Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

Virtumonde help please!

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

Virtumonde help please!

Unread postby chunkeyman » March 25th, 2008, 2:32 pm

It seems I am infected with VirtuMonde and don't seem to be able to remove it despite using every method known to me! This only seems to appear on Spybot but unfortunately Spybot can't remove the item.I am still getting pop-ups for spyware removal. Can you help please?

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:04:33, on 25/03/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\a-squared Free\a2service.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\DU Meter\DUMeterSvc.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\oodag.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DU Meter\DUMeter.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\PeerGuardian2\pg2.exe
C:\WINDOWS\system32\gvqnmtuf.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [JMB36X IDE Setup] C:\WINDOWS\RaidTool\xInsIDE.exe
O4 - HKLM\..\Run: [36X Raid Configurer] C:\WINDOWS\System32\xRaidSetup.exe boot
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\LogitechImageStudio\ISStart.exe
O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\LogitechImageStudio\LogiTray.exe
O4 - HKLM\..\Run: [OODefragTray] C:\WINDOWS\system32\oodtray.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [TrueImageMonitor.exe] C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
O4 - HKLM\..\Run: [AcronisTimounterMonitor] C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [AAWTray] C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DU Meter] C:\Program Files\DU Meter\DUMeter.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe
O4 - HKCU\..\Run: [ljdfsxda] C:\WINDOWS\system32\gvqnmtuf.exe
O4 - HKCU\..\Run: [fzwjdclc] C:\WINDOWS\system32\dgzkzsju.exe
O4 - HKCU\..\Run: [xmyjtmdz] C:\WINDOWS\system32\obkdetgl.exe
O4 - HKCU\..\Run: [vvwjwwsw] C:\WINDOWS\system32\robwncfs.exe
O4 - HKCU\..\Run: [nocbziew] C:\WINDOWS\system32\jwlwjshu.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [WUAppSetup] C:\Program Files\Common Files\logishrd\WUApp32.exe -v 0x046d -p 0x08b2 -f video -m logitech -d 10.5.1.2023 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [WUAppSetup] C:\Program Files\Common Files\logishrd\WUApp32.exe -v 0x046d -p 0x08b2 -f video -m logitech -d 10.5.1.2023 (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microso ... 1191289296
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan ... asinst.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O16 - DPF: {D821DC4A-0814-435E-9820-661C543A4679} (CRLDownloadWrapper Class) - http://drmlicense.one.microsoft.com/crl ... crlocx.ocx
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: DU Meter Service (DUMeterSvc) - Hagel Technologies Ltd - C:\Program Files\DU Meter\DUMeterSvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\system32\oodag.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Acronis Try And Decide Service (TryAndDecideService) - Unknown owner - C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe
O23 - Service: UPnPService - Magix AG - C:\Program Files\Common Files\MAGIX Shared\UPnPService\UPnPService.exe

--
End of file - 10640 bytes
chunkeyman
Regular Member
 
Posts: 21
Joined: March 25th, 2008, 2:16 pm
Advertisement
Register to Remove

Re: Virtumonde help please!

Unread postby dan12 » March 25th, 2008, 5:37 pm

Hi,chunkeyman, and welcome to malwareremoval forums

I'm dan12, I'll be glad to help you with your computer problems.

Please observe these rules while we work:
  • Perform all actions in the order given.
  • If you don't know, stop and ask! Don't keep going on.
  • Please reply to this thread. Do not start a new topic.
  • Stick with it till you're given the all clear.
  • REMEMBER, ABSENCE OF SYMPTOMS DOES NOT MEAN THE INFECTION IS ALL GONE.
If you can do these things, everything should go smoothly.
  • Please note you'll need to have Administrator priviledges to perform the fixes. (XP accounts are Administrator by default)
  • Please let me know if you are using a computer with multiple accounts, as this can affect the instructions given.
It may be helpful to you to print out or take a copy of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

I'm presently looking over your log and hope not to be too long.
Will be back with you as soon as I can.
Thanks dan
User avatar
dan12
MRU Honors Grad Emeritus
 
Posts: 6123
Joined: March 30th, 2006, 3:22 am
Location: Leicestershire

Re: Virtumonde help please!

Unread postby dan12 » March 25th, 2008, 5:40 pm

Download and Install CCleaner
  • Download CCleaner from here . Choose the Slim version.
  • Double click on ccsetupXXX_slim.exe to start the installation of CCleaner. (XXX is the version number)
  • Click OK
  • Click Next
  • Click I agree
  • Click Next
  • Click Install
  • Once the installation has finished, click Finish

-------------------------------

Set Options in CCleaner and run Cleaning Scan.
Open CCleaner if it's not already running.
( Do not use the Registry block to clean anything with this program. It is for experts only and it is risky).
  • Select Cleaner Settings.
    Check Internet Explorer, Windows Explorer, and System so that all items are checked. In the Advanced section, have a check only on Old PreFetch Data.
  • Click on the Options block on the left. Select Advanced.
    Uncheck Only delete files in Windows Temp folders older than 48 hours.
  • Set Cookie Retention.
    Click on the Options block on the left, then choose Cookies.
    Under the Cookies to delete pane, highlight any cookies you would like to retain permanently (those companies or sites with which you regularly visit or do business), and click the right arrow > to move them to the Cookies to keep pane.
  • Run Cleaning Scan. Click on the Cleaner block on the left. Choose the Windows tab.
    Click the Run Cleaner button. This process could take a while. When CCleaner shows how much has been removed, cleaning is finished.

----------------------------------

Retrieve the Installed Programs List from CCleaner
Open CCleaner if it's not already running.
In the Left Pane, click Tools
Verify that Uninstall is highlighted in color, or click on it.
In the lower Right, click Save to Text File.
Pull down the arrow at the top of the Save dialog and choose Desktop as the location.
You can leave the filename as install.txt
Click Save
Exit CCleaner by clicking on the X button in the upper right of the CCleaner window.

-------------------------------

Download Combofix from any of the links below, and save it to your desktop. For information regarding this download, please visit this webpage: http://www.bleepingcomputer.com/combofi ... e-combofix

Link 1
Link 2
Link 3


**Note: It is important that it is saved directly to your desktop**

--------------------------------------------------------------------

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

--------------------------------------------------------------------

Double click on combofix.exe & follow the prompts.
    When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.

Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall


Please include in your next post:
  • Combofix log txt
  • Uninstall list
  • New highjackthis log

Thanks dan
User avatar
dan12
MRU Honors Grad Emeritus
 
Posts: 6123
Joined: March 30th, 2006, 3:22 am
Location: Leicestershire

Re: Virtumonde help please!

Unread postby chunkeyman » March 25th, 2008, 7:34 pm

Hi dan12

Thanks for your prompt action....much appreciated!
I have carried out items as per your instructions and below are the reports as requested.
Thanks again.

CCleaner
µTorrent
ABBYY FineReader 6.0 Sprint
AC3Filter (remove only)
Acronis True Image Home
Ad-Aware 2007
Adobe Flash Player ActiveX
Adobe Reader 8.1.2
Alarm 2.0.2
AppCore
a-squared Free 3.1
AV
AVG Anti-Spyware 7.5
Camera RAW Plug-In for EPSON Creativity Suite
ccCommon
CCleaner (remove only)
Codec Pack - All In 1 6.0.3.0
Cover Expert 1.3 Build 2307
DivX Codec
DivX Converter
DU Meter
Easy Video Joiner 5.21
EPSON Easy Photo Print
EPSON Printer Software
EPSON Scan
EPSON Stylus CX7300_CX8300_DX7400_DX8400 Manual
FairUse Wizard 2
Fantastic Flame Screensaver
ffdshow [rev 1650] [2007-11-28]
Free Mp3 Wma Converter V 1.6.3
GearDrvs
Google Earth
Google Toolbar for Internet Explorer
Google Updater
High Definition Audio Driver Package - KB888111
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.0 (KB932471)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB896344)
Hotfix for Windows XP (KB914440)
Hotfix for Windows XP (KB926239)
IsoBuster 1.6
Java(TM) 6 Update 5
JMB36X Raid Configurer
LimeWire PRO 4.12.6
LiveUpdate 3.2 (Symantec Corporation)
LiveUpdate Notice (Symantec Corporation)
Logitech IM Video Companion
Logitech ImageStudio
MahJong Suite 2007 v4.2
MahJong Suite Graphics Pack Volume 1 - v1.7
MahJong Suite Graphics Pack Volume 2 - v2.7
Marvell Miniport Driver
Matroska Pack (remove only)
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 1
Microsoft .NET Framework 3.0 Service Pack 1
Microsoft Base Smart Card Cryptographic Service Provider Package
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Office Professional Edition 2003
Microsoft Silverlight
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
MP4 Converter
MSXML 4.0 SP2 (KB936181)
MSXML 6.0 Parser (KB933579)
Nero 6 Ultra Edition
Nero Digital
Norton 360
Norton 360 (Symantec Corporation)
Norton 360 Help
Norton Confidential Browser Component
Norton Confidential Web Authentification Component
Norton Confidential Web Protection Component
NVIDIA Drivers
O&O Defrag Professional Edition
Panda ActiveScan
PeerGuardian 2.0
Portrait Professional Max 6.3
PowerDVD
QuickTime Alternative 1.40
Real Alternative 1.27
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB941568)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB941644)
Security Update for Windows XP (KB943055)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB943485)
Security Update for Windows XP (KB944653)
Security Update for Windows XP (KB946026)
ShellExView
Skype™ 3.6
SopCast 2.0.4
SoundMAX
SPBBC 32bit
Spybot - Search & Destroy 1.4.0.3
Spyware Doctor 5.5
SUPERAntiSpyware Free Edition
SuppSoft
Symantec Real Time Storage Protection Component
Symantec Technical Support Controls
SymNet
TMPGEnc 4.0 XPress
TuneUp Utilities 2008
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB904942)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920342)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB925720)
Update for Windows XP (KB925876)
Update for Windows XP (KB927891)
Update for Windows XP (KB930916)
Update for Windows XP (KB936357)
Update for Windows XP (KB938828)
Update for Windows XP (KB942763)
VideoLAN VLC media player 0.8.6c
WebFldrs XP
Winamp
WinAVI VideoConverter
Windows Defender
Windows Imaging Component
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Live installer
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Media Format 11 runtime
Windows Media Player 11
Windows Presentation Foundation
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
Windows XP Service Pack 2
WinRAR archiver
Xvid 1.1.3 final uninstall

ComboFix log

ComboFix 08-03-25.1 - Colin & Kerry 2008-03-26 0:02:17.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1403 [GMT 1:00]
Running from: C:\Documents and Settings\Colin & Kerry\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\CMMGR32.EXE

.
((((((((((((((((((((((((( Files Created from 2008-02-25 to 2008-03-25 )))))))))))))))))))))))))))))))
.

2008-03-25 23:48 . 2008-03-25 23:48 <DIR> d-------- C:\Program Files\CCleaner
2008-03-25 22:23 . 2008-03-25 23:28 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-03-25 22:23 . 2008-03-25 22:23 <DIR> d-------- C:\Documents and Settings\Colin & Kerry\Application Data\SUPERAntiSpyware.com
2008-03-25 22:23 . 2008-03-25 22:23 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-03-25 21:02 . 2008-03-25 21:02 <DIR> d-------- C:\Documents and Settings\Colin & Kerry\Application Data\Grisoft
2008-03-25 20:11 . 2008-03-25 20:11 <DIR> d-------- C:\VundoFix Backups
2008-03-25 19:08 . 2008-03-25 19:08 <DIR> d-------- C:\Program Files\PC-Cleaner
2008-03-25 18:41 . 2008-03-25 18:41 <DIR> d-------- C:\Program Files\Trend Micro
2008-03-25 17:05 . 2008-03-25 17:59 <DIR> d-------- C:\Program Files\Spyware Doctor
2008-03-25 17:05 . 2008-03-25 17:05 <DIR> d-------- C:\Documents and Settings\Colin & Kerry\Application Data\PC Tools
2008-03-25 17:05 . 2007-12-10 14:53 81,288 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2008-03-25 17:05 . 2007-12-10 14:53 66,952 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2008-03-25 17:05 . 2007-12-10 14:53 41,864 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2008-03-25 17:05 . 2007-12-10 14:53 29,576 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2008-03-25 13:37 . 2008-03-25 23:22 <DIR> d-------- C:\Program Files\a-squared Free
2008-03-25 12:46 . 2008-03-25 23:28 <DIR> d-------- C:\Program Files\Windows Defender
2008-03-25 11:19 . 2008-03-25 11:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ParetoLogic Anti-Spyware
2008-03-25 08:35 . 2008-03-25 23:34 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2008-03-25 08:35 . 2008-03-25 23:12 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2008-03-25 08:30 . 2008-03-25 08:30 106,496 --a------ C:\WINDOWS\system32\jwlwjshu.exe
2008-03-24 22:09 . 2008-03-24 22:09 94,208 --a------ C:\WINDOWS\system32\robwncfs.exe
2008-03-24 20:34 . 2008-03-24 20:34 664 --a------ C:\WINDOWS\system32\d3d9caps.dat
2008-03-24 20:24 . 2008-03-24 20:24 <DIR> d-------- C:\Documents and Settings\colin.LAMUELA\Application Data\Grisoft
2008-03-24 20:24 . 2008-03-24 20:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-03-24 20:24 . 2007-05-30 13:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-03-24 19:50 . 2008-03-24 19:50 94,208 --a------ C:\WINDOWS\system32\obkdetgl.exe
2008-03-24 19:19 . 2008-03-24 19:19 <DIR> d-------- C:\Documents and Settings\colin.LAMUELA\Application Data\TuneUp Software
2008-03-24 18:51 . 2008-03-24 18:51 <DIR> d-------- C:\Documents and Settings\colin.LAMUELA\Desktopvirii
2008-03-24 18:51 . 2008-03-24 18:51 4,096 --a------ C:\Documents and Settings\colin.LAMUELA\DesktopTrojan.Win32.BlackBird.exe
2008-03-24 18:51 . 2008-03-24 18:51 4,096 --a------ C:\Documents and Settings\colin.LAMUELA\DesktopFWebdEditor.exe
2008-03-24 18:51 . 2008-03-24 18:51 4,096 --a------ C:\Documents and Settings\colin.LAMUELA\Desktopfwebd.exe
2008-03-24 18:51 . 2008-03-24 18:51 4,096 --a------ C:\Documents and Settings\colin.LAMUELA\Desktopfkwp2.0.exe
2008-03-24 18:51 . 2008-03-24 18:51 4,096 --a------ C:\Documents and Settings\colin.LAMUELA\Desktopfkwp1.5.exe
2008-03-24 18:51 . 2008-03-24 18:51 4,096 --a------ C:\Documents and Settings\colin.LAMUELA\Desktopfilemanagerclient.exe
2008-03-24 18:51 . 2008-03-24 18:51 4,096 --a------ C:\Documents and Settings\colin.LAMUELA\DesktopEditorFKWP2.0.exe
2008-03-24 18:51 . 2008-03-24 18:51 4,096 --a------ C:\Documents and Settings\colin.LAMUELA\DesktopEditorFKWP1.5.exe
2008-03-24 12:17 . 2008-03-24 12:17 <DIR> d-------- C:\Documents and Settings\colin\Desktopvirii
2008-03-24 12:17 . 2008-03-24 12:17 4,096 --a------ C:\Documents and Settings\colin\DesktopTrojan.Win32.BlackBird.exe
2008-03-24 12:17 . 2008-03-24 12:17 4,096 --a------ C:\Documents and Settings\colin\DesktopFWebdEditor.exe
2008-03-24 12:17 . 2008-03-24 12:17 4,096 --a------ C:\Documents and Settings\colin\Desktopfwebd.exe
2008-03-24 12:17 . 2008-03-24 12:17 4,096 --a------ C:\Documents and Settings\colin\Desktopfkwp2.0.exe
2008-03-24 12:17 . 2008-03-24 12:17 4,096 --a------ C:\Documents and Settings\colin\Desktopfkwp1.5.exe
2008-03-24 12:17 . 2008-03-24 12:17 4,096 --a------ C:\Documents and Settings\colin\Desktopfilemanagerclient.exe
2008-03-24 12:17 . 2008-03-24 12:17 4,096 --a------ C:\Documents and Settings\colin\DesktopEditorFKWP2.0.exe
2008-03-24 12:17 . 2008-03-24 12:17 4,096 --a------ C:\Documents and Settings\colin\DesktopEditorFKWP1.5.exe
2008-03-24 12:08 . 2008-03-24 18:40 <DIR> d-------- C:\Program Files\RogueRemover
2008-03-24 10:12 . 2008-03-24 20:35 4,754 --a------ C:\WINDOWS\system32\tmp.reg
2008-03-24 10:11 . 2007-09-05 23:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-03-24 10:11 . 2006-04-27 16:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-03-24 10:11 . 2008-03-22 15:49 86,528 --a------ C:\WINDOWS\system32\VACFix.exe
2008-03-24 10:11 . 2008-03-15 17:16 82,432 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-03-24 10:11 . 2004-07-31 17:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-03-24 10:11 . 2007-10-03 23:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-03-23 21:08 . 2008-03-25 23:12 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2008-03-23 21:08 . 2008-03-25 23:12 1,406 --a------ C:\WINDOWS\system32\Help.ico
2008-03-23 19:27 . 2008-03-23 19:29 <DIR> d-------- C:\Program Files\ShellExView
2008-03-23 19:27 . 2008-03-23 19:27 39,424 --a------ C:\WINDOWS\zipinst.exe
2008-03-23 17:17 . 2008-03-25 10:52 <DIR> d-------- C:\Program Files\Enigma Software Group
2008-03-23 16:16 . 2008-03-23 16:19 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-03-23 16:16 . 2008-03-23 16:16 <DIR> d-------- C:\Documents and Settings\Colin & Kerry\Application Data\Spybot - Search & Destroy
2008-03-23 16:16 . 2008-03-25 23:53 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-03-23 16:16 . 2007-03-03 03:55 9,662 -rahs---- C:\WINDOWS\unins000.ico
2008-03-23 16:08 . 2008-03-25 18:25 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-03-23 16:03 . 2008-03-25 12:40 <DIR> d-------- C:\Program Files\Trojan Remover
2008-03-23 14:53 . 2008-03-23 14:53 <DIR> d-------- C:\Documents and Settings\Colin & Kerry\Desktopvirii
2008-03-23 14:53 . 2008-03-25 23:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\rszyjelw
2008-03-23 14:53 . 2008-03-23 14:53 4,096 --a------ C:\Documents and Settings\Colin & Kerry\DesktopTrojan.Win32.BlackBird.exe
2008-03-23 14:53 . 2008-03-23 14:53 4,096 --a------ C:\Documents and Settings\Colin & Kerry\DesktopFWebdEditor.exe
2008-03-23 14:53 . 2008-03-23 14:53 4,096 --a------ C:\Documents and Settings\Colin & Kerry\Desktopfwebd.exe
2008-03-23 14:53 . 2008-03-23 14:53 4,096 --a------ C:\Documents and Settings\Colin & Kerry\Desktopfkwp2.0.exe
2008-03-23 14:53 . 2008-03-23 14:53 4,096 --a------ C:\Documents and Settings\Colin & Kerry\Desktopfkwp1.5.exe
2008-03-23 14:53 . 2008-03-23 14:53 4,096 --a------ C:\Documents and Settings\Colin & Kerry\Desktopfilemanagerclient.exe
2008-03-23 14:53 . 2008-03-23 14:53 4,096 --a------ C:\Documents and Settings\Colin & Kerry\DesktopEditorFKWP2.0.exe
2008-03-23 14:53 . 2008-03-23 14:53 4,096 --a------ C:\Documents and Settings\Colin & Kerry\DesktopEditorFKWP1.5.exe
2008-03-23 12:45 . 2005-07-06 17:12 2,973,696 --------- C:\WINDOWS\UNNeroVision.exe
2008-03-23 12:45 . 2005-07-06 17:37 145,608 --------- C:\WINDOWS\UNNeroVision.cfg
2008-03-23 12:44 . 2008-03-23 12:44 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Ahead
2008-03-23 12:44 . 2004-07-09 09:43 364,544 --------- C:\WINDOWS\system32\TwnLib4.dll
2008-03-23 12:44 . 2001-06-26 08:15 38,912 --------- C:\WINDOWS\system32\picn20.dll
2008-03-12 15:42 . 2008-03-12 15:39 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-03-12 15:39 . 2008-03-25 16:28 <DIR> d-------- C:\Documents and Settings\Colin & Kerry\.housecall6.6
2008-03-08 16:57 . 2008-03-08 17:07 <DIR> d-------- C:\Program Files\Super Internet TV
2008-02-28 16:58 . 2008-03-22 19:24 <DIR> d-------- C:\Incomplete

