Virtumonde and other malware .... really need some advice.

**km2357** · 2007-10-19, 19:46

Print out these instructions or save them into a notepad on your desktop, because you will not have internet access while in Safe Mode.

Step # 1 Download AVG Anti-Spyware

Download the trial version of AVG Anti-Spyware from here and install it. When the program has been installed, and you click the Finish button, AVG Anti-Spyware will open.

If the program does not automatically update itself during installation, or you are unsure whether it has done so, please do the following:

Click the Update icon at the top and under Manual Update click the Start update button.
The program will either update or inform you that no update was available.
It is essential that you get the update - keep trying until successful. (Note: If you have problems getting the update, you can download an installer for the full database from here (save it on your desktop). Once you have downloaded the installer, make sure that AVG Anti-Spyware is closed and then double-click on avgas-signatures-full-current.exe to install the database).

Please set up the program as follows:

Click the Shield icon at the top and under Resident shield is... click active. This should now
change to inactive.
Click the Update icon and untick the automatic update option.
Click on Scanner on the toolbar.
Click on the Settings tab.
- Under How to act? - make sure that Quarantine is selected.
- Under How to scan? - All checkboxes should be ticked.
- Under Possibly unwanted software - All checkboxes should be ticked.
- Under Reports - Select Do not automatically generate reports.
- Under What to scan? - Select Scan every file.

Close all open windows.
Do not run a scan yet.

Step # 2: Download and Run ATF Cleaner
Download ATF (Atribune Temp File) Cleaner© by Atribune to your desktop.

Double-click ATF Cleaner.exe to open it.

Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Temporary Internet Files
Prefetch
Java Cache
*The other boxes are optional*
Then click the Empty Selected button.

Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Click Exit on the Main menu to close the program.

Step # 3: Boot into Safe Mode

You can go in Safe Mode by restarting your computer, then continually tapping F8 until a menu appears. Use your up arrow key to highlight Safe Mode, then hit enter.

Step # 4: Remove Hijackthis Entries

Run HijackThis
Click on the Scan button
Put a check beside all of the items listed below (if present):

O23 - Service: McAfee Framework Service (McAfeeFramework) - Unknown owner - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe (file missing)
Close all open windows and browsers/email, etc...
Click on the "Fix Checked" button
When completed, close the application.

Step # 5 Run AVG Anti-Spyware

Click on Scanner on the toolbar.
Click on Complete System Scan to start the scan process.
Let the program scan your computer.
When the scan has finished, follow the instructions below:
- Make sure that Set all elements to: shows Quarantine
- Important: Click on the Apply all Actions button (*** This must done before saving the report ***)
- When the program has finished, it will display the message All actions have been applied.
- Then click the Save Scan Report button.
- Click the Save Report as button.
- Save the report to your Desktop.
Right-click the AVG Tray Icon and select Exit.
Reboot your computer.
Now copy the report back to this topic.

Step # 6 Post Logs

In your next post/reply, I'd like to see the following:

1. AVG AntiSpyware Report
2. A fresh HijackThis log

If you can't fit all the logs into one post/reply, then use multiple posts/replies to get all the logs in.

**ndamico** · 2007-10-20, 03:54

AVG Log ....

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 9:39:00 PM 10/19/2007

+ Scan result:

HKLM\SYSTEM\CurrentControlSet\Services\Sniffer\\Tag -> Adware.BrowserAid : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{2028BC3E-D2D8-4996-9628-1D52322EBCD5}\RP485\A0134807.exe -> Downloader.Adload.lv : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{2028BC3E-D2D8-4996-9628-1D52322EBCD5}\RP485\A0134806.exe -> Downloader.Agent.dpn : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{2028BC3E-D2D8-4996-9628-1D52322EBCD5}\RP484\A0134339.exe -> Downloader.Alphabet.aa : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{2028BC3E-D2D8-4996-9628-1D52322EBCD5}\RP485\A0134808.exe -> Trojan.Agent.bqn : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{2028BC3E-D2D8-4996-9628-1D52322EBCD5}\RP485\A0134378.vbs -> Trojan.Small : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{2028BC3E-D2D8-4996-9628-1D52322EBCD5}\RP504\A0136990.vbs -> Trojan.Small : Cleaned with backup (quarantined).
C:\qoobox\Quarantine\C\WINDOWS\UXVpbnRpbGVz\orpDvBlDv3pW.vbs.vir -> Trojan.Small : Cleaned with backup (quarantined).

::Report end

HJT Log .....

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:49:32 PM, on 10/19/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Cisco Systems\SSL VPN Client\agent.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Network ICE\BlackICE\blackd.exe
C:\Program Files\Syslogd\Syslogd_Service.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\CCM\CLICOMP\RemCtrl\Wuser32.exe
C:\WINDOWS\System32\CCM\CcmExec.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\msiexec.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Compaq\EAB\EABSERVR.EXE
C:\Program Files\Compaq\Hotkey Software\hkss.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S0EIC1.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Documents and Settings\jennie\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://login.yahoo.com/config/mail?.intl=us
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://intranet/apps/intranet/Intran...+Main?ReadForm
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\Compaq\EAB\EABSERVR.EXE /Start
O4 - HKLM\..\Run: [hkss] C:\Program Files\Compaq\Hotkey Software\hkss.exe
O4 - HKLM\..\Run: [OSSelectorReinstall] C:\Program Files\Common Files\Acronis\Acronis Disk Director\oss_reinstall.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [EPSON Stylus Photo 820 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S0EIC1.EXE /P29 "EPSON Stylus Photo 820 Series" /O6 "USB001" /M "Stylus Photo 820"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [LightScribe Control Panel] C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - .DEFAULT User Startup: NetGM.lnk = C:\Program Files\AT&T Global Network Client\NetGM.exe (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab
O16 - DPF: {4CC35DAD-40EA-4640-ACC2-A1A3B6FB3E06} (NeoterisSetup Control) - https://neo.tiffany.com/dana-cached/...terisSetup.cab
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetup Control) - https://neo.tiffany.com/dana-cached/...niperSetup.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = homenet.net
O17 - HKLM\Software\..\Telephony: DomainName = homenet.net
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = homenet.net
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = homenet.net
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: BlackICE - Internet Security Systems, Inc. - C:\Program Files\Network ICE\BlackICE\blackd.exe
O23 - Service: Kiwi Syslog Daemon - Kiwi Enterprises - C:\Program Files\Syslogd\Syslogd_Service.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Unknown owner - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe (file missing)
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: RapApp - Internet Security Systems, Inc. - C:\Program Files\Network ICE\BlackICE\RapApp.exe
O23 - Service: Cisco Systems, Inc. STC Agent (STCAgent) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\SSL VPN Client\agent.exe

--
End of file - 7009 bytes

Jeeze ...that McAfee is stubborn huh? Does it matter which user profile I run these scans from? All 3 account are local admins.

Thanks
-Nick

**km2357** · 2007-10-21, 01:10

Step # 1 Update Adobe Acrobat Reader

There is a newer version of Adobe Acrobat Reader available. (See Note below)

First, go to Add/Remove Programs and uninstall all previous versions.
Please go to this link Adobe Acrobat Reader Download Link
On the right Untick Adobe Phototshop Album Starter Edition if you do not wish to include this in the installation.
Click the Continue button
Click Run, and click Run again
Next click the Install Now button and follow the on screen prompts

Note: Adobe 8 is a large program and if you prefer a smaller program you can get Foxit 2.0 instead from http://www.foxitsoftware.com/pdf/rd_intro.php

Step # 2 Update Java

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.

