Welcome to MalwareRemoval.com,

Malware Removal Instructions

Can not remove Virtumonde and Virtumonde.generic - NEED HELP



Unread postby xcel » December 21st, 2007, 9:49 pm

I have run Spyware Doctor, Ad-Aware 2007, and AVG Anti-Spyware. NEED HELP!!

Here is my hijack log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:47:30 PM, on 12/21/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\bmwebcfg.exe
C:\Program Files\CINGVPN\VPN Client\cvpnd.exe
C:\PROGRAM FILES\DRU\bin\DRUService.exe
C:\WINDOWS\SYSTEM32\DWRCS.EXE
C:\Program Files\McAfee\Host Intrusion Prevention\FireSvc.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Symantec\Ghost\ngctw32.exe
C:\PROGRA~1\PHAROS~1\Core\CTskMstr.exe
C:\Program Files\Peregrine\Discovery Agent\bin32\discagnt.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Emanate\snmpdm.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\System32\CCM\CLICOMP\RemCtrl\Wuser32.exe
C:\WINDOWS\System32\CCM\CcmExec.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\notepad.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\Program Files\Network Associates\Common Framework\UdaterUI.exe
C:\Program Files\Network Associates\Common Framework\McTray.exe
C:\PROGRA~1\ASDCLI~1\ASDCLI~1.EXE
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Microsoft ActiveSync\Wcescomm.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\McAfee\Host Intrusion Prevention\FireTray.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
E:\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my-cingular.sbms.sbc.com/mycingular/index.jsp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://my-cingular.sbms.sbc.com/mycingular/index.jsp
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://my-cingular/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://proxy.wdc.cingular.net/proxy.pac
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 7\SnagItIEAddin.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [NGClient] C:\Program Files\Symantec\Ghost\ngctw32.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [AT&T Communication Manager] "C:\Program Files\AT&T\Communication Manager\ATTCM.exe" -a
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [ASDclient] C:\Program Files\ASDclient\ASDLauncher_v2.EXE
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [ac4d2304] rundll32.exe "C:\WINDOWS\system32\woxgqtxw.dll",b
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\Wcescomm.exe"
O4 - HKCU\..\Run: [ViewSonic Explorer V5.3] C:\WINDOWS\msdtcsw32.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe -quiet
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: IMproxy.bat
O4 - Global Startup: McAfee Host Intrusion Prevention Tray.lnk = ?
O4 - Global Startup: VPN Client.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: bmnet.dll
O10 - Unknown file in Winsock LSP: bmnet.dll
O10 - Unknown file in Winsock LSP: bmnet.dll
O14 - IERESET.INF: START_PAGE_URL=http://my-cingular.sbms.sbc.com/mycingular/index.jsp
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30FE4017-9CC6-45D2-9D6C-E96F4E385B8F} (ClientInstallControl.EverestInstall) - http://outlooksoft.edc.cingular.net/oso ... v4Inst.CAB
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - http://coles2.kennesaw.edu/iNotes6W.cab
O16 - DPF: {5E1358C4-8831-4DEF-8293-0834F9B9C4A5} (ClientDiag.EverestDiagnostic) - http://outlooksoft.edc.cingular.net/oso ... v4Diag.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microso ... 2717307707
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microso ... 2717287466
O16 - DPF: {9b935470-ad4a-11d5-b63e-00c04faedb18} (Oracle JInitiator 1.1.8.16) -
O16 - DPF: {CAFECAFE-0013-0001-0028-ABCDEFABCDEF} (JInitiator 1.3.1.28) - https://erpapps.edc.cingular.net/jinitiator/oajinit.exe
O16 - DPF: {EE6DD3BD-B5E5-4A05-9FF2-9DB265522F0E} (ZaboCheckAndRunControl Class) - http://dalbocompweb04.us.cingular.net/w ... boIEen.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = US.Cingular.Net
O17 - HKLM\Software\..\Telephony: DomainName = Us.Cingular.Net
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = US.Cingular.Net
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = sbms.sbc.com,US.Cingular.Net,Cingular.Net
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = sbms.sbc.com,US.Cingular.Net,Cingular.Net
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe (file missing)
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Bytemobile Web Configurator (bmwebcfg) - Bytemobile, Inc. - C:\WINDOWS\system32\bmwebcfg.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\CINGVPN\VPN Client\cvpnd.exe
O23 - Service: DRUAgent - AT&T - C:\PROGRAM FILES\DRU\bin\DRUService.exe
O23 - Service: DameWare Mini Remote Control (DWMRCS) - DameWare Development LLC - C:\WINDOWS\SYSTEM32\DWRCS.EXE
O23 - Service: McAfee Host Intrusion Prevention Service (enterceptAgent) - McAfee, Inc. - C:\Program Files\McAfee\Host Intrusion Prevention\FireSvc.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
O23 - Service: Symantec Ghost Win32 Client Agent (NGClient) - Symantec Corporation - C:\Program Files\Symantec\Ghost\ngctw32.exe
O23 - Service: OracleClientCache80 - Unknown owner - C:\orant\BIN\ONRSD80.EXE
O23 - Service: Pharos Systems ComTaskMaster - Pharos Systems International - C:\PROGRA~1\PHAROS~1\Core\CTskMstr.exe
O23 - Service: Peregrine Discovery Agent (prgnDiscAgent) - Unknown owner - C:\Program Files\Peregrine\Discovery Agent\bin32\discagnt.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: snmpdm - Unknown owner - C:\Program Files\Emanate\snmpdm.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

--
End of file - 12950 bytes
xcel
Active Member
 
Posts: 14
Joined: December 21st, 2007, 9:41 pm

Re: Can not remove Virtumonde and Virtumonde.generic - NEED HELP

Unread postby xcel » December 21st, 2007, 9:55 pm

Here is my SDFix.exe log as well

Also ran SDFix too. Here is that log

Username "jw1173" - 12/21/2007 19:43:35 [Fixwareout edited 9/01/2007]

~~~~~ Prerun check

Successfully flushed the DNS Resolver Cache.
System was rebooted successfully.

~~~~~ Postrun check
HKLM\SOFTWARE\~\Winlogon\ "System"=""
....
....
~~~~~ Misc files.
C:\Documents and Settings\jw1173\Application Data\Install.dat Deleted
....
~~~~~ Checking for older varients.
....

~~~~~ Current runs (hklm hkcu "run" Keys Only)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\\WINDOWS\\system32\\igfxtray.exe"
"HotKeysCmds"="C:\\WINDOWS\\system32\\hkcmd.exe"
"NGClient"="C:\\Program Files\\Symantec\\Ghost\\ngctw32.exe"
"SoundMAXPnP"="C:\\Program Files\\Analog Devices\\SoundMAX\\SMax4PNP.exe"
"SoundMAX"="\"C:\\Program Files\\Analog Devices\\SoundMAX\\Smax4.exe\" /tray"
"AGRSMMSG"="AGRSMMSG.exe"
"RoxioEngineUtility"="\"C:\\Program Files\\Common Files\\Roxio Shared\\System\\EngUtil.exe\""
"RoxioDragToDisc"="\"C:\\Program Files\\Roxio\\Easy CD Creator 6\\DragToDisc\\DrgToDsc.exe\""
"ATIPTA"="C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"
"IntelZeroConfig"="\"C:\\Program Files\\Intel\\Wireless\\bin\\ZCfgSvc.exe\""
"IntelWireless"="\"C:\\Program Files\\Intel\\Wireless\\Bin\\ifrmewrk.exe\" /tf Intel PROSet/Wireless"
"ATIModeChange"="Ati2mdxx.exe"
"Acrobat Assistant 7.0"="\"C:\\Program Files\\Adobe\\Acrobat 7.0\\Distillr\\Acrotray.exe\""
"AT&T Communication Manager"="\"C:\\Program Files\\AT&T\\Communication Manager\\ATTCM.exe\" -a"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\QTTask.exe\" -atboottime"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_09\\bin\\jusched.exe\""
"McAfeeUpdaterUI"="\"C:\\Program Files\\Network Associates\\Common Framework\\UdaterUI.exe\" /StartedFromRunKey"
"ShStatEXE"="\"C:\\Program Files\\McAfee\\VirusScan Enterprise\\SHSTAT.EXE\" /STANDALONE"
"ASDclient"="C:\\Program Files\\ASDclient\\ASDLauncher_v2.EXE"
"ac4d2304"="rundll32.exe \"C:\\WINDOWS\\system32\\ugnnkdxl.dll\",b"
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"H/PC Connection Agent"="\"C:\\Program Files\\Microsoft ActiveSync\\Wcescomm.exe\""
"ViewSonic Explorer V5.3"="C:\\WINDOWS\\msdtcsw32.exe"
"Yahoo! Pager"="C:\\PROGRA~1\\Yahoo!\\MESSEN~1\\YPager.exe -quiet"
"SpybotSD TeaTimer"="C:\\Program Files\\Spybot - Search & Destroy\\TeaTimer.exe"
....
Hosts file was reset, If you use a custom hosts file please replace it...
~~~~~ End report
xcel
Active Member
 
Posts: 14
Joined: December 21st, 2007, 9:41 pm
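As an added example (not code from this thread, from HijackThis, or from VundoFix): a small Python parser for the O4 autostart lines in the HijackThis log above, with a defender-side check that flags the Vundo-style loader entry `[ac4d2304] rundll32.exe "C:\WINDOWS\system32\woxgqtxw.dll",b`, plus a diff of autostart entries between two logs so a helper can confirm what a cleanup pass removed. The two dumps posted so far show the same key name pointing at differently named DLLs (woxgqtxw.dll in the HijackThis log, ugnnkdxl.dll in the Fixwareout run-key dump), so the check matches on the naming pattern rather than on a fixed filename. The sample lines are copied from the logs in this thread; the "8 lowercase letters / 8 hex characters" heuristic, the cleaned-up log, and every function name are assumptions of this example.

```python
"""Parse HijackThis O4 (Run key) lines and flag Vundo-style rundll32 loaders.

Added example, not part of the thread or of any tool it mentions. The
heuristic below is an assumption of this example: a Run entry that starts
rundll32 on a system32 DLL named with 8 random-looking lowercase letters,
under a key name that is 8 hex characters, matches the pattern shown in the
thread's logs.
"""
import re
from dataclasses import dataclass

# Constructed sample: O4/O23 lines in the format of the thread's HijackThis log.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [ac4d2304] rundll32.exe "C:\WINDOWS\system32\woxgqtxw.dll",b
O4 - HKCU\..\Run: [ViewSonic Explorer V5.3] C:\WINDOWS\msdtcsw32.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O23 - Service: snmpdm - Unknown owner - C:\Program Files\Emanate\snmpdm.exe
"""

# Constructed "after cleanup" log: the same lines with the loader entry gone.
CLEANED_LOG = "\n".join(l for l in SAMPLE_LOG.splitlines() if "ac4d2304" not in l)

O4_RE = re.compile(r'^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+\.dll)"?', re.IGNORECASE)
RANDOM_DLL_RE = re.compile(r'^[a-z]{8}\.dll$')   # assumption: 8 lowercase letters
HEX_NAME_RE = re.compile(r'^[0-9a-f]{8}$')        # assumption: 8 hex chars as key name


@dataclass
class AutostartEntry:
    hive: str      # HKLM or HKCU
    name: str      # value name inside the Run key
    command: str   # command line that is launched at logon


def parse_o4(log_text):
    """Return the O4 Run-key entries found in a HijackThis log, in order."""
    entries = []
    for raw in log_text.splitlines():
        m = O4_RE.match(raw.strip())
        if m:
            entries.append(AutostartEntry(m.group('hive'), m.group('name'), m.group('cmd')))
    return entries


def is_suspicious_loader(entry):
    """True when the entry looks like the Vundo loader pattern from the thread."""
    m = RUNDLL_RE.search(entry.command)
    if not m:
        return False
    dll_path = m.group('dll')
    base = dll_path.replace('/', '\\').rsplit('\\', 1)[-1].lower()
    in_system32 = '\\system32\\' in dll_path.lower()
    return in_system32 and bool(RANDOM_DLL_RE.match(base)) and bool(HEX_NAME_RE.match(entry.name))


def flag_suspicious(log_text):
    """All O4 entries in the log that match the loader heuristic."""
    return [e for e in parse_o4(log_text) if is_suspicious_loader(e)]


def diff_autostarts(old_log, new_log):
    """(removed, added) autostart entries between two logs, as sorted (hive, name, command) tuples."""
    old = {(e.hive, e.name, e.command) for e in parse_o4(old_log)}
    new = {(e.hive, e.name, e.command) for e in parse_o4(new_log)}
    return sorted(old - new), sorted(new - old)


if __name__ == "__main__":
    for e in flag_suspicious(SAMPLE_LOG):
        print(f"suspicious loader: {e.hive} [{e.name}] {e.command}")
    removed, added = diff_autostarts(SAMPLE_LOG, CLEANED_LOG)
    print("removed after cleanup:", removed)
    print("added after cleanup:", added)
```

The diff is the part a helper actually uses in a thread like this: run it over the log posted before the fix and the one posted after, and the entries that disappeared (or newly appeared, since the loader on this machine renamed itself once already) are the ones to look at next.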

Re: Can not remove Virtumonde and Virtumonde.generic - NEED HELP

Unread postby Katana » December 23rd, 2007, 3:29 pm

Hello and welcome to the forums

My name is Katana and I will be helping you to remove any infection(s) that you may have.

Please observe these rules while we work:
1. If you don't know, stop and ask! Don't keep going on.
2. Please reply to this thread. Do not start a new topic.
3. Please continue to respond until I give you the "All Clear"
(Just because you can't see a problem doesn't mean it isn't there)

If you can do those three things, everything should go smoothly :D



Disable Teatimer
First step:
  • Right-click the Spybot Icon in the System Tray (looks like a blue/white calendar with a padlock symbol)
  • If you have the new version 1.5, Click once on Resident Protection, then Right click the Spybot icon again and make sure Resident Protection is now Unchecked. The Spybot icon in the System tray should now be colorless.
  • If you have Version 1.4, Click on Exit Spybot S&D Resident
Second step, For Either Version :
  • Open Spybot S&D
  • Click Mode, choose Advanced Mode
  • Go To the bottom of the Vertical Panel on the Left, Click Tools
  • then, also in the left panel, click Resident (it shows a red/white shield).
  • If your firewall raises a question, say OK
  • In the Resident protection status frame, Uncheck the box labeled Resident "Tea-Timer"(Protection of over-all system settings) active
  • OK any prompts.
  • Use File, Exit to terminate Spybot
  • Reboot your machine for the changes to take effect.

VundoFix
Please download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • Please post the contents of C:\vundofix.txt and a new HiJackThis log.
Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

Rename HJT
Please open your Hijack This folder
  • Right click on Hijackthis.exe
  • Select Rename
  • Rename Hijack This to showme.exe
  • Double click showme
  • Click on the Do a system scan and save a log file button.

Please post the VundoFix log along with the new HJT (showme) log in your reply
Katana
MRU Teacher Emeritus
 
Posts: 6412
Joined: November 10th, 2006, 5:00 pm
Location: Manchester

Re: Can not remove Virtumonde and Virtumonde.generic - NEED HELP

Unread postby xcel » December 23rd, 2007, 4:31 pm

This is my VundoFix.txt


VundoFix V6.7.7

Checking Java version...

Java version is 1.4.2.3
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.9
Old versions of java are exploitable and should be removed.

Scan started at 2:53:41 PM 12/23/2007

Listing files found while scanning....

C:\WINDOWS\system32\adccf.bak1
C:\WINDOWS\system32\adccf.bak2
C:\WINDOWS\system32\adccf.ini
C:\WINDOWS\system32\adccf.ini2
C:\WINDOWS\system32\adccf.tmp
C:\WINDOWS\system32\aqrfbssx.dll
C:\WINDOWS\system32\atuodfcr.dll
C:\WINDOWS\system32\axofyeyi.dll
C:\WINDOWS\system32\bjiswfvl.dll
C:\WINDOWS\system32\celubgof.dll
C:\WINDOWS\system32\chmokupy.dll
C:\WINDOWS\system32\cwfapkne.dll
C:\WINDOWS\system32\cyhavnee.dll
C:\WINDOWS\system32\dmnoyxul.dll
C:\WINDOWS\system32\dohbnpny.dll
C:\WINDOWS\system32\dvmttxca.dll
C:\WINDOWS\system32\dxoohmxs.dll
C:\WINDOWS\system32\eunffyon.dll
C:\WINDOWS\system32\euxdxtws.dll
C:\WINDOWS\system32\fccda.dll
C:\WINDOWS\system32\ferygggy.dll
C:\WINDOWS\system32\fpsbauwq.exe
C:\WINDOWS\system32\fruvrpwa.dll
C:\WINDOWS\system32\fwsbtnbx.dll
C:\WINDOWS\system32\ggyoovpe.dll
C:\WINDOWS\system32\gjsigybm.dll
C:\WINDOWS\system32\guxcxnpr.dll
C:\WINDOWS\system32\gvcuocmd.dll
C:\WINDOWS\system32\gwimxakl.dll
C:\WINDOWS\system32\helnobsk.dll
C:\WINDOWS\system32\hiljftew.dll
C:\WINDOWS\system32\hkjsxtlv.dll
C:\WINDOWS\system32\hlynfqbb.dll
C:\WINDOWS\system32\iemfslwq.dll
C:\WINDOWS\system32\itowdpxg.dll
C:\WINDOWS\system32\itxgkphn.dll
C:\WINDOWS\system32\iujsmise.dll
C:\WINDOWS\system32\iyeyfoxa.ini
C:\WINDOWS\system32\kfngqkio.dll
C:\WINDOWS\system32\kpayrwgy.dll
C:\WINDOWS\system32\kphkxcel.dll
C:\WINDOWS\system32\kwdfxasp.dll
C:\WINDOWS\system32\lavaapih.dll
C:\WINDOWS\system32\lserudcr.dll
C:\WINDOWS\system32\lujrkwva.dll
C:\WINDOWS\system32\miyjbnvi.dll
C:\WINDOWS\system32\mnwrmerr.dll
C:\WINDOWS\system32\mownjprv.dll
C:\WINDOWS\system32\mrisqsfx.dll
C:\WINDOWS\system32\nbqmwwwn.dll
C:\WINDOWS\system32\nimtugjy.dll
C:\WINDOWS\system32\offqrhhe.dll
C:\WINDOWS\system32\ogucmjfv.dll
C:\WINDOWS\system32\okyyytcq.dll
C:\WINDOWS\system32\oosdrxxc.dll
C:\WINDOWS\system32\oqhvsasl.dll
C:\WINDOWS\system32\pdcgtabi.dll
C:\WINDOWS\system32\pdkwkaov.dll
C:\WINDOWS\system32\pgijmkhp.dll
C:\WINDOWS\system32\prcndccm.dll
C:\WINDOWS\system32\qxkbxanq.dll
C:\WINDOWS\system32\rqmwccsy.dll
C:\WINDOWS\system32\scweaypi.dll
C:\WINDOWS\system32\sfdysnvy.dll
C:\WINDOWS\system32\shqhkfbq.dll
C:\WINDOWS\system32\stoxiwtv.dll
C:\WINDOWS\system32\syjqnibj.dll
C:\WINDOWS\system32\theoaeyr.dll
C:\WINDOWS\system32\tjaotioo.dll
C:\WINDOWS\system32\trkmramb.dll
C:\WINDOWS\system32\tvdidwsw.dll
C:\WINDOWS\system32\ubhfgapm.dll
C:\WINDOWS\system32\ufwrfgqw.dll
C:\WINDOWS\system32\ulvvhmob.dll
C:\WINDOWS\system32\unaqhtfg.dll
C:\WINDOWS\system32\untygjon.dll
C:\WINDOWS\system32\uogqpmni.dll
C:\WINDOWS\system32\vunycygi.exe
C:\WINDOWS\system32\wguvoqwi.dll
C:\WINDOWS\system32\wnjrluvs.dll
C:\WINDOWS\system32\wsnobmka.dll
C:\WINDOWS\system32\wuhqymgt.dll
C:\WINDOWS\system32\xasjlang.dll
C:\WINDOWS\system32\xtnequqa.dll
C:\WINDOWS\system32\xvqvbbkm.dll
C:\WINDOWS\system32\yatgvxjj.dll
C:\WINDOWS\system32\ypukomhc.ini

Beginning removal...

Attempting to delete C:\WINDOWS\system32\adccf.bak1
C:\WINDOWS\system32\adccf.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system32\adccf.bak2
C:\WINDOWS\system32\adccf.bak2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\adccf.ini
C:\WINDOWS\system32\adccf.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\adccf.ini2
C:\WINDOWS\system32\adccf.ini2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\adccf.tmp
C:\WINDOWS\system32\adccf.tmp Has been deleted!

Attempting to delete C:\WINDOWS\system32\aqrfbssx.dll
C:\WINDOWS\system32\aqrfbssx.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\atuodfcr.dll
C:\WINDOWS\system32\atuodfcr.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\axofyeyi.dll
C:\WINDOWS\system32\axofyeyi.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\bjiswfvl.dll
C:\WINDOWS\system32\bjiswfvl.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\celubgof.dll
C:\WINDOWS\system32\celubgof.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\chmokupy.dll
C:\WINDOWS\system32\chmokupy.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\cwfapkne.dll
C:\WINDOWS\system32\cwfapkne.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\cyhavnee.dll
C:\WINDOWS\system32\cyhavnee.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\dmnoyxul.dll
C:\WINDOWS\system32\dmnoyxul.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\dohbnpny.dll
C:\WINDOWS\system32\dohbnpny.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\dvmttxca.dll
C:\WINDOWS\system32\dvmttxca.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\dxoohmxs.dll
C:\WINDOWS\system32\dxoohmxs.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\eunffyon.dll
C:\WINDOWS\system32\eunffyon.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\euxdxtws.dll
C:\WINDOWS\system32\euxdxtws.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\fccda.dll
C:\WINDOWS\system32\fccda.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\ferygggy.dll
C:\WINDOWS\system32\ferygggy.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\fpsbauwq.exe
C:\WINDOWS\system32\fpsbauwq.exe Has been deleted!

Attempting to delete C:\WINDOWS\system32\fruvrpwa.dll
C:\WINDOWS\system32\fruvrpwa.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\fwsbtnbx.dll
C:\WINDOWS\system32\fwsbtnbx.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\ggyoovpe.dll
C:\WINDOWS\system32\ggyoovpe.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\gjsigybm.dll
C:\WINDOWS\system32\gjsigybm.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\guxcxnpr.dll
C:\WINDOWS\system32\guxcxnpr.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\gvcuocmd.dll
C:\WINDOWS\system32\gvcuocmd.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\gwimxakl.dll
C:\WINDOWS\system32\gwimxakl.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\helnobsk.dll
C:\WINDOWS\system32\helnobsk.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\hiljftew.dll
C:\WINDOWS\system32\hiljftew.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\hkjsxtlv.dll
C:\WINDOWS\system32\hkjsxtlv.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\hlynfqbb.dll
C:\WINDOWS\system32\hlynfqbb.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\iemfslwq.dll
C:\WINDOWS\system32\iemfslwq.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\itowdpxg.dll
C:\WINDOWS\system32\itowdpxg.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\itxgkphn.dll
C:\WINDOWS\system32\itxgkphn.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\iujsmise.dll
C:\WINDOWS\system32\iujsmise.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\iyeyfoxa.ini
C:\WINDOWS\system32\iyeyfoxa.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\kfngqkio.dll
C:\WINDOWS\system32\kfngqkio.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\kpayrwgy.dll
C:\WINDOWS\system32\kpayrwgy.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\kphkxcel.dll
C:\WINDOWS\system32\kphkxcel.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\kwdfxasp.dll
C:\WINDOWS\system32\kwdfxasp.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\lavaapih.dll
C:\WINDOWS\system32\lavaapih.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\lserudcr.dll
C:\WINDOWS\system32\lserudcr.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\lujrkwva.dll
C:\WINDOWS\system32\lujrkwva.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\miyjbnvi.dll
C:\WINDOWS\system32\miyjbnvi.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\mnwrmerr.dll
C:\WINDOWS\system32\mnwrmerr.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\mownjprv.dll
C:\WINDOWS\system32\mownjprv.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\mrisqsfx.dll
C:\WINDOWS\system32\mrisqsfx.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\nbqmwwwn.dll
C:\WINDOWS\system32\nbqmwwwn.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\nimtugjy.dll
C:\WINDOWS\system32\nimtugjy.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\offqrhhe.dll
C:\WINDOWS\system32\offqrhhe.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\okyyytcq.dll
C:\WINDOWS\system32\okyyytcq.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\oosdrxxc.dll
C:\WINDOWS\system32\oosdrxxc.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\oqhvsasl.dll
C:\WINDOWS\system32\oqhvsasl.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\pdcgtabi.dll
C:\WINDOWS\system32\pdcgtabi.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\pdkwkaov.dll
C:\WINDOWS\system32\pdkwkaov.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\pgijmkhp.dll
C:\WINDOWS\system32\pgijmkhp.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\prcndccm.dll
C:\WINDOWS\system32\prcndccm.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\qxkbxanq.dll
C:\WINDOWS\system32\qxkbxanq.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\rqmwccsy.dll
C:\WINDOWS\system32\rqmwccsy.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\scweaypi.dll
C:\WINDOWS\system32\scweaypi.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\sfdysnvy.dll
C:\WINDOWS\system32\sfdysnvy.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\shqhkfbq.dll
C:\WINDOWS\system32\shqhkfbq.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\stoxiwtv.dll
C:\WINDOWS\system32\stoxiwtv.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\syjqnibj.dll
C:\WINDOWS\system32\syjqnibj.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\theoaeyr.dll
C:\WINDOWS\system32\theoaeyr.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\tjaotioo.dll
C:\WINDOWS\system32\tjaotioo.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\trkmramb.dll
C:\WINDOWS\system32\trkmramb.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\tvdidwsw.dll
C:\WINDOWS\system32\tvdidwsw.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\ubhfgapm.dll
C:\WINDOWS\system32\ubhfgapm.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\ufwrfgqw.dll
C:\WINDOWS\system32\ufwrfgqw.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\ulvvhmob.dll
C:\WINDOWS\system32\ulvvhmob.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\unaqhtfg.dll
C:\WINDOWS\system32\unaqhtfg.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\untygjon.dll
C:\WINDOWS\system32\untygjon.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\uogqpmni.dll
C:\WINDOWS\system32\uogqpmni.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\vunycygi.exe
C:\WINDOWS\system32\vunycygi.exe Has been deleted!

Attempting to delete C:\WINDOWS\system32\wguvoqwi.dll
C:\WINDOWS\system32\wguvoqwi.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\wnjrluvs.dll
C:\WINDOWS\system32\wnjrluvs.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\wsnobmka.dll
C:\WINDOWS\system32\wsnobmka.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\wuhqymgt.dll
C:\WINDOWS\system32\wuhqymgt.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\xasjlang.dll
C:\WINDOWS\system32\xasjlang.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\xtnequqa.dll
C:\WINDOWS\system32\xtnequqa.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\xvqvbbkm.dll
C:\WINDOWS\system32\xvqvbbkm.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\yatgvxjj.dll
C:\WINDOWS\system32\yatgvxjj.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\ypukomhc.ini
C:\WINDOWS\system32\ypukomhc.ini Has been deleted!

Performing Repairs to the registry.
Done!
xcel
Active Member
 
Posts: 14
Joined: December 21st, 2007, 9:41 pm

Re: Can not remove Virtumonde and Virtumonde.generic - NEED HELP

Unread postby xcel » December 23rd, 2007, 4:32 pm

This is my new hijackthis.log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:30:35 PM, on 12/23/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\bmwebcfg.exe
C:\Program Files\CINGVPN\VPN Client\cvpnd.exe
C:\PROGRAM FILES\DRU\bin\DRUService.exe
C:\WINDOWS\SYSTEM32\DWRCS.EXE
C:\Program Files\McAfee\Host Intrusion Prevention\FireSvc.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\PHAROS~1\Core\CTskMstr.exe
C:\Program Files\Peregrine\Discovery Agent\bin32\discagnt.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Emanate\snmpdm.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\System32\CCM\CLICOMP\RemCtrl\Wuser32.exe
C:\WINDOWS\System32\CCM\CcmExec.exe
C:\WINDOWS\System32\msiexec.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SYSTEM32\DWRCST.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\Program Files\Network Associates\Common Framework\UdaterUI.exe
C:\Program Files\Network Associates\Common Framework\McTray.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\PROGRA~1\ASDCLI~1\ASDCLI~1.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Microsoft ActiveSync\Wcescomm.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\McAfee\Host Intrusion Prevention\FireTray.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\jw1173\Desktop\HiJackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my-cingular.sbms.sbc.com/mycingular/index.jsp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://my-cingular.sbms.sbc.com/mycingular/index.jsp
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://my-cingular/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://proxy.wdc.cingular.net/proxy.pac
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 7\SnagItBHO.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: (no name) - {038EAB0C-7FB2-44AE-A86C-119B05323CF2} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {06A342C9-A503-4D40-AA67-2C0AA672AC6C} - (no file)
O2 - BHO: (no name) - {0D858DC7-E5DE-4433-9325-F8051D3F3541} - (no file)
O2 - BHO: (no name) - {1028620C-CDCB-4C13-8BA8-0C519ACAF6EA} - (no file)
O2 - BHO: (no name) - {12EB603B-29BF-462D-95EC-99521C05F767} - (no file)
O2 - BHO: (no name) - {13034a83-1552-4592-95a7-520ef008844f} - (no file)
O2 - BHO: (no name) - {400D98DD-DC76-4168-9ECB-F9096880F63E} - (no file)
O2 - BHO: (no name) - {47BB508A-B710-4256-8930-6E9A33751EC0} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {6B2B626E-9547-4E45-ADB5-E6F6F938B7E7} - (no file)
O2 - BHO: (no name) - {6FAFC5D6-107B-4B38-928D-815391122698} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: (no name) - {783F6C92-E0CF-4799-84C5-B5C6B72E717A} - (no file)
O2 - BHO: (no name) - {7A9B644C-84E3-4DDE-A34D-D8D0AFF0CE78} - (no file)
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll
O2 - BHO: (no name) - {7EB2770B-102C-4489-9A00-0D6346BB9C8D} - (no file)
O2 - BHO: (no name) - {87ED6951-2C6E-4AFC-A14D-9E7AFC6AF4A2} - (no file)
O2 - BHO: (no name) - {888FFC6D-961B-4F79-9FCD-F582488AABE1} - (no file)
O2 - BHO: (no name) - {8ee65c64-67a4-4385-90f6-690b5136de1c} - C:\WINDOWS\system32\prcndccm.dll (file missing)
O2 - BHO: (no name) - {91E7396E-6E54-410D-98B0-AAC5CBBB655B} - (no file)
O2 - BHO: (no name) - {9A90C600-BB45-45A6-9736-01CE0389BFCA} - (no file)
O2 - BHO: (no name) - {a1f0af7b-030b-427f-8067-492be6fb411a} - (no file)
O2 - BHO: (no name) - {AA801B8E-EE42-43D0-9B35-DF9A80F2FFBF} - (no file)
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: (no name) - {AECFD5F0-66D5-4198-A146-AC8D3D1099D1} - (no file)
O2 - BHO: (no name) - {B01A161D-DD32-44E3-A3A7-89294820D89D} - (no file)
O2 - BHO: (no name) - {B5069D25-0F4D-45EC-9E0F-6E679325FC13} - (no file)
O2 - BHO: (no name) - {BAA0318A-9C05-42A5-BEE0-C2A6F9A3AF7F} - (no file)
O2 - BHO: (no name) - {BB5C9D00-5D5E-4CCF-8285-55C19918DFAF} - (no file)
O2 - BHO: (no name) - {CEC4F542-5D89-4A68-90E1-4DE3A3215716} - (no file)
O2 - BHO: (no name) - {D22F78F8-596A-43AF-8CFE-34A4CEABD1DB} - (no file)
O2 - BHO: (no name) - {D2E7F7C2-08CA-4450-BA19-D7DDC7AF9ACC} - (no file)
O2 - BHO: (no name) - {E4EB302A-293E-420D-8E0B-58083A4C83B7} - C:\WINDOWS\system32\fccda.dll (file missing)
O2 - BHO: (no name) - {EB9FB406-118B-4880-9C27-41E5762D2036} - (no file)
O2 - BHO: (no name) - {F2A82F47-0319-4081-B7A2-211DFAF4D781} - (no file)
O2 - BHO: (no name) - {F33C7FBB-1321-4B01-8227-C88E0689B176} - (no file)
O2 - BHO: {987be605-93f6-71b9-dea4-470b424fe25f} - {f52ef424-b074-4aed-9b17-6f39506eb789} - C:\WINDOWS\system32\cwfapkne.dll (file missing)
O2 - BHO: (no name) - {FC3F92F1-A220-49D2-ABA7-31F5BCBA0A1B} - (no file)
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 7\SnagItIEAddin.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [NGClient] C:\Program Files\Symantec\Ghost\ngctw32.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [AT&T Communication Manager] "C:\Program Files\AT&T\Communication Manager\ATTCM.exe" -a
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [ASDclient] C:\Program Files\ASDclient\ASDLauncher_v2.EXE
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [ac4d2304] rundll32.exe "C:\WINDOWS\system32\kwdfxasp.dll",b
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\Wcescomm.exe"
O4 - HKCU\..\Run: [ViewSonic Explorer V5.3] C:\WINDOWS\msdtcsw32.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe -quiet
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: IMproxy.bat
O4 - Global Startup: McAfee Host Intrusion Prevention Tray.lnk = ?
O4 - Global Startup: VPN Client.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: bmnet.dll
O10 - Unknown file in Winsock LSP: bmnet.dll
O10 - Unknown file in Winsock LSP: bmnet.dll
O14 - IERESET.INF: START_PAGE_URL=http://my-cingular.sbms.sbc.com/mycingular/index.jsp
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30FE4017-9CC6-45D2-9D6C-E96F4E385B8F} (ClientInstallControl.EverestInstall) - http://outlooksoft.edc.cingular.net/oso ... v4Inst.CAB
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - http://coles2.kennesaw.edu/iNotes6W.cab
O16 - DPF: {5E1358C4-8831-4DEF-8293-0834F9B9C4A5} (ClientDiag.EverestDiagnostic) - http://outlooksoft.edc.cingular.net/oso ... v4Diag.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microso ... 2717307707
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microso ... 2717287466
O16 - DPF: {9b935470-ad4a-11d5-b63e-00c04faedb18} (Oracle JInitiator 1.1.8.16) -
O16 - DPF: {CAFECAFE-0013-0001-0028-ABCDEFABCDEF} (JInitiator 1.3.1.28) - https://erpapps.edc.cingular.net/jinitiator/oajinit.exe
O16 - DPF: {EE6DD3BD-B5E5-4A05-9FF2-9DB265522F0E} (ZaboCheckAndRunControl Class) - http://dalbocompweb04.us.cingular.net/w ... boIEen.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = US.Cingular.Net
O17 - HKLM\Software\..\Telephony: DomainName = Us.Cingular.Net
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = US.Cingular.Net
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = sbms.sbc.com,US.Cingular.Net,Cingular.Net
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = sbms.sbc.com,US.Cingular.Net,Cingular.Net
O20 - Winlogon Notify: ogucmjfv - ogucmjfv.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe (file missing)
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Bytemobile Web Configurator (bmwebcfg) - Bytemobile, Inc. - C:\WINDOWS\system32\bmwebcfg.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\CINGVPN\VPN Client\cvpnd.exe
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\gkclfefg.exe (file missing)
O23 - Service: DRUAgent - AT&T - C:\PROGRAM FILES\DRU\bin\DRUService.exe
O23 - Service: DameWare Mini Remote Control (DWMRCS) - DameWare Development LLC - C:\WINDOWS\SYSTEM32\DWRCS.EXE
O23 - Service: McAfee Host Intrusion Prevention Service (enterceptAgent) - McAfee, Inc. - C:\Program Files\McAfee\Host Intrusion Prevention\FireSvc.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
O23 - Service: Symantec Ghost Win32 Client Agent (NGClient) - Symantec Corporation - C:\Program Files\Symantec\Ghost\ngctw32.exe
O23 - Service: OracleClientCache80 - Unknown owner - C:\orant\BIN\ONRSD80.EXE
O23 - Service: Pharos Systems ComTaskMaster - Pharos Systems International - C:\PROGRA~1\PHAROS~1\Core\CTskMstr.exe
O23 - Service: Peregrine Discovery Agent (prgnDiscAgent) - Unknown owner - C:\Program Files\Peregrine\Discovery Agent\bin32\discagnt.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: snmpdm - Unknown owner - C:\Program Files\Emanate\snmpdm.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

--
End of file - 16391 bytes

Post by Katana » December 23rd, 2007, 7:15 pm

Download and Run ComboFix
  • Download ComboFix from one of the links below:

    ComboFix.exe 1
    ComboFix.exe 2
    ComboFix.exe 3
  • Then double-click combofix.exe & follow the prompts.
  • When finished, it will produce a log for you. Post that log in your next reply.
Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.
ComboFix SHOULD NOT be used without supervision.

Post by xcel » December 25th, 2007, 2:22 pm

ComboFix 07-12-21.4 - jw1173 2007-12-25 13:03:01.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.394 [GMT -5:00]
Running from: C:\Documents and Settings\jw1173\Local Settings\Temporary Internet Files\Content.IE5\W3FFI4TT\ComboFix[1].exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\jw1173\Start Menu\Programs\Outerinfo
C:\Documents and Settings\jw1173\Start Menu\Programs\Outerinfo\Uninstall.lnk
C:\Program Files\Common Files\sembly~1
C:\Program Files\Common Files\sembly~1\??sembly\
C:\Program Files\QdrDrive
C:\Program Files\WinAble
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\Temp\bkR11
C:\Temp\bkR11\ftCa.log
C:\temp\tn3
C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\dobe~1
C:\WINDOWS\system32\pac.txt
C:\xcrashdump.dat

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_DOMAINSERVICE
-------\LEGACY_SVCHOST
-------\DomainService


((((((((((((((((((((((((( Files Created from 2007-11-25 to 2007-12-25 )))))))))))))))))))))))))))))))
.

2007-12-25 13:12 . 2007-12-11 10:31 176,128 --a------ C:\WINDOWS\system32\KevlarSigs.dll
2007-12-25 13:12 . 2007-06-13 11:41 176,128 --a------ C:\WINDOWS\system32\hidapi.dll
2007-12-25 13:12 . 2007-12-05 12:24 23,398 --a------ C:\WINDOWS\system32\kevlar_api_hook_list.dat
2007-12-25 13:10 . 2007-06-13 11:41 182,784 --a------ C:\WINDOWS\system32\drivers\HidSys.sys
2007-12-25 12:50 . 2007-01-26 17:19 53,248 --a------ C:\WINDOWS\system32\hidapistub.dll
2007-12-24 22:59 . 2007-12-24 22:59 <DIR> dr-h----- C:\Documents and Settings\jw1173\Application Data\SecuROM
2007-12-24 22:59 . 2007-12-24 22:59 107,888 --a------ C:\WINDOWS\system32\CmdLineExt.dll
2007-12-24 22:26 . 2007-12-24 22:26 <DIR> d-------- C:\Program Files\EA GAMES
2007-12-24 22:26 . 2007-08-06 19:28 442,368 -ra------ C:\WINDOWS\system32\vp6vfw.dll
2007-12-23 14:57 . 2007-12-23 14:57 990,810 ---hs---- C:\WINDOWS\system32\psaxfdwk.ini
2007-12-23 14:53 . 2007-12-23 14:53 <DIR> d-------- C:\VundoFix Backups
2007-12-22 19:53 . 2007-12-22 19:53 990,630 ---hs---- C:\WINDOWS\system32\gximfqxr.ini
2007-12-22 13:34 . 2007-12-22 13:42 990,639 ---hs---- C:\WINDOWS\system32\ygggyref.ini
2007-12-22 11:15 . 2007-12-22 11:15 991,611 ---hs---- C:\WINDOWS\system32\jjxvgtay.ini
2007-12-22 10:18 . 2007-12-22 11:15 991,224 ---hs---- C:\WINDOWS\system32\jmaminsd.ini
2007-12-22 10:03 . 2007-12-22 10:03 991,542 ---hs---- C:\WINDOWS\system32\oikqgnfk.ini
2007-12-21 20:53 . 2007-12-21 21:46 991,791 ---hs---- C:\WINDOWS\system32\ryeaoeht.ini
2007-12-21 19:59 . 2007-12-21 20:45 991,749 ---hs---- C:\WINDOWS\system32\wxtqgxow.ini
2007-12-21 16:36 . 2007-12-21 16:36 <DIR> d-------- C:\Documents and Settings\jw1173\Application Data\Grisoft
2007-12-21 16:12 . 2007-12-21 19:53 414 ---hs---- C:\WINDOWS\system32\lxdknngu.ini
2007-12-21 16:00 . 2007-12-21 16:01 14,033 --a------ C:\posA7D.tmp
2007-12-21 15:46 . 2007-12-21 15:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-12-21 15:46 . 2007-05-30 07:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-12-21 15:31 . 2007-12-21 15:31 294 ---hs---- C:\WINDOWS\system32\tgmyqhuw.ini
2007-12-20 16:17 . 2007-12-20 16:17 14,033 --a------ C:\pos7E5.tmp
2007-12-20 16:16 . 2007-12-20 16:17 14,033 --a------ C:\pos61D.tmp
2007-12-20 15:06 . 2007-12-20 15:06 14,033 --a------ C:\pos5FC.tmp
2007-12-20 15:05 . 2007-12-20 15:06 14,033 --a------ C:\pos420.tmp
2007-12-20 13:58 . 2007-12-20 14:59 14,033 --a------ C:\pos40D.tmp
2007-12-20 13:57 . 2007-12-20 13:58 14,033 --a------ C:\pos335.tmp
2007-12-20 09:48 . 2007-12-20 09:48 14,033 --a------ C:\pos222.tmp
2007-12-20 09:47 . 2007-12-20 09:47 14,033 --a------ C:\posFE.tmp
2007-12-20 09:46 . 2007-12-20 09:46 165,472 --a------ C:\WINDOWS\system32\miuaoqsv.dll
2007-12-17 23:27 . 2007-12-17 23:27 113 --a------ C:\WINDOWS\notesnsd.ini
2007-12-17 22:21 . 2007-12-20 09:47 834 ---hs---- C:\WINDOWS\system32\knrtfdbf.ini
2007-12-17 21:24 . 2007-12-17 21:24 594 ---hs---- C:\WINDOWS\system32\hpotgdvn.ini
2007-12-17 15:40 . 2007-12-17 15:40 <DIR> d-------- C:\Program Files\HP
2007-12-17 15:40 . 2003-11-11 11:16 266,296 --a------ C:\WINDOWS\system32\HPZidr12.dll
2007-12-17 15:40 . 2003-10-22 10:26 196,608 --a------ C:\WINDOWS\system32\HPZipr12.dll
2007-12-17 15:40 . 2003-07-21 14:24 94,208 --a------ C:\WINDOWS\system32\HPZipt12.dll
2007-12-17 15:40 . 2003-10-22 10:19 65,536 --a------ C:\WINDOWS\system32\HPZipm12.exe
2007-12-17 15:40 . 2003-07-25 12:20 61,699 --a------ C:\WINDOWS\system32\HPZinw12.exe
2007-12-17 15:40 . 2003-07-21 14:24 57,344 --a------ C:\WINDOWS\system32\HPZisn12.dll
2007-12-17 15:38 . 2007-12-17 15:38 <DIR> d-------- C:\Program Files\Hewlett-Packard
2007-12-17 06:48 . 2007-12-17 21:17 534 ---hs---- C:\WINDOWS\system32\rcphegiu.ini
2007-12-16 11:56 . 2007-12-17 06:44 414 ---hs---- C:\WINDOWS\system32\ktildnog.ini
2007-12-16 11:02 . 2007-12-16 11:56 294 ---hs---- C:\WINDOWS\system32\cwyycsxm.ini
2007-12-15 20:31 . 2007-12-15 20:31 354 ---hs---- C:\WINDOWS\system32\svulrjnw.ini
2007-12-15 19:34 . 2007-12-15 19:34 294 ---hs---- C:\WINDOWS\system32\mjivodoa.ini
2007-12-15 12:56 . 2007-12-15 12:57 3,594 ---hs---- C:\WINDOWS\system32\clquphwj.ini
2007-12-14 19:01 . 2007-12-15 12:49 3,534 ---hs---- C:\WINDOWS\system32\klrenxri.ini
2007-12-14 18:04 . 2007-12-14 18:04 3,414 ---hs---- C:\WINDOWS\system32\rbhkyyap.ini
2007-12-14 12:29 . 2007-12-14 17:56 3,354 ---hs---- C:\WINDOWS\system32\cxypbouw.ini
2007-12-14 11:47 . 2007-12-14 12:22 3,174 ---hs---- C:\WINDOWS\system32\hkbmhkqc.ini
2007-12-14 11:29 . 2007-12-14 11:43 3,054 ---hs---- C:\WINDOWS\system32\xvbqabdv.ini
2007-12-14 10:37 . 2007-12-14 11:25 2,934 ---hs---- C:\WINDOWS\system32\fsyjakbk.ini
2007-12-14 08:47 . 2007-12-14 10:30 2,814 ---hs---- C:\WINDOWS\system32\ngpfddhm.ini
2007-12-13 23:14 . 2007-12-14 08:42 2,634 ---hs---- C:\WINDOWS\system32\rlptkrpx.ini
2007-12-13 22:14 . 2007-12-13 22:14 2,514 ---hs---- C:\WINDOWS\system32\yurtpjai.ini
2007-12-13 17:03 . 2007-12-13 22:09 2,454 ---hs---- C:\WINDOWS\system32\botnrppg.ini
2007-12-13 16:41 . 2007-12-13 17:00 2,334 ---hs---- C:\WINDOWS\system32\tdnmruij.ini
2007-12-13 15:38 . 2007-12-13 15:38 2,214 ---hs---- C:\WINDOWS\system32\rxikfyxh.ini
2007-12-13 13:00 . 2007-12-13 15:34 2,154 ---hs---- C:\WINDOWS\system32\vdjmjgbf.ini
2007-12-13 12:02 . 2007-12-13 12:03 2,034 ---hs---- C:\WINDOWS\system32\vstgofpj.ini
2007-12-13 11:24 . 2007-12-13 11:55 1,974 ---hs---- C:\WINDOWS\system32\xbuytlig.ini
2007-12-13 09:02 . 2007-12-13 11:16 1,854 ---hs---- C:\WINDOWS\system32\woxpalnv.ini
2007-12-13 08:38 . 2007-12-13 08:38 <DIR> d-------- C:\Documents and Settings\jw1173\Application Data\Yahoo!
2007-12-13 08:36 . 2007-12-17 21:34 <DIR> dr-h----- C:\Documents and Settings\All Users\Application Data\yahoo!
2007-12-13 08:05 . 2007-12-13 08:05 1,734 ---hs---- C:\WINDOWS\system32\eueltxfh.ini
2007-12-12 18:42 . 2007-12-12 18:42 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2007-12-12 18:42 . 2007-12-12 18:42 1,409 --a------ C:\WINDOWS\QTFont.for
2007-12-12 17:13 . 2007-12-13 08:00 1,674 ---hs---- C:\WINDOWS\system32\jbliqvwk.ini
2007-12-12 13:26 . 2007-12-12 17:13 1,554 ---hs---- C:\WINDOWS\system32\grkorvhw.ini
2007-12-11 21:53 . 2007-12-12 13:24 1,434 ---hs---- C:\WINDOWS\system32\xkieegby.ini
2007-12-11 18:55 . 2007-12-11 21:53 1,254 ---hs---- C:\WINDOWS\system32\rgnrpegl.ini
2007-12-11 18:07 . 2007-12-11 18:48 1,134 ---hs---- C:\WINDOWS\system32\csrbdvdx.ini
2007-12-11 12:41 . 2007-12-11 18:02 1,014 ---hs---- C:\WINDOWS\system32\qmbtvgyf.ini
2007-12-11 11:28 . 2007-12-11 12:34 894 ---hs---- C:\WINDOWS\system32\eoexowab.ini
2007-12-11 08:13 . 2007-12-11 11:20 774 ---hs---- C:\WINDOWS\system32\diybyjce.ini
2007-12-11 07:06 . 2007-12-11 08:08 654 ---hs---- C:\WINDOWS\system32\kctnrfen.ini
2007-12-11 06:54 . 2007-12-11 07:01 534 ---hs---- C:\WINDOWS\system32\yrlvfxup.ini
2007-12-10 20:56 . 2007-12-11 06:53 414 ---hs---- C:\WINDOWS\system32\xvexvuph.ini
2007-12-10 19:59 . 2007-12-10 19:59 294 ---hs---- C:\WINDOWS\system32\xxxkjlyy.ini
2007-12-10 15:20 . 2006-09-22 14:09 812,296 --a------ C:\WINDOWS\system32\wodFtpDLX.dll
2007-12-10 15:20 . 2001-03-08 17:30 24,064 --a------ C:\WINDOWS\system32\msxml3a.dll
2007-12-10 15:19 . 2007-12-10 15:21 <DIR> d-------- C:\Program Files\PharosSystems
2007-12-10 15:19 . 2007-12-10 15:19 1,759 --a------ C:\WINDOWS\pbp0310y.mif
2007-12-10 11:12 . 2007-12-10 11:12 <DIR> d-------- C:\Program Files\Monarch Report Explorer
2007-12-10 11:12 . 1994-06-14 13:19 51,988 --a------ C:\WINDOWS\system32\pres.ttf
2007-12-10 11:10 . 1997-04-08 14:08 299,520 --a------ C:\WINDOWS\uninst.exe
2007-12-10 11:07 . 2007-12-10 11:07 <DIR> d--h----- C:\WINDOWS\PIF
2007-12-10 11:07 . 2007-12-10 11:07 <DIR> d-------- C:\Program Files\Monarch
2007-12-10 11:07 . 2007-12-10 11:07 <DIR> d-------- C:\Program Files\Common Files\Datawatch Shared
2007-12-10 10:51 . 2005-08-24 15:03 192,512 --a------ C:\WINDOWS\system32\DWRCSET.DLL
2007-12-10 10:51 . 2005-08-24 15:03 160,256 --a------ C:\WINDOWS\system32\DWRCS.EXE
2007-12-10 10:51 . 2004-10-05 15:14 69,632 --a------ C:\WINDOWS\system32\DWRCShell.dll
2007-12-10 10:51 . 2005-08-24 15:02 53,248 --a------ C:\WINDOWS\system32\DWRCK.DLL
2007-12-10 10:51 . 2005-08-24 15:03 43,520 --a------ C:\WINDOWS\system32\DWRCST.EXE
2007-12-10 10:51 . 2004-07-01 09:22 714 --a------ C:\WINDOWS\system32\DWRCST.exe.manifest
2007-12-10 09:31 . 2007-01-08 16:18 2,359,352 --a------ C:\WINDOWS\Cingularbmp.old

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-22 17:39 --------- d-----w C:\Documents and Settings\jw1173\Application Data\.purple
2007-12-10 16:07 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-12-02 14:43 --------- d-----w C:\Program Files\Network Associates
2007-12-02 14:43 --------- d-----w C:\Documents and Settings\All Users\Application Data\Network Associates
2007-11-30 20:13 --------- d-----w C:\Program Files\Java
2007-11-30 15:21 --------- d-----w C:\Program Files\Microsoft ActiveSync
2007-11-29 17:15 111,153 ----a-w C:\Program Files\INSTALL.LOG
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{038EAB0C-7FB2-44AE-A86C-119B05323CF2}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06A342C9-A503-4D40-AA67-2C0AA672AC6C}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0D858DC7-E5DE-4433-9325-F8051D3F3541}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1028620C-CDCB-4C13-8BA8-0C519ACAF6EA}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{12EB603B-29BF-462D-95EC-99521C05F767}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{13034a83-1552-4592-95a7-520ef008844f}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{400D98DD-DC76-4168-9ECB-F9096880F63E}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{47BB508A-B710-4256-8930-6E9A33751EC0}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6B2B626E-9547-4E45-ADB5-E6F6F938B7E7}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6FAFC5D6-107B-4B38-928D-815391122698}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{783F6C92-E0CF-4799-84C5-B5C6B72E717A}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7A9B644C-84E3-4DDE-A34D-D8D0AFF0CE78}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7EB2770B-102C-4489-9A00-0D6346BB9C8D}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{87ED6951-2C6E-4AFC-A14D-9E7AFC6AF4A2}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{888FFC6D-961B-4F79-9FCD-F582488AABE1}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8ee65c64-67a4-4385-90f6-690b5136de1c}]
C:\WINDOWS\system32\prcndccm.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{91E7396E-6E54-410D-98B0-AAC5CBBB655B}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9A90C600-BB45-45A6-9736-01CE0389BFCA}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{a1f0af7b-030b-427f-8067-492be6fb411a}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AA801B8E-EE42-43D0-9B35-DF9A80F2FFBF}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AECFD5F0-66D5-4198-A146-AC8D3D1099D1}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B01A161D-DD32-44E3-A3A7-89294820D89D}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B5069D25-0F4D-45EC-9E0F-6E679325FC13}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BAA0318A-9C05-42A5-BEE0-C2A6F9A3AF7F}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BB5C9D00-5D5E-4CCF-8285-55C19918DFAF}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CEC4F542-5D89-4A68-90E1-4DE3A3215716}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D22F78F8-596A-43AF-8CFE-34A4CEABD1DB}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D2E7F7C2-08CA-4450-BA19-D7DDC7AF9ACC}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E4EB302A-293E-420D-8E0B-58083A4C83B7}]
C:\WINDOWS\system32\fccda.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EB9FB406-118B-4880-9C27-41E5762D2036}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F2A82F47-0319-4081-B7A2-211DFAF4D781}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F33C7FBB-1321-4B01-8227-C88E0689B176}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{f52ef424-b074-4aed-9b17-6f39506eb789}]
C:\WINDOWS\system32\cwfapkne.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FC3F92F1-A220-49D2-ABA7-31F5BCBA0A1B}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\Wcescomm.exe" [2006-11-13 13:39]
"ViewSonic Explorer V5.3"="C:\WINDOWS\msdtcsw32.exe" []
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe" []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2004-10-08 16:31]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2004-10-08 16:27]
"NGClient"="C:\Program Files\Symantec\Ghost\ngctw32.exe" [2004-08-26 16:35]
"SoundMAXPnP"="C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-10-14 08:11]
"SoundMAX"="C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" [2004-09-23 11:41]
"AGRSMMSG"="AGRSMMSG.exe" [2004-08-24 10:19 C:\WINDOWS\AGRSMMSG.exe]
"RoxioEngineUtility"="C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe" [2003-05-01 17:44]
"RoxioDragToDisc"="C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe" [2003-06-26 23:21]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-06-07 20:05]
"IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [2006-07-03 00:07]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2006-07-02 20:50]
"ATIModeChange"="Ati2mdxx.exe" [2001-09-04 17:24 C:\WINDOWS\system32\Ati2mdxx.exe]
"Acrobat Assistant 7.0"="C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2004-12-14 02:12]
"AT&T Communication Manager"="C:\Program Files\AT&T\Communication Manager\ATTCM.exe" [2007-04-06 18:11]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-10-19 20:16]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe" [2006-09-07 15:51]
"McAfeeUpdaterUI"="C:\Program Files\Network Associates\Common Framework\UdaterUI.exe" [2007-03-27 17:06]
"ShStatEXE"="C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.exe" [2007-02-22 20:50]
"ASDclient"="C:\Program Files\ASDclient\ASDLauncher_v2.EXE" [2007-03-26 14:16]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 04:25]
"ac4d2304"="C:\WINDOWS\system32\kwdfxasp.dll" []

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - C:\WINDOWS\Installer\{AC76BA86-1033-0000-7760-100000000002}\SC_Acrobat.exe [2007-11-29 16:09:55]
IMproxy.bat [2004-01-30 19:56:00]
McAfee Host Intrusion Prevention Tray.lnk - C:\Program Files\McAfee\Host Intrusion Prevention\FireTray.exe [2007-12-05 07:51:22]
VPN Client.lnk - C:\WINDOWS\Installer\{8A3A2363-2129-43FB-8DFC-F237DA58038C}\Icon3E5562ED7.ico [2007-08-01 06:50:51]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableCAD"= 0 (0x0)
"RunLogonScriptSync"= 1 (0x1)
"MaxGPOScriptWait"= 0 (0x0)
"RunStartupScriptSync"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoThumbnailCache"= 1 (0x1)
"NoSMMyPictures"= 1 (0x1)
"NoStartMenuMyMusic"= 1 (0x1)
"ForceStartMenuLogOff"= 1 (0x1)
"NoDesktopCleanupWizard"= 1 (0x1)
"NoAutoUpdate"= 1 (0x1)
"NoWelcomeScreen"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ogucmjfv]
ogucmjfv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\0\0]
"Script"=EPOstartup.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\1\0]
"Script"=AddAdmin.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\2\0]
"Script"=EPOstartup.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1337413286-2060671379-61685808-29503\Scripts\Logon\0\0]
"Script"=%LOGONSERVER%\NetLogon\CingularDriveMap.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1337413286-2060671379-61685808-35163\Scripts\Logon\0\0]
"Script"=%LOGONSERVER%\NetLogon\CingularDriveMap.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1337413286-2060671379-61685808-3711\Scripts\Logon\0\0]
"Script"=%LOGONSERVER%\NetLogon\CingularDriveMap.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1337413286-2060671379-61685808-3711\Scripts\Logon\1\0]
"Script"=%LOGONSERVER%\NetLogon\CingularDriveMap.vbs

R0 GhMon;GhostMountMonitor - Boot Phase Driver;C:\WINDOWS\system32\Drivers\ghmon.sys [2004-08-26 16:03]
R1 tcpipBM;Bytemobile Kernel Network Provider;C:\WINDOWS\system32\drivers\tcpipBM.sys [2007-03-23 17:18]
R2 CcmExec;SMS Agent Host;C:\WINDOWS\System32\CCM\CcmExec.exe [2007-04-13 02:50]
R2 DRUAgent;DRUAgent;C:\PROGRAM FILES\DRU\bin\DRUService.exe [2007-06-22 18:02]
R2 enterceptAgent;McAfee Host Intrusion Prevention Service;"C:\Program Files\McAfee\Host Intrusion Prevention\FireSvc.exe" [2007-06-13 11:47]
R2 prgnDiscAgent;Peregrine Discovery Agent;"C:\Program Files\Peregrine\Discovery Agent\bin32\discagnt.exe" [2005-12-07 21:01]
R2 snmpdm;snmpdm;"C:\Program Files\Emanate\snmpdm.exe" -l 8161 []
R2 Wuser32;SMS Remote Control Agent;C:\WINDOWS\System32\CCM\CLICOMP\RemCtrl\Wuser32.exe [2007-04-13 02:50]
R3 CONAN;CONAN;C:\WINDOWS\system32\drivers\o2mmb.sys [2003-07-28 23:49]
R3 hidsys;hidsys;C:\WINDOWS\system32\Drivers\hidsys.sys [2007-06-13 11:41]
R3 idisw2km;idisw2km;C:\WINDOWS\system32\DRIVERS\idisw2km.sys [2005-11-28 10:44]
R3 kbstuff;SMS Virtual Keyboard;C:\WINDOWS\system32\DRIVERS\kbstuff5.sys [2005-11-28 10:44]
R3 prepdrvr;SMS Process Event Driver;C:\WINDOWS\System32\CCM\prepdrv.sys [2007-04-13 02:50]
S0 GhPostConfig;GhostPostConfig - Boot Phase Driver;C:\WINDOWS\system32\Drivers\ghpcw2k.sys [2004-08-26 16:04]
S2 GhPostConfig_Auto;GhostPostConfig - Auto Phase Driver;C:\WINDOWS\system32\Drivers\ghpcw2k.sys [2004-08-26 16:04]
S2 NGClient;Symantec Ghost Win32 Client Agent;C:\Program Files\Symantec\Ghost\ngctw32.exe [2004-08-26 16:35]
S3 mbxfilt;mbxfilt;C:\WINDOWS\system32\drivers\MbxFilt.sys [2002-12-09 15:29]
S3 MbxStby;MbxStby;C:\WINDOWS\system32\drivers\MbxStby.sys [2003-07-24 13:50]
S3 OracleClientCache80;OracleClientCache80;C:\orant\BIN\ONRSD80.EXE [2004-01-08 08:10]
S3 PCTINDIS5;PCTINDIS5 NDIS Protocol Driver;C:\WINDOWS\system32\PCTINDIS5.SYS [2007-03-23 17:14]
S3 SWNC8U20;Sierra Wireless MUX NDIS Driver (UMTS20);C:\WINDOWS\system32\DRIVERS\swnc8u20.sys [2007-03-26 14:21]
S3 SWUMX20;Sierra Wireless USB MUX Driver (UMTS20);C:\WINDOWS\system32\DRIVERS\swumx20.sys [2007-03-26 14:21]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - D:\Autorun.exe

*Newly Created Service* - HIDSYS

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\Bo65]
C:\Program Files\Business Objects\BusinessObjects Enterprise 6\bin\UserProfileRkey.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\ViewSonic Explorer V5.3]
C:\WINDOWS\msdtcsw32.exe
.
Contents of the 'Scheduled Tasks' folder
"2007-12-02 08:59:54 C:\WINDOWS\Tasks\At1.job"
.
**************************************************************************

disk not found C:\

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

disk not found C:\

**************************************************************************
.
Completion time: 2007-12-25 13:16:26 - machine was rebooted
.
2007-12-12 21:45:00 --- E O F ---
xcel
Active Member
 
Posts: 14
Joined: December 21st, 2007, 9:41 pm

Re: Can not remove Virtumonde and Virtumonde.generic - NEED HELP

Unread postby Katana » December 25th, 2007, 5:48 pm

Submit a File For Analysis
We need to have the files below scanned by uploading them to Virus Total

Please visit Virustotal
Copy/paste the following file path into the window
C:\pos222.tmp
Click Submit/Send File
Please post back, to let me know the results.

Please do the same for the following file
C:\WINDOWS\msdtcsw32.exe

If Virustotal is too busy please try Jotti

Custom CFScript
  • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:
    (make sure you get it all, it's a big one)
    Code:
    DirLook::
    C:\Documents and Settings\jw1173\Application Data\.purple
    
    File::
    C:\WINDOWS\Tasks\At1.job
    C:\WINDOWS\system32\psaxfdwk.ini
    C:\WINDOWS\system32\gximfqxr.ini
    C:\WINDOWS\system32\ygggyref.ini
    C:\WINDOWS\system32\jjxvgtay.ini
    C:\WINDOWS\system32\jmaminsd.ini
    C:\WINDOWS\system32\oikqgnfk.ini
    C:\WINDOWS\system32\ryeaoeht.ini
    C:\WINDOWS\system32\wxtqgxow.ini
    C:\WINDOWS\system32\lxdknngu.ini
    C:\WINDOWS\system32\tgmyqhuw.ini
    C:\WINDOWS\system32\miuaoqsv.dll
    C:\WINDOWS\system32\knrtfdbf.ini
    C:\WINDOWS\system32\hpotgdvn.ini
    C:\WINDOWS\system32\rcphegiu.ini
    C:\WINDOWS\system32\ktildnog.ini
    C:\WINDOWS\system32\cwyycsxm.ini
    C:\WINDOWS\system32\svulrjnw.ini
    C:\WINDOWS\system32\mjivodoa.ini
    C:\WINDOWS\system32\clquphwj.ini
    C:\WINDOWS\system32\klrenxri.ini
    C:\WINDOWS\system32\rbhkyyap.ini
    C:\WINDOWS\system32\cxypbouw.ini
    C:\WINDOWS\system32\hkbmhkqc.ini
    C:\WINDOWS\system32\xvbqabdv.ini
    C:\WINDOWS\system32\fsyjakbk.ini
    C:\WINDOWS\system32\ngpfddhm.ini
    C:\WINDOWS\system32\rlptkrpx.ini
    C:\WINDOWS\system32\yurtpjai.ini
    C:\WINDOWS\system32\botnrppg.ini
    C:\WINDOWS\system32\tdnmruij.ini
    C:\WINDOWS\system32\rxikfyxh.ini
    C:\WINDOWS\system32\vdjmjgbf.ini
    C:\WINDOWS\system32\vstgofpj.ini
    C:\WINDOWS\system32\xbuytlig.ini
    C:\WINDOWS\system32\woxpalnv.ini
    C:\WINDOWS\system32\eueltxfh.ini
    C:\WINDOWS\system32\jbliqvwk.ini
    C:\WINDOWS\system32\grkorvhw.ini
    C:\WINDOWS\system32\xkieegby.ini
    C:\WINDOWS\system32\rgnrpegl.ini
    C:\WINDOWS\system32\csrbdvdx.ini
    C:\WINDOWS\system32\qmbtvgyf.ini
    C:\WINDOWS\system32\eoexowab.ini
    C:\WINDOWS\system32\diybyjce.ini
    C:\WINDOWS\system32\kctnrfen.ini
    C:\WINDOWS\system32\yrlvfxup.ini
    C:\WINDOWS\system32\xvexvuph.ini
    C:\WINDOWS\system32\xxxkjlyy.ini
    
    Registry::
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{038EAB0C-7FB2-44AE-A86C-119B05323CF2}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06A342C9-A503-4D40-AA67-2C0AA672AC6C}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0D858DC7-E5DE-4433-9325-F8051D3F3541}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1028620C-CDCB-4C13-8BA8-0C519ACAF6EA}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{12EB603B-29BF-462D-95EC-99521C05F767}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{13034a83-1552-4592-95a7-520ef008844f}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{400D98DD-DC76-4168-9ECB-F9096880F63E}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{47BB508A-B710-4256-8930-6E9A33751EC0}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6B2B626E-9547-4E45-ADB5-E6F6F938B7E7}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6FAFC5D6-107B-4B38-928D-815391122698}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{783F6C92-E0CF-4799-84C5-B5C6B72E717A}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7A9B644C-84E3-4DDE-A34D-D8D0AFF0CE78}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7EB2770B-102C-4489-9A00-0D6346BB9C8D}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{87ED6951-2C6E-4AFC-A14D-9E7AFC6AF4A2}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{888FFC6D-961B-4F79-9FCD-F582488AABE1}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8ee65c64-67a4-4385-90f6-690b5136de1c}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{91E7396E-6E54-410D-98B0-AAC5CBBB655B}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9A90C600-BB45-45A6-9736-01CE0389BFCA}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{a1f0af7b-030b-427f-8067-492be6fb411a}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AA801B8E-EE42-43D0-9B35-DF9A80F2FFBF}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AECFD5F0-66D5-4198-A146-AC8D3D1099D1}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B01A161D-DD32-44E3-A3A7-89294820D89D}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B5069D25-0F4D-45EC-9E0F-6E679325FC13}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BAA0318A-9C05-42A5-BEE0-C2A6F9A3AF7F}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BB5C9D00-5D5E-4CCF-8285-55C19918DFAF}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CEC4F542-5D89-4A68-90E1-4DE3A3215716}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D22F78F8-596A-43AF-8CFE-34A4CEABD1DB}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D2E7F7C2-08CA-4450-BA19-D7DDC7AF9ACC}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E4EB302A-293E-420D-8E0B-58083A4C83B7}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EB9FB406-118B-4880-9C27-41E5762D2036}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F2A82F47-0319-4081-B7A2-211DFAF4D781}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F33C7FBB-1321-4B01-8227-C88E0689B176}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{f52ef424-b074-4aed-9b17-6f39506eb789}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FC3F92F1-A220-49D2-ABA7-31F5BCBA0A1B}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ac4d2304"=-
    
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ogucmjfv]
    
    

  • Save this as CFScript.txt and place it on your desktop.


    Image


  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it will produce a log for you. Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.
Katana
MRU Teacher Emeritus
 
Posts: 6412
Joined: November 10th, 2006, 5:00 pm
Location: Manchester
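The ComboFix logs posted in this thread show the file pattern Katana's script targets: eight-letter random names in system32 with hidden+system attributes (the .ini files), a random-named DLL launched from a Run value with no timestamp, and a run of identically sized pos*.tmp drops in C:\. The triage helper below is an added example written for this page; it is not ComboFix's code and not part of Katana's instructions. It parses lines in the "Files Created" and Run-value formats that ComboFix prints and flags those patterns with simple heuristics (the rules and the cut-offs are my assumptions). The sample log lines are constructed, modelled on entries from the logs in this thread.

```python
"""Triage helper for ComboFix-style log lines (added example, not ComboFix code).

Flags the artifacts that Virtumonde/Vundo infections leave behind, as seen in
the logs above: random eight-letter .ini files in system32 marked hidden+system,
random eight-letter DLLs in system32 (on disk or as a Run-value target with no
timestamp), and same-size pos*.tmp drops in the root of C:\.
"""
import re
from collections import Counter

# ComboFix "Files Created" line:  created . modified  size  attrs  path
FILE_LINE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+"
    r"(?P<size><DIR>|[\d,]+)\s+(?P<attrs>[-a-zA-Z]{9})\s+(?P<path>.+?)\s*$"
)
# Autostart value line as ComboFix prints it:  "name"="target" [timestamp]
RUN_LINE = re.compile(
    r'^"(?P<name>[^"]+)"="(?P<target>[^"]*)"\s*\[(?P<stamp>[^\]]*)\]\s*$'
)

# Heuristic (assumption): eight lowercase letters plus .ini/.dll is the
# random-name scheme used by this infection; legitimate names rarely match.
RANDOM8 = re.compile(r"^[a-z]{8}\.(ini|dll)$")
SYSTEM32 = "c:\\windows\\system32\\"
POS_TMP = re.compile(r"c:\\pos[0-9a-f]+\.tmp")


def parse_file_line(line):
    """Return a dict for a Files Created line, or None if it is not one."""
    m = FILE_LINE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["size"] = None if d["size"] == "<DIR>" else int(d["size"].replace(",", ""))
    # ComboFix attribute string: 'h' = hidden, 's' = system
    d["hidden_system"] = "h" in d["attrs"] and "s" in d["attrs"]
    return d


def triage(lines):
    """Scan log lines; return {'findings': [(rule, detail)], 'tmp_sizes': Counter}."""
    findings = []
    tmp_sizes = Counter()
    for line in lines:
        f = parse_file_line(line)
        if f:
            path = f["path"]
            low = path.lower()
            name = low.rsplit("\\", 1)[-1]
            if low.startswith(SYSTEM32) and RANDOM8.match(name):
                if name.endswith(".ini") and f["hidden_system"]:
                    findings.append(("random_hs_ini", path))
                elif name.endswith(".dll"):
                    findings.append(("random_dll", path))
            elif POS_TMP.fullmatch(low) and f["size"]:
                # Repeated drops of one exact size point at one dropper
                tmp_sizes[f["size"]] += 1
                findings.append(("pos_tmp_drop", path))
            continue
        r = RUN_LINE.match(line.strip())
        if r:
            target = r.group("target")
            tname = target.lower().rsplit("\\", 1)[-1]
            # A DLL as a Run-value target with no file timestamp is not a
            # normal autostart entry; flag it when the name is random too.
            if RANDOM8.match(tname) and tname.endswith(".dll") and r.group("stamp") == "":
                findings.append(("run_value_random_dll", r.group("name") + " -> " + target))
    return {"findings": findings, "tmp_sizes": tmp_sizes}


# Constructed sample, modelled on the ComboFix log entries posted in this thread.
SAMPLE_LOG = r"""
2007-12-27 09:39 . 2007-12-11 10:31 176,128 --a------ C:\WINDOWS\system32\KevlarSigs.dll
2007-12-24 22:59 . 2007-12-24 22:59 <DIR> dr-h----- C:\Documents and Settings\jw1173\Application Data\SecuROM
2007-12-21 16:00 . 2007-12-21 16:01 14,033 --a------ C:\posA7D.tmp
2007-12-20 09:48 . 2007-12-20 09:48 14,033 --a------ C:\pos222.tmp
2007-12-10 06:53 . 2007-12-10 06:53 1,786 ---hs---- C:\WINDOWS\system32\ehhrqffo.ini
2007-12-09 12:26 . 2007-12-10 06:53 1,726 ---hs---- C:\WINDOWS\system32\midbjudo.ini
2007-12-17 23:27 . 2007-12-17 23:27 113 --a------ C:\WINDOWS\notesnsd.ini
2007-12-02 22:31 . 2007-12-02 22:31 793,664 ---hs---- C:\WINDOWS\system32\aasybheu.ini
2007-12-02 22:31 . 2007-12-02 22:31 98,304 --a------ C:\WINDOWS\system32\miuaoqsv.dll
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2004-10-08 16:31]
"ac4d2304"="C:\WINDOWS\system32\kwdfxasp.dll" []
"""

if __name__ == "__main__":
    result = triage(SAMPLE_LOG.splitlines())
    for rule, detail in result["findings"]:
        print(f"{rule:22s} {detail}")
    for size, n in result["tmp_sizes"].items():
        print(f"pos*.tmp drops of {size} bytes: {n}")
```

Note that `C:\WINDOWS\notesnsd.ini` in the sample has an eight-letter name but is neither in system32 nor hidden+system, so it is left alone; the rules need all three signals together to keep false positives down on a machine with this much legitimate software installed.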

Re: Can not remove Virtumonde and Virtumonde.generic - NEED HELP

Unread postby xcel » December 27th, 2007, 11:02 am

Results of C:\pos222.tmp; I do not have C:\WINDOWS\msdtcsw32.exe


File pos222.tmp received on 12.27.2007 15:45:26 (CET)

Result: 0/32 (0%)

Antivirus Version Last Update Result
AhnLab-V3 2007.12.27.10 2007.12.26 -
AntiVir 7.6.0.46 2007.12.27 -
Authentium 4.93.8 2007.12.27 -
Avast 4.7.1098.0 2007.12.26 -
AVG 7.5.0.516 2007.12.27 -
BitDefender 7.2 2007.12.27 -
CAT-QuickHeal 9.00 2007.12.27 -
ClamAV 0.91.2 2007.12.27 -
DrWeb 4.44.0.09170 2007.12.27 -
eSafe 7.0.15.0 2007.12.26 -
eTrust-Vet 31.3.5406 2007.12.27 -
Ewido 4.0 2007.12.27 -
FileAdvisor 1 2007.12.27 -
Fortinet 3.14.0.0 2007.12.27 -
F-Prot 4.4.2.54 2007.12.26 -
F-Secure 6.70.13030.0 2007.12.27 -
Ikarus T3.1.1.15 2007.12.27 -
Kaspersky 7.0.0.125 2007.12.27 -
McAfee 5193 2007.12.26 -
Microsoft 1.3109 2007.12.27 -
NOD32v2 2750 2007.12.27 -
Norman 5.80.02 2007.12.27 -
Panda 9.0.0.4 2007.12.26 -
Prevx1 V2 2007.12.27 -
Rising 20.24.32.00 2007.12.27 -
Sophos 4.24.0 2007.12.27 -
Sunbelt 2.2.907.0 2007.12.27 -
Symantec 10 2007.12.27 -
TheHacker 6.2.9.170 2007.12.26 -
VBA32 3.12.2.5 2007.12.26 -
VirusBuster 4.3.26:9 2007.12.26 -
Webwasher-Gateway 6.6.2 2007.12.27 -
Additional information
File size: 14033 bytes
MD5: 53a425b51078f79d61a27107fa4e25dd
SHA1: 89dc9b66d43fbb081ebe19e6b42bd370e1f46096
PEiD: -
xcel
Active Member
 
Posts: 14
Joined: December 21st, 2007, 9:41 pm

Re: Can not remove Virtumonde and Virtumonde.generic - NEED HELP

Unread postby xcel » December 27th, 2007, 12:00 pm

ComboFix 07-12-21.4 - jw1173 2007-12-27 10:06:03.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.439 [GMT -5:00]
Running from: C:\Documents and Settings\jw1173\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\jw1173\Desktop\CFScript.txt
* Created a new restore point

FILE
C:\WINDOWS\system32\botnrppg.ini
C:\WINDOWS\system32\clquphwj.ini
C:\WINDOWS\system32\csrbdvdx.ini
C:\WINDOWS\system32\cwyycsxm.ini
C:\WINDOWS\system32\cxypbouw.ini
C:\WINDOWS\system32\diybyjce.ini
C:\WINDOWS\system32\eoexowab.ini
C:\WINDOWS\system32\eueltxfh.ini
C:\WINDOWS\system32\fsyjakbk.ini
C:\WINDOWS\system32\grkorvhw.ini
C:\WINDOWS\system32\gximfqxr.ini
C:\WINDOWS\system32\hkbmhkqc.ini
C:\WINDOWS\system32\hpotgdvn.ini
C:\WINDOWS\system32\jbliqvwk.ini
C:\WINDOWS\system32\jjxvgtay.ini
C:\WINDOWS\system32\jmaminsd.ini
C:\WINDOWS\system32\kctnrfen.ini
C:\WINDOWS\system32\klrenxri.ini
C:\WINDOWS\system32\knrtfdbf.ini
C:\WINDOWS\system32\ktildnog.ini
C:\WINDOWS\system32\lxdknngu.ini
C:\WINDOWS\system32\miuaoqsv.dll
C:\WINDOWS\system32\mjivodoa.ini
C:\WINDOWS\system32\ngpfddhm.ini
C:\WINDOWS\system32\oikqgnfk.ini
C:\WINDOWS\system32\psaxfdwk.ini
C:\WINDOWS\system32\qmbtvgyf.ini
C:\WINDOWS\system32\rbhkyyap.ini
C:\WINDOWS\system32\rcphegiu.ini
C:\WINDOWS\system32\rgnrpegl.ini
C:\WINDOWS\system32\rlptkrpx.ini
C:\WINDOWS\system32\rxikfyxh.ini
C:\WINDOWS\system32\ryeaoeht.ini
C:\WINDOWS\system32\svulrjnw.ini
C:\WINDOWS\system32\tdnmruij.ini
C:\WINDOWS\system32\tgmyqhuw.ini
C:\WINDOWS\system32\vdjmjgbf.ini
C:\WINDOWS\system32\vstgofpj.ini
C:\WINDOWS\system32\woxpalnv.ini
C:\WINDOWS\system32\wxtqgxow.ini
C:\WINDOWS\system32\xbuytlig.ini
C:\WINDOWS\system32\xkieegby.ini
C:\WINDOWS\system32\xvbqabdv.ini
C:\WINDOWS\system32\xvexvuph.ini
C:\WINDOWS\system32\xxxkjlyy.ini
C:\WINDOWS\system32\ygggyref.ini
C:\WINDOWS\system32\yrlvfxup.ini
C:\WINDOWS\system32\yurtpjai.ini
C:\WINDOWS\Tasks\At1.job
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\botnrppg.ini
C:\WINDOWS\system32\clquphwj.ini
C:\WINDOWS\system32\csrbdvdx.ini
C:\WINDOWS\system32\cwyycsxm.ini
C:\WINDOWS\system32\cxypbouw.ini
C:\WINDOWS\system32\diybyjce.ini
C:\WINDOWS\system32\eoexowab.ini
C:\WINDOWS\system32\eueltxfh.ini
C:\WINDOWS\system32\fsyjakbk.ini
C:\WINDOWS\system32\grkorvhw.ini
C:\WINDOWS\system32\gximfqxr.ini
C:\WINDOWS\system32\hkbmhkqc.ini
C:\WINDOWS\system32\hpotgdvn.ini
C:\WINDOWS\system32\jbliqvwk.ini
C:\WINDOWS\system32\jjxvgtay.ini
C:\WINDOWS\system32\jmaminsd.ini
C:\WINDOWS\system32\kctnrfen.ini
C:\WINDOWS\system32\klrenxri.ini
C:\WINDOWS\system32\knrtfdbf.ini
C:\WINDOWS\system32\ktildnog.ini
C:\WINDOWS\system32\lxdknngu.ini
C:\WINDOWS\system32\miuaoqsv.dll
C:\WINDOWS\system32\mjivodoa.ini
C:\WINDOWS\system32\ngpfddhm.ini
C:\WINDOWS\system32\oikqgnfk.ini
C:\WINDOWS\system32\psaxfdwk.ini
C:\WINDOWS\system32\qmbtvgyf.ini
C:\WINDOWS\system32\rbhkyyap.ini
C:\WINDOWS\system32\rcphegiu.ini
C:\WINDOWS\system32\rgnrpegl.ini
C:\WINDOWS\system32\rlptkrpx.ini
C:\WINDOWS\system32\rxikfyxh.ini
C:\WINDOWS\system32\ryeaoeht.ini
C:\WINDOWS\system32\svulrjnw.ini
C:\WINDOWS\system32\tdnmruij.ini
C:\WINDOWS\system32\tgmyqhuw.ini
C:\WINDOWS\system32\vdjmjgbf.ini
C:\WINDOWS\system32\vstgofpj.ini
C:\WINDOWS\system32\woxpalnv.ini
C:\WINDOWS\system32\wxtqgxow.ini
C:\WINDOWS\system32\xbuytlig.ini
C:\WINDOWS\system32\xkieegby.ini
C:\WINDOWS\system32\xvbqabdv.ini
C:\WINDOWS\system32\xvexvuph.ini
C:\WINDOWS\system32\xxxkjlyy.ini
C:\WINDOWS\system32\ygggyref.ini
C:\WINDOWS\system32\yrlvfxup.ini
C:\WINDOWS\system32\yurtpjai.ini
C:\WINDOWS\Tasks\At1.job

.
((((((((((((((((((((((((( Files Created from 2007-11-27 to 2007-12-27 )))))))))))))))))))))))))))))))
.

2007-12-27 09:39 . 2007-12-11 10:31 176,128 --a------ C:\WINDOWS\system32\KevlarSigs.dll
2007-12-27 09:39 . 2007-06-13 11:41 176,128 --a------ C:\WINDOWS\system32\hidapi.dll
2007-12-27 09:39 . 2007-01-26 17:19 53,248 --a------ C:\WINDOWS\system32\hidapistub.dll
2007-12-27 09:39 . 2007-12-05 12:24 23,398 --a------ C:\WINDOWS\system32\kevlar_api_hook_list.dat
2007-12-27 09:38 . 2007-06-13 11:41 182,784 --a------ C:\WINDOWS\system32\drivers\HidSys.sys
2007-12-24 22:59 . 2007-12-24 22:59 <DIR> dr-h----- C:\Documents and Settings\jw1173\Application Data\SecuROM
2007-12-24 22:59 . 2007-12-24 22:59 107,888 --a------ C:\WINDOWS\system32\CmdLineExt.dll
2007-12-24 22:26 . 2007-12-24 22:26 <DIR> d-------- C:\Program Files\EA GAMES
2007-12-24 22:26 . 2007-08-06 19:28 442,368 -ra------ C:\WINDOWS\system32\vp6vfw.dll
2007-12-23 14:53 . 2007-12-23 14:53 <DIR> d-------- C:\VundoFix Backups
2007-12-21 16:36 . 2007-12-21 16:36 <DIR> d-------- C:\Documents and Settings\jw1173\Application Data\Grisoft
2007-12-21 16:00 . 2007-12-21 16:01 14,033 --a------ C:\posA7D.tmp
2007-12-21 15:46 . 2007-12-21 15:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-12-21 15:46 . 2007-05-30 07:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-12-20 16:17 . 2007-12-20 16:17 14,033 --a------ C:\pos7E5.tmp
2007-12-20 16:16 . 2007-12-20 16:17 14,033 --a------ C:\pos61D.tmp
2007-12-20 15:06 . 2007-12-20 15:06 14,033 --a------ C:\pos5FC.tmp
2007-12-20 15:05 . 2007-12-20 15:06 14,033 --a------ C:\pos420.tmp
2007-12-20 13:58 . 2007-12-20 14:59 14,033 --a------ C:\pos40D.tmp
2007-12-20 13:57 . 2007-12-20 13:58 14,033 --a------ C:\pos335.tmp
2007-12-20 09:48 . 2007-12-20 09:48 14,033 --a------ C:\pos222.tmp
2007-12-20 09:47 . 2007-12-20 09:47 14,033 --a------ C:\posFE.tmp
2007-12-17 23:27 . 2007-12-17 23:27 113 --a------ C:\WINDOWS\notesnsd.ini
2007-12-17 15:40 . 2007-12-17 15:40 <DIR> d-------- C:\Program Files\HP
2007-12-17 15:40 . 2003-11-11 11:16 266,296 --a------ C:\WINDOWS\system32\HPZidr12.dll
2007-12-17 15:40 . 2003-10-22 10:26 196,608 --a------ C:\WINDOWS\system32\HPZipr12.dll
2007-12-17 15:40 . 2003-07-21 14:24 94,208 --a------ C:\WINDOWS\system32\HPZipt12.dll
2007-12-17 15:40 . 2003-10-22 10:19 65,536 --a------ C:\WINDOWS\system32\HPZipm12.exe
2007-12-17 15:40 . 2003-07-25 12:20 61,699 --a------ C:\WINDOWS\system32\HPZinw12.exe
2007-12-17 15:40 . 2003-07-21 14:24 57,344 --a------ C:\WINDOWS\system32\HPZisn12.dll
2007-12-17 15:38 . 2007-12-17 15:38 <DIR> d-------- C:\Program Files\Hewlett-Packard
2007-12-13 08:38 . 2007-12-13 08:38 <DIR> d-------- C:\Documents and Settings\jw1173\Application Data\Yahoo!
2007-12-13 08:36 . 2007-12-17 21:34 <DIR> dr-h----- C:\Documents and Settings\All Users\Application Data\yahoo!
2007-12-12 18:42 . 2007-12-12 18:42 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2007-12-12 18:42 . 2007-12-12 18:42 1,409 --a------ C:\WINDOWS\QTFont.for
2007-12-10 15:20 . 2006-09-22 14:09 812,296 --a------ C:\WINDOWS\system32\wodFtpDLX.dll
2007-12-10 15:20 . 2001-03-08 17:30 24,064 --a------ C:\WINDOWS\system32\msxml3a.dll
2007-12-10 15:19 . 2007-12-10 15:21 <DIR> d-------- C:\Program Files\PharosSystems
2007-12-10 15:19 . 2007-12-10 15:19 1,759 --a------ C:\WINDOWS\pbp0310y.mif
2007-12-10 11:12 . 2007-12-10 11:12 <DIR> d-------- C:\Program Files\Monarch Report Explorer
2007-12-10 11:12 . 1994-06-14 13:19 51,988 --a------ C:\WINDOWS\system32\pres.ttf
2007-12-10 11:10 . 1997-04-08 14:08 299,520 --a------ C:\WINDOWS\uninst.exe
2007-12-10 11:07 . 2007-12-10 11:07 <DIR> d--h----- C:\WINDOWS\PIF
2007-12-10 11:07 . 2007-12-10 11:07 <DIR> d-------- C:\Program Files\Monarch
2007-12-10 11:07 . 2007-12-10 11:07 <DIR> d-------- C:\Program Files\Common Files\Datawatch Shared
2007-12-10 10:51 . 2005-08-24 15:03 192,512 --a------ C:\WINDOWS\system32\DWRCSET.DLL
2007-12-10 10:51 . 2005-08-24 15:03 160,256 --a------ C:\WINDOWS\system32\DWRCS.EXE
2007-12-10 10:51 . 2004-10-05 15:14 69,632 --a------ C:\WINDOWS\system32\DWRCShell.dll
2007-12-10 10:51 . 2005-08-24 15:02 53,248 --a------ C:\WINDOWS\system32\DWRCK.DLL
2007-12-10 10:51 . 2005-08-24 15:03 43,520 --a------ C:\WINDOWS\system32\DWRCST.EXE
2007-12-10 10:51 . 2004-07-01 09:22 714 --a------ C:\WINDOWS\system32\DWRCST.exe.manifest
2007-12-10 09:31 . 2007-01-08 16:18 2,359,352 --a------ C:\WINDOWS\Cingularbmp.old
2007-12-10 09:31 . 2006-12-20 16:28 1,629,067 --a------ C:\WINDOWS\system32\Cingular.old
2007-12-10 09:31 . 2007-11-12 10:34 1,301,004 --a------ C:\WINDOWS\system32\ATT35Time.att
2007-12-10 07:49 . 2007-12-27 10:07 <DIR> d-------- C:\Program Files\DRU
2007-12-10 06:53 . 2007-12-10 06:53 1,786 ---hs---- C:\WINDOWS\system32\ehhrqffo.ini
2007-12-09 12:26 . 2007-12-10 06:53 1,726 ---hs---- C:\WINDOWS\system32\midbjudo.ini
2007-12-09 11:28 . 2007-12-09 11:29 1,434 ---hs---- C:\WINDOWS\system32\uandrmqi.ini
2007-12-09 00:01 . 2007-12-09 11:23 1,374 ---hs---- C:\WINDOWS\system32\kavdadcp.ini
2007-12-08 23:04 . 2007-12-08 23:04 1,254 ---hs---- C:\WINDOWS\system32\muglqwna.ini
2007-12-08 22:15 . 2007-12-08 22:59 1,194 ---hs---- C:\WINDOWS\system32\dulvxlsq.ini
2007-12-08 18:11 . 2007-12-08 18:11 <DIR> d-------- C:\Program Files\Emanate
2007-12-08 18:09 . 2007-12-23 16:23 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-12-08 18:09 . 2007-12-08 18:09 <DIR> d-------- C:\Program Files\ASDclient
2007-12-08 17:32 . 2007-12-08 22:12 1,074 ---hs---- C:\WINDOWS\system32\slimxane.ini
2007-12-08 09:36 . 2007-12-08 17:30 834 ---hs---- C:\WINDOWS\system32\agmmewpc.ini
2007-12-07 20:40 . 2007-12-08 09:28 654 ---hs---- C:\WINDOWS\system32\mgauakni.ini
2007-12-07 14:43 . 2007-12-07 20:35 534 ---hs---- C:\WINDOWS\system32\rtpoyabm.ini
2007-12-07 08:45 . 2007-12-07 14:35 414 ---hs---- C:\WINDOWS\system32\byksaoim.ini
2007-12-07 08:26 . 2007-12-07 08:26 <DIR> d-------- C:\WINDOWS\ms
2007-12-07 07:48 . 2007-12-07 07:48 294 ---hs---- C:\WINDOWS\system32\pvccbwmq.ini
2007-12-07 06:37 . 2007-12-07 06:37 294 ---hs---- C:\WINDOWS\system32\vltxsjkh.ini
2007-12-06 19:26 . 2007-12-06 19:26 654 ---hs---- C:\WINDOWS\system32\ibatgcdp.ini
2007-12-06 07:48 . 2007-12-06 18:21 594 ---hs---- C:\WINDOWS\system32\colmlcne.ini
2007-12-05 21:47 . 2007-12-06 07:43 474 ---hs---- C:\WINDOWS\system32\jauoboif.ini
2007-12-05 09:24 . 2007-12-10 11:58 <DIR> d-------- C:\Documents and Settings\jw1173\Oracle Jar Cache
2007-12-05 09:24 . 2007-12-10 07:35 <DIR> d-------- C:\Documents and Settings\jw1173\.jinit
2007-12-05 09:24 . 2006-09-28 04:45 45,164 --------- C:\WINDOWS\system32\plugincpl13128.cpl
2007-12-05 09:23 . 2006-09-28 04:45 36,962 --------- C:\WINDOWS\system32\ActPanel.dll
2007-12-05 09:22 . 2007-12-05 20:42 354 ---hs---- C:\WINDOWS\system32\eyuokdxp.ini
2007-12-05 08:19 . 2007-12-05 08:19 143 --a------ C:\WINDOWS\system32\mcrh.tmp
2007-12-05 07:58 . 2007-12-05 07:58 <DIR> d-------- C:\WINDOWS\Mcafee
2007-12-05 07:54 . 2006-11-30 08:50 72,264 --a------ C:\WINDOWS\system32\drivers\mfeavfk.sys
2007-12-05 07:54 . 2006-11-30 08:50 64,360 --a------ C:\WINDOWS\system32\drivers\mfeapfk.sys
2007-12-05 07:54 . 2006-11-30 08:50 52,136 --a------ C:\WINDOWS\system32\drivers\mfetdik.sys
2007-12-05 07:54 . 2006-11-30 08:50 34,152 --a------ C:\WINDOWS\system32\drivers\mfebopk.sys
2007-12-05 07:53 . 2007-12-05 07:53 <DIR> d-------- C:\Program Files\Common Files\McAfee
2007-12-05 07:51 . 2007-12-05 07:53 <DIR> d-------- C:\Program Files\McAfee
2007-12-05 07:51 . 2007-12-05 07:51 <DIR> d-------- C:\Program Files\Common Files\McAfee Inc
2007-12-05 07:51 . 2007-12-05 07:53 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\McAfee
2007-12-04 09:19 . 2007-12-04 10:11 294 ---hs---- C:\WINDOWS\system32\qwkdbbyu.ini
2007-12-04 08:21 . 2007-12-04 08:21 294 ---hs---- C:\WINDOWS\system32\obhsbqxe.ini
2007-12-03 21:11 . 2007-12-21 16:35 435 --a------ C:\WINDOWS\wininit.ini
2007-12-03 20:44 . 2007-12-19 07:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-12-03 20:19 . 2005-09-23 08:29 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
2007-12-03 09:09 . 2007-03-27 17:06 1,495,552 --a------ C:\WINDOWS\system32\epoPGPsdk.dll
2007-12-03 09:09 . 2007-03-27 17:06 280 --a------ C:\WINDOWS\system32\epoPGPsdk.dll.sig
2007-12-02 22:31 . 2007-12-02 22:31 793,664 ---hs---- C:\WINDOWS\system32\aasybheu.ini
2007-12-02 17:51 . 2007-12-09 21:04 3 --a------ C:\WINDOWS\bootvrfy.ini
2007-12-02 17:50 . 2007-12-02 17:50 218 --a------ C:\WINDOWS\ulksystem33.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-22 17:39 --------- d-----w C:\Documents and Settings\jw1173\Application Data\.purple
2007-12-10 20:22 11,264 ----a-w C:\WINDOWS\system32\PSS765F6.DLL
2007-12-10 20:22 11,264 ----a-w C:\WINDOWS\system32\PSS765F5.DLL
2007-12-10 20:22 11,264 ----a-w C:\WINDOWS\system32\PSS765E0.DLL
2007-12-10 20:22 11,264 ----a-w C:\WINDOWS\system32\PSS765D9.DLL
2007-12-10 20:22 11,264 ----a-w C:\WINDOWS\system32\PSS765D3.DLL
2007-12-10 20:22 11,264 ----a-w C:\WINDOWS\system32\PSS765CF.DLL
2007-12-10 20:22 11,264 ----a-w C:\WINDOWS\system32\PSS765CE.DLL
2007-12-10 20:22 11,264 ----a-w C:\WINDOWS\system32\PSS765CD.DLL
2007-12-10 20:22 11,264 ----a-w C:\WINDOWS\system32\PSS765CC.DLL
2007-12-10 20:22 11,264 ----a-w C:\WINDOWS\system32\PSS765CB.DLL
2007-12-10 16:07 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-12-02 14:43 --------- d-----w C:\Program Files\Network Associates
2007-12-02 14:43 --------- d-----w C:\Documents and Settings\All Users\Application Data\Network Associates
2007-11-30 20:13 --------- d-----w C:\Program Files\Java
2007-11-30 15:21 --------- d-----w C:\Program Files\Microsoft ActiveSync
2007-11-29 17:15 111,153 ----a-w C:\Program Files\INSTALL.LOG
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-11-12 15:34 1,301,004 ----a-w C:\WINDOWS\system32\Cingular.scr
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-27 22:39 230,912 ----a-w C:\WINDOWS\system32\wmasf.dll
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

---- Directory of C:\Documents and Settings\jw1173\Application Data\.purple ----

2007-12-22 12:39 79096 --a------ C:\Documents and Settings\jw1173\Application Data\.purple\blist.xml
2007-12-22 12:39 16637 --a------ C:\Documents and Settings\jw1173\Application Data\.purple\accounts.xml
2007-12-22 12:39 15708 --a------ C:\Documents and Settings\jw1173\Application Data\.purple\prefs.xml
2007-12-22 12:39 1397 --a------ C:\Documents and Settings\jw1173\Application Data\.purple\icons\658e2a0dd5fa76f0eb3a81644603d47b735fcc71.jpg
2007-12-22 11:50 8935 --a------ C:\Documents and Settings\jw1173\Application Data\.purple\accels
2007-12-22 10:17 15748 --a------ C:\Documents and Settings\jw1173\Application Data\.purple\icons\81122312f4330a7d1c07c90e65b30d07454d61ac.png
2007-12-19 02:30 20589 --a------ C:\Documents and Settings\jw1173\Application Data\.purple\icons\224271e2fa46d87ba5c0115ac793e433906c7250.png
2007-12-18 20:50 7808 --a------ C:\Documents and Settings\jw1173\Application Data\.purple\icons\9799079e8379c4cecc86c733b81974d41a85e3ef.png
2007-12-18 14:42 2123 --a------ C:\Documents and Settings\jw1173\Application Data\.purple\icons\d96eab324d008e8886eeea465b21da2e4e04d3ec.jpg
2007-12-18 13:16 17875 --a------ C:\Documents and Settings\jw1173\Application Data\.purple\icons\0e1d35aa557b49962c5e9a3cedb0cb47b64fa267.png
2007-12-18 10:40 16747 --a------ C:\Documents and Settings\jw1173\Application Data\.purple\icons\650ae39c5c549187209f91bbc889aa2f4c1a5436.png
2007-12-18 10:40 15818 --a------ C:\Documents and Settings\jw1173\Application Data\.purple\icons\7e7dbbc57a9b715c64a2112c41fe828756f369c1.png
2007-12-17 22:12 22289 --a------ C:\Documents and Settings\jw1173\Application Data\.purple\icons\b58a9a11942f59baf2c2940ae2b8788c7127db02.png
2007-12-16 12:31 2001 --a------ C:\Documents and Settings\jw1173\Application Data\.purple\icons\0dbc67796e2aae102f5e316708afe86989ce0fc1.gif
2007-12-16 12:28 1998 --a------ C:\Documents and Settings\jw1173\Application Data\.purple\icons\f03364dfdbc60504e9341150f77c36f5ba5007aa.gif
2007-12-14 08:45 23985 --a------ C:\Documents and Settings\jw1173\Application Data\.purple\icons\6536c4e89f24976d1dce8168f5b98896938e17dd.png
2007-12-13 22:35 14832 --a------ C:\Documents and Settings\jw1173\Application Data\.purple\icons\30d48942e416296918307aa2b83245f741188a9b.png
2007-12-13 21:03 22842 --a------ C:\Documents and Settings\jw1173\Application Data\.purple\icons\279c0625a138905fde6761ce0bb794c698c628c3.png
2007-12-13 19:37 4724 --a------ C:\Documents and Settings\jw1173\Application Data\.purple\icons\5822bddd73107ed7f804b77499012fcf0a3e0057.gif
2007-12-13 19:01 2759 --a------ C:\Documents and Settings\jw1173\Application Data\.purple\icons\2fcd6134dba9fc40912ca5ce35cc6368e737f480.gif
2007-12-13 18:50 19838 --a------ C:\Documents and Settings\jw1173\Application Data\.purple\icons\0a03fa034653990236621ff4ebf6d7f62df92066.png
2007-12-05 23:04 17120 --a------ C:\Documents and Settings\jw1173\Application Data\.purple\icons\60aa59f8fdd9484fbdc266aee55cfc09074891e7.png
2007-12-05 21:41 2045 --a------ C:\Documents and Settings\jw1173\Application Data\.purple\icons\9c8664657b895ee017ba6aebebea138ce26efd95.gif
2007-12-02 22:04 1533 --a------ C:\Documents and Settings\jw1173\Application Data\.purple\icons\7da5671e59cd7e90e5033df95185989a859fa695.gif
2007-12-02 21:42 2892 --a------ C:\Documents and Settings\jw1173\Application Data\.purple\icons\d8d75be0ad4f5a4e482d46f1bf66c75839121d60.gif
2007-12-02 16:45 19075 --a------ C:\Documents and Settings\jw1173\Application Data\.purple\icons\c930953ad6ddd4b8517bc357f6feb294ed1f1d6e.png
2007-12-02 16:45 17997 --a------ C:\Documents and Settings\jw1173\Application Data\.purple\icons\a2bcc46cd0de2bb3d98382763b7f6546c610eb83.png
2007-12-02 16:45 16401 --a------ C:\Documents and Settings\jw1173\Application Data\.purple\icons\4e839742fb3a0741e7e84b90993f3551fc329e91.png
2007-12-02 16:45 16005 --a------ C:\Documents and Settings\jw1173\Application Data\.purple\icons\f4928c288ce8deccf0161de1f67782ee4c9f1d23.png
2007-12-01 22:37 2893 --a------ C:\Documents and Settings\jw1173\Application Data\.purple\icons\8f86d280fae3ed726fbf5f3f06e8f94a91eb3042.gif
2007-12-01 21:46 2910 --a------ C:\Documents and Settings\jw1173\Application Data\.purple\icons\06520ee29d22118644cde9d1ef0bec9e2a879cb5.gif
2007-12-01 10:47 1938 --a------ C:\Documents and Settings\jw1173\Application Data\.purple\icons\6f8816a585e67ba65820197b951966751447c022.gif
2007-12-01 10:27 2075 --a------ C:\Documents and Settings\jw1173\Application Data\.purple\icons\0b1144998f09d7c0818b1f9fefc398110b04f618.gif
2007-12-01 09:06 19944 --a------ C:\Documents and Settings\jw1173\Application Data\.purple\icons\73cbccc0ae58fb6e0745238883cb3b78601c7a80.png
2007-12-01 08:37 15850 --a------ C:\Documents and Settings\jw1173\Application Data\.purple\icons\951f22d4ad0550685613f6478f978f02c747c925.png
2007-11-30 21:33 20091 --a------ C:\Documents and Settings\jw1173\Application Data\.purple\icons\497851683249f832b4afda8b13562d36ec47701a.png
2007-11-30 20:52 20129 --a------ C:\Documents and Settings\jw1173\Application Data\.purple\icons\87f49d5331a9d1db2ab155d62af53c1d41f7f025.png
2007-11-30 19:56 4451 --a------ C:\Documents and Settings\jw1173\Application Data\.purple\icons\5069c4726c78723380ebd0ffeb6f081e2922cfed.jpg
2007-11-30 18:56 17243 --a------ C:\Documents and Settings\jw1173\Application Data\.purple\icons\8b55cdba1ca2a4e6c010da7c27c0713416f37cfa.png
2007-11-30 18:21 7020 --a------ C:\Documents and Settings\jw1173\Application Data\.purple\icons\6e775354f637d96ab2a9413cb5398b44669ad0c9.gif
2007-11-30 18:17 401 --a------ C:\Documents and Settings\jw1173\Application Data\.purple\status.xml
2007-11-30 17:36 3167 --a------ C:\Documents and Settings\jw1173\Application Data\.purple\icons\ec0740070db0ee4faafbcffb4ec5f4f1f6262683.gif
2007-11-30 17:36 3109 --a------ C:\Documents and Settings\jw1173\Application Data\.purple\icons\1bd272aca7bdfb6ec8a178273db13f1c58d30b44.gif
2007-11-30 17:36 2686 --a------ C:\Documents and Settings\jw1173\Application Data\.purple\icons\f2dfe5a0c80f5e915949faeffde41bdaee4dad42.gif
2007-11-30 17:36 2146 --a------ C:\Documents and Settings\jw1173\Application Data\.purple\icons\534c51dc957b19ab8234029ee2c49809221e2434.gif
2007-11-30 17:36 21091 --a------ C:\Documents and Settings\jw1173\Application Data\.purple\icons\6927ddd6477dbdce71dc8d930a4159cc2eeda7e1.png
2007-11-30 17:36 1993 --a------ C:\Documents and Settings\jw1173\Application Data\.purple\icons\89b467984da01efb7577d85c24c224e0d44bab21.gif
2007-11-30 17:36 1783 --a------ C:\Documents and Settings\jw1173\Application Data\.purple\icons\36a9d97648002d3b965806ac35feb5cd0cfe29ed.gif
2007-11-30 17:36 1696 --a------ C:\Documents and Settings\jw1173\Application Data\.purple\icons\f016d4848188c78657e2751909f3b6c69257205b.gif
2007-11-30 17:36 15684 --a------ C:\Documents and Settings\jw1173\Application Data\.purple\icons\162b0e39735bf8445a4cb3f3366e1c4e8d6302de.png
2007-11-30 17:36 15039 --a------ C:\Documents and Settings\jw1173\Application Data\.purple\icons\bf3100d0f6b14a96ebfb27bfa9fe80312ddc1d6e.png
2007-11-30 17:36 14777 --a------ C:\Documents and Settings\jw1173\Application Data\.purple\icons\af49569e0edfb3541d0b7c37a5055da0a7c42c3b.png
2007-11-30 17:36 13278 --a------ C:\Documents and Settings\jw1173\Application Data\.purple\icons\3b26ee7787eec568e2299e8926cbee269bfd24fb.png


((((((((((((((((((((((((((((( snapshot@2007-12-25_13.14.54.08 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-12-27 14:38:07 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_514.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\Wcescomm.exe" [2006-11-13 13:39]
"ViewSonic Explorer V5.3"="C:\WINDOWS\msdtcsw32.exe" []
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe" []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 04:25]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - C:\WINDOWS\Installer\{AC76BA86-1033-0000-7760-100000000002}\SC_Acrobat.exe [2007-11-29 16:09:55]
IMproxy.bat [2004-01-30 19:56:00]
McAfee Host Intrusion Prevention Tray.lnk - C:\Program Files\McAfee\Host Intrusion Prevention\FireTray.exe [2007-12-05 07:51:22]
VPN Client.lnk - C:\WINDOWS\Installer\{8A3A2363-2129-43FB-8DFC-F237DA58038C}\Icon3E5562ED7.ico [2007-08-01 06:50:51]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableCAD"= 0 (0x0)
"RunLogonScriptSync"= 1 (0x1)
"MaxGPOScriptWait"= 0 (0x0)
"RunStartupScriptSync"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoThumbnailCache"= 1 (0x1)
"NoSMMyPictures"= 1 (0x1)
"NoStartMenuMyMusic"= 1 (0x1)
"ForceStartMenuLogOff"= 1 (0x1)
"NoDesktopCleanupWizard"= 1 (0x1)
"NoAutoUpdate"= 1 (0x1)
"NoWelcomeScreen"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\0\0]
"Script"=EPOstartup.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\1\0]
"Script"=AddAdmin.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\2\0]
"Script"=EPOstartup.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1337413286-2060671379-61685808-29503\Scripts\Logon\0\0]
"Script"=%LOGONSERVER%\NetLogon\CingularDriveMap.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1337413286-2060671379-61685808-35163\Scripts\Logon\0\0]
"Script"=%LOGONSERVER%\NetLogon\CingularDriveMap.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1337413286-2060671379-61685808-3711\Scripts\Logon\0\0]
"Script"=%LOGONSERVER%\NetLogon\CingularDriveMap.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1337413286-2060671379-61685808-3711\Scripts\Logon\1\0]
"Script"=%LOGONSERVER%\NetLogon\CingularDriveMap.vbs


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - D:\Autorun.exe

*Newly Created Service* - HIDSYS

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\Bo65]
C:\Program Files\Business Objects\BusinessObjects Enterprise 6\bin\UserProfileRkey.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\ViewSonic Explorer V5.3]
C:\WINDOWS\msdtcsw32.exe
.
**************************************************************************

disk not found C:\

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

disk not found C:\

**************************************************************************
.
Completion time: 2007-12-27 10:29:34
C:\ComboFix2.txt ... 2007-12-25 13:16
.
2007-12-12 21:45:00 --- E O F ---
xcel
Active Member
 
Posts: 14
Joined: December 21st, 2007, 9:41 pm

Re: Can not remove Virtumonde and Virtumonde.generic - NEED HELP

Unread postby Katana » December 27th, 2007, 3:46 pm

Do you know what these files and folders relate to?

C:\WINDOWS\system32\PSS765F6.DLL
C:\WINDOWS\system32\PSS765F5.DLL
C:\WINDOWS\system32\PSS765E0.DLL
C:\WINDOWS\system32\PSS765D9.DLL
C:\WINDOWS\system32\PSS765D3.DLL
C:\WINDOWS\system32\PSS765CF.DLL
C:\WINDOWS\system32\PSS765CE.DLL
C:\WINDOWS\system32\PSS765CD.DLL
C:\WINDOWS\system32\PSS765CC.DLL
C:\WINDOWS\system32\PSS765CB.DLL
C:\WINDOWS\ms
C:\Documents and Settings\jw1173\Application Data\.purple




Custom CFScript
  • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

    Code:
    File::
    C:\posA7D.tmp
    C:\pos7E5.tmp
    C:\pos61D.tmp
    C:\pos5FC.tmp
    C:\pos420.tmp
    C:\pos40D.tmp
    C:\pos335.tmp
    C:\pos222.tmp
    C:\posFE.tmp
    C:\WINDOWS\system32\ehhrqffo.ini
    C:\WINDOWS\system32\midbjudo.ini
    C:\WINDOWS\system32\uandrmqi.ini
    C:\WINDOWS\system32\kavdadcp.ini
    C:\WINDOWS\system32\muglqwna.ini
    C:\WINDOWS\system32\dulvxlsq.ini
    C:\WINDOWS\system32\slimxane.ini
    C:\WINDOWS\system32\agmmewpc.ini
    C:\WINDOWS\system32\mgauakni.ini
    C:\WINDOWS\system32\rtpoyabm.ini
    C:\WINDOWS\system32\byksaoim.ini
    C:\WINDOWS\system32\pvccbwmq.ini
    C:\WINDOWS\system32\vltxsjkh.ini
    C:\WINDOWS\system32\ibatgcdp.ini
    C:\WINDOWS\system32\colmlcne.ini
    C:\WINDOWS\system32\jauoboif.ini
    C:\WINDOWS\system32\eyuokdxp.ini
    C:\WINDOWS\system32\qwkdbbyu.ini
    C:\WINDOWS\system32\obhsbqxe.ini
    C:\WINDOWS\wininit.ini
    C:\WINDOWS\system32\epoPGPsdk.dll
    C:\WINDOWS\system32\epoPGPsdk.dll.sig
    C:\WINDOWS\system32\aasybheu.ini
    C:\WINDOWS\bootvrfy.ini
    C:\WINDOWS\ulksystem33.exe
    C:\WINDOWS\msdtcsw32.exe
    
    Registry::
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ViewSonic Explorer V5.3"=-
    
    [-HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\ViewSonic Explorer V5.3]
    

  • Save this as CFScript.txt and place it on your desktop.


    Image


  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it will produce a log for you. Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.
Katana
MRU Teacher Emeritus
 
Posts: 6412
Joined: November 10th, 2006, 5:00 pm
Location: Manchester

Re: Can not remove Virtumonde and Virtumonde.generic - NEED HELP

Unread postby xcel » December 29th, 2007, 11:07 pm

I do not know what those files you mentioned are for. Here is my new log.

ComboFix 07-12-21.4 - jw1173 2007-12-29 21:58:22.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.546 [GMT -5:00]
Running from: C:\Documents and Settings\jw1173\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\jw1173\Desktop\CfScript.txt
* Created a new restore point

FILE
C:\pos222.tmp
C:\pos335.tmp
C:\pos40D.tmp
C:\pos420.tmp
C:\pos5FC.tmp
C:\pos61D.tmp
C:\pos7E5.tmp
C:\posA7D.tmp
C:\posFE.tmp
C:\WINDOWS\bootvrfy.ini
C:\WINDOWS\msdtcsw32.exe
C:\WINDOWS\system32\aasybheu.ini
C:\WINDOWS\system32\agmmewpc.ini
C:\WINDOWS\system32\byksaoim.ini
C:\WINDOWS\system32\colmlcne.ini
C:\WINDOWS\system32\dulvxlsq.ini
C:\WINDOWS\system32\ehhrqffo.ini
C:\WINDOWS\system32\epoPGPsdk.dll
C:\WINDOWS\system32\epoPGPsdk.dll.sig
C:\WINDOWS\system32\eyuokdxp.ini
C:\WINDOWS\system32\ibatgcdp.ini
C:\WINDOWS\system32\jauoboif.ini
C:\WINDOWS\system32\kavdadcp.ini
C:\WINDOWS\system32\mgauakni.ini
C:\WINDOWS\system32\midbjudo.ini
C:\WINDOWS\system32\muglqwna.ini
C:\WINDOWS\system32\obhsbqxe.ini
C:\WINDOWS\system32\pvccbwmq.ini
C:\WINDOWS\system32\qwkdbbyu.ini
C:\WINDOWS\system32\rtpoyabm.ini
C:\WINDOWS\system32\slimxane.ini
C:\WINDOWS\system32\uandrmqi.ini
C:\WINDOWS\system32\vltxsjkh.ini
C:\WINDOWS\ulksystem33.exe
C:\WINDOWS\wininit.ini
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\pos222.tmp
C:\pos335.tmp
C:\pos40D.tmp
C:\pos420.tmp
C:\pos5FC.tmp
C:\pos61D.tmp
C:\pos7E5.tmp
C:\posA7D.tmp
C:\posFE.tmp
C:\WINDOWS\bootvrfy.ini
C:\WINDOWS\system32\aasybheu.ini
C:\WINDOWS\system32\agmmewpc.ini
C:\WINDOWS\system32\byksaoim.ini
C:\WINDOWS\system32\colmlcne.ini
C:\WINDOWS\system32\dulvxlsq.ini
C:\WINDOWS\system32\ehhrqffo.ini
C:\WINDOWS\system32\epoPGPsdk.dll
C:\WINDOWS\system32\epoPGPsdk.dll.sig
C:\WINDOWS\system32\eyuokdxp.ini
C:\WINDOWS\system32\ibatgcdp.ini
C:\WINDOWS\system32\jauoboif.ini
C:\WINDOWS\system32\kavdadcp.ini
C:\WINDOWS\system32\mgauakni.ini
C:\WINDOWS\system32\midbjudo.ini
C:\WINDOWS\system32\muglqwna.ini
C:\WINDOWS\system32\obhsbqxe.ini
C:\WINDOWS\system32\pvccbwmq.ini
C:\WINDOWS\system32\qwkdbbyu.ini
C:\WINDOWS\system32\rtpoyabm.ini
C:\WINDOWS\system32\slimxane.ini
C:\WINDOWS\system32\uandrmqi.ini
C:\WINDOWS\system32\vltxsjkh.ini
C:\WINDOWS\ulksystem33.exe
C:\WINDOWS\wininit.ini

.
((((((((((((((((((((((((( Files Created from 2007-11-28 to 2007-12-30 )))))))))))))))))))))))))))))))
.

2007-12-29 21:50 . 2007-12-11 10:31 176,128 --a------ C:\WINDOWS\system32\KevlarSigs.dll
2007-12-29 21:50 . 2007-06-13 11:41 176,128 --a------ C:\WINDOWS\system32\hidapi.dll
2007-12-29 21:50 . 2007-01-26 17:19 53,248 --a------ C:\WINDOWS\system32\hidapistub.dll
2007-12-29 21:50 . 2007-12-05 12:24 23,398 --a------ C:\WINDOWS\system32\kevlar_api_hook_list.dat
2007-12-29 21:48 . 2007-06-13 11:41 182,784 --a------ C:\WINDOWS\system32\drivers\HidSys.sys
2007-12-24 22:59 . 2007-12-24 22:59 <DIR> dr-h----- C:\Documents and Settings\jw1173\Application Data\SecuROM
2007-12-24 22:59 . 2007-12-24 22:59 107,888 --a------ C:\WINDOWS\system32\CmdLineExt.dll
2007-12-24 22:26 . 2007-12-24 22:26 <DIR> d-------- C:\Program Files\EA GAMES
2007-12-24 22:26 . 2007-08-06 19:28 442,368 -ra------ C:\WINDOWS\system32\vp6vfw.dll
2007-12-23 14:53 . 2007-12-23 14:53 <DIR> d-------- C:\VundoFix Backups
2007-12-21 16:36 . 2007-12-21 16:36 <DIR> d-------- C:\Documents and Settings\jw1173\Application Data\Grisoft
2007-12-21 16:00 . 2007-12-21 16:00 14,033 --a------ C:\posA78.tmp
2007-12-21 15:46 . 2007-12-21 15:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-12-21 15:46 . 2007-05-30 07:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-12-20 16:17 . 2007-12-20 16:17 14,033 --a------ C:\pos7D0.tmp
2007-12-20 16:16 . 2007-12-20 16:16 14,033 --a------ C:\pos614.tmp
2007-12-20 15:06 . 2007-12-20 15:06 14,033 --a------ C:\pos5F7.tmp
2007-12-20 15:05 . 2007-12-20 15:05 14,033 --a------ C:\pos41B.tmp
2007-12-20 13:58 . 2007-12-20 13:58 14,033 --a------ C:\pos40B.tmp
2007-12-20 13:57 . 2007-12-20 13:58 14,033 --a------ C:\pos333.tmp
2007-12-20 09:48 . 2007-12-20 09:48 14,033 --a------ C:\pos221.tmp
2007-12-20 09:47 . 2007-12-20 09:47 14,033 --a------ C:\posFB.tmp
2007-12-17 23:27 . 2007-12-17 23:27 113 --a------ C:\WINDOWS\notesnsd.ini
2007-12-17 15:40 . 2007-12-17 15:40 <DIR> d-------- C:\Program Files\HP
2007-12-17 15:40 . 2003-11-11 11:16 266,296 --a------ C:\WINDOWS\system32\HPZidr12.dll
2007-12-17 15:40 . 2003-10-22 10:26 196,608 --a------ C:\WINDOWS\system32\HPZipr12.dll
2007-12-17 15:40 . 2003-07-21 14:24 94,208 --a------ C:\WINDOWS\system32\HPZipt12.dll
2007-12-17 15:40 . 2003-10-22 10:19 65,536 --a------ C:\WINDOWS\system32\HPZipm12.exe
2007-12-17 15:40 . 2003-07-25 12:20 61,699 --a------ C:\WINDOWS\system32\HPZinw12.exe
2007-12-17 15:40 . 2003-07-21 14:24 57,344 --a------ C:\WINDOWS\system32\HPZisn12.dll
2007-12-17 15:38 . 2007-12-17 15:38 <DIR> d-------- C:\Program Files\Hewlett-Packard
2007-12-13 08:38 . 2007-12-13 08:38 <DIR> d-------- C:\Documents and Settings\jw1173\Application Data\Yahoo!
2007-12-13 08:36 . 2007-12-17 21:34 <DIR> dr-h----- C:\Documents and Settings\All Users\Application Data\yahoo!
2007-12-12 18:42 . 2007-12-12 18:42 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2007-12-12 18:42 . 2007-12-12 18:42 1,409 --a------ C:\WINDOWS\QTFont.for
2007-12-10 15:20 . 2006-09-22 14:09 812,296 --a------ C:\WINDOWS\system32\wodFtpDLX.dll
2007-12-10 15:20 . 2001-03-08 17:30 24,064 --a------ C:\WINDOWS\system32\msxml3a.dll
2007-12-10 15:19 . 2007-12-10 15:21 <DIR> d-------- C:\Program Files\PharosSystems
2007-12-10 15:19 . 2007-12-10 15:19 1,759 --a------ C:\WINDOWS\pbp0310y.mif
2007-12-10 11:12 . 2007-12-10 11:12 <DIR> d-------- C:\Program Files\Monarch Report Explorer
2007-12-10 11:12 . 1994-06-14 13:19 51,988 --a------ C:\WINDOWS\system32\pres.ttf
2007-12-10 11:10 . 1997-04-08 14:08 299,520 --a------ C:\WINDOWS\uninst.exe
2007-12-10 11:07 . 2007-12-10 11:07 <DIR> d--h----- C:\WINDOWS\PIF
2007-12-10 11:07 . 2007-12-10 11:07 <DIR> d-------- C:\Program Files\Monarch
2007-12-10 11:07 . 2007-12-10 11:07 <DIR> d-------- C:\Program Files\Common Files\Datawatch Shared
2007-12-10 10:51 . 2005-08-24 15:03 192,512 --a------ C:\WINDOWS\system32\DWRCSET.DLL
2007-12-10 10:51 . 2005-08-24 15:03 160,256 --a------ C:\WINDOWS\system32\DWRCS.EXE
2007-12-10 10:51 . 2004-10-05 15:14 69,632 --a------ C:\WINDOWS\system32\DWRCShell.dll
2007-12-10 10:51 . 2005-08-24 15:02 53,248 --a------ C:\WINDOWS\system32\DWRCK.DLL
2007-12-10 10:51 . 2005-08-24 15:03 43,520 --a------ C:\WINDOWS\system32\DWRCST.EXE
2007-12-10 10:51 . 2004-07-01 09:22 714 --a------ C:\WINDOWS\system32\DWRCST.exe.manifest
2007-12-10 09:31 . 2007-01-08 16:18 2,359,352 --a------ C:\WINDOWS\Cingularbmp.old
2007-12-10 09:31 . 2006-12-20 16:28 1,629,067 --a------ C:\WINDOWS\system32\Cingular.old
2007-12-10 09:31 . 2007-11-12 10:34 1,301,004 --a------ C:\WINDOWS\system32\ATT35Time.att
2007-12-10 07:49 . 2007-12-28 20:17 <DIR> d-------- C:\Program Files\DRU
2007-12-08 18:11 . 2007-12-08 18:11 <DIR> d-------- C:\Program Files\Emanate
2007-12-08 18:09 . 2007-12-23 16:23 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-12-08 18:09 . 2007-12-08 18:09 <DIR> d-------- C:\Program Files\ASDclient
2007-12-07 08:26 . 2007-12-07 08:26 <DIR> d-------- C:\WINDOWS\ms
2007-12-05 09:24 . 2007-12-10 11:58 <DIR> d-------- C:\Documents and Settings\jw1173\Oracle Jar Cache
2007-12-05 09:24 . 2007-12-10 07:35 <DIR> d-------- C:\Documents and Settings\jw1173\.jinit
2007-12-05 09:24 . 2006-09-28 04:45 45,164 --------- C:\WINDOWS\system32\plugincpl13128.cpl
2007-12-05 09:23 . 2006-09-28 04:45 36,962 --------- C:\WINDOWS\system32\ActPanel.dll
2007-12-05 08:19 . 2007-12-05 08:19 143 --a------ C:\WINDOWS\system32\mcrh.tmp
2007-12-05 07:58 . 2007-12-05 07:58 <DIR> d-------- C:\WINDOWS\Mcafee
2007-12-05 07:54 . 2006-11-30 08:50 72,264 --a------ C:\WINDOWS\system32\drivers\mfeavfk.sys
2007-12-05 07:54 . 2006-11-30 08:50 64,360 --a------ C:\WINDOWS\system32\drivers\mfeapfk.sys
2007-12-05 07:54 . 2006-11-30 08:50 52,136 --a------ C:\WINDOWS\system32\drivers\mfetdik.sys
2007-12-05 07:54 . 2006-11-30 08:50 34,152 --a------ C:\WINDOWS\system32\drivers\mfebopk.sys
2007-12-05 07:53 . 2007-12-05 07:53 <DIR> d-------- C:\Program Files\Common Files\McAfee
2007-12-05 07:51 . 2007-12-05 07:53 <DIR> d-------- C:\Program Files\McAfee
2007-12-05 07:51 . 2007-12-05 07:51 <DIR> d-------- C:\Program Files\Common Files\McAfee Inc
2007-12-05 07:51 . 2007-12-05 07:53 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\McAfee
2007-12-03 20:44 . 2007-12-19 07:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-12-03 20:19 . 2005-09-23 08:29 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
2007-12-02 03:05 . 2007-12-02 03:05 118 --a------ C:\WINDOWS\system32\MRT.INI
2007-12-01 22:54 . 2007-12-01 23:00 174,259 ---hs---- C:\WINDOWS\system32\D4CE400c__.ini
2007-12-01 22:53 . 2007-12-17 17:38 <DIR> d-------- C:\Program Files\zzpxkhkx
2007-12-01 22:52 . 2007-12-01 22:52 <DIR> d-------- C:\Program Files\E404 Helper
2007-12-01 22:32 . 2007-12-01 22:32 <DIR> d-------- C:\WINDOWS\system32\mm6
2007-12-01 22:32 . 2007-12-02 06:06 <DIR> d-------- C:\WINDOWS\system32\hv2
2007-12-01 22:32 . 2007-12-02 06:06 <DIR> d-------- C:\WINDOWS\system32\dr1
2007-12-01 22:32 . 2007-12-01 22:59 <DIR> d-------- C:\WINDOWS\system32\daSgo01
2007-12-01 22:32 . 2007-12-02 06:06 <DIR> d--hs---- C:\WINDOWS\Q2luZ3VsYXIgVXNlcg
2007-12-01 22:32 . 2007-12-25 13:07 <DIR> d-------- C:\Temp
2007-12-01 19:20 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2007-12-01 19:20 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2007-12-01 13:32 . 2007-12-10 07:02 82 --a------ C:\WINDOWS\wwwbatch.ini
2007-12-01 08:33 . 2007-12-01 08:33 <DIR> d-------- C:\Documents and Settings\jw1173\Application Data\Sierra Wireless
2007-12-01 08:32 . 2004-08-03 23:08 17,024 --a------ C:\WINDOWS\system32\drivers\usbohci.sys
2007-12-01 08:32 . 2004-08-03 23:08 17,024 --a--c--- C:\WINDOWS\system32\dllcache\usbohci.sys
2007-12-01 07:58 . 2007-12-02 20:05 <DIR> d-------- C:\Program Files\lotus
2007-11-30 20:22 . 2007-11-30 20:22 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2007-11-30 17:43 . 2007-12-01 10:17 <DIR> d-------- C:\Documents and Settings\jw1173\Application Data\gtk-2.0
2007-11-30 17:35 . 2007-12-22 12:39 <DIR> d-------- C:\Documents and Settings\jw1173\Application Data\.purple
2007-11-30 17:30 . 2007-11-30 17:31 <DIR> d-------- C:\Program Files\Pidgin
2007-11-30 17:30 . 2007-11-30 17:31 <DIR> d-------- C:\Program Files\Aspell
2007-11-30 17:29 . 2007-11-30 17:29 <DIR> d-------- C:\Program Files\Common Files\GTK
2007-11-30 15:16 . 2007-11-30 15:16 4 --a------ C:\WINDOWS\Essbase.id
2007-11-30 15:15 . 2007-11-30 15:15 <DIR> d-------- C:\Hyperion

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-22 17:39 --------- d-----w C:\Documents and Settings\jw1173\Application Data\.purple
2007-12-10 20:22 11,264 ----a-w C:\WINDOWS\system32\PSS765F6.DLL
2007-12-10 20:22 11,264 ----a-w C:\WINDOWS\system32\PSS765F5.DLL
2007-12-10 20:22 11,264 ----a-w C:\WINDOWS\system32\PSS765E0.DLL
2007-12-10 20:22 11,264 ----a-w C:\WINDOWS\system32\PSS765D9.DLL
2007-12-10 20:22 11,264 ----a-w C:\WINDOWS\system32\PSS765D3.DLL
2007-12-10 20:22 11,264 ----a-w C:\WINDOWS\system32\PSS765CF.DLL
2007-12-10 20:22 11,264 ----a-w C:\WINDOWS\system32\PSS765CE.DLL
2007-12-10 20:22 11,264 ----a-w C:\WINDOWS\system32\PSS765CD.DLL
2007-12-10 20:22 11,264 ----a-w C:\WINDOWS\system32\PSS765CC.DLL
2007-12-10 20:22 11,264 ----a-w C:\WINDOWS\system32\PSS765CB.DLL
2007-12-10 16:07 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-12-02 14:43 --------- d-----w C:\Program Files\Network Associates
2007-12-02 14:43 --------- d-----w C:\Documents and Settings\All Users\Application Data\Network Associates
2007-11-30 20:13 --------- d-----w C:\Program Files\Java
2007-11-30 15:21 --------- d-----w C:\Program Files\Microsoft ActiveSync
2007-11-29 17:15 111,153 ----a-w C:\Program Files\INSTALL.LOG
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-11-12 15:34 1,301,004 ----a-w C:\WINDOWS\system32\Cingular.scr
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-27 22:39 230,912 ----a-w C:\WINDOWS\system32\wmasf.dll
.

((((((((((((((((((((((((((((( snapshot@2007-12-25_13.14.54.08 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-12-30 02:49:01 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_4e8.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\Wcescomm.exe" [2006-11-13 13:39]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe" []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 04:25]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - C:\WINDOWS\Installer\{AC76BA86-1033-0000-7760-100000000002}\SC_Acrobat.exe [2007-11-29 16:09:55]
IMproxy.bat [2004-01-30 19:56:00]
McAfee Host Intrusion Prevention Tray.lnk - C:\Program Files\McAfee\Host Intrusion Prevention\FireTray.exe [2007-12-05 07:51:22]
VPN Client.lnk - C:\WINDOWS\Installer\{8A3A2363-2129-43FB-8DFC-F237DA58038C}\Icon3E5562ED7.ico [2007-08-01 06:50:51]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableCAD"= 0 (0x0)
"RunLogonScriptSync"= 1 (0x1)
"MaxGPOScriptWait"= 0 (0x0)
"RunStartupScriptSync"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoThumbnailCache"= 1 (0x1)
"NoSMMyPictures"= 1 (0x1)
"NoStartMenuMyMusic"= 1 (0x1)
"ForceStartMenuLogOff"= 1 (0x1)
"NoDesktopCleanupWizard"= 1 (0x1)
"NoAutoUpdate"= 1 (0x1)
"NoWelcomeScreen"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\0\0]
"Script"=EPOstartup.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\1\0]
"Script"=AddAdmin.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\2\0]
"Script"=EPOstartup.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1337413286-2060671379-61685808-29503\Scripts\Logon\0\0]
"Script"=%LOGONSERVER%\NetLogon\CingularDriveMap.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1337413286-2060671379-61685808-35163\Scripts\Logon\0\0]
"Script"=%LOGONSERVER%\NetLogon\CingularDriveMap.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1337413286-2060671379-61685808-3711\Scripts\Logon\0\0]
"Script"=%LOGONSERVER%\NetLogon\CingularDriveMap.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1337413286-2060671379-61685808-3711\Scripts\Logon\1\0]
"Script"=%LOGONSERVER%\NetLogon\CingularDriveMap.vbs

R0 GhMon;GhostMountMonitor - Boot Phase Driver;C:\WINDOWS\system32\Drivers\ghmon.sys [2004-08-26 16:03]
R1 tcpipBM;Bytemobile Kernel Network Provider;C:\WINDOWS\system32\drivers\tcpipBM.sys [2007-03-23 17:18]
R2 CcmExec;SMS Agent Host;C:\WINDOWS\System32\CCM\CcmExec.exe [2007-04-13 02:50]
R2 DRUAgent;DRUAgent;C:\PROGRAM FILES\DRU\bin\DRUService.exe [2007-06-22 18:02]
R2 enterceptAgent;McAfee Host Intrusion Prevention Service;"C:\Program Files\McAfee\Host Intrusion Prevention\FireSvc.exe" [2007-06-13 11:47]
R2 prgnDiscAgent;Peregrine Discovery Agent;"C:\Program Files\Peregrine\Discovery Agent\bin32\discagnt.exe" [2005-12-07 21:01]
R2 snmpdm;snmpdm;"C:\Program Files\Emanate\snmpdm.exe" -l 8161 []
R2 Wuser32;SMS Remote Control Agent;C:\WINDOWS\System32\CCM\CLICOMP\RemCtrl\Wuser32.exe [2007-04-13 02:50]
R3 CONAN;CONAN;C:\WINDOWS\system32\drivers\o2mmb.sys [2003-07-28 23:49]
R3 hidsys;hidsys;C:\WINDOWS\system32\Drivers\hidsys.sys [2007-06-13 11:41]
R3 idisw2km;idisw2km;C:\WINDOWS\system32\DRIVERS\idisw2km.sys [2005-11-28 10:44]
R3 kbstuff;SMS Virtual Keyboard;C:\WINDOWS\system32\DRIVERS\kbstuff5.sys [2005-11-28 10:44]
R3 prepdrvr;SMS Process Event Driver;C:\WINDOWS\System32\CCM\prepdrv.sys [2007-04-13 02:50]
S0 GhPostConfig;GhostPostConfig - Boot Phase Driver;C:\WINDOWS\system32\Drivers\ghpcw2k.sys [2004-08-26 16:04]
S1 snmpdm_;snmpdm_;"C:\Program Files\Emanate\snmpdm_.sys" [2007-12-29 21:49]
S2 GhPostConfig_Auto;GhostPostConfig - Auto Phase Driver;C:\WINDOWS\system32\Drivers\ghpcw2k.sys [2004-08-26 16:04]
S2 NGClient;Symantec Ghost Win32 Client Agent;C:\Program Files\Symantec\Ghost\ngctw32.exe [2004-08-26 16:35]
S3 mbxfilt;mbxfilt;C:\WINDOWS\system32\drivers\MbxFilt.sys [2002-12-09 15:29]
S3 MbxStby;MbxStby;C:\WINDOWS\system32\drivers\MbxStby.sys [2003-07-24 13:50]
S3 OracleClientCache80;OracleClientCache80;C:\orant\BIN\ONRSD80.EXE [2004-01-08 08:10]
S3 PCTINDIS5;PCTINDIS5 NDIS Protocol Driver;C:\WINDOWS\system32\PCTINDIS5.SYS [2007-03-23 17:14]
S3 SWNC8U20;Sierra Wireless MUX NDIS Driver (UMTS20);C:\WINDOWS\system32\DRIVERS\swnc8u20.sys [2007-03-26 14:21]
S3 SWUMX20;Sierra Wireless USB MUX Driver (UMTS20);C:\WINDOWS\system32\DRIVERS\swumx20.sys [2007-03-26 14:21]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - D:\Autorun.exe

*Newly Created Service* - HIDSYS

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\Bo65]
C:\Program Files\Business Objects\BusinessObjects Enterprise 6\bin\UserProfileRkey.exe
.
**************************************************************************

disk not found C:\

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

disk not found C:\

**************************************************************************
.
Completion time: 2007-12-29 22:03:58
C:\ComboFix2.txt ... 2007-12-27 10:30
C:\ComboFix3.txt ... 2007-12-25 13:16
.
2007-12-12 21:45:00 --- E O F ---
xcel
Active Member
 
Posts: 14
Joined: December 21st, 2007, 9:41 pm

Re: Can not remove Virtumonde and Virtumonde.generic - NEED HELP

Unread postby Katana » December 30th, 2007, 8:16 am

Submit a File For Analysis
We need to have the files below Scanned by Uploading them/it to Virus Total

Please visit Virustotal
Copy/paste the following file path into the window
C:\WINDOWS\system32\D4CE400c__.ini
Click Submit/Send File
Please post back, to let me know the results.

If Virustotal is too busy please try Jotti

Custom CFScript
  • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

    Code:
    DirLook::
    C:\WINDOWS\ms
    C:\Program Files\zzpxkhkx
    C:\WINDOWS\system32\mm6
    C:\WINDOWS\system32\hv2
    C:\WINDOWS\system32\dr1
    C:\WINDOWS\system32\daSgo01
    C:\WINDOWS\Q2luZ3VsYXIgVXNlcg
    
    File::
    C:\posA78.tmp
    C:\pos7D0.tmp
    C:\pos614.tmp
    C:\pos5F7.tmp
    C:\pos41B.tmp
    C:\pos40B.tmp
    C:\pos333.tmp
    C:\pos221.tmp
    C:\posFB.tmp
    C:\WINDOWS\system32\PSS765F6.DLL
    C:\WINDOWS\system32\PSS765F5.DLL
    C:\WINDOWS\system32\PSS765E0.DLL
    C:\WINDOWS\system32\PSS765D9.DLL
    C:\WINDOWS\system32\PSS765D3.DLL
    C:\WINDOWS\system32\PSS765CF.DLL
    C:\WINDOWS\system32\PSS765CE.DLL
    C:\WINDOWS\system32\PSS765CD.DLL
    C:\WINDOWS\system32\PSS765CC.DLL
    C:\WINDOWS\system32\PSS765CB.DLL
    Folder::
    C:\Program Files\E404 Helper
    

  • Save this as CFScript.txt and place it on your desktop.


    Image


  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it will produce a log for you. Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.



Kaspersky Online Scanner.
Your Antivirus and/or Antispyware may give a warning during the scan. This is perfectly normal.
Go Here http://www.kaspersky.com/virusscanner

Read the Requirements and limitations before you click Accept.
Allow the ActiveX download if necessary
Once the database has downloaded, click Next.
Click Scan Settings and change the "Scan using the following antivirus database" from standard to extended and then click OK.
Click on "My Computer" and then put the kettle on!
When the scan has completed, click Save Report As...
Enter a name for the file in the Filename: text box and then click the down arrow to the right of Save as type: and select text file (*.txt)
Click Save - by default the file will be saved to your Desktop, but you can change this if you wish.


Logs/Information to Post in Reply
Please post the following logs/Information in your reply
  • VirusTotal results
  • ComboFix Log
  • Kaspersky Log
  • How are things running now ?
Katana
MRU Teacher Emeritus
 
Posts: 6412
Joined: November 10th, 2006, 5:00 pm
Location: Manchester

Re: Can not remove Virtumonde and Virtumonde.generic - NEED HELP

Unread postby xcel » December 30th, 2007, 1:45 pm

VirusTotal results

File D4CE400c__.ini received on 12.30.2007 18:30:49 (CET)

Result: 0/32 (0%)

Antivirus Version Last Update Result
AhnLab-V3 2007.12.29.11 2007.12.29 -
AntiVir 7.6.0.46 2007.12.30 -
Authentium 4.93.8 2007.12.30 -
Avast 4.7.1098.0 2007.12.30 -
AVG 7.5.0.516 2007.12.30 -
BitDefender 7.2 2007.12.30 -
CAT-QuickHeal 9.00 2007.12.29 -
ClamAV 0.91.2 2007.12.30 -
DrWeb 4.44.0.09170 2007.12.30 -
eSafe 7.0.15.0 2007.12.27 -
eTrust-Vet 31.3.5412 2007.12.29 -
Ewido 4.0 2007.12.30 -
FileAdvisor 1 2007.12.30 -
Fortinet 3.14.0.0 2007.12.30 -
F-Prot 4.4.2.54 2007.12.29 -
F-Secure 6.70.13030.0 2007.12.30 -
Ikarus T3.1.1.15 2007.12.30 -
Kaspersky 7.0.0.125 2007.12.30 -
McAfee 5195 2007.12.28 -
Microsoft 1.3109 2007.12.30 -
NOD32v2 2756 2007.12.30 -
Norman 5.80.02 2007.12.28 -
Panda 9.0.0.4 2007.12.30 -
Prevx1 V2 2007.12.30 -
Rising 20.24.52.00 2007.12.29 -
Sophos 4.24.0 2007.12.30 -
Sunbelt 2.2.907.0 2007.12.30 -
Symantec 10 2007.12.30 -
TheHacker 6.2.9.175 2007.12.29 -
VBA32 3.12.2.5 2007.12.29 -
VirusBuster 4.3.26:9 2007.12.30 -
Webwasher-Gateway 6.6.2 2007.12.30 -
Additional information
File size: 174259 bytes
MD5: d0f8171d4b48e35db55eae8e1642f351
SHA1: e6bba0136ce4d588f6f53fb78f95aa3dbb57bf7b
PEiD: -
xcel
Active Member
 
Posts: 14
Joined: December 21st, 2007, 9:41 pm

Re: Can not remove Virtumonde and Virtumonde.generic - NEED HELP

Unread postby xcel » December 30th, 2007, 1:55 pm

ComboFix 07-12-21.4 - jw1173 2007-12-30 12:48:01.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.526 [GMT -5:00]
Running from: C:\Documents and Settings\jw1173\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\jw1173\Desktop\CFScript.txt
* Created a new restore point

FILE
C:\pos221.tmp
C:\pos333.tmp
C:\pos40B.tmp
C:\pos41B.tmp
C:\pos5F7.tmp
C:\pos614.tmp
C:\pos7D0.tmp
C:\posA78.tmp
C:\posFB.tmp
C:\WINDOWS\system32\PSS765CB.DLL
C:\WINDOWS\system32\PSS765CC.DLL
C:\WINDOWS\system32\PSS765CD.DLL
C:\WINDOWS\system32\PSS765CE.DLL
C:\WINDOWS\system32\PSS765CF.DLL
C:\WINDOWS\system32\PSS765D3.DLL
C:\WINDOWS\system32\PSS765D9.DLL
C:\WINDOWS\system32\PSS765E0.DLL
C:\WINDOWS\system32\PSS765F5.DLL
C:\WINDOWS\system32\PSS765F6.DLL
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\pos221.tmp
C:\pos333.tmp
C:\pos40B.tmp
C:\pos41B.tmp
C:\pos5F7.tmp
C:\pos614.tmp
C:\pos7D0.tmp
C:\posA78.tmp
C:\posFB.tmp
C:\Program Files\E404 Helper
C:\Program Files\E404 Helper\e404.v4.dll
C:\WINDOWS\system32\PSS765CB.DLL
C:\WINDOWS\system32\PSS765CC.DLL
C:\WINDOWS\system32\PSS765CD.DLL
C:\WINDOWS\system32\PSS765CE.DLL
C:\WINDOWS\system32\PSS765CF.DLL
C:\WINDOWS\system32\PSS765D3.DLL
C:\WINDOWS\system32\PSS765D9.DLL
C:\WINDOWS\system32\PSS765E0.DLL
C:\WINDOWS\system32\PSS765F5.DLL
C:\WINDOWS\system32\PSS765F6.DLL

.
((((((((((((((((((((((((( Files Created from 2007-11-28 to 2007-12-30 )))))))))))))))))))))))))))))))
.

2007-12-30 12:23 . 2007-12-11 10:31 176,128 --a------ C:\WINDOWS\system32\KevlarSigs.dll
2007-12-30 12:23 . 2007-06-13 11:41 176,128 --a------ C:\WINDOWS\system32\hidapi.dll
2007-12-30 12:23 . 2007-01-26 17:19 53,248 --a------ C:\WINDOWS\system32\hidapistub.dll
2007-12-30 12:23 . 2007-12-05 12:24 23,398 --a------ C:\WINDOWS\system32\kevlar_api_hook_list.dat
2007-12-30 12:21 . 2007-06-13 11:41 182,784 --a------ C:\WINDOWS\system32\drivers\HidSys.sys
2007-12-24 22:59 . 2007-12-24 22:59 <DIR> dr-h----- C:\Documents and Settings\jw1173\Application Data\SecuROM
2007-12-24 22:59 . 2007-12-24 22:59 107,888 --a------ C:\WINDOWS\system32\CmdLineExt.dll
2007-12-24 22:26 . 2007-12-24 22:26 <DIR> d-------- C:\Program Files\EA GAMES
2007-12-24 22:26 . 2007-08-06 19:28 442,368 -ra------ C:\WINDOWS\system32\vp6vfw.dll
2007-12-23 14:53 . 2007-12-23 14:53 <DIR> d-------- C:\VundoFix Backups
2007-12-21 16:36 . 2007-12-21 16:36 <DIR> d-------- C:\Documents and Settings\jw1173\Application Data\Grisoft
2007-12-21 16:00 . 2007-12-21 16:00 14,033 --a------ C:\posA6C.tmp
2007-12-21 15:46 . 2007-12-21 15:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-12-21 15:46 . 2007-05-30 07:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-12-20 16:17 . 2007-12-20 16:17 14,033 --a------ C:\pos7CD.tmp
2007-12-20 16:16 . 2007-12-20 16:16 14,033 --a------ C:\pos609.tmp
2007-12-20 15:06 . 2007-12-20 15:06 14,033 --a------ C:\pos5DC.tmp
2007-12-20 15:05 . 2007-12-20 15:05 14,033 --a------ C:\pos409.tmp
2007-12-20 13:58 . 2007-12-20 13:58 14,033 --a------ C:\pos40A.tmp
2007-12-20 13:57 . 2007-12-20 13:57 14,033 --a------ C:\pos326.tmp
2007-12-20 09:48 . 2007-12-20 09:48 14,033 --a------ C:\pos216.tmp
2007-12-20 09:47 . 2007-12-20 09:47 14,033 --a------ C:\posF0.tmp
2007-12-17 23:27 . 2007-12-17 23:27 113 --a------ C:\WINDOWS\notesnsd.ini
2007-12-17 15:40 . 2007-12-17 15:40 <DIR> d-------- C:\Program Files\HP
2007-12-17 15:40 . 2003-11-11 11:16 266,296 --a------ C:\WINDOWS\system32\HPZidr12.dll
2007-12-17 15:40 . 2003-10-22 10:26 196,608 --a------ C:\WINDOWS\system32\HPZipr12.dll
2007-12-17 15:40 . 2003-07-21 14:24 94,208 --a------ C:\WINDOWS\system32\HPZipt12.dll
2007-12-17 15:40 . 2003-10-22 10:19 65,536 --a------ C:\WINDOWS\system32\HPZipm12.exe
2007-12-17 15:40 . 2003-07-25 12:20 61,699 --a------ C:\WINDOWS\system32\HPZinw12.exe
2007-12-17 15:40 . 2003-07-21 14:24 57,344 --a------ C:\WINDOWS\system32\HPZisn12.dll
2007-12-17 15:38 . 2007-12-17 15:38 <DIR> d-------- C:\Program Files\Hewlett-Packard
2007-12-13 08:38 . 2007-12-13 08:38 <DIR> d-------- C:\Documents and Settings\jw1173\Application Data\Yahoo!
2007-12-13 08:36 . 2007-12-17 21:34 <DIR> dr-h----- C:\Documents and Settings\All Users\Application Data\yahoo!
2007-12-12 18:42 . 2007-12-12 18:42 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2007-12-12 18:42 . 2007-12-12 18:42 1,409 --a------ C:\WINDOWS\QTFont.for
2007-12-10 15:22 . 2006-09-22 13:23 442,368 --a------ C:\WINDOWS\system32\PSP765B6.DLL
2007-12-10 15:22 . 2006-09-22 13:23 249,856 --a------ C:\WINDOWS\system32\PSR76562.DLL
2007-12-10 15:20 . 2006-09-22 14:09 812,296 --a------ C:\WINDOWS\system32\wodFtpDLX.dll
2007-12-10 15:20 . 2001-03-08 17:30 24,064 --a------ C:\WINDOWS\system32\msxml3a.dll
2007-12-10 15:19 . 2007-12-10 15:21 <DIR> d-------- C:\Program Files\PharosSystems
2007-12-10 15:19 . 2007-12-10 15:19 1,759 --a------ C:\WINDOWS\pbp0310y.mif
2007-12-10 11:12 . 2007-12-10 11:12 <DIR> d-------- C:\Program Files\Monarch Report Explorer
2007-12-10 11:12 . 1994-06-14 13:19 51,988 --a------ C:\WINDOWS\system32\pres.ttf
2007-12-10 11:10 . 1997-04-08 14:08 299,520 --a------ C:\WINDOWS\uninst.exe
2007-12-10 11:07 . 2007-12-10 11:07 <DIR> d--h----- C:\WINDOWS\PIF
2007-12-10 11:07 . 2007-12-10 11:07 <DIR> d-------- C:\Program Files\Monarch
2007-12-10 11:07 . 2007-12-10 11:07 <DIR> d-------- C:\Program Files\Common Files\Datawatch Shared
2007-12-10 10:51 . 2005-08-24 15:03 192,512 --a------ C:\WINDOWS\system32\DWRCSET.DLL
2007-12-10 10:51 . 2005-08-24 15:03 160,256 --a------ C:\WINDOWS\system32\DWRCS.EXE
2007-12-10 10:51 . 2004-10-05 15:14 69,632 --a------ C:\WINDOWS\system32\DWRCShell.dll
2007-12-10 10:51 . 2005-08-24 15:02 53,248 --a------ C:\WINDOWS\system32\DWRCK.DLL
2007-12-10 10:51 . 2005-08-24 15:03 43,520 --a------ C:\WINDOWS\system32\DWRCST.EXE
2007-12-10 10:51 . 2004-07-01 09:22 714 --a------ C:\WINDOWS\system32\DWRCST.exe.manifest
2007-12-10 09:31 . 2007-01-08 16:18 2,359,352 --a------ C:\WINDOWS\Cingularbmp.old
2007-12-10 09:31 . 2006-12-20 16:28 1,629,067 --a------ C:\WINDOWS\system32\Cingular.old
2007-12-10 09:31 . 2007-11-12 10:34 1,301,004 --a------ C:\WINDOWS\system32\ATT35Time.att
2007-12-10 07:49 . 2007-12-28 20:17 <DIR> d-------- C:\Program Files\DRU
2007-12-08 18:11 . 2007-12-08 18:11 <DIR> d-------- C:\Program Files\Emanate
2007-12-08 18:09 . 2007-12-23 16:23 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-12-08 18:09 . 2007-12-08 18:09 <DIR> d-------- C:\Program Files\ASDclient
2007-12-07 08:26 . 2007-12-07 08:26 <DIR> d-------- C:\WINDOWS\ms
2007-12-05 09:24 . 2007-12-10 11:58 <DIR> d-------- C:\Documents and Settings\jw1173\Oracle Jar Cache
2007-12-05 09:24 . 2007-12-10 07:35 <DIR> d-------- C:\Documents and Settings\jw1173\.jinit
2007-12-05 09:24 . 2006-09-28 04:45 45,164 --------- C:\WINDOWS\system32\plugincpl13128.cpl
2007-12-05 09:23 . 2006-09-28 04:45 36,962 --------- C:\WINDOWS\system32\ActPanel.dll
2007-12-05 08:19 . 2007-12-05 08:19 143 --a------ C:\WINDOWS\system32\mcrh.tmp
2007-12-05 07:58 . 2007-12-05 07:58 <DIR> d-------- C:\WINDOWS\Mcafee
2007-12-05 07:54 . 2006-11-30 08:50 72,264 --a------ C:\WINDOWS\system32\drivers\mfeavfk.sys
2007-12-05 07:54 . 2006-11-30 08:50 64,360 --a------ C:\WINDOWS\system32\drivers\mfeapfk.sys
2007-12-05 07:54 . 2006-11-30 08:50 52,136 --a------ C:\WINDOWS\system32\drivers\mfetdik.sys
2007-12-05 07:54 . 2006-11-30 08:50 34,152 --a------ C:\WINDOWS\system32\drivers\mfebopk.sys
2007-12-05 07:53 . 2007-12-05 07:53 <DIR> d-------- C:\Program Files\Common Files\McAfee
2007-12-05 07:51 . 2007-12-05 07:53 <DIR> d-------- C:\Program Files\McAfee
2007-12-05 07:51 . 2007-12-05 07:51 <DIR> d-------- C:\Program Files\Common Files\McAfee Inc
2007-12-05 07:51 . 2007-12-05 07:53 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\McAfee
2007-12-03 20:44 . 2007-12-19 07:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-12-03 20:19 . 2005-09-23 08:29 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
2007-12-02 03:05 . 2007-12-02 03:05 118 --a------ C:\WINDOWS\system32\MRT.INI
2007-12-01 22:54 . 2007-12-01 23:00 174,259 ---hs---- C:\WINDOWS\system32\D4CE400c__.ini
2007-12-01 22:53 . 2007-12-17 17:38 <DIR> d-------- C:\Program Files\zzpxkhkx
2007-12-01 22:32 . 2007-12-01 22:32 <DIR> d-------- C:\WINDOWS\system32\mm6
2007-12-01 22:32 . 2007-12-02 06:06 <DIR> d-------- C:\WINDOWS\system32\hv2
2007-12-01 22:32 . 2007-12-02 06:06 <DIR> d-------- C:\WINDOWS\system32\dr1
2007-12-01 22:32 . 2007-12-01 22:59 <DIR> d-------- C:\WINDOWS\system32\daSgo01
2007-12-01 22:32 . 2007-12-02 06:06 <DIR> d--hs---- C:\WINDOWS\Q2luZ3VsYXIgVXNlcg
2007-12-01 22:32 . 2007-12-25 13:07 <DIR> d-------- C:\Temp
2007-12-01 19:20 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2007-12-01 19:20 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2007-12-01 13:32 . 2007-12-10 07:02 82 --a------ C:\WINDOWS\wwwbatch.ini
2007-12-01 08:33 . 2007-12-01 08:33 <DIR> d-------- C:\Documents and Settings\jw1173\Application Data\Sierra Wireless
2007-12-01 08:32 . 2004-08-03 23:08 17,024 --a------ C:\WINDOWS\system32\drivers\usbohci.sys
2007-12-01 08:32 . 2004-08-03 23:08 17,024 --a--c--- C:\WINDOWS\system32\dllcache\usbohci.sys
2007-12-01 07:58 . 2007-12-02 20:05 <DIR> d-------- C:\Program Files\lotus
2007-11-30 20:22 . 2007-11-30 20:22 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2007-11-30 17:43 . 2007-12-01 10:17 <DIR> d-------- C:\Documents and Settings\jw1173\Application Data\gtk-2.0
2007-11-30 17:35 . 2007-12-22 12:39 <DIR> d-------- C:\Documents and Settings\jw1173\Application Data\.purple
2007-11-30 17:30 . 2007-11-30 17:31 <DIR> d-------- C:\Program Files\Pidgin
2007-11-30 17:30 . 2007-11-30 17:31 <DIR> d-------- C:\Program Files\Aspell
2007-11-30 17:29 . 2007-11-30 17:29 <DIR> d-------- C:\Program Files\Common Files\GTK
2007-11-30 15:16 . 2007-11-30 15:16 4 --a------ C:\WINDOWS\Essbase.id

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-22 17:39 --------- d-----w C:\Documents and Settings\jw1173\Application Data\.purple
2007-12-10 16:07 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-12-02 14:43 --------- d-----w C:\Program Files\Network Associates
2007-12-02 14:43 --------- d-----w C:\Documents and Settings\All Users\Application Data\Network Associates
2007-11-30 20:13 --------- d-----w C:\Program Files\Java
2007-11-30 15:21 --------- d-----w C:\Program Files\Microsoft ActiveSync
2007-11-29 17:15 111,153 ----a-w C:\Program Files\INSTALL.LOG
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-11-12 15:34 1,301,004 ----a-w C:\WINDOWS\system32\Cingular.scr
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-27 22:39 230,912 ----a-w C:\WINDOWS\system32\wmasf.dll
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

---- Directory of C:\Program Files\zzpxkhkx ----


---- Directory of C:\WINDOWS\ms ----


---- Directory of C:\WINDOWS\Q2luZ3VsYXIgVXNlcg ----


---- Directory of C:\WINDOWS\system32\daSgo01 ----


---- Directory of C:\WINDOWS\system32\dr1 ----


---- Directory of C:\WINDOWS\system32\hv2 ----


---- Directory of C:\WINDOWS\system32\mm6 ----

2007-11-16 02:07 117913 --a------ C:\WINDOWS\system32\mm6\ncstdb33.exe


((((((((((((((((((((((((((((( snapshot@2007-12-25_13.14.54.08 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-12-30 17:21:51 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_618.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\Wcescomm.exe" [2006-11-13 13:39]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe" []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 04:25]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - C:\WINDOWS\Installer\{AC76BA86-1033-0000-7760-100000000002}\SC_Acrobat.exe [2007-11-29 16:09:55]
IMproxy.bat [2004-01-30 19:56:00]
McAfee Host Intrusion Prevention Tray.lnk - C:\Program Files\McAfee\Host Intrusion Prevention\FireTray.exe [2007-12-05 07:51:22]
VPN Client.lnk - C:\WINDOWS\Installer\{8A3A2363-2129-43FB-8DFC-F237DA58038C}\Icon3E5562ED7.ico [2007-08-01 06:50:51]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableCAD"= 0 (0x0)
"RunLogonScriptSync"= 1 (0x1)
"MaxGPOScriptWait"= 0 (0x0)
"RunStartupScriptSync"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoThumbnailCache"= 1 (0x1)
"NoSMMyPictures"= 1 (0x1)
"NoStartMenuMyMusic"= 1 (0x1)
"ForceStartMenuLogOff"= 1 (0x1)
"NoDesktopCleanupWizard"= 1 (0x1)
"NoAutoUpdate"= 1 (0x1)
"NoWelcomeScreen"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\0\0]
"Script"=EPOstartup.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\1\0]
"Script"=AddAdmin.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\2\0]
"Script"=EPOstartup.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1337413286-2060671379-61685808-29503\Scripts\Logon\0\0]
"Script"=%LOGONSERVER%\NetLogon\CingularDriveMap.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1337413286-2060671379-61685808-35163\Scripts\Logon\0\0]
"Script"=%LOGONSERVER%\NetLogon\CingularDriveMap.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1337413286-2060671379-61685808-3711\Scripts\Logon\0\0]
"Script"=%LOGONSERVER%\NetLogon\CingularDriveMap.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1337413286-2060671379-61685808-3711\Scripts\Logon\1\0]
"Script"=%LOGONSERVER%\NetLogon\CingularDriveMap.vbs

R0 GhMon;GhostMountMonitor - Boot Phase Driver;C:\WINDOWS\system32\Drivers\ghmon.sys [2004-08-26 16:03]
R1 tcpipBM;Bytemobile Kernel Network Provider;C:\WINDOWS\system32\drivers\tcpipBM.sys [2007-03-23 17:18]
R2 CcmExec;SMS Agent Host;C:\WINDOWS\System32\CCM\CcmExec.exe [2007-04-13 02:50]
R2 DRUAgent;DRUAgent;C:\PROGRAM FILES\DRU\bin\DRUService.exe [2007-06-22 18:02]
R2 enterceptAgent;McAfee Host Intrusion Prevention Service;"C:\Program Files\McAfee\Host Intrusion Prevention\FireSvc.exe" [2007-06-13 11:47]
R2 prgnDiscAgent;Peregrine Discovery Agent;"C:\Program Files\Peregrine\Discovery Agent\bin32\discagnt.exe" [2005-12-07 21:01]
R2 snmpdm;snmpdm;"C:\Program Files\Emanate\snmpdm.exe" -l 8161 []
R2 Wuser32;SMS Remote Control Agent;C:\WINDOWS\System32\CCM\CLICOMP\RemCtrl\Wuser32.exe [2007-04-13 02:50]
R3 CONAN;CONAN;C:\WINDOWS\system32\drivers\o2mmb.sys [2003-07-28 23:49]
R3 hidsys;hidsys;C:\WINDOWS\system32\Drivers\hidsys.sys [2007-06-13 11:41]
R3 idisw2km;idisw2km;C:\WINDOWS\system32\DRIVERS\idisw2km.sys [2005-11-28 10:44]
R3 kbstuff;SMS Virtual Keyboard;C:\WINDOWS\system32\DRIVERS\kbstuff5.sys [2005-11-28 10:44]
R3 prepdrvr;SMS Process Event Driver;C:\WINDOWS\System32\CCM\prepdrv.sys [2007-04-13 02:50]
S0 GhPostConfig;GhostPostConfig - Boot Phase Driver;C:\WINDOWS\system32\Drivers\ghpcw2k.sys [2004-08-26 16:04]
S2 GhPostConfig_Auto;GhostPostConfig - Auto Phase Driver;C:\WINDOWS\system32\Drivers\ghpcw2k.sys [2004-08-26 16:04]
S2 NGClient;Symantec Ghost Win32 Client Agent;C:\Program Files\Symantec\Ghost\ngctw32.exe [2004-08-26 16:35]
S3 mbxfilt;mbxfilt;C:\WINDOWS\system32\drivers\MbxFilt.sys [2002-12-09 15:29]
S3 MbxStby;MbxStby;C:\WINDOWS\system32\drivers\MbxStby.sys [2003-07-24 13:50]
S3 OracleClientCache80;OracleClientCache80;C:\orant\BIN\ONRSD80.EXE [2004-01-08 08:10]
S3 PCTINDIS5;PCTINDIS5 NDIS Protocol Driver;C:\WINDOWS\system32\PCTINDIS5.SYS [2007-03-23 17:14]
S3 SWNC8U20;Sierra Wireless MUX NDIS Driver (UMTS20);C:\WINDOWS\system32\DRIVERS\swnc8u20.sys [2007-03-26 14:21]
S3 SWUMX20;Sierra Wireless USB MUX Driver (UMTS20);C:\WINDOWS\system32\DRIVERS\swumx20.sys [2007-03-26 14:21]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - D:\Autorun.exe


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\Bo65]
C:\Program Files\Business Objects\BusinessObjects Enterprise 6\bin\UserProfileRkey.exe
.
**************************************************************************

disk not found C:\

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

disk not found C:\

**************************************************************************
.
Completion time: 2007-12-30 12:53:24
C:\ComboFix2.txt ... 2007-12-29 22:04
C:\ComboFix3.txt ... 2007-12-27 10:30
.
2007-12-12 21:45:00 --- E O F ---
xcel
Active Member
 
Posts: 14
Joined: December 21st, 2007, 9:41 pm
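As an added example (written for this page; it is not part of the thread, not ComboFix output, and not from any tool the helper used), here is a Python script that parses "Files Created" lines from a ComboFix log like the one above and flags the three things the helper had the user look at by hand: entries carrying the hidden+system attribute pair (the hs in d--hs----), names that decode cleanly as base64 (C:\WINDOWS\Q2luZ3VsYXIgVXNlcg decodes to "Cingular User"), and runs of same-size files with a shared name pattern (the C:\pos*.tmp series, all 14,033 bytes). The sample lines are copied from the log posted above; the entry layout and the reading of the attribute letters (h = hidden, s = system) are inferred from that log and are assumptions about ComboFix's format rather than documented behaviour.

```python
"""Triage ComboFix 'Files Created' lines for the artifacts a Vundo-style cleanup targets.

Added example for this thread; not ComboFix output or code from any tool used here.
The entry layout (created . modified size attrs path) and the meaning of the
attribute letters (d=dir, r=read-only, a=archive, h=hidden, s=system, c=compressed)
are read off the log posted above and are an assumption.
"""
import base64
import re
from collections import defaultdict

# One ComboFix entry: "YYYY-MM-DD HH:MM . YYYY-MM-DD HH:MM <size|<DIR>> <attrs> <path>"
ENTRY_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size><DIR>|[\d,]+) "
    r"(?P<attrs>[-a-z]{9}) "
    r"(?P<path>\S.*)$"
)

# Constructed sample: a subset of the lines from the log posted above.
SAMPLE_LOG = r"""
2007-12-21 16:00 . 2007-12-21 16:00 14,033 --a------ C:\posA6C.tmp
2007-12-20 16:17 . 2007-12-20 16:17 14,033 --a------ C:\pos7CD.tmp
2007-12-20 16:16 . 2007-12-20 16:16 14,033 --a------ C:\pos609.tmp
2007-12-10 15:22 . 2006-09-22 13:23 442,368 --a------ C:\WINDOWS\system32\PSP765B6.DLL
2007-12-05 07:54 . 2006-11-30 08:50 72,264 --a------ C:\WINDOWS\system32\drivers\mfeavfk.sys
2007-12-01 22:54 . 2007-12-01 23:00 174,259 ---hs---- C:\WINDOWS\system32\D4CE400c__.ini
2007-12-01 22:53 . 2007-12-17 17:38 <DIR> d-------- C:\Program Files\zzpxkhkx
2007-12-01 22:32 . 2007-12-02 06:06 <DIR> d--hs---- C:\WINDOWS\Q2luZ3VsYXIgVXNlcg
"""


def parse_entries(log_text):
    """Parse every line that matches ComboFix's entry layout; other lines are skipped."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["is_dir"] = e["size"] == "<DIR>"
        e["size"] = None if e["is_dir"] else int(e["size"].replace(",", ""))
        e["name"] = e["path"].rsplit("\\", 1)[-1]  # basename, Windows separator
        entries.append(e)
    return entries


def is_hidden_system(attrs):
    """True when both the hidden (h) and system (s) flags are set, e.g. 'd--hs----'."""
    return "h" in attrs and "s" in attrs


def decode_base64_name(name):
    """Return the plaintext if `name` is (possibly unpadded) base64 of printable ASCII, else None.

    In the log above, Q2luZ3VsYXIgVXNlcg -> 'Cingular User'.
    """
    if not re.fullmatch(r"[A-Za-z0-9+/]{8,}={0,2}", name):
        return None
    stripped = name.rstrip("=")
    padded = stripped + "=" * (-len(stripped) % 4)
    try:
        raw = base64.b64decode(padded, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    if raw and all(0x20 <= b < 0x7F for b in raw):
        return raw.decode("ascii")
    return None


def find_size_runs(entries, min_count=3):
    """Group files by (name pattern, size); return groups of at least `min_count`.

    Hex runs before the extension are wildcarded so posA6C.tmp / pos7CD.tmp / pos609.tmp
    share the key ('pos*.tmp', 14033).
    """
    groups = defaultdict(list)
    for e in entries:
        if e["is_dir"]:
            continue
        stem = re.sub(r"[0-9A-Fa-f]+(?=\.[^.]+$)", "*", e["name"])
        groups[(stem, e["size"])].append(e["path"])
    return {key: paths for key, paths in groups.items() if len(paths) >= min_count}


def triage(log_text):
    """Return (kind, detail) findings: hidden+system entries, base64 names, same-size runs."""
    entries = parse_entries(log_text)
    findings = []
    for e in entries:
        if is_hidden_system(e["attrs"]):
            findings.append(("hidden+system", e["path"]))
        decoded = decode_base64_name(e["name"])
        if decoded is not None:
            findings.append(("base64-name", f"{e['path']} -> {decoded!r}"))
    for (stem, size), paths in find_size_runs(entries).items():
        findings.append(("same-size-run", f"{len(paths)} files of {size} bytes matching {stem}"))
    return findings


if __name__ == "__main__":
    for kind, detail in triage(SAMPLE_LOG):
        print(f"{kind:15} {detail}")
```

Run it with python3 and it prints the findings for the embedded sample; pass the full text of a ComboFix log to triage() to get the same list for a whole post. Same-size runs and base64-looking names are heuristics, not verdicts: a legitimate installer can drop identically sized files, so treat a hit as an item to hash and look up (as the helper did with D4CE400c__.ini), not as proof of infection.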