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-25 23:00 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-03-25 22:57 --------- d-----w C:\Program Files\PeerGuardian2
2008-03-25 22:57 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-03-25 22:28 --------- d-----w C:\Program Files\Winamp
2008-03-25 22:27 --------- d-----w C:\Program Files\Norton 360
2008-03-25 22:26 --------- d-----w C:\Program Files\Google
2008-03-25 22:25 --------- d-----w C:\Program Files\DU Meter
2008-03-25 21:22 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-03-25 19:42 --------- d-----w C:\Documents and Settings\Colin & Kerry\Application Data\Skype
2008-03-25 18:34 --------- d-----w C:\Documents and Settings\Colin & Kerry\Application Data\skypePM
2008-03-25 18:08 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2008-03-25 17:47 --------- d-----w C:\Program Files\Super Ad Blocker
2008-03-25 17:30 --------- d-----w C:\Program Files\Java
2008-03-25 16:05 --------- d-----w C:\Documents and Settings\Colin & Kerry\Application Data\uTorrent
2008-03-23 20:48 --------- d-----w C:\Program Files\TuneUp Utilities 2008
2008-03-23 20:47 --------- d-----w C:\Program Files\MagicISO
2008-03-23 20:47 --------- d-----w C:\Program Files\LogitechImageStudio
2008-03-23 11:44 --------- d-----w C:\Program Files\Ahead
2008-03-21 16:02 --------- d-----w C:\Documents and Settings\Colin & Kerry\Application Data\LimeWire
2008-03-20 12:59 --------- d-----w C:\Documents and Settings\Colin & Kerry\Application Data\MahJong Suite
2008-03-20 11:53 --------- d-----w C:\Program Files\MP4 Converter 3
2008-03-20 11:30 --------- d-----w C:\Program Files\IsoBuster
2008-03-06 20:32 706 ----a-w C:\WINDOWS\system32\drivers\COH_Mon.inf
2008-03-06 20:32 23,904 ----a-w C:\WINDOWS\system32\drivers\COH_Mon.sys
2008-03-06 20:32 10,537 ----a-w C:\WINDOWS\system32\drivers\COH_Mon.cat
2008-02-21 09:08 --------- d-----w C:\Program Files\Easy Video Joiner
2008-02-20 21:37 --------- d-----w C:\Program Files\ffdshow
2008-02-20 21:18 --------- d-----w C:\Program Files\WinAVI VideoConverter
2008-02-20 21:01 --------- d-----w C:\Program Files\FairUse Wizard 2
2008-02-16 16:32 --------- d-----w C:\Program Files\DivX
2008-02-16 15:59 --------- d-----w C:\Program Files\Codec Pack - All In 1
2008-02-16 15:58 --------- d-----w C:\Program Files\Xvid
2008-02-16 13:51 --------- d-----w C:\Program Files\Common Files\AVSMedia
2008-02-16 13:45 --------- d-----w C:\Documents and Settings\Colin & Kerry\Application Data\AVS4YOU
2008-02-16 13:44 --------- d-----w C:\Documents and Settings\All Users\Application Data\AVS4YOU
2008-02-16 11:29 --------- d-----w C:\Program Files\AviSynth 2.5
2008-02-15 10:24 --------- d-----w C:\Program Files\ABBYY FineReader 6.0 Sprint
2008-02-13 13:45 --------- d-----w C:\Program Files\Cover Expert
2008-02-12 08:43 --------- d-----w C:\Documents and Settings\LocalService\Application Data\Acronis
2008-02-12 08:34 441,760 ----a-w C:\WINDOWS\system32\drivers\timntr.sys
2008-02-12 08:34 44,384 ----a-w C:\WINDOWS\system32\drivers\tifsfilt.sys
2008-02-12 08:34 129,248 ----a-w C:\WINDOWS\system32\drivers\snapman.sys
2008-02-12 08:34 --------- d-----w C:\Documents and Settings\All Users\Application Data\Acronis
2008-02-12 08:33 368,736 ----a-w C:\WINDOWS\system32\drivers\tdrpman.sys
2008-02-12 08:33 --------- d-----w C:\Program Files\Common Files\Acronis
2008-02-12 08:33 --------- d-----w C:\Program Files\Acronis
2008-02-11 19:11 --------- d-----w C:\Program Files\LimeWire
2008-02-09 16:13 360,064 ----a-w C:\WINDOWS\system32\drivers\TCPIP.SYS.ORIGINAL
2008-02-09 16:13 360,064 ----a-w C:\WINDOWS\system32\drivers\TCPIP.SYS
2008-02-09 15:18 --------- d-----w C:\Program Files\Free Audio Pack
2008-02-09 11:23 --------- d-----w C:\Program Files\Common Files\Adobe
2008-02-07 15:21 --------- d-----w C:\Program Files\Portrait Professional Max 6
2008-02-07 15:21 --------- d-----w C:\Documents and Settings\Colin & Kerry\Application Data\Anthropics
2008-02-05 08:38 --------- d-----w C:\Documents and Settings\Colin & Kerry\Application Data\LEAPS
2008-02-05 08:37 --------- d-----w C:\Program Files\Pegasys Inc
2008-02-05 08:25 --------- d-----w C:\Documents and Settings\Colin & Kerry\Application Data\Pegasys Inc
2008-02-02 15:32 --------- d-----w C:\Program Files\SopCast
2008-02-01 20:20 --------- d-----w C:\Documents and Settings\Colin & Kerry\Application Data\Winamp
2008-01-27 08:28 --------- d-----w C:\Program Files\MSXML 4.0
2008-01-26 20:40 --------- d-----w C:\Documents and Settings\Colin & Kerry\Application Data\MAGIX
2008-01-26 20:40 --------- d-----w C:\Documents and Settings\All Users\Application Data\MAGIX
2008-01-26 20:37 --------- d-----w C:\Program Files\MAGIX
2008-01-26 20:37 --------- d-----w C:\Program Files\Common Files\MAGIX Shared
2008-01-25 17:26 --------- d-----w C:\Program Files\Fantastic Flame Screensaver
2008-01-25 17:25 --------- d-----w C:\Documents and Settings\All Users\Application Data\Laconic Software
2008-01-25 12:32 --------- d-----w C:\Documents and Settings\Colin & Kerry\Application Data\TuneUp Software
2008-01-25 12:32 --------- d-----w C:\Documents and Settings\All Users\Application Data\TuneUp Software
2008-01-25 11:47 --------- d-----w C:\Program Files\Lavasoft
2008-01-25 11:47 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-01-25 10:10 --------- d-----w C:\Program Files\Skype
2008-01-25 10:00 --------- d-----w C:\Program Files\uTorrent
2008-01-25 09:27 --------- d-----w C:\Program Files\TGTSoft
2008-01-25 08:59 --------- d-----w C:\Documents and Settings\Colin & Kerry\Application Data\Symantec
2008-01-24 20:30 737,280 ----a-w C:\WINDOWS\iun6002.exe
2008-01-24 19:00 32 ----a-w C:\Documents and Settings\All Users\Application Data\ezsid.dat
.

------- Sigcheck -------

2007-10-30 17:53 360832 64798ecfa43d78c7178375fcdd16d8c8 C:\WINDOWS\$hf_mig$\KB941644\SP2QFE\tcpip.sys
2002-08-29 01:58 332928 244a2f9816bc9b593957281ef577d976 C:\WINDOWS\$NtServicePackUninstall$\tcpip.sys
2004-08-03 23:14 359040 9f4b36614a0fc234525ba224957de55c C:\WINDOWS\$NtUninstallKB941644$\tcpip.sys
2004-08-03 23:14 359040 9f4b36614a0fc234525ba224957de55c C:\WINDOWS\ServicePackFiles\i386\TCPIP.SYS
2008-02-09 17:13 360064 482ab7f9cd41702e8f856c11cfefb02d C:\WINDOWS\system32\dllcache\TCPIP.SYS
2008-02-09 17:13 360064 482ab7f9cd41702e8f856c11cfefb02d C:\WINDOWS\system32\drivers\TCPIP.SYS
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]
"DU Meter"="C:\Program Files\DU Meter\DUMeter.exe" [2007-10-17 20:23 979968]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-01-24 15:44 68856]
"PeerGuardian"="C:\Program Files\PeerGuardian2\pg2.exe" [2005-09-18 18:40 1421824]
"xmyjtmdz"="C:\WINDOWS\system32\obkdetgl.exe" [2008-03-24 19:50 94208]
"vvwjwwsw"="C:\WINDOWS\system32\robwncfs.exe" [2008-03-24 22:09 94208]
"nocbziew"="C:\WINDOWS\system32\jwlwjshu.exe" [2008-03-25 08:30 106496]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-02-27 11:39 1310720]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2006-12-18 14:34 868352]
"SoundMAX"="C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" [2006-07-13 07:12 729088]
"JMB36X IDE Setup"="C:\WINDOWS\RaidTool\xInsIDE.exe" [2007-03-20 07:36 36864]
"36X Raid Configurer"="C:\WINDOWS\System32\xRaidSetup.exe" [2007-03-21 09:23 1953792]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50 155648]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-10 06:59 115816]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-04-12 16:44 8429568]
"nwiz"="nwiz.exe" [2007-04-12 16:44 1626112 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-04-12 16:44 81920]
"LVCOMS"="C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE" [2002-12-10 17:54 127022]
"LogitechGalleryRepair"="C:\Program Files\LogitechImageStudio\ISStart.exe" [2002-12-10 18:32 155648]
"LogitechImageStudioTray"="C:\Program Files\LogitechImageStudio\LogiTray.exe" [2002-12-10 18:31 61440]
"OODefragTray"="C:\WINDOWS\system32\oodtray.exe" [2007-05-11 02:08 2512392]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 20:24 32768]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2007-10-10 06:28 36352]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"TrueImageMonitor.exe"="C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe" [2007-09-14 02:52 2595480]
"AcronisTimounterMonitor"="C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe" [2007-09-14 03:02 905056]
"Acronis Scheduler2 Service"="C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe" [2007-09-14 02:55 140568]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-29 17:38 583048]
"AAWTray"="C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe" [2007-08-08 15:53 88024]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 18:20 866584]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 00:56 15360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"WUAppSetup"="C:\Program Files\Common Files\logishrd\WUApp32.exe" [2007-02-03 10:23 430080]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-02-27 11:39 282624 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 relog_ap

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\uTorrent\\utorrent.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

R0 tdrpman;Acronis Try&Decide and Restore Points filter;C:\WINDOWS\system32\DRIVERS\tdrpman.sys [2008-02-12 09:33]
R2 DUMeterSvc;DU Meter Service;C:\Program Files\DU Meter\DUMeterSvc.exe [2007-10-15 15:19]
R2 TryAndDecideService;Acronis Try And Decide Service;"C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe" [2007-09-14 04:01]
R2 UxTuneUp;TuneUp Theme Extension;C:\WINDOWS\System32\svchost.exe [2004-08-04 00:56]
R3 genmcmnUSB;USB Scroll Mouse Driver;C:\WINDOWS\system32\DRIVERS\gflmouhid.sys [2004-04-19 15:01]
S1 SABKUTIL;SABKUTIL;C:\Program Files\Super Ad Blocker\SABKUTIL.sys []
S3 PhilCam8116;Logitech QuickCam Pro 3000(PID_08B0);C:\WINDOWS\system32\DRIVERS\CamDrL21.sys [2002-12-10 17:53]
S3 RTLWUSB;Realtek RTL8187 Wireless 802.11b/g 54Mbps USB 2.0 Network Adapter;C:\WINDOWS\system32\DRIVERS\RTL8187.sys [2007-10-23 02:45]
S3 TuneUp.Defrag;TuneUp Drive Defrag Service;C:\WINDOWS\System32\TuneUpDefragService.exe [2008-01-25 13:33]
S3 UPnPService;UPnPService;C:\Program Files\Common Files\MAGIX Shared\UPnPService\UPnPService.exe [2006-12-14 16:00]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

*Newly Created Service* - COMHOST
.
Contents of the 'Scheduled Tasks' folder
"2008-03-25 10:19:06 C:\WINDOWS\Tasks\Pareto UNS.job"
- C:\Program Files\Common Files\ParetoLogic\UUS\UUS.dll\Pareto_Update.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-26 00:06:05
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\DUMeterSvc]
"ImagePath"="C:\Program Files\DU Meter\DUMeterSvc.exe /startedbyscm:E1F6D4BE-40E33354-DUMeterService"
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\a-squared Free\a2service.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\oodag.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\RUNDLL32.EXE
.
**************************************************************************
.
Completion time: 2008-03-26 0:08:12 - machine was rebooted
ComboFix-quarantined-files.txt 2008-03-25 23:08:10
.
2008-03-12 08:22:32 --- E O F ---



Hijackthis

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 00:25:39, on 26/03/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\a-squared Free\a2service.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\DU Meter\DUMeterSvc.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\oodag.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\DU Meter\DUMeter.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\PeerGuardian2\pg2.exe
C:\WINDOWS\system32\robwncfs.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [JMB36X IDE Setup] C:\WINDOWS\RaidTool\xInsIDE.exe
O4 - HKLM\..\Run: [36X Raid Configurer] C:\WINDOWS\System32\xRaidSetup.exe boot
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\LogitechImageStudio\ISStart.exe
O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\LogitechImageStudio\LogiTray.exe
O4 - HKLM\..\Run: [OODefragTray] C:\WINDOWS\system32\oodtray.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [TrueImageMonitor.exe] C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
O4 - HKLM\..\Run: [AcronisTimounterMonitor] C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [AAWTray] C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DU Meter] C:\Program Files\DU Meter\DUMeter.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe
O4 - HKCU\..\Run: [xmyjtmdz] C:\WINDOWS\system32\obkdetgl.exe
O4 - HKCU\..\Run: [vvwjwwsw] C:\WINDOWS\system32\robwncfs.exe
O4 - HKCU\..\Run: [nocbziew] C:\WINDOWS\system32\jwlwjshu.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [WUAppSetup] C:\Program Files\Common Files\logishrd\WUApp32.exe -v 0x046d -p 0x08b2 -f video -m logitech -d 10.5.1.2023 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [WUAppSetup] C:\Program Files\Common Files\logishrd\WUApp32.exe -v 0x046d -p 0x08b2 -f video -m logitech -d 10.5.1.2023 (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microso ... 1191289296
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan ... asinst.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O16 - DPF: {D821DC4A-0814-435E-9820-661C543A4679} (CRLDownloadWrapper Class) - http://drmlicense.one.microsoft.com/crl ... crlocx.ocx
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: DU Meter Service (DUMeterSvc) - Hagel Technologies Ltd - C:\Program Files\DU Meter\DUMeterSvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\system32\oodag.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Acronis Try And Decide Service (TryAndDecideService) - Unknown owner - C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe
O23 - Service: UPnPService - Magix AG - C:\Program Files\Common Files\MAGIX Shared\UPnPService\UPnPService.exe

--
End of file - 11102 bytes
chunkeyman
Regular Member
 
Posts: 21
Joined: March 25th, 2008, 2:16 pm

Re: Virtumonde help please!