Please follow these steps to remove older version Java components and update.

Updating Java:

Download the latest version of Java Runtime Environment (JRE) 6u3 .
Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications".
Click the "Download" button to the right.
Check the box that says: "Accept License Agreement".
The page will refresh.
Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
Close any programs you may have running - especially your web browser.
Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
Remove the following old versions of Java:
Java 2 Runtime Environment, SE v1.4.1_07

J2SE Runtime Environment 5.0 Update 2
Click the Remove or Change/Remove button.
Repeat as many times as necessary to remove each Java versions.
Reboot your computer once all Java components are removed.
From your desktop double-click on the download to install the newest version.

Step # 3: Delete bad services

Please open Notepad. Ensure that word wrap is turned off. Click on Format and make sure that there's a tick next to Word Wrap. If there's none, click on Word Wrap to tick it. Copy and paste the following in the code box into Notepad:

Code:

sc stop McAfeeFramework 
sc delete McAfeeFramework

Click on File > Save As....

In the File Name box, copy and paste in fix.bat
In the Save as type box, select All Files from the drop-down list.

Click Save.

Double click on fix.bat. A Command Prompt window will open and close quickly. That is normal.

Step # 4: Run CFScript

Please delete the version of ComboFix you have on your computer, I need you to download the latest version of ComboFix by sUBs here and save it to your Desktop.

Also delete the CFScript.txt from your Desktop, you will be creating and running a new one.

Then, please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:
Code:
```
Folder:: 

C:\Program Files\Network Associates\Common Framework
```
Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.
Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

Step # 5: Run HijackThis

Run HijackThis scans on all three accounts (ndamico, jennie and q014620) and post the logs.

Step # 6: Run Kaspersky Online Scan
Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

Click Accept

You will be promted to install an ActiveX component from Kaspersky,
Click Yes.

The program will launch and then begin downloading the latest definition files:
Once the files have been downloaded click on NEXT
Now click on Scan Settings
In the scan settings make sure that the following are selected:
- Scan using the following Anti-Virus database:
- Extended (if available otherwise Standard)
- Scan Options:
- Scan Archives Scan Mail Bases
Click OK
Now under select a target to scan:
- Select My Computer
The program will start and scan your system.
The scan will take a while so be patient and let it run.
Once the scan is complete it will display if your system has been infected.
- Now click on the Save as Text button:
Once finished, save the log to your Desktop as filename KAV.txt

Step # 7 Post Logs

In your next post/reply, I'd like to see the following:

1. ComboFix Log (C:/Combofix.txt)
2. Kaspersky Log (KAV.txt)
3. The three Hijackthis Logs (from ndamico, jennie, and q014620 accounts)
4. How is your computer running?/Any problems?

If you can't fit all the logs into one post/reply, then use multiple posts/replies to get all the logs in.

**ndamico** · 2007-10-21, 17:20

NDAMICO HJT ....

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:16:40 AM, on 10/21/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Cisco Systems\SSL VPN Client\agent.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Network ICE\BlackICE\blackd.exe
C:\Program Files\Syslogd\Syslogd_Service.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\CCM\CLICOMP\RemCtrl\Wuser32.exe
C:\WINDOWS\System32\CCM\CcmExec.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Compaq\EAB\EABSERVR.EXE
C:\Program Files\Compaq\Hotkey Software\hkss.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S0EIC1.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Documents and Settings\ndamico\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://intranet/apps/intranet/Intran...+Main?ReadForm
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://intranet/apps/intranet/Intran...+Main?ReadForm
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\Compaq\EAB\EABSERVR.EXE /Start
O4 - HKLM\..\Run: [hkss] C:\Program Files\Compaq\Hotkey Software\hkss.exe
O4 - HKLM\..\Run: [OSSelectorReinstall] C:\Program Files\Common Files\Acronis\Acronis Disk Director\oss_reinstall.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [EPSON Stylus Photo 820 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S0EIC1.EXE /P29 "EPSON Stylus Photo 820 Series" /O6 "USB001" /M "Stylus Photo 820"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [LightScribe Control Panel] C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-21-137981764-1709787988-231145771-32528\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe (User '?')
O4 - HKUS\S-1-5-21-137981764-1709787988-231145771-32528\..\Run: [AbyssWebServer] C:\Program Files\Abyss Web Server\abyssws.exe (User '?')
O4 - HKUS\S-1-5-21-137981764-1709787988-231145771-32528\..\Run: [SolarWinds Toolbar] C:\Program Files\SolarWinds\2002 Professional Plus Edition\SolarWinds-Toolbar.exe (User '?')
O4 - HKUS\S-1-5-21-137981764-1709787988-231145771-32528\..\RunOnce: [NeroHomeFirstStart] C:\Program Files\Common Files\Ahead\Lib\NMFirstStart.exe (User '?')
O4 - HKUS\S-1-5-21-4096406472-1175672225-596777383-1009\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe (User '?')
O4 - HKUS\S-1-5-21-4096406472-1175672225-596777383-1009\..\RunOnce: [NeroHomeFirstStart] C:\Program Files\Common Files\Ahead\Lib\NMFirstStart.exe (User '?')
O4 - HKUS\S-1-5-21-4096406472-1175672225-596777383-1015\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'jennie')
O4 - S-1-5-21-137981764-1709787988-231145771-32528 Startup: NetGM.lnk = C:\Program Files\AT&T Global Network Client\NetGM.exe (User '?')
O4 - S-1-5-21-137981764-1709787988-231145771-32528 Startup: Sametime Connect.lnk = ? (User '?')
O4 - S-1-5-21-4096406472-1175672225-596777383-1009 Startup: NetGM.lnk = C:\Program Files\AT&T Global Network Client\NetGM.exe (User '?')
O4 - .DEFAULT User Startup: NetGM.lnk = C:\Program Files\AT&T Global Network Client\NetGM.exe (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab
O16 - DPF: {4CC35DAD-40EA-4640-ACC2-A1A3B6FB3E06} (NeoterisSetup Control) - https://neo.tiffany.com/dana-cached/...terisSetup.cab
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetup Control) - https://neo.tiffany.com/dana-cached/...niperSetup.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = homenet.net
O17 - HKLM\Software\..\Telephony: DomainName = homenet.net
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = homenet.net
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = homenet.net
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: BlackICE - Internet Security Systems, Inc. - C:\Program Files\Network ICE\BlackICE\blackd.exe
O23 - Service: Kiwi Syslog Daemon - Kiwi Enterprises - C:\Program Files\Syslogd\Syslogd_Service.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: RapApp - Internet Security Systems, Inc. - C:\Program Files\Network ICE\BlackICE\RapApp.exe
O23 - Service: Cisco Systems, Inc. STC Agent (STCAgent) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\SSL VPN Client\agent.exe
O24 - Desktop Component 0: (no name) - C:\Program Files\NetMeeting\profsyxym.html

