 pm

Re: Virtumonde

Unread postby muppy03 » April 16th, 2009, 5:27 am

Howdy,

OK, RSIT looks fine, so that's good :cheers:. The error only happening once is also good :cheers:. Apart from iTunes not working, you say everything appears fine, so that's also good :cheers:.

The most probable reason for iTunes not working is this error that you received.

The following is not a valid windows image. . .:

C:\Program\QuickTime\QTSystem.qts


It does not appear to be malware-related. I did notice that in your scheduled tasks you have AppleSoftwareUpdate.job scheduled. There could be a chance that the update did not install correctly.

I would try uninstalling QuickTime. Once uninstalled, run ATF Cleaner, then REBOOT before re-installing.

See how you go over the next couple of days and let me know if any problems or error messages appear again. :flower:
muppy03
MRU Emeritus
 
Posts: 4798
Joined: December 4th, 2007, 5:30 am
Location: Australia
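The dialog muppy03 quotes ("... is not a valid windows image") is what the Windows loader shows when a module's PE header fails its structural checks before mapping: a missing MZ/PE signature, a truncated header, or a 32-bit process being handed a 64-bit image. The following is an added example, not code from the forum post or from any of the tools mentioned on this page. It re-implements those header checks in Python so that a suspect DLL (such as the QTSystem.qts file above) can be inspected without loading it. The sample images it runs on are constructed in-code and are not real QuickTime files; function names such as `check_windows_image` and `build_sample_image` are this example's own.

```python
import struct

IMAGE_DOS_SIGNATURE = b"MZ"
IMAGE_NT_SIGNATURE = b"PE\0\0"
IMAGE_FILE_MACHINE_I386 = 0x14C
IMAGE_FILE_MACHINE_AMD64 = 0x8664
IMAGE_NT_OPTIONAL_HDR32_MAGIC = 0x10B
IMAGE_NT_OPTIONAL_HDR64_MAGIC = 0x20B
IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002
IMAGE_FILE_DLL = 0x2000

# FileHeader.Machine and OptionalHeader.Magic must agree; a 32-bit Machine with a
# PE32+ optional header (or vice versa) is the classic "not a valid Windows image".
EXPECTED_MAGIC = {
    IMAGE_FILE_MACHINE_I386: IMAGE_NT_OPTIONAL_HDR32_MAGIC,
    IMAGE_FILE_MACHINE_AMD64: IMAGE_NT_OPTIONAL_HDR64_MAGIC,
}


def check_windows_image(data: bytes) -> tuple:
    """Return (ok, reason) for the header checks a PE image must pass before the
    loader will map it. Only the DOS/NT/optional headers are examined; sections,
    imports and Authenticode signatures are outside this example."""
    if len(data) < 0x40 or data[:2] != IMAGE_DOS_SIGNATURE:
        return False, "missing or truncated DOS header (no MZ)"
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    # Signature (4 bytes) + IMAGE_FILE_HEADER (20 bytes) must fit inside the file.
    if e_lfanew < 0x40 or e_lfanew + 24 > len(data):
        return False, f"e_lfanew 0x{e_lfanew:X} points outside the file"
    if data[e_lfanew:e_lfanew + 4] != IMAGE_NT_SIGNATURE:
        return False, "PE signature not found at e_lfanew"
    machine, nsections, _ts, _sym, _nsym, opt_size, characteristics = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4)
    if machine not in EXPECTED_MAGIC:
        return False, f"unsupported Machine 0x{machine:X}"
    if not characteristics & IMAGE_FILE_EXECUTABLE_IMAGE:
        return False, "IMAGE_FILE_EXECUTABLE_IMAGE not set (object file, not an image)"
    opt_off = e_lfanew + 24
    if opt_size < 2 or opt_off + opt_size > len(data):
        return False, "optional header missing or truncated"
    (magic,) = struct.unpack_from("<H", data, opt_off)
    if magic != EXPECTED_MAGIC[machine]:
        return False, (f"OptionalHeader.Magic 0x{magic:X} does not match Machine "
                       f"0x{machine:X} (32/64-bit mismatch)")
    return True, f"valid PE header: Machine 0x{machine:X}, {nsections} section(s)"


def check_file(path: str) -> tuple:
    """Convenience wrapper for a file on disk, e.g. a .qts or .dll named in the dialog."""
    with open(path, "rb") as fh:
        return check_windows_image(fh.read())


def build_sample_image(machine=IMAGE_FILE_MACHINE_I386,
                       magic=IMAGE_NT_OPTIONAL_HDR32_MAGIC,
                       nt_signature=IMAGE_NT_SIGNATURE) -> bytes:
    """Constructed sample: the header skeleton of a DLL with no sections or code.
    It exists only so the checks can run offline; it is not a real Windows binary."""
    dos = bytearray(0x40)
    dos[0:2] = IMAGE_DOS_SIGNATURE
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew: NT headers follow the DOS header
    opt_size = 0xE0 if magic == IMAGE_NT_OPTIONAL_HDR32_MAGIC else 0xF0
    file_header = struct.pack("<HHIIIHH", machine, 1, 0, 0, 0, opt_size,
                              IMAGE_FILE_EXECUTABLE_IMAGE | IMAGE_FILE_DLL)
    optional = bytearray(opt_size)
    struct.pack_into("<H", optional, 0, magic)
    return bytes(dos) + nt_signature + file_header + bytes(optional)


if __name__ == "__main__":
    cases = {
        "well-formed 32-bit DLL header": build_sample_image(),
        "truncated file": build_sample_image()[:0x30],
        "PE signature overwritten": build_sample_image(nt_signature=b"\0\0\0\0"),
        "PE32+ header on a 32-bit Machine": build_sample_image(magic=IMAGE_NT_OPTIONAL_HDR64_MAGIC),
    }
    for name, blob in cases.items():
        ok, why = check_windows_image(blob)
        print(f"{name:36s} -> {'valid' if ok else 'NOT a valid Windows image'}: {why}")
```

Running `check_file` against the module named in the dialog tells you whether the file itself is damaged (which points at a bad install, as muppy03 suspects) or whether its header is fine and the failure lies elsewhere, for instance in a dependency the loader resolves later. A header that passes these checks is still not proof the file is clean; compare its hash and publisher signature against a known-good copy before trusting it.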

Re: Virtumonde

Unread postby muppy03 » April 19th, 2009, 2:44 am

Hi, just wondering how things are going? If all is OK, let me know and I can close this thread. :flower:
muppy03
MRU Emeritus
 
Posts: 4798
Joined: December 4th, 2007, 5:30 am
Location: Australia

Re: Virtumonde

Unread postby chryssi2001 » April 21st, 2009, 2:11 am

As your problems appear to have been resolved, this topic is now closed.

We are pleased we could help you resolve your computer's malware issues.

If you would like to make a comment or leave a compliment regarding the help you have received, please see Feedback for Our Helpers - Say "Thanks" Here.
chryssi2001
MRU Teacher Emeritus
 
Posts: 14395
Joined: September 24th, 2006, 2:11 am
Location: far away