Unread postby dan12 » March 26th, 2008, 9:03 am

Hi, while I'm researching returned logs can you throw any light on this file:
C:\Documents and Settings\colin.LAMUELA\DesktopTrojan.Win32.BlackBird.exe do you have an application where you can put music to photos where this might be used? let me know either way.
dan
User avatar
dan12
MRU Honors Grad Emeritus
 
Posts: 6123
Joined: March 30th, 2006, 3:22 am
Location: Leicestershire

Re: Virtumonde help please!

Unread postby chunkeyman » March 26th, 2008, 9:39 am

Hello again Dan

I have looked through my installed progs and nothing fits the bill. I do have 'Magix Photostory on CD and DVD v4' but that is not installed and is sitting unused in my 'D' drive. I did have a look at the location 'C:\Documents and Settings\colin.LAMUELA\DesktopTrojan.Win32.BlackBird.exe' and to be honest I haven't a clue where it came from. Also in the same group is a 'jpeg' with the title ' Desktopblackbird' again this means nothing to me.

Hope this furthers the cause.

Thanks

Colin aka chunkeyman
chunkeyman
Regular Member
 
Posts: 21
Joined: March 25th, 2008, 2:16 pm

Re: Virtumonde help please!

Unread postby dan12 » March 26th, 2008, 11:35 am

ok, thanks for that will be back with you later.
dan
User avatar
dan12
MRU Honors Grad Emeritus
 
Posts: 6123
Joined: March 30th, 2006, 3:22 am
Location: Leicestershire

Re: Virtumonde help please!

Unread postby dan12 » March 26th, 2008, 12:27 pm

P2P Warning!

IMPORTANT I notice there are signs of one or more P2P (Person to Person) File Sharing Programs on your computer.

LimeWire

Please note that as long as you are using any form of Peer-to-Peer networking and downloading files from non-documented sources, you can expect infestations of malware to occur
Once upon a time, P2P file sharing was fairly safe. That is no longer true. You may continue to use P2P sharing at your own risk; however, please keep in mind that this practice may be the source of your current malware infestation

I'd like you to read the Guidelines for P2P Programs where we explain why it's not a good idea to have them.

References for the risk of these programs can be found in these links: http://www.microsoft.com/windows/ie/community/columns/protection.mspx
http://www.techweb.com/wire/160500554
http://www.internetworldstats.com/articles/art053.htm

I would recommend that you uninstall LimeWire , however that choice is up to you.
If you wish to keep it, please do not use it until your computer is cleaned.

______________________

Stop Processes Prior to Deletion
Close ALL open windows. Use Ctrl-Alt-Delete together to bring up the task manager.
Under the processes tab, if it is visible, check the box 'Show processes from all users'.
One at a time, highlight each of these that are listed and "End Process":

robwncfs.exe


Run HijackThis, select Do a system scan only and place checks against the following entries (if they are still present)

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O4 - HKCU\..\Run: [xmyjtmdz] C:\WINDOWS\system32\obkdetgl.exe
O4 - HKCU\..\Run: [vvwjwwsw] C:\WINDOWS\system32\robwncfs.exe
O4 - HKCU\..\Run: [nocbziew] C:\WINDOWS\system32\jwlwjshu.exe

WITH ALL OTHER WINDOWS CLOSED Click on Fix Checked and exit

____________



1. Close any open browsers.

2. Open notepad and copy/paste the text in the quotebox below into it:

Code: Select all
    File::
C:\WINDOWS\system32\pavas.ico
C:\WINDOWS\system32\jwlwjshu.exe
C:\WINDOWS\system32\robwncfs.exe
C:\WINDOWS\system32\obkdetgl.exe
C:\Documents and Settings\colin.LAMUELA\Desktopvirii
C:\Documents and Settings\colin.LAMUELA\DesktopTrojan.Win32.BlackBird.exe
C:\Documents and Settings\colin.LAMUELA\DesktopFWebdEditor.exe
C:\Documents and Settings\colin.LAMUELA\Desktopfwebd.exe
C:\Documents and Settings\colin.LAMUELA\Desktopfkwp2.0.exe
C:\Documents and Settings\colin.LAMUELA\Desktopfkwp1.5.exe
C:\Documents and Settings\colin.LAMUELA\Desktopfilemanagerclient.exe
C:\Documents and Settings\colin.LAMUELA\DesktopEditorFKWP2.0.exe
C:\Documents and Settings\colin.LAMUELA\DesktopEditorFKWP1.5.exe
C:\Documents and Settings\colin\Desktopvirii
C:\Documents and Settings\colin\DesktopTrojan.Win32.BlackBird.exe
C:\Documents and Settings\colin\DesktopFWebdEditor.exe
C:\Documents and Settings\colin\Desktopfwebd.exe
C:\Documents and Settings\colin\Desktopfkwp2.0.exe
C:\Documents and Settings\colin\Desktopfkwp1.5.exe
C:\Documents and Settings\colin\Desktopfilemanagerclient.exe
C:\Documents and Settings\colin\DesktopEditorFKWP2.0.exe
C:\Documents and Settings\colin\DesktopEditorFKWP1.5.exe
C:\Documents and Settings\Colin & Kerry\Desktopvirii
C:\Documents and Settings\All Users\Application Data\rszyjelw
C:\Documents and Settings\Colin & Kerry\DesktopTrojan.Win32.BlackBird.exe
C:\Documents and Settings\Colin & Kerry\DesktopFWebdEditor.exe
C:\Documents and Settings\Colin & Kerry\Desktopfwebd.exe
C:\Documents and Settings\Colin & Kerry\Desktopfkwp2.0.exe
C:\Documents and Settings\Colin & Kerry\Desktopfkwp1.5.exe
C:\Documents and Settings\Colin & Kerry\Desktopfilemanagerclient.exe
C:\Documents and Settings\Colin & Kerry\DesktopEditorFKWP2.0.exe
C:\Documents and Settings\Colin & Kerry\DesktopEditorFKWP1.5.exe


    Folder::
C:\VundoFix Backups

    Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"xmyjtmdz"=-
"vvwjwwsw"=-
"nocbziew"=-

   

    


Save this as CFScript.txt, in the same location as ComboFix.exe


Image

Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at "C:\ComboFix.txt"

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall


-----------------------------------


: Malwarebytes' Anti-Malware :

Please download Malwarebytes' Anti-Malware to your desktop.

  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to
    • Update Malwarebytes' Anti-Malware
    • and Launch Malwarebytes' Anti-Malware
  • then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform full scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. please copy and paste the log into your next reply
    • If you accidently close it, the log file is saved here and will be named like this:
    • C:\\Documents and Settings\\Username\\Application Data\\Malwarebytes\\Malwarebytes' Anti-Malware\\Logs\\mbam-log-date (time).txt


Please do an online scan with Kaspersky WebScanner. (You will need to use Internet Explorer to run this scan)

On the welcome screen, click Accept.

You will be promted to install an ActiveX component from Kaspersky, click Install.

  • The program will launch and then begin downloading the latest definition files.
  • Once the files have been downloaded click on Next.
  • Now click on Scan Settings.
  • In the scan settings make sure that the following are selected:

  • Scan using the following Anti-Virus database:

    Extended (if available, otherwise Standard)

  • Scan Options:

    Scan Archives
    Scan Mail Bases

  • Click OK.
  • Now under Select a Target to Scan:

    Select My Computer.

  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
  • Now click on the Save as Text button and save the file to your desktop.


Please include in your next post:
  • Combofix log txt
  • Malwarebytes log
  • Kaspersky scan log
  • New highjackthis log

Thanks dan
User avatar
dan12
MRU Honors Grad Emeritus
 
Posts: 6123
Joined: March 30th, 2006, 3:22 am
Location: Leicestershire

Re: Virtumonde help please!

Unread postby chunkeyman » March 26th, 2008, 3:03 pm

Hi Dan

The comments regarding P2P have been noted.

Have carried out all of the above and reports are as follows.

Current situation is that all pop-ups seem to have stopped.

Thanks

Colin

Combofix report

ComboFix 08-03-25.1 - Colin & Kerry 2008-03-26 18:00:52.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1382 [GMT 1:00]
Running from: C:\Documents and Settings\Colin & Kerry\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Colin & Kerry\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\Documents and Settings\All Users\Application Data\rszyjelw
C:\Documents and Settings\Colin & Kerry\DesktopEditorFKWP1.5.exe
C:\Documents and Settings\Colin & Kerry\DesktopEditorFKWP2.0.exe
C:\Documents and Settings\Colin & Kerry\Desktopfilemanagerclient.exe
C:\Documents and Settings\Colin & Kerry\Desktopfkwp1.5.exe
C:\Documents and Settings\Colin & Kerry\Desktopfkwp2.0.exe
C:\Documents and Settings\Colin & Kerry\Desktopfwebd.exe
C:\Documents and Settings\Colin & Kerry\DesktopFWebdEditor.exe
C:\Documents and Settings\Colin & Kerry\DesktopTrojan.Win32.BlackBird.exe
C:\Documents and Settings\Colin & Kerry\Desktopvirii
C:\Documents and Settings\colin.LAMUELA\DesktopEditorFKWP1.5.exe
C:\Documents and Settings\colin.LAMUELA\DesktopEditorFKWP2.0.exe
C:\Documents and Settings\colin.LAMUELA\Desktopfilemanagerclient.exe
C:\Documents and Settings\colin.LAMUELA\Desktopfkwp1.5.exe
C:\Documents and Settings\colin.LAMUELA\Desktopfkwp2.0.exe
C:\Documents and Settings\colin.LAMUELA\Desktopfwebd.exe
C:\Documents and Settings\colin.LAMUELA\DesktopFWebdEditor.exe
C:\Documents and Settings\colin.LAMUELA\DesktopTrojan.Win32.BlackBird.exe
C:\Documents and Settings\colin.LAMUELA\Desktopvirii
C:\Documents and Settings\colin\DesktopEditorFKWP1.5.exe
C:\Documents and Settings\colin\DesktopEditorFKWP2.0.exe
C:\Documents and Settings\colin\Desktopfilemanagerclient.exe
C:\Documents and Settings\colin\Desktopfkwp1.5.exe
C:\Documents and Settings\colin\Desktopfkwp2.0.exe
C:\Documents and Settings\colin\Desktopfwebd.exe
C:\Documents and Settings\colin\DesktopFWebdEditor.exe
C:\Documents and Settings\colin\DesktopTrojan.Win32.BlackBird.exe
C:\Documents and Settings\colin\Desktopvirii
C:\WINDOWS\system32\jwlwjshu.exe
C:\WINDOWS\system32\obkdetgl.exe
C:\WINDOWS\system32\pavas.ico
C:\WINDOWS\system32\robwncfs.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Colin & Kerry\DesktopEditorFKWP1.5.exe
C:\Documents and Settings\Colin & Kerry\DesktopEditorFKWP2.0.exe
C:\Documents and Settings\Colin & Kerry\Desktopfilemanagerclient.exe
C:\Documents and Settings\Colin & Kerry\Desktopfkwp1.5.exe
C:\Documents and Settings\Colin & Kerry\Desktopfkwp2.0.exe
C:\Documents and Settings\Colin & Kerry\Desktopfwebd.exe
C:\Documents and Settings\Colin & Kerry\DesktopFWebdEditor.exe
C:\Documents and Settings\Colin & Kerry\DesktopTrojan.Win32.BlackBird.exe
C:\Documents and Settings\colin.LAMUELA\DesktopEditorFKWP1.5.exe
C:\Documents and Settings\colin.LAMUELA\DesktopEditorFKWP2.0.exe
C:\Documents and Settings\colin.LAMUELA\Desktopfilemanagerclient.exe
C:\Documents and Settings\colin.LAMUELA\Desktopfkwp1.5.exe
C:\Documents and Settings\colin.LAMUELA\Desktopfkwp2.0.exe
C:\Documents and Settings\colin.LAMUELA\Desktopfwebd.exe
C:\Documents and Settings\colin.LAMUELA\DesktopFWebdEditor.exe
C:\Documents and Settings\colin.LAMUELA\DesktopTrojan.Win32.BlackBird.exe
C:\Documents and Settings\colin\DesktopEditorFKWP1.5.exe
C:\Documents and Settings\colin\DesktopEditorFKWP2.0.exe
C:\Documents and Settings\colin\Desktopfilemanagerclient.exe
C:\Documents and Settings\colin\Desktopfkwp1.5.exe
C:\Documents and Settings\colin\Desktopfkwp2.0.exe
C:\Documents and Settings\colin\Desktopfwebd.exe
C:\Documents and Settings\colin\DesktopFWebdEditor.exe
C:\Documents and Settings\colin\DesktopTrojan.Win32.BlackBird.exe
C:\VundoFix Backups
C:\WINDOWS\system32\jwlwjshu.exe
C:\WINDOWS\system32\obkdetgl.exe
C:\WINDOWS\system32\pavas.ico
C:\WINDOWS\system32\robwncfs.exe

.
((((((((((((((((((((((((( Files Created from 2008-02-26 to 2008-03-26 )))))))))))))))))))))))))))))))
.