--
End of file - 8839 bytes

**ndamico** · 2007-10-21, 17:24

HJT from Jennie

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:07:02 AM, on 10/21/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Cisco Systems\SSL VPN Client\agent.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Network ICE\BlackICE\blackd.exe
C:\Program Files\Syslogd\Syslogd_Service.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\CCM\CLICOMP\RemCtrl\Wuser32.exe
C:\WINDOWS\System32\CCM\CcmExec.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Compaq\EAB\EABSERVR.EXE
C:\Program Files\Compaq\Hotkey Software\hkss.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S0EIC1.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Opera\Opera.exe
C:\Documents and Settings\jennie\Desktop\HiJackThis.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://login.yahoo.com/config/mail?.intl=us
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://intranet/apps/intranet/Intran...+Main?ReadForm
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\Compaq\EAB\EABSERVR.EXE /Start
O4 - HKLM\..\Run: [hkss] C:\Program Files\Compaq\Hotkey Software\hkss.exe
O4 - HKLM\..\Run: [OSSelectorReinstall] C:\Program Files\Common Files\Acronis\Acronis Disk Director\oss_reinstall.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [EPSON Stylus Photo 820 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S0EIC1.EXE /P29 "EPSON Stylus Photo 820 Series" /O6 "USB001" /M "Stylus Photo 820"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [LightScribe Control Panel] C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-21-137981764-1709787988-231145771-32528\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe (User '?')
O4 - HKUS\S-1-5-21-137981764-1709787988-231145771-32528\..\Run: [AbyssWebServer] C:\Program Files\Abyss Web Server\abyssws.exe (User '?')
O4 - HKUS\S-1-5-21-137981764-1709787988-231145771-32528\..\Run: [SolarWinds Toolbar] C:\Program Files\SolarWinds\2002 Professional Plus Edition\SolarWinds-Toolbar.exe (User '?')
O4 - HKUS\S-1-5-21-137981764-1709787988-231145771-32528\..\RunOnce: [NeroHomeFirstStart] C:\Program Files\Common Files\Ahead\Lib\NMFirstStart.exe (User '?')
O4 - HKUS\S-1-5-21-4096406472-1175672225-596777383-1009\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe (User '?')
O4 - HKUS\S-1-5-21-4096406472-1175672225-596777383-1009\..\RunOnce: [NeroHomeFirstStart] C:\Program Files\Common Files\Ahead\Lib\NMFirstStart.exe (User '?')
O4 - S-1-5-21-137981764-1709787988-231145771-32528 Startup: NetGM.lnk = C:\Program Files\AT&T Global Network Client\NetGM.exe (User '?')
O4 - S-1-5-21-137981764-1709787988-231145771-32528 Startup: Sametime Connect.lnk = ? (User '?')
O4 - S-1-5-21-4096406472-1175672225-596777383-1009 Startup: NetGM.lnk = C:\Program Files\AT&T Global Network Client\NetGM.exe (User '?')
O4 - .DEFAULT User Startup: NetGM.lnk = C:\Program Files\AT&T Global Network Client\NetGM.exe (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab
O16 - DPF: {4CC35DAD-40EA-4640-ACC2-A1A3B6FB3E06} (NeoterisSetup Control) - https://neo.tiffany.com/dana-cached/...terisSetup.cab
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetup Control) - https://neo.tiffany.com/dana-cached/...niperSetup.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = homenet.net
O17 - HKLM\Software\..\Telephony: DomainName = homenet.net
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = homenet.net
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = homenet.net
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: BlackICE - Internet Security Systems, Inc. - C:\Program Files\Network ICE\BlackICE\blackd.exe
O23 - Service: Kiwi Syslog Daemon - Kiwi Enterprises - C:\Program Files\Syslogd\Syslogd_Service.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: RapApp - Internet Security Systems, Inc. - C:\Program Files\Network ICE\BlackICE\RapApp.exe
O23 - Service: Cisco Systems, Inc. STC Agent (STCAgent) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\SSL VPN Client\agent.exe

--
End of file - 8612 bytes

**ndamico** · 2007-10-21, 17:27

Combofix Log

ComboFix 07-10-20.6 - jennie 2007-10-20 22:09:44.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.147 [GMT -4:00]
Running from: C:\Documents and Settings\jennie\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\jennie\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\pac.txt

.
((((((((((((((((((((((((( Files Created from 2007-09-21 to 2007-10-21 )))))))))))))))))))))))))))))))
.

