Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

win32/adware.virtumonde.application keeps appearing on NOD32

Post by owise1 » March 25th, 2008, 7:32 am

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:21:46, on 25/03/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe
C:\Program Files\DAP Premium\DAP.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.skybroadband.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.skybroadband.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://skybroadband.com/portal/site/skybb
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer Provided By Sky Broadband
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AddTask Class - {24F06550-65E3-4D1C-8CFE-839C296B5530} - C:\Program Files\real\IEeREAD.dll
O2 - BHO: QFX Software KeyScrambler - {2B9F5787-88A5-4945-90E7-C4B18563BC5E} - C:\Program Files\KeyScrambler\KeyScramblerIE.dll
O2 - BHO: AddTask Class - {6A19C29D-ED45-4483-8999-9F939C8161F2} - C:\Program Files\real\WebHook.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {CF3FC4E8-8132-4D99-B43D-AEC175D64E8B} - C:\WINDOWS\system32\gebxvvv.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Bluetooth.lnk = ?
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP Premium\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP Premium\dapextie.htm
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP Premium\dapextie2.htm
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Sky - {08E730A4-FB02-45BD-A900-01E4AD8016F6} - http://www.skybroadband.com (file missing)
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: (no name) - {5C106A59-CC3C-4caa-81A4-6D909B5ACE23} - C:\Program Files\KeyScrambler\KeyScramblerIE.dll
O9 - Extra 'Tools' menuitem: &KeyScrambler... - {5C106A59-CC3C-4caa-81A4-6D909B5ACE23} - C:\Program Files\KeyScrambler\KeyScramblerIE.dll
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windows ... 8946681359
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {AF2E62B6-F9E1-4D4F-A10A-9DC8E6DCBCC0} (VideoEgg ActiveX Loader) - http://update.videoegg.com/Install/Wind ... lisher.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O16 - DPF: {D821DC4A-0814-435E-9820-661C543A4679} (CRLDownloadWrapper Class) - http://drmlicense.one.microsoft.com/crl ... crlocx.ocx
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: gebxvvv - C:\WINDOWS\SYSTEM32\gebxvvv.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: lxce_device - Lexmark International, Inc. - C:\WINDOWS\system32\lxcecoms.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe

--
End of file - 9656 bytes

Any help would be very appreciated.

Cheers!
owise1
Active Member
 
Posts: 5
Joined: March 25th, 2008, 7:25 am
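The log above contains the one pairing a helper looks for first: a nameless O2 BHO whose DLL sits directly in system32 (`gebxvvv.dll`), and the same DLL registered again as an O20 Winlogon Notify package, which loads it into winlogon.exe at logon before the desktop and most scanners are up. That double load point is the persistence pattern Vundo/Virtumonde leaves, and it is why the same detection keeps coming back: the copy loaded by winlogon rewrites whatever the scanner removes. The following triage script is an added example for this page, not part of the thread, of HijackThis or of ComboFix. It parses the O2 and O20 lines, scores each BHO on the three signals (no name, lives in system32, also an O20 entry) and lists the two registry keys that hold the load points. The sample input is a verbatim subset of the O2/O20 lines from the posted log; the severity scale and the function names are this example's own.

```python
"""Triage of HijackThis O2/O20 entries for a Vundo-style double load point.

Added example; not code from the thread, HijackThis or ComboFix.
"""
import re

# Constructed sample: the O2 and O20 lines from the posted log, copied verbatim.
# RoboForm is a legitimate nameless BHO and serves as the negative case.
SAMPLE_LOG = r"""
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {CF3FC4E8-8132-4D99-B43D-AEC175D64E8B} - C:\WINDOWS\system32\gebxvvv.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: gebxvvv - C:\WINDOWS\SYSTEM32\gebxvvv.dll
"""

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<key>.+?) - (?P<path>.+)$")
SYSTEM32 = "c:\\windows\\system32\\"
SEVERITY = {1: "review", 2: "medium", 3: "high"}  # example's own scale


def parse_hjt(log):
    """Pull the O2 (BHO) and O20 (Winlogon Notify) entries out of a HijackThis log.
    Paths are lower-cased so the O2 and O20 spellings of one DLL compare equal."""
    bhos, notifies = [], []
    for raw in log.splitlines():
        line = raw.strip()
        m = O2_RE.match(line)
        if m:
            bhos.append({"name": m["name"], "clsid": m["clsid"].upper(),
                         "path": m["path"].strip().lower()})
            continue
        m = O20_RE.match(line)
        if m:
            notifies.append({"key": m["key"], "path": m["path"].strip().lower()})
    return bhos, notifies


def triage(log):
    """Return {dll_path: (severity, [reasons])} for every BHO with at least one signal.

    Signals: registered with no name (legitimate add-ons do this too, so alone it
    is only 'review'); DLL directly in system32 rather than under Program Files;
    the same DLL also present as a Winlogon Notify package. All three is 'high'.
    """
    bhos, notifies = parse_hjt(log)
    notify_paths = {n["path"] for n in notifies}
    findings = {}
    for b in bhos:
        reasons = []
        if b["name"] == "(no name)":
            reasons.append("nameless BHO")
        if b["path"].startswith(SYSTEM32):
            reasons.append("DLL in system32")
        if b["path"] in notify_paths:
            reasons.append("also a Winlogon Notify package (O20)")
        if reasons:
            findings[b["path"]] = (SEVERITY[len(reasons)], reasons)
    return findings


def remediation_keys(log):
    """For each 'high' finding, the two registry keys holding its load points.
    Key layout follows the 'Reg Loading Points' section ComboFix prints."""
    bhos, notifies = parse_hjt(log)
    targets = []
    for path, (sev, _) in triage(log).items():
        if sev != "high":
            continue
        for b in bhos:
            if b["path"] == path:
                targets.append(r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer"
                               r"\Browser Helper Objects\{%s}" % b["clsid"])
        for n in notifies:
            if n["path"] == path:
                targets.append(r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion"
                               r"\Winlogon\Notify\%s" % n["key"])
    return targets


if __name__ == "__main__":
    for path, (sev, reasons) in triage(SAMPLE_LOG).items():
        print(f"[{sev:6}] {path}: {'; '.join(reasons)}")
    for key in remediation_keys(SAMPLE_LOG):
        print("load point:", key)
```

Deleting those two keys with HijackThis while the DLL is still loaded in winlogon.exe usually does not stick, which is the reason the helper in this thread goes straight to a tool that removes the file at boot rather than fixing the O2/O20 lines in place.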

Re: win32/adware.virtumonde.application keeps appearing on NOD32

Post by Scotty » March 25th, 2008, 7:35 am

Hi! Welcome to the MWR forums.
My name is Scotty. I would be glad to take a look at your log and help you with solving any malware problems. HijackThis logs can take a while to research.

Please be patient, as my posts to you have to be checked before I reply, so they may take longer.

Please make an uninstall list using HijackThis.
To access the Uninstall Manager you would do the following:

1. Start HijackThis
2. Click on the Config button
3. Click on the Misc Tools button
4. Click on the Open Uninstall Manager button.
5. Click on the Save list... button and specify where you would like to save this file. When you press the Save button, a Notepad window will open with the contents of that file. Simply copy and paste the contents of that Notepad window here in a reply.
Scotty
Retired Graduate
 
Posts: 4138
Joined: August 4th, 2006, 5:31 am
Location: Haggistown, Kiltland

Re: win32/adware.virtumonde.application keeps appearing on NOD32

Post by owise1 » March 25th, 2008, 7:40 am

As requested.


Ad-Aware 2007
Adobe Flash Player ActiveX
Adobe Flash Player Plugin
Adobe Reader 8.1.1
AI RoboForm (All Users)
Allok 3GP PSP MP4 iPod Video Converter 2.3.2
Apple Mobile Device Support
Apple Software Update
BCM V.92 56K Modem
Broadcom 440x 10/100 Integrated Controller
CCleaner (remove only)
ConvertXtoDVD 3.0.0.1
DAP Premium
Diskeeper Professional Edition
DivX Web Player
Download Accelerator Plus (DAP)
FinePixViewer Ver.4.3
Five-A-Side Football
FrostWire 4.13.5
FUJIFILM USB Driver
Hide IP Platinum 3.5
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.0 (KB932471)
Intel(R) Extreme Graphics Driver
iPod for Windows 2005-03-23
iPodCopy
iTunes
Java(TM) 6 Update 3
Java(TM) 6 Update 5
KeyScrambler
Lexmark 4300 Series
Lexmark Fax Solutions
M3 Ringtones 1.01
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 1
Microsoft .NET Framework 3.0 Service Pack 1
Microsoft Base Smart Card Cryptographic Service Provider Package
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
Microsoft National Language Support Downlevel APIs
Microsoft Office 2000 Premium
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Microsoft Works
Mozilla Firefox (2.0.0.12)
MSXML 4.0 SP2 (KB936181)
MSXML 6.0 Parser (KB933579)
Nero 7 Premium
neroxml
NOD32 antivirus system
NOD32 FiX v1.9
PPLive 1.3.20
PPMate Network TV 2.3.1.74
PPStream
QuickTime
SAMSUNG CDMA Modem Driver Set
SAMSUNG Mobile USB Modem 1.0 Software
SAMSUNG Mobile USB Modem Software
Samsung PC Studio
Samsung PC Studio 3 USB Driver Installer
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows XP (KB923789)
Sky Broadband
Sony Ericsson PC Suite
SoundMAX
Spybot - Search & Destroy
SUPERAntiSpyware Free Edition
TuneUp Utilities 2008
TVAnts 1.0
TVUPlayer 2.3.5.4
U.B. Funkeys
VersionTracker Pro Windows
VideoLAN VLC media player 0.8.6e
Vodafone 804SS USB driver Software
WIDCOMM Bluetooth Software
Windows Imaging Component
Windows Internet Explorer 7
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows Presentation Foundation
Windows XP Service Pack 2
WinRAR archiver
Xilisoft DVD Ripper Platinum
owise1
Active Member
 
Posts: 5
Joined: March 25th, 2008, 7:25 am

Re: win32/adware.virtumonde.application keeps appearing on NOD32

Post by Scotty » March 25th, 2008, 8:46 am

Hi

P2P Warning!
Please note that as long as you are using any form of Peer-to-Peer networking and downloading files from non-documented sources, you can expect infestations of malware to occur.
Once upon a time, P2P file sharing was fairly safe. That is no longer true. You may continue to use P2P sharing at your own risk; however, please keep in mind that this practice may be the source of your current malware infestation.
Additional information on the safety of Peer to Peer programs themselves is here :
Clean/Infected P2P Programs
Please uninstall FrostWire for the course of your fix, so you don't risk inviting more malware onto your computer.


If you already have Combofix, please delete that copy and download it again as it's being updated regularly.

Here is a small tutorial on the use of Combofix
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
The use of Combofix without instruction from an expert is not recommended


Please download Combofix from Bleeping Computer.

If you can't download it from there, please try these 2 alternative sites:

Forospyware
Geeks to Go

  • Save it to your Desktop.
  • Disconnect from the Internet, then disable your anti-virus and any real-time anti-spyware monitors that are running.
  • Double-click the Combofix.exe to run it.
  • When finished, it shall produce a log for you. Post that log in your next reply with a new HijackThis log.

Note 1: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.
Note 2: Remember to re-enable your anti-virus and anti-spyware before reconnecting to the Internet.



In your next reply post:
ComboFix.txt
New HijackThis log taken after the above scan has run
Scotty
Retired Graduate
 
Posts: 4138
Joined: August 4th, 2006, 5:31 am
Location: Haggistown, Kiltland

Re: win32/adware.virtumonde.application keeps appearing on NOD32

Post by owise1 » March 25th, 2008, 10:00 am

as requested:

ComboFix 08-03-24.2 - Owner 2008-03-25 13:40:08.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.166 [GMT 0:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
* Created a new restore point
* Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Owner\Application Data\inst.exe
C:\WINDOWS\system32\gebxvvv.dll

.
((((((((((((((((((((((((( Files Created from 2008-02-25 to 2008-03-25 )))))))))))))))))))))))))))))))
.

2008-03-25 12:52 . 2008-03-25 12:52 <DIR> d-------- C:\Program Files\Photo Story 3 for Windows
2008-03-25 11:21 . 2008-03-25 11:21 <DIR> d-------- C:\Program Files\Trend Micro
2008-03-24 20:29 . 2008-03-24 20:29 <DIR> d-------- C:\Program Files\Lavasoft
2008-03-24 20:29 . 2008-03-24 20:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-03-24 20:25 . 2008-03-24 20:25 <DIR> d-------- C:\Program Files\real
2008-03-24 17:07 . 2005-09-23 08:29 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
2008-03-24 17:07 . 2008-03-24 17:10 51,355 --a------ C:\WINDOWS\system32\muzika.xm
2008-03-24 15:49 . 2008-03-24 16:34 <DIR> d-------- C:\Documents and Settings\Owner\.housecall6.6
2008-03-24 11:15 . 2008-03-24 11:15 277 --a------ C:\WINDOWS\wininit.ini
2008-03-23 18:11 . 2008-03-23 18:11 2,368 --a------ C:\WINDOWS\system32\SVKP.sys
2008-03-23 18:10 . 2008-03-23 18:11 <DIR> d-------- C:\Program Files\Allok 3GP PSP MP4 iPod Video Converter
2008-03-23 18:10 . 2006-09-26 13:57 28,672 --a------ C:\WINDOWS\system32\AVEQ.dll
2008-03-23 16:14 . 2008-03-23 16:14 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-03-23 16:13 . 2008-03-23 17:01 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-03-23 16:13 . 2008-03-23 16:13 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\SUPERAntiSpyware.com
2008-03-23 11:49 . 2008-02-28 13:26 1,414,440 --a------ C:\WINDOWS\system32\ShellManager310E2D762.dll
2008-03-23 11:49 . 2008-02-28 13:01 774,144 --a------ C:\WINDOWS\system32\NEROINSTAEC43759.DB
2008-03-23 11:46 . 2008-03-23 11:46 0 --a------ C:\WINDOWS\Irremote.ini
2008-03-22 17:44 . 2008-03-22 17:44 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avg7
2008-03-22 13:20 . 2008-03-22 13:21 <DIR> d-------- C:\Program Files\Five-A-Side Football
2008-03-22 13:20 . 2008-03-22 13:20 <DIR> d-------- C:\Documents and Settings\Owner\WINDOWS
2008-03-22 13:20 . 1997-03-24 17:42 314,368 --a------ C:\WINDOWS\IsUninst.exe
2008-03-21 18:59 . 2008-03-21 18:59 715,248 --a------ C:\WINDOWS\system32\drivers\sptd.sys
2008-03-21 17:03 . 2004-05-04 11:53 1,645,320 --a------ C:\WINDOWS\gdiplus.dll
2008-03-21 17:03 . 2006-05-20 16:16 1,184,984 --a------ C:\WINDOWS\system32\wvc1dmod.dll
2008-03-21 17:03 . 2006-05-11 19:21 626,688 --a------ C:\WINDOWS\system32\vp7vfw.dll
2008-03-21 17:03 . 2007-03-18 20:37 65,602 --a------ C:\WINDOWS\system32\cook3260.dll
2008-03-21 16:05 . 2008-03-21 16:05 <DIR> d-------- C:\Documents and Settings\Owner\Bluetooth Software
2008-03-21 16:02 . 2008-03-21 16:02 <DIR> d-------- C:\Program Files\WIDCOMM
2008-03-21 16:02 . 2006-11-13 10:41 862,922 --a------ C:\WINDOWS\system32\drivers\btkrnl.sys
2008-03-21 16:02 . 2006-10-30 10:52 329,901 --a------ C:\WINDOWS\system32\drivers\btaudio.sys
2008-03-21 16:02 . 2006-10-30 10:51 149,123 --a------ C:\WINDOWS\system32\drivers\btwdndis.sys
2008-03-21 16:02 . 2006-10-30 10:52 106,557 --a------ C:\WINDOWS\system32\btw_ci.dll
2008-03-21 16:02 . 2006-10-30 10:51 67,672 --a------ C:\WINDOWS\system32\drivers\btwusb.sys
2008-03-21 16:02 . 2006-10-30 10:51 47,875 --a------ C:\WINDOWS\system32\drivers\btwhid.sys
2008-03-21 16:02 . 2006-10-30 10:51 30,459 --a------ C:\WINDOWS\system32\drivers\btport.sys
2008-03-21 15:34 . 2005-08-30 01:49 94,000 --a------ C:\WINDOWS\system32\drivers\ssm_mdm.sys
2008-03-21 15:34 . 2005-08-30 01:47 58,320 --a------ C:\WINDOWS\system32\drivers\ssm_bus.sys
2008-03-21 15:34 . 2005-08-30 01:49 8,336 --a------ C:\WINDOWS\system32\drivers\ssm_mdfl.sys
2008-03-21 15:34 . 2005-08-30 01:49 6,176 --a------ C:\WINDOWS\system32\drivers\ssm_cmnt.sys
2008-03-21 15:34 . 2005-08-30 01:49 6,176 --a------ C:\WINDOWS\system32\drivers\ssm_cm.sys
2008-03-21 15:34 . 2005-08-30 01:47 5,840 --a------ C:\WINDOWS\system32\drivers\ssm_whnt.sys
2008-03-21 15:34 . 2005-08-30 01:47 5,840 --a------ C:\WINDOWS\system32\drivers\ssm_wh.sys
2008-03-21 15:21 . 2008-03-21 15:21 <DIR> d-------- C:\Program Files\Sony Ericsson
2008-03-21 15:21 . 2008-03-21 15:22 <DIR> d-------- C:\Program Files\Common Files\Teleca Shared
2008-03-21 15:21 . 2008-03-21 15:21 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Teleca
2008-03-21 15:21 . 2008-03-21 15:22 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Sony Ericsson
2008-03-19 20:43 . 2008-03-19 20:43 28,876 --ah----- C:\WINDOWS\system32\mlfcache.dat
2008-03-18 13:17 . 2008-03-18 13:17 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\FaxCtr
2008-03-16 18:29 . 2008-03-16 18:29 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\FUJIFILM
2008-03-16 17:36 . 2003-09-04 01:45 274,432 --a------ C:\WINDOWS\system32\FFTIFF16.dll
2008-03-16 17:36 . 2004-07-24 12:28 155,648 --a------ C:\WINDOWS\system32\FFRAFLIB.DLL
2008-03-16 17:35 . 2008-03-16 17:36 <DIR> d-------- C:\Program Files\FinePixViewer
2008-03-16 17:34 . 2001-11-25 11:11 81,924 --------- C:\WINDOWS\system32\drivers\VC4CB104.SYS
2008-03-16 17:34 . 2002-02-05 16:33 69,632 --------- C:\WINDOWS\system32\FREGSHEX.DLL
2008-03-16 17:34 . 2002-02-27 11:27 65,536 --------- C:\WINDOWS\system32\FINFCHECK.dll
2008-03-16 17:34 . 2002-06-25 10:06 45,056 --------- C:\WINDOWS\system32\FINFCOPY.dll
2008-03-16 17:34 . 2002-02-13 10:00 45,056 --------- C:\WINDOWS\system32\FCLKBTN.DLL
2008-03-15 16:22 . 2008-03-15 16:22 <DIR> d-------- C:\Program Files\NeroInstall.bak
2008-03-15 16:17 . 2008-03-23 11:53 <DIR> d-------- C:\Program Files\Common Files\Nero
2008-03-15 13:49 . 2008-03-15 13:49 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Nero
2008-03-15 13:42 . 2008-03-23 11:53 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Nero
2008-03-15 10:48 . 2008-03-15 10:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\vsosdk
2008-03-15 10:48 . 2008-03-23 18:32 2,392 --a------ C:\WINDOWS\system32\d3d9caps.dat
2008-03-15 09:20 . 2008-03-15 09:20 376 --a------ C:\WINDOWS\ODBC.INI
2008-03-15 09:17 . 2008-03-15 09:17 <DIR> d-------- C:\WINDOWS\ShellNew
2008-03-15 09:16 . 2008-03-15 09:16 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Microsoft Web Folders
2008-03-14 14:19 . 2008-03-14 14:19 <DIR> d-------- C:\Program Files\iTunes
2008-03-11 20:42 . 2000-01-18 23:45 69,632 --a------ C:\WINDOWS\system32\CrcCtrl.ocx
2008-03-10 20:52 . 2008-03-10 20:53 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\VideoEgg
2008-03-09 21:01 . 2008-03-10 11:28 <DIR> d-------- C:\Program Files\Google
2008-03-06 19:49 . 2008-03-06 19:49 <DIR> d-------- C:\Program Files\Xilisoft
2008-03-06 19:49 . 2005-11-21 05:48 45,056 --a------ C:\WINDOWS\system32\WNASPI32.DLL
2008-03-06 19:49 . 2005-11-21 05:48 16,512 --a------ C:\WINDOWS\system32\drivers\ASPI32.SYS
2008-03-06 12:38 . 2008-03-06 12:38 307,968 --a------ C:\WINDOWS\system32\TuneUpDefragService.exe
2008-03-06 12:38 . 2008-02-27 13:15 28,416 --a------ C:\WINDOWS\system32\uxtuneup.dll
2008-03-06 12:36 . 2008-03-22 17:44 <DIR> d-------- C:\Program Files\TuneUp Utilities 2008
2008-03-06 12:36 . 2008-03-24 20:28 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-03-05 21:41 . 2008-03-10 22:27 189 --a------ C:\WINDOWS\system32\temp_0000_65-15.aok
2008-03-05 21:27 . 2008-03-06 10:26 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kontiki
2008-03-05 21:26 . 2008-03-05 21:26 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Channel4
2008-03-01 11:46 . 2008-03-01 11:47 <DIR> d-------- C:\Program Files\PPLive
2008-02-29 20:07 . 2008-02-29 20:08 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\DVD Shrink
2008-02-29 17:39 . 2008-03-21 15:57 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Samsung
2008-02-29 17:38 . 2006-05-03 22:53 174,592 --a------ C:\WINDOWS\system32\framedyn.dll
2008-02-29 17:36 . 2006-07-24 16:05 5,632 --a------ C:\WINDOWS\system32\drivers\StarOpen.sys
2008-02-29 17:20 . 2005-08-13 05:06 22,486 -ra------ C:\WINDOWS\system32\UnInstall_Sample.ico
2008-02-29 17:19 . 2008-03-21 15:33 <DIR> d-------- C:\WINDOWS\system32\Samsung PC Studio Codecs
2008-02-29 17:19 . 2005-08-28 20:51 766 --a------ C:\WINDOWS\system32\Uninstall.ico
2008-02-29 17:18 . 2006-03-21 15:49 2,729,472 --a------ C:\WINDOWS\system32\fun_avcodec.dll
2008-02-29 17:18 . 2006-04-18 16:32 684,032 --a------ C:\WINDOWS\system32\fun_mp4_enc.dll
2008-02-29 17:18 . 2006-04-11 16:49 671,744 --a------ C:\WINDOWS\system32\FunDecFilter.ax
2008-02-29 17:18 . 2006-04-11 13:13 532,480 --a------ C:\WINDOWS\system32\FunEncFilter.ax
2008-02-29 17:18 . 2006-04-06 11:28 77,824 --a------ C:\WINDOWS\system32\fun_mp4_dec.dll
2008-02-29 17:17 . 2008-02-29 17:37 <DIR> d-------- C:\WINDOWS\system32\Samsung_USB_Drivers
2008-02-29 17:17 . 2008-03-21 15:33 <DIR> d-------- C:\Program Files\Samsung
2008-02-29 17:17 . 2005-08-13 05:06 22,486 -ra------ C:\WINDOWS\system32\UnInstall_Driver.ico
2008-02-28 13:38 . 2008-02-28 13:38 <DIR> d-------- C:\Program Files\MSBuild
2008-02-28 09:51 . 2008-03-04 19:53 <DIR> d-------- C:\Program Files\Abbyy FineReader 6.0 Sprint
2008-02-28 09:50 . 2008-02-28 09:51 <DIR> d-------- C:\Program Files\Lexmark Fax Solutions

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-18 08:54 --------- d-----w C:\Program Files\ESET
2008-03-25 13:36 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-03-25 13:33 --------- d-----w C:\Program Files\FrostWire
2008-03-25 13:09 --------- d-----w C:\Documents and Settings\Owner\Application Data\Vso
2008-03-25 10:02 --------- d-----w C:\Documents and Settings\Owner\Application Data\Ahead
2008-03-24 20:31 --------- d-----w C:\Documents and Settings\Owner\Application Data\uTorrent
2008-03-24 17:23 --------- d-----w C:\Program Files\Nero
2008-03-24 15:24 --------- d-----w C:\Program Files\Java
2008-03-23 14:58 --------- d-----w C:\Documents and Settings\Owner\Application Data\VersionTracker Pro
2008-03-23 12:05 --------- d-----w C:\Program Files\Common Files\Ahead
2008-03-22 14:41 --------- d-----w C:\Program Files\PPMate
2008-03-21 17:03 47,360 ----a-w C:\WINDOWS\system32\drivers\pcouffin.sys
2008-03-21 17:03 47,360 ----a-w C:\Documents and Settings\Owner\Application Data\pcouffin.sys
2008-03-21 17:03 --------- d-----w C:\Program Files\VSO
2008-03-21 15:55 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-21 15:33 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-03-21 14:49 --------- d-----w C:\Documents and Settings\Owner\Application Data\Sony
2008-03-21 14:20 --------- d-----w C:\Documents and Settings\Owner\Application Data\FrostWire
2008-03-20 15:40 --------- d-----w C:\Program Files\M3 Ringtones
2008-03-19 20:27 --------- d-----w C:\Documents and Settings\Owner\Application Data\Apple Computer
2008-03-19 20:25 --------- d-----w C:\Program Files\DAP Premium
2008-03-15 09:15 --------- d-----w C:\Program Files\microsoft frontpage
2008-03-14 14:19 --------- d-----w C:\Program Files\iPod
2008-03-11 19:40 2,608 ----a-w C:\Documents and Settings\Owner\Application Data\wklnhst.dat
2008-03-06 20:55 --------- d-----w C:\Documents and Settings\Owner\Application Data\dvdcss
2008-03-05 15:40 --------- d-----w C:\Documents and Settings\Owner\Application Data\eBookPro6
2008-03-01 13:20 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-28 12:23 --------- d-----w C:\Program Files\Lexmark 4300 Series
2008-02-27 10:05 --------- d-----w C:\Program Files\Common Files\Real
2008-02-24 16:13 --------- d-----w C:\Program Files\QuickTime
2008-02-24 16:10 --------- d-----w C:\Program Files\Apple Software Update
2008-02-24 15:08 --------- d-----w C:\Program Files\PPStream
2008-02-24 09:59 --------- d-----w C:\Program Files\TVUPlayer
2008-02-24 09:59 --------- d-----w C:\Documents and Settings\Owner\Application Data\TVU networks
2008-02-24 09:59 --------- d-----w C:\Documents and Settings\All Users\Application Data\TVU networks
2008-02-24 09:17 --------- d-----w C:\Program Files\TVAnts
2008-02-22 16:35 --------- d-----w C:\Program Files\Hide IP Platinum
2008-02-15 22:28 --------- d-----w C:\Documents and Settings\All Users\Application Data\{732094A9-8D45-41EB-B8CC-4EBAADD7808E}
2008-02-15 22:25 --------- d-----w C:\Documents and Settings\Owner\Application Data\URSoft
2008-02-13 20:36 --------- d-----w C:\Program Files\Common Files\Synacast
2008-02-13 20:36 --------- d-----w C:\Documents and Settings\Owner\Application Data\PPMate
2008-02-10 17:03 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-02-10 13:44 --------- d-----w C:\Program Files\Real Desktop
2008-02-09 10:47 --------- d-----w C:\Documents and Settings\All Users\Application Data\Sony
2008-02-09 10:44 --------- d-----w C:\Program Files\Sony Setup
2008-01-29 22:22 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-01-29 22:19 --------- d-----w C:\Documents and Settings\Owner\Application Data\Media Player Classic
2008-01-28 20:36 --------- d-----w C:\Program Files\Sky Broadband
2008-01-28 20:26 --------- d-----w C:\Documents and Settings\Owner\Application Data\Azureus
.
----a-w         7,019,335 2008-01-05 00:34:16  C:\Documents and Settings\Owner\My Documents\software\Download Accelerator Plus 8.6.1.4 Final\DAP Premium .exe



------- Sigcheck -------

2006-04-20 11:51 359808 1dbf125862891817f374f407626967f4 C:\WINDOWS\$hf_mig$\KB917953\SP2GDR\tcpip.sys
2006-04-20 12:18 360576 b2220c618b42a2212a59d91ebd6fc4b4 C:\WINDOWS\$hf_mig$\KB917953\SP2QFE\tcpip.sys
2007-10-30 16:53 360832 64798ecfa43d78c7178375fcdd16d8c8 C:\WINDOWS\$hf_mig$\KB941644\SP2QFE\tcpip.sys
2006-04-20 11:38 340480 b8158e2a6112c0a5ca67bc158fc70218 C:\WINDOWS\$NtServicePackUninstall$\tcpip.sys
2004-08-04 06:14 359040 9f4b36614a0fc234525ba224957de55c C:\WINDOWS\ServicePackFiles\i386\tcpip.sys
2008-02-24 09:55 360064 01307b76a916a8f6d1f1452744ba7ad6 C:\WINDOWS\system32\backup\tcpip.sys
2007-10-30 17:20 360064 90caff4b094573449a0872a0f919b178 C:\WINDOWS\system32\dllcache\tcpip.sys
2007-10-30 17:20 360064 34a663e7f74ae8b2c992c2513343477e C:\WINDOWS\system32\drivers\tcpip.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{24F06550-65E3-4D1C-8CFE-839C296B5530}]
2007-06-28 17:25 57344 --------- C:\Program Files\real\IEeREAD.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6A19C29D-ED45-4483-8999-9F939C8161F2}]
2008-02-01 10:20 57224 --------- C:\Program Files\real\WebHook.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-02-29 16:03 1481968]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2005-10-19 08:59 155648]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2005-10-19 08:59 126976]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2007-12-29 23:04 917504]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-01-31 23:13 385024]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 07:56 15360]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableChangePassword"= 0 (0x0)
"DisableLockWorkstation"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoCommonGroups"= 0 (0x0)
"NoNetConnectDisconnect"= 1 (0x1)
"NoFileSharing"= 0 (0x0)
"NoPrintSharing"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 12:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Common Files\\Ahead\\Nero Web\\SetupX.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\DAP Premium\\DAP.exe"=
"C:\\Program Files\\PPMate\\ppmate.exe"=
"C:\\Program Files\\PPStream\\PPStream.exe"=
"C:\\Program Files\\TVAnts\\Tvants.exe"=
"C:\\Program Files\\PPStream\\PPSAP.exe"=
"C:\\Program Files\\TVUPlayer\\TVUPlayer.exe"=
"C:\\Program Files\\PPLive\\PPLive.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\real\\eREAD_Cookcase.exe"=

R2 SVKP;SVKP;C:\WINDOWS\system32\SVKP.sys [2008-03-23 18:11]
R2 UxTuneUp;TuneUp Theme Extension;C:\WINDOWS\System32\svchost.exe [2004-08-04 07:56]
R3 KeyScrambler;KeyScrambler;C:\WINDOWS\system32\drivers\keyscrambler.sys [2007-12-29 14:35]
S3 ggflt;SEMC USB Flash Driver Filter;C:\WINDOWS\system32\DRIVERS\ggflt.sys [2008-01-16 19:48]
S3 TuneUp.Defrag;TuneUp Drive Defrag Service;C:\WINDOWS\System32\TuneUpDefragService.exe [2008-03-06 12:38]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

.
Contents of the 'Scheduled Tasks' folder
"2008-03-25 13:47:23 C:\WINDOWS\Tasks\1-Click Maintenance.job"
- C:\Program Files\TuneUp Utilities 2008\OneClickStarter.exe
"2008-03-19 20:26:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-25 13:47:39
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
.
**************************************************************************
.
Completion time: 2008-03-25 13:50:21 - machine was rebooted
ComboFix-quarantined-files.txt 2008-03-25 13:50:17
.
2008-02-23 15:27:43 --- E O F ---


And Hijack file:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:54:45, on 25/03/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.skybroadband.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://skybroadband.com/portal/site/skybb
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AddTask Class - {24F06550-65E3-4D1C-8CFE-839C296B5530} - C:\Program Files\real\IEeREAD.dll
O2 - BHO: QFX Software KeyScrambler - {2B9F5787-88A5-4945-90E7-C4B18563BC5E} - C:\Program Files\KeyScrambler\KeyScramblerIE.dll
O2 - BHO: AddTask Class - {6A19C29D-ED45-4483-8999-9F939C8161F2} - C:\Program Files\real\WebHook.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Bluetooth.lnk = ?
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP Premium\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP Premium\dapextie.htm
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP Premium\dapextie2.htm
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Sky - {08E730A4-FB02-45BD-A900-01E4AD8016F6} - http://www.skybroadband.com (file missing)
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: (no name) - {5C106A59-CC3C-4caa-81A4-6D909B5ACE23} - C:\Program Files\KeyScrambler\KeyScramblerIE.dll
O9 - Extra 'Tools' menuitem: &KeyScrambler... - {5C106A59-CC3C-4caa-81A4-6D909B5ACE23} - C:\Program Files\KeyScrambler\KeyScramblerIE.dll
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windows ... 8946681359
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {AF2E62B6-F9E1-4D4F-A10A-9DC8E6DCBCC0} (VideoEgg ActiveX Loader) - http://update.videoegg.com/Install/Wind ... lisher.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O16 - DPF: {D821DC4A-0814-435E-9820-661C543A4679} (CRLDownloadWrapper Class) - http://drmlicense.one.microsoft.com/crl ... crlocx.ocx
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: lxce_device - Lexmark International, Inc. - C:\WINDOWS\system32\lxcecoms.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe

--
End of file - 9108 bytes
owise1
Active Member
 
Posts: 5
Joined: March 25th, 2008, 7:25 am

Re: win32/adware.virtumonde.application keeps appearing on NOD32

Post by Scotty » March 25th, 2008, 12:36 pm

Hi
We now suggest that you install the Windows Recovery Console. The Windows recovery console will allow you to boot up into a special recovery mode that allows us to help you in the case that your computer has a problem after an attempted removal of malware.

Go to Microsoft's website => http://support.microsoft.com/kb/310994
Select the download that's appropriate for your Operating System, which in your case is SP2

[image]


Download the file & save it as it's originally named, next to ComboFix.exe.

[image]

Now close all open windows and programs, then drag the setup package onto ComboFix.exe and drop it. Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console. When complete, a log named CF_RC.txt will open. Please post the contents of that log.

Please do not reboot your machine until we have reviewed the log.
Scotty
Retired Graduate
 
Posts: 4138
Joined: August 4th, 2006, 5:31 am
Location: Haggistown, Kiltland

Re: win32/adware.virtumonde.application keeps appearing on NOD32

Post by owise1 » March 25th, 2008, 1:36 pm

The item cannot be found by Microsoft, it says.
owise1
Active Member
 
Posts: 5
Joined: March 25th, 2008, 7:25 am

Re: win32/adware.virtumonde.application keeps appearing on NOD32

Post by Scotty » March 25th, 2008, 3:56 pm

What do you mean? Was that an error message? At what point did you get the message?
Scotty
Retired Graduate
 
Posts: 4138
Joined: August 4th, 2006, 5:31 am
Location: Haggistown, Kiltland

Re: win32/adware.virtumonde.application keeps appearing on NOD32

Post by owise1 » March 25th, 2008, 4:42 pm

I had a problem before but sorted it. This is the file:


WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn /TUTag=MI7XF9 /Kernel=TUKernel.exe
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition (TuneUp Backup)" /fastdetect /NoExecute=OptIn /TUTag=MI7XF9-BAK
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
owise1
Active Member
 
Posts: 5
Joined: March 25th, 2008, 7:25 am

Re: win32/adware.virtumonde.application keeps appearing on NOD32

Post by Scotty » March 27th, 2008, 7:16 am

Hi
Go to http://virusscan.jotti.org
Copy the following line into the white textbox:
C:\WINDOWS\system32\mlfcache.dat
Click Submit.
Please post the results of this scan to this thread.
Do the same for all of these:
C:\WINDOWS\system32\d3d9caps.dat
C:\WINDOWS\system32\temp_0000_65-15.aok
C:\WINDOWS\system32\framedyn.dll
C:\Documents and Settings\Owner\Application Data\wklnhst.dat



Remember to disconnect from the Internet before carrying out the next instruction, and to save the following script before you do.


Open Notepad - it must be Notepad, not Wordpad.
Copy the text below in the code box by highlighting all the text with your mouse and pressing Ctrl+C

Code:
KillAll::

File::
C:\WINDOWS\system32\muzika.xm

Registry::
[-HKEY_LOCAL_MACHINE\SOFTWARE\Elaborate Bytes]

RenV::
C:\Documents and Settings\Owner\My Documents\software\Download Accelerator Plus 8.6.1.4 Final\DAP Premium .exe

DirLook::
C:\Documents and Settings\Owner\WINDOWS
C:\Documents and Settings\All Users\Application Data\{732094A9-8D45-41EB-B8CC-4EBAADD7808E}

 


Go to the Notepad window and click Edit > Paste
Then click File > Save
Name the file "CFScript.txt" (including the quotes)
Save the file to your Desktop

[image]


Referring to the picture above, drag CFScript into ComboFix.exe


Please do an online scan with Kaspersky Online Scanner. You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then start to download the latest definition files.
  • Once the scanner is installed and the definitions downloaded, click Next.
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
      + Extended (if available, otherwise Standard)
    • Scan Options:
      + Scan Archives
      + Scan Mail Bases
  • Click OK
  • Now under select a target to scan select My Computer
  • The scan will take a while so be patient and let it run. Once the scan is complete it will display if your system has been infected.
  • Now click on the Save as Text button
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

With the exception of Internet Explorer, which is needed for the Kaspersky Scan, keep ALL programs closed until the scan is complete. This includes your anti-virus. Once you have installed the Scanner and the updated definitions, you can disconnect from the Internet. Re-enable the anti-virus before reconnecting to the Internet.

In your next reply post:
Jotti results
ComboFix.txt
Kaspersky report
New HijackThis log taken after the above scan has run
Scotty
Retired Graduate
 
Posts: 4138
Joined: August 4th, 2006, 5:31 am
Location: Haggistown, Kiltland

Re: win32/adware.virtumonde.application keeps appearing on NOD32

Post by Simon V. » April 4th, 2008, 8:57 am

Due to lack of response this topic is now closed.

If you still need help open a new thread in the Malware Removal forum and wait for a new helper.

If you have been helped and wish to donate to help with the costs of this volunteer site, please read Donations For Malware Removal
Simon V.
MRU Emeritus
 
Posts: 3388
Joined: November 11th, 2006, 3:35 pm
Location: Antwerp, Belgium