2008-03-25 23:48 . 2008-03-25 23:48 <DIR> d-------- C:\Program Files\CCleaner
2008-03-25 22:23 . 2008-03-26 12:42 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-03-25 22:23 . 2008-03-25 22:23 <DIR> d-------- C:\Documents and Settings\Colin & Kerry\Application Data\SUPERAntiSpyware.com
2008-03-25 22:23 . 2008-03-25 22:23 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-03-25 21:02 . 2008-03-25 21:02 <DIR> d-------- C:\Documents and Settings\Colin & Kerry\Application Data\Grisoft
2008-03-25 19:08 . 2008-03-25 19:08 <DIR> d-------- C:\Program Files\PC-Cleaner
2008-03-25 18:41 . 2008-03-25 18:41 <DIR> d-------- C:\Program Files\Trend Micro
2008-03-25 17:05 . 2008-03-25 17:59 <DIR> d-------- C:\Program Files\Spyware Doctor
2008-03-25 17:05 . 2008-03-25 17:05 <DIR> d-------- C:\Documents and Settings\Colin & Kerry\Application Data\PC Tools
2008-03-25 17:05 . 2007-12-10 14:53 81,288 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2008-03-25 17:05 . 2007-12-10 14:53 66,952 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2008-03-25 17:05 . 2007-12-10 14:53 41,864 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2008-03-25 17:05 . 2007-12-10 14:53 29,576 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2008-03-25 13:37 . 2008-03-26 09:51 <DIR> d-------- C:\Program Files\a-squared Free
2008-03-25 12:46 . 2008-03-26 09:51 <DIR> d-------- C:\Program Files\Windows Defender
2008-03-25 11:19 . 2008-03-25 11:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ParetoLogic Anti-Spyware
2008-03-25 08:35 . 2008-03-26 09:50 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2008-03-24 20:34 . 2008-03-24 20:34 664 --a------ C:\WINDOWS\system32\d3d9caps.dat
2008-03-24 20:24 . 2008-03-24 20:24 <DIR> d-------- C:\Documents and Settings\colin.LAMUELA\Application Data\Grisoft
2008-03-24 20:24 . 2008-03-24 20:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-03-24 20:24 . 2007-05-30 13:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-03-24 19:19 . 2008-03-24 19:19 <DIR> d-------- C:\Documents and Settings\colin.LAMUELA\Application Data\TuneUp Software
2008-03-24 18:51 . 2008-03-24 18:51 <DIR> d-------- C:\Documents and Settings\colin.LAMUELA\Desktopvirii
2008-03-24 12:17 . 2008-03-24 12:17 <DIR> d-------- C:\Documents and Settings\colin\Desktopvirii
2008-03-24 12:08 . 2008-03-24 18:40 <DIR> d-------- C:\Program Files\RogueRemover
2008-03-24 10:12 . 2008-03-24 20:35 4,754 --a------ C:\WINDOWS\system32\tmp.reg
2008-03-24 10:11 . 2007-09-05 23:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-03-24 10:11 . 2006-04-27 16:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-03-24 10:11 . 2008-03-22 15:49 86,528 --a------ C:\WINDOWS\system32\VACFix.exe
2008-03-24 10:11 . 2008-03-15 17:16 82,432 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-03-24 10:11 . 2004-07-31 17:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-03-24 10:11 . 2007-10-03 23:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-03-23 21:08 . 2008-03-26 09:50 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2008-03-23 21:08 . 2008-03-26 09:50 1,406 --a------ C:\WINDOWS\system32\Help.ico
2008-03-23 19:27 . 2008-03-23 19:29 <DIR> d-------- C:\Program Files\ShellExView
2008-03-23 19:27 . 2008-03-23 19:27 39,424 --a------ C:\WINDOWS\zipinst.exe
2008-03-23 17:17 . 2008-03-25 10:52 <DIR> d-------- C:\Program Files\Enigma Software Group
2008-03-23 16:16 . 2008-03-23 16:19 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-03-23 16:16 . 2008-03-23 16:16 <DIR> d-------- C:\Documents and Settings\Colin & Kerry\Application Data\Spybot - Search & Destroy
2008-03-23 16:16 . 2008-03-26 00:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-03-23 16:16 . 2007-03-03 03:55 9,662 -rahs---- C:\WINDOWS\unins000.ico
2008-03-23 16:08 . 2008-03-25 18:25 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-03-23 16:03 . 2008-03-25 12:40 <DIR> d-------- C:\Program Files\Trojan Remover
2008-03-23 14:53 . 2008-03-23 14:53 <DIR> d-------- C:\Documents and Settings\Colin & Kerry\Desktopvirii
2008-03-23 14:53 . 2008-03-25 23:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\rszyjelw
2008-03-23 12:45 . 2005-07-06 17:12 2,973,696 --------- C:\WINDOWS\UNNeroVision.exe
2008-03-23 12:45 . 2005-07-06 17:37 145,608 --------- C:\WINDOWS\UNNeroVision.cfg
2008-03-23 12:44 . 2008-03-23 12:44 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Ahead
2008-03-23 12:44 . 2004-07-09 09:43 364,544 --------- C:\WINDOWS\system32\TwnLib4.dll
2008-03-23 12:44 . 2001-06-26 08:15 38,912 --------- C:\WINDOWS\system32\picn20.dll
2008-03-12 15:42 . 2008-03-12 15:39 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-03-12 15:39 . 2008-03-25 16:28 <DIR> d-------- C:\Documents and Settings\Colin & Kerry\.housecall6.6
2008-03-08 16:57 . 2008-03-08 17:07 <DIR> d-------- C:\Program Files\Super Internet TV
2008-02-28 16:58 . 2008-03-22 19:24 <DIR> d-------- C:\Incomplete

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-26 16:50 --------- d-----w C:\Program Files\PeerGuardian2
2008-03-26 16:42 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-03-26 15:11 --------- d-----w C:\Documents and Settings\Colin & Kerry\Application Data\Skype
2008-03-26 15:01 --------- d-----w C:\Documents and Settings\Colin & Kerry\Application Data\skypePM
2008-03-26 08:51 --------- d-----w C:\Program Files\Winamp
2008-03-26 08:51 --------- d-----w C:\Program Files\TuneUp Utilities 2008
2008-03-26 08:51 --------- d-----w C:\Program Files\Norton 360
2008-03-26 08:51 --------- d-----w C:\Program Files\LogitechImageStudio
2008-03-26 08:51 --------- d-----w C:\Program Files\DU Meter
2008-03-26 08:51 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-03-26 08:50 --------- d-----w C:\Program Files\Google
2008-03-25 21:22 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-03-25 18:08 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2008-03-25 17:47 --------- d-----w C:\Program Files\Super Ad Blocker
2008-03-25 17:30 --------- d-----w C:\Program Files\Java
2008-03-25 16:05 --------- d-----w C:\Documents and Settings\Colin & Kerry\Application Data\uTorrent
2008-03-23 20:47 --------- d-----w C:\Program Files\MagicISO
2008-03-23 11:44 --------- d-----w C:\Program Files\Ahead
2008-03-21 16:02 --------- d-----w C:\Documents and Settings\Colin & Kerry\Application Data\LimeWire
2008-03-20 12:59 --------- d-----w C:\Documents and Settings\Colin & Kerry\Application Data\MahJong Suite
2008-03-20 11:53 --------- d-----w C:\Program Files\MP4 Converter 3
2008-03-20 11:30 --------- d-----w C:\Program Files\IsoBuster
2008-03-06 20:32 706 ----a-w C:\WINDOWS\system32\drivers\COH_Mon.inf
2008-03-06 20:32 23,904 ----a-w C:\WINDOWS\system32\drivers\COH_Mon.sys
2008-03-06 20:32 10,537 ----a-w C:\WINDOWS\system32\drivers\COH_Mon.cat
2008-02-21 09:08 --------- d-----w C:\Program Files\Easy Video Joiner
2008-02-20 21:37 --------- d-----w C:\Program Files\ffdshow
2008-02-20 21:18 --------- d-----w C:\Program Files\WinAVI VideoConverter
2008-02-20 21:01 --------- d-----w C:\Program Files\FairUse Wizard 2
2008-02-16 16:32 --------- d-----w C:\Program Files\DivX
2008-02-16 15:59 --------- d-----w C:\Program Files\Codec Pack - All In 1
2008-02-16 15:58 --------- d-----w C:\Program Files\Xvid
2008-02-16 13:51 --------- d-----w C:\Program Files\Common Files\AVSMedia
2008-02-16 13:45 --------- d-----w C:\Documents and Settings\Colin & Kerry\Application Data\AVS4YOU
2008-02-16 13:44 --------- d-----w C:\Documents and Settings\All Users\Application Data\AVS4YOU
2008-02-16 11:29 --------- d-----w C:\Program Files\AviSynth 2.5
2008-02-15 10:24 --------- d-----w C:\Program Files\ABBYY FineReader 6.0 Sprint
2008-02-13 13:45 --------- d-----w C:\Program Files\Cover Expert
2008-02-12 08:43 --------- d-----w C:\Documents and Settings\LocalService\Application Data\Acronis
2008-02-12 08:34 441,760 ----a-w C:\WINDOWS\system32\drivers\timntr.sys
2008-02-12 08:34 44,384 ----a-w C:\WINDOWS\system32\drivers\tifsfilt.sys
2008-02-12 08:34 129,248 ----a-w C:\WINDOWS\system32\drivers\snapman.sys
2008-02-12 08:34 --------- d-----w C:\Documents and Settings\All Users\Application Data\Acronis
2008-02-12 08:33 368,736 ----a-w C:\WINDOWS\system32\drivers\tdrpman.sys
2008-02-12 08:33 --------- d-----w C:\Program Files\Common Files\Acronis
2008-02-12 08:33 --------- d-----w C:\Program Files\Acronis
2008-02-11 19:11 --------- d-----w C:\Program Files\LimeWire
2008-02-09 16:13 360,064 ----a-w C:\WINDOWS\system32\drivers\TCPIP.SYS.ORIGINAL
2008-02-09 16:13 360,064 ----a-w C:\WINDOWS\system32\drivers\TCPIP.SYS
2008-02-09 15:18 --------- d-----w C:\Program Files\Free Audio Pack
2008-02-09 11:23 --------- d-----w C:\Program Files\Common Files\Adobe
2008-02-07 15:21 --------- d-----w C:\Program Files\Portrait Professional Max 6
2008-02-07 15:21 --------- d-----w C:\Documents and Settings\Colin & Kerry\Application Data\Anthropics
2008-02-05 08:38 --------- d-----w C:\Documents and Settings\Colin & Kerry\Application Data\LEAPS
2008-02-05 08:37 --------- d-----w C:\Program Files\Pegasys Inc
2008-02-05 08:25 --------- d-----w C:\Documents and Settings\Colin & Kerry\Application Data\Pegasys Inc
2008-02-02 15:32 --------- d-----w C:\Program Files\SopCast
2008-02-01 20:20 --------- d-----w C:\Documents and Settings\Colin & Kerry\Application Data\Winamp
2008-01-28 12:13 287,488 ----a-w C:\WINDOWS\system32\drivers\RTL8187.sys
2008-01-27 08:28 --------- d-----w C:\Program Files\MSXML 4.0
2008-01-26 20:40 --------- d-----w C:\Documents and Settings\Colin & Kerry\Application Data\MAGIX
2008-01-26 20:40 --------- d-----w C:\Documents and Settings\All Users\Application Data\MAGIX
2008-01-26 20:37 --------- d-----w C:\Program Files\MAGIX
2008-01-26 20:37 --------- d-----w C:\Program Files\Common Files\MAGIX Shared
2008-01-24 20:30 737,280 ----a-w C:\WINDOWS\iun6002.exe
2008-01-24 19:00 32 ----a-w C:\Documents and Settings\All Users\Application Data\ezsid.dat
.