2007-10-19 21:54 <DIR> d-------- C:\Program Files\Opera
2007-10-19 19:05 <DIR> d-------- C:\Documents and Settings\jennie\Application Data\Grisoft
2007-10-19 19:05 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-10-19 19:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-10-14 02:13 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-10 02:07 584,192 --------- C:\WINDOWS\system32\dllcache\rpcrt4.dll
2007-10-07 22:40 <DIR> d-------- C:\Program Files\Alwil Software
2007-10-07 22:40 1,060,864 --a------ C:\WINDOWS\system32\MFC71.dll
2007-10-07 22:40 801,144 --a------ C:\WINDOWS\system32\aswBoot.exe
2007-10-07 22:40 95,608 --a------ C:\WINDOWS\system32\AvastSS.scr
2007-10-07 22:40 94,416 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2007-10-07 22:40 92,848 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2007-10-07 22:40 42,912 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2007-10-07 22:40 26,624 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2007-10-07 22:40 23,152 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2007-10-07 21:13 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2007-10-07 21:08 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2007-10-07 20:09 <DIR> d-------- C:\Program Files\MSXML 4.0
2007-10-07 19:58 128,896 --------- C:\WINDOWS\system32\dllcache\fltmgr.sys
2007-10-07 19:58 23,040 --------- C:\WINDOWS\system32\dllcache\fltmc.exe
2007-10-07 19:58 16,896 --------- C:\WINDOWS\system32\dllcache\fltlib.dll
2007-10-07 17:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-10-07 13:15 <DIR> d-------- C:\WINDOWS\provisioning
2007-10-07 13:15 <DIR> d-------- C:\WINDOWS\peernet
2007-10-07 13:08 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2007-10-07 12:14 <DIR> d-------- C:\WINDOWS\EHome
2007-10-06 16:41 11,776 --a------ C:\WINDOWS\system32\spnpinst.exe
2007-10-06 16:41 4,569 --a------ C:\WINDOWS\system32\secupd.dat
2007-10-06 16:41 4,569 --a------ C:\WINDOWS\system32\dllcache\secupd.dat
2007-10-06 15:48 1,082,368 --a------ C:\WINDOWS\system32\esent.dll
2007-10-06 15:28 351,232 --a------ C:\WINDOWS\system32\winhttp.dll
2007-10-06 15:28 18,944 --a------ C:\WINDOWS\system32\qmgrprxy.dll
2007-10-06 15:28 8,192 --a------ C:\WINDOWS\system32\bitsprx2.dll
2007-10-06 15:28 7,168 --a------ C:\WINDOWS\system32\bitsprx3.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-21 02:05 --------- d-----w C:\Program Files\Common Files\Adobe
2007-10-16 01:51 --------- d-----w C:\Program Files\QScreenSavers
2007-09-16 05:35 --------- d-----w C:\Documents and Settings\ndamico\Application Data\Media Player Classic
2007-09-16 05:35 --------- d-----w C:\Documents and Settings\ndamico\Application Data\DivX
2007-09-15 16:54 --------- d-----w C:\Program Files\epson
2007-09-10 18:56 --------- d-----w C:\Documents and Settings\jennie\Application Data\Media Player Classic
2007-09-10 18:54 --------- d-----w C:\Program Files\K-Lite Codec Pack
2007-09-10 18:51 --------- d-----w C:\Documents and Settings\jennie\Application Data\InterVideo
2007-08-30 17:11 19,288 ----a-w C:\Documents and Settings\jennie\Application Data\GDIPFONTCACHEV1.DAT
2007-08-29 15:40 --------- d-----w C:\Documents and Settings\jennie\Application Data\EPSON
2007-08-28 03:28 --------- d-----w C:\Documents and Settings\ndamico\Application Data\CyberLink
2007-08-28 03:28 --------- d-----w C:\Documents and Settings\All Users\Application Data\CyberLink
2007-08-28 03:21 --------- d-----w C:\Program Files\Common Files\Ahead
2007-08-28 03:20 --------- d-----w C:\Documents and Settings\ndamico\Application Data\Ahead
2007-08-28 03:17 --------- d-----w C:\Program Files\Nero
2007-08-28 03:17 --------- d-----w C:\Documents and Settings\All Users\Application Data\Nero
2007-08-28 03:13 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-08-28 03:12 --------- d-----w C:\Program Files\CyberLink
2007-08-28 03:05 --------- d-----w C:\Program Files\QuickPlace
2007-08-27 20:22 --------- d-----w C:\Documents and Settings\jennie\Application Data\AdobeUM
2007-08-27 05:42 --------- d-----w C:\Documents and Settings\jennie\Application Data\Sonic
2007-08-27 04:53 --------- d-----w C:\Documents and Settings\LocalService\Application Data\VMware
2007-08-27 04:53 --------- d-----w C:\Documents and Settings\LocalService\Application Data\VMware
2007-08-27 04:53 --------- d-----w C:\Documents and Settings\LocalService\Application Data\VMware
2007-08-27 04:53 --------- d-----w C:\Documents and Settings\All Users\Application Data\VMware
2007-08-27 04:43 --------- d-----w C:\Documents and Settings\All Users\Application Data\LightScribe
2007-08-27 04:35 --------- d-----w C:\Program Files\Common Files\Funk Software
2007-08-27 04:34 --------- d-----w C:\Program Files\Whale Communications
2007-08-27 04:34 --------- d-----w C:\Documents and Settings\ndamico\Application Data\Vodafone Mobile Connect
2007-08-27 04:32 --------- d-----w C:\Program Files\HP OpenView
2007-08-27 04:29 --------- d-----w C:\Program Files\Cisco Systems
2007-08-27 03:29 --------- d-----w C:\Program Files\Common Files\LightScribe
2007-08-26 03:59 --------- d-----w C:\Documents and Settings\ndamico\Application Data\Sonic
2007-08-26 03:59 --------- d-----w C:\Documents and Settings\ndamico\Application Data\CiscoCAA
2007-08-22 13:12 96,256 ------w C:\WINDOWS\system32\dllcache\inseng.dll
2007-08-22 13:12 658,944 ------w C:\WINDOWS\system32\dllcache\wininet.dll
2007-08-22 13:12 615,424 ------w C:\WINDOWS\system32\dllcache\urlmon.dll
2007-08-22 13:12 55,808 ------w C:\WINDOWS\system32\dllcache\extmgr.dll
2007-08-22 13:12 532,480 ------w C:\WINDOWS\system32\dllcache\mstime.dll
2007-08-22 13:12 474,112 ------w C:\WINDOWS\system32\dllcache\shlwapi.dll
2007-08-22 13:12 449,024 ------w C:\WINDOWS\system32\dllcache\mshtmled.dll
2007-08-22 13:12 39,424 ------w C:\WINDOWS\system32\dllcache\pngfilt.dll
2007-08-22 13:12 357,888 ------w C:\WINDOWS\system32\dllcache\dxtmsft.dll
2007-08-22 13:12 3,058,176 ------w C:\WINDOWS\system32\dllcache\mshtml.dll
2007-08-22 13:12 251,392 ------w C:\WINDOWS\system32\dllcache\iepeers.dll
2007-08-22 13:12 205,312 ------w C:\WINDOWS\system32\dllcache\dxtrans.dll
2007-08-22 13:12 16,384 ------w C:\WINDOWS\system32\dllcache\jsproxy.dll
2007-08-22 13:12 151,040 ------w C:\WINDOWS\system32\dllcache\cdfview.dll
2007-08-22 13:12 146,432 ------w C:\WINDOWS\system32\dllcache\msrating.dll
2007-08-22 13:12 1,494,528 ------w C:\WINDOWS\system32\dllcache\shdocvw.dll
2007-08-22 13:12 1,054,208 ----a-w C:\WINDOWS\system32\dllcache\danim.dll
2007-08-22 13:12 1,022,976 ------w C:\WINDOWS\system32\dllcache\browseui.dll
2007-08-21 10:30 18,432 ------w C:\WINDOWS\system32\dllcache\iedw.exe
2007-08-21 06:15 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-08-21 06:15 683,520 ------w C:\WINDOWS\system32\dllcache\inetcomm.dll
2007-07-30 23:19 92,504 ----a-w C:\WINDOWS\system32\dllcache\cdm.dll
2007-07-30 23:19 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-07-30 23:19 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-07-30 23:19 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-07-30 23:19 53,080 ----a-w C:\WINDOWS\system32\dllcache\wuauclt.exe
2007-07-30 23:19 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
2007-07-30 23:19 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-07-30 23:19 25,944 ----a-w C:\WINDOWS\system32\wuauserv.dll
2007-07-30 23:19 25,944 ----a-w C:\WINDOWS\system32\dllcache\wuauserv.dll
2007-07-30 23:19 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-07-30 23:19 1,712,984 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-07-30 23:19 1,712,984 ----a-w C:\WINDOWS\system32\dllcache\wuaueng.dll
2007-07-30 23:18 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-07-29 21:51 7,680 ----a-w C:\WINDOWS\system32\ff_vfw.dll
2007-07-25 19:24 1,559,040 ----a-w C:\WINDOWS\system32\xvidcore.dll
2006-04-05 19:30 32,768 ----a-w C:\Documents and Settings\q014602\WebVpnRegKey4-12-110-197-17.dll
2005-10-07 16:29 739 ----a-w C:\Documents and Settings\q014602\SDM-2.2-2821-c2800nm-advsecurityk9-mz.123-8.T7.bin
2005-10-07 14:38 776 ----a-w C:\Documents and Settings\q014602\SDM-2.2-2811-c2800nm-advsecurityk9-mz.123-8.T6.bin
2005-02-09 21:39 18,776 ----a-w C:\Documents and Settings\q014602\Application Data\GDIPFONTCACHEV1.DAT
2005-01-26 09:32 1,145 ----a-w C:\Program Files\INSTALL.LOG
.

((((((((((((((((((((((((((((( snapshot@2007-10-14_22.40.31.80 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-09-28 13:06:08 135,168 ----a-w C:\WINDOWS\catchme.exe
+ 2007-10-20 10:03:30 136,192 ----a-w C:\WINDOWS\catchme.exe
+ 2007-10-21 02:07:08 295,606 ----a-r C:\WINDOWS\Installer\{AC76BA86-7AD7-1033-7B44-A81000000003}\SC_Reader.exe
+ 2007-06-11 20:34:34 2,115,816 ----a-w C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll
+ 2007-06-11 20:34:40 190,696 ----a-w C:\WINDOWS\system32\Macromed\Flash\NPSWF32_FlashUtil.exe
+ 2007-10-20 02:06:37 45,218 ----a-w C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
- 2007-09-28 05:19:39 18,089,592 ----a-w C:\WINDOWS\system32\MRT.exe
+ 2007-09-28 02:19:40 18,089,592 ----a-w C:\WINDOWS\system32\MRT.exe
+ 2007-10-20 01:45:25 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_16c.dat
+ 2006-06-05 18:14:28 479,232 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.163_x-ww_681e29fb\msvcm80.dll
+ 2006-06-05 18:14:28 548,864 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.163_x-ww_681e29fb\msvcp80.dll
+ 2006-06-05 18:14:28 626,688 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.163_x-ww_681e29fb\msvcr80.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"eabconfg.cpl"="C:\Program Files\Compaq\EAB\EABSERVR.exe" [2002-11-12 12:39]
"hkss"="C:\Program Files\Compaq\Hotkey Software\hkss.exe" [2002-09-19 15:30]
"OSSelectorReinstall"="C:\Program Files\Common Files\Acronis\Acronis Disk Director\oss_reinstall.exe" [2006-04-12 20:33]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2006-11-23 15:10]
"LanguageShortcut"="C:\Program Files\CyberLink\PowerDVD\Language\Language.exe" [2006-12-05 22:55]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 15:40]
"EPSON Stylus Photo 820 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S0EIC1.exe" [2002-04-10 03:00]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-09-06 06:06]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 05:25]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56]
"LightScribe Control Panel"="C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe" [2007-07-18 17:55]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-12-23 18:05]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 16:46]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"disablecad"=1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"VMware NAT Service"=2 (0x2)
"VMnetDHCP"=2 (0x2)
"VMAuthdService"=2 (0x2)

R0 snapman;Acronis Snapshots Manager;C:\WINDOWS\system32\DRIVERS\snapman.sys
R2 CcmExec;SMS Agent Host;C:\WINDOWS\System32\CCM\CcmExec.exe
R2 Kiwi Syslog Daemon;Kiwi Syslog Daemon;C:\Program Files\Syslogd\Syslogd_Service.exe
R2 Sniffer;SNIFFER Protocol Driver;C:\WINDOWS\system32\DRIVERS\sniffer.sys
R2 Wuser32;SMS Remote Control Agent;C:\WINDOWS\System32\CCM\CLICOMP\RemCtrl\Wuser32.exe
R3 idisw2km;idisw2km;C:\WINDOWS\system32\DRIVERS\idisw2km.sys
R3 kbstuff;SMS Virtual Keyboard;C:\WINDOWS\system32\DRIVERS\kbstuff5.sys
S3 CSVirtA;Cisco Systems SSL VPN Adapter;C:\WINDOWS\system32\DRIVERS\CSVirtA.sys
S3 ess;ESS Audio Driver (WDM);C:\WINDOWS\system32\drivers\ess.sys
S3 G3GRUMDM;G3G R USB Modem;C:\WINDOWS\system32\DRIVERS\g3grumdm.sys
S3 G3GRUSER;G3G R USB Serial;C:\WINDOWS\system32\DRIVERS\g3gruser.sys
S3 PCX500;Cisco Wireless LAN Adapters Driver;C:\WINDOWS\system32\DRIVERS\pcx500.sys
S3 prepdrvr;SMS Process Event Driver;\??\C:\WINDOWS\System32\CCM\prepdrv.sys
S3 RapDrv;RapDrv;\??\C:\WINDOWS\System32\drivers\RapDrv.sys
S3 RapFile;RapFile;\??\C:\WINDOWS\System32\drivers\RapFile.sys
S3 RapNet;RapNet;\??\C:\WINDOWS\System32\drivers\RapNet.sys
S4 whlva;Whale Network Connector;C:\WINDOWS\system32\DRIVERS\whlva.sys

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"C:\Program Files\Common Files\LightScribe\LSRunOnce.exe"
.
**************************************************************************

catchme 0.3.1232 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-20 22:12:13
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-10-20 22:13:46
C:\ComboFix2.txt ... 2007-10-18 22:42
C:\ComboFix3.txt ... 2007-10-15 20:15
.
--- E O F ---

**ndamico** · 2007-10-21, 17:28

Kaspersky Log ....

Sunday, October 21, 2007 11:01:11 AM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 21/10/2007
Kaspersky Anti-Virus database records: 441833

Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true

Scan Target My Computer
C:\
D:\
E:\

Scan Statistics
Total number of scanned objects 54394
Number of viruses found 13
Number of infected objects 28
Number of suspicious objects 2
Duration of the scan process 01:11:47

Infected Object Name Virus Name Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\511a0f3f9e960fa97de3d0b74adfc574_b90a4e93-0029-4437-aa54-7f1c5be78f07 Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\d4d7f8444b2b10d43e5f58db06be5ea5_b90a4e93-0029-4437-aa54-7f1c5be78f07 Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\user.dmp Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde1.zip/avp.exe Suspicious: Password-protected-EXE skipped

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde1.zip ZIP: suspicious - 1 skipped

C:\Documents and Settings\jennie\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\jennie\Local Settings\Application Data\Ahead\Nero Home\is2.db Object is locked skipped

C:\Documents and Settings\jennie\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\jennie\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\jennie\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\jennie\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\jennie\ntuser.dat Object is locked skipped

C:\Documents and Settings\jennie\NTUSER.DAT.LOG Object is locked skipped

C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\q014602\Desktop\SDM_New\SDM Stuff\Installs\Angry IP Scanner\ipscan.exe Infected: not-a-virus:NetTool.Win32.Portscan.c skipped

C:\Documents and Settings\q014602\My Documents\Installs\SolarWindsProfessionalPlus.v5.2.ENG\Source\SolarWinds-Licensed\SolarWinds2002-PP-Release.exe/WISE0220.BIN Infected: not-a-virus:Server-FTP.Win32.Tftp.500 skipped

C:\Documents and Settings\q014602\My Documents\Installs\SolarWindsProfessionalPlus.v5.2.ENG\Source\SolarWinds-Licensed\SolarWinds2002-PP-Release.exe WiseSFX: infected - 1 skipped

C:\Program Files\Alwil Software\Avast4\DATA\aswResp.dat Object is locked skipped

C:\Program Files\Alwil Software\Avast4\DATA\Avast4.db Object is locked skipped

C:\Program Files\Alwil Software\Avast4\DATA\log\AshWebSv.ws Object is locked skipped

C:\Program Files\Alwil Software\Avast4\DATA\log\aswMaiSv.log Object is locked skipped

C:\Program Files\Alwil Software\Avast4\DATA\log\nshield.log Object is locked skipped

C:\Program Files\Alwil Software\Avast4\DATA\report\Resident protection.txt Object is locked skipped

C:\Program Files\Network ICE\BlackICE\blackice-service.log Object is locked skipped

C:\Program Files\Outlook Express\msimn.exe Object is locked skipped

C:\Program Files\SolarWinds\2002 Professional Plus Edition\TFTP-Server.exe Infected: not-a-virus:Server-FTP.Win32.Tftp.500 skipped