------- Sigcheck -------

2007-10-30 17:53 360832 64798ecfa43d78c7178375fcdd16d8c8 C:\WINDOWS\$hf_mig$\KB941644\SP2QFE\tcpip.sys
2002-08-29 01:58 332928 244a2f9816bc9b593957281ef577d976 C:\WINDOWS\$NtServicePackUninstall$\tcpip.sys
2004-08-03 23:14 359040 9f4b36614a0fc234525ba224957de55c C:\WINDOWS\$NtUninstallKB941644$\tcpip.sys
2004-08-03 23:14 359040 9f4b36614a0fc234525ba224957de55c C:\WINDOWS\ServicePackFiles\i386\TCPIP.SYS
2008-02-09 17:13 360064 482ab7f9cd41702e8f856c11cfefb02d C:\WINDOWS\system32\dllcache\TCPIP.SYS
2008-02-09 17:13 360064 482ab7f9cd41702e8f856c11cfefb02d C:\WINDOWS\system32\drivers\TCPIP.SYS
.
((((((((((((((((((((((((((((( snapshot@2008-03-26_ 0.08.00.76 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-01-24 21:05:05 64,088 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.Vbe.Interop\11.0.0.0__71e9bce111e9429c\Microsoft.Vbe.Interop.dll
+ 2008-03-26 12:54:43 66,936 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.Vbe.Interop\11.0.0.0__71e9bce111e9429c\Microsoft.Vbe.Interop.dll
- 2008-01-24 21:05:04 223,800 ----a-w C:\WINDOWS\assembly\GAC\office\11.0.0.0__71e9bce111e9429c\OFFICE.DLL
+ 2008-03-26 12:54:34 226,656 ----a-w C:\WINDOWS\assembly\GAC\office\11.0.0.0__71e9bce111e9429c\OFFICE.DLL
+ 2003-07-14 21:57:34 38,968 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.5614\AUTHZAX.DLL
+ 2003-07-14 21:53:06 94,768 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.5614\AW.DLL
+ 2003-07-15 02:14:28 350,264 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.5614\CDLMSO.DLL
+ 2003-07-15 02:18:12 47,160 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.5614\DFUICOM.EXE
+ 2003-07-14 21:56:54 14,904 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.5614\DSITF.DLL
+ 2003-07-14 21:57:14 98,360 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.5614\DSSM.EXE
+ 2003-08-13 01:34:38 10,073,144 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.5614\EXCEL.EXE
+ 2003-08-03 09:56:16 1,146,184 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.5614\FM20.DLL
+ 2003-07-23 22:01:40 1,949,240 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.5614\FPCUTL.DLL
+ 2003-07-14 22:36:14 186,424 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.5614\FPDTC.DLL
+ 2003-07-14 21:40:12 179,768 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.5614\FPERSON.DLL
+ 2003-07-14 21:40:12 165,944 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.5614\FPLACE.DLL
+ 2003-07-25 18:00:16 1,157,696 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.5614\FPSRVUTL.DLL
+ 2003-07-25 18:14:50 799,288 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.5614\FPWEC.DLL
+ 2003-07-14 22:11:42 2,139,192 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.5614\GRAPH.EXE
+ 2003-07-14 21:57:44 87,096 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.5614\IEAWSDC.DLL
+ 2003-07-14 21:53:50 161,336 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.5614\IETAG.DLL
+ 2003-06-18 16:31:44 758,784 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.5614\MDIGRAPH.DLL
+ 2003-06-18 16:31:10 252,928 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.5614\MDIINK.DLL
+ 2003-06-18 16:31:48 17,920 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.5614\MDIMON.DLL
+ 2003-06-18 16:31:48 18,944 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.5614\MDIPPR.DLL
+ 2003-06-18 16:31:46 35,328 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.5614\MDIUI.DLL
+ 2003-06-18 16:31:34 443,904 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.5614\MDIVWCTL.DLL
+ 2003-07-14 21:58:04 230,968 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.5614\MSCDM.DLL
+ 2003-07-14 21:51:50 116,288 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.5614\MSCONV97.DLL
+ 2002-12-17 18:08:50 359,600 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.5614\MSDMENG.DLL
+ 2002-12-17 18:08:54 1,383,592 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.5614\MSDMINE.DLL
+ 2003-07-14 21:51:44 87,104 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.5614\MSENCODE.DLL
+ 2002-04-09 19:14:36 187,560 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.5614\MSMDUN80.DLL
+ 2003-07-14 21:52:52 17,464 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.5614\MSMH.DLL
+ 2003-08-07 23:23:16 12,172,336 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.5614\MSO.DLL
+ 2003-07-14 21:57:16 120,888 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.5614\MSOAUTH.DLL
+ 2003-07-15 02:14:18 106,552 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.5614\MSOCF.DLL
+ 2003-07-23 21:35:26 127,032 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.5614\MSOCFU.DLL
+ 2003-07-14 21:52:52 27,704 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.5614\MSODCW.DLL
+ 2003-07-14 21:44:06 25,144 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.5614\MSOEURO.DLL
+ 2003-07-14 21:52:56 55,360 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.5614\MSOHTMED.EXE
+ 2002-12-17 18:09:24 2,071,752 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.5614\MSOLAP80.DLL
+ 2003-07-11 01:15:48 1,292,872 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.5614\MSONSEXT.DLL
+ 2003-07-15 02:18:52 376,888 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.5614\MSORUN.DLL
+ 2003-07-14 21:52:54 28,224 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.5614\MSOSTYLE.DLL
+ 2003-07-14 21:52:52 35,896 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.5614\MSOSV.DLL
+ 2003-07-14 21:46:16 42,040 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.5614\MSOXEV.DLL
+ 2003-07-14 21:45:12 55,360 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.5614\MSOXMLED.EXE
+ 2003-07-14 21:45:12 39,488 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.5614\MSOXMLMF.DLL
+ 2003-06-18 16:31:24 1,033,216 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.5614\MSPCORE.DLL
+ 2003-06-18 16:31:50 16,384 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.5614\MSPGIMME.DLL
+ 2003-07-28 11:24:40 5,677,112 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.5614\MSPUB.EXE
+ 2003-06-19 15:05:50 364,648 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.5614\MSPVIEW.EXE
+ 2003-07-14 21:52:58 41,528 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.5614\MSSH.DLL
+ 2003-07-14 22:02:14 627,256 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.5614\MSTORDB.EXE
+ 2003-07-14 21:56:24 124,984 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.5614\MSTORE.EXE
+ 2003-07-23 21:40:00 482,872 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.5614\MSTORES.DLL
+ 2003-07-14 22:00:54 145,984 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.5614\MSWEBCAP.DLL
+ 2003-07-14 21:57:10 56,888 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.5614\NAME.DLL
+ 2003-07-14 21:56:52 13,888 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.5614\NPOFFICE.DLL
+ 2008-01-24 21:05:04 223,800 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.5614\OFFICE.DLL
+ 2003-07-15 02:14:26 283,696 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.5614\OIS.EXE
+ 2003-07-15 02:14:26 828,472 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.5614\OISAPP.DLL
+ 2003-07-15 02:14:26 27,192 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.5614\OISCTRL.DLL
+ 2003-07-15 02:14:26 242,240 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.5614\OISGRAPH.DLL
+ 2003-07-14 22:05:24 1,054,264 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.5614\OMFC.DLL
+ 2003-08-04 12:19:34 7,330,360 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.5614\OWC10.DLL
+ 2003-08-01 14:09:04 8,086,072 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.5614\OWC11.DLL
+ 2003-07-30 11:40:40 6,133,312 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.5614\POWERPNT.EXE
+ 2003-07-15 02:18:54 430,136 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.5614\PP4X322.DLL
+ 2003-07-15 02:18:44 93,752 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.5614\PP7X32.DLL
+ 2003-07-31 14:21:08 1,782,840 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.5614\PPTVIEW.EXE
+ 2003-07-14 21:40:26 130,104 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.5614\PRTF9.DLL
+ 2003-07-14 21:51:12 604,728 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.5614\PTXT9.DLL
+ 2003-07-14 21:50:26 551,480 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.5614\PUBCONV.DLL
+ 2003-07-14 21:40:16 51,256 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.5614\PUBTRAP.DLL
+ 2003-05-08 20:54:00 77,824 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.5614\REFEDIT.DLL
+ 2003-07-14 21:57:08 40,512 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.5614\REFIEBAR.DLL
+ 2003-07-14 21:57:08 58,944 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.5614\SEQCHK10.DLL
+ 2003-07-14 21:53:14 11,848 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.5614\SMARTTAGINSTALL.EXE
+ 2003-08-03 09:52:32 2,808,376 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.5614\STSLIST.DLL
+ 2003-07-03 14:19:36 2,502,656 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.5614\VBE6.DLL
+ 2008-01-24 21:05:05 64,088 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.5614\VBIDEPIA.DLL
+ 2003-08-06 12:24:20 12,037,688 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.5614\WINWORD.EXE
- 2008-03-24 18:20:56 593,920 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\accicons.exe
+ 2008-03-26 12:55:07 593,920 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\accicons.exe
- 2008-03-24 18:20:56 12,288 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\cagicon.exe
+ 2008-03-26 12:55:07 12,288 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\cagicon.exe
- 2008-03-24 18:20:56 86,016 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\inficon.exe
+ 2008-03-26 12:55:07 86,016 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\inficon.exe
- 2008-03-24 18:20:56 135,168 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\misc.exe
+ 2008-03-26 12:55:07 135,168 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\misc.exe
- 2008-03-24 18:20:56 11,264 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\mspicons.exe
+ 2008-03-26 12:55:07 11,264 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\mspicons.exe
- 2008-03-24 18:20:56 27,136 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\oisicon.exe
+ 2008-03-26 12:55:07 27,136 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\oisicon.exe
- 2008-03-24 18:20:56 4,096 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\opwicon.exe
+ 2008-03-26 12:55:07 4,096 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\opwicon.exe
- 2008-03-24 18:20:56 794,624 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\outicon.exe
+ 2008-03-26 12:55:07 794,624 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\outicon.exe
- 2008-03-24 18:20:56 249,856 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\pptico.exe
+ 2008-03-26 12:55:07 249,856 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\pptico.exe
- 2008-03-24 18:20:56 61,440 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\pubs.exe
+ 2008-03-26 12:55:07 61,440 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\pubs.exe
- 2008-03-24 18:20:56 23,040 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\unbndico.exe
+ 2008-03-26 12:55:07 23,040 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\unbndico.exe
- 2008-03-24 18:20:56 286,720 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\wordicon.exe
+ 2008-03-26 12:55:07 286,720 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\wordicon.exe
- 2008-03-24 18:20:56 409,600 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\xlicons.exe
+ 2008-03-26 12:55:07 409,600 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\xlicons.exe
- 2008-03-25 21:23:12 29,696 ----a-r C:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF11.exe
+ 2008-03-26 08:45:15 29,696 ----a-r C:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF11.exe
- 2008-03-25 21:23:12 18,944 ----a-r C:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF13.exe
+ 2008-03-26 08:45:15 18,944 ----a-r C:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF13.exe
- 2008-03-25 21:23:12 65,024 ----a-r C:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF15.exe
+ 2008-03-26 08:45:15 65,024 ----a-r C:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF15.exe
+ 2008-03-26 12:56:25 3,174 ----a-w C:\WINDOWS\SoftwareDistribution\EventCache\{9C929DBC-7237-4316-A472-FFA2F61D2C47}.bin
- 2003-08-03 09:56:16 1,146,184 ----a-w C:\WINDOWS\system32\FM20.DLL
+ 2007-06-06 09:53:34 1,195,888 ----a-w C:\WINDOWS\system32\FM20.DLL
- 2003-07-14 21:57:04 32,584 ----a-w C:\WINDOWS\system32\FM20ENU.DLL
+ 2007-03-22 18:17:04 35,440 ----a-w C:\WINDOWS\system32\FM20ENU.DLL
- 2008-02-17 06:50:13 192,976 ----a-w C:\WINDOWS\system32\FNTCACHE.DAT
+ 2008-03-26 12:57:40 192,976 ----a-w C:\WINDOWS\system32\FNTCACHE.DAT
- 2003-06-18 16:31:48 17,920 ----a-w C:\WINDOWS\system32\mdimon.dll
+ 2007-04-09 12:23:54 28,040 ----a-w C:\WINDOWS\system32\mdimon.dll
- 2003-06-18 16:31:44 758,784 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\mdigraph.dll
+ 2007-04-09 12:24:04 758,664 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\mdigraph.dll
- 2003-06-18 16:31:46 35,328 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\mdiui.dll
+ 2007-04-09 12:23:58 46,472 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\mdiui.dll
- 2003-06-18 16:31:44 758,784 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\mdigraph.dll
+ 2007-04-09 12:24:04 758,664 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\mdigraph.dll
- 2003-06-18 16:31:46 35,328 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\mdiui.dll
+ 2007-04-09 12:23:58 46,472 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\mdiui.dll
- 2003-06-18 16:31:48 18,944 ----a-w C:\WINDOWS\system32\spool\prtprocs\w32x86\mdippr.dll
+ 2007-04-09 12:23:54 28,552 ----a-w C:\WINDOWS\system32\spool\prtprocs\w32x86\mdippr.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]
"DU Meter"="C:\Program Files\DU Meter\DUMeter.exe" [2007-10-17 20:23 979968]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-01-24 15:44 68856]
"PeerGuardian"="C:\Program Files\PeerGuardian2\pg2.exe" [2005-09-18 18:40 1421824]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-02-27 11:39 1310720]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2006-12-18 14:34 868352]
"SoundMAX"="C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" [2006-07-13 07:12 729088]
"JMB36X IDE Setup"="C:\WINDOWS\RaidTool\xInsIDE.exe" [2007-03-20 07:36 36864]
"36X Raid Configurer"="C:\WINDOWS\System32\xRaidSetup.exe" [2007-03-21 09:23 1953792]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50 155648]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-10 06:59 115816]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-04-12 16:44 8429568]
"nwiz"="nwiz.exe" [2007-04-12 16:44 1626112 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-04-12 16:44 81920]
"LVCOMS"="C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE" [2002-12-10 17:54 127022]
"LogitechGalleryRepair"="C:\Program Files\LogitechImageStudio\ISStart.exe" [2002-12-10 18:32 155648]
"LogitechImageStudioTray"="C:\Program Files\LogitechImageStudio\LogiTray.exe" [2002-12-10 18:31 61440]
"OODefragTray"="C:\WINDOWS\system32\oodtray.exe" [2007-05-11 02:08 2512392]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 20:24 32768]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2007-10-10 06:28 36352]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"TrueImageMonitor.exe"="C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe" [2007-09-14 02:52 2595480]
"AcronisTimounterMonitor"="C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe" [2007-09-14 03:02 905056]
"Acronis Scheduler2 Service"="C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe" [2007-09-14 02:55 140568]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-29 17:38 583048]
"AAWTray"="C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe" [2007-08-08 15:53 88024]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 18:20 866584]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 00:56 15360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"WUAppSetup"="C:\Program Files\Common Files\logishrd\WUApp32.exe" [2007-02-03 10:23 430080]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-02-27 11:39 282624 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 relog_ap

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\uTorrent\\utorrent.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

R0 tdrpman;Acronis Try&Decide and Restore Points filter;C:\WINDOWS\system32\DRIVERS\tdrpman.sys [2008-02-12 09:33]
R2 DUMeterSvc;DU Meter Service;C:\Program Files\DU Meter\DUMeterSvc.exe [2007-10-15 15:19]
R2 TryAndDecideService;Acronis Try And Decide Service;"C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe" [2007-09-14 04:01]
R2 UxTuneUp;TuneUp Theme Extension;C:\WINDOWS\System32\svchost.exe [2004-08-04 00:56]
R3 genmcmnUSB;USB Scroll Mouse Driver;C:\WINDOWS\system32\DRIVERS\gflmouhid.sys [2004-04-19 15:01]
S1 SABKUTIL;SABKUTIL;C:\Program Files\Super Ad Blocker\SABKUTIL.sys []
S3 PhilCam8116;Logitech QuickCam Pro 3000(PID_08B0);C:\WINDOWS\system32\DRIVERS\CamDrL21.sys [2002-12-10 17:53]
S3 RTLWUSB;Realtek RTL8187 Wireless 802.11b/g 54Mbps USB 2.0 Network Adapter;C:\WINDOWS\system32\DRIVERS\RTL8187.sys [2008-01-28 13:13]
S3 TuneUp.Defrag;TuneUp Drive Defrag Service;C:\WINDOWS\System32\TuneUpDefragService.exe [2008-01-25 13:33]
S3 UPnPService;UPnPService;C:\Program Files\Common Files\MAGIX Shared\UPnPService\UPnPService.exe [2006-12-14 16:00]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

*Newly Created Service* - COMHOST
.
Contents of the 'Scheduled Tasks' folder
"2008-03-25 10:19:06 C:\WINDOWS\Tasks\Pareto UNS.job"
- C:\Program Files\Common Files\ParetoLogic\UUS\UUS.dll\Pareto_Update.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-26 18:04:20
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\DUMeterSvc]
"ImagePath"="C:\Program Files\DU Meter\DUMeterSvc.exe /startedbyscm:E1F6D4BE-40E33354-DUMeterService"
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\a-squared Free\a2service.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\oodag.exe
C:\WINDOWS\system32\RUNDLL32.EXE
.
**************************************************************************
.
Completion time: 2008-03-26 18:06:18 - machine was rebooted
ComboFix-quarantined-files.txt 2008-03-26 17:06:16
ComboFix2.txt 2008-03-25 23:08:13
.
2008-03-12 08:22:32 --- E O F ---


Malwarebytes Report


Malwarebytes' Anti-Malware 1.09
Database version: 549

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 86876
Time elapsed: 23 minute(s), 21 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 2
Files Infected: 10

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Program Files\PC-Cleaner (Rogue.PC-Cleaner) -> Quarantined and deleted successfully.
C:\WINDOWS\system32smp (Fake.Dropped.Malware) -> Quarantined and deleted successfully.

Files Infected:
C:\QooBox\Quarantine\C\WINDOWS\system32\obkdetgl.exe.vir (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\robwncfs.exe.vir (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{F8295CD4-041F-4125-8E90-DBC20C4CB6C2}\RP110\A0030463.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{F8295CD4-041F-4125-8E90-DBC20C4CB6C2}\RP110\A0030464.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{F8295CD4-041F-4125-8E90-DBC20C4CB6C2}\RP110\A0030465.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{F8295CD4-041F-4125-8E90-DBC20C4CB6C2}\RP110\A0030466.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{F8295CD4-041F-4125-8E90-DBC20C4CB6C2}\RP113\A0030857.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{F8295CD4-041F-4125-8E90-DBC20C4CB6C2}\RP113\A0030859.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\Web\def.htm (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32smp\msrc.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.


Kaspersky Report


KASPERSKY ONLINE SCANNER REPORT
Wednesday, March 26, 2008 7:51:39 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 26/03/2008
Kaspersky Anti-Virus database records: 664730
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\
F:\

Scan Statistics:
Total number of scanned objects: 58203
Number of viruses found: 4
Number of infected objects: 28
Number of suspicious objects: 0
Duration of the scan process: 00:45:26

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\settings.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBConfig.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBDebug.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBDetect.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBNotify.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBRefr.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetCfg.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetCfg2.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetDev.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetLoc.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetUsr.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBStHash.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBValid.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\SPPolicy.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\SPStart.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\SPStop.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtErEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtETmp\3327387B.TMP Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtETmp\E2C1AF83.TMP Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtMoEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtNvEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtScEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtTxFEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtViEvt.log Object is locked skipped
C:\Documents and Settings\colin\Desktop\SmitfraudFix.exe/data.rar/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\colin\Desktop\SmitfraudFix.exe/data.rar Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\colin\Desktop\SmitfraudFix.exe RarSFX: infected - 2 skipped
C:\Documents and Settings\Colin & Kerry\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Colin & Kerry\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped
C:\Documents and Settings\Colin & Kerry\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Colin & Kerry\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Colin & Kerry\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Colin & Kerry\Local Settings\History\History.IE5\MSHist012008032620080327\index.dat Object is locked skipped
C:\Documents and Settings\Colin & Kerry\Local Settings\Temp\~DFDB73.tmp Object is locked skipped
C:\Documents and Settings\Colin & Kerry\Local Settings\Temp\~DFDB8E.tmp Object is locked skipped
C:\Documents and Settings\Colin & Kerry\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Colin & Kerry\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Colin & Kerry\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Colin & Kerry\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\colin.LAMUELA\Desktop\SmitfraudFix.exe/data.rar/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\colin.LAMUELA\Desktop\SmitfraudFix.exe/data.rar Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\colin.LAMUELA\Desktop\SmitfraudFix.exe RarSFX: infected - 2 skipped
C:\Documents and Settings\LocalService\Application Data\Acronis\TrueImageHome\Logs\603BBB9F-02AB-4873-8178-F10407434D19.log Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Hagel Technologies\DU Meter\DUMeter.sqb Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\coShared\WA\1.5\NCOWAD.dat Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\coShared\WA\1.5\NCOWADMT.dat Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\coShared\WA\1.5\NCOWAS.dat Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\coShared\WA\1.5\NCOWAS.ldb Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\EENGINE\EPERSIST.DAT Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDALRT.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDCON.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDDBG.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDFW.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDIDS.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDSYS.log Object is locked skipped
C:\Program Files\Norton 360\Log\AutoProtect.log Object is locked skipped
C:\Program Files\Norton 360\Log\AVContext.log Object is locked skipped
C:\Program Files\Norton 360\Log\AVManual.log Object is locked skipped
C:\Program Files\Norton 360\Log\Backup.log Object is locked skipped
C:\Program Files\Norton 360\Log\CUInternetPageViewHistory.log Object is locked skipped
C:\Program Files\Norton 360\Log\CUInternetSearchHistory.log Object is locked skipped
C:\Program Files\Norton 360\Log\CUInternetTempFiles.log Object is locked skipped
C:\Program Files\Norton 360\Log\CUWindowsTempFiles.log Object is locked skipped
C:\Program Files\Norton 360\Log\EmailScan.log Object is locked skipped
C:\Program Files\Norton 360\Log\InternetSecurity.log Object is locked skipped
C:\Program Files\Norton 360\Log\ISIntrusionPrevented.log Object is locked skipped
C:\Program Files\Norton 360\Log\ISIOTraffic.log Object is locked skipped
C:\Program Files\Norton 360\Log\ISNewNetwork.log Object is locked skipped
C:\Program Files\Norton 360\Log\LiveUpdate.log Object is locked skipped
C:\Program Files\Norton 360\Log\NCO.log Object is locked skipped
C:\Program Files\Norton 360\Log\VABrowserSettings.log Object is locked skipped
C:\Program Files\Norton 360\Log\VAIPAddresses.log Object is locked skipped
C:\Program Files\Norton 360\Log\VAWeakPasswords.log Object is locked skipped
C:\Program Files\Norton 360\Log\WDFScanner.log Object is locked skipped
C:\Program Files\PeerGuardian2\history.db Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{F8295CD4-041F-4125-8E90-DBC20C4CB6C2}\RP113\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{9C929DBC-7237-4316-A472-FFA2F61D2C47}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\TEMP\JET824.tmp Object is locked skipped
C:\WINDOWS\TEMP\JET8C0.tmp Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
D:\System Volume Information\_restore{7CC75D25-3185-4C73-88AD-16FB45024A7A}\RP53\A0009287.exe/WISE0016.BIN Infected: not-a-virus:AdWare.Win32.OneStep.c skipped
D:\System Volume Information\_restore{7CC75D25-3185-4C73-88AD-16FB45024A7A}\RP53\A0009287.exe/WISE0019.BIN Infected: not-a-virus:AdWare.Win32.Relevant.a skipped
D:\System Volume Information\_restore{7CC75D25-3185-4C73-88AD-16FB45024A7A}\RP53\A0009287.exe/WISE0020.BIN Infected: not-a-virus:AdTool.Win32.WhenU.a skipped
D:\System Volume Information\_restore{7CC75D25-3185-4C73-88AD-16FB45024A7A}\RP53\A0009287.exe WiseSFX: infected - 3 skipped
D:\System Volume Information\_restore{7CC75D25-3185-4C73-88AD-16FB45024A7A}\RP53\A0009287.exe WiseSFXDropper: infected - 3 skipped
D:\System Volume Information\_restore{7CC75D25-3185-4C73-88AD-16FB45024A7A}\RP53\A0009288.exe/WISE0016.BIN Infected: not-a-virus:AdWare.Win32.OneStep.c skipped
D:\System Volume Information\_restore{7CC75D25-3185-4C73-88AD-16FB45024A7A}\RP53\A0009288.exe/WISE0019.BIN Infected: not-a-virus:AdWare.Win32.Relevant.a skipped
D:\System Volume Information\_restore{7CC75D25-3185-4C73-88AD-16FB45024A7A}\RP53\A0009288.exe/WISE0020.BIN Infected: not-a-virus:AdTool.Win32.WhenU.a skipped
D:\System Volume Information\_restore{7CC75D25-3185-4C73-88AD-16FB45024A7A}\RP53\A0009288.exe WiseSFX: infected - 3 skipped
D:\System Volume Information\_restore{7CC75D25-3185-4C73-88AD-16FB45024A7A}\RP53\A0009288.exe WiseSFXDropper: infected - 3 skipped
D:\System Volume Information\_restore{7CC75D25-3185-4C73-88AD-16FB45024A7A}\RP53\A0009308.exe/WISE0016.BIN Infected: not-a-virus:AdWare.Win32.OneStep.c skipped
D:\System Volume Information\_restore{7CC75D25-3185-4C73-88AD-16FB45024A7A}\RP53\A0009308.exe/WISE0019.BIN Infected: not-a-virus:AdWare.Win32.Relevant.a skipped
D:\System Volume Information\_restore{7CC75D25-3185-4C73-88AD-16FB45024A7A}\RP53\A0009308.exe/WISE0020.BIN Infected: not-a-virus:AdTool.Win32.WhenU.a skipped
D:\System Volume Information\_restore{7CC75D25-3185-4C73-88AD-16FB45024A7A}\RP53\A0009308.exe WiseSFX: infected - 3 skipped
D:\System Volume Information\_restore{7CC75D25-3185-4C73-88AD-16FB45024A7A}\RP53\A0009379.exe/WISE0014.BIN Infected: not-a-virus:AdWare.Win32.OneStep.c skipped
D:\System Volume Information\_restore{7CC75D25-3185-4C73-88AD-16FB45024A7A}\RP53\A0009379.exe/WISE0017.BIN Infected: not-a-virus:AdTool.Win32.WhenU.a skipped
D:\System Volume Information\_restore{7CC75D25-3185-4C73-88AD-16FB45024A7A}\RP53\A0009379.exe WiseSFX: infected - 2 skipped
D:\System Volume Information\_restore{7CC75D25-3185-4C73-88AD-16FB45024A7A}\RP56\A0010103.exe/WISE0016.BIN Infected: not-a-virus:AdWare.Win32.OneStep.c skipped
D:\System Volume Information\_restore{7CC75D25-3185-4C73-88AD-16FB45024A7A}\RP56\A0010103.exe/WISE0019.BIN Infected: not-a-virus:AdWare.Win32.Relevant.a skipped
D:\System Volume Information\_restore{7CC75D25-3185-4C73-88AD-16FB45024A7A}\RP56\A0010103.exe/WISE0020.BIN Infected: not-a-virus:AdTool.Win32.WhenU.a skipped
D:\System Volume Information\_restore{7CC75D25-3185-4C73-88AD-16FB45024A7A}\RP56\A0010103.exe WiseSFX: infected - 3 skipped
D:\System Volume Information\_restore{7CC75D25-3185-4C73-88AD-16FB45024A7A}\RP56\A0010103.exe WiseSFXDropper: infected - 3 skipped