C:\qoobox\Quarantine\C\WINDOWS\system32\bc1\bsasven2.exe.vir/stream/data0002 Infected: not-a-virus:Downloader.Win32.Agent.q skipped

C:\qoobox\Quarantine\C\WINDOWS\system32\bc1\bsasven2.exe.vir/stream/data0003 Infected: not-a-virus:AdWare.Win32.AdBand.a skipped

C:\qoobox\Quarantine\C\WINDOWS\system32\bc1\bsasven2.exe.vir/stream Infected: not-a-virus:AdWare.Win32.AdBand.a skipped

C:\qoobox\Quarantine\C\WINDOWS\system32\bc1\bsasven2.exe.vir NSIS: infected - 3 skipped

C:\qoobox\Quarantine\C\WINDOWS\system32\kmjypnsl.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.acf skipped

C:\qoobox\Quarantine\C\WINDOWS\system32\mbdtygvm.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.acf skipped

C:\qoobox\Quarantine\C\WINDOWS\system32\ppahofsl.dll.vir Infected: Trojan.Win32.Pakes.sc skipped

C:\qoobox\Quarantine\C\WINDOWS\system32\vMW02a\vMW02a1065.exe.vir Infected: Trojan-Downloader.Win32.VB.bkw skipped

C:\qoobox\Quarantine\C\WINDOWS\tsitra572.exe.vir Infected: Trojan-Downloader.Win32.Agent.dve skipped

C:\System Volume Information\_restore{2028BC3E-D2D8-4996-9628-1D52322EBCD5}\RP485\A0134391.dll Infected: Backdoor.Win32.Hupigon.qcs skipped

C:\System Volume Information\_restore{2028BC3E-D2D8-4996-9628-1D52322EBCD5}\RP492\A0136062.dll Infected: Trojan.Win32.Pakes.sc skipped

C:\System Volume Information\_restore{2028BC3E-D2D8-4996-9628-1D52322EBCD5}\RP495\A0136282.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ace skipped

C:\System Volume Information\_restore{2028BC3E-D2D8-4996-9628-1D52322EBCD5}\RP495\A0136283.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ace skipped

C:\System Volume Information\_restore{2028BC3E-D2D8-4996-9628-1D52322EBCD5}\RP496\A0136361.exe Infected: Trojan-Downloader.Win32.Agent.dve skipped

C:\System Volume Information\_restore{2028BC3E-D2D8-4996-9628-1D52322EBCD5}\RP496\A0136364.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.acf skipped

C:\System Volume Information\_restore{2028BC3E-D2D8-4996-9628-1D52322EBCD5}\RP496\A0136365.dll Infected: Trojan.Win32.Pakes.sc skipped

C:\System Volume Information\_restore{2028BC3E-D2D8-4996-9628-1D52322EBCD5}\RP501\A0136783.exe/data0002 Infected: not-a-virus:AdWare.Win32.TTC.a skipped

C:\System Volume Information\_restore{2028BC3E-D2D8-4996-9628-1D52322EBCD5}\RP501\A0136783.exe NSIS: infected - 1 skipped

C:\System Volume Information\_restore{2028BC3E-D2D8-4996-9628-1D52322EBCD5}\RP504\A0136914.exe Infected: Email-Worm.Win32.Zhelatin.kb skipped

C:\System Volume Information\_restore{2028BC3E-D2D8-4996-9628-1D52322EBCD5}\RP504\A0136915.exe/stream/data0002 Infected: not-a-virus:Downloader.Win32.Agent.q skipped

C:\System Volume Information\_restore{2028BC3E-D2D8-4996-9628-1D52322EBCD5}\RP504\A0136915.exe/stream/data0003 Infected: not-a-virus:AdWare.Win32.AdBand.a skipped

C:\System Volume Information\_restore{2028BC3E-D2D8-4996-9628-1D52322EBCD5}\RP504\A0136915.exe/stream Infected: not-a-virus:AdWare.Win32.AdBand.a skipped

C:\System Volume Information\_restore{2028BC3E-D2D8-4996-9628-1D52322EBCD5}\RP504\A0136915.exe NSIS: infected - 3 skipped

C:\System Volume Information\_restore{2028BC3E-D2D8-4996-9628-1D52322EBCD5}\RP504\A0136989.exe Infected: Trojan-Downloader.Win32.VB.bkw skipped

C:\System Volume Information\_restore{2028BC3E-D2D8-4996-9628-1D52322EBCD5}\RP511\change.log Object is locked skipped

C:\WINDOWS\$NtUninstallKB828741$\catsrv.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB828741$\catsrvut.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB828741$\clbcatex.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB828741$\clbcatq.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB828741$\colbact.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB828741$\comadmin.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB828741$\comrepl.exe Object is locked skipped

C:\WINDOWS\$NtUninstallKB828741$\comsvcs.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB828741$\comuid.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB828741$\es.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB828741$\migregdb.exe Object is locked skipped

C:\WINDOWS\$NtUninstallKB828741$\msdtcprx.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB828741$\msdtctm.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB828741$\msdtcuiu.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB828741$\mtxclu.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB828741$\mtxoci.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB828741$\ole32.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB828741$\rpcrt4.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB828741$\rpcss.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB828741$\txflog.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB835732$\callcont.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB835732$\cmdevtgprov.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB835732$\evtgprov.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB835732$\gdi32.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB835732$\h323.tsp Object is locked skipped

C:\WINDOWS\$NtUninstallKB835732$\h323msp.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB835732$\helpctr.exe Object is locked skipped

C:\WINDOWS\$NtUninstallKB835732$\ipnathlp.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB835732$\lsasrv.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB835732$\mf3216.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB835732$\msasn1.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB835732$\msgina.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB835732$\mst120.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB835732$\netapi32.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB835732$\nmcom.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB835732$\rtcdll.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB835732$\schannel.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB837001$\dao360.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB837001$\expsrv.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB837001$\msexch40.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB837001$\msexcl40.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB837001$\msjet40.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB837001$\msjetol1.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB837001$\msjetoledb40.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB837001$\msjint40.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB837001$\msjter40.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB837001$\msjtes40.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB837001$\msltus40.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB837001$\mspbde40.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB837001$\msrd2x40.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB837001$\msrd3x40.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB837001$\msrepl40.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB837001$\mstext40.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB837001$\mswdat10.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB837001$\mswstr10.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB837001$\msxbde40.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB837001$\vbajet32.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB839645$\fldrclnr.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB839645$\shell32.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB839645$\shlwapi.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB839645$\sxs.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB839645$\xpsp2res.dll Object is locked skipped