Scan process completed.
chunkeyman
Regular Member
 
Posts: 21
Joined: March 25th, 2008, 2:16 pm

Re: Virtumonde help please!

Unread postby dan12 » March 26th, 2008, 4:43 pm

Thanks for returned logs,don't forget the new HJT log also.
Will be tomorrow when I get back to you as I have a litlle to look over, pleased the popups have stopped. :D
dan :)
User avatar
dan12
MRU Honors Grad Emeritus
 
Posts: 6123
Joined: March 30th, 2006, 3:22 am
Location: Leicestershire

Re: Virtumonde help please!

Unread postby chunkeyman » March 26th, 2008, 4:48 pm

Hi Dan

Sorry, my mistake I forgot to add the HJT report.

Everything seems ok still...fingers crossed! :profileright:

Thanks

Colin


HJT Report

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:55:40, on 26/03/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\a-squared Free\a2service.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\DU Meter\DUMeterSvc.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\oodag.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DU Meter\DUMeter.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\PeerGuardian2\pg2.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [JMB36X IDE Setup] C:\WINDOWS\RaidTool\xInsIDE.exe
O4 - HKLM\..\Run: [36X Raid Configurer] C:\WINDOWS\System32\xRaidSetup.exe boot
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\LogitechImageStudio\ISStart.exe
O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\LogitechImageStudio\LogiTray.exe
O4 - HKLM\..\Run: [OODefragTray] C:\WINDOWS\system32\oodtray.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [TrueImageMonitor.exe] C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
O4 - HKLM\..\Run: [AcronisTimounterMonitor] C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [AAWTray] C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DU Meter] C:\Program Files\DU Meter\DUMeter.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [WUAppSetup] C:\Program Files\Common Files\logishrd\WUApp32.exe -v 0x046d -p 0x08b2 -f video -m logitech -d 10.5.1.2023 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [WUAppSetup] C:\Program Files\Common Files\logishrd\WUApp32.exe -v 0x046d -p 0x08b2 -f video -m logitech -d 10.5.1.2023 (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partne ... nicode.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microso ... 1191289296
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan ... asinst.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O16 - DPF: {D821DC4A-0814-435E-9820-661C543A4679} (CRLDownloadWrapper Class) - http://drmlicense.one.microsoft.com/crl ... crlocx.ocx
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: DU Meter Service (DUMeterSvc) - Hagel Technologies Ltd - C:\Program Files\DU Meter\DUMeterSvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\system32\oodag.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Acronis Try And Decide Service (TryAndDecideService) - Unknown owner - C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe
O23 - Service: UPnPService - Magix AG - C:\Program Files\Common Files\MAGIX Shared\UPnPService\UPnPService.exe

--
End of file - 10944 bytes
chunkeyman
Regular Member
 
Posts: 21
Joined: March 25th, 2008, 2:16 pm

Re: Virtumonde help please!

Unread postby dan12 » March 27th, 2008, 5:22 am

Looking a lot better :)

Run HijackThis, select Do a system scan only and place checks against the following entries (if they are still present)

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
WITH ALL OTHER WINDOWS CLOSED Click on Fix Checked and exit



1. Close any open browsers.

2. Open notepad and copy/paste the text in the quotebox below into it:

Code: Select all
    File::
C:\Documents and Settings\colin\Desktop\SmitfraudFix.exe
C:\Documents and Settings\colin.LAMUELA\Desktop\SmitfraudFix.exe
C:\Documents and Settings\Colin & Kerry\Desktopvirii
C:\Documents and Settings\colin.LAMUELA\Desktopvirii
C:\Documents and Settings\colin\Desktopvirii

    Folder::
C:\Documents and Settings\All Users\Application Data\rszyjelw

    
    


Save this as CFScript.txt, in the same location as ComboFix.exe


Image

Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at "C:\ComboFix.txt"

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall


Please include in your next post:
  • Combofix log txt
  • New highjackthis log

Thanks dan
User avatar
dan12
MRU Honors Grad Emeritus
 
Posts: 6123
Joined: March 30th, 2006, 3:22 am
Location: Leicestershire

Re: Virtumonde help please!

Unread postby chunkeyman » March 27th, 2008, 5:52 am

Good morning Dan,

All reports completed as requested. Near the end me thinks :lol:

Thanks

Colin



Combofix report

ComboFix 08-03-25.1 - Colin & Kerry 2008-03-27 10:35:11.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1454 [GMT 1:00]
Running from: C:\Documents and Settings\Colin & Kerry\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Colin & Kerry\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\Documents and Settings\Colin & Kerry\Desktopvirii
C:\Documents and Settings\colin.LAMUELA\Desktop\SmitfraudFix.exe
C:\Documents and Settings\colin.LAMUELA\Desktopvirii
C:\Documents and Settings\colin\Desktop\SmitfraudFix.exe
C:\Documents and Settings\colin\Desktopvirii
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\rszyjelw
C:\Documents and Settings\colin.LAMUELA\Desktop\SmitfraudFix.exe
C:\Documents and Settings\colin\Desktop\SmitfraudFix.exe

.
((((((((((((((((((((((((( Files Created from 2008-02-27 to 2008-03-27 )))))))))))))))))))))))))))))))
.

2008-03-26 18:45 . 2008-03-26 18:45 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-03-26 18:45 . 2008-03-26 18:45 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-03-26 18:16 . 2008-03-26 18:16 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-03-26 18:16 . 2008-03-26 18:16 <DIR> d-------- C:\Documents and Settings\Colin & Kerry\Application Data\Malwarebytes
2008-03-26 18:16 . 2008-03-26 18:16 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-03-25 23:48 . 2008-03-25 23:48 <DIR> d-------- C:\Program Files\CCleaner
2008-03-25 22:23 . 2008-03-26 12:42 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-03-25 22:23 . 2008-03-25 22:23 <DIR> d-------- C:\Documents and Settings\Colin & Kerry\Application Data\SUPERAntiSpyware.com
2008-03-25 22:23 . 2008-03-25 22:23 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-03-25 21:02 . 2008-03-25 21:02 <DIR> d-------- C:\Documents and Settings\Colin & Kerry\Application Data\Grisoft
2008-03-25 18:41 . 2008-03-25 18:41 <DIR> d-------- C:\Program Files\Trend Micro
2008-03-25 17:05 . 2008-03-25 17:59 <DIR> d-------- C:\Program Files\Spyware Doctor
2008-03-25 17:05 . 2008-03-25 17:05 <DIR> d-------- C:\Documents and Settings\Colin & Kerry\Application Data\PC Tools
2008-03-25 17:05 . 2007-12-10 14:53 81,288 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2008-03-25 17:05 . 2007-12-10 14:53 66,952 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2008-03-25 17:05 . 2007-12-10 14:53 41,864 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2008-03-25 17:05 . 2007-12-10 14:53 29,576 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2008-03-25 13:37 . 2008-03-26 09:51 <DIR> d-------- C:\Program Files\a-squared Free
2008-03-25 12:46 . 2008-03-26 09:51 <DIR> d-------- C:\Program Files\Windows Defender
2008-03-25 11:19 . 2008-03-25 11:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ParetoLogic Anti-Spyware
2008-03-25 08:35 . 2008-03-26 09:50 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2008-03-24 20:34 . 2008-03-24 20:34 664 --a------ C:\WINDOWS\system32\d3d9caps.dat
2008-03-24 20:24 . 2008-03-24 20:24 <DIR> d-------- C:\Documents and Settings\colin.LAMUELA\Application Data\Grisoft
2008-03-24 20:24 . 2008-03-24 20:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-03-24 20:24 . 2007-05-30 13:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-03-24 19:19 . 2008-03-24 19:19 <DIR> d-------- C:\Documents and Settings\colin.LAMUELA\Application Data\TuneUp Software
2008-03-24 18:51 . 2008-03-24 18:51 <DIR> d-------- C:\Documents and Settings\colin.LAMUELA\Desktopvirii
2008-03-24 12:17 . 2008-03-24 12:17 <DIR> d-------- C:\Documents and Settings\colin\Desktopvirii
2008-03-24 12:08 . 2008-03-24 18:40 <DIR> d-------- C:\Program Files\RogueRemover
2008-03-24 10:12 . 2008-03-24 20:35 4,754 --a------ C:\WINDOWS\system32\tmp.reg
2008-03-24 10:11 . 2007-09-05 23:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-03-24 10:11 . 2006-04-27 16:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-03-24 10:11 . 2008-03-22 15:49 86,528 --a------ C:\WINDOWS\system32\VACFix.exe
2008-03-24 10:11 . 2008-03-15 17:16 82,432 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-03-24 10:11 . 2004-07-31 17:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-03-24 10:11 . 2007-10-03 23:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-03-23 21:08 . 2008-03-26 09:50 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2008-03-23 21:08 . 2008-03-26 09:50 1,406 --a------ C:\WINDOWS\system32\Help.ico
2008-03-23 19:27 . 2008-03-23 19:29 <DIR> d-------- C:\Program Files\ShellExView
2008-03-23 19:27 . 2008-03-23 19:27 39,424 --a------ C:\WINDOWS\zipinst.exe
2008-03-23 17:17 . 2008-03-25 10:52 <DIR> d-------- C:\Program Files\Enigma Software Group
2008-03-23 16:16 . 2008-03-23 16:19 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-03-23 16:16 . 2008-03-23 16:16 <DIR> d-------- C:\Documents and Settings\Colin & Kerry\Application Data\Spybot - Search & Destroy
2008-03-23 16:16 . 2008-03-26 00:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-03-23 16:16 . 2007-03-03 03:55 9,662 -rahs---- C:\WINDOWS\unins000.ico
2008-03-23 16:08 . 2008-03-25 18:25 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-03-23 16:03 . 2008-03-25 12:40 <DIR> d-------- C:\Program Files\Trojan Remover
2008-03-23 14:53 . 2008-03-23 14:53 <DIR> d-------- C:\Documents and Settings\Colin & Kerry\Desktopvirii
2008-03-23 12:45 . 2005-07-06 17:12 2,973,696 --------- C:\WINDOWS\UNNeroVision.exe
2008-03-23 12:45 . 2005-07-06 17:37 145,608 --------- C:\WINDOWS\UNNeroVision.cfg
2008-03-23 12:44 . 2008-03-23 12:44 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Ahead
2008-03-23 12:44 . 2004-07-09 09:43 364,544 --------- C:\WINDOWS\system32\TwnLib4.dll
2008-03-23 12:44 . 2001-06-26 08:15 38,912 --------- C:\WINDOWS\system32\picn20.dll
2008-03-12 15:42 . 2008-03-12 15:39 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-03-12 15:39 . 2008-03-25 16:28 <DIR> d-------- C:\Documents and Settings\Colin & Kerry\.housecall6.6
2008-03-08 16:57 . 2008-03-08 17:07 <DIR> d-------- C:\Program Files\Super Internet TV
2008-02-28 16:58 . 2008-03-22 19:24 <DIR> d-------- C:\Incomplete

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-27 09:31 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-03-27 09:28 --------- d-----w C:\Program Files\PeerGuardian2
2008-03-27 09:28 --------- d-----w C:\Documents and Settings\Colin & Kerry\Application Data\uTorrent
2008-03-27 07:42 --------- d-----w C:\Documents and Settings\Colin & Kerry\Application Data\Skype
2008-03-27 07:36 --------- d-----w C:\Documents and Settings\Colin & Kerry\Application Data\skypePM
2008-03-27 07:10 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-03-26 19:08 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2008-03-26 08:51 --------- d-----w C:\Program Files\Winamp
2008-03-26 08:51 --------- d-----w C:\Program Files\TuneUp Utilities 2008
2008-03-26 08:51 --------- d-----w C:\Program Files\Norton 360
2008-03-26 08:51 --------- d-----w C:\Program Files\LogitechImageStudio
2008-03-26 08:51 --------- d-----w C:\Program Files\DU Meter
2008-03-26 08:50 --------- d-----w C:\Program Files\Google
2008-03-25 21:22 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-03-25 17:47 --------- d-----w C:\Program Files\Super Ad Blocker
2008-03-25 17:30 --------- d-----w C:\Program Files\Java
2008-03-23 20:47 --------- d-----w C:\Program Files\MagicISO
2008-03-23 11:44 --------- d-----w C:\Program Files\Ahead
2008-03-21 16:02 --------- d-----w C:\Documents and Settings\Colin & Kerry\Application Data\LimeWire
2008-03-20 12:59 --------- d-----w C:\Documents and Settings\Colin & Kerry\Application Data\MahJong Suite
2008-03-20 11:53 --------- d-----w C:\Program Files\MP4 Converter 3
2008-03-20 11:30 --------- d-----w C:\Program Files\IsoBuster
2008-03-06 20:32 706 ----a-w C:\WINDOWS\system32\drivers\COH_Mon.inf
2008-03-06 20:32 23,904 ----a-w C:\WINDOWS\system32\drivers\COH_Mon.sys
2008-03-06 20:32 10,537 ----a-w C:\WINDOWS\system32\drivers\COH_Mon.cat
2008-02-21 09:08 --------- d-----w C:\Program Files\Easy Video Joiner
2008-02-20 21:37 --------- d-----w C:\Program Files\ffdshow
2008-02-20 21:18 --------- d-----w C:\Program Files\WinAVI VideoConverter
2008-02-20 21:01 --------- d-----w C:\Program Files\FairUse Wizard 2
2008-02-16 16:32 --------- d-----w C:\Program Files\DivX
2008-02-16 15:59 --------- d-----w C:\Program Files\Codec Pack - All In 1
2008-02-16 15:58 --------- d-----w C:\Program Files\Xvid
2008-02-16 13:51 --------- d-----w C:\Program Files\Common Files\AVSMedia
2008-02-16 13:45 --------- d-----w C:\Documents and Settings\Colin & Kerry\Application Data\AVS4YOU
2008-02-16 13:44 --------- d-----w C:\Documents and Settings\All Users\Application Data\AVS4YOU
2008-02-16 11:29 --------- d-----w C:\Program Files\AviSynth 2.5
2008-02-15 10:24 --------- d-----w C:\Program Files\ABBYY FineReader 6.0 Sprint
2008-02-13 13:45 --------- d-----w C:\Program Files\Cover Expert
2008-02-12 08:43 --------- d-----w C:\Documents and Settings\LocalService\Application Data\Acronis
2008-02-12 08:34 441,760 ----a-w C:\WINDOWS\system32\drivers\timntr.sys
2008-02-12 08:34 44,384 ----a-w C:\WINDOWS\system32\drivers\tifsfilt.sys
2008-02-12 08:34 129,248 ----a-w C:\WINDOWS\system32\drivers\snapman.sys
2008-02-12 08:34 --------- d-----w C:\Documents and Settings\All Users\Application Data\Acronis
2008-02-12 08:33 368,736 ----a-w C:\WINDOWS\system32\drivers\tdrpman.sys
2008-02-12 08:33 --------- d-----w C:\Program Files\Common Files\Acronis
2008-02-12 08:33 --------- d-----w C:\Program Files\Acronis
2008-02-11 19:11 --------- d-----w C:\Program Files\LimeWire
2008-02-09 16:13 360,064 ----a-w C:\WINDOWS\system32\drivers\TCPIP.SYS.ORIGINAL
2008-02-09 16:13 360,064 ----a-w C:\WINDOWS\system32\drivers\TCPIP.SYS
2008-02-09 15:18 --------- d-----w C:\Program Files\Free Audio Pack
2008-02-09 11:23 --------- d-----w C:\Program Files\Common Files\Adobe
2008-02-07 15:21 --------- d-----w C:\Program Files\Portrait Professional Max 6
2008-02-07 15:21 --------- d-----w C:\Documents and Settings\Colin & Kerry\Application Data\Anthropics
2008-02-05 08:38 --------- d-----w C:\Documents and Settings\Colin & Kerry\Application Data\LEAPS
2008-02-05 08:37 --------- d-----w C:\Program Files\Pegasys Inc
2008-02-05 08:25 --------- d-----w C:\Documents and Settings\Colin & Kerry\Application Data\Pegasys Inc
2008-02-02 15:32 --------- d-----w C:\Program Files\SopCast
2008-02-01 20:20 --------- d-----w C:\Documents and Settings\Colin & Kerry\Application Data\Winamp
2008-01-28 12:13 287,488 ----a-w C:\WINDOWS\system32\drivers\RTL8187.sys
2008-01-27 08:28 --------- d-----w C:\Program Files\MSXML 4.0
2008-01-24 20:30 737,280 ----a-w C:\WINDOWS\iun6002.exe
2008-01-24 19:00 32 ----a-w C:\Documents and Settings\All Users\Application Data\ezsid.dat
.

------- Sigcheck -------

2007-10-30 17:53 360832 64798ecfa43d78c7178375fcdd16d8c8 C:\WINDOWS\$hf_mig$\KB941644\SP2QFE\tcpip.sys
2002-08-29 01:58 332928 244a2f9816bc9b593957281ef577d976 C:\WINDOWS\$NtServicePackUninstall$\tcpip.sys
2004-08-03 23:14 359040 9f4b36614a0fc234525ba224957de55c C:\WINDOWS\$NtUninstallKB941644$\tcpip.sys
2004-08-03 23:14 359040 9f4b36614a0fc234525ba224957de55c C:\WINDOWS\ServicePackFiles\i386\TCPIP.SYS
2008-02-09 17:13 360064 482ab7f9cd41702e8f856c11cfefb02d C:\WINDOWS\system32\dllcache\TCPIP.SYS
2008-02-09 17:13 360064 482ab7f9cd41702e8f856c11cfefb02d C:\WINDOWS\system32\drivers\TCPIP.SYS
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]
"DU Meter"="C:\Program Files\DU Meter\DUMeter.exe" [2007-10-17 20:23 979968]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-01-24 15:44 68856]
"PeerGuardian"="C:\Program Files\PeerGuardian2\pg2.exe" [2005-09-18 18:40 1421824]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-02-27 11:39 1310720]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2006-12-18 14:34 868352]
"SoundMAX"="C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" [2006-07-13 07:12 729088]
"JMB36X IDE Setup"="C:\WINDOWS\RaidTool\xInsIDE.exe" [2007-03-20 07:36 36864]
"36X Raid Configurer"="C:\WINDOWS\System32\xRaidSetup.exe" [2007-03-21 09:23 1953792]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50 155648]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-10 06:59 115816]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-04-12 16:44 8429568]
"nwiz"="nwiz.exe" [2007-04-12 16:44 1626112 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-04-12 16:44 81920]
"LVCOMS"="C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE" [2002-12-10 17:54 127022]
"LogitechGalleryRepair"="C:\Program Files\LogitechImageStudio\ISStart.exe" [2002-12-10 18:32 155648]
"LogitechImageStudioTray"="C:\Program Files\LogitechImageStudio\LogiTray.exe" [2002-12-10 18:31 61440]
"OODefragTray"="C:\WINDOWS\system32\oodtray.exe" [2007-05-11 02:08 2512392]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 20:24 32768]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2007-10-10 06:28 36352]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"TrueImageMonitor.exe"="C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe" [2007-09-14 02:52 2595480]
"AcronisTimounterMonitor"="C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe" [2007-09-14 03:02 905056]
"Acronis Scheduler2 Service"="C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe" [2007-09-14 02:55 140568]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-29 17:38 583048]
"AAWTray"="C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe" [2007-08-08 15:53 88024]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 18:20 866584]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 00:56 15360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"WUAppSetup"="C:\Program Files\Common Files\logishrd\WUApp32.exe" [2007-02-03 10:23 430080]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-02-27 11:39 282624 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 relog_ap

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\uTorrent\\utorrent.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

R0 tdrpman;Acronis Try&Decide and Restore Points filter;C:\WINDOWS\system32\DRIVERS\tdrpman.sys [2008-02-12 09:33]
R2 DUMeterSvc;DU Meter Service;C:\Program Files\DU Meter\DUMeterSvc.exe [2007-10-15 15:19]
R2 TryAndDecideService;Acronis Try And Decide Service;"C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe" [2007-09-14 04:01]
R2 UxTuneUp;TuneUp Theme Extension;C:\WINDOWS\System32\svchost.exe [2004-08-04 00:56]
R3 genmcmnUSB;USB Scroll Mouse Driver;C:\WINDOWS\system32\DRIVERS\gflmouhid.sys [2004-04-19 15:01]
S1 SABKUTIL;SABKUTIL;C:\Program Files\Super Ad Blocker\SABKUTIL.sys []
S3 PhilCam8116;Logitech QuickCam Pro 3000(PID_08B0);C:\WINDOWS\system32\DRIVERS\CamDrL21.sys [2002-12-10 17:53]
S3 RTLWUSB;Realtek RTL8187 Wireless 802.11b/g 54Mbps USB 2.0 Network Adapter;C:\WINDOWS\system32\DRIVERS\RTL8187.sys [2008-01-28 13:13]
S3 TuneUp.Defrag;TuneUp Drive Defrag Service;C:\WINDOWS\System32\TuneUpDefragService.exe [2008-01-25 13:33]
S3 UPnPService;UPnPService;C:\Program Files\Common Files\MAGIX Shared\UPnPService\UPnPService.exe [2006-12-14 16:00]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

*Newly Created Service* - COMHOST
.
Contents of the 'Scheduled Tasks' folder
"2008-03-25 10:19:06 C:\WINDOWS\Tasks\Pareto UNS.job"
- C:\Program Files\Common Files\ParetoLogic\UUS\UUS.dll\Pareto_Update.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-27 10:38:55
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\DUMeterSvc]
"ImagePath"="C:\Program Files\DU Meter\DUMeterSvc.exe /startedbyscm:E1F6D4BE-40E33354-DUMeterService"
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\a-squared Free\a2service.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\oodag.exe
.
**************************************************************************
.
Completion time: 2008-03-27 10:41:00 - machine was rebooted
ComboFix-quarantined-files.txt 2008-03-27 09:40:58
.
2008-03-27 08:08:06 --- E O F ---


HJT report

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:43:27, on 27/03/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\a-squared Free\a2service.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\DU Meter\DUMeterSvc.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\oodag.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [JMB36X IDE Setup] C:\WINDOWS\RaidTool\xInsIDE.exe
O4 - HKLM\..\Run: [36X Raid Configurer] C:\WINDOWS\System32\xRaidSetup.exe boot
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\LogitechImageStudio\ISStart.exe
O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\LogitechImageStudio\LogiTray.exe
O4 - HKLM\..\Run: [OODefragTray] C:\WINDOWS\system32\oodtray.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [TrueImageMonitor.exe] C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
O4 - HKLM\..\Run: [AcronisTimounterMonitor] C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [AAWTray] C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DU Meter] C:\Program Files\DU Meter\DUMeter.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [WUAppSetup] C:\Program Files\Common Files\logishrd\WUApp32.exe -v 0x046d -p 0x08b2 -f video -m logitech -d 10.5.1.2023 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [WUAppSetup] C:\Program Files\Common Files\logishrd\WUApp32.exe -v 0x046d -p 0x08b2 -f video -m logitech -d 10.5.1.2023 (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partne ... nicode.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microso ... 1191289296
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan ... asinst.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O16 - DPF: {D821DC4A-0814-435E-9820-661C543A4679} (CRLDownloadWrapper Class) - http://drmlicense.one.microsoft.com/crl ... crlocx.ocx
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: DU Meter Service (DUMeterSvc) - Hagel Technologies Ltd - C:\Program Files\DU Meter\DUMeterSvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\system32\oodag.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Acronis Try And Decide Service (TryAndDecideService) - Unknown owner - C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe
O23 - Service: UPnPService - Magix AG - C:\Program Files\Common Files\MAGIX Shared\UPnPService\UPnPService.exe

--
End of file - 10279 bytes
chunkeyman
Regular Member
 
Posts: 21
Joined: March 25th, 2008, 2:16 pm

Re: Virtumonde help please!

Unread postby dan12 » March 27th, 2008, 6:34 am

Good morning to you also,Yes not too far off :)
Ok, couple of stuburn items.


1. Close any open browsers.

2. Open notepad and copy/paste the text in the quotebox below into it:

Code: Select all


    Folder::
C:\Documents and Settings\Colin & Kerry\Desktopvirii
C:\Documents and Settings\colin.LAMUELA\Desktopvirii
C:\Documents and Settings\colin\Desktopvirii
.
    


Save this as CFScript.txt, in the same location as ComboFix.exe


Image

Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at "C:\ComboFix.txt"

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall


-------------------------------


boot into safe mode

  • Next, please reboot your computer in Safe Mode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
  • Instead of Windows loading as normal, a menu should appear use arrow up to highlight
  • Select the first option, to run Windows in Safe Mode hit enter.
  • For additional help in booting into Safe Mode, see the following site:HERE

Run HijackThis, select Do a system scan only and place checks against the following entries (if they are still present)

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
WITH ALL OTHER WINDOWS CLOSED Click on Fix Checked and exit

re-boot into normal mode.


Please include in your next post:
  • Combofix log txt
  • New highjackthis log

Thanks dan
User avatar
dan12
MRU Honors Grad Emeritus
 
Posts: 6123
Joined: March 30th, 2006, 3:22 am
Location: Leicestershire

Re: Virtumonde help please!

Unread postby chunkeyman » March 27th, 2008, 7:08 am

Hi Dan

Once again, all items run as requested and reports are as follows -


Combofix report


ComboFix 08-03-25.1 - Colin & Kerry 2008-03-27 11:43:16.4 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1503 [GMT 1:00]
Running from: C:\Documents and Settings\Colin & Kerry\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Colin & Kerry\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Colin & Kerry\Desktopvirii
C:\Documents and Settings\Colin & Kerry\Desktopvirii\Trojan-Downloader.Win32.Agent.bl.exe
C:\Documents and Settings\Colin & Kerry\Desktopvirii\Trojan-Downloader.Win32.Agent.p.exe
C:\Documents and Settings\Colin & Kerry\Desktopvirii\Trojan-Downloader.Win32.Agent.r.exe
C:\Documents and Settings\Colin & Kerry\Desktopvirii\Trojan-Downloader.Win32.Agent.t.exe
C:\Documents and Settings\Colin & Kerry\Desktopvirii\Trojan-Downloader.Win32.Agent.v.exe
C:\Documents and Settings\colin.LAMUELA\Desktopvirii
C:\Documents and Settings\colin.LAMUELA\Desktopvirii\Trojan-Downloader.Win32.Agent.bl.exe
C:\Documents and Settings\colin.LAMUELA\Desktopvirii\Trojan-Downloader.Win32.Agent.p.exe
C:\Documents and Settings\colin.LAMUELA\Desktopvirii\Trojan-Downloader.Win32.Agent.r.exe
C:\Documents and Settings\colin.LAMUELA\Desktopvirii\Trojan-Downloader.Win32.Agent.t.exe
C:\Documents and Settings\colin.LAMUELA\Desktopvirii\Trojan-Downloader.Win32.Agent.v.exe
C:\Documents and Settings\colin\Desktopvirii
C:\Documents and Settings\colin\Desktopvirii\Trojan-Downloader.Win32.Agent.bl.exe
C:\Documents and Settings\colin\Desktopvirii\Trojan-Downloader.Win32.Agent.p.exe
C:\Documents and Settings\colin\Desktopvirii\Trojan-Downloader.Win32.Agent.r.exe
C:\Documents and Settings\colin\Desktopvirii\Trojan-Downloader.Win32.Agent.t.exe
C:\Documents and Settings\colin\Desktopvirii\Trojan-Downloader.Win32.Agent.v.exe

.
((((((((((((((((((((((((( Files Created from 2008-02-27 to 2008-03-27 )))))))))))))))))))))))))))))))
.