C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped

C:\WINDOWS\SchedLgU.Txt Object is locked skipped

C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped

C:\WINDOWS\Sti_Trace.log Object is locked skipped

C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped

C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped

C:\WINDOWS\system32\CCM\Logs\CcmExec.log Object is locked skipped

C:\WINDOWS\system32\CCM\Logs\ClientIDManagerStartup.log Object is locked skipped

C:\WINDOWS\system32\CCM\Logs\execmgr.log Object is locked skipped

C:\WINDOWS\system32\CCM\Logs\LocationServices.log Object is locked skipped

C:\WINDOWS\system32\CCM\Logs\mtrmgr.log Object is locked skipped

C:\WINDOWS\system32\CCM\Logs\PatchUIMonitor.log Object is locked skipped

C:\WINDOWS\system32\CCM\Logs\PolicyAgent.log Object is locked skipped

C:\WINDOWS\system32\CCM\Logs\PolicyAgentProvider.log Object is locked skipped

C:\WINDOWS\system32\CCM\Logs\PolicyEvaluator.log Object is locked skipped

C:\WINDOWS\system32\CCM\Logs\Scheduler.log Object is locked skipped

**ndamico** · 2007-10-21, 17:29

C:\WINDOWS\system32\CCM\Logs\SrcUpdateMgr.log Object is locked skipped

C:\WINDOWS\system32\CCM\Logs\StatusAgent.log Object is locked skipped

C:\WINDOWS\system32\CCM\ServiceData\Messaging\EndpointQueues\CertificateMaintenanceEndpoint\0000002L.msg Object is locked skipped

C:\WINDOWS\system32\CCM\ServiceData\Messaging\EndpointQueues\CertificateMaintenanceEndpoint\0000002L.que Object is locked skipped

C:\WINDOWS\system32\CCM\ServiceData\Messaging\EndpointQueues\CTMDTSReply\0000000J.msg Object is locked skipped

C:\WINDOWS\system32\CCM\ServiceData\Messaging\EndpointQueues\CTMDTSReply\0000000J.que Object is locked skipped

C:\WINDOWS\system32\CCM\ServiceData\Messaging\EndpointQueues\execmgr\00000007.msg Object is locked skipped

C:\WINDOWS\system32\CCM\ServiceData\Messaging\EndpointQueues\execmgr\00000007.que Object is locked skipped

C:\WINDOWS\system32\CCM\ServiceData\Messaging\EndpointQueues\InventoryAgent\00000005.msg Object is locked skipped

C:\WINDOWS\system32\CCM\ServiceData\Messaging\EndpointQueues\InventoryAgent\00000005.que Object is locked skipped

C:\WINDOWS\system32\CCM\ServiceData\Messaging\EndpointQueues\LS_ReplyLocations\0000002M.msg Object is locked skipped

C:\WINDOWS\system32\CCM\ServiceData\Messaging\EndpointQueues\LS_ReplyLocations\0000002M.que Object is locked skipped

C:\WINDOWS\system32\CCM\ServiceData\Messaging\EndpointQueues\LS_ScheduledCleanup\0000001P.msg Object is locked skipped

C:\WINDOWS\system32\CCM\ServiceData\Messaging\EndpointQueues\LS_ScheduledCleanup\0000001P.que Object is locked skipped

C:\WINDOWS\system32\CCM\ServiceData\Messaging\EndpointQueues\MtrMgr\00000001.msg Object is locked skipped

C:\WINDOWS\system32\CCM\ServiceData\Messaging\EndpointQueues\MtrMgr\00000001.que Object is locked skipped

C:\WINDOWS\system32\CCM\ServiceData\Messaging\EndpointQueues\PatchUIMonitor\00000001.msg Object is locked skipped

C:\WINDOWS\system32\CCM\ServiceData\Messaging\EndpointQueues\PatchUIMonitor\00000001.que Object is locked skipped

C:\WINDOWS\system32\CCM\ServiceData\Messaging\EndpointQueues\PolicyAgent_Cleanup\00000007.msg Object is locked skipped

C:\WINDOWS\system32\CCM\ServiceData\Messaging\EndpointQueues\PolicyAgent_Cleanup\00000007.que Object is locked skipped

C:\WINDOWS\system32\CCM\ServiceData\Messaging\EndpointQueues\PolicyAgent_PolicyDownload\00000003.msg Object is locked skipped

C:\WINDOWS\system32\CCM\ServiceData\Messaging\EndpointQueues\PolicyAgent_PolicyDownload\00000003.que Object is locked skipped

C:\WINDOWS\system32\CCM\ServiceData\Messaging\EndpointQueues\PolicyAgent_PolicyEvaluator\0000019A.msg Object is locked skipped

C:\WINDOWS\system32\CCM\ServiceData\Messaging\EndpointQueues\PolicyAgent_PolicyEvaluator\0000019A.que Object is locked skipped

C:\WINDOWS\system32\CCM\ServiceData\Messaging\EndpointQueues\PolicyAgent_ReplyAssignments\0000000M.msg Object is locked skipped

C:\WINDOWS\system32\CCM\ServiceData\Messaging\EndpointQueues\PolicyAgent_ReplyAssignments\0000000M.que Object is locked skipped

C:\WINDOWS\system32\CCM\ServiceData\Messaging\EndpointQueues\PolicyAgent_RequestAssignments\000000EG.msg Object is locked skipped

C:\WINDOWS\system32\CCM\ServiceData\Messaging\EndpointQueues\PolicyAgent_RequestAssignments\000000EG.que Object is locked skipped

C:\WINDOWS\system32\CCM\ServiceData\Messaging\EndpointQueues\PolicyAgent_ReRequestPolicy\00000001.msg Object is locked skipped

C:\WINDOWS\system32\CCM\ServiceData\Messaging\EndpointQueues\PolicyAgent_ReRequestPolicy\00000001.que Object is locked skipped

C:\WINDOWS\system32\CCM\ServiceData\Messaging\EndpointQueues\RemoteToolsAgent\00000001.msg Object is locked skipped

C:\WINDOWS\system32\CCM\ServiceData\Messaging\EndpointQueues\RemoteToolsAgent\00000001.que Object is locked skipped

C:\WINDOWS\system32\CCM\ServiceData\Messaging\EndpointQueues\SrcUpdateMgr\00000001.msg Object is locked skipped

C:\WINDOWS\system32\CCM\ServiceData\Messaging\EndpointQueues\SrcUpdateMgr\00000001.que Object is locked skipped

C:\WINDOWS\system32\CCM\ServiceData\Messaging\EndpointQueues\SWMTRReportGen\00000001.msg Object is locked skipped

C:\WINDOWS\system32\CCM\ServiceData\Messaging\EndpointQueues\SWMTRReportGen\00000001.que Object is locked skipped

C:\WINDOWS\system32\CCM\ServiceData\Messaging\EndpointQueues\UploadProtocol\00000001.msg Object is locked skipped

C:\WINDOWS\system32\CCM\ServiceData\Messaging\EndpointQueues\UploadProtocol\00000001.que Object is locked skipped

C:\WINDOWS\system32\CCM\ServiceData\Messaging\OutgoingQueues\amp_[http]mp_locationmanager\00000014.msg Object is locked skipped

C:\WINDOWS\system32\CCM\ServiceData\Messaging\OutgoingQueues\amp_[http]mp_locationmanager\00000014.que Object is locked skipped

C:\WINDOWS\system32\CCM\ServiceData\Messaging\OutgoingQueues\direct_iparssmsipa_uploadprotocol\00000001.msg Object is locked skipped

C:\WINDOWS\system32\CCM\ServiceData\Messaging\OutgoingQueues\direct_iparssmsipa_uploadprotocol\00000001.que Object is locked skipped

C:\WINDOWS\system32\CCM\ServiceData\Messaging\OutgoingQueues\direct_qrtpssmsrtp_uploadprotocol\00000001.msg Object is locked skipped

C:\WINDOWS\system32\CCM\ServiceData\Messaging\OutgoingQueues\direct_qrtpssmsrtp_uploadprotocol\00000001.que Object is locked skipped

C:\WINDOWS\system32\CCM\ServiceData\Messaging\OutgoingQueues\mp_mp_ddrendpoint\00000003.msg Object is locked skipped

C:\WINDOWS\system32\CCM\ServiceData\Messaging\OutgoingQueues\mp_mp_ddrendpoint\00000003.que Object is locked skipped

C:\WINDOWS\system32\CCM\ServiceData\Messaging\OutgoingQueues\mp_mp_hinvendpoint\00000001.msg Object is locked skipped

C:\WINDOWS\system32\CCM\ServiceData\Messaging\OutgoingQueues\mp_mp_hinvendpoint\00000001.que Object is locked skipped

C:\WINDOWS\system32\CCM\ServiceData\Messaging\OutgoingQueues\mp_mp_relayendpoint\00000001.msg Object is locked skipped

C:\WINDOWS\system32\CCM\ServiceData\Messaging\OutgoingQueues\mp_mp_relayendpoint\00000001.que Object is locked skipped

C:\WINDOWS\system32\CCM\ServiceData\Messaging\OutgoingQueues\mp_mp_sinvendpoint\00000001.msg Object is locked skipped

C:\WINDOWS\system32\CCM\ServiceData\Messaging\OutgoingQueues\mp_mp_sinvendpoint\00000001.que Object is locked skipped

C:\WINDOWS\system32\CCM\ServiceData\Messaging\OutgoingQueues\mp_statusreceiver\0000000A.msg Object is locked skipped

C:\WINDOWS\system32\CCM\ServiceData\Messaging\OutgoingQueues\mp_statusreceiver\0000000A.que Object is locked skipped

C:\WINDOWS\system32\CCM\ServiceData\Messaging\OutgoingQueues\mp_[http]mp_locationmanager\0000008L.msg Object is locked skipped

C:\WINDOWS\system32\CCM\ServiceData\Messaging\OutgoingQueues\mp_[http]mp_locationmanager\0000008L.que Object is locked skipped

C:\WINDOWS\system32\CCM\ServiceData\Messaging\OutgoingQueues\mp_[http]mp_policymanager\000000E7.msg Object is locked skipped

C:\WINDOWS\system32\CCM\ServiceData\Messaging\OutgoingQueues\mp_[http]mp_policymanager\000000E7.que Object is locked skipped

C:\WINDOWS\system32\config\Antivirus.Evt Object is locked skipped

C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\DEFAULT Object is locked skipped

C:\WINDOWS\system32\config\default.LOG Object is locked skipped

C:\WINDOWS\system32\config\SAM Object is locked skipped

C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped

C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\SECURITY Object is locked skipped

C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped

C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped

C:\WINDOWS\system32\config\software.LOG Object is locked skipped

C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\SYSTEM Object is locked skipped

C:\WINDOWS\system32\config\system.LOG Object is locked skipped

C:\WINDOWS\system32\h323log.txt Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped

C:\WINDOWS\Temp\Perflib_Perfdata_14c.dat Object is locked skipped

C:\WINDOWS\Temp\_avast4_\Webshlock.txt Object is locked skipped

C:\WINDOWS\Temp\~DF4EED.tmp Object is locked skipped

C:\WINDOWS\wiadebug.log Object is locked skipped

C:\WINDOWS\wiaservc.log Object is locked skipped

C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.

**ndamico** · 2007-10-21, 17:35

The PC Seems to be ok. Better than it was when I first posted. Alot better!

The 3rd user account (q014620) I deleted but the directory is still there so I can access the old files.

I installed Opera last night. I'm going to give that browser a shot.

Should I still keep AVG-Antispyware on my machine although it expires???

**km2357** · 2007-10-23, 09:39

Should I still keep AVG-Antispyware on my machine although it expires???

I would keep AVG AntiSpyware on your machine and scan your computer with it at least once a week. When it expires, you will be unable get updates automatically, you will have to update AVG AS manually.

Do you know anything about the following programs?

C:\Documents and Settings\q014602\Desktop\SDM_New\SDM Stuff\Installs\Angry IP Scanner\ipscan.exe

C:\Documents and Settings\q014602\My Documents\Installs\SolarWindsProfessionalPlus.v5.2.ENG\Source\SolarWinds-Licensed\SolarWinds2002-PP-Release.exe

C:\Program Files\SolarWinds\2002 Professional Plus Edition\TFTP-Server.exe

The first one is a portscanner and the last two are part of Solarwinds Network administration tools. Do you need either program?

Also did you configure your computer so you do not need to press Ctrl+Alt+Del to get the log on screen?

Log onto the ndamico account and follow the steps below:

Step # 1: Disable Teatimer

Spybot S&D's tea timer normally provides real-time protection from spyware, however it may interfere with what we need to do. We will disable it until the machine is clean when it can be re-enabled.

This is a two step process.
First step:

Right-click the Spybot Icon in the System Tray (looks like a blue/white calendar with a padlock symbol)
If you have the new version 1.5, Click once on Resident Protection, then Right click the Spybot icon again and make sure Resident Protection is now Unchecked. The Spybot icon in the System tray should now be now colorless.
If you have Version 1.4, Click on Exit Spybot S&D Resident

Second step, For Either Version :

Open Spybot S&D
Click Mode, choose Advanced Mode
Go To the bottom of the Vertical Panel on the Left, Click Tools
then, also in left panel, click Resident shows a red/white shield.
If your firewall raises a question, say OK
In the Resident protection status frame, Uncheck the box labeled Resident "Tea-Timer"(Protection of over-all system settings) active
OK any prompts.
Use File, Exit to terminate Spybot
Reboot your machine for the changes to take effect.

Step # 2: Remove Hijackthis Entries

Run HijackThis
Click on the Scan button
Put a check beside all of the items listed below (if present):

O24 - Desktop Component 0: (no name) - C:\Program Files\NetMeeting\profsyxym.html
Close all open windows and browsers/email, etc...
Click on the "Fix Checked" button
When completed, close the application.

Go to start -> control panel -> Display properties -> Desktop -> Customize Desktop... -> Web tab, then uncheck and delete everything you find in there (except for "My current home page"),

Also remove the checkmark from the the Lock Desktop Items box if it is checked.
Click Apply.
Click Apply and then Exit Display properties.

Step # 3: Run CFScript

Please delete the version of ComboFix you have on your computer, I need you to download the latest version of ComboFix by sUBs here and save it to your Desktop.

Also delete the CFScript.txt from your Desktop, you will be creating and running a new one.

Then, please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:
Code:
```
File::

C:\Program Files\NetMeeting\profsyxym.html 

DirLook::

C:\Program Files\QScreenSavers
```
Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.
Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.

Step # 4 Post Logs

In your next post/reply, I'd like to see the following:

1. Answers to my questions about Angry IP, Solar Winds, and Ctrl-Alt-Del question.
2. ComboFix Log (C:\ComboFix.txt)
3. Fresh HJT log from ndamico account.

If you can't fit all the logs into one post/reply, then use multiple posts/replies to get all the logs in.

Thread: Virtumonde and other malware .... really need some advice.

Thread Tools

Display

Posting Permissions