2008-03-26 18:45 . 2008-03-26 18:45 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-03-26 18:45 . 2008-03-26 18:45 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-03-26 18:16 . 2008-03-26 18:16 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-03-26 18:16 . 2008-03-26 18:16 <DIR> d-------- C:\Documents and Settings\Colin & Kerry\Application Data\Malwarebytes
2008-03-26 18:16 . 2008-03-26 18:16 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-03-25 23:48 . 2008-03-25 23:48 <DIR> d-------- C:\Program Files\CCleaner
2008-03-25 22:23 . 2008-03-26 12:42 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-03-25 22:23 . 2008-03-25 22:23 <DIR> d-------- C:\Documents and Settings\Colin & Kerry\Application Data\SUPERAntiSpyware.com
2008-03-25 22:23 . 2008-03-25 22:23 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-03-25 21:02 . 2008-03-25 21:02 <DIR> d-------- C:\Documents and Settings\Colin & Kerry\Application Data\Grisoft
2008-03-25 18:41 . 2008-03-25 18:41 <DIR> d-------- C:\Program Files\Trend Micro
2008-03-25 17:05 . 2008-03-25 17:59 <DIR> d-------- C:\Program Files\Spyware Doctor
2008-03-25 17:05 . 2008-03-25 17:05 <DIR> d-------- C:\Documents and Settings\Colin & Kerry\Application Data\PC Tools
2008-03-25 17:05 . 2007-12-10 14:53 81,288 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2008-03-25 17:05 . 2007-12-10 14:53 66,952 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2008-03-25 17:05 . 2007-12-10 14:53 41,864 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2008-03-25 17:05 . 2007-12-10 14:53 29,576 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2008-03-25 13:37 . 2008-03-26 09:51 <DIR> d-------- C:\Program Files\a-squared Free
2008-03-25 12:46 . 2008-03-26 09:51 <DIR> d-------- C:\Program Files\Windows Defender
2008-03-25 11:19 . 2008-03-25 11:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ParetoLogic Anti-Spyware
2008-03-25 08:35 . 2008-03-26 09:50 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2008-03-24 20:34 . 2008-03-24 20:34 664 --a------ C:\WINDOWS\system32\d3d9caps.dat
2008-03-24 20:24 . 2008-03-24 20:24 <DIR> d-------- C:\Documents and Settings\colin.LAMUELA\Application Data\Grisoft
2008-03-24 20:24 . 2008-03-24 20:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-03-24 20:24 . 2007-05-30 13:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-03-24 19:19 . 2008-03-24 19:19 <DIR> d-------- C:\Documents and Settings\colin.LAMUELA\Application Data\TuneUp Software
2008-03-24 12:08 . 2008-03-24 18:40 <DIR> d-------- C:\Program Files\RogueRemover
2008-03-24 10:12 . 2008-03-24 20:35 4,754 --a------ C:\WINDOWS\system32\tmp.reg
2008-03-24 10:11 . 2007-09-05 23:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-03-24 10:11 . 2006-04-27 16:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-03-24 10:11 . 2008-03-22 15:49 86,528 --a------ C:\WINDOWS\system32\VACFix.exe
2008-03-24 10:11 . 2008-03-15 17:16 82,432 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-03-24 10:11 . 2004-07-31 17:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-03-24 10:11 . 2007-10-03 23:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-03-23 21:08 . 2008-03-26 09:50 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2008-03-23 21:08 . 2008-03-26 09:50 1,406 --a------ C:\WINDOWS\system32\Help.ico
2008-03-23 19:27 . 2008-03-23 19:29 <DIR> d-------- C:\Program Files\ShellExView
2008-03-23 19:27 . 2008-03-23 19:27 39,424 --a------ C:\WINDOWS\zipinst.exe
2008-03-23 17:17 . 2008-03-25 10:52 <DIR> d-------- C:\Program Files\Enigma Software Group
2008-03-23 16:16 . 2008-03-23 16:19 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-03-23 16:16 . 2008-03-23 16:16 <DIR> d-------- C:\Documents and Settings\Colin & Kerry\Application Data\Spybot - Search & Destroy
2008-03-23 16:16 . 2008-03-26 00:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-03-23 16:16 . 2007-03-03 03:55 9,662 -rahs---- C:\WINDOWS\unins000.ico
2008-03-23 16:08 . 2008-03-25 18:25 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-03-23 16:03 . 2008-03-25 12:40 <DIR> d-------- C:\Program Files\Trojan Remover
2008-03-23 12:45 . 2005-07-06 17:12 2,973,696 --------- C:\WINDOWS\UNNeroVision.exe
2008-03-23 12:45 . 2005-07-06 17:37 145,608 --------- C:\WINDOWS\UNNeroVision.cfg
2008-03-23 12:44 . 2008-03-23 12:44 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Ahead
2008-03-23 12:44 . 2004-07-09 09:43 364,544 --------- C:\WINDOWS\system32\TwnLib4.dll
2008-03-23 12:44 . 2001-06-26 08:15 38,912 --------- C:\WINDOWS\system32\picn20.dll
2008-03-12 15:42 . 2008-03-12 15:39 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-03-12 15:39 . 2008-03-25 16:28 <DIR> d-------- C:\Documents and Settings\Colin & Kerry\.housecall6.6
2008-03-08 16:57 . 2008-03-08 17:07 <DIR> d-------- C:\Program Files\Super Internet TV
2008-02-28 16:58 . 2008-03-22 19:24 <DIR> d-------- C:\Incomplete

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-27 10:39 --------- d-----w C:\Program Files\PeerGuardian2
2008-03-27 10:36 --------- d-----w C:\Documents and Settings\Colin & Kerry\Application Data\uTorrent
2008-03-27 10:36 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-03-27 07:42 --------- d-----w C:\Documents and Settings\Colin & Kerry\Application Data\Skype
2008-03-27 07:36 --------- d-----w C:\Documents and Settings\Colin & Kerry\Application Data\skypePM
2008-03-27 07:10 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-03-26 19:08 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2008-03-26 08:51 --------- d-----w C:\Program Files\Winamp
2008-03-26 08:51 --------- d-----w C:\Program Files\TuneUp Utilities 2008
2008-03-26 08:51 --------- d-----w C:\Program Files\Norton 360
2008-03-26 08:51 --------- d-----w C:\Program Files\LogitechImageStudio
2008-03-26 08:51 --------- d-----w C:\Program Files\DU Meter
2008-03-26 08:50 --------- d-----w C:\Program Files\Google
2008-03-25 21:22 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-03-25 17:47 --------- d-----w C:\Program Files\Super Ad Blocker
2008-03-25 17:30 --------- d-----w C:\Program Files\Java
2008-03-23 20:47 --------- d-----w C:\Program Files\MagicISO
2008-03-23 11:44 --------- d-----w C:\Program Files\Ahead
2008-03-21 16:02 --------- d-----w C:\Documents and Settings\Colin & Kerry\Application Data\LimeWire
2008-03-20 12:59 --------- d-----w C:\Documents and Settings\Colin & Kerry\Application Data\MahJong Suite
2008-03-20 11:53 --------- d-----w C:\Program Files\MP4 Converter 3
2008-03-20 11:30 --------- d-----w C:\Program Files\IsoBuster
2008-03-06 20:32 706 ----a-w C:\WINDOWS\system32\drivers\COH_Mon.inf
2008-03-06 20:32 23,904 ----a-w C:\WINDOWS\system32\drivers\COH_Mon.sys
2008-03-06 20:32 10,537 ----a-w C:\WINDOWS\system32\drivers\COH_Mon.cat
2008-02-21 09:08 --------- d-----w C:\Program Files\Easy Video Joiner
2008-02-20 21:37 --------- d-----w C:\Program Files\ffdshow
2008-02-20 21:18 --------- d-----w C:\Program Files\WinAVI VideoConverter
2008-02-20 21:01 --------- d-----w C:\Program Files\FairUse Wizard 2
2008-02-16 16:32 --------- d-----w C:\Program Files\DivX
2008-02-16 15:59 --------- d-----w C:\Program Files\Codec Pack - All In 1
2008-02-16 15:58 --------- d-----w C:\Program Files\Xvid
2008-02-16 13:51 --------- d-----w C:\Program Files\Common Files\AVSMedia
2008-02-16 13:45 --------- d-----w C:\Documents and Settings\Colin & Kerry\Application Data\AVS4YOU
2008-02-16 13:44 --------- d-----w C:\Documents and Settings\All Users\Application Data\AVS4YOU
2008-02-16 11:29 --------- d-----w C:\Program Files\AviSynth 2.5
2008-02-15 10:24 --------- d-----w C:\Program Files\ABBYY FineReader 6.0 Sprint
2008-02-13 13:45 --------- d-----w C:\Program Files\Cover Expert
2008-02-12 08:43 --------- d-----w C:\Documents and Settings\LocalService\Application Data\Acronis
2008-02-12 08:34 441,760 ----a-w C:\WINDOWS\system32\drivers\timntr.sys
2008-02-12 08:34 44,384 ----a-w C:\WINDOWS\system32\drivers\tifsfilt.sys
2008-02-12 08:34 129,248 ----a-w C:\WINDOWS\system32\drivers\snapman.sys
2008-02-12 08:34 --------- d-----w C:\Documents and Settings\All Users\Application Data\Acronis
2008-02-12 08:33 368,736 ----a-w C:\WINDOWS\system32\drivers\tdrpman.sys
2008-02-12 08:33 --------- d-----w C:\Program Files\Common Files\Acronis
2008-02-12 08:33 --------- d-----w C:\Program Files\Acronis
2008-02-11 19:11 --------- d-----w C:\Program Files\LimeWire
2008-02-09 16:13 360,064 ----a-w C:\WINDOWS\system32\drivers\TCPIP.SYS.ORIGINAL
2008-02-09 16:13 360,064 ----a-w C:\WINDOWS\system32\drivers\TCPIP.SYS
2008-02-09 15:18 --------- d-----w C:\Program Files\Free Audio Pack
2008-02-09 11:23 --------- d-----w C:\Program Files\Common Files\Adobe
2008-02-07 15:21 --------- d-----w C:\Program Files\Portrait Professional Max 6
2008-02-07 15:21 --------- d-----w C:\Documents and Settings\Colin & Kerry\Application Data\Anthropics
2008-02-05 08:38 --------- d-----w C:\Documents and Settings\Colin & Kerry\Application Data\LEAPS
2008-02-05 08:37 --------- d-----w C:\Program Files\Pegasys Inc
2008-02-05 08:25 --------- d-----w C:\Documents and Settings\Colin & Kerry\Application Data\Pegasys Inc
2008-02-02 15:32 --------- d-----w C:\Program Files\SopCast
2008-02-01 20:20 --------- d-----w C:\Documents and Settings\Colin & Kerry\Application Data\Winamp
2008-01-28 12:13 287,488 ----a-w C:\WINDOWS\system32\drivers\RTL8187.sys
2008-01-27 08:28 --------- d-----w C:\Program Files\MSXML 4.0
2008-01-24 20:30 737,280 ----a-w C:\WINDOWS\iun6002.exe
2008-01-24 19:00 32 ----a-w C:\Documents and Settings\All Users\Application Data\ezsid.dat
2008-01-24 12:14 155,995 ----a-w C:\WINDOWS\java\Packages\33LZ1N5V.ZIP
2006-06-23 06:48 32,768 ----a-r C:\WINDOWS\inf\UpdateUSB.exe
.

------- Sigcheck -------

2007-10-30 17:53 360832 64798ecfa43d78c7178375fcdd16d8c8 C:\WINDOWS\$hf_mig$\KB941644\SP2QFE\tcpip.sys
2002-08-29 01:58 332928 244a2f9816bc9b593957281ef577d976 C:\WINDOWS\$NtServicePackUninstall$\tcpip.sys
2004-08-03 23:14 359040 9f4b36614a0fc234525ba224957de55c C:\WINDOWS\$NtUninstallKB941644$\tcpip.sys
2004-08-03 23:14 359040 9f4b36614a0fc234525ba224957de55c C:\WINDOWS\ServicePackFiles\i386\TCPIP.SYS
2008-02-09 17:13 360064 482ab7f9cd41702e8f856c11cfefb02d C:\WINDOWS\system32\dllcache\TCPIP.SYS
2008-02-09 17:13 360064 482ab7f9cd41702e8f856c11cfefb02d C:\WINDOWS\system32\drivers\TCPIP.SYS
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]
"DU Meter"="C:\Program Files\DU Meter\DUMeter.exe" [2007-10-17 20:23 979968]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-01-24 15:44 68856]
"PeerGuardian"="C:\Program Files\PeerGuardian2\pg2.exe" [2005-09-18 18:40 1421824]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-02-27 11:39 1310720]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2006-12-18 14:34 868352]
"SoundMAX"="C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" [2006-07-13 07:12 729088]
"JMB36X IDE Setup"="C:\WINDOWS\RaidTool\xInsIDE.exe" [2007-03-20 07:36 36864]
"36X Raid Configurer"="C:\WINDOWS\System32\xRaidSetup.exe" [2007-03-21 09:23 1953792]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50 155648]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-10 06:59 115816]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-04-12 16:44 8429568]
"nwiz"="nwiz.exe" [2007-04-12 16:44 1626112 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-04-12 16:44 81920]
"LVCOMS"="C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE" [2002-12-10 17:54 127022]
"LogitechGalleryRepair"="C:\Program Files\LogitechImageStudio\ISStart.exe" [2002-12-10 18:32 155648]
"LogitechImageStudioTray"="C:\Program Files\LogitechImageStudio\LogiTray.exe" [2002-12-10 18:31 61440]
"OODefragTray"="C:\WINDOWS\system32\oodtray.exe" [2007-05-11 02:08 2512392]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 20:24 32768]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2007-10-10 06:28 36352]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"TrueImageMonitor.exe"="C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe" [2007-09-14 02:52 2595480]
"AcronisTimounterMonitor"="C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe" [2007-09-14 03:02 905056]
"Acronis Scheduler2 Service"="C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe" [2007-09-14 02:55 140568]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-29 17:38 583048]
"AAWTray"="C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe" [2007-08-08 15:53 88024]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 18:20 866584]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 00:56 15360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"WUAppSetup"="C:\Program Files\Common Files\logishrd\WUApp32.exe" [2007-02-03 10:23 430080]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-02-27 11:39 282624 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 relog_ap

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\uTorrent\\utorrent.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

R0 tdrpman;Acronis Try&Decide and Restore Points filter;C:\WINDOWS\system32\DRIVERS\tdrpman.sys [2008-02-12 09:33]
R2 DUMeterSvc;DU Meter Service;C:\Program Files\DU Meter\DUMeterSvc.exe [2007-10-15 15:19]
R2 TryAndDecideService;Acronis Try And Decide Service;"C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe" [2007-09-14 04:01]
R2 UxTuneUp;TuneUp Theme Extension;C:\WINDOWS\System32\svchost.exe [2004-08-04 00:56]
R3 genmcmnUSB;USB Scroll Mouse Driver;C:\WINDOWS\system32\DRIVERS\gflmouhid.sys [2004-04-19 15:01]
S1 SABKUTIL;SABKUTIL;C:\Program Files\Super Ad Blocker\SABKUTIL.sys []
S3 PhilCam8116;Logitech QuickCam Pro 3000(PID_08B0);C:\WINDOWS\system32\DRIVERS\CamDrL21.sys [2002-12-10 17:53]
S3 RTLWUSB;Realtek RTL8187 Wireless 802.11b/g 54Mbps USB 2.0 Network Adapter;C:\WINDOWS\system32\DRIVERS\RTL8187.sys [2008-01-28 13:13]
S3 TuneUp.Defrag;TuneUp Drive Defrag Service;C:\WINDOWS\System32\TuneUpDefragService.exe [2008-01-25 13:33]
S3 UPnPService;UPnPService;C:\Program Files\Common Files\MAGIX Shared\UPnPService\UPnPService.exe [2006-12-14 16:00]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

*Newly Created Service* - COMHOST
.
Contents of the 'Scheduled Tasks' folder
"2008-03-25 10:19:06 C:\WINDOWS\Tasks\Pareto UNS.job"
- C:\Program Files\Common Files\ParetoLogic\UUS\UUS.dll\Pareto_Update.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-27 11:46:50
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\DUMeterSvc]
"ImagePath"="C:\Program Files\DU Meter\DUMeterSvc.exe /startedbyscm:E1F6D4BE-40E33354-DUMeterService"
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\a-squared Free\a2service.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\oodag.exe
.
**************************************************************************
.
Completion time: 2008-03-27 11:48:51 - machine was rebooted
ComboFix-quarantined-files.txt 2008-03-27 10:48:49
ComboFix2.txt 2008-03-27 09:41:01
.
2008-03-27 08:08:06 --- E O F ---


HJT report


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:57:53, on 27/03/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\a-squared Free\a2service.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\DU Meter\DUMeterSvc.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\oodag.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DU Meter\DUMeter.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\PeerGuardian2\pg2.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [JMB36X IDE Setup] C:\WINDOWS\RaidTool\xInsIDE.exe
O4 - HKLM\..\Run: [36X Raid Configurer] C:\WINDOWS\System32\xRaidSetup.exe boot
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\LogitechImageStudio\ISStart.exe
O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\LogitechImageStudio\LogiTray.exe
O4 - HKLM\..\Run: [OODefragTray] C:\WINDOWS\system32\oodtray.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [TrueImageMonitor.exe] C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
O4 - HKLM\..\Run: [AcronisTimounterMonitor] C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [AAWTray] C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DU Meter] C:\Program Files\DU Meter\DUMeter.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [WUAppSetup] C:\Program Files\Common Files\logishrd\WUApp32.exe -v 0x046d -p 0x08b2 -f video -m logitech -d 10.5.1.2023 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [WUAppSetup] C:\Program Files\Common Files\logishrd\WUApp32.exe -v 0x046d -p 0x08b2 -f video -m logitech -d 10.5.1.2023 (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partne ... nicode.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microso ... 1191289296
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan ... asinst.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O16 - DPF: {D821DC4A-0814-435E-9820-661C543A4679} (CRLDownloadWrapper Class) - http://drmlicense.one.microsoft.com/crl ... crlocx.ocx
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: DU Meter Service (DUMeterSvc) - Hagel Technologies Ltd - C:\Program Files\DU Meter\DUMeterSvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\system32\oodag.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Acronis Try And Decide Service (TryAndDecideService) - Unknown owner - C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe
O23 - Service: UPnPService - Magix AG - C:\Program Files\Common Files\MAGIX Shared\UPnPService\UPnPService.exe

--
End of file - 10928 bytes
chunkeyman
Regular Member
 
Posts: 21
Joined: March 25th, 2008, 2:16 pm
Advertisement
Register to Remove

Next

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 